diff --git a/accessible/atk/AccessibleWrap.cpp b/accessible/atk/AccessibleWrap.cpp
index 7ad7cedd1191..6df4f57cc17d 100644
--- a/accessible/atk/AccessibleWrap.cpp
+++ b/accessible/atk/AccessibleWrap.cpp
@@ -11,6 +11,7 @@
 #include "InterfaceInitFuncs.h"
 #include "nsAccUtils.h"
 #include "mozilla/a11y/PDocAccessible.h"
+#include "OuterDocAccessible.h"
 #include "ProxyAccessible.h"
 #include "RootAccessible.h"
 #include "nsMai.h"
@@ -96,7 +97,7 @@ static GType GetAtkTypeForMai(MaiInterfaceType type)
   return G_TYPE_INVALID;
 }
 
-static const char* kNonUserInputEvent = ":system";
+#define NON_USER_EVENT ":system"
     
 static const GInterfaceInfo atk_if_infos[] = {
     {(GInterfaceInitFunc)componentInterfaceInitCB,
@@ -828,26 +829,45 @@ getChildCountCB(AtkObject *aAtkObj)
 AtkObject *
 refChildCB(AtkObject *aAtkObj, gint aChildIndex)
 {
-    // aChildIndex should not be less than zero
-    if (aChildIndex < 0) {
+  // aChildIndex should not be less than zero
+  if (aChildIndex < 0) {
+    return nullptr;
+  }
+
+  AtkObject* childAtkObj = nullptr;
+  AccessibleWrap* accWrap = GetAccessibleWrap(aAtkObj);
+  if (accWrap) {
+    if (nsAccUtils::MustPrune(accWrap)) {
       return nullptr;
     }
 
-    AccessibleWrap* accWrap = GetAccessibleWrap(aAtkObj);
-    if (!accWrap || nsAccUtils::MustPrune(accWrap)) {
-        return nullptr;
-    }
-
     Accessible* accChild = accWrap->GetEmbeddedChildAt(aChildIndex);
-    if (!accChild)
-        return nullptr;
+    if (accChild) {
+      childAtkObj = AccessibleWrap::GetAtkObject(accChild);
+    } else {
+      OuterDocAccessible* docOwner = accWrap->AsOuterDoc();
+      if (docOwner) {
+        ProxyAccessible* proxyDoc = docOwner->RemoteChildDoc();
+        if (proxyDoc)
+          childAtkObj = GetWrapperFor(proxyDoc);
+      }
+    }
+  } else if (ProxyAccessible* proxy = GetProxy(aAtkObj)) {
+    if (proxy->MustPruneChildren())
+      return nullptr;
 
-    AtkObject* childAtkObj = AccessibleWrap::GetAtkObject(accChild);
+    ProxyAccessible* child = proxy->EmbeddedChildAt(aChildIndex);
+    if (child)
+      childAtkObj = GetWrapperFor(child);
+  } else {
+    return nullptr;
+  }
 
-    NS_ASSERTION(childAtkObj, "Fail to get AtkObj");
-    if (!childAtkObj)
-        return nullptr;
-    g_object_ref(childAtkObj);
+  NS_ASSERTION(childAtkObj, "Fail to get AtkObj");
+  if (!childAtkObj)
+    return nullptr;
+
+  g_object_ref(childAtkObj);
 
   if (aAtkObj != childAtkObj->accessible_parent)
     atk_object_set_parent(childAtkObj, aAtkObj);
@@ -1431,6 +1451,21 @@ MaiAtkObject::FireStateChangeEvent(uint64_t aState, bool aEnabled)
     }
 }
 
+#define OLD_TEXT_INSERTED "text_changed::insert"
+#define OLD_TEXT_REMOVED "text_changed::delete"
+static const char* oldTextChangeStrings[2][2] = {
+  { OLD_TEXT_REMOVED NON_USER_EVENT, OLD_TEXT_INSERTED NON_USER_EVENT },
+  { OLD_TEXT_REMOVED, OLD_TEXT_INSERTED }
+};
+
+#define TEXT_INSERTED "text-insert"
+#define TEXT_REMOVED "text-remove"
+#define NON_USER_DETAIL "::system"
+static const char* textChangedStrings[2][2] = {
+  { TEXT_REMOVED NON_USER_DETAIL, TEXT_INSERTED NON_USER_DETAIL },
+  { TEXT_REMOVED, TEXT_INSERTED}
+};
+
 nsresult
 AccessibleWrap::FireAtkTextChangedEvent(AccEvent* aEvent,
                                         AtkObject* aObject)
@@ -1442,7 +1477,6 @@ AccessibleWrap::FireAtkTextChangedEvent(AccEvent* aEvent,
     uint32_t length = event->GetLength();
     bool isInserted = event->IsTextInserted();
     bool isFromUserInput = aEvent->IsFromUserInput();
-    char* signal_name = nullptr;
 
   if (gAvailableAtkSignals == eUnknown)
     gAvailableAtkSignals =
@@ -1453,23 +1487,29 @@ AccessibleWrap::FireAtkTextChangedEvent(AccEvent* aEvent,
     // XXX remove this code and the gHaveNewTextSignals check when we can
     // stop supporting old atk since it doesn't really work anyway
     // see bug 619002
-    signal_name = g_strconcat(isInserted ? "text_changed::insert" :
-                              "text_changed::delete",
-                              isFromUserInput ? "" : kNonUserInputEvent, nullptr);
+    const char* signal_name =
+      oldTextChangeStrings[isFromUserInput][isInserted];
     g_signal_emit_by_name(aObject, signal_name, start, length);
   } else {
     nsAutoString text;
     event->GetModifiedText(text);
-    signal_name = g_strconcat(isInserted ? "text-insert" : "text-remove",
-                              isFromUserInput ? "" : "::system", nullptr);
+    const char* signal_name =
+      textChangedStrings[isFromUserInput][isInserted];
     g_signal_emit_by_name(aObject, signal_name, start, length,
                           NS_ConvertUTF16toUTF8(text).get());
   }
 
-  g_free(signal_name);
   return NS_OK;
 }
 
+#define ADD_EVENT "children_changed::add"
+#define HIDE_EVENT "children_changed::remove"
+
+static const char *kMutationStrings[2][2] = {
+  { HIDE_EVENT NON_USER_EVENT, ADD_EVENT NON_USER_EVENT },
+  { HIDE_EVENT, ADD_EVENT },
+};
+
 nsresult
 AccessibleWrap::FireAtkShowHideEvent(AccEvent* aEvent,
                                      AtkObject* aObject, bool aIsAdded)
@@ -1479,10 +1519,8 @@ AccessibleWrap::FireAtkShowHideEvent(AccEvent* aEvent,
     NS_ENSURE_STATE(parentObject);
 
     bool isFromUserInput = aEvent->IsFromUserInput();
-    char *signal_name = g_strconcat(aIsAdded ? "children_changed::add" :  "children_changed::remove",
-                                    isFromUserInput ? "" : kNonUserInputEvent, nullptr);
+    const char *signal_name = kMutationStrings[isFromUserInput][aIsAdded];
     g_signal_emit_by_name(parentObject, signal_name, indexInParent, aObject, nullptr);
-    g_free(signal_name);
 
     return NS_OK;
 }
diff --git a/accessible/generic/Accessible.h b/accessible/generic/Accessible.h
index 6d9a9cc271af..03e9e7c03def 100644
--- a/accessible/generic/Accessible.h
+++ b/accessible/generic/Accessible.h
@@ -38,6 +38,7 @@ class HTMLLIAccessible;
 class HyperTextAccessible;
 class ImageAccessible;
 class KeyBinding;
+class OuterDocAccessible;
 class ProxyAccessible;
 class Relation;
 class RootAccessible;
@@ -619,6 +620,9 @@ public:
     return mBits.proxy;
   }
 
+  bool IsOuterDoc() const { return mType == eOuterDocType; }
+  OuterDocAccessible* AsOuterDoc();
+
   bool IsProgress() const { return mType == eProgressType; }
 
   bool IsRoot() const { return mType == eRootType; }
diff --git a/accessible/generic/OuterDocAccessible.cpp b/accessible/generic/OuterDocAccessible.cpp
index 3fbbc38e4116..a780b96a39f1 100644
--- a/accessible/generic/OuterDocAccessible.cpp
+++ b/accessible/generic/OuterDocAccessible.cpp
@@ -8,6 +8,8 @@
 #include "Accessible-inl.h"
 #include "nsAccUtils.h"
 #include "DocAccessible-inl.h"
+#include "mozilla/a11y/DocAccessibleParent.h"
+#include "mozilla/dom/TabParent.h"
 #include "Role.h"
 #include "States.h"
 
@@ -26,6 +28,7 @@ OuterDocAccessible::
   OuterDocAccessible(nsIContent* aContent, DocAccessible* aDoc) :
   AccessibleWrap(aContent, aDoc)
 {
+  mType = eOuterDocType;
 }
 
 OuterDocAccessible::~OuterDocAccessible()
@@ -181,3 +184,24 @@ OuterDocAccessible::CacheChildren()
       GetAccService()->GetDocAccessible(innerDoc);
   }
 }
+
+ProxyAccessible*
+OuterDocAccessible::RemoteChildDoc() const
+{
+  dom::TabParent* tab = dom::TabParent::GetFrom(GetContent());
+  if (!tab)
+    return nullptr;
+
+  // XXX Consider managing non top level remote documents with there parent
+  // document.
+  const nsTArray<PDocAccessibleParent*>& docs = tab->ManagedPDocAccessibleParent();
+  size_t docCount = docs.Length();
+  for (size_t i = 0; i < docCount; i++) {
+    auto doc = static_cast<DocAccessibleParent*>(docs[i]);
+    if (!doc->ParentDoc())
+      return doc;
+  }
+
+  MOZ_ASSERT(false, "no top level tab document?");
+  return nullptr;
+}
diff --git a/accessible/generic/OuterDocAccessible.h b/accessible/generic/OuterDocAccessible.h
index 9b07f29f234d..02b455941378 100644
--- a/accessible/generic/OuterDocAccessible.h
+++ b/accessible/generic/OuterDocAccessible.h
@@ -10,6 +10,7 @@
 
 namespace mozilla {
 namespace a11y {
+class ProxyAccessible;
 
 /**
  * Used for <browser>, <frame>, <iframe>, <page> or editor> elements.
@@ -27,6 +28,8 @@ public:
 
   NS_DECL_ISUPPORTS_INHERITED
 
+  ProxyAccessible* RemoteChildDoc() const;
+
   // Accessible
   virtual void Shutdown() override;
   virtual mozilla::a11y::role NativeRole() override;
@@ -44,6 +47,11 @@ protected:
   virtual void CacheChildren() override;
 };
 
+inline OuterDocAccessible*
+Accessible::AsOuterDoc()
+{
+  return IsOuterDoc() ? static_cast<OuterDocAccessible*>(this) : nullptr;
+}
 } // namespace a11y
 } // namespace mozilla
 
diff --git a/accessible/ipc/DocAccessibleChild.cpp b/accessible/ipc/DocAccessibleChild.cpp
index 914200a165ec..42957514e3f0 100644
--- a/accessible/ipc/DocAccessibleChild.cpp
+++ b/accessible/ipc/DocAccessibleChild.cpp
@@ -1637,6 +1637,21 @@ DocAccessibleChild::RecvIndexOfEmbeddedChild(const uint64_t& aID,
   return true;
 }
 
+bool
+DocAccessibleChild::RecvEmbeddedChildAt(const uint64_t& aID,
+                                        const uint32_t& aIdx,
+                                        uint64_t* aChildID)
+{
+  *aChildID = 0;
+
+  Accessible* acc = IdToAccessible(aID);
+  if (!acc)
+    return true;
+
+  *aChildID = reinterpret_cast<uintptr_t>(acc->GetEmbeddedChildAt(aIdx));
+  return true;
+}
+
 bool
 DocAccessibleChild::RecvChildAtPoint(const uint64_t& aID,
                                      const int32_t& aX,
diff --git a/accessible/ipc/DocAccessibleChild.h b/accessible/ipc/DocAccessibleChild.h
index c2654558b5de..c357a9f85c17 100644
--- a/accessible/ipc/DocAccessibleChild.h
+++ b/accessible/ipc/DocAccessibleChild.h
@@ -408,6 +408,9 @@ public:
                                         const uint64_t& aChildID,
                                         uint32_t* aChildIdx) override final;
 
+  virtual bool RecvEmbeddedChildAt(const uint64_t& aID, const uint32_t& aIdx,
+                                   uint64_t* aChildID) override final;
+
   virtual bool RecvChildAtPoint(const uint64_t& aID,
                                 const int32_t& aX,
                                 const int32_t& aY,
diff --git a/accessible/ipc/DocAccessibleParent.cpp b/accessible/ipc/DocAccessibleParent.cpp
index 4f67b9e759e2..18dee1729979 100644
--- a/accessible/ipc/DocAccessibleParent.cpp
+++ b/accessible/ipc/DocAccessibleParent.cpp
@@ -213,8 +213,11 @@ DocAccessibleParent::Destroy()
 
   mAccessibles.EnumerateEntries(ShutdownAccessibles, nullptr);
   ProxyDestroyed(this);
-  mParentDoc ? mParentDoc->RemoveChildDoc(this)
-    : GetAccService()->RemoteDocShutdown(this);
-}
-}
+  if (mParentDoc)
+    mParentDoc->RemoveChildDoc(this);
+  else if (IsTopLevel())
+    GetAccService()->RemoteDocShutdown(this);
 }
+
+} // a11y
+} // mozilla
diff --git a/accessible/ipc/DocAccessibleParent.h b/accessible/ipc/DocAccessibleParent.h
index 1a6b2c83e412..a8fbe43687cb 100644
--- a/accessible/ipc/DocAccessibleParent.h
+++ b/accessible/ipc/DocAccessibleParent.h
@@ -26,7 +26,8 @@ class DocAccessibleParent : public ProxyAccessible,
 {
 public:
   DocAccessibleParent() :
-    ProxyAccessible(this), mParentDoc(nullptr), mShutdown(false)
+    ProxyAccessible(this), mParentDoc(nullptr),
+    mTopLevel(false), mShutdown(false)
   { MOZ_COUNT_CTOR_INHERITED(DocAccessibleParent, ProxyAccessible); }
   ~DocAccessibleParent()
   {
@@ -35,6 +36,9 @@ public:
     MOZ_ASSERT(!ParentDoc());
   }
 
+  void SetTopLevel() { mTopLevel = true; }
+  bool IsTopLevel() const { return mTopLevel; }
+
   /*
    * Called when a message from a document in a child process notifies the main
    * process it is firing an event.
@@ -151,6 +155,7 @@ private:
    * proxy object so we can't use a real map.
    */
   nsTHashtable<ProxyEntry> mAccessibles;
+  bool mTopLevel;
   bool mShutdown;
 };
 
diff --git a/accessible/ipc/PDocAccessible.ipdl b/accessible/ipc/PDocAccessible.ipdl
index d67fa02e9c3c..5df2e1c12e82 100644
--- a/accessible/ipc/PDocAccessible.ipdl
+++ b/accessible/ipc/PDocAccessible.ipdl
@@ -218,6 +218,8 @@ child:
   prio(high) sync TakeFocus(uint64_t aID);
   prio(high) sync IndexOfEmbeddedChild(uint64_t aID, uint64_t aChildID)
     returns(uint32_t childIdx);
+  prio(high) sync EmbeddedChildAt(uint64_t aID, uint32_t aChildIdx)
+    returns(uint64_t aChild);
   prio(high) sync ChildAtPoint(uint64_t aID, int32_t aX, int32_t aY, uint32_t aWhich)
     returns(uint64_t aChild, bool aOk);
   prio(high) sync Bounds(uint64_t aID) returns(nsIntRect aRect);
diff --git a/accessible/ipc/ProxyAccessible.cpp b/accessible/ipc/ProxyAccessible.cpp
index 6a16197a652f..8522b4c20910 100644
--- a/accessible/ipc/ProxyAccessible.cpp
+++ b/accessible/ipc/ProxyAccessible.cpp
@@ -916,6 +916,14 @@ ProxyAccessible::IndexOfEmbeddedChild(const ProxyAccessible* aChild)
   return childIdx;
 }
 
+ProxyAccessible*
+ProxyAccessible::EmbeddedChildAt(size_t aChildIdx)
+{
+  uint64_t childID;
+  unused << mDoc->SendEmbeddedChildAt(mID, aChildIdx, &childID);
+  return mDoc->GetAccessible(childID);
+}
+
 ProxyAccessible*
 ProxyAccessible::ChildAtPoint(int32_t aX, int32_t aY,
                               Accessible::EWhichChildAtPoint aWhichChild)
diff --git a/accessible/ipc/ProxyAccessible.h b/accessible/ipc/ProxyAccessible.h
index e36c113fe043..056d9d4fea90 100644
--- a/accessible/ipc/ProxyAccessible.h
+++ b/accessible/ipc/ProxyAccessible.h
@@ -49,6 +49,7 @@ public:
   // XXX evaluate if this is fast enough.
   size_t IndexInParent() const { return Parent()->mChildren.IndexOf(this); }
   int32_t IndexOfEmbeddedChild(const ProxyAccessible*);
+  ProxyAccessible* EmbeddedChildAt(size_t aChildIdx);
   bool MustPruneChildren() const;
 
   void Shutdown();
diff --git a/accessible/mac/mozAccessible.mm b/accessible/mac/mozAccessible.mm
index fdacb6f43911..5bd916e72777 100644
--- a/accessible/mac/mozAccessible.mm
+++ b/accessible/mac/mozAccessible.mm
@@ -600,12 +600,13 @@ struct RoleDescrComparator
 {
   NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NIL;
 
-  AccessibleWrap* accWrap = [self getGeckoAccessible];
-  if (accWrap->IsDefunct())
-    return nil;
-
   nsAutoString desc;
-  accWrap->Description(desc);
+  if (AccessibleWrap* accWrap = [self getGeckoAccessible])
+    accWrap->Description(desc);
+  else if (ProxyAccessible* proxy = [self getProxyAccessible])
+    proxy->Description(desc);
+  else
+    return nil;
 
   return nsCocoaUtils::ToNSString(desc);
 
diff --git a/b2g/app/b2g.js b/b2g/app/b2g.js
index a18e52f46dad..e2b49526a2aa 100644
--- a/b2g/app/b2g.js
+++ b/b2g/app/b2g.js
@@ -1004,6 +1004,10 @@ pref("network.proxy.browsing.app_origins", "app://system.gaiamobile.org");
 // Enable Web Speech synthesis API
 pref("media.webspeech.synth.enabled", true);
 
+// Enable Web Speech recognition API
+pref("media.webspeech.recognition.enable", true);
+pref("media.webspeech.service.default", "pocketsphinx");
+
 // Downloads API
 pref("dom.mozDownloads.enabled", true);
 pref("dom.downloads.max_retention_days", 7);
diff --git a/b2g/confvars.sh b/b2g/confvars.sh
index ef92554460e3..ea8d5a01cb2a 100644
--- a/b2g/confvars.sh
+++ b/b2g/confvars.sh
@@ -29,13 +29,12 @@ NSS_DISABLE_DBM=1
 MOZ_NO_EV_CERTS=1
 MOZ_DISABLE_EXPORT_JS=1
 
-# Bug 1171082 - Broken on Windows B2G Desktop
-if test "$OS_TARGET" != "WINNT"; then
 MOZ_WEBSPEECH=1
+if test -n "$NIGHTLY_BUILD"; then
 MOZ_WEBSPEECH_MODELS=1
 MOZ_WEBSPEECH_POCKETSPHINX=1
+fi
 MOZ_WEBSPEECH_TEST_BACKEND=1
-fi # !WINNT
 
 if test "$OS_TARGET" = "Android"; then
 MOZ_CAPTURE=1
diff --git a/browser/base/content/browser.xul b/browser/base/content/browser.xul
index f30596edd698..a2a8161ff2e0 100644
--- a/browser/base/content/browser.xul
+++ b/browser/base/content/browser.xul
@@ -1235,9 +1235,14 @@
 
   <svg:svg height="0">
 #include tab-shape.inc.svg
+#if defined(XP_UNIX) && !defined(XP_MACOSX)
+    <svg:clipPath id="urlbar-clip-path" clipPathUnits="userSpaceOnUse">
+      <svg:path d="m 1,-5 l 0,50 l 10000,0 l 0,-50 z"/>
+    </svg:clipPath>
+#endif
     <svg:clipPath id="urlbar-back-button-clip-path" clipPathUnits="userSpaceOnUse">
 #ifndef XP_MACOSX
-      <svg:path d="m 1,-5 l 0,7.8 c 2.5,3.2 4,6.2 4,10.2 c 0,4 -1.5,7 -4,10 l 0,22l10000,0 l 0,-50 l -10000,0 z"/>
+      <svg:path d="m 1,-5 l 0,7.8 c 2.5,3.2 4,6.2 4,10.2 c 0,4 -1.5,7 -4,10 l 0,22 l 10000,0 l 0,-50 l -10000,0 z"/>
 #else
       <svg:path d="M -11,-5 a 16 16 0 0 1 0,34 l 10000,0 l 0,-34 l -10000,0 z"/>
 #endif
diff --git a/browser/devtools/performance/docs/markers.md b/browser/devtools/performance/docs/markers.md
index 1f13b4da0e50..c81cb43f3cb2 100644
--- a/browser/devtools/performance/docs/markers.md
+++ b/browser/devtools/performance/docs/markers.md
@@ -107,7 +107,8 @@ a setTimeout.
 
 ## GarbageCollection
 
-Emitted after a full GC has occurred (which will emit past incremental events).
+Emitted after a full GC cycle has completed (which is after any number of
+incremental slices).
 
 * DOMString causeName - The reason for a GC event to occur. A full list of
   GC reasons can be found [on MDN](https://developer.mozilla.org/en-US/docs/Tools/Debugger-API/Debugger.Memory#Debugger.Memory_Handler_Functions).
@@ -115,6 +116,17 @@ Emitted after a full GC has occurred (which will emit past incremental events).
   GC (smaller, quick GC events), and we have to walk the entire heap and
   GC everything marked, then the reason listed here is why.
 
+## nsCycleCollector::Collect
+
+An `nsCycleCollector::Collect` marker is emitted for each incremental cycle
+collection slice and each non-incremental cycle collection.
+
+# nsCycleCollector::ForgetSkippable
+
+`nsCycleCollector::ForgetSkippable` is presented as "Cycle Collection", but in
+reality it is preparation/pre-optimization for cycle collection, and not the
+actual tracing of edges and collecting of cycles.
+
 ## ConsoleTime
 
 A marker generated via `console.time()` and `console.timeEnd()`.
diff --git a/browser/devtools/performance/modules/logic/marker-utils.js b/browser/devtools/performance/modules/logic/marker-utils.js
index 345359202df3..43608eaac9df 100644
--- a/browser/devtools/performance/modules/logic/marker-utils.js
+++ b/browser/devtools/performance/modules/logic/marker-utils.js
@@ -435,6 +435,13 @@ const Formatters = {
       return { "Restyle Hint": marker.restyleHint.replace(/eRestyle_/g, "") };
     }
   },
+
+  CycleCollectionFields: function (marker) {
+    let Type = PREFS["show-platform-data"]
+        ? marker.name
+        : marker.name.replace(/nsCycleCollector::/g, "");
+    return { Type };
+  },
 };
 
 exports.getMarkerLabel = getMarkerLabel;
diff --git a/browser/devtools/performance/modules/markers.js b/browser/devtools/performance/modules/markers.js
index 6f9a4a33e2be..984eb4aa79bc 100644
--- a/browser/devtools/performance/modules/markers.js
+++ b/browser/devtools/performance/modules/markers.js
@@ -113,6 +113,20 @@ const TIMELINE_BLUEPRINT = {
       { property: "nonincrementalReason", label: "Non-incremental Reason:" }
     ],
   },
+  "nsCycleCollector::Collect": {
+    group: 1,
+    colorName: "graphs-red",
+    collapseFunc: either(collapse.parent, collapse.child),
+    label: "Cycle Collection",
+    fields: Formatters.CycleCollectionFields,
+  },
+  "nsCycleCollector::ForgetSkippable": {
+    group: 1,
+    colorName: "graphs-red",
+    collapseFunc: either(collapse.parent, collapse.child),
+    label: "Cycle Collection",
+    fields: Formatters.CycleCollectionFields,
+  },
 
   /* Group 2 - User Controlled */
   "ConsoleTime": {
diff --git a/browser/devtools/performance/test/browser.ini b/browser/devtools/performance/test/browser.ini
index 7c21b500542c..e5ee8c5dd2e7 100644
--- a/browser/devtools/performance/test/browser.ini
+++ b/browser/devtools/performance/test/browser.ini
@@ -2,6 +2,7 @@
 tags = devtools
 subsuite = devtools
 support-files =
+  doc_force_cc.html
   doc_force_gc.html
   doc_innerHTML.html
   doc_markers.html
@@ -13,6 +14,7 @@ support-files =
 
 [browser_aaa-run-first-leaktest.js]
 [browser_marker-utils.js]
+[browser_markers-cycle-collection.js]
 [browser_markers-gc.js]
 [browser_markers-parse-html.js]
 [browser_markers-styles.js]
diff --git a/browser/devtools/performance/test/browser_markers-cycle-collection.js b/browser/devtools/performance/test/browser_markers-cycle-collection.js
new file mode 100644
index 000000000000..eb75544f0a2e
--- /dev/null
+++ b/browser/devtools/performance/test/browser_markers-cycle-collection.js
@@ -0,0 +1,50 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+/**
+ * Test that we get "nsCycleCollector::Collect" and
+ * "nsCycleCollector::ForgetSkippable" markers when we force cycle collection.
+ */
+
+const TEST_URL = EXAMPLE_URL + "doc_force_cc.html"
+
+function waitForMarkerType(front, type) {
+  info("Waiting for marker of type = " + type);
+  const { promise, resolve } = Promise.defer();
+
+  const handler = (_, name, markers) => {
+    if (name !== "markers") {
+      return;
+    }
+
+    info("Got markers: " + JSON.stringify(markers, null, 2));
+
+    if (markers.some(m => m.name === type)) {
+      ok(true, "Found marker of type = " + type);
+      front.off("timeline-data", handler);
+      resolve();
+    }
+  };
+  front.on("timeline-data", handler);
+
+  return promise;
+}
+
+function* spawnTest () {
+  // This test runs very slowly on linux32 debug EC2 instances.
+  requestLongerTimeout(2);
+
+  let { target, front } = yield initBackend(TEST_URL);
+
+  yield front.startRecording({ withMarkers: true, withTicks: true });
+
+  yield Promise.all([
+    waitForMarkerType(front, "nsCycleCollector::Collect"),
+    waitForMarkerType(front, "nsCycleCollector::ForgetSkippable")
+  ]);
+  ok(true, "Got expected cycle collection events");
+
+  yield front.stopRecording();
+  yield removeTab(target.tab);
+  finish();
+}
diff --git a/browser/devtools/performance/test/doc_force_cc.html b/browser/devtools/performance/test/doc_force_cc.html
new file mode 100644
index 000000000000..d5868bd6b7c7
--- /dev/null
+++ b/browser/devtools/performance/test/doc_force_cc.html
@@ -0,0 +1,29 @@
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<!doctype html>
+
+<html>
+  <head>
+    <meta charset="utf-8"/>
+    <title>Performance tool + cycle collection test page</title>
+  </head>
+
+  <body>
+    <script type="text/javascript">
+    window.test = function () {
+      document.body.expando1 = { cycle: document.body };
+      SpecialPowers.Cu.forceCC();
+
+      document.body.expando2 = { cycle: document.body };
+      SpecialPowers.Cu.forceCC();
+
+      document.body.expando3 = { cycle: document.body };
+      SpecialPowers.Cu.forceCC();
+
+      setTimeout(window.test, 100);
+    };
+    test();
+    </script>
+  </body>
+
+</html>
diff --git a/browser/devtools/webide/test/chrome.ini b/browser/devtools/webide/test/chrome.ini
index 7436b07056b6..e085fb75720a 100644
--- a/browser/devtools/webide/test/chrome.ini
+++ b/browser/devtools/webide/test/chrome.ini
@@ -1,6 +1,6 @@
 [DEFAULT]
 tags = devtools
-skip-if = buildapp == 'b2g'
+skip-if = buildapp == 'b2g' || (os == "mac" && (os_version == "10.8" || os_version == "10.10") && debug) # Bug 1135315 - assertions
 support-files =
   app/index.html
   app/manifest.webapp
diff --git a/browser/devtools/webide/test/sidebars/chrome.ini b/browser/devtools/webide/test/sidebars/chrome.ini
index d561b87eed5a..744806a7c131 100644
--- a/browser/devtools/webide/test/sidebars/chrome.ini
+++ b/browser/devtools/webide/test/sidebars/chrome.ini
@@ -1,6 +1,6 @@
 [DEFAULT]
 tags = devtools
-skip-if = buildapp == 'b2g'
+skip-if = buildapp == 'b2g' || (os == "mac" && (os_version == "10.8" || os_version == "10.10") && debug) # Bug 1135315 - assertions
 support-files =
   ../app/index.html
   ../app/manifest.webapp
diff --git a/browser/modules/ProcessHangMonitor.jsm b/browser/modules/ProcessHangMonitor.jsm
index c12964aaa8a9..d23668fbeb34 100644
--- a/browser/modules/ProcessHangMonitor.jsm
+++ b/browser/modules/ProcessHangMonitor.jsm
@@ -313,6 +313,7 @@ let ProcessHangMonitor = {
     for (let [otherReport, otherTimer] of this._activeReports) {
       if (otherTimer === timer) {
         this.removeReport(otherReport);
+        otherReport.userCanceled();
         break;
       }
     }
diff --git a/browser/themes/linux/browser.css b/browser/themes/linux/browser.css
index e0e46bfe6023..dffce93d48ae 100644
--- a/browser/themes/linux/browser.css
+++ b/browser/themes/linux/browser.css
@@ -680,17 +680,17 @@ toolbarbutton[constrain-size="true"][cui-areatype="toolbar"] > .toolbarbutton-ba
 }
 
 #back-button {
-  padding-top: 3px;
-  padding-bottom: 3px;
-  -moz-padding-start: 5px;
-  -moz-padding-end: 0;
+  margin-top: 3px;
+  margin-bottom: 3px;
+  -moz-margin-start: 5px;
+  padding: 0;
   position: relative;
   z-index: 1;
-  border-radius: 0 10000px 10000px 0;
+  border-radius: 10000px;
 }
 
-#back-button:-moz-locale-dir(rtl) {
-  border-radius: 10000px 0 0 10000px;
+#back-button:not(:-moz-lwtheme) {
+  background-color: -moz-dialog;
 }
 
 #back-button > menupopup {
@@ -894,13 +894,17 @@ toolbarbutton[constrain-size="true"][cui-areatype="toolbar"] > .toolbarbutton-ba
 }
 
 @conditionalForwardWithUrlbar@ {
-  clip-path: url("chrome://browser/content/browser.xul#urlbar-back-button-clip-path");
+  clip-path: url("chrome://browser/content/browser.xul#urlbar-clip-path");
   -moz-margin-start: -5px;
 }
 
+@conditionalForwardWithUrlbar@:-moz-lwtheme {
+  clip-path: url("chrome://browser/content/browser.xul#urlbar-back-button-clip-path");
+}
+
 @conditionalForwardWithUrlbar@:-moz-locale-dir(rtl),
 @conditionalForwardWithUrlbar@ > #urlbar:-moz-locale-dir(rtl) {
-  /* let urlbar-back-button-clip-path clip the urlbar's right side for RTL */
+  /* Let clip-path clip the urlbar-wrapper's right side for RTL. */
   transform: scaleX(-1);
 }
 
diff --git a/configure.in b/configure.in
index f00ee525be23..9fe01b1ff06c 100644
--- a/configure.in
+++ b/configure.in
@@ -5132,11 +5132,6 @@ fi
 dnl ========================================================
 dnl = Disable Speech API pocketsphinx backend
 dnl ========================================================
-MOZ_ARG_DISABLE_BOOL(webspeechpocketsphinx,
-[  --disable-webspeechpocketsphinx        Disable support for HTML Speech API Pocketsphinx Backend],
-    MOZ_WEBSPEECH_POCKETSPHINX=,
-    MOZ_WEBSPEECH_POCKETSPHINX=1)
-
 if test -n "$MOZ_WEBSPEECH_POCKETSPHINX"; then
     AC_DEFINE(MOZ_WEBSPEECH_POCKETSPHINX)
 fi
@@ -5178,11 +5173,6 @@ AC_SUBST(MOZ_WEBSPEECH_TEST_BACKEND)
 dnl ========================================================
 dnl = Disable Speech API models
 dnl ========================================================
-MOZ_ARG_DISABLE_BOOL(webspeechmodels,
-[  --disable-webspeechmodels        Disable support for HTML Speech API Models],
-    MOZ_WEBSPEECH_MODELS=,
-    MOZ_WEBSPEECH_MODELS=1)
-
 if test -z "$MOZ_WEBSPEECH"; then
 MOZ_WEBSPEECH_MODELS=
 fi
diff --git a/docshell/base/AutoTimelineMarker.cpp b/docshell/base/AutoTimelineMarker.cpp
new file mode 100644
index 000000000000..5a2027d97414
--- /dev/null
+++ b/docshell/base/AutoTimelineMarker.cpp
@@ -0,0 +1,105 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/AutoTimelineMarker.h"
+
+#include "MainThreadUtils.h"
+#include "nsDocShell.h"
+#include "mozilla/Move.h"
+
+namespace mozilla {
+
+bool
+AutoTimelineMarker::DocShellIsRecording(nsDocShell& aDocShell)
+{
+  bool isRecording = false;
+  if (nsDocShell::gProfileTimelineRecordingsCount > 0) {
+    aDocShell.GetRecordProfileTimelineMarkers(&isRecording);
+  }
+  return isRecording;
+}
+
+AutoTimelineMarker::AutoTimelineMarker(nsIDocShell* aDocShell, const char* aName
+                                       MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL)
+  : mDocShell(nullptr)
+  , mName(aName)
+{
+  MOZ_GUARD_OBJECT_NOTIFIER_INIT;
+  MOZ_ASSERT(NS_IsMainThread());
+
+  nsDocShell* docShell = static_cast<nsDocShell*>(aDocShell);
+  if (docShell && DocShellIsRecording(*docShell)) {
+    mDocShell = docShell;
+    mDocShell->AddProfileTimelineMarker(mName, TRACING_INTERVAL_START);
+  }
+}
+
+AutoTimelineMarker::~AutoTimelineMarker()
+{
+  if (mDocShell) {
+    mDocShell->AddProfileTimelineMarker(mName, TRACING_INTERVAL_END);
+  }
+}
+
+void
+AutoGlobalTimelineMarker::PopulateDocShells()
+{
+  const LinkedList<nsDocShell::ObservedDocShell>& docShells =
+    nsDocShell::GetObservedDocShells();
+  MOZ_ASSERT(!docShells.isEmpty());
+
+  for (const nsDocShell::ObservedDocShell* ds = docShells.getFirst();
+       ds;
+       ds = ds->getNext()) {
+    mOk = mDocShells.append(**ds);
+    if (!mOk) {
+      return;
+    }
+  }
+}
+
+AutoGlobalTimelineMarker::AutoGlobalTimelineMarker(const char* aName
+                                                   MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL)
+  : mOk(true)
+  , mDocShells()
+  , mName(aName)
+{
+  MOZ_GUARD_OBJECT_NOTIFIER_INIT;
+  MOZ_ASSERT(NS_IsMainThread());
+
+  if (nsDocShell::gProfileTimelineRecordingsCount == 0) {
+    return;
+  }
+
+  PopulateDocShells();
+  if (!mOk) {
+    // If we don't successfully populate our vector with *all* docshells being
+    // observed, don't add markers to *any* of them.
+    return;
+  }
+
+  for (Vector<nsRefPtr<nsDocShell>>::Range range = mDocShells.all();
+       !range.empty();
+       range.popFront()) {
+    range.front()->AddProfileTimelineMarker(mName, TRACING_INTERVAL_START);
+  }
+}
+
+AutoGlobalTimelineMarker::~AutoGlobalTimelineMarker()
+{
+  if (!mOk) {
+    return;
+  }
+
+  for (Vector<nsRefPtr<nsDocShell>>::Range range = mDocShells.all();
+       !range.empty();
+       range.popFront()) {
+    range.front()->AddProfileTimelineMarker(mName, TRACING_INTERVAL_END);
+  }
+}
+
+
+} // namespace mozilla
diff --git a/docshell/base/AutoTimelineMarker.h b/docshell/base/AutoTimelineMarker.h
index c0c4da183691..2f9db74158a6 100644
--- a/docshell/base/AutoTimelineMarker.h
+++ b/docshell/base/AutoTimelineMarker.h
@@ -8,10 +8,13 @@
 #define AutoTimelineMarker_h__
 
 #include "mozilla/GuardObjects.h"
-#include "mozilla/Move.h"
-#include "nsDocShell.h"
+#include "mozilla/Vector.h"
+
 #include "nsRefPtr.h"
 
+class nsIDocShell;
+class nsDocShell;
+
 namespace mozilla {
 
 // # AutoTimelineMarker
@@ -27,7 +30,6 @@ namespace mozilla {
 //       nsresult rv = ParseTheCSSFile(mFile);
 //       ...
 //     }
-
 class MOZ_STACK_CLASS AutoTimelineMarker
 {
   MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER;
@@ -35,42 +37,57 @@ class MOZ_STACK_CLASS AutoTimelineMarker
   nsRefPtr<nsDocShell> mDocShell;
   const char* mName;
 
-  bool
-  DocShellIsRecording(nsDocShell& aDocShell)
-  {
-    bool isRecording = false;
-    if (nsDocShell::gProfileTimelineRecordingsCount > 0) {
-      aDocShell.GetRecordProfileTimelineMarkers(&isRecording);
-    }
-    return isRecording;
-  }
+  bool DocShellIsRecording(nsDocShell& aDocShell);
 
 public:
   explicit AutoTimelineMarker(nsIDocShell* aDocShell, const char* aName
-                              MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
-    : mDocShell(nullptr)
-    , mName(aName)
-  {
-    MOZ_GUARD_OBJECT_NOTIFIER_INIT;
-
-    nsDocShell* docShell = static_cast<nsDocShell*>(aDocShell);
-    if (docShell && DocShellIsRecording(*docShell)) {
-      mDocShell = docShell;
-      mDocShell->AddProfileTimelineMarker(mName, TRACING_INTERVAL_START);
-    }
-  }
-
-  ~AutoTimelineMarker()
-  {
-    if (mDocShell) {
-      mDocShell->AddProfileTimelineMarker(mName, TRACING_INTERVAL_END);
-    }
-  }
+                              MOZ_GUARD_OBJECT_NOTIFIER_PARAM);
+  ~AutoTimelineMarker();
 
   AutoTimelineMarker(const AutoTimelineMarker& aOther) = delete;
   void operator=(const AutoTimelineMarker& aOther) = delete;
 };
 
+// # AutoGlobalTimelineMarker
+//
+// Similar to `AutoTimelineMarker`, but adds its traced marker to all docshells,
+// not a single particular one. This is useful for operations that aren't
+// associated with any one particular doc shell, or when it isn't clear which
+// doc shell triggered the operation.
+//
+// Example usage:
+//
+//     {
+//       AutoGlobalTimelineMarker marker("Cycle Collection");
+//       nsCycleCollector* cc = GetCycleCollector();
+//       cc->Collect();
+//       ...
+//     }
+class MOZ_STACK_CLASS AutoGlobalTimelineMarker
+{
+  MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER;
+
+  // True as long as no operation has failed, eg due to OOM.
+  bool mOk;
+
+  // The set of docshells that are being observed and will get markers.
+  mozilla::Vector<nsRefPtr<nsDocShell>> mDocShells;
+
+  // The name of the marker we are adding.
+  const char* mName;
+
+  void PopulateDocShells();
+
+public:
+  explicit AutoGlobalTimelineMarker(const char* aName
+                                    MOZ_GUARD_OBJECT_NOTIFIER_PARAM);
+
+  ~AutoGlobalTimelineMarker();
+
+  AutoGlobalTimelineMarker(const AutoGlobalTimelineMarker& aOther) = delete;
+  void operator=(const AutoGlobalTimelineMarker& aOther) = delete;
+};
+
 } // namespace mozilla
 
 #endif /* AutoTimelineMarker_h__ */
diff --git a/docshell/base/moz.build b/docshell/base/moz.build
index 12b9b0e786fc..602089b8e6d5 100644
--- a/docshell/base/moz.build
+++ b/docshell/base/moz.build
@@ -48,6 +48,7 @@ EXPORTS.mozilla += [
 ]
 
 UNIFIED_SOURCES += [
+    'AutoTimelineMarker.cpp',
     'LoadContext.cpp',
     'nsAboutRedirector.cpp',
     'nsDefaultURIFixup.cpp',
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 2a839b0b906b..5b331a439315 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -200,6 +200,12 @@
 #include "nsIBrowserSearchService.h"
 #endif
 
+#include "mozIThirdPartyUtil.h"
+// Values for the network.cookie.cookieBehavior pref are documented in
+// nsCookieService.cpp
+#define COOKIE_BEHAVIOR_ACCEPT 0 // Allow all cookies.
+#define COOKIE_BEHAVIOR_REJECT_FOREIGN 1 // Reject all third-party cookies.
+
 static NS_DEFINE_CID(kAppShellCID, NS_APPSHELL_CID);
 
 #if defined(DEBUG_bryner) || defined(DEBUG_chb)
@@ -944,7 +950,7 @@ nsDocShell::nsDocShell()
 
 nsDocShell::~nsDocShell()
 {
-  MOZ_ASSERT(!mProfileTimelineRecording);
+  MOZ_ASSERT(!IsObserved());
 
   Destroy();
 
@@ -2927,6 +2933,8 @@ nsDocShell::HistoryTransactionRemoved(int32_t aIndex)
 
 unsigned long nsDocShell::gProfileTimelineRecordingsCount = 0;
 
+mozilla::LinkedList<nsDocShell::ObservedDocShell>* nsDocShell::gObservedDocShells = nullptr;
+
 NS_IMETHODIMP
 nsDocShell::SetRecordProfileTimelineMarkers(bool aValue)
 {
@@ -2935,11 +2943,16 @@ nsDocShell::SetRecordProfileTimelineMarkers(bool aValue)
     if (aValue) {
       ++gProfileTimelineRecordingsCount;
       UseEntryScriptProfiling();
-      mProfileTimelineRecording = true;
+
+      MOZ_ASSERT(!mObserved);
+      mObserved.reset(new ObservedDocShell(this));
+      GetOrCreateObservedDocShells().insertFront(mObserved.get());
     } else {
       --gProfileTimelineRecordingsCount;
       UnuseEntryScriptProfiling();
-      mProfileTimelineRecording = false;
+
+      mObserved.reset(nullptr);
+
       ClearProfileTimelineMarkers();
     }
   }
@@ -2950,7 +2963,7 @@ nsDocShell::SetRecordProfileTimelineMarkers(bool aValue)
 NS_IMETHODIMP
 nsDocShell::GetRecordProfileTimelineMarkers(bool* aValue)
 {
-  *aValue = mProfileTimelineRecording;
+  *aValue = IsObserved();
   return NS_OK;
 }
 
@@ -3090,7 +3103,7 @@ void
 nsDocShell::AddProfileTimelineMarker(const char* aName,
                                      TracingMetadata aMetaData)
 {
-  if (mProfileTimelineRecording) {
+  if (IsObserved()) {
     TimelineMarker* marker = new TimelineMarker(this, aName, aMetaData);
     mProfileTimelineMarkers.AppendElement(marker);
   }
@@ -3099,7 +3112,7 @@ nsDocShell::AddProfileTimelineMarker(const char* aName,
 void
 nsDocShell::AddProfileTimelineMarker(UniquePtr<TimelineMarker>&& aMarker)
 {
-  if (mProfileTimelineRecording) {
+  if (IsObserved()) {
     mProfileTimelineMarkers.AppendElement(Move(aMarker));
   }
 }
@@ -14044,6 +14057,32 @@ nsDocShell::ShouldPrepareForIntercept(nsIURI* aURI, bool aIsNavigate,
     return NS_OK;
   }
 
+  nsresult result;
+  nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil =
+    do_GetService(THIRDPARTYUTIL_CONTRACTID, &result);
+  NS_ENSURE_SUCCESS(result, result);
+
+  if (mCurrentURI) {
+    nsAutoCString uriSpec;
+    mCurrentURI->GetSpec(uriSpec);
+    if (!(uriSpec.EqualsLiteral("about:blank"))) {
+      // Reject the interception of third-party iframes if the cookie behaviour
+      // is set to reject all third-party cookies (1). In case that this pref
+      // is not set or can't be read, we default to allow all cookies (0) as
+      // this is the default value in all.js.
+      bool isThirdPartyURI = true;
+      result = thirdPartyUtil->IsThirdPartyURI(mCurrentURI, aURI,
+                                               &isThirdPartyURI);
+      NS_ENSURE_SUCCESS(result, result);
+      if (isThirdPartyURI &&
+          (Preferences::GetInt("network.cookie.cookieBehavior",
+                               COOKIE_BEHAVIOR_ACCEPT) ==
+                               COOKIE_BEHAVIOR_REJECT_FOREIGN)) {
+        return NS_OK;
+      }
+    }
+  }
+
   if (aIsNavigate) {
     OriginAttributes attrs(GetAppId(), GetIsInBrowserElement());
     *aShouldIntercept = swm->IsAvailable(attrs, aURI);
diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
index 7c6d1cad70b6..3f376c39905e 100644
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@@ -23,6 +23,7 @@
 #include "mozilla/TimeStamp.h"
 #include "GeckoProfiler.h"
 #include "mozilla/dom/ProfileTimelineMarkerBinding.h"
+#include "mozilla/LinkedList.h"
 #include "jsapi.h"
 
 // Helper Classes
@@ -266,6 +267,43 @@ public:
   // timeline markers
   static unsigned long gProfileTimelineRecordingsCount;
 
+  class ObservedDocShell : public mozilla::LinkedListElement<ObservedDocShell>
+  {
+  public:
+    explicit ObservedDocShell(nsDocShell* aDocShell)
+      : mDocShell(aDocShell)
+    { }
+
+    nsDocShell* operator*() const { return mDocShell.get(); }
+
+  private:
+    nsRefPtr<nsDocShell> mDocShell;
+  };
+
+private:
+  static mozilla::LinkedList<ObservedDocShell>* gObservedDocShells;
+
+  static mozilla::LinkedList<ObservedDocShell>& GetOrCreateObservedDocShells()
+  {
+    if (!gObservedDocShells) {
+      gObservedDocShells = new mozilla::LinkedList<ObservedDocShell>();
+    }
+    return *gObservedDocShells;
+  }
+
+  // Never null if timeline markers are being observed.
+  mozilla::UniquePtr<ObservedDocShell> mObserved;
+
+  // Return true if timeline markers are being observed for this docshell. False
+  // otherwise.
+  bool IsObserved() const { return !!mObserved; }
+
+public:
+  static const mozilla::LinkedList<ObservedDocShell>& GetObservedDocShells()
+  {
+    return GetOrCreateObservedDocShells();
+  }
+
   // Tell the favicon service that aNewURI has the same favicon as aOldURI.
   static void CopyFavicon(nsIURI* aOldURI,
                           nsIURI* aNewURI,
@@ -973,9 +1011,6 @@ private:
   // has been called without a matching NotifyRunToCompletionStop.
   uint32_t mJSRunToCompletionDepth;
 
-  // True if recording profiles.
-  bool mProfileTimelineRecording;
-
   nsTArray<mozilla::UniquePtr<TimelineMarker>> mProfileTimelineMarkers;
 
   // Get rid of all the timeline markers accumulated so far
diff --git a/docshell/test/browser/frame-head.js b/docshell/test/browser/frame-head.js
index bf65351b87cb..967e1a9fae69 100644
--- a/docshell/test/browser/frame-head.js
+++ b/docshell/test/browser/frame-head.js
@@ -71,6 +71,10 @@ this.timelineContentTest = function(tests) {
       info("Waiting for new markers on the docShell");
       let markers = yield onMarkers;
 
+      // Cycle collection markers are non-deterministic, and none of these tests
+      // expect them to show up.
+      markers = markers.filter(m => m.name.indexOf("nsCycleCollector") === -1);
+
       info("Running the test check function");
       check(markers);
     }
diff --git a/dom/base/TextInputProcessor.cpp b/dom/base/TextInputProcessor.cpp
index 78bde607c540..1f13e1ba0f9c 100644
--- a/dom/base/TextInputProcessor.cpp
+++ b/dom/base/TextInputProcessor.cpp
@@ -186,7 +186,14 @@ TextInputProcessor::BeginInputTransactionInternal(
 
   // This instance has finished preparing to link to the dispatcher.  Therefore,
   // let's forget the old dispatcher and purpose.
-  UnlinkFromTextEventDispatcher();
+  if (mDispatcher) {
+    mDispatcher->EndInputTransaction(this);
+    if (NS_WARN_IF(mDispatcher)) {
+      // Forcibly initialize the members if we failed to end the input
+      // transaction.
+      UnlinkFromTextEventDispatcher();
+    }
+  }
 
   if (aForTests) {
     rv = dispatcher->BeginInputTransactionForTests(this);
diff --git a/dom/base/URL.cpp b/dom/base/URL.cpp
index 5dc76382c11f..5ab46d5fd99c 100644
--- a/dom/base/URL.cpp
+++ b/dom/base/URL.cpp
@@ -139,9 +139,25 @@ URL::CreateObjectURL(const GlobalObject& aGlobal, MediaSource& aSource,
                      nsAString& aResult,
                      ErrorResult& aError)
 {
-  CreateObjectURLInternal(aGlobal, &aSource,
-                          NS_LITERAL_CSTRING(MEDIASOURCEURI_SCHEME), aOptions,
-                          aResult, aError);
+  nsCOMPtr<nsIPrincipal> principal = nsContentUtils::ObjectPrincipal(aGlobal.Get());
+
+  nsCString url;
+  nsresult rv = nsHostObjectProtocolHandler::
+    AddDataEntry(NS_LITERAL_CSTRING(MEDIASOURCEURI_SCHEME),
+                 &aSource, principal, url);
+  if (NS_FAILED(rv)) {
+    aError.Throw(rv);
+    return;
+  }
+
+  nsCOMPtr<nsIRunnable> revocation = NS_NewRunnableFunction(
+    [url] {
+      nsHostObjectProtocolHandler::RemoveDataEntry(url);
+    });
+
+  nsContentUtils::RunInStableState(revocation.forget());
+
+  CopyASCIItoUTF16(url, aResult);
 }
 
 void
diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp
index 447f5ec099d2..3ffecd6be645 100644
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -92,6 +92,7 @@
 #include "nsHostObjectProtocolHandler.h"
 #include "nsHtml5Module.h"
 #include "nsHtml5StringParser.h"
+#include "nsIAppShell.h"
 #include "nsIAsyncVerifyRedirectCallback.h"
 #include "nsICategoryManager.h"
 #include "nsIChannelEventSink.h"
@@ -182,6 +183,7 @@
 #include "nsUnicodeProperties.h"
 #include "nsViewManager.h"
 #include "nsViewportInfo.h"
+#include "nsWidgetsCID.h"
 #include "nsWrapperCacheInlines.h"
 #include "nsXULPopupManager.h"
 #include "xpcprivate.h" // nsXPConnect
@@ -337,6 +339,7 @@ namespace {
 
 static NS_DEFINE_CID(kParserServiceCID, NS_PARSERSERVICE_CID);
 static NS_DEFINE_CID(kCParserCID, NS_PARSER_CID);
+static NS_DEFINE_CID(kAppShellCID, NS_APPSHELL_CID);
 
 static PLDHashTable* sEventListenerManagersHash;
 
@@ -5148,6 +5151,20 @@ nsContentUtils::AddScriptRunner(nsIRunnable* aRunnable)
   return true;
 }
 
+/* static */
+void
+nsContentUtils::RunInStableState(already_AddRefed<nsIRunnable> aRunnable,
+                                 DispatchFailureHandling aHandling)
+{
+  nsCOMPtr<nsIRunnable> runnable = aRunnable;
+  nsCOMPtr<nsIAppShell> appShell(do_GetService(kAppShellCID));
+  if (!appShell) {
+    MOZ_ASSERT(aHandling == DispatchFailureHandling::IgnoreFailure);
+    return;
+  }
+  appShell->RunInStableState(runnable.forget());
+}
+
 void
 nsContentUtils::EnterMicroTask()
 {
@@ -7414,7 +7431,9 @@ nsContentUtils::GetSurfaceData(mozilla::gfx::DataSourceSurface* aSurface,
                                size_t* aLength, int32_t* aStride)
 {
   mozilla::gfx::DataSourceSurface::MappedSurface map;
-  aSurface->Map(mozilla::gfx::DataSourceSurface::MapType::READ, &map);
+  if (NS_WARN_IF(!aSurface->Map(mozilla::gfx::DataSourceSurface::MapType::READ, &map))) {
+    return nullptr;
+  }
   mozilla::gfx::IntSize size = aSurface->GetSize();
   mozilla::CheckedInt32 requiredBytes =
     mozilla::CheckedInt32(map.mStride) * mozilla::CheckedInt32(size.height);
diff --git a/dom/base/nsContentUtils.h b/dom/base/nsContentUtils.h
index 8a1e68447f62..3570d030638c 100644
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
@@ -1576,6 +1576,27 @@ public:
    */
   static void WarnScriptWasIgnored(nsIDocument* aDocument);
 
+  /**
+   * Whether to assert that RunInStableState() succeeds, or ignore failure,
+   * which may happen late in shutdown.
+   */
+  enum class DispatchFailureHandling { AssertSuccess, IgnoreFailure };
+
+  /**
+   * Add a "synchronous section", in the form of an nsIRunnable run once the
+   * event loop has reached a "stable state". |aRunnable| must not cause any
+   * queued events to be processed (i.e. must not spin the event loop).
+   * We've reached a stable state when the currently executing task/event has
+   * finished, see
+   * http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#synchronous-section
+   * In practice this runs aRunnable once the currently executing event
+   * finishes. If called multiple times per task/event, all the runnables will
+   * be executed, in the order in which RunInStableState() was called.
+   */
+  static void RunInStableState(already_AddRefed<nsIRunnable> aRunnable,
+                               DispatchFailureHandling aHandling =
+                                 DispatchFailureHandling::AssertSuccess);
+
   /**
    * Retrieve information about the viewport as a data structure.
    * This will return information in the viewport META data section
diff --git a/dom/base/nsDOMWindowUtils.cpp b/dom/base/nsDOMWindowUtils.cpp
index af5df238102e..86881e568f6b 100644
--- a/dom/base/nsDOMWindowUtils.cpp
+++ b/dom/base/nsDOMWindowUtils.cpp
@@ -1509,18 +1509,23 @@ nsDOMWindowUtils::CompareCanvases(nsIDOMHTMLCanvasElement *aCanvas1,
   RefPtr<DataSourceSurface> img1 = CanvasToDataSourceSurface(aCanvas1);
   RefPtr<DataSourceSurface> img2 = CanvasToDataSourceSurface(aCanvas2);
 
+  DataSourceSurface::ScopedMap map1(img1, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap map2(img2, DataSourceSurface::READ);
+
   if (img1 == nullptr || img2 == nullptr ||
+      !map1.IsMapped() || !map2.IsMapped() ||
       img1->GetSize() != img2->GetSize() ||
-      img1->Stride() != img2->Stride())
+      map1.GetStride() != map2.GetStride()) {
     return NS_ERROR_FAILURE;
+  }
 
   int v;
   IntSize size = img1->GetSize();
-  uint32_t stride = img1->Stride();
+  int32_t stride = map1.GetStride();
 
   // we can optimize for the common all-pass case
-  if (stride == (uint32_t) size.width * 4) {
-    v = memcmp(img1->GetData(), img2->GetData(), size.width * size.height * 4);
+  if (stride == size.width * 4) {
+    v = memcmp(map1.GetData(), map2.GetData(), size.width * size.height * 4);
     if (v == 0) {
       if (aMaxDifference)
         *aMaxDifference = 0;
@@ -1533,8 +1538,8 @@ nsDOMWindowUtils::CompareCanvases(nsIDOMHTMLCanvasElement *aCanvas1,
   uint32_t different = 0;
 
   for (int j = 0; j < size.height; j++) {
-    unsigned char *p1 = img1->GetData() + j*stride;
-    unsigned char *p2 = img2->GetData() + j*stride;
+    unsigned char *p1 = map1.GetData() + j*stride;
+    unsigned char *p2 = map2.GetData() + j*stride;
     v = memcmp(p1, p2, stride);
 
     if (v) {
@@ -3441,16 +3446,14 @@ nsDOMWindowUtils::DispatchEventToChromeOnly(nsIDOMEventTarget* aTarget,
 }
 
 NS_IMETHODIMP
-nsDOMWindowUtils::RunInStableState(nsIRunnable *runnable)
+nsDOMWindowUtils::RunInStableState(nsIRunnable *aRunnable)
 {
   MOZ_RELEASE_ASSERT(nsContentUtils::IsCallerChrome());
 
-  nsCOMPtr<nsIAppShell> appShell(do_GetService(kAppShellCID));
-  if (!appShell) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
+  nsCOMPtr<nsIRunnable> runnable = aRunnable;
+  nsContentUtils::RunInStableState(runnable.forget());
 
-  return appShell->RunInStableState(runnable);
+  return NS_OK;
 }
 
 NS_IMETHODIMP
diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp
index 0a03224f1662..7d27db587950 100644
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -711,17 +711,6 @@ public:
   nsIDocument *mSubDocument;
 };
 
-struct FindContentData
-{
-  explicit FindContentData(nsIDocument* aSubDoc)
-    : mSubDocument(aSubDoc), mResult(nullptr)
-  {
-  }
-
-  nsISupports *mSubDocument;
-  Element *mResult;
-};
-
 
 /**
  * A struct that holds all the information about a radio group.
@@ -1858,22 +1847,6 @@ NS_IMPL_CYCLE_COLLECTION_CAN_SKIP_THIS_BEGIN(nsDocument)
   return Element::CanSkipThis(tmp);
 NS_IMPL_CYCLE_COLLECTION_CAN_SKIP_THIS_END
 
-static PLDHashOperator
-SubDocTraverser(PLDHashTable *table, PLDHashEntryHdr *hdr, uint32_t number,
-                void *arg)
-{
-  SubDocMapEntry *entry = static_cast<SubDocMapEntry*>(hdr);
-  nsCycleCollectionTraversalCallback *cb =
-    static_cast<nsCycleCollectionTraversalCallback*>(arg);
-
-  NS_CYCLE_COLLECTION_NOTE_EDGE_NAME(*cb, "mSubDocuments entry->mKey");
-  cb->NoteXPCOMChild(entry->mKey);
-  NS_CYCLE_COLLECTION_NOTE_EDGE_NAME(*cb, "mSubDocuments entry->mSubDocument");
-  cb->NoteXPCOMChild(entry->mSubDocument);
-
-  return PL_DHASH_NEXT;
-}
-
 static PLDHashOperator
 RadioGroupsTraverser(const nsAString& aKey, nsRadioGroupStruct* aData,
                      void* aClosure)
@@ -2033,7 +2006,17 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INTERNAL(nsDocument)
   }
 
   if (tmp->mSubDocuments) {
-    PL_DHashTableEnumerate(tmp->mSubDocuments, SubDocTraverser, &cb);
+    PLDHashTable::Iterator iter(tmp->mSubDocuments);
+    while (iter.HasMoreEntries()) {
+      auto entry = static_cast<SubDocMapEntry*>(iter.NextEntry());
+
+      NS_CYCLE_COLLECTION_NOTE_EDGE_NAME(cb,
+                                         "mSubDocuments entry->mKey");
+      cb.NoteXPCOMChild(entry->mKey);
+      NS_CYCLE_COLLECTION_NOTE_EDGE_NAME(cb,
+                                         "mSubDocuments entry->mSubDocument");
+      cb.NoteXPCOMChild(entry->mSubDocument);
+    }
   }
 
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mCSSLoader)
@@ -4031,22 +4014,6 @@ nsDocument::GetSubDocumentFor(nsIContent *aContent) const
   return nullptr;
 }
 
-static PLDHashOperator
-FindContentEnumerator(PLDHashTable *table, PLDHashEntryHdr *hdr,
-                      uint32_t number, void *arg)
-{
-  SubDocMapEntry *entry = static_cast<SubDocMapEntry*>(hdr);
-  FindContentData *data = static_cast<FindContentData*>(arg);
-
-  if (entry->mSubDocument == data->mSubDocument) {
-    data->mResult = entry->mKey;
-
-    return PL_DHASH_STOP;
-  }
-
-  return PL_DHASH_NEXT;
-}
-
 Element*
 nsDocument::FindContentForSubDocument(nsIDocument *aDocument) const
 {
@@ -4056,10 +4023,14 @@ nsDocument::FindContentForSubDocument(nsIDocument *aDocument) const
     return nullptr;
   }
 
-  FindContentData data(aDocument);
-  PL_DHashTableEnumerate(mSubDocuments, FindContentEnumerator, &data);
-
-  return data.mResult;
+  PLDHashTable::Iterator iter(mSubDocuments);
+  while (iter.HasMoreEntries()) {
+    auto entry = static_cast<SubDocMapEntry*>(iter.NextEntry());
+    if (entry->mSubDocument == aDocument) {
+      return entry->mKey;
+    }
+  }
+  return nullptr;
 }
 
 bool
@@ -8739,45 +8710,22 @@ struct SubDocEnumArgs
   void *data;
 };
 
-static PLDHashOperator
-SubDocHashEnum(PLDHashTable *table, PLDHashEntryHdr *hdr,
-               uint32_t number, void *arg)
-{
-  SubDocMapEntry *entry = static_cast<SubDocMapEntry*>(hdr);
-  SubDocEnumArgs *args = static_cast<SubDocEnumArgs*>(arg);
-
-  nsIDocument *subdoc = entry->mSubDocument;
-  bool next = subdoc ? args->callback(subdoc, args->data) : true;
-
-  return next ? PL_DHASH_NEXT : PL_DHASH_STOP;
-}
-
 void
 nsDocument::EnumerateSubDocuments(nsSubDocEnumFunc aCallback, void *aData)
 {
-  if (mSubDocuments) {
-    SubDocEnumArgs args = { aCallback, aData };
-    PL_DHashTableEnumerate(mSubDocuments, SubDocHashEnum, &args);
-  }
-}
-
-static PLDHashOperator
-CanCacheSubDocument(PLDHashTable *table, PLDHashEntryHdr *hdr,
-                    uint32_t number, void *arg)
-{
-  SubDocMapEntry *entry = static_cast<SubDocMapEntry*>(hdr);
-  bool *canCacheArg = static_cast<bool*>(arg);
-
-  nsIDocument *subdoc = entry->mSubDocument;
-
-  // The aIgnoreRequest we were passed is only for us, so don't pass it on.
-  bool canCache = subdoc ? subdoc->CanSavePresentation(nullptr) : false;
-  if (!canCache) {
-    *canCacheArg = false;
-    return PL_DHASH_STOP;
+  if (!mSubDocuments) {
+    return;
   }
 
-  return PL_DHASH_NEXT;
+  PLDHashTable::Iterator iter(mSubDocuments);
+  while (iter.HasMoreEntries()) {
+    auto entry = static_cast<SubDocMapEntry*>(iter.NextEntry());
+    nsIDocument* subdoc = entry->mSubDocument;
+    bool next = subdoc ? aCallback(subdoc, aData) : true;
+    if (!next) {
+      break;
+    }
+  }
 }
 
 #ifdef DEBUG_bryner
@@ -8878,11 +8826,21 @@ nsDocument::CanSavePresentation(nsIRequest *aNewRequest)
     return false;
   }
 
-  bool canCache = true;
-  if (mSubDocuments)
-    PL_DHashTableEnumerate(mSubDocuments, CanCacheSubDocument, &canCache);
+  if (mSubDocuments) {
+    PLDHashTable::Iterator iter(mSubDocuments);
+    while (iter.HasMoreEntries()) {
+      auto entry = static_cast<SubDocMapEntry*>(iter.NextEntry());
+      nsIDocument* subdoc = entry->mSubDocument;
 
-  return canCache;
+      // The aIgnoreRequest we were passed is only for us, so don't pass it on.
+      bool canCache = subdoc ? subdoc->CanSavePresentation(nullptr) : false;
+      if (!canCache) {
+        return false;
+      }
+    }
+  }
+
+  return true;
 }
 
 void
diff --git a/dom/base/nsPropertyTable.cpp b/dom/base/nsPropertyTable.cpp
index 0b34167d9afe..a0524d191eb6 100644
--- a/dom/base/nsPropertyTable.cpp
+++ b/dom/base/nsPropertyTable.cpp
@@ -133,30 +133,16 @@ nsPropertyTable::Enumerate(nsPropertyOwner aObject,
   }
 }
 
-struct PropertyEnumeratorData
-{
-  nsIAtom* mName;
-  NSPropertyFunc mCallBack;
-  void* mData;
-};
-
-static PLDHashOperator
-PropertyEnumerator(PLDHashTable* aTable, PLDHashEntryHdr* aHdr,
-                   uint32_t aNumber, void* aArg)
-{
-  PropertyListMapEntry* entry = static_cast<PropertyListMapEntry*>(aHdr);
-  PropertyEnumeratorData* data = static_cast<PropertyEnumeratorData*>(aArg);
-  data->mCallBack(const_cast<void*>(entry->key), data->mName, entry->value,
-                  data->mData);
-  return PL_DHASH_NEXT;
-}
-
 void
 nsPropertyTable::EnumerateAll(NSPropertyFunc aCallBack, void* aData)
 {
   for (PropertyList* prop = mPropertyList; prop; prop = prop->mNext) {
-    PropertyEnumeratorData data = { prop->mName, aCallBack, aData };
-    PL_DHashTableEnumerate(&prop->mObjectValueMap, PropertyEnumerator, &data);
+    PLDHashTable::Iterator iter(&prop->mObjectValueMap);
+    while (iter.HasMoreEntries()) {
+      auto entry = static_cast<PropertyListMapEntry*>(iter.NextEntry());
+      aCallBack(const_cast<void*>(entry->key), prop->mName, entry->value,
+                aData);
+    }
   }
 }
 
@@ -294,25 +280,17 @@ nsPropertyTable::PropertyList::~PropertyList()
 {
 }
 
-static PLDHashOperator
-DestroyPropertyEnumerator(PLDHashTable *table, PLDHashEntryHdr *hdr,
-                          uint32_t number, void *arg)
-{
-  nsPropertyTable::PropertyList *propList =
-      static_cast<nsPropertyTable::PropertyList*>(arg);
-  PropertyListMapEntry* entry = static_cast<PropertyListMapEntry*>(hdr);
-
-  propList->mDtorFunc(const_cast<void*>(entry->key), propList->mName,
-                      entry->value, propList->mDtorData);
-  return PL_DHASH_NEXT;
-}
-
 void
 nsPropertyTable::PropertyList::Destroy()
 {
-  // Enumerate any remaining object/value pairs and destroy the value object
-  if (mDtorFunc)
-    PL_DHashTableEnumerate(&mObjectValueMap, DestroyPropertyEnumerator, this);
+  // Enumerate any remaining object/value pairs and destroy the value object.
+  if (mDtorFunc) {
+    PLDHashTable::Iterator iter(&mObjectValueMap);
+    while (iter.HasMoreEntries()) {
+      auto entry = static_cast<PropertyListMapEntry*>(iter.NextEntry());
+      mDtorFunc(const_cast<void*>(entry->key), mName, entry->value, mDtorData);
+    }
+  }
 }
 
 bool
diff --git a/dom/base/nsReferencedElement.cpp b/dom/base/nsReferencedElement.cpp
index 3cb9fc0150d9..f19abb76de2b 100644
--- a/dom/base/nsReferencedElement.cpp
+++ b/dom/base/nsReferencedElement.cpp
@@ -47,7 +47,7 @@ nsReferencedElement::Reset(nsIContent* aFromContent, nsIURI* aURI,
     return;
 
   // Get the current document
-  nsIDocument *doc = aFromContent->GetComposedDoc();
+  nsIDocument *doc = aFromContent->OwnerDoc();
   if (!doc)
     return;
 
@@ -124,7 +124,7 @@ void
 nsReferencedElement::ResetWithID(nsIContent* aFromContent, const nsString& aID,
                                  bool aWatch)
 {
-  nsIDocument *doc = aFromContent->GetComposedDoc();
+  nsIDocument *doc = aFromContent->OwnerDoc();
   if (!doc)
     return;
 
diff --git a/dom/bindings/parser/WebIDL.py b/dom/bindings/parser/WebIDL.py
index 15139dcabbea..1b0ec436ff23 100644
--- a/dom/bindings/parser/WebIDL.py
+++ b/dom/bindings/parser/WebIDL.py
@@ -3205,6 +3205,12 @@ class IDLInterfaceMember(IDLObjectWithIdentifier, IDLExposureMixins):
                                   "That seems rather unlikely.",
                                   [self.location])
 
+        if self.getExtendedAttribute("NewObject"):
+            if self.dependsOn == "Nothing" or self.dependsOn == "DOMState":
+                raise WebIDLError("A [NewObject] method is not idempotent, " 
+                                  "so it has to depend on something other than DOM state.",
+                                  [self.location])
+
     def _setDependsOn(self, dependsOn):
         if self.dependsOn != "Everything":
             raise WebIDLError("Trying to specify multiple different DependsOn, "
diff --git a/dom/browser-element/BrowserElementChildPreload.js b/dom/browser-element/BrowserElementChildPreload.js
index 1b25df49b126..bec221857c5d 100644
--- a/dom/browser-element/BrowserElementChildPreload.js
+++ b/dom/browser-element/BrowserElementChildPreload.js
@@ -229,7 +229,10 @@ BrowserElementChild.prototype = {
       "activate-next-paint-listener": this._activateNextPaintListener.bind(this),
       "set-input-method-active": this._recvSetInputMethodActive.bind(this),
       "deactivate-next-paint-listener": this._deactivateNextPaintListener.bind(this),
-      "do-command": this._recvDoCommand
+      "do-command": this._recvDoCommand,
+      "find-all": this._recvFindAll.bind(this),
+      "find-next": this._recvFindNext.bind(this),
+      "clear-match": this._recvClearMatch.bind(this),
     }
 
     addMessageListener("browser-element-api:call", function(aMessage) {
@@ -1240,6 +1243,57 @@ BrowserElementChild.prototype = {
     }
   },
 
+  _initFinder: function() {
+    if (!this._finder) {
+      try {
+        this._findLimit = Services.prefs.getIntPref("accessibility.typeaheadfind.matchesCountLimit");
+      } catch (e) {
+        // Pref not available, assume 0, no match counting.
+        this._findLimit = 0;
+      }
+
+      let {Finder} = Components.utils.import("resource://gre/modules/Finder.jsm", {});
+      this._finder = new Finder(docShell);
+      this._finder.addResultListener({
+        onMatchesCountResult: (data) => {
+          sendAsyncMsg('findchange', {
+            active: true,
+            searchString: this._finder.searchString,
+            searchLimit: this._findLimit,
+            activeMatchOrdinal: data.current,
+            numberOfMatches: data.total
+          });
+        }
+      });
+    }
+  },
+
+  _recvFindAll: function(data) {
+    this._initFinder();
+    let searchString = data.json.searchString;
+    this._finder.caseSensitive = data.json.caseSensitive;
+    this._finder.fastFind(searchString, false, false);
+    this._finder.requestMatchesCount(searchString, this._findLimit, false);
+  },
+
+  _recvFindNext: function(data) {
+    if (!this._finder) {
+      debug("findNext() called before findAll()");
+      return;
+    }
+    this._finder.findAgain(data.json.backward, false, false);
+    this._finder.requestMatchesCount(this._finder.searchString, this._findLimit, false);
+  },
+
+  _recvClearMatch: function(data) {
+    if (!this._finder) {
+      debug("clearMach() called before findAll()");
+      return;
+    }
+    this._finder.removeSelection();
+    sendAsyncMsg('findchange', {active: false});
+  },
+
   _recvSetInputMethodActive: function(data) {
     let msgData = { id: data.json.id };
     if (!this._isContentWindowCreated) {
diff --git a/dom/browser-element/BrowserElementParent.js b/dom/browser-element/BrowserElementParent.js
index 9e80ad887a41..b84d531760b9 100644
--- a/dom/browser-element/BrowserElementParent.js
+++ b/dom/browser-element/BrowserElementParent.js
@@ -206,6 +206,7 @@ BrowserElementParent.prototype = {
       "selectionstatechanged": this._handleSelectionStateChanged,
       "scrollviewchange": this._handleScrollViewChange,
       "caretstatechanged": this._handleCaretStateChanged,
+      "findchange": this._handleFindChange
     };
 
     let mmSecuritySensitiveCalls = {
@@ -475,6 +476,12 @@ BrowserElementParent.prototype = {
     this._frameElement.dispatchEvent(evt);
   },
 
+  _handleFindChange: function(data) {
+    let evt = this._createEvent("findchange", data.json,
+                                /* cancelable = */ false);
+    this._frameElement.dispatchEvent(evt);
+  },
+
   _createEvent: function(evtName, detail, cancelable) {
     // This will have to change if we ever want to send a CustomEvent with null
     // detail.  For now, it's OK.
@@ -646,6 +653,23 @@ BrowserElementParent.prototype = {
   getCanGoForward: defineDOMRequestMethod('get-can-go-forward'),
   getContentDimensions: defineDOMRequestMethod('get-contentdimensions'),
 
+  findAll: defineNoReturnMethod(function(searchString, caseSensitivity) {
+    return this._sendAsyncMsg('find-all', {
+      searchString,
+      caseSensitive: caseSensitivity == Ci.nsIBrowserElementAPI.FIND_CASE_SENSITIVE
+    });
+  }),
+
+  findNext: defineNoReturnMethod(function(direction) {
+    return this._sendAsyncMsg('find-next', {
+      backward: direction == Ci.nsIBrowserElementAPI.FIND_BACKWARD
+    });
+  }),
+
+  clearMatch: defineNoReturnMethod(function() {
+    return this._sendAsyncMsg('clear-match');
+  }),
+
   goBack: defineNoReturnMethod(function() {
     this._sendAsyncMsg('go-back');
   }),
diff --git a/dom/browser-element/mochitest/browserElement_Find.js b/dom/browser-element/mochitest/browserElement_Find.js
new file mode 100644
index 000000000000..2ab378ff1884
--- /dev/null
+++ b/dom/browser-element/mochitest/browserElement_Find.js
@@ -0,0 +1,146 @@
+/* Any copyright is dedicated to the public domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+// Bug 1163961 - Test search API
+
+"use strict";
+
+SimpleTest.waitForExplicitFinish();
+browserElementTestHelpers.setEnabledPref(true);
+browserElementTestHelpers.addPermission();
+
+function runTest() {
+
+  let iframe = document.createElement('iframe');
+  iframe.setAttribute('mozbrowser', 'true');
+  iframe.src = 'data:text/html,foo bar foo XXX Foo BAR foobar foobar';
+
+  const once = (eventName) => {
+    return new Promise((resolve) => {
+      iframe.addEventListener(eventName, function onEvent(...args) {
+        iframe.removeEventListener(eventName, onEvent);
+        resolve(...args);
+      });
+    });
+  }
+
+  // Test if all key=>value pairs in o1 are present in o2.
+  const c = (o1, o2) => Object.keys(o1).every(k => o1[k] == o2[k]);
+
+  let testCount = 0;
+
+  once('mozbrowserloadend').then(() => {
+    iframe.findAll('foo', 'case-insensitive');
+    return once('mozbrowserfindchange');
+  }).then(({detail}) => {
+    ok(c(detail, {
+      msg_name: "findchange",
+      active: true,
+      searchString: 'foo',
+      searchLimit: 100,
+      activeMatchOrdinal: 1,
+      numberOfMatches: 5,
+    }), `test ${testCount++}`);
+    iframe.findNext('forward');
+    return once('mozbrowserfindchange');
+  }).then(({detail}) => {
+    ok(c(detail, {
+      msg_name: "findchange",
+      active: true,
+      searchString: 'foo',
+      searchLimit: 100,
+      activeMatchOrdinal: 2,
+      numberOfMatches: 5,
+    }), `test ${testCount++}`);
+    iframe.findNext('backward');
+    return once('mozbrowserfindchange');
+  }).then(({detail}) => {
+    ok(c(detail, {
+      msg_name: "findchange",
+      active: true,
+      searchString: 'foo',
+      searchLimit: 100,
+      activeMatchOrdinal: 1,
+      numberOfMatches: 5,
+    }), `test ${testCount++}`);
+    iframe.findAll('xxx', 'case-sensitive');
+    return once('mozbrowserfindchange');
+  }).then(({detail}) => {
+    ok(c(detail, {
+      msg_name: "findchange",
+      active: true,
+      searchString: 'xxx',
+      searchLimit: 100,
+      activeMatchOrdinal: 0,
+      numberOfMatches: 0,
+    }), `test ${testCount++}`);
+    iframe.findAll('bar', 'case-insensitive');
+    return once('mozbrowserfindchange');
+  }).then(({detail}) => {
+    ok(c(detail, {
+      msg_name: "findchange",
+      active: true,
+      searchString: 'bar',
+      searchLimit: 100,
+      activeMatchOrdinal: 1,
+      numberOfMatches: 4,
+    }), `test ${testCount++}`);
+    iframe.findNext('forward');
+    return once('mozbrowserfindchange');
+  }).then(({detail}) => {
+    ok(c(detail, {
+      msg_name: "findchange",
+      active: true,
+      searchString: 'bar',
+      searchLimit: 100,
+      activeMatchOrdinal: 2,
+      numberOfMatches: 4,
+    }), `test ${testCount++}`);
+    iframe.findNext('forward');
+    return once('mozbrowserfindchange');
+  }).then(({detail}) => {
+    ok(c(detail, {
+      msg_name: "findchange",
+      active: true,
+      searchString: 'bar',
+      searchLimit: 100,
+      activeMatchOrdinal: 3,
+      numberOfMatches: 4,
+    }), `test ${testCount++}`);
+    iframe.findNext('forward');
+    return once('mozbrowserfindchange');
+  }).then(({detail}) => {
+    ok(c(detail, {
+      msg_name: "findchange",
+      active: true,
+      searchString: 'bar',
+      searchLimit: 100,
+      activeMatchOrdinal: 4,
+      numberOfMatches: 4,
+    }), `test ${testCount++}`);
+    iframe.findNext('forward');
+    return once('mozbrowserfindchange');
+  }).then(({detail}) => {
+    ok(c(detail, {
+      msg_name: "findchange",
+      active: true,
+      searchString: 'bar',
+      searchLimit: 100,
+      activeMatchOrdinal: 1,
+      numberOfMatches: 4,
+    }), `test ${testCount++}`);
+    iframe.clearMatch();
+    return once('mozbrowserfindchange');
+  }).then(({detail}) => {
+    ok(c(detail, {
+      msg_name: "findchange",
+      active: false
+    }), `test ${testCount++}`);
+    SimpleTest.finish();
+  });
+
+  document.body.appendChild(iframe);
+
+}
+
+addEventListener('testready', runTest);
diff --git a/dom/browser-element/mochitest/mochitest-oop.ini b/dom/browser-element/mochitest/mochitest-oop.ini
index e0ef5136fc16..74d7cebf0ba8 100644
--- a/dom/browser-element/mochitest/mochitest-oop.ini
+++ b/dom/browser-element/mochitest/mochitest-oop.ini
@@ -7,6 +7,7 @@ skip-if = os == "android" || (toolkit == "cocoa" && debug) || buildapp == 'mulet
 support-files =
   browserElement_OpenMixedProcess.js
   file_browserElement_OpenMixedProcess.html
+  browserElement_Find.js
   browserElement_OpenTab.js
 
 [test_browserElement_oop_Viewmode.html]
@@ -41,6 +42,7 @@ skip-if = (toolkit == 'gonk' && !debug)
 disabled = bug 1022281
 [test_browserElement_oop_ErrorSecurity.html]
 skip-if = (toolkit == 'gonk' && !debug)
+[test_browserElement_oop_Find.html]
 [test_browserElement_oop_FirstPaint.html]
 [test_browserElement_oop_ForwardName.html]
 [test_browserElement_oop_FrameWrongURI.html]
diff --git a/dom/browser-element/mochitest/mochitest.ini b/dom/browser-element/mochitest/mochitest.ini
index 157c752eeafd..049e8004e73c 100644
--- a/dom/browser-element/mochitest/mochitest.ini
+++ b/dom/browser-element/mochitest/mochitest.ini
@@ -29,6 +29,7 @@ support-files =
   browserElement_Download.js
   browserElement_ErrorSecurity.js
   browserElement_ExposableURI.js
+  browserElement_Find.js
   browserElement_FirstPaint.js
   browserElement_ForwardName.js
   browserElement_FrameWrongURI.js
@@ -159,6 +160,7 @@ skip-if = os == "android" || toolkit == 'gonk' # embed-apps doesn't work in the
 [test_browserElement_inproc_Download.html]
 disabled = bug 1022281
 [test_browserElement_inproc_ExposableURI.html]
+[test_browserElement_inproc_Find.html]
 [test_browserElement_inproc_FirstPaint.html]
 [test_browserElement_inproc_ForwardName.html]
 [test_browserElement_inproc_FrameWrongURI.html]
diff --git a/dom/browser-element/mochitest/test_browserElement_inproc_Find.html b/dom/browser-element/mochitest/test_browserElement_inproc_Find.html
new file mode 100644
index 000000000000..e0333a6bb5db
--- /dev/null
+++ b/dom/browser-element/mochitest/test_browserElement_inproc_Find.html
@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1163961
+-->
+<head>
+  <title>Test for Bug 1163961</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="application/javascript" src="browserElementTestHelpers.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1163961">Mozilla Bug 1163961</a>
+
+<script type="application/javascript;version=1.7" src="browserElement_Find.js">
+</script>
+</body>
+</html>
+
diff --git a/dom/browser-element/mochitest/test_browserElement_oop_Find.html b/dom/browser-element/mochitest/test_browserElement_oop_Find.html
new file mode 100644
index 000000000000..e0333a6bb5db
--- /dev/null
+++ b/dom/browser-element/mochitest/test_browserElement_oop_Find.html
@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1163961
+-->
+<head>
+  <title>Test for Bug 1163961</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="application/javascript" src="browserElementTestHelpers.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1163961">Mozilla Bug 1163961</a>
+
+<script type="application/javascript;version=1.7" src="browserElement_Find.js">
+</script>
+</body>
+</html>
+
diff --git a/dom/browser-element/nsIBrowserElementAPI.idl b/dom/browser-element/nsIBrowserElementAPI.idl
index 91885e004fcf..95a9ae940ef0 100644
--- a/dom/browser-element/nsIBrowserElementAPI.idl
+++ b/dom/browser-element/nsIBrowserElementAPI.idl
@@ -26,9 +26,15 @@ interface nsIBrowserElementNextPaintListener : nsISupports
  * Interface to the BrowserElementParent implementation. All methods
  * but setFrameLoader throw when the remote process is dead.
  */
-[scriptable, uuid(3811446f-90bb-42c1-b2b6-aae3603b61e1)]
+[scriptable, uuid(8ecb598c-f886-11e4-9915-778f934fbf93)]
 interface nsIBrowserElementAPI : nsISupports
 {
+  const long FIND_CASE_SENSITIVE = 0;
+  const long FIND_CASE_INSENSITIVE = 1;
+
+  const long FIND_FORWARD = 0;
+  const long FIND_BACKWARD = 1;
+
   void setFrameLoader(in nsIFrameLoader frameLoader);
 
   void setVisible(in boolean visible);
@@ -67,6 +73,10 @@ interface nsIBrowserElementAPI : nsISupports
   nsIDOMDOMRequest getCanGoForward();
   nsIDOMDOMRequest getContentDimensions();
 
+  void findAll(in DOMString searchString, in long caseSensitivity);
+  void findNext(in long direction);
+  void clearMatch();
+
   void addNextPaintListener(in nsIBrowserElementNextPaintListener listener);
   void removeNextPaintListener(in nsIBrowserElementNextPaintListener listener);
 
diff --git a/dom/canvas/CanvasRenderingContext2D.cpp b/dom/canvas/CanvasRenderingContext2D.cpp
index 2ba104e12f4c..522263f23253 100644
--- a/dom/canvas/CanvasRenderingContext2D.cpp
+++ b/dom/canvas/CanvasRenderingContext2D.cpp
@@ -2352,11 +2352,16 @@ private:
 void
 CanvasRenderingContext2D::UpdateFilter()
 {
-  nsIPresShell* presShell = GetPresShell();
+  nsCOMPtr<nsIPresShell> presShell = GetPresShell();
   if (!presShell || presShell->IsDestroying()) {
     return;
   }
 
+  // The filter might reference an SVG filter that is declared inside this
+  // document. Flush frames so that we'll have an nsSVGFilterFrame to work
+  // with.
+  presShell->FlushPendingNotifications(Flush_Frames);
+
   CurrentState().filter =
     nsFilterInstance::GetFilterDescription(mCanvasElement,
       CurrentState().filterChain,
@@ -4700,11 +4705,17 @@ CanvasRenderingContext2D::DrawWindow(nsGlobalWindow& window, double x,
     RefPtr<SourceSurface> snapshot = drawDT->Snapshot();
     RefPtr<DataSourceSurface> data = snapshot->GetDataSurface();
 
+    DataSourceSurface::MappedSurface rawData;
+    if (NS_WARN_IF(!data->Map(DataSourceSurface::READ, &rawData))) {
+        error.Throw(NS_ERROR_FAILURE);
+        return;
+    }
     RefPtr<SourceSurface> source =
-      mTarget->CreateSourceSurfaceFromData(data->GetData(),
+      mTarget->CreateSourceSurfaceFromData(rawData.mData,
                                            data->GetSize(),
-                                           data->Stride(),
+                                           rawData.mStride,
                                            data->GetFormat());
+    data->Unmap();
 
     if (!source) {
       error.Throw(NS_ERROR_FAILURE);
@@ -4979,12 +4990,13 @@ CanvasRenderingContext2D::GetImageDataArray(JSContext* aCx,
   IntRect destRect(aX, aY, aWidth, aHeight);
   IntRect srcReadRect = srcRect.Intersect(destRect);
   RefPtr<DataSourceSurface> readback;
+  DataSourceSurface::MappedSurface rawData;
   if (!srcReadRect.IsEmpty() && !mZero) {
     RefPtr<SourceSurface> snapshot = mTarget->Snapshot();
     if (snapshot) {
       readback = snapshot->GetDataSurface();
     }
-    if (!readback || !readback->GetData()) {
+    if (!readback || !readback->Map(DataSourceSurface::READ, &rawData)) {
       return NS_ERROR_OUT_OF_MEMORY;
     }
   }
@@ -5006,8 +5018,8 @@ CanvasRenderingContext2D::GetImageDataArray(JSContext* aCx,
   uint32_t srcStride;
 
   if (readback) {
-    srcStride = readback->Stride();
-    src = readback->GetData() + srcReadRect.y * srcStride + srcReadRect.x * 4;
+    srcStride = rawData.mStride;
+    src = rawData.mData + srcReadRect.y * srcStride + srcReadRect.x * 4;
   }
 
   JS::AutoCheckCannotGC nogc;
@@ -5071,6 +5083,10 @@ CanvasRenderingContext2D::GetImageDataArray(JSContext* aCx,
     dst += (aWidth * 4) - (dstWriteRect.width * 4);
   }
 
+  if (readback) {
+    readback->Unmap();
+  }
+
   *aRetval = darray;
   return NS_OK;
 }
diff --git a/dom/canvas/CanvasRenderingContext2D.h b/dom/canvas/CanvasRenderingContext2D.h
index 41db0c7c1958..136addccf0d0 100644
--- a/dom/canvas/CanvasRenderingContext2D.h
+++ b/dom/canvas/CanvasRenderingContext2D.h
@@ -884,6 +884,7 @@ protected:
                      fillRule(mozilla::gfx::FillRule::FILL_WINDING),
                      lineCap(mozilla::gfx::CapStyle::BUTT),
                      lineJoin(mozilla::gfx::JoinStyle::MITER_OR_BEVEL),
+                     filterString(MOZ_UTF16("none")),
                      imageSmoothingEnabled(true),
                      fontExplicitLanguage(false)
     { }
diff --git a/dom/canvas/WebGL2Context.h b/dom/canvas/WebGL2Context.h
index c6c00493cb03..6ddad7ec1ed5 100644
--- a/dom/canvas/WebGL2Context.h
+++ b/dom/canvas/WebGL2Context.h
@@ -324,6 +324,7 @@ public:
     void BindBufferBase(GLenum target, GLuint index, WebGLBuffer* buffer);
     void BindBufferRange(GLenum target, GLuint index, WebGLBuffer* buffer, GLintptr offset, GLsizeiptr size);
 */
+    virtual JS::Value GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv) override;
     void GetIndexedParameter(GLenum target, GLuint index,
                              dom::Nullable<dom::OwningWebGLBufferOrLongLong>& retval);
     void GetUniformIndices(WebGLProgram* program,
diff --git a/dom/canvas/WebGL2ContextSamplers.cpp b/dom/canvas/WebGL2ContextSamplers.cpp
index bad4b50bdb54..3e2b31ebd36f 100644
--- a/dom/canvas/WebGL2ContextSamplers.cpp
+++ b/dom/canvas/WebGL2ContextSamplers.cpp
@@ -36,6 +36,12 @@ WebGL2Context::DeleteSampler(WebGLSampler* sampler)
     if (!sampler || sampler->IsDeleted())
         return;
 
+    for (int n = 0; n < mGLMaxTextureUnits; n++) {
+        if (mBoundSamplers[n] == sampler) {
+            mBoundSamplers[n] = nullptr;
+        }
+    }
+
     sampler->RequestDelete();
 }
 
@@ -74,6 +80,8 @@ WebGL2Context::BindSampler(GLuint unit, WebGLSampler* sampler)
         return ErrorInvalidOperation("bindSampler: binding deleted sampler");
 
     WebGLContextUnchecked::BindSampler(unit, sampler);
+
+    mBoundSamplers[unit] = sampler;
 }
 
 void
diff --git a/dom/canvas/WebGL2ContextState.cpp b/dom/canvas/WebGL2ContextState.cpp
new file mode 100644
index 000000000000..09a842730b05
--- /dev/null
+++ b/dom/canvas/WebGL2ContextState.cpp
@@ -0,0 +1,177 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "WebGL2Context.h"
+#include "WebGLContextUtils.h"
+
+namespace mozilla {
+
+JS::Value
+WebGL2Context::GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv)
+{
+  // The following cases are handled in WebGLContext::GetParameter():
+  //     case LOCAL_GL_MAX_COLOR_ATTACHMENTS:
+  //     case LOCAL_GL_MAX_DRAW_BUFFERS:
+  //     case LOCAL_GL_DRAW_BUFFERi:
+
+  if (IsContextLost())
+    return JS::NullValue();
+
+  MakeContextCurrent();
+
+  switch (pname) {
+    /* GLboolean */
+    case LOCAL_GL_RASTERIZER_DISCARD:
+    case LOCAL_GL_SAMPLE_ALPHA_TO_COVERAGE:
+    case LOCAL_GL_SAMPLE_COVERAGE:
+    case LOCAL_GL_TRANSFORM_FEEDBACK_PAUSED:
+    case LOCAL_GL_TRANSFORM_FEEDBACK_ACTIVE:
+    case LOCAL_GL_UNPACK_SKIP_IMAGES:
+    case LOCAL_GL_UNPACK_SKIP_PIXELS:
+    case LOCAL_GL_UNPACK_SKIP_ROWS: {
+      realGLboolean b = 0;
+      gl->fGetBooleanv(pname, &b);
+      return JS::BooleanValue(bool(b));
+    }
+
+    /* GLenum */
+    case LOCAL_GL_READ_BUFFER: {
+      if (mBoundReadFramebuffer) {
+        GLint val = LOCAL_GL_NONE;
+        gl->fGetIntegerv(pname, &val);
+        return JS::Int32Value(val);
+      }
+
+      return JS::Int32Value(LOCAL_GL_BACK);
+    }
+
+    case LOCAL_GL_FRAGMENT_SHADER_DERIVATIVE_HINT:
+      /* fall through */
+
+    /* GLint */
+    case LOCAL_GL_MAX_3D_TEXTURE_SIZE:
+    case LOCAL_GL_MAX_ARRAY_TEXTURE_LAYERS:
+    case LOCAL_GL_MAX_COMBINED_UNIFORM_BLOCKS:
+    case LOCAL_GL_MAX_ELEMENTS_INDICES:
+    case LOCAL_GL_MAX_ELEMENTS_VERTICES:
+    case LOCAL_GL_MAX_FRAGMENT_INPUT_COMPONENTS:
+    case LOCAL_GL_MAX_FRAGMENT_UNIFORM_BLOCKS:
+    case LOCAL_GL_MAX_FRAGMENT_UNIFORM_COMPONENTS:
+    case LOCAL_GL_MAX_PROGRAM_TEXEL_OFFSET:
+    case LOCAL_GL_MAX_SAMPLES:
+    case LOCAL_GL_MAX_TEXTURE_LOD_BIAS:
+    case LOCAL_GL_MAX_TRANSFORM_FEEDBACK_INTERLEAVED_COMPONENTS:
+    case LOCAL_GL_MAX_TRANSFORM_FEEDBACK_SEPARATE_ATTRIBS:
+    case LOCAL_GL_MAX_TRANSFORM_FEEDBACK_SEPARATE_COMPONENTS:
+    case LOCAL_GL_MAX_UNIFORM_BUFFER_BINDINGS:
+    case LOCAL_GL_MAX_VERTEX_OUTPUT_COMPONENTS:
+    case LOCAL_GL_MAX_VERTEX_UNIFORM_BLOCKS:
+    case LOCAL_GL_MAX_VERTEX_UNIFORM_COMPONENTS:
+    case LOCAL_GL_MIN_PROGRAM_TEXEL_OFFSET:
+    case LOCAL_GL_PACK_ROW_LENGTH:
+    case LOCAL_GL_PACK_SKIP_PIXELS:
+    case LOCAL_GL_PACK_SKIP_ROWS:
+    case LOCAL_GL_UNIFORM_BUFFER_OFFSET_ALIGNMENT:
+    case LOCAL_GL_UNPACK_IMAGE_HEIGHT:
+    case LOCAL_GL_UNPACK_ROW_LENGTH: {
+      GLint val;
+      gl->fGetIntegerv(pname, &val);
+      return JS::Int32Value(val);
+    }
+
+    case LOCAL_GL_MAX_VARYING_COMPONENTS: {
+      // On OS X Core Profile this is buggy.  The spec says that the
+      // value is 4 * GL_MAX_VARYING_VECTORS
+      GLint val;
+      gl->fGetIntegerv(LOCAL_GL_MAX_VARYING_VECTORS, &val);
+      return JS::Int32Value(4*val);
+    }
+
+    /* GLint64 */
+    case LOCAL_GL_MAX_CLIENT_WAIT_TIMEOUT_WEBGL:
+      return JS::NumberValue(0); // TODO
+
+    case LOCAL_GL_MAX_ELEMENT_INDEX:
+      // GL_MAX_ELEMENT_INDEX becomes available in GL 4.3 or via ES3
+      // compatibility
+      if (!gl->IsSupported(gl::GLFeature::ES3_compatibility))
+        return JS::NumberValue(0);
+
+      /*** fall through to fGetInteger64v ***/
+
+    case LOCAL_GL_MAX_COMBINED_FRAGMENT_UNIFORM_COMPONENTS:
+    case LOCAL_GL_MAX_COMBINED_VERTEX_UNIFORM_COMPONENTS:
+    case LOCAL_GL_MAX_UNIFORM_BLOCK_SIZE: {
+      GLint64 val;
+      gl->fGetInteger64v(pname, &val);
+      return JS::DoubleValue(static_cast<double>(val));
+    }
+
+
+    /* GLuint64 */
+    case LOCAL_GL_MAX_SERVER_WAIT_TIMEOUT: {
+      GLuint64 val;
+      gl->fGetInteger64v(pname, (GLint64*) &val);
+      return JS::DoubleValue(static_cast<double>(val));
+    }
+
+    case LOCAL_GL_COPY_READ_BUFFER_BINDING:
+      return WebGLObjectAsJSValue(cx, mBoundCopyReadBuffer.get(), rv);
+
+    case LOCAL_GL_COPY_WRITE_BUFFER_BINDING:
+      return WebGLObjectAsJSValue(cx, mBoundCopyWriteBuffer.get(), rv);
+
+    case LOCAL_GL_PIXEL_PACK_BUFFER_BINDING:
+      return WebGLObjectAsJSValue(cx, mBoundPixelPackBuffer.get(), rv);
+
+    case LOCAL_GL_PIXEL_UNPACK_BUFFER_BINDING:
+      return WebGLObjectAsJSValue(cx, mBoundPixelUnpackBuffer.get(), rv);
+
+    case LOCAL_GL_TRANSFORM_FEEDBACK_BUFFER_BINDING:
+      return WebGLObjectAsJSValue(cx, mBoundTransformFeedbackBuffer.get(), rv);
+
+    case LOCAL_GL_UNIFORM_BUFFER_BINDING:
+      return WebGLObjectAsJSValue(cx, mBoundUniformBuffer.get(), rv);
+
+    // DRAW_FRAMEBUFFER_BINDING is the same as FRAMEBUFFER_BINDING.
+    case LOCAL_GL_READ_FRAMEBUFFER_BINDING:
+      return WebGLObjectAsJSValue(cx, mBoundReadFramebuffer.get(), rv);
+
+    case LOCAL_GL_SAMPLER_BINDING:
+      return WebGLObjectAsJSValue(cx, mBoundSamplers[mActiveTexture].get(), rv);
+
+    case LOCAL_GL_TEXTURE_BINDING_2D_ARRAY:
+      // TODO: Implement gl.TEXTURE_2D_ARRAY
+      // return WebGLObjectAsJSValue(cx, mBound2DTextureArrays[mActiveTexture].get(), rv);
+      return JS::NullValue();
+
+    case LOCAL_GL_TEXTURE_BINDING_3D:
+      return WebGLObjectAsJSValue(cx, mBound3DTextures[mActiveTexture].get(), rv);
+
+    case LOCAL_GL_TRANSFORM_FEEDBACK_BINDING: {
+      WebGLTransformFeedback* tf =
+        (mBoundTransformFeedback != mDefaultTransformFeedback) ? mBoundTransformFeedback.get() : nullptr;
+      return WebGLObjectAsJSValue(cx, tf, rv);
+    }
+
+    case LOCAL_GL_VERTEX_ARRAY_BINDING: {
+      WebGLVertexArray* vao =
+        (mBoundVertexArray != mDefaultVertexArray) ? mBoundVertexArray.get() : nullptr;
+      return WebGLObjectAsJSValue(cx, vao, rv);
+    }
+
+    case LOCAL_GL_VERSION:
+      return StringValue(cx, "WebGL 2.0", rv);
+
+    case LOCAL_GL_SHADING_LANGUAGE_VERSION:
+      return StringValue(cx, "WebGL GLSL ES 3.00", rv);
+
+    default:
+      return WebGLContext::GetParameter(cx, pname, rv);
+  }
+}
+
+} // namespace mozilla
diff --git a/dom/canvas/WebGLContext.cpp b/dom/canvas/WebGLContext.cpp
index 97303063b634..a2ebf9d516e2 100644
--- a/dom/canvas/WebGLContext.cpp
+++ b/dom/canvas/WebGLContext.cpp
@@ -325,6 +325,7 @@ WebGLContext::DestroyResourcesAndContext()
     mBound2DTextures.Clear();
     mBoundCubeMapTextures.Clear();
     mBound3DTextures.Clear();
+    mBoundSamplers.Clear();
     mBoundArrayBuffer = nullptr;
     mBoundCopyReadBuffer = nullptr;
     mBoundCopyWriteBuffer = nullptr;
@@ -1949,6 +1950,7 @@ NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(WebGLContext,
   mBound2DTextures,
   mBoundCubeMapTextures,
   mBound3DTextures,
+  mBoundSamplers,
   mBoundArrayBuffer,
   mBoundCopyReadBuffer,
   mBoundCopyWriteBuffer,
diff --git a/dom/canvas/WebGLContext.h b/dom/canvas/WebGLContext.h
index 55c5d802631d..1354c2eafcd2 100644
--- a/dom/canvas/WebGLContext.h
+++ b/dom/canvas/WebGLContext.h
@@ -65,6 +65,16 @@ class nsIDocShell;
 #define MINVALUE_GL_MAX_RENDERBUFFER_SIZE             1024  // Different from the spec, which sets it to 1 on page 164
 #define MINVALUE_GL_MAX_COMBINED_TEXTURE_IMAGE_UNITS  8     // Page 164
 
+/*
+ * WebGL-only GLenums
+ */
+#define LOCAL_GL_BROWSER_DEFAULT_WEBGL                       0x9244
+#define LOCAL_GL_CONTEXT_LOST_WEBGL                          0x9242
+#define LOCAL_GL_MAX_CLIENT_WAIT_TIMEOUT_WEBGL               0x9247
+#define LOCAL_GL_UNPACK_COLORSPACE_CONVERSION_WEBGL          0x9243
+#define LOCAL_GL_UNPACK_FLIP_Y_WEBGL                         0x9240
+#define LOCAL_GL_UNPACK_PREMULTIPLY_ALPHA_WEBGL              0x9241
+
 namespace mozilla {
 
 class WebGLActiveInfo;
@@ -955,7 +965,7 @@ public:
     void Disable(GLenum cap);
     void Enable(GLenum cap);
     bool GetStencilBits(GLint* out_stencilBits);
-    JS::Value GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv);
+    virtual JS::Value GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv);
 
     void GetParameter(JSContext* cx, GLenum pname,
                       JS::MutableHandle<JS::Value> retval, ErrorResult& rv)
@@ -1435,6 +1445,7 @@ protected:
     nsTArray<WebGLRefPtr<WebGLTexture> > mBound2DTextures;
     nsTArray<WebGLRefPtr<WebGLTexture> > mBoundCubeMapTextures;
     nsTArray<WebGLRefPtr<WebGLTexture> > mBound3DTextures;
+    nsTArray<WebGLRefPtr<WebGLSampler> > mBoundSamplers;
 
     void ResolveTexturesForDraw() const;
 
diff --git a/dom/canvas/WebGLContextState.cpp b/dom/canvas/WebGLContextState.cpp
index 0ad586978a03..b24a3ba82f45 100644
--- a/dom/canvas/WebGLContextState.cpp
+++ b/dom/canvas/WebGLContextState.cpp
@@ -58,18 +58,6 @@ WebGLContext::Enable(GLenum cap)
     gl->fEnable(cap);
 }
 
-static JS::Value
-StringValue(JSContext* cx, const char* chars, ErrorResult& rv)
-{
-    JSString* str = JS_NewStringCopyZ(cx, chars);
-    if (!str) {
-        rv.Throw(NS_ERROR_OUT_OF_MEMORY);
-        return JS::NullValue();
-    }
-
-    return JS::StringValue(str);
-}
-
 bool
 WebGLContext::GetStencilBits(GLint* out_stencilBits)
 {
@@ -150,18 +138,15 @@ WebGLContext::GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv)
         } else if (pname >= LOCAL_GL_DRAW_BUFFER0 &&
                    pname < GLenum(LOCAL_GL_DRAW_BUFFER0 + mGLMaxDrawBuffers))
         {
-            if (mBoundDrawFramebuffer) {
-                GLint iv = 0;
-                gl->fGetIntegerv(pname, &iv);
-                return JS::Int32Value(iv);
-            }
-
             GLint iv = 0;
             gl->fGetIntegerv(pname, &iv);
 
-            if (iv == GLint(LOCAL_GL_COLOR_ATTACHMENT0 + pname - LOCAL_GL_DRAW_BUFFER0)) {
+            if (mBoundDrawFramebuffer)
+                return JS::Int32Value(iv);
+
+            const GLint index = (pname - LOCAL_GL_DRAW_BUFFER0);
+            if (iv == LOCAL_GL_COLOR_ATTACHMENT0 + index)
                 return JS::Int32Value(LOCAL_GL_BACK);
-            }
 
             return JS::Int32Value(LOCAL_GL_NONE);
         }
@@ -169,11 +154,9 @@ WebGLContext::GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv)
 
     if (IsExtensionEnabled(WebGLExtensionID::OES_vertex_array_object)) {
         if (pname == LOCAL_GL_VERTEX_ARRAY_BINDING) {
-            if (mBoundVertexArray == mDefaultVertexArray){
-                return WebGLObjectAsJSValue(cx, (WebGLVertexArray *) nullptr, rv);
-            }
-
-            return WebGLObjectAsJSValue(cx, mBoundVertexArray.get(), rv);
+            WebGLVertexArray* vao =
+                (mBoundVertexArray != mDefaultVertexArray) ? mBoundVertexArray.get() : nullptr;
+            return WebGLObjectAsJSValue(cx, vao, rv);
         }
     }
 
@@ -181,10 +164,12 @@ WebGLContext::GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv)
         if (pname == LOCAL_GL_TIMESTAMP_EXT) {
             GLuint64 iv = 0;
             gl->fGetInteger64v(pname, (GLint64*) &iv);
-            return JS::NumberValue(uint64_t(iv));
+            // TODO: JS doesn't support 64-bit integers. Be lossy and
+            // cast to double (53 bits)
+            return JS::NumberValue(static_cast<double>(iv));
         } else if (pname == LOCAL_GL_GPU_DISJOINT_EXT) {
             // When disjoint isn't supported, leave as false.
-            realGLboolean disjoint = 0;
+            realGLboolean disjoint = LOCAL_GL_FALSE;
             if (gl->IsExtensionSupported(gl::GLContext::EXT_disjoint_timer_query)) {
                 gl->fGetBooleanv(pname, &disjoint);
             }
@@ -192,40 +177,35 @@ WebGLContext::GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv)
         }
     }
 
-    if (IsWebGL2()) {
+    // Privileged string params exposed by WEBGL_debug_renderer_info:
+    if (IsExtensionEnabled(WebGLExtensionID::WEBGL_debug_renderer_info)) {
         switch (pname) {
-        case LOCAL_GL_MAX_SAMPLES:
-        case LOCAL_GL_MAX_UNIFORM_BLOCK_SIZE:
-        case LOCAL_GL_MAX_VERTEX_UNIFORM_COMPONENTS: {
-            GLint val;
-            gl->fGetIntegerv(pname, &val);
-            return JS::NumberValue(uint32_t(val));
+        case UNMASKED_VENDOR_WEBGL:
+        case UNMASKED_RENDERER_WEBGL:
+            GLenum glstringname = LOCAL_GL_NONE;
+            if (pname == UNMASKED_VENDOR_WEBGL) {
+                glstringname = LOCAL_GL_VENDOR;
+            } else if (pname == UNMASKED_RENDERER_WEBGL) {
+                glstringname = LOCAL_GL_RENDERER;
+            }
+            const GLchar* string = (const GLchar*) gl->fGetString(glstringname);
+            return StringValue(cx, string, rv);
         }
+    }
 
-        case LOCAL_GL_TEXTURE_BINDING_3D:
-            return WebGLObjectAsJSValue(cx, mBound3DTextures[mActiveTexture].get(), rv);
+    if (IsExtensionEnabled(WebGLExtensionID::OES_standard_derivatives)) {
+        if (pname == LOCAL_GL_FRAGMENT_SHADER_DERIVATIVE_HINT) {
+            GLint i = 0;
+            gl->fGetIntegerv(pname, &i);
+            return JS::Int32Value(i);
+        }
+    }
 
-        // DRAW_FRAMEBUFFER_BINDING is the same as FRAMEBUFFER_BINDING.
-        case LOCAL_GL_READ_FRAMEBUFFER_BINDING:
-            return WebGLObjectAsJSValue(cx, mBoundReadFramebuffer.get(), rv);
-
-        case LOCAL_GL_PIXEL_PACK_BUFFER_BINDING:
-            return WebGLObjectAsJSValue(cx, mBoundPixelPackBuffer.get(), rv);
-
-        case LOCAL_GL_PIXEL_UNPACK_BUFFER_BINDING:
-            return WebGLObjectAsJSValue(cx, mBoundPixelUnpackBuffer.get(), rv);
-
-        case LOCAL_GL_UNIFORM_BUFFER_BINDING:
-            return WebGLObjectAsJSValue(cx, mBoundUniformBuffer.get(), rv);
-
-        case LOCAL_GL_TRANSFORM_FEEDBACK_BUFFER_BINDING:
-            return WebGLObjectAsJSValue(cx, mBoundTransformFeedbackBuffer.get(), rv);
-
-        case LOCAL_GL_COPY_READ_BUFFER_BINDING:
-            return WebGLObjectAsJSValue(cx, mBoundCopyReadBuffer.get(), rv);
-
-        case LOCAL_GL_COPY_WRITE_BUFFER_BINDING:
-            return WebGLObjectAsJSValue(cx, mBoundCopyWriteBuffer.get(), rv);
+    if (IsExtensionEnabled(WebGLExtensionID::EXT_texture_filter_anisotropic)) {
+        if (pname == LOCAL_GL_MAX_TEXTURE_MAX_ANISOTROPY_EXT) {
+            GLfloat f = 0.f;
+            gl->fGetFloatv(pname, &f);
+            return JS::NumberValue(f);
         }
     }
 
@@ -234,42 +214,13 @@ WebGLContext::GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv)
         // String params
         //
         case LOCAL_GL_VENDOR:
-            return StringValue(cx, "Mozilla", rv);
         case LOCAL_GL_RENDERER:
             return StringValue(cx, "Mozilla", rv);
-        case LOCAL_GL_VERSION: {
-            const char* version = 0;
-
-            if (IsWebGL2()) {
-                version = "WebGL 2.0";
-            } else {
-                version = "WebGL 1.0";
-            }
-
-            MOZ_ASSERT(version != 0);
-            return StringValue(cx, version, rv);
-        }
+        case LOCAL_GL_VERSION:
+            return StringValue(cx, "WebGL 1.0", rv);
         case LOCAL_GL_SHADING_LANGUAGE_VERSION:
             return StringValue(cx, "WebGL GLSL ES 1.0", rv);
 
-            // Privileged string params exposed by WEBGL_debug_renderer_info:
-        case UNMASKED_VENDOR_WEBGL:
-        case UNMASKED_RENDERER_WEBGL: {
-            // The privilege check is done in WebGLContext::IsExtensionSupported.
-            // So here we just have to check that the extension is enabled.
-            if (!IsExtensionEnabled(WebGLExtensionID::WEBGL_debug_renderer_info)) {
-                break;
-            }
-            GLenum glstringname = LOCAL_GL_NONE;
-            if (pname == UNMASKED_VENDOR_WEBGL) {
-                glstringname = LOCAL_GL_VENDOR;
-            } else if (pname == UNMASKED_RENDERER_WEBGL) {
-                glstringname = LOCAL_GL_RENDERER;
-            }
-            const char* string = reinterpret_cast<const char*>(gl->fGetString(glstringname));
-            return StringValue(cx, string, rv);
-        }
-
         ////////////////////////////////
         // Single-value params
 
@@ -380,15 +331,6 @@ WebGLContext::GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv)
             }
             return JS::Int32Value(i);
         }
-        case LOCAL_GL_FRAGMENT_SHADER_DERIVATIVE_HINT: {
-            if (IsExtensionEnabled(WebGLExtensionID::OES_standard_derivatives)) {
-                GLint i = 0;
-                gl->fGetIntegerv(pname, &i);
-                return JS::Int32Value(i);
-            } else {
-                break;
-            }
-        }
         case LOCAL_GL_MAX_TEXTURE_SIZE:
             return JS::Int32Value(mGLMaxTextureSize);
 
@@ -417,38 +359,22 @@ WebGLContext::GetParameter(JSContext* cx, GLenum pname, ErrorResult& rv)
             }
             return JS::ObjectOrNullValue(obj);
         }
-        case LOCAL_GL_MAX_TRANSFORM_FEEDBACK_SEPARATE_ATTRIBS: {
-            if (!IsWebGL2()) {
-                break;
-            }
-            return JS::Int32Value(mGLMaxTransformFeedbackSeparateAttribs);
-        }
 
         // unsigned int. here we may have to return very large values like 2^32-1 that can't be represented as
         // javascript integer values. We just return them as doubles and javascript doesn't care.
-        case LOCAL_GL_STENCIL_BACK_VALUE_MASK: {
+        case LOCAL_GL_STENCIL_BACK_VALUE_MASK:
             return JS::DoubleValue(mStencilValueMaskBack); // pass as FP value to allow large values such as 2^32-1.
-        }
-        case LOCAL_GL_STENCIL_BACK_WRITEMASK: {
+
+        case LOCAL_GL_STENCIL_BACK_WRITEMASK:
             return JS::DoubleValue(mStencilWriteMaskBack);
-        }
-        case LOCAL_GL_STENCIL_VALUE_MASK: {
+
+        case LOCAL_GL_STENCIL_VALUE_MASK:
             return JS::DoubleValue(mStencilValueMaskFront);
-        }
-        case LOCAL_GL_STENCIL_WRITEMASK: {
+
+        case LOCAL_GL_STENCIL_WRITEMASK:
             return JS::DoubleValue(mStencilWriteMaskFront);
-        }
 
         // float
-        case LOCAL_GL_MAX_TEXTURE_MAX_ANISOTROPY_EXT: {
-            if (IsExtensionEnabled(WebGLExtensionID::EXT_texture_filter_anisotropic)) {
-                GLfloat f = 0.f;
-                gl->fGetFloatv(pname, &f);
-                return JS::DoubleValue(f);
-            } else {
-                break;
-            }
-        }
         case LOCAL_GL_DEPTH_CLEAR_VALUE:
         case LOCAL_GL_LINE_WIDTH:
         case LOCAL_GL_POLYGON_OFFSET_FACTOR:
diff --git a/dom/canvas/WebGLContextUtils.cpp b/dom/canvas/WebGLContextUtils.cpp
index 69fda519db96..f84e4276a91d 100644
--- a/dom/canvas/WebGLContextUtils.cpp
+++ b/dom/canvas/WebGLContextUtils.cpp
@@ -75,6 +75,18 @@ TexImageTargetToTexTarget(TexImageTarget texImageTarget)
     }
 }
 
+JS::Value
+StringValue(JSContext* cx, const char* chars, ErrorResult& rv)
+{
+    JSString* str = JS_NewStringCopyZ(cx, chars);
+    if (!str) {
+        rv.Throw(NS_ERROR_OUT_OF_MEMORY);
+        return JS::NullValue();
+    }
+
+    return JS::StringValue(str);
+}
+
 GLComponents::GLComponents(TexInternalFormat internalformat)
 {
     TexInternalFormat unsizedformat = UnsizedInternalFormatFromInternalFormat(internalformat);
diff --git a/dom/canvas/WebGLContextUtils.h b/dom/canvas/WebGLContextUtils.h
index d130153f548c..5535ee9fc696 100644
--- a/dom/canvas/WebGLContextUtils.h
+++ b/dom/canvas/WebGLContextUtils.h
@@ -56,6 +56,9 @@ size_t GetBitsPerTexel(TexInternalFormat effectiveinternalformat);
 // Returns GL_NONE if passed an invalid texture image target
 TexTarget TexImageTargetToTexTarget(TexImageTarget texImageTarget);
 
+// Helper function to create a JS::Value from a C string
+JS::Value StringValue(JSContext* cx, const char* str, ErrorResult& rv);
+
 struct GLComponents
 {
     unsigned char mComponents;
diff --git a/dom/canvas/WebGLContextValidate.cpp b/dom/canvas/WebGLContextValidate.cpp
index 846401c1cc26..44bdb74a2790 100644
--- a/dom/canvas/WebGLContextValidate.cpp
+++ b/dom/canvas/WebGLContextValidate.cpp
@@ -1755,6 +1755,7 @@ WebGLContext::InitAndValidateGL()
     mBound2DTextures.Clear();
     mBoundCubeMapTextures.Clear();
     mBound3DTextures.Clear();
+    mBoundSamplers.Clear();
 
     mBoundArrayBuffer = nullptr;
     mBoundTransformFeedbackBuffer = nullptr;
@@ -1798,6 +1799,7 @@ WebGLContext::InitAndValidateGL()
     mBound2DTextures.SetLength(mGLMaxTextureUnits);
     mBoundCubeMapTextures.SetLength(mGLMaxTextureUnits);
     mBound3DTextures.SetLength(mGLMaxTextureUnits);
+    mBoundSamplers.SetLength(mGLMaxTextureUnits);
 
     if (MinCapabilityMode()) {
         mGLMaxTextureSize = MINVALUE_GL_MAX_TEXTURE_SIZE;
diff --git a/dom/canvas/WebGLTimerQuery.h b/dom/canvas/WebGLTimerQuery.h
index d1224e931754..9f6205e9e18f 100644
--- a/dom/canvas/WebGLTimerQuery.h
+++ b/dom/canvas/WebGLTimerQuery.h
@@ -7,6 +7,7 @@
 #ifndef WEBGL_TIMER_QUERY_H_
 #define WEBGL_TIMER_QUERY_H_
 
+#include "GLConsts.h"
 #include "nsWrapperCache.h"
 #include "WebGLObjectModel.h"
 
diff --git a/dom/canvas/moz.build b/dom/canvas/moz.build
index e8b1541be24d..69367f4cd61a 100644
--- a/dom/canvas/moz.build
+++ b/dom/canvas/moz.build
@@ -61,6 +61,7 @@ UNIFIED_SOURCES += [
     'WebGL2ContextPrograms.cpp',
     'WebGL2ContextQueries.cpp',
     'WebGL2ContextSamplers.cpp',
+    'WebGL2ContextState.cpp',
     'WebGL2ContextSync.cpp',
     'WebGL2ContextTextures.cpp',
     'WebGL2ContextTransformFeedback.cpp',
diff --git a/dom/canvas/test/mochitest.ini b/dom/canvas/test/mochitest.ini
index f6e370d5d504..6be7e59f67d0 100644
--- a/dom/canvas/test/mochitest.ini
+++ b/dom/canvas/test/mochitest.ini
@@ -249,3 +249,4 @@ skip-if = (buildapp == 'b2g' && toolkit != 'gonk') # bug 1040965
 [test_2d_composite_canvaspattern_setTransform.html]
 [test_createPattern_broken.html]
 [test_setlinedash.html]
+[test_filter.html]
diff --git a/dom/canvas/test/reftest/filters/default-color.html b/dom/canvas/test/reftest/filters/default-color.html
new file mode 100644
index 000000000000..82fb5eda3841
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/default-color.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'drop-shadow(0 10px)';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/drop-shadow-transformed.html b/dom/canvas/test/reftest/filters/drop-shadow-transformed.html
new file mode 100644
index 000000000000..0cf33deea82b
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/drop-shadow-transformed.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.fillStyle = '#0f0';
+ctx.scale(-1, -1);
+ctx.filter = 'drop-shadow(0 10px black)';
+ctx.fillRect(-75, -65, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/drop-shadow.html b/dom/canvas/test/reftest/filters/drop-shadow.html
new file mode 100644
index 000000000000..6977b7d5e03b
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/drop-shadow.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'drop-shadow(0 10px black)';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/global-alpha-ref.html b/dom/canvas/test/reftest/filters/global-alpha-ref.html
new file mode 100644
index 000000000000..2577581401ff
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/global-alpha-ref.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.globalAlpha = 0.5;
+ctx.fillStyle = '#000';
+ctx.fillRect(25, 35, 50, 40);
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/global-alpha.html b/dom/canvas/test/reftest/filters/global-alpha.html
new file mode 100644
index 000000000000..4676e00605e0
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/global-alpha.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'drop-shadow(0 10px black)';
+ctx.globalAlpha = 0.5;
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/global-composite-operation-ref.html b/dom/canvas/test/reftest/filters/global-composite-operation-ref.html
new file mode 100644
index 000000000000..cad90893544c
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/global-composite-operation-ref.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.fillStyle = '#000';
+ctx.arc(50, 50, 25, 0, Math.PI * 2, true);
+ctx.fill();
+
+var tmp_canvas = canvas.cloneNode();
+var tmp_ctx = tmp_canvas.getContext('2d');
+tmp_ctx.fillStyle = '#0f0';
+tmp_ctx.fillRect(25, 25, 50, 50);
+tmp_ctx.fillStyle = '#000';
+tmp_ctx.fillRect(25, 65, 50, 10);
+
+ctx.globalCompositeOperation = 'source-in';
+ctx.drawImage(tmp_canvas, 0, 0);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/global-composite-operation.html b/dom/canvas/test/reftest/filters/global-composite-operation.html
new file mode 100644
index 000000000000..61a6f206a30e
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/global-composite-operation.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.fillStyle = '#000';
+ctx.arc(50, 50, 25, 0, Math.PI * 2, true);
+ctx.fill();
+
+ctx.filter = 'drop-shadow(0 10px black)';
+ctx.globalCompositeOperation = 'source-in';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/liveness.html b/dom/canvas/test/reftest/filters/liveness.html
new file mode 100644
index 000000000000..389505179693
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/liveness.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.font = '10px sans-serif';
+ctx.filter = 'drop-shadow(0 .5em black)';
+ctx.font = '20px sans-serif';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/multiple-drop-shadows.html b/dom/canvas/test/reftest/filters/multiple-drop-shadows.html
new file mode 100644
index 000000000000..f8d9261c65f3
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/multiple-drop-shadows.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.fillStyle = '#0f0';
+ctx.filter = 'drop-shadow(0 10px black) drop-shadow(10px 0 #ccc)';
+ctx.fillRect(20, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/ref.html b/dom/canvas/test/reftest/filters/ref.html
new file mode 100644
index 000000000000..bb634fe66d47
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/ref.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+ctx.fillStyle = '#000';
+ctx.fillRect(25, 65, 50, 10);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/reftest.list b/dom/canvas/test/reftest/filters/reftest.list
new file mode 100644
index 000000000000..9dd1d8c47608
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/reftest.list
@@ -0,0 +1,20 @@
+default-preferences pref(canvas.filters.enabled,true)
+
+== default-color.html ref.html
+== drop-shadow.html ref.html
+== drop-shadow-transformed.html ref.html
+== global-alpha.html global-alpha-ref.html
+== global-composite-operation.html global-composite-operation-ref.html
+== liveness.html ref.html
+== multiple-drop-shadows.html shadow-ref.html
+== shadow.html shadow-ref.html
+== subregion-fill-paint.html subregion-ref.html
+== subregion-stroke-paint.html subregion-ref.html
+== svg-bbox.html svg-bbox-ref.html
+== svg-inline.html ref.html
+== svg-liveness.html ref.html
+== svg-off-screen.html ref.html
+== units.html ref.html
+== units-em.html ref.html
+== units-ex.html ref.html
+== units-off-screen.html ref.html
diff --git a/dom/canvas/test/reftest/filters/shadow-ref.html b/dom/canvas/test/reftest/filters/shadow-ref.html
new file mode 100644
index 000000000000..736c5f94dd8a
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/shadow-ref.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.fillStyle = '#0f0';
+ctx.shadowOffsetX = 10;
+ctx.shadowColor = '#ccc';
+ctx.fillRect(20, 25, 50, 40);
+ctx.fillStyle = '#000';
+ctx.fillRect(20, 65, 50, 10);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/shadow.html b/dom/canvas/test/reftest/filters/shadow.html
new file mode 100644
index 000000000000..61de33bdc2b8
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/shadow.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.fillStyle = '#0f0';
+ctx.filter = 'drop-shadow(0 10px black)';
+ctx.shadowOffsetX = 10;
+ctx.shadowColor = '#ccc';
+ctx.fillRect(20, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/subregion-fill-paint.html b/dom/canvas/test/reftest/filters/subregion-fill-paint.html
new file mode 100644
index 000000000000..854190359f23
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/subregion-fill-paint.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<body>
+<svg style="display: block; width: 0; height: 0">
+  <defs>
+    <filter id="merge" primitiveUnits="objectBoundingBox">
+      <feMerge x="25%" y="25%" width="50%" height="50%">
+        <feMergeNode in="SourceGraphic"/>
+        <feMergeNode in="FillPaint"/>
+      </feMerge>
+    </filter>
+  </defs>
+</svg>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'url(#merge)';
+ctx.fillStyle = '#0f0';
+ctx.arc(50, 50, 25, 0, Math.PI * 2, true);
+ctx.fill();
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/subregion-ref.html b/dom/canvas/test/reftest/filters/subregion-ref.html
new file mode 100644
index 000000000000..97b231b94657
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/subregion-ref.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 50);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/subregion-stroke-paint.html b/dom/canvas/test/reftest/filters/subregion-stroke-paint.html
new file mode 100644
index 000000000000..24ed92a9be13
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/subregion-stroke-paint.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<body>
+<svg style="display: block; width: 0; height: 0">
+  <defs>
+    <filter id="merge" primitiveUnits="objectBoundingBox">
+      <feMerge x="25%" y="25%" width="50%" height="50%">
+        <feMergeNode in="SourceGraphic"/>
+        <feMergeNode in="StrokePaint"/>
+      </feMerge>
+    </filter>
+  </defs>
+</svg>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'url(#merge)';
+ctx.strokeStyle = '#0f0';
+ctx.arc(50, 50, 25, 0, Math.PI * 2, true);
+ctx.fill();
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/svg-bbox-ref.html b/dom/canvas/test/reftest/filters/svg-bbox-ref.html
new file mode 100644
index 000000000000..323cea948aad
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/svg-bbox-ref.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.fillStyle = '#0f0';
+ctx.fillRect(0, 0, 100, 100);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/svg-bbox.html b/dom/canvas/test/reftest/filters/svg-bbox.html
new file mode 100644
index 000000000000..f25e26355d8b
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/svg-bbox.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<body>
+<svg style="display: block; width: 0; height: 0">
+  <defs>
+    <filter id="color-matrix">
+      <feColorMatrix type="matrix" in="SourceGraphic"
+        values="0 0 0 0 0 
+                0 0 0 0 255 
+                0 0 0 0 0 
+                0 0 0 0 255"/>
+    </filter>
+  </defs>
+</svg>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'url(#color-matrix)';
+ctx.fillStyle = '#fff';
+ctx.fillRect(25, 25, 50, 50);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/svg-inline.html b/dom/canvas/test/reftest/filters/svg-inline.html
new file mode 100644
index 000000000000..f9be99800a35
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/svg-inline.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<body>
+<svg style="display: block; width: 0; height: 0">
+  <defs>
+    <filter id="drop-shadow">
+      <feGaussianBlur in="SourceAlpha" stdDeviation="0"/>
+      <feOffset dx="0" dy="10" result="offsetblur"/>
+      <feFlood flood-color="rgba(0,0,0,1)"/>
+      <feComposite in2="offsetblur" operator="in"/>
+      <feMerge>
+        <feMergeNode/>
+        <feMergeNode in="SourceGraphic"/>
+      </feMerge>
+    </filter>
+  </defs>
+</svg>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'url(#drop-shadow)';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/svg-liveness.html b/dom/canvas/test/reftest/filters/svg-liveness.html
new file mode 100644
index 000000000000..732fe7562f98
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/svg-liveness.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+
+var svg = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
+svg.setAttribute('style', 'display: block; width: 0; height: 0');
+
+var defs = document.createElementNS('http://www.w3.org/2000/svg', 'defs');
+
+var dropShadowFilter = document.createElementNS('http://www.w3.org/2000/svg', 'filter');
+dropShadowFilter.setAttribute('id', 'drop-shadow');
+
+var gaussianFilter = document.createElementNS('http://www.w3.org/2000/svg', 'feGaussianBlur');
+gaussianFilter.setAttribute('in', 'SourceAlpha');
+gaussianFilter.setAttribute('stdDeviation', '0');
+dropShadowFilter.appendChild(gaussianFilter);
+
+var offset = document.createElementNS('http://www.w3.org/2000/svg', 'feOffset');
+offset.setAttribute('dx', '0');
+offset.setAttribute('dy', '0');
+offset.setAttribute('result', 'offsetblur');
+dropShadowFilter.appendChild(offset);
+
+var flood = document.createElementNS('http://www.w3.org/2000/svg', 'feFlood');
+flood.setAttribute('flood-color', 'rgba(0,0,0,1)');
+dropShadowFilter.appendChild(flood);
+
+var composite = document.createElementNS('http://www.w3.org/2000/svg', 'feComposite');
+composite.setAttribute('in2', 'offsetblur');
+composite.setAttribute('operator', 'in');
+dropShadowFilter.appendChild(composite);
+
+var merge = document.createElementNS('http://www.w3.org/2000/svg', 'feMerge');
+var mergeNode = document.createElementNS('http://www.w3.org/2000/svg', 'feMergeNode');
+merge.appendChild(mergeNode);
+
+var mergeNode = document.createElementNS('http://www.w3.org/2000/svg', 'feMergeNode');
+mergeNode.setAttribute('in', 'SourceGraphic');
+merge.appendChild(mergeNode);
+dropShadowFilter.appendChild(merge);
+
+defs.appendChild(dropShadowFilter);
+svg.appendChild(defs);
+
+document.body.appendChild(svg);
+
+</script>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'url(#drop-shadow)';
+
+offset.setAttribute('dy', '10');
+
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/svg-off-screen.html b/dom/canvas/test/reftest/filters/svg-off-screen.html
new file mode 100644
index 000000000000..1aa22cd99057
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/svg-off-screen.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<body>
+<svg style="display: block; width: 0; height: 0">
+  <defs>
+    <filter id="drop-shadow">
+    <feGaussianBlur in="SourceAlpha" stdDeviation="0"/>
+    <feOffset dx="0" dy="10" result="offsetblur"/>
+    <feFlood flood-color="rgba(0,0,0,1)"/>
+    <feComposite in2="offsetblur" operator="in"/>
+      <feMerge>
+        <feMergeNode/>
+        <feMergeNode in="SourceGraphic"/>
+      </feMerge>
+    </filter>
+  </defs>
+</svg>
+<script>
+
+var canvas = document.createElement('canvas');
+canvas.width = 100;
+canvas.height = 100;
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'url(#drop-shadow)';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+document.body.appendChild(canvas);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/units-em.html b/dom/canvas/test/reftest/filters/units-em.html
new file mode 100644
index 000000000000..1f280c1b5b8f
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/units-em.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.font = '20px sans-serif';
+ctx.filter = 'drop-shadow(0 .5em black)';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 25, 40);
+
+canvas.style.fontSize = '5px';
+ctx.font = '4em sans-serif';
+ctx.filter = 'drop-shadow(0 .5em black)';
diff --git a/dom/canvas/test/reftest/filters/units-ex.html b/dom/canvas/test/reftest/filters/units-ex.html
new file mode 100644
index 000000000000..3bf4fadd74e3
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/units-ex.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.font = '10px sans-serif';
+ctx.filter = 'drop-shadow(0 2ex black)';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/units-off-screen.html b/dom/canvas/test/reftest/filters/units-off-screen.html
new file mode 100644
index 000000000000..879e575c1086
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/units-off-screen.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+
+var canvas = document.createElement('canvas');
+canvas.width = 500;
+canvas.height = 500;
+canvas.style.width = '100px';
+canvas.style.height = '100px';
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'drop-shadow(0 50px black)';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(125, 125, 250, 200);
+
+document.body.appendChild(canvas);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/units-pt.html b/dom/canvas/test/reftest/filters/units-pt.html
new file mode 100644
index 000000000000..74fecb3d818d
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/units-pt.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="100" height="100"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'drop-shadow(0 10mm black)';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(25, 25, 50, 40);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/reftest/filters/units.html b/dom/canvas/test/reftest/filters/units.html
new file mode 100644
index 000000000000..d12abdeb139a
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/units.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="canvas" width="500" height="500" style="width: 100px; height: 100px"></canvas>
+<script>
+
+var canvas = document.getElementById('canvas');
+var ctx = canvas.getContext('2d');
+
+ctx.filter = 'drop-shadow(0 50px black)';
+ctx.fillStyle = '#0f0';
+ctx.fillRect(125, 125, 250, 200);
+
+</script>
+</body>
+</html>
diff --git a/dom/canvas/test/test_filter.html b/dom/canvas/test/test_filter.html
new file mode 100644
index 000000000000..f4cac00a4bb5
--- /dev/null
+++ b/dom/canvas/test/test_filter.html
@@ -0,0 +1,45 @@
+<!DOCTYPE HTML>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" href="/tests/SimpleTest/test.css">
+<body>
+<script>
+
+SpecialPowers.pushPrefEnv({ 'set': [['canvas.filters.enabled', true]] }, function () {
+
+  var canvas = document.createElement('canvas');
+  var ctx = canvas.getContext('2d');
+
+  is(ctx.filter, 'none', 'filter should intialy be set to \'none\'');
+  ctx.filter = 'blur(5px)';
+  is(ctx.filter, 'blur(5px)', 'valid filter should round-trip');
+
+  ctx.save();
+  ctx.filter = 'none';
+  is(ctx.filter, 'none', 'none should unset the filter');
+  ctx.restore();
+  is(ctx.filter, 'blur(5px)', 'filter should be part of the state');
+
+  ctx.filter = 'blur(10)';
+  is(ctx.filter, 'blur(5px)', 'invalid filter should be ignored');
+  ctx.filter = 'blur 10px';
+  is(ctx.filter, 'blur(5px)', 'syntax error should be ignored');
+
+  ctx.filter = 'inherit';
+  is(ctx.filter, 'blur(5px)', 'inherit should be ignored');
+  ctx.filter = 'initial';
+  is(ctx.filter, 'blur(5px)', 'initial should be ignored');
+
+  ctx.filter = '';
+  is(ctx.filter, 'blur(5px)', 'empty string should be ignored and not unset the filter');
+  ctx.filter = null;
+  is(ctx.filter, 'blur(5px)', 'null should be ignored and not unset the filter');
+  ctx.filter = undefined;
+  is(ctx.filter, 'blur(5px)', 'undefined should be ignored and not unset the filter');
+
+  SimpleTest.finish();
+  
+});
+
+SimpleTest.waitForExplicitFinish();
+
+</script>
diff --git a/dom/events/test/test_all_synthetic_events.html b/dom/events/test/test_all_synthetic_events.html
index fc8bdef18bb3..9cf5fc6ac210 100644
--- a/dom/events/test/test_all_synthetic_events.html
+++ b/dom/events/test/test_all_synthetic_events.html
@@ -427,6 +427,10 @@ const kEventConstructors = {
                                                          return e;
                                                        },
                                              },
+  SpeechRecognitionError:                    { create: function (aName, aProps) {
+                                                         return new SpeechRecognitionError(aName, aProps);
+                                                       },
+                                             },
   SpeechRecognitionEvent:                    { create: function (aName, aProps) {
                                                          return new SpeechRecognitionEvent(aName, aProps);
                                                        },
diff --git a/dom/html/HTMLImageElement.cpp b/dom/html/HTMLImageElement.cpp
index d7e89f108bfa..aac2e44afbca 100644
--- a/dom/html/HTMLImageElement.cpp
+++ b/dom/html/HTMLImageElement.cpp
@@ -17,8 +17,6 @@
 #include "nsIURL.h"
 #include "nsIIOService.h"
 #include "nsIServiceManager.h"
-#include "nsIAppShell.h"
-#include "nsWidgetsCID.h"
 #include "nsNetUtil.h"
 #include "nsContentUtils.h"
 #include "nsContainerFrame.h"
@@ -53,8 +51,6 @@
 #include "mozilla/Preferences.h"
 static const char *kPrefSrcsetEnabled = "dom.image.srcset.enabled";
 
-static NS_DEFINE_CID(kAppShellCID, NS_APPSHELL_CID);
-
 NS_IMPL_NS_NEW_HTML_ELEMENT(Image)
 
 #ifdef DEBUG
@@ -882,15 +878,11 @@ HTMLImageElement::QueueImageLoadTask()
     return;
   }
 
-  // The task checks this to determine if it was the last queued event, so this
-  // implicitly cancels earlier tasks
-  mPendingImageLoadTask = new ImageLoadTask(this);
-  nsCOMPtr<nsIAppShell> appShell = do_GetService(kAppShellCID);
-  if (appShell) {
-    appShell->RunInStableState(mPendingImageLoadTask);
-  } else {
-    MOZ_ASSERT(false, "expect appshell for HTMLImageElement");
-  }
+  nsCOMPtr<nsIRunnable> task = new ImageLoadTask(this);
+  // The task checks this to determine if it was the last
+  // queued event, and so earlier tasks are implicitly canceled.
+  mPendingImageLoadTask = task;
+  nsContentUtils::RunInStableState(task.forget());
 }
 
 bool
diff --git a/dom/html/HTMLMediaElement.cpp b/dom/html/HTMLMediaElement.cpp
index c5c61c26f844..182183fc7e89 100644
--- a/dom/html/HTMLMediaElement.cpp
+++ b/dom/html/HTMLMediaElement.cpp
@@ -61,8 +61,6 @@
 #include "Layers.h"
 #include <limits>
 #include "nsIAsyncVerifyRedirectCallback.h"
-#include "nsIAppShell.h"
-#include "nsWidgetsCID.h"
 #include "nsMediaFragmentURIParser.h"
 #include "nsURIHashKey.h"
 #include "nsJSUtils.h"
@@ -758,13 +756,10 @@ public:
   }
 };
 
-static NS_DEFINE_CID(kAppShellCID, NS_APPSHELL_CID);
-
 void HTMLMediaElement::RunInStableState(nsIRunnable* aRunnable)
 {
   nsCOMPtr<nsIRunnable> event = new nsSyncSection(this, aRunnable);
-  nsCOMPtr<nsIAppShell> appShell = do_GetService(kAppShellCID);
-  appShell->RunInStableState(event);
+  nsContentUtils::RunInStableState(event.forget());
 }
 
 void HTMLMediaElement::QueueLoadFromSourceTask()
diff --git a/dom/html/HTMLObjectElement.cpp b/dom/html/HTMLObjectElement.cpp
index 3150ba26be0f..3714c2839fef 100644
--- a/dom/html/HTMLObjectElement.cpp
+++ b/dom/html/HTMLObjectElement.cpp
@@ -161,7 +161,12 @@ HTMLObjectElement::OnFocusBlurPlugin(Element* aElement, bool aFocus)
     nsCOMPtr<nsIObjectLoadingContent> olc = do_QueryInterface(aElement);
     bool hasRunningPlugin = false;
     if (olc) {
-      olc->GetHasRunningPlugin(&hasRunningPlugin);
+      // nsIObjectLoadingContent::GetHasRunningPlugin() fails when
+      // nsContentUtils::IsCallerChrome() returns false (which it can do even
+      // when we're processing a trusted focus event).  We work around this by
+      // calling nsObjectLoadingContent::HasRunningPlugin() directly.
+      hasRunningPlugin =
+        static_cast<nsObjectLoadingContent*>(olc.get())->HasRunningPlugin();
     }
     if (!hasRunningPlugin) {
       aFocus = false;
diff --git a/dom/html/nsBrowserElement.cpp b/dom/html/nsBrowserElement.cpp
index 4aab917961ec..5a84096d80fc 100644
--- a/dom/html/nsBrowserElement.cpp
+++ b/dom/html/nsBrowserElement.cpp
@@ -376,6 +376,62 @@ nsBrowserElement::GetContentDimensions(ErrorResult& aRv)
   return req.forget().downcast<DOMRequest>();
 }
 
+void
+nsBrowserElement::FindAll(const nsAString& aSearchString,
+                          BrowserFindCaseSensitivity aCaseSensitivity,
+                          ErrorResult& aRv)
+{
+  NS_ENSURE_TRUE_VOID(IsBrowserElementOrThrow(aRv));
+  NS_ENSURE_TRUE_VOID(IsNotWidgetOrThrow(aRv));
+
+  uint32_t caseSensitivity;
+  if (aCaseSensitivity == BrowserFindCaseSensitivity::Case_insensitive) {
+    caseSensitivity = nsIBrowserElementAPI::FIND_CASE_INSENSITIVE;
+  } else {
+    caseSensitivity = nsIBrowserElementAPI::FIND_CASE_SENSITIVE;
+  }
+
+  nsresult rv = mBrowserElementAPI->FindAll(aSearchString, caseSensitivity);
+
+  if (NS_FAILED(rv)) {
+    aRv.Throw(rv);
+  }
+}
+
+void
+nsBrowserElement::FindNext(BrowserFindDirection aDirection,
+                          ErrorResult& aRv)
+{
+  NS_ENSURE_TRUE_VOID(IsBrowserElementOrThrow(aRv));
+  NS_ENSURE_TRUE_VOID(IsNotWidgetOrThrow(aRv));
+
+  uint32_t direction;
+  if (aDirection == BrowserFindDirection::Backward) {
+    direction = nsIBrowserElementAPI::FIND_BACKWARD;
+  } else {
+    direction = nsIBrowserElementAPI::FIND_FORWARD;
+  }
+
+  nsresult rv = mBrowserElementAPI->FindNext(direction);
+
+  if (NS_FAILED(rv)) {
+    aRv.Throw(rv);
+  }
+}
+
+void
+nsBrowserElement::ClearMatch(ErrorResult& aRv)
+{
+  NS_ENSURE_TRUE_VOID(IsBrowserElementOrThrow(aRv));
+  NS_ENSURE_TRUE_VOID(IsNotWidgetOrThrow(aRv));
+
+  nsresult rv = mBrowserElementAPI->ClearMatch();
+
+  if (NS_FAILED(rv)) {
+    aRv.Throw(rv);
+  }
+}
+
 void
 nsBrowserElement::AddNextPaintListener(BrowserElementNextPaintEventCallback& aListener,
                                        ErrorResult& aRv)
diff --git a/dom/html/nsBrowserElement.h b/dom/html/nsBrowserElement.h
index 2270a7fe864d..d30c8b3c2193 100644
--- a/dom/html/nsBrowserElement.h
+++ b/dom/html/nsBrowserElement.h
@@ -20,6 +20,8 @@ namespace dom {
 struct BrowserElementDownloadOptions;
 class BrowserElementNextPaintEventCallback;
 class DOMRequest;
+enum class BrowserFindCaseSensitivity: uint32_t;
+enum class BrowserFindDirection: uint32_t;
 } // namespace dom
 
 class ErrorResult;
@@ -80,6 +82,11 @@ public:
   already_AddRefed<dom::DOMRequest> GetCanGoForward(ErrorResult& aRv);
   already_AddRefed<dom::DOMRequest> GetContentDimensions(ErrorResult& aRv);
 
+  void FindAll(const nsAString& aSearchString, dom::BrowserFindCaseSensitivity aCaseSensitivity,
+               ErrorResult& aRv);
+  void FindNext(dom::BrowserFindDirection aDirection, ErrorResult& aRv);
+  void ClearMatch(ErrorResult& aRv);
+
   void AddNextPaintListener(dom::BrowserElementNextPaintEventCallback& listener,
                             ErrorResult& aRv);
   void RemoveNextPaintListener(dom::BrowserElementNextPaintEventCallback& listener,
diff --git a/dom/indexedDB/ActorsChild.cpp b/dom/indexedDB/ActorsChild.cpp
index 008ed9e8e8a0..1212f1914e7b 100644
--- a/dom/indexedDB/ActorsChild.cpp
+++ b/dom/indexedDB/ActorsChild.cpp
@@ -2518,6 +2518,7 @@ BackgroundCursorChild::HandleResponse(
   auto& response = const_cast<ObjectStoreCursorResponse&>(aResponse);
 
   StructuredCloneReadInfo cloneReadInfo(Move(response.cloneInfo()));
+  cloneReadInfo.mDatabase = mTransaction->Database();
 
   ConvertActorsToBlobs(mTransaction->Database(),
                        response.cloneInfo(),
@@ -2579,6 +2580,7 @@ BackgroundCursorChild::HandleResponse(const IndexCursorResponse& aResponse)
   auto& response = const_cast<IndexCursorResponse&>(aResponse);
 
   StructuredCloneReadInfo cloneReadInfo(Move(response.cloneInfo()));
+  cloneReadInfo.mDatabase = mTransaction->Database();
 
   ConvertActorsToBlobs(mTransaction->Database(),
                        aResponse.cloneInfo(),
diff --git a/dom/indexedDB/IDBFactory.cpp b/dom/indexedDB/IDBFactory.cpp
index 722666cbd4b2..6d757dbc24d4 100644
--- a/dom/indexedDB/IDBFactory.cpp
+++ b/dom/indexedDB/IDBFactory.cpp
@@ -367,15 +367,14 @@ IDBFactory::AllowedForWindowInternal(nsPIDOMWindow* aWindow,
     return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR;
   }
 
-  if (nsContentUtils::IsSystemPrincipal(principal)) {
-    principal.forget(aPrincipal);
-    return NS_OK;
+  bool isSystemPrincipal;
+  if (!AllowedForPrincipal(principal, &isSystemPrincipal)) {
+    return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR;
   }
 
-  bool isNullPrincipal;
-  if (NS_WARN_IF(NS_FAILED(principal->GetIsNullPrincipal(&isNullPrincipal))) ||
-      isNullPrincipal) {
-    return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR;
+  if (isSystemPrincipal) {
+    principal.forget(aPrincipal);
+    return NS_OK;
   }
 
   // Whitelist about:home, since it doesn't have a base domain it would not
@@ -424,6 +423,36 @@ IDBFactory::AllowedForWindowInternal(nsPIDOMWindow* aWindow,
   return NS_OK;
 }
 
+// static
+bool
+IDBFactory::AllowedForPrincipal(nsIPrincipal* aPrincipal,
+                                bool* aIsSystemPrincipal)
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MOZ_ASSERT(aPrincipal);
+
+  if (NS_WARN_IF(!IndexedDatabaseManager::GetOrCreate())) {
+    return false;
+  }
+
+  if (nsContentUtils::IsSystemPrincipal(aPrincipal)) {
+    if (aIsSystemPrincipal) {
+      *aIsSystemPrincipal = true;
+    }
+    return true;
+  } else if (aIsSystemPrincipal) {
+    *aIsSystemPrincipal = false;
+  }
+
+  bool isNullPrincipal;
+  if (NS_WARN_IF(NS_FAILED(aPrincipal->GetIsNullPrincipal(&isNullPrincipal))) ||
+      isNullPrincipal) {
+    return false;
+  }
+
+  return true;
+}
+
 #ifdef DEBUG
 
 void
diff --git a/dom/indexedDB/IDBFactory.h b/dom/indexedDB/IDBFactory.h
index deab1a976f64..bebd4da9c3b3 100644
--- a/dom/indexedDB/IDBFactory.h
+++ b/dom/indexedDB/IDBFactory.h
@@ -105,6 +105,10 @@ public:
   static bool
   AllowedForWindow(nsPIDOMWindow* aWindow);
 
+  static bool
+  AllowedForPrincipal(nsIPrincipal* aPrincipal,
+                      bool* aIsSystemPrincipal = nullptr);
+
   void
   AssertIsOnOwningThread() const
 #ifdef DEBUG
diff --git a/dom/indexedDB/test/mochitest.ini b/dom/indexedDB/test/mochitest.ini
index 0e2444dc614b..c5f154bb3363 100644
--- a/dom/indexedDB/test/mochitest.ini
+++ b/dom/indexedDB/test/mochitest.ini
@@ -12,6 +12,8 @@ support-files =
   file_app_isolation.js
   helpers.js
   leaving_page_iframe.html
+  service_worker.js
+  service_worker_client.html
   third_party_iframe1.html
   third_party_iframe2.html
   unit/test_add_put.js
@@ -196,6 +198,9 @@ skip-if = buildapp == 'b2g' || buildapp == 'mulet' || e10s
 [test_filehandle_getFile.html]
 # FileHandle is not supported in child processes.
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || e10s
+[test_filehandle_iteration.html]
+# FileHandle is not supported in child processes.
+skip-if = buildapp == 'b2g' || buildapp == 'mulet' || e10s
 [test_filehandle_lifetimes.html]
 # FileHandle is not supported in child processes.
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || e10s
@@ -374,3 +379,5 @@ skip-if = buildapp == 'b2g' || buildapp == 'mulet' || e10s || toolkit == 'androi
 # The clearBrowserData tests are only supposed to run in the main process.
 # They currently time out on android.
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || e10s || toolkit == 'android'
+[test_serviceworker.html]
+skip-if = buildapp == 'b2g'
diff --git a/dom/indexedDB/test/service_worker.js b/dom/indexedDB/test/service_worker.js
new file mode 100644
index 000000000000..eb8fd7f6637a
--- /dev/null
+++ b/dom/indexedDB/test/service_worker.js
@@ -0,0 +1,10 @@
+onmessage = function(e) {
+  self.clients.matchAll().then(function(res) {
+    if (!res.length) {
+      dump("Error: no clients are currently controlled.\n");
+      return;
+    }
+    res[0].postMessage(indexedDB ? { available: true } :
+                                   { available: false });
+  });
+};
diff --git a/dom/indexedDB/test/service_worker_client.html b/dom/indexedDB/test/service_worker_client.html
new file mode 100644
index 000000000000..c1c98eaabbdc
--- /dev/null
+++ b/dom/indexedDB/test/service_worker_client.html
@@ -0,0 +1,28 @@
+<!--
+  Any copyright is dedicated to the Public Domain.
+  http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>controlled page</title>
+<script class="testbody" type="text/javascript">
+  if (!parent) {
+      info("service_worker_client.html should not be launched directly!");
+  }
+
+  window.onload = function() {
+    navigator.serviceWorker.onmessage = function(msg) {
+      // Forward messages coming from the service worker to the test page.
+      parent.postMessage(msg.data, "*");
+    };
+    navigator.serviceWorker.ready.then(function(swr) {
+      parent.postMessage("READY", "*");
+    });
+  }
+</script>
+
+</head>
+<body>
+</body>
+</html>
diff --git a/dom/indexedDB/test/test_filehandle_iteration.html b/dom/indexedDB/test/test_filehandle_iteration.html
new file mode 100644
index 000000000000..ebbc8b8beff0
--- /dev/null
+++ b/dom/indexedDB/test/test_filehandle_iteration.html
@@ -0,0 +1,77 @@
+<!--
+  Any copyright is dedicated to the Public Domain.
+  http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<html>
+<head>
+  <title>Indexed Database Property Test</title>
+
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+
+  <script type="text/javascript;version=1.7">
+  function testSteps()
+  {
+    const dbName = window.location.pathname;
+    const dbVersion = 1;
+    const objectStoreName = "foo";
+    const entryCount = 10;
+
+    let request = indexedDB.open(dbName, dbVersion);
+    request.onerror = errorHandler;
+    request.onupgradeneeded = grabEventAndContinueHandler;
+    request.onsuccess = unexpectedSuccessHandler;
+    let event = yield undefined;
+
+    is(event.type, "upgradeneeded", "Got correct event type");
+
+    let db = event.target.result;
+    db.onerror = errorHandler;
+
+    db.createObjectStore(objectStoreName, { autoIncrement: true });
+
+    request.onupgradeneeded = unexpectedSuccessHandler;
+    request.onsuccess = grabEventAndContinueHandler;
+    event = yield undefined;
+
+    is(event.type, "success", "Got correct event type");
+
+    request = db.createMutableFile("bar");
+    request.onsuccess = grabEventAndContinueHandler;
+    event = yield undefined;
+
+    let mutableFile = event.target.result;
+
+    let trans = db.transaction(objectStoreName, "readwrite");
+    let objectStore = trans.objectStore(objectStoreName);
+
+    for (let i = 0; i < entryCount; i++) {
+      request = objectStore.add(mutableFile);
+    }
+
+    let seenEntryCount = 0;
+
+    request = objectStore.openCursor().onsuccess = event => {
+      let cursor = event.target.result;
+      if (cursor) {
+        seenEntryCount++;
+        cursor.continue();
+      } else {
+        continueToNextStep();
+      }
+    }
+    yield undefined;
+
+    is(seenEntryCount, entryCount, "Correct entry count");
+
+    finishTest();
+    yield undefined;
+  }
+  </script>
+  <script type="text/javascript;version=1.7" src="helpers.js"></script>
+
+</head>
+
+<body onload="runTest();"></body>
+
+</html>
diff --git a/dom/indexedDB/test/test_serviceworker.html b/dom/indexedDB/test/test_serviceworker.html
new file mode 100644
index 000000000000..505743802ae0
--- /dev/null
+++ b/dom/indexedDB/test/test_serviceworker.html
@@ -0,0 +1,71 @@
+<!--
+  Any copyright is dedicated to the Public Domain.
+  http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1137245 - Allow IndexedDB usage in ServiceWorkers</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none"></div>
+<pre id="test"></pre>
+<script class="testbody" type="text/javascript">
+
+  function simpleRegister() {
+    return navigator.serviceWorker.register("service_worker.js", {
+      scope: 'service_worker_client.html'
+    });
+  }
+
+  function testIndexedDBAvailable(sw) {
+    var p = new Promise(function(resolve, reject) {
+      window.onmessage = function(e) {
+        if (e.data === "READY") {
+          sw.active.postMessage("GO");
+          return;
+        }
+
+        if (!("available" in e.data)) {
+          ok(false, "Something went wrong");
+          reject();
+          return;
+        }
+
+        ok(e.data.available, "IndexedDB available in service worker.");
+        resolve();
+      }
+    });
+
+    var content = document.getElementById("content");
+    ok(content, "Parent exists.");
+
+    iframe = document.createElement("iframe");
+    iframe.setAttribute('src', "service_worker_client.html");
+    content.appendChild(iframe);
+
+    return p.then(() => content.removeChild(iframe));
+  }
+
+  function runTest() {
+    simpleRegister()
+      .then(testIndexedDBAvailable)
+      .then(SimpleTest.finish)
+      .catch(function(e) {
+        ok(false, "Some test failed with error " + e);
+        SimpleTest.finish();
+      });
+  }
+
+  SimpleTest.waitForExplicitFinish();
+  SpecialPowers.pushPrefEnv({"set": [
+    ["dom.serviceWorkers.enabled", true],
+    ["dom.serviceWorkers.testing.enabled", true]
+  ]}, runTest);
+</script>
+</pre>
+</body>
+</html>
diff --git a/dom/interfaces/base/nsIDOMWindowUtils.idl b/dom/interfaces/base/nsIDOMWindowUtils.idl
index 51a136dad003..a85ee6042e9b 100644
--- a/dom/interfaces/base/nsIDOMWindowUtils.idl
+++ b/dom/interfaces/base/nsIDOMWindowUtils.idl
@@ -1704,9 +1704,11 @@ interface nsIDOMWindowUtils : nsISupports {
    attribute boolean paintFlashing;
 
    /**
-    * Allows running of a "synchronous section", in the form of an nsIRunnable
-    * once the event loop has reached a "stable state". We've reached a stable
-    * state when the currently executing task/event has finished, see:
+    * Add a "synchronous section", in the form of an nsIRunnable run once the
+    * event loop has reached a "stable state". |runnable| must not cause any
+    * queued events to be processed (i.e. must not spin the event loop).
+    * We've reached a stable state when the currently executing task/event has
+    * finished, see:
     * http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#synchronous-section
     * In practice this runs aRunnable once the currently executing event
     * finishes. If called multiple times per task/event, all the runnables will
diff --git a/dom/ipc/ContentBridgeChild.cpp b/dom/ipc/ContentBridgeChild.cpp
index 9dbbcc35dead..0c8dce8614f3 100644
--- a/dom/ipc/ContentBridgeChild.cpp
+++ b/dom/ipc/ContentBridgeChild.cpp
@@ -12,6 +12,7 @@
 #include "mozilla/dom/ipc/BlobChild.h"
 #include "mozilla/jsipc/CrossProcessObjectWrappers.h"
 #include "mozilla/ipc/InputStreamUtils.h"
+#include "nsIObserverService.h"
 
 using namespace mozilla::ipc;
 using namespace mozilla::jsipc;
@@ -19,7 +20,9 @@ using namespace mozilla::jsipc;
 namespace mozilla {
 namespace dom {
 
-NS_IMPL_ISUPPORTS(ContentBridgeChild, nsIContentChild)
+NS_IMPL_ISUPPORTS(ContentBridgeChild,
+                  nsIContentChild,
+                  nsIObserver)
 
 ContentBridgeChild::ContentBridgeChild(Transport* aTransport)
   : mTransport(aTransport)
@@ -33,6 +36,10 @@ ContentBridgeChild::~ContentBridgeChild()
 void
 ContentBridgeChild::ActorDestroy(ActorDestroyReason aWhy)
 {
+  nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
+  if (os) {
+    os->RemoveObserver(this, "content-child-shutdown");
+  }
   MessageLoop::current()->PostTask(
     FROM_HERE,
     NewRunnableMethod(this, &ContentBridgeChild::DeferredDestroy));
@@ -47,6 +54,12 @@ ContentBridgeChild::Create(Transport* aTransport, ProcessId aOtherPid)
 
   DebugOnly<bool> ok = bridge->Open(aTransport, aOtherPid, XRE_GetIOMessageLoop());
   MOZ_ASSERT(ok);
+
+  nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
+  if (os) {
+    os->AddObserver(bridge, "content-child-shutdown", false);
+  }
+
   return bridge;
 }
 
@@ -167,5 +180,16 @@ ContentBridgeChild::DeallocPBlobChild(PBlobChild* aActor)
   return nsIContentChild::DeallocPBlobChild(aActor);
 }
 
+NS_IMETHODIMP
+ContentBridgeChild::Observe(nsISupports* aSubject,
+                             const char* aTopic,
+                             const char16_t* aData)
+{
+  if (!strcmp(aTopic, "content-child-shutdown")) {
+    Close();
+  }
+  return NS_OK;
+}
+
 } // namespace dom
 } // namespace mozilla
diff --git a/dom/ipc/ContentBridgeChild.h b/dom/ipc/ContentBridgeChild.h
index 1170232ae9f4..7c3122360a95 100644
--- a/dom/ipc/ContentBridgeChild.h
+++ b/dom/ipc/ContentBridgeChild.h
@@ -9,17 +9,20 @@
 
 #include "mozilla/dom/PContentBridgeChild.h"
 #include "mozilla/dom/nsIContentChild.h"
+#include "nsIObserver.h"
 
 namespace mozilla {
 namespace dom {
 
 class ContentBridgeChild final : public PContentBridgeChild
                                , public nsIContentChild
+                               , public nsIObserver
 {
 public:
   explicit ContentBridgeChild(Transport* aTransport);
 
   NS_DECL_ISUPPORTS
+  NS_DECL_NSIOBSERVER
 
   static ContentBridgeChild*
   Create(Transport* aTransport, ProcessId aOtherProcess);
diff --git a/dom/ipc/ContentParent.cpp b/dom/ipc/ContentParent.cpp
index c92c661a8361..ff30011a3678 100755
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@@ -2012,14 +2012,9 @@ ContentParent::ActorDestroy(ActorDestroyReason why)
                                                        NS_ConvertUTF16toUTF8(mAppManifestURL));
                 }
 
-                if (mCreatedPairedMinidumps) {
-                    // We killed the child with KillHard, so two minidumps should already
-                    // exist - one for the content process, and one for the browser process.
-                    // The "main" minidump of this crash report is the content processes,
-                    // and we use GenerateChildData to annotate our crash report with
-                    // information about the child process.
-                    crashReporter->GenerateChildData(nullptr);
-                } else {
+                // if mCreatedPairedMinidumps is true, we've already generated
+                // parent/child dumps for dekstop crashes.
+                if (!mCreatedPairedMinidumps) {
                     crashReporter->GenerateCrashReport(this, nullptr);
                 }
 
@@ -2065,7 +2060,7 @@ ContentParent::ActorDestroy(ActorDestroyReason why)
         MessageLoop::current()->PostTask(
             FROM_HERE,
             NewRunnableMethod(cp, &ContentParent::ShutDownProcess,
-                              CLOSE_CHANNEL));
+                              SEND_SHUTDOWN_MESSAGE));
     }
     cpm->RemoveContentProcess(this->ChildID());
 }
@@ -3388,37 +3383,33 @@ ContentParent::KillHard(const char* aReason)
     mForceKillTimer = nullptr;
 
 #if defined(MOZ_CRASHREPORTER) && !defined(MOZ_B2G)
+    // We're about to kill the child process associated with this content.
+    // Something has gone wrong to get us here, so we generate a minidump
+    // of the parent and child for submission to the crash server.
     if (ManagedPCrashReporterParent().Length() > 0) {
         CrashReporterParent* crashReporter =
             static_cast<CrashReporterParent*>(ManagedPCrashReporterParent()[0]);
-
-        // We're about to kill the child process associated with this
-        // ContentParent. Something has gone wrong to get us here,
-        // so we generate a minidump to be potentially submitted in
-        // a crash report. ContentParent::ActorDestroy is where the
-        // actual report gets generated, once the child process has
-        // finally died.
-        if (crashReporter->GeneratePairedMinidump(this)) {
-            mCreatedPairedMinidumps = true;
-            // GeneratePairedMinidump created two minidumps for us - the main
-            // one is for the content process we're about to kill, and the other
-            // one is for the main browser process. That second one is the extra
-            // minidump tagging along, so we have to tell the crash reporter that
-            // it exists and is being appended.
-            nsAutoCString additionalDumps("browser");
-            crashReporter->AnnotateCrashReport(
-                NS_LITERAL_CSTRING("additional_minidumps"),
-                additionalDumps);
-            if (IsKillHardAnnotationSet()) {
-              crashReporter->AnnotateCrashReport(
-                  NS_LITERAL_CSTRING("kill_hard"),
-                  GetKillHardAnnotation());
-            }
-            nsDependentCString reason(aReason);
-            crashReporter->AnnotateCrashReport(
-                NS_LITERAL_CSTRING("ipc_channel_error"),
-                reason);
+        // GeneratePairedMinidump creates two minidumps for us - the main
+        // one is for the content process we're about to kill, and the other
+        // one is for the main browser process. That second one is the extra
+        // minidump tagging along, so we have to tell the crash reporter that
+        // it exists and is being appended.
+        nsAutoCString additionalDumps("browser");
+        crashReporter->AnnotateCrashReport(
+            NS_LITERAL_CSTRING("additional_minidumps"),
+            additionalDumps);
+        if (IsKillHardAnnotationSet()) {
+          crashReporter->AnnotateCrashReport(
+              NS_LITERAL_CSTRING("kill_hard"),
+              GetKillHardAnnotation());
         }
+        nsDependentCString reason(aReason);
+        crashReporter->AnnotateCrashReport(
+            NS_LITERAL_CSTRING("ipc_channel_error"),
+            reason);
+
+        // Generate the report and insert into the queue for submittal.
+        mCreatedPairedMinidumps = crashReporter->GenerateCompleteMinidump(this);
     }
 #endif
     ProcessHandle otherProcessHandle;
diff --git a/dom/ipc/CrashReporterParent.cpp b/dom/ipc/CrashReporterParent.cpp
index 57fb4fc496d5..399ae15b20f9 100644
--- a/dom/ipc/CrashReporterParent.cpp
+++ b/dom/ipc/CrashReporterParent.cpp
@@ -111,6 +111,11 @@ CrashReporterParent::GenerateChildData(const AnnotationTable* processNotes)
 {
     MOZ_ASSERT(mInitialized);
 
+    if (mChildDumpID.IsEmpty()) {
+      NS_WARNING("problem with GenerateChildData: no child dump id yet!");
+      return false;
+    }
+
     nsAutoCString type;
     switch (mProcessType) {
         case GeckoProcessType_Content:
@@ -130,14 +135,35 @@ CrashReporterParent::GenerateChildData(const AnnotationTable* processNotes)
     snprintf_literal(startTime, "%lld", static_cast<long long>(mStartTime));
     mNotes.Put(NS_LITERAL_CSTRING("StartupTime"), nsDependentCString(startTime));
 
-    if (!mAppNotes.IsEmpty())
+    if (!mAppNotes.IsEmpty()) {
         mNotes.Put(NS_LITERAL_CSTRING("Notes"), mAppNotes);
+    }
 
+    // Append these notes to the end of the extra file based on the current
+    // dump id we obtained from CreatePairedMinidumps.
     bool ret = CrashReporter::AppendExtraData(mChildDumpID, mNotes);
-    if (ret && processNotes)
+    if (ret && processNotes) {
         ret = CrashReporter::AppendExtraData(mChildDumpID, *processNotes);
-    if (!ret)
+    }
+
+    if (!ret) {
         NS_WARNING("problem appending child data to .extra");
+    }
+
+    FinalizeChildData();
+    return ret;
+}
+
+void
+CrashReporterParent::FinalizeChildData()
+{
+    MOZ_ASSERT(mInitialized);
+
+    if (NS_IsMainThread()) {
+        // Inline, this is the main thread. Get this done.
+        NotifyCrashService();
+        return;
+    }
 
     nsCOMPtr<nsIThread> mainThread = do_GetMainThread();
     class NotifyOnMainThread : public nsRunnable
@@ -155,13 +181,13 @@ CrashReporterParent::GenerateChildData(const AnnotationTable* processNotes)
         CrashReporterParent* mCR;
     };
     SyncRunnable::DispatchToThread(mainThread, new NotifyOnMainThread(this));
-    return ret;
 }
 
 void
 CrashReporterParent::NotifyCrashService()
 {
     MOZ_ASSERT(NS_IsMainThread());
+    MOZ_ASSERT(!mChildDumpID.IsEmpty());
 
     nsCOMPtr<nsICrashService> crashService =
         do_GetService("@mozilla.org/crashservice;1");
@@ -201,6 +227,7 @@ CrashReporterParent::NotifyCrashService()
 
     crashService->AddCrash(processType, crashType, mChildDumpID);
     Telemetry::Accumulate(Telemetry::SUBPROCESS_CRASHES_WITH_DUMP, telemetryKey, 1);
+    mNotes.Clear();
 }
 #endif
 
diff --git a/dom/ipc/CrashReporterParent.h b/dom/ipc/CrashReporterParent.h
index 82a43e7f67c8..01e7313b4b7b 100644
--- a/dom/ipc/CrashReporterParent.h
+++ b/dom/ipc/CrashReporterParent.h
@@ -29,49 +29,122 @@ public:
   virtual ~CrashReporterParent();
 
 #ifdef MOZ_CRASHREPORTER
-  /* Attempt to generate a parent/child pair of minidumps from the given
-     toplevel actor in the event of a hang. Returns true if successful,
-     false otherwise.
-  */
-  template<class Toplevel>
-  bool
-  GeneratePairedMinidump(Toplevel* t);
 
-  /* Attempt to create a bare-bones crash report, along with extra process-
-     specific annotations present in the given AnnotationTable. Returns true if
-     successful, false otherwise.
-  */
+  /*
+   * Attempt to create a bare-bones crash report, along with extra process-
+   * specific annotations present in the given AnnotationTable.
+   *
+   * @returns true if successful, false otherwise.
+   */
   template<class Toplevel>
   bool
   GenerateCrashReport(Toplevel* t, const AnnotationTable* processNotes);
 
+  /*
+   * Attempt to generate a parent/child pair of minidumps from the given
+   * toplevel actor. This calls CrashReporter::CreateMinidumpsAndPair to
+   * generate the minidumps. Crash reporter annotations set prior to this
+   * call will be saved via PairedDumpCallbackExtra into an .extra file
+   * under the proper crash id. AnnotateCrashReport annotations are not
+   * set in this call, use GenerateChildData.
+   *
+   * @returns true if successful, false otherwise.
+   */
+  template<class Toplevel>
+  bool
+  GeneratePairedMinidump(Toplevel* t);
+
+  /*
+   * Attempts to take a minidump of the current process and pair that with
+   * a named minidump handed in by the caller.
+   *
+   * @param aTopLevel - top level actor this reporter is associated with.
+   * @param aMinidump - the minidump to associate with.
+   * @param aPairName - the name of the additional minidump.
+   * @returns true if successful, false otherwise.
+   */
+  template<class Toplevel>
+  bool
+  GenerateMinidumpAndPair(Toplevel* aTopLevel, nsIFile* aMinidump,
+                          const nsACString& aPairName);
+
   /**
-   * Add the .extra data for an existing crash report.
+   * Apply child process annotations to an existing paired mindump generated
+   * with GeneratePairedMinidump.
+   *
+   * Be careful about calling generate apis immediately after this call,
+   * see FinalizeChildData.
+   *
+   * @param processNotes (optional) - Additional notes to append. Annotations
+   *   stored in mNotes will also be applied. processNotes can be null.
+   * @returns true if successful, false otherwise.
    */
   bool
   GenerateChildData(const AnnotationTable* processNotes);
 
+  /**
+   * Handles main thread finalization tasks after a report has been
+   * generated. Does the following:
+   *  - register the finished report with the crash service manager
+   *  - records telemetry related data about crashes
+   *
+   * Be careful about calling generate apis immediately after this call,
+   * if this api is called on a non-main thread it will fire off a runnable
+   * to complete its work async.
+   */
+  void
+  FinalizeChildData();
+
+  /*
+   * Attempt to generate a full paired dump complete with any child
+   * annoations, and finalizes the report. Note this call is only valid
+   * on the main thread. Calling on a background thread will fail.
+   *
+   * @returns true if successful, false otherwise.
+   */
+  template<class Toplevel>
+  bool
+  GenerateCompleteMinidump(Toplevel* t);
+
+  /**
+   * Submits a raw minidump handed in, calls GenerateChildData. Used
+   * by plugins.
+   *
+   * @returns true if successful, false otherwise.
+   */
   bool
   GenerateCrashReportForMinidump(nsIFile* minidump,
                                  const AnnotationTable* processNotes);
 
-  /* Instantiate a new crash reporter actor from a given parent that manages
-     the protocol.
-  */
+  /*
+   * Instantiate a new crash reporter actor from a given parent that manages
+   * the protocol.
+   *
+   * @returns true if successful, false otherwise.
+   */
   template<class Toplevel>
   static bool CreateCrashReporter(Toplevel* actor);
-#endif
-  /* Initialize this reporter with data from the child process */
-  void
-    SetChildData(const NativeThreadId& id, const uint32_t& processType);
+#endif // MOZ_CRASHREPORTER
 
-  /* Returns the ID of the child minidump.
-     GeneratePairedMinidump or GenerateCrashReport must be called first.
-  */
+  /*
+   * Initialize this reporter with data from the child process.
+   */
+  void
+  SetChildData(const NativeThreadId& id, const uint32_t& processType);
+
+  /*
+   * Returns the ID of the child minidump.
+   * GeneratePairedMinidump or GenerateCrashReport must be called first.
+   */
   const nsString& ChildDumpID() {
     return mChildDumpID;
   }
 
+  /*
+   * Add an annotation to our internally tracked list of annotations.
+   * Callers must apply these notes using GenerateChildData otherwise
+   * the notes will get dropped.
+   */
   void
   AnnotateCrashReport(const nsCString& key, const nsCString& data);
 
@@ -99,8 +172,10 @@ public:
 #endif
   nsCString mAppNotes;
   nsString mChildDumpID;
+  // stores the child main thread id
   NativeThreadId mMainThread;
   time_t mStartTime;
+  // stores the child process type
   uint32_t mProcessType;
   bool mInitialized;
 };
@@ -120,15 +195,44 @@ CrashReporterParent::GeneratePairedMinidump(Toplevel* t)
   }
 #endif
   nsCOMPtr<nsIFile> childDump;
-  if (CrashReporter::CreatePairedMinidumps(child,
-                                           mMainThread,
-                                           getter_AddRefs(childDump)) &&
+  if (CrashReporter::CreateMinidumpsAndPair(child,
+                                            mMainThread,
+                                            NS_LITERAL_CSTRING("browser"),
+                                            nullptr, // pair with a dump of this process and thread
+                                            getter_AddRefs(childDump)) &&
       CrashReporter::GetIDFromMinidump(childDump, mChildDumpID)) {
     return true;
   }
   return false;
 }
 
+template<class Toplevel>
+inline bool
+CrashReporterParent::GenerateMinidumpAndPair(Toplevel* aTopLevel,
+                                             nsIFile* aMinidumpToPair,
+                                             const nsACString& aPairName)
+{
+  mozilla::ipc::ScopedProcessHandle childHandle;
+#ifdef XP_MACOSX
+  childHandle = aTopLevel->Process()->GetChildTask();
+#else
+  if (!base::OpenPrivilegedProcessHandle(aTopLevel->OtherPid(), &childHandle.rwget())) {
+    NS_WARNING("Failed to open child process handle.");
+    return false;
+  }
+#endif
+  nsCOMPtr<nsIFile> targetDump;
+  if (CrashReporter::CreateMinidumpsAndPair(childHandle,
+                                            mMainThread, // child thread id
+                                            aPairName,
+                                            aMinidumpToPair,
+                                            getter_AddRefs(targetDump)) &&
+      CrashReporter::GetIDFromMinidump(targetDump, mChildDumpID)) {
+    return true;
+  }
+  return false;
+}
+
 template<class Toplevel>
 inline bool
 CrashReporterParent::GenerateCrashReport(Toplevel* t,
@@ -142,6 +246,38 @@ CrashReporterParent::GenerateCrashReport(Toplevel* t,
   return false;
 }
 
+template<class Toplevel>
+inline bool
+CrashReporterParent::GenerateCompleteMinidump(Toplevel* t)
+{
+  mozilla::ipc::ScopedProcessHandle child;
+  if (!NS_IsMainThread()) {
+    NS_WARNING("GenerateCompleteMinidump can't be called on non-main thread.");
+    return false;
+  }
+
+#ifdef XP_MACOSX
+  child = t->Process()->GetChildTask();
+#else
+  if (!base::OpenPrivilegedProcessHandle(t->OtherPid(), &child.rwget())) {
+    NS_WARNING("Failed to open child process handle.");
+    return false;
+  }
+#endif
+  nsCOMPtr<nsIFile> childDump;
+  if (CrashReporter::CreateMinidumpsAndPair(child,
+                                            mMainThread,
+                                            NS_LITERAL_CSTRING("browser"),
+                                            nullptr, // pair with a dump of this process and thread
+                                            getter_AddRefs(childDump)) &&
+      CrashReporter::GetIDFromMinidump(childDump, mChildDumpID)) {
+    GenerateChildData(nullptr);
+    FinalizeChildData();
+    return true;
+  }
+  return false;
+}
+
 template<class Toplevel>
 /* static */ bool
 CrashReporterParent::CreateCrashReporter(Toplevel* actor)
diff --git a/dom/ipc/ProcessHangMonitor.cpp b/dom/ipc/ProcessHangMonitor.cpp
index ecfeadb1964f..be90848b17b7 100644
--- a/dom/ipc/ProcessHangMonitor.cpp
+++ b/dom/ipc/ProcessHangMonitor.cpp
@@ -22,6 +22,9 @@
 #include "nsITabParent.h"
 #include "nsPluginHost.h"
 #include "nsThreadUtils.h"
+#ifdef MOZ_CRASHREPORTER
+#include "nsExceptionHandler.h"
+#endif
 
 #include "base/task.h"
 #include "base/thread.h"
@@ -149,12 +152,20 @@ public:
   NS_IMETHOD EndStartingDebugger() override;
   NS_IMETHOD TerminatePlugin() override;
   NS_IMETHOD TerminateProcess() override;
+  NS_IMETHOD UserCanceled() override;
 
   NS_IMETHOD IsReportForBrowser(nsIFrameLoader* aFrameLoader, bool* aResult) override;
 
-  void Clear() { mContentParent = nullptr; mActor = nullptr; }
+  // Called on xpcom shutdown
+  void Clear() {
+    mContentParent = nullptr;
+    mActor = nullptr;
+  }
 
   void SetHangData(const HangData& aHangData) { mHangData = aHangData; }
+  void SetBrowserDumpId(nsAutoString& aId) {
+    mBrowserDumpId = aId;
+  }
 
 private:
   ~HangMonitoredProcess() {}
@@ -163,6 +174,7 @@ private:
   HangMonitorParent* mActor;
   ContentParent* mContentParent;
   HangData mHangData;
+  nsAutoString mBrowserDumpId;
 };
 
 class HangMonitorParent
@@ -185,6 +197,7 @@ public:
   void TerminateScript();
   void BeginStartingDebugger();
   void EndStartingDebugger();
+  void CleanupPluginHang(uint32_t aPluginId, bool aRemoveFiles);
 
   MessageLoop* MonitorLoop() { return mHangMonitor->MonitorLoop(); }
 
@@ -204,6 +217,9 @@ public:
   // Must be accessed with mMonitor held.
   nsRefPtr<HangMonitoredProcess> mProcess;
   bool mShutdownDone;
+  // Map from plugin ID to crash dump ID. Protected by mBrowserCrashDumpHashLock.
+  nsDataHashtable<nsUint32HashKey, nsString> mBrowserCrashDumpIds;
+  Mutex mBrowserCrashDumpHashLock;
 };
 
 } // namespace
@@ -389,10 +405,12 @@ HangMonitorChild::IsDebuggerStartupComplete()
 void
 HangMonitorChild::NotifyPluginHang(uint32_t aPluginId)
 {
+  // main thread in the child
   MOZ_RELEASE_ASSERT(NS_IsMainThread());
 
   mSentReport = true;
 
+  // bounce to background thread
   MonitorLoop()->PostTask(
     FROM_HERE,
     NewRunnableMethod(this,
@@ -405,6 +423,7 @@ HangMonitorChild::NotifyPluginHangAsync(uint32_t aPluginId)
 {
   MOZ_RELEASE_ASSERT(MessageLoop::current() == MonitorLoop());
 
+  // bounce back to parent on background thread
   if (mIPCOpen) {
     unused << SendHangEvidence(PluginHangData(aPluginId));
   }
@@ -430,7 +449,8 @@ HangMonitorParent::HangMonitorParent(ProcessHangMonitor* aMonitor)
  : mHangMonitor(aMonitor),
    mIPCOpen(true),
    mMonitor("HangMonitorParent lock"),
-   mShutdownDone(false)
+   mShutdownDone(false),
+   mBrowserCrashDumpHashLock("mBrowserCrashDumpIds lock")
 {
   MOZ_RELEASE_ASSERT(NS_IsMainThread());
   mReportHangs = mozilla::Preferences::GetBool("dom.ipc.reportProcessHangs", false);
@@ -501,16 +521,21 @@ HangMonitorParent::Open(Transport* aTransport, ProcessId aPid,
 class HangObserverNotifier final : public nsRunnable
 {
 public:
-  HangObserverNotifier(HangMonitoredProcess* aProcess, const HangData& aHangData)
+  HangObserverNotifier(HangMonitoredProcess* aProcess,
+                       const HangData& aHangData,
+                       const nsString& aBrowserDumpId)
     : mProcess(aProcess),
-      mHangData(aHangData)
+      mHangData(aHangData),
+      mBrowserDumpId(aBrowserDumpId)
   {}
 
   NS_IMETHOD
   Run()
   {
+    // chrome process, main thread
     MOZ_RELEASE_ASSERT(NS_IsMainThread());
     mProcess->SetHangData(mHangData);
+    mProcess->SetBrowserDumpId(mBrowserDumpId);
 
     nsCOMPtr<nsIObserverService> observerService =
       mozilla::services::GetObserverService();
@@ -521,11 +546,13 @@ public:
 private:
   nsRefPtr<HangMonitoredProcess> mProcess;
   HangData mHangData;
+  nsAutoString mBrowserDumpId;
 };
 
 bool
 HangMonitorParent::RecvHangEvidence(const HangData& aHangData)
 {
+  // chrome process, background thread
   MOZ_RELEASE_ASSERT(MessageLoop::current() == MonitorLoop());
 
   if (!mReportHangs) {
@@ -540,11 +567,33 @@ HangMonitorParent::RecvHangEvidence(const HangData& aHangData)
   }
 #endif
 
+  // Before we wake up the browser main thread we want to take a
+  // browser minidump.
+  nsAutoString crashId;
+#ifdef MOZ_CRASHREPORTER
+  if (aHangData.type() == HangData::TPluginHangData) {
+    MutexAutoLock lock(mBrowserCrashDumpHashLock);
+    const PluginHangData& phd = aHangData.get_PluginHangData();
+    if (!mBrowserCrashDumpIds.Get(phd.pluginId(), &crashId)) {
+      nsCOMPtr<nsIFile> browserDump;
+      if (CrashReporter::TakeMinidump(getter_AddRefs(browserDump), true)) {
+        if (!CrashReporter::GetIDFromMinidump(browserDump, crashId) || crashId.IsEmpty()) {
+          browserDump->Remove(false);
+          NS_WARNING("Failed to generate timely browser stack, this is bad for plugin hang analysis!");
+        } else {
+          mBrowserCrashDumpIds.Put(phd.pluginId(), crashId);
+        }
+      }
+    }
+  }
+#endif
+
   mHangMonitor->InitiateCPOWTimeout();
 
   MonitorAutoLock lock(mMonitor);
 
-  nsCOMPtr<nsIRunnable> notifier = new HangObserverNotifier(mProcess, aHangData);
+  nsCOMPtr<nsIRunnable> notifier =
+    new HangObserverNotifier(mProcess, aHangData, crashId);
   NS_DispatchToMainThread(notifier);
 
   return true;
@@ -580,6 +629,22 @@ HangMonitorParent::EndStartingDebugger()
   }
 }
 
+void
+HangMonitorParent::CleanupPluginHang(uint32_t aPluginId, bool aRemoveFiles)
+{
+  MutexAutoLock lock(mBrowserCrashDumpHashLock);
+  nsAutoString crashId;
+  if (!mBrowserCrashDumpIds.Get(aPluginId, &crashId)) {
+    return;
+  }
+  mBrowserCrashDumpIds.Remove(aPluginId);
+#ifdef MOZ_CRASHREPORTER
+  if (aRemoveFiles && !crashId.IsEmpty()) {
+    CrashReporter::DeleteMinidumpFilesForID(crashId);
+  }
+#endif
+}
+
 /* HangMonitoredProcess implementation */
 
 NS_IMPL_ISUPPORTS(HangMonitoredProcess, nsIHangReport)
@@ -738,7 +803,9 @@ HangMonitoredProcess::TerminatePlugin()
   }
 
   uint32_t id = mHangData.get_PluginHangData().pluginId();
-  plugins::TerminatePlugin(id);
+  plugins::TerminatePlugin(id, mBrowserDumpId);
+
+  mActor->CleanupPluginHang(id, false);
   return NS_OK;
 }
 
@@ -751,6 +818,11 @@ HangMonitoredProcess::TerminateProcess()
     return NS_ERROR_UNEXPECTED;
   }
 
+  if (mHangData.type() == HangData::TPluginHangData) {
+    uint32_t id = mHangData.get_PluginHangData().pluginId();
+    mActor->CleanupPluginHang(id, true);
+  }
+
   mContentParent->KillHard("HangMonitor");
   return NS_OK;
 }
@@ -775,6 +847,19 @@ HangMonitoredProcess::IsReportForBrowser(nsIFrameLoader* aFrameLoader, bool* aRe
   return NS_OK;
 }
 
+NS_IMETHODIMP
+HangMonitoredProcess::UserCanceled()
+{
+  MOZ_RELEASE_ASSERT(NS_IsMainThread());
+  if (mHangData.type() != HangData::TPluginHangData) {
+    return NS_OK;
+  }
+
+  uint32_t id = mHangData.get_PluginHangData().pluginId();
+  mActor->CleanupPluginHang(id, true);
+  return NS_OK;
+}
+
 ProcessHangMonitor* ProcessHangMonitor::sInstance;
 
 ProcessHangMonitor::ProcessHangMonitor()
diff --git a/dom/ipc/TabChild.cpp b/dom/ipc/TabChild.cpp
index b17208f8c154..838ba2fc42e4 100644
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@@ -545,7 +545,7 @@ TabChildBase::UpdateFrameHandler(const FrameMetrics& aFrameMetrics)
 {
   MOZ_ASSERT(aFrameMetrics.GetScrollId() != FrameMetrics::NULL_SCROLL_ID);
 
-  if (aFrameMetrics.GetIsRoot()) {
+  if (aFrameMetrics.IsRootContent()) {
     if (nsCOMPtr<nsIPresShell> shell = GetPresShell()) {
       // Guard against stale updates (updates meant for a pres shell which
       // has since been torn down and destroyed).
diff --git a/dom/ipc/TabParent.cpp b/dom/ipc/TabParent.cpp
index 8482d64d9764..cd194b468424 100644
--- a/dom/ipc/TabParent.cpp
+++ b/dom/ipc/TabParent.cpp
@@ -689,12 +689,13 @@ TabParent::RecvCreateWindow(PBrowserParent* aNewTab,
   rv = NS_NewURI(getter_AddRefs(baseURI), aBaseURI);
   NS_ENSURE_SUCCESS(rv, false);
 
-  nsCOMPtr<nsIURI> finalURI;
-  rv = NS_NewURI(getter_AddRefs(finalURI), NS_ConvertUTF16toUTF8(aURI).get(), baseURI);
-  NS_ENSURE_SUCCESS(rv, false);
-
   nsAutoCString finalURIString;
-  finalURI->GetSpec(finalURIString);
+  if (!aURI.IsEmpty()) {
+    nsCOMPtr<nsIURI> finalURI;
+    rv = NS_NewURI(getter_AddRefs(finalURI), NS_ConvertUTF16toUTF8(aURI).get(), baseURI);
+    NS_ENSURE_SUCCESS(rv, false);
+    finalURI->GetSpec(finalURIString);
+  }
 
   nsCOMPtr<nsIDOMWindow> window;
 
@@ -1136,6 +1137,7 @@ TabParent::RecvPDocAccessibleConstructor(PDocAccessibleParent* aDoc,
     return parentDoc->AddChildDoc(doc, aParentID);
   } else {
     MOZ_ASSERT(!aParentID);
+    doc->SetTopLevel();
     a11y::DocManager::RemoteDocAdded(doc);
   }
 #endif
diff --git a/dom/ipc/nsIHangReport.idl b/dom/ipc/nsIHangReport.idl
index d8ac12505288..565ad8a6e392 100644
--- a/dom/ipc/nsIHangReport.idl
+++ b/dom/ipc/nsIHangReport.idl
@@ -18,7 +18,7 @@ interface nsIFrameLoader;
  * process will continue to run uninhibitedly during this time.
  */
 
-[scriptable, uuid(3b88d100-8d5b-11e4-b4a9-0800200c9a66)]
+[scriptable, uuid(90cea731-dd3e-459e-b017-f9a14697b56e)]
 interface nsIHangReport : nsISupports
 {
   const unsigned long SLOW_SCRIPT = 1;
@@ -38,6 +38,10 @@ interface nsIHangReport : nsISupports
   // Only valid for PLUGIN_HANG reports.
   readonly attribute ACString pluginName;
 
+  // Called by front end code when user ignores or cancels
+  // the notification.
+  void userCanceled();
+
   // Terminate the slow script if it is still running.
   // Only valid for SLOW_SCRIPT reports.
   void terminateScript();
diff --git a/dom/media/AbstractMediaDecoder.h b/dom/media/AbstractMediaDecoder.h
index 36c0e10ded0e..ed2debd12f07 100644
--- a/dom/media/AbstractMediaDecoder.h
+++ b/dom/media/AbstractMediaDecoder.h
@@ -43,7 +43,7 @@ enum class MediaDecoderEventVisibility : int8_t {
  * The AbstractMediaDecoder class describes the public interface for a media decoder
  * and is used by the MediaReader classes.
  */
-class AbstractMediaDecoder : public nsISupports
+class AbstractMediaDecoder : public nsIObserver
 {
 public:
   // Returns the monitor for other threads to synchronise access to
@@ -146,6 +146,11 @@ public:
     AbstractMediaDecoder* mDecoder;
   };
 
+  // Classes directly inheriting from AbstractMediaDecoder do not support
+  // Observe and it should never be called directly.
+  NS_IMETHOD Observe(nsISupports *aSubject, const char * aTopic, const char16_t * aData) override
+  { MOZ_CRASH("Forbidden method"); return NS_OK; }
+
 #ifdef MOZ_EME
   virtual nsresult SetCDMProxy(CDMProxy* aProxy) { return NS_ERROR_NOT_IMPLEMENTED; }
   virtual CDMProxy* GetCDMProxy() { return nullptr; }
diff --git a/dom/media/AbstractThread.cpp b/dom/media/AbstractThread.cpp
index e01e06c96e59..632446563548 100644
--- a/dom/media/AbstractThread.cpp
+++ b/dom/media/AbstractThread.cpp
@@ -10,8 +10,7 @@
 #include "nsThreadUtils.h"
 #include "TaskDispatcher.h"
 
-#include "nsIAppShell.h"
-#include "nsWidgetsCID.h"
+#include "nsContentUtils.h"
 #include "nsServiceManagerUtils.h"
 
 #include "mozilla/ClearOnShutdown.h"
@@ -24,8 +23,6 @@ namespace mozilla {
 StaticRefPtr<AbstractThread> sMainThread;
 ThreadLocal<AbstractThread*> AbstractThread::sCurrentThreadTLS;
 
-static NS_DEFINE_CID(kAppShellCID, NS_APPSHELL_CID);
-
 class XPCOMThreadWrapper : public AbstractThread
 {
 public:
@@ -87,8 +84,7 @@ public:
       mTailDispatcher.emplace(/* aIsTailDispatcher = */ true);
 
       nsCOMPtr<nsIRunnable> event = NS_NewRunnableMethod(this, &XPCOMThreadWrapper::FireTailDispatcher);
-      nsCOMPtr<nsIAppShell> appShell = do_GetService(kAppShellCID);
-      appShell->RunInStableState(event);
+      nsContentUtils::RunInStableState(event.forget());
     }
 
     return mTailDispatcher.ref();
diff --git a/dom/media/CanvasCaptureMediaStream.cpp b/dom/media/CanvasCaptureMediaStream.cpp
index 1d7f2e52cdd4..d8f06b790e60 100644
--- a/dom/media/CanvasCaptureMediaStream.cpp
+++ b/dom/media/CanvasCaptureMediaStream.cpp
@@ -11,10 +11,7 @@
 #include "mozilla/Mutex.h"
 #include "mozilla/dom/CanvasCaptureMediaStreamBinding.h"
 #include "mozilla/dom/HTMLCanvasElement.h"
-#include "nsIAppShell.h"
-#include "nsWidgetsCID.h"
-
-static NS_DEFINE_CID(kAppShellCID, NS_APPSHELL_CID);
+#include "nsContentUtils.h"
 
 using namespace mozilla::layers;
 using namespace mozilla::gfx;
@@ -113,8 +110,7 @@ OutputStreamDriver::Start()
   // Run StartInternal() in stable state to allow it to directly capture a frame
   nsCOMPtr<nsIRunnable> runnable =
     NS_NewRunnableMethod(this, &OutputStreamDriver::StartInternal);
-  nsCOMPtr<nsIAppShell> appShell = do_GetService(kAppShellCID);
-  appShell->RunInStableState(runnable);
+  nsContentUtils::RunInStableState(runnable.forget());
 
   mStarted = true;
   return NS_OK;
diff --git a/dom/media/DecoderTraits.cpp b/dom/media/DecoderTraits.cpp
index 6af5e345ed06..a815be42eebd 100644
--- a/dom/media/DecoderTraits.cpp
+++ b/dom/media/DecoderTraits.cpp
@@ -191,8 +191,8 @@ static char const *const gWebMCodecs[7] = {
   nullptr
 };
 
-static bool
-IsWebMType(const nsACString& aType)
+/* static */ bool
+DecoderTraits::IsWebMType(const nsACString& aType)
 {
   if (!MediaDecoder::IsWebMEnabled()) {
     return false;
@@ -210,7 +210,7 @@ IsGStreamerSupportedType(const nsACString& aMimeType)
     return false;
 
 #ifdef MOZ_WEBM
-  if (IsWebMType(aMimeType) && !Preferences::GetBool("media.prefer-gstreamer", false))
+  if (DecoderTraits::IsWebMType(aMimeType) && !Preferences::GetBool("media.prefer-gstreamer", false))
     return false;
 #endif
   if (IsOggType(aMimeType) && !Preferences::GetBool("media.prefer-gstreamer", false))
@@ -624,7 +624,7 @@ InstantiateDecoder(const nsACString& aType, MediaDecoderOwner* aOwner)
   }
 #endif
 #ifdef MOZ_WEBM
-  if (IsWebMType(aType)) {
+  if (DecoderTraits::IsWebMType(aType)) {
     decoder = new WebMDecoder();
     return decoder.forget();
   }
diff --git a/dom/media/DecoderTraits.h b/dom/media/DecoderTraits.h
index 0f8eb5a310ec..a85b141ca345 100644
--- a/dom/media/DecoderTraits.h
+++ b/dom/media/DecoderTraits.h
@@ -61,6 +61,8 @@ public:
   // Returns true if we should not start decoder until we receive
   // OnConnected signal. (currently RTSP only)
   static bool DecoderWaitsForOnConnected(const nsACString& aType);
+
+  static bool IsWebMType(const nsACString& aType);
 };
 
 }
diff --git a/dom/media/Intervals.h b/dom/media/Intervals.h
index a4d70b06b0c0..4c051f61d0b8 100644
--- a/dom/media/Intervals.h
+++ b/dom/media/Intervals.h
@@ -389,6 +389,30 @@ public:
     return intervals;
   }
 
+  // Excludes an interval from an IntervalSet.
+  // This is done by inverting aInterval within the bounds of mIntervals
+  // and then doing the intersection.
+  SelfType& operator-= (const ElemType& aInterval)
+  {
+    if (aInterval.IsEmpty() || mIntervals.IsEmpty()) {
+      return *this;
+    }
+    T firstEnd = std::max(mIntervals[0].mStart, aInterval.mStart);
+    T secondStart = std::min(mIntervals.LastElement().mEnd, aInterval.mEnd);
+    ElemType startInterval(mIntervals[0].mStart, firstEnd, aInterval.mFuzz);
+    ElemType endInterval(secondStart, mIntervals.LastElement().mEnd, aInterval.mFuzz);
+    SelfType intervals(Move(startInterval));
+    intervals += Move(endInterval);
+    return Intersection(intervals);
+  }
+
+  SelfType operator- (const ElemType& aInterval)
+  {
+    SelfType intervals(*this);
+    intervals -= aInterval;
+    return intervals;
+  }
+
   // Mutate this IntervalSet to be the union of this and aOther.
   SelfType& Union(const SelfType& aOther)
   {
diff --git a/dom/media/MediaDecoder.h b/dom/media/MediaDecoder.h
index 9e9a94983710..93ac3a237cd6 100644
--- a/dom/media/MediaDecoder.h
+++ b/dom/media/MediaDecoder.h
@@ -264,8 +264,7 @@ struct SeekTarget {
   MediaDecoderEventVisibility mEventVisibility;
 };
 
-class MediaDecoder : public nsIObserver,
-                     public AbstractMediaDecoder
+class MediaDecoder : public AbstractMediaDecoder
 {
 public:
   struct SeekResolveValue {
diff --git a/dom/media/MediaDecoderReader.cpp b/dom/media/MediaDecoderReader.cpp
index d644e391d984..16b954e7db76 100644
--- a/dom/media/MediaDecoderReader.cpp
+++ b/dom/media/MediaDecoderReader.cpp
@@ -60,14 +60,18 @@ public:
   size_t mSize;
 };
 
-MediaDecoderReader::MediaDecoderReader(AbstractMediaDecoder* aDecoder)
+MediaDecoderReader::MediaDecoderReader(AbstractMediaDecoder* aDecoder,
+                                       MediaTaskQueue* aBorrowedTaskQueue)
   : mAudioCompactor(mAudioQueue)
   , mDecoder(aDecoder)
+  , mTaskQueue(aBorrowedTaskQueue ? aBorrowedTaskQueue
+                                  : new MediaTaskQueue(GetMediaThreadPool(MediaThreadType::PLAYBACK),
+                                                       /* aSupportsTailDispatch = */ true))
   , mIgnoreAudioOutputFormat(false)
   , mStartTime(-1)
   , mHitAudioDecodeError(false)
   , mShutdown(false)
-  , mTaskQueueIsBorrowed(false)
+  , mTaskQueueIsBorrowed(!!aBorrowedTaskQueue)
   , mAudioDiscontinuity(false)
   , mVideoDiscontinuity(false)
 {
@@ -219,7 +223,7 @@ public:
 
   NS_METHOD Run()
   {
-    MOZ_ASSERT(mReader->GetTaskQueue()->IsCurrentThreadIn());
+    MOZ_ASSERT(mReader->OnTaskQueue());
 
     // Make sure ResetDecode hasn't been called in the mean time.
     if (!mReader->mBaseVideoPromise.IsEmpty()) {
@@ -244,7 +248,7 @@ public:
 
   NS_METHOD Run()
   {
-    MOZ_ASSERT(mReader->GetTaskQueue()->IsCurrentThreadIn());
+    MOZ_ASSERT(mReader->OnTaskQueue());
 
     // Make sure ResetDecode hasn't been called in the mean time.
     if (!mReader->mBaseAudioPromise.IsEmpty()) {
@@ -331,19 +335,6 @@ MediaDecoderReader::RequestAudioData()
   return p;
 }
 
-MediaTaskQueue*
-MediaDecoderReader::EnsureTaskQueue()
-{
-  if (!mTaskQueue) {
-    MOZ_ASSERT(!mTaskQueueIsBorrowed);
-    RefPtr<SharedThreadPool> pool(GetMediaThreadPool(MediaThreadType::PLAYBACK));
-    MOZ_DIAGNOSTIC_ASSERT(pool);
-    mTaskQueue = new MediaTaskQueue(pool.forget());
-  }
-
-  return mTaskQueue;
-}
-
 void
 MediaDecoderReader::BreakCycles()
 {
@@ -364,7 +355,7 @@ MediaDecoderReader::Shutdown()
 
   // Spin down the task queue if necessary. We wait until BreakCycles to null
   // out mTaskQueue, since otherwise any remaining tasks could crash when they
-  // invoke GetTaskQueue()->IsCurrentThreadIn().
+  // invoke OnTaskQueue().
   if (mTaskQueue && !mTaskQueueIsBorrowed) {
     // If we own our task queue, shutdown ends when the task queue is done.
     p = mTaskQueue->BeginShutdown();
diff --git a/dom/media/MediaDecoderReader.h b/dom/media/MediaDecoderReader.h
index 6af636265126..bc5e689dafba 100644
--- a/dom/media/MediaDecoderReader.h
+++ b/dom/media/MediaDecoderReader.h
@@ -79,7 +79,7 @@ public:
 
   // The caller must ensure that Shutdown() is called before aDecoder is
   // destroyed.
-  explicit MediaDecoderReader(AbstractMediaDecoder* aDecoder);
+  explicit MediaDecoderReader(AbstractMediaDecoder* aDecoder, MediaTaskQueue* aBorrowedTaskQueue = nullptr);
 
   // Initializes the reader, returns NS_OK on success, or NS_ERROR_FAILURE
   // on failure.
@@ -107,18 +107,9 @@ public:
   // thread.
   virtual nsRefPtr<ShutdownPromise> Shutdown();
 
-  MediaTaskQueue* EnsureTaskQueue();
-
   virtual bool OnTaskQueue()
   {
-    return !GetTaskQueue() || GetTaskQueue()->IsCurrentThreadIn();
-  }
-
-  void SetBorrowedTaskQueue(MediaTaskQueue* aTaskQueue)
-  {
-    MOZ_ASSERT(!mTaskQueue && aTaskQueue);
-    mTaskQueue = aTaskQueue;
-    mTaskQueueIsBorrowed = true;
+    return TaskQueue()->IsCurrentThreadIn();
   }
 
   // Resets all state related to decoding, emptying all buffers etc.
@@ -266,7 +257,7 @@ public:
   virtual bool IsMediaSeekable() = 0;
   void SetStartTime(int64_t aStartTime);
 
-  MediaTaskQueue* GetTaskQueue() {
+  MediaTaskQueue* TaskQueue() {
     return mTaskQueue;
   }
 
@@ -320,6 +311,9 @@ protected:
   // Reference to the owning decoder object.
   AbstractMediaDecoder* mDecoder;
 
+  // Decode task queue.
+  nsRefPtr<MediaTaskQueue> mTaskQueue;
+
   // Stores presentation info required for playback.
   MediaInfo mInfo;
 
@@ -347,7 +341,6 @@ private:
   MediaPromiseHolder<AudioDataPromise> mBaseAudioPromise;
   MediaPromiseHolder<VideoDataPromise> mBaseVideoPromise;
 
-  nsRefPtr<MediaTaskQueue> mTaskQueue;
   bool mTaskQueueIsBorrowed;
 
   // Flags whether a the next audio/video sample comes after a "gap" or
diff --git a/dom/media/MediaDecoderStateMachine.cpp b/dom/media/MediaDecoderStateMachine.cpp
index de3fee733c3b..7567cfea052e 100644
--- a/dom/media/MediaDecoderStateMachine.cpp
+++ b/dom/media/MediaDecoderStateMachine.cpp
@@ -182,7 +182,7 @@ MediaDecoderStateMachine::MediaDecoderStateMachine(MediaDecoder* aDecoder,
                                                    bool aRealTime) :
   mDecoder(aDecoder),
   mTaskQueue(new MediaTaskQueue(GetMediaThreadPool(MediaThreadType::PLAYBACK),
-                                /* aAssertTailDispatch = */ true)),
+                                /* aSupportsTailDispatch = */ true)),
   mWatchManager(this, mTaskQueue),
   mRealTime(aRealTime),
   mDispatchedStateMachine(false),
@@ -1258,10 +1258,6 @@ nsresult MediaDecoderStateMachine::Init(MediaDecoderStateMachine* aCloneDonor)
 {
   MOZ_ASSERT(NS_IsMainThread());
 
-  if (NS_WARN_IF(!mReader->EnsureTaskQueue())) {
-    return NS_ERROR_FAILURE;
-  }
-
   MediaDecoderReader* cloneReader = nullptr;
   if (aCloneDonor) {
     cloneReader = aCloneDonor->mReader;
@@ -2621,7 +2617,7 @@ nsresult MediaDecoderStateMachine::RunStateMachine()
       MaybeStartPlayback();
 
       AdvanceFrame();
-      NS_ASSERTION(mPlayState != MediaDecoder::PLAY_STATE_PLAYING ||
+      NS_ASSERTION(!IsPlaying() ||
                    mLogicallySeeking ||
                    IsStateMachineScheduled() ||
                    mPlaybackRate == 0.0, "Must have timer scheduled");
@@ -2682,6 +2678,9 @@ nsresult MediaDecoderStateMachine::RunStateMachine()
     }
 
     case DECODER_STATE_COMPLETED: {
+      if (mPlayState != MediaDecoder::PLAY_STATE_PLAYING && IsPlaying()) {
+        StopPlayback();
+      }
       // Play the remaining media. We want to run AdvanceFrame() at least
       // once to ensure the current playback position is advanced to the
       // end of the media, and so that we update the readyState.
@@ -2689,8 +2688,10 @@ nsresult MediaDecoderStateMachine::RunStateMachine()
           (HasAudio() && !mAudioCompleted) ||
           (mAudioCaptured && !GetDecodedStream()->IsFinished()))
       {
+        // Start playback if necessary to play the remaining media.
+        MaybeStartPlayback();
         AdvanceFrame();
-        NS_ASSERTION(mPlayState != MediaDecoder::PLAY_STATE_PLAYING ||
+        NS_ASSERTION(!IsPlaying() ||
                      mLogicallySeeking ||
                      mPlaybackRate == 0 || IsStateMachineScheduled(),
                      "Must have timer scheduled");
@@ -2898,7 +2899,7 @@ void MediaDecoderStateMachine::AdvanceFrame()
   NS_ASSERTION(!HasAudio() || mAudioStartTime != -1,
                "Should know audio start time if we have audio.");
 
-  if (mPlayState != MediaDecoder::PLAY_STATE_PLAYING || mLogicallySeeking) {
+  if (!IsPlaying() || mLogicallySeeking) {
     return;
   }
 
@@ -3008,13 +3009,7 @@ void MediaDecoderStateMachine::AdvanceFrame()
       // duration.
       RenderVideoFrame(currentFrame, presTime);
     }
-    // If we're no longer playing after dropping and reacquiring the lock,
-    // playback must've been stopped on the decode thread (by a seek, for
-    // example).  In that case, the current frame is probably out of date.
-    if (!IsPlaying()) {
-      ScheduleStateMachine();
-      return;
-    }
+    MOZ_ASSERT(IsPlaying());
     MediaDecoder::FrameStatistics& frameStats = mDecoder->GetFrameStatistics();
     frameStats.NotifyPresentedFrame();
     remainingTime = currentFrame->GetEndTime() - clock_time;
diff --git a/dom/media/MediaDecoderStateMachine.h b/dom/media/MediaDecoderStateMachine.h
index b2a0f505094d..f9f4ac6ffb73 100644
--- a/dom/media/MediaDecoderStateMachine.h
+++ b/dom/media/MediaDecoderStateMachine.h
@@ -846,7 +846,7 @@ public:
   // The task queue in which we run decode tasks. This is referred to as
   // the "decode thread", though in practise tasks can run on a different
   // thread every time they're called.
-  MediaTaskQueue* DecodeTaskQueue() const { return mReader->GetTaskQueue(); }
+  MediaTaskQueue* DecodeTaskQueue() const { return mReader->TaskQueue(); }
 
   // The time that playback started from the system clock. This is used for
   // timing the presentation of video frames when there's no audio.
diff --git a/dom/media/MediaFormatReader.cpp b/dom/media/MediaFormatReader.cpp
index ae60fe941665..5321faccc95b 100644
--- a/dom/media/MediaFormatReader.cpp
+++ b/dom/media/MediaFormatReader.cpp
@@ -61,8 +61,9 @@ TrackTypeToStr(TrackInfo::TrackType aTrack)
 }
 
 MediaFormatReader::MediaFormatReader(AbstractMediaDecoder* aDecoder,
-                                       MediaDataDemuxer* aDemuxer)
-  : MediaDecoderReader(aDecoder)
+                                     MediaDataDemuxer* aDemuxer,
+                                     MediaTaskQueue* aBorrowedTaskQueue)
+  : MediaDecoderReader(aDecoder, aBorrowedTaskQueue)
   , mDemuxer(aDemuxer)
   , mAudio(this, MediaData::AUDIO_DATA, Preferences::GetUint("media.audio-decode-ahead", 2))
   , mVideo(this, MediaData::VIDEO_DATA, Preferences::GetUint("media.video-decode-ahead", 2))
@@ -280,7 +281,7 @@ MediaFormatReader::AsyncReadMetadata()
   nsRefPtr<MetadataPromise> p = mMetadataPromise.Ensure(__func__);
 
   mDemuxerInitRequest.Begin(mDemuxer->Init()
-                       ->Then(GetTaskQueue(), __func__, this,
+                       ->Then(TaskQueue(), __func__, this,
                               &MediaFormatReader::OnDemuxerInitDone,
                               &MediaFormatReader::OnDemuxerInitFailed));
   return p;
@@ -587,7 +588,7 @@ MediaFormatReader::DoDemuxVideo()
 {
   // TODO Use DecodeAhead value rather than 1.
   mVideo.mDemuxRequest.Begin(mVideo.mTrackDemuxer->GetSamples(1)
-                      ->Then(GetTaskQueue(), __func__, this,
+                      ->Then(TaskQueue(), __func__, this,
                              &MediaFormatReader::OnVideoDemuxCompleted,
                              &MediaFormatReader::OnVideoDemuxFailed));
 }
@@ -642,7 +643,7 @@ MediaFormatReader::DoDemuxAudio()
 {
   // TODO Use DecodeAhead value rather than 1.
   mAudio.mDemuxRequest.Begin(mAudio.mTrackDemuxer->GetSamples(1)
-                      ->Then(GetTaskQueue(), __func__, this,
+                      ->Then(TaskQueue(), __func__, this,
                              &MediaFormatReader::OnAudioDemuxCompleted,
                              &MediaFormatReader::OnAudioDemuxFailed));
 }
@@ -747,7 +748,7 @@ MediaFormatReader::ScheduleUpdate(TrackType aTrack)
   decoder.mUpdateScheduled = true;
   RefPtr<nsIRunnable> task(
     NS_NewRunnableMethodWithArg<TrackType>(this, &MediaFormatReader::Update, aTrack));
-  GetTaskQueue()->Dispatch(task.forget());
+  TaskQueue()->Dispatch(task.forget());
 }
 
 bool
@@ -1042,7 +1043,7 @@ MediaFormatReader::Output(TrackType aTrack, MediaData* aSample)
   RefPtr<nsIRunnable> task =
     NS_NewRunnableMethodWithArgs<TrackType, MediaData*>(
       this, &MediaFormatReader::NotifyNewOutput, aTrack, aSample);
-  GetTaskQueue()->Dispatch(task.forget());
+  TaskQueue()->Dispatch(task.forget());
 }
 
 void
@@ -1051,7 +1052,7 @@ MediaFormatReader::DrainComplete(TrackType aTrack)
   RefPtr<nsIRunnable> task =
     NS_NewRunnableMethodWithArg<TrackType>(
       this, &MediaFormatReader::NotifyDrainComplete, aTrack);
-  GetTaskQueue()->Dispatch(task.forget());
+  TaskQueue()->Dispatch(task.forget());
 }
 
 void
@@ -1060,7 +1061,7 @@ MediaFormatReader::InputExhausted(TrackType aTrack)
   RefPtr<nsIRunnable> task =
     NS_NewRunnableMethodWithArg<TrackType>(
       this, &MediaFormatReader::NotifyInputExhausted, aTrack);
-  GetTaskQueue()->Dispatch(task.forget());
+  TaskQueue()->Dispatch(task.forget());
 }
 
 void
@@ -1069,7 +1070,7 @@ MediaFormatReader::Error(TrackType aTrack)
   RefPtr<nsIRunnable> task =
     NS_NewRunnableMethodWithArg<TrackType>(
       this, &MediaFormatReader::NotifyError, aTrack);
-  GetTaskQueue()->Dispatch(task.forget());
+  TaskQueue()->Dispatch(task.forget());
 }
 
 void
@@ -1109,7 +1110,7 @@ MediaFormatReader::SkipVideoDemuxToNextKeyFrame(media::TimeUnit aTimeThreshold)
   }
 
   mSkipRequest.Begin(mVideo.mTrackDemuxer->SkipToNextRandomAccessPoint(aTimeThreshold)
-                          ->Then(GetTaskQueue(), __func__, this,
+                          ->Then(TaskQueue(), __func__, this,
                                  &MediaFormatReader::OnVideoSkipCompleted,
                                  &MediaFormatReader::OnVideoSkipFailed));
   return;
@@ -1212,7 +1213,7 @@ MediaFormatReader::DoVideoSeek()
   LOGV("Seeking video to %lld", mPendingSeekTime.ref().ToMicroseconds());
   media::TimeUnit seekTime = mPendingSeekTime.ref();
   mVideoSeekRequest.Begin(mVideo.mTrackDemuxer->Seek(seekTime)
-                          ->Then(GetTaskQueue(), __func__, this,
+                          ->Then(TaskQueue(), __func__, this,
                                  &MediaFormatReader::OnVideoSeekCompleted,
                                  &MediaFormatReader::OnVideoSeekFailed));
 }
@@ -1241,7 +1242,7 @@ MediaFormatReader::DoAudioSeek()
   LOGV("Seeking audio to %lld", mPendingSeekTime.ref().ToMicroseconds());
   media::TimeUnit seekTime = mPendingSeekTime.ref();
   mAudioSeekRequest.Begin(mAudio.mTrackDemuxer->Seek(seekTime)
-                         ->Then(GetTaskQueue(), __func__, this,
+                         ->Then(TaskQueue(), __func__, this,
                                 &MediaFormatReader::OnAudioSeekCompleted,
                                 &MediaFormatReader::OnAudioSeekFailed));
 }
@@ -1433,7 +1434,7 @@ MediaFormatReader::NotifyDataArrived(const char* aBuffer, uint32_t aLength, int6
     NS_NewRunnableMethodWithArgs<int32_t, uint64_t>(
       this, &MediaFormatReader::NotifyDemuxer,
       aLength, aOffset);
-  GetTaskQueue()->Dispatch(task.forget());
+  TaskQueue()->Dispatch(task.forget());
 }
 
 void
@@ -1456,7 +1457,7 @@ MediaFormatReader::NotifyDataRemoved()
     NS_NewRunnableMethodWithArgs<int32_t, uint64_t>(
       this, &MediaFormatReader::NotifyDemuxer,
       0, 0);
-  GetTaskQueue()->Dispatch(task.forget());
+  TaskQueue()->Dispatch(task.forget());
 }
 
 } // namespace mozilla
diff --git a/dom/media/MediaFormatReader.h b/dom/media/MediaFormatReader.h
index 2bfdf4a5ca54..410697a20100 100644
--- a/dom/media/MediaFormatReader.h
+++ b/dom/media/MediaFormatReader.h
@@ -30,7 +30,8 @@ class MediaFormatReader final : public MediaDecoderReader
 
 public:
   explicit MediaFormatReader(AbstractMediaDecoder* aDecoder,
-                              MediaDataDemuxer* aDemuxer);
+                             MediaDataDemuxer* aDemuxer,
+                             MediaTaskQueue* aBorrowedTaskQueue = nullptr);
 
   virtual ~MediaFormatReader();
 
diff --git a/dom/media/MediaResource.h b/dom/media/MediaResource.h
index 55829f6999a6..e33358347fed 100644
--- a/dom/media/MediaResource.h
+++ b/dom/media/MediaResource.h
@@ -428,6 +428,8 @@ public:
     return aMallocSizeOf(this) + SizeOfExcludingThis(aMallocSizeOf);
   }
 
+  const nsCString& GetContentURL() const { return EmptyCString(); }
+
 protected:
   virtual ~MediaResource() {};
 
@@ -460,6 +462,12 @@ public:
     return aMallocSizeOf(this) + SizeOfExcludingThis(aMallocSizeOf);
   }
 
+  // Returns the url of the resource. Safe to call from any thread?
+  const nsCString& GetContentURL() const
+  {
+    return mContentURL;
+  }
+
 protected:
   BaseMediaResource(MediaDecoder* aDecoder,
                     nsIChannel* aChannel,
@@ -473,6 +481,7 @@ protected:
   {
     MOZ_COUNT_CTOR(BaseMediaResource);
     NS_ASSERTION(!mContentType.IsEmpty(), "Must know content type");
+    mURI->GetSpec(mContentURL);
   }
   virtual ~BaseMediaResource()
   {
@@ -511,6 +520,9 @@ protected:
   // is safe.
   const nsAutoCString mContentType;
 
+  // Copy of the url of the channel resource.
+  nsAutoCString mContentURL;
+
   // True if SetLoadInBackground() has been called with
   // aLoadInBackground = true, i.e. when the document load event is not
   // blocked by this resource, and all channel loads will be in the
diff --git a/dom/media/MediaStreamGraph.cpp b/dom/media/MediaStreamGraph.cpp
index b39f02f999dc..8e6cedab4a73 100644
--- a/dom/media/MediaStreamGraph.cpp
+++ b/dom/media/MediaStreamGraph.cpp
@@ -10,11 +10,9 @@
 #include "AudioSegment.h"
 #include "VideoSegment.h"
 #include "nsContentUtils.h"
-#include "nsIAppShell.h"
 #include "nsIObserver.h"
 #include "nsPrintfCString.h"
 #include "nsServiceManagerUtils.h"
-#include "nsWidgetsCID.h"
 #include "prerror.h"
 #include "mozilla/Logging.h"
 #include "mozilla/Attributes.h"
@@ -1839,8 +1837,6 @@ MediaStreamGraphImpl::RunInStableState(bool aSourceIsMSG)
 }
 
 
-static NS_DEFINE_CID(kAppShellCID, NS_APPSHELL_CID);
-
 void
 MediaStreamGraphImpl::EnsureRunInStableState()
 {
@@ -1850,12 +1846,7 @@ MediaStreamGraphImpl::EnsureRunInStableState()
     return;
   mPostedRunInStableState = true;
   nsCOMPtr<nsIRunnable> event = new MediaStreamGraphStableStateRunnable(this, false);
-  nsCOMPtr<nsIAppShell> appShell = do_GetService(kAppShellCID);
-  if (appShell) {
-    appShell->RunInStableState(event);
-  } else {
-    NS_ERROR("Appshell already destroyed?");
-  }
+  nsContentUtils::RunInStableState(event.forget());
 }
 
 void
diff --git a/dom/media/MediaTaskQueue.h b/dom/media/MediaTaskQueue.h
index cf90e5b88e97..20e110d29b96 100644
--- a/dom/media/MediaTaskQueue.h
+++ b/dom/media/MediaTaskQueue.h
@@ -31,7 +31,7 @@ typedef MediaPromise<bool, bool, false> ShutdownPromise;
 // to make this threadsafe for objects that aren't already threadsafe.
 class MediaTaskQueue : public AbstractThread {
 public:
-  explicit MediaTaskQueue(TemporaryRef<SharedThreadPool> aPool, bool aRequireTailDispatch = false);
+  explicit MediaTaskQueue(TemporaryRef<SharedThreadPool> aPool, bool aSupportsTailDispatch = false);
 
   void Dispatch(TemporaryRef<nsIRunnable> aRunnable,
                 DispatchFailureHandling aFailureHandling = AssertDispatchSuccess)
diff --git a/dom/media/TimeUnits.h b/dom/media/TimeUnits.h
index 4aee59b88e9e..d3e5f3d7876d 100644
--- a/dom/media/TimeUnits.h
+++ b/dom/media/TimeUnits.h
@@ -173,6 +173,21 @@ public:
     MOZ_ASSERT(!IsInfinite() && !aOther.IsInfinite());
     return TimeUnit(mValue - aOther.mValue);
   }
+  TimeUnit& operator += (const TimeUnit& aOther) {
+    *this = *this + aOther;
+    return *this;
+  }
+  TimeUnit& operator -= (const TimeUnit& aOther) {
+    *this = *this - aOther;
+    return *this;
+  }
+
+  friend TimeUnit operator* (int aVal, const TimeUnit& aUnit) {
+    return TimeUnit(aUnit.mValue * aVal);
+  }
+  friend TimeUnit operator* (const TimeUnit& aUnit, int aVal) {
+    return TimeUnit(aUnit.mValue * aVal);
+  }
 
   bool IsValid() const
   {
diff --git a/dom/media/fmp4/MP4Demuxer.cpp b/dom/media/fmp4/MP4Demuxer.cpp
index d9fe1c442fc6..6328cfb460ed 100644
--- a/dom/media/fmp4/MP4Demuxer.cpp
+++ b/dom/media/fmp4/MP4Demuxer.cpp
@@ -168,7 +168,7 @@ MP4TrackDemuxer::MP4TrackDemuxer(MP4Demuxer* aParent,
                                   mInfo->IsAudio(),
                                   &mMonitor);
   mIterator = MakeUnique<mp4_demuxer::SampleIterator>(mIndex);
-  NotifyDataArrived(); // Force update of index
+  EnsureUpToDateIndex(); // Force update of index
 }
 
 UniquePtr<TrackInfo>
@@ -216,6 +216,7 @@ MP4TrackDemuxer::Seek(media::TimeUnit aTime)
 nsRefPtr<MP4TrackDemuxer::SamplesPromise>
 MP4TrackDemuxer::GetSamples(int32_t aNumSamples)
 {
+  EnsureUpToDateIndex();
   nsRefPtr<SamplesHolder> samples = new SamplesHolder;
   if (!aNumSamples) {
     return SamplesPromise::CreateAndReject(DemuxerFailureReason::DEMUXER_ERROR, __func__);
diff --git a/dom/media/fmp4/MP4Reader.cpp b/dom/media/fmp4/MP4Reader.cpp
index 0ae9d15f6f0e..6fad89c47701 100644
--- a/dom/media/fmp4/MP4Reader.cpp
+++ b/dom/media/fmp4/MP4Reader.cpp
@@ -144,8 +144,8 @@ InvokeAndRetry(ThisType* aThisVal, ReturnType(ThisType::*aMethod)(), MP4Stream*
   }
 }
 
-MP4Reader::MP4Reader(AbstractMediaDecoder* aDecoder)
-  : MediaDecoderReader(aDecoder)
+MP4Reader::MP4Reader(AbstractMediaDecoder* aDecoder, MediaTaskQueue* aBorrowedTaskQueue)
+  : MediaDecoderReader(aDecoder, aBorrowedTaskQueue)
   , mAudio(MediaData::AUDIO_DATA, Preferences::GetUint("media.mp4-audio-decode-ahead", 2))
   , mVideo(MediaData::VIDEO_DATA, Preferences::GetUint("media.mp4-video-decode-ahead", 2))
   , mLastReportedNumDecodedFrames(0)
@@ -172,7 +172,7 @@ MP4Reader::~MP4Reader()
 nsRefPtr<ShutdownPromise>
 MP4Reader::Shutdown()
 {
-  MOZ_ASSERT(GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(OnTaskQueue());
 
   if (mAudio.mDecoder) {
     Flush(TrackInfo::kAudioTrack);
@@ -611,7 +611,7 @@ nsRefPtr<MediaDecoderReader::VideoDataPromise>
 MP4Reader::RequestVideoData(bool aSkipToNextKeyframe,
                             int64_t aTimeThreshold)
 {
-  MOZ_ASSERT(GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(OnTaskQueue());
   VLOG("skip=%d time=%lld", aSkipToNextKeyframe, aTimeThreshold);
 
   if (!EnsureDecodersSetup()) {
@@ -652,7 +652,7 @@ MP4Reader::RequestVideoData(bool aSkipToNextKeyframe,
 nsRefPtr<MediaDecoderReader::AudioDataPromise>
 MP4Reader::RequestAudioData()
 {
-  MOZ_ASSERT(GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(OnTaskQueue());
   VLOG("");
 
   if (!EnsureDecodersSetup()) {
@@ -683,7 +683,7 @@ MP4Reader::ScheduleUpdate(TrackType aTrack)
   decoder.mUpdateScheduled = true;
   RefPtr<nsIRunnable> task(
     NS_NewRunnableMethodWithArg<TrackType>(this, &MP4Reader::Update, aTrack));
-  GetTaskQueue()->Dispatch(task.forget());
+  TaskQueue()->Dispatch(task.forget());
 }
 
 bool
@@ -707,7 +707,7 @@ MP4Reader::NeedInput(DecoderData& aDecoder)
 void
 MP4Reader::Update(TrackType aTrack)
 {
-  MOZ_ASSERT(GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(OnTaskQueue());
 
   if (mShutdown) {
     return;
@@ -873,7 +873,7 @@ MP4Reader::SizeOfQueue(TrackType aTrack)
 nsresult
 MP4Reader::ResetDecode()
 {
-  MOZ_ASSERT(GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(OnTaskQueue());
   Flush(TrackInfo::kVideoTrack);
   {
     MonitorAutoLock mon(mDemuxerMonitor);
@@ -955,7 +955,7 @@ MP4Reader::Error(TrackType aTrack)
 void
 MP4Reader::Flush(TrackType aTrack)
 {
-  MOZ_ASSERT(GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(OnTaskQueue());
   VLOG("Flush(%s) BEGIN", TrackTypeToStr(aTrack));
   DecoderData& data = GetDecoderData(aTrack);
   if (!data.mDecoder) {
@@ -993,7 +993,7 @@ MP4Reader::Flush(TrackType aTrack)
 bool
 MP4Reader::SkipVideoDemuxToNextKeyFrame(int64_t aTimeThreshold, uint32_t& parsed)
 {
-  MOZ_ASSERT(GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(OnTaskQueue());
 
   MOZ_ASSERT(mVideo.mDecoder);
 
@@ -1024,7 +1024,7 @@ nsRefPtr<MediaDecoderReader::SeekPromise>
 MP4Reader::Seek(int64_t aTime, int64_t aEndTime)
 {
   LOG("aTime=(%lld)", aTime);
-  MOZ_ASSERT(GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(OnTaskQueue());
   MonitorAutoLock mon(mDemuxerMonitor);
   if (!mDemuxer->CanSeek()) {
     VLOG("Seek() END (Unseekable)");
diff --git a/dom/media/fmp4/MP4Reader.h b/dom/media/fmp4/MP4Reader.h
index db07526e0278..005fba92784a 100644
--- a/dom/media/fmp4/MP4Reader.h
+++ b/dom/media/fmp4/MP4Reader.h
@@ -34,7 +34,7 @@ class MP4Reader final : public MediaDecoderReader
   typedef TrackInfo::TrackType TrackType;
 
 public:
-  explicit MP4Reader(AbstractMediaDecoder* aDecoder);
+  explicit MP4Reader(AbstractMediaDecoder* aDecoder, MediaTaskQueue* aBorrowedTaskQueue = nullptr);
 
   virtual ~MP4Reader();
 
diff --git a/dom/media/gstreamer/GStreamerFormatHelper.cpp b/dom/media/gstreamer/GStreamerFormatHelper.cpp
index 2ee32e53c046..c4b4fa335d45 100644
--- a/dom/media/gstreamer/GStreamerFormatHelper.cpp
+++ b/dom/media/gstreamer/GStreamerFormatHelper.cpp
@@ -8,6 +8,7 @@
 #include "nsCharSeparatedTokenizer.h"
 #include "nsString.h"
 #include "GStreamerLoader.h"
+#include "mozilla/Logging.h"
 #include "mozilla/Preferences.h"
 
 #define ENTRY_FORMAT(entry) entry[0]
@@ -15,6 +16,10 @@
 
 namespace mozilla {
 
+extern PRLogModuleInfo* gMediaDecoderLog;
+#define LOG(msg, ...) \
+    MOZ_LOG(gMediaDecoderLog, LogLevel::Debug, ("GStreamerFormatHelper " msg, ##__VA_ARGS__))
+
 GStreamerFormatHelper* GStreamerFormatHelper::gInstance = nullptr;
 bool GStreamerFormatHelper::sLoadOK = false;
 
@@ -236,6 +241,7 @@ GStreamerFormatHelper::IsPluginFeatureBlacklisted(GstPluginFeature *aFeature)
 
   for (unsigned int i = 0; i < G_N_ELEMENTS(sPluginBlacklist); i++) {
     if (!strcmp(factoryName, sPluginBlacklist[i])) {
+      LOG("rejecting disabled plugin %s", factoryName);
       return true;
     }
   }
diff --git a/dom/media/gstreamer/GStreamerReader.cpp b/dom/media/gstreamer/GStreamerReader.cpp
index b058b8a4f822..33ea67fcb636 100644
--- a/dom/media/gstreamer/GStreamerReader.cpp
+++ b/dom/media/gstreamer/GStreamerReader.cpp
@@ -374,6 +374,9 @@ nsresult GStreamerReader::ReadMetadata(MediaInfo* aInfo,
    * might be concurrent stream operations happening on both decoding and gstreamer
    * threads which will screw the GStreamer state machine.
    */
+  LOG(LogLevel::Debug, "content-type: %s %s",
+      mDecoder->GetResource()->GetContentType().get(),
+      mDecoder->GetResource()->GetContentURL().get());
   bool isMP3 = mDecoder->GetResource()->GetContentType().EqualsASCII(AUDIO_MP3);
   if (isMP3) {
     ParseMP3Headers();
diff --git a/dom/media/gtest/TestIntervalSet.cpp b/dom/media/gtest/TestIntervalSet.cpp
index 08aac2041ee6..f2198320f534 100644
--- a/dom/media/gtest/TestIntervalSet.cpp
+++ b/dom/media/gtest/TestIntervalSet.cpp
@@ -14,6 +14,7 @@ using namespace mozilla;
 
 typedef media::Interval<uint8_t> ByteInterval;
 typedef media::Interval<int> IntInterval;
+typedef media::IntervalSet<int> IntIntervals;
 
 ByteInterval CreateByteInterval(int32_t aStart, int32_t aEnd)
 {
@@ -150,18 +151,18 @@ TEST(IntervalSet, Equals)
 
 TEST(IntervalSet, IntersectionIntervalSet)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(5, 10);
   i0 += IntInterval(20, 25);
   i0 += IntInterval(40, 60);
 
-  media::IntervalSet<int> i1;
+  IntIntervals i1;
   i1.Add(IntInterval(7, 15));
   i1.Add(IntInterval(16, 27));
   i1.Add(IntInterval(45, 50));
   i1.Add(IntInterval(53, 57));
 
-  media::IntervalSet<int> i = media::Intersection(i0, i1);
+  IntIntervals i = media::Intersection(i0, i1);
 
   EXPECT_EQ(4u, i.Length());
 
@@ -192,10 +193,10 @@ static void Compare(const media::IntervalSet<T>& aI1,
   }
 }
 
-static void GeneratePermutations(media::IntervalSet<int> aI1,
-                                 media::IntervalSet<int> aI2)
+static void GeneratePermutations(IntIntervals aI1,
+                                 IntIntervals aI2)
 {
-  media::IntervalSet<int> i_ref = media::Intersection(aI1, aI2);
+  IntIntervals i_ref = media::Intersection(aI1, aI2);
   // Test all permutations possible
   std::vector<uint32_t> comb1;
   for (uint32_t i = 0; i < aI1.Length(); i++) {
@@ -209,13 +210,13 @@ static void GeneratePermutations(media::IntervalSet<int> aI1,
   do {
     do {
       // Create intervals according to new indexes.
-      media::IntervalSet<int> i_0;
+      IntIntervals i_0;
       for (uint32_t i = 0; i < comb1.size(); i++) {
         i_0 += aI1[comb1[i]];
       }
       // Test that intervals are always normalized.
       Compare(aI1, i_0);
-      media::IntervalSet<int> i_1;
+      IntIntervals i_1;
       for (uint32_t i = 0; i < comb2.size(); i++) {
         i_1 += aI2[comb2[i]];
       }
@@ -228,12 +229,12 @@ static void GeneratePermutations(media::IntervalSet<int> aI1,
 
 TEST(IntervalSet, IntersectionNormalizedIntervalSet)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(5, 10);
   i0 += IntInterval(20, 25);
   i0 += IntInterval(40, 60);
 
-  media::IntervalSet<int> i1;
+  IntIntervals i1;
   i1.Add(IntInterval(7, 15));
   i1.Add(IntInterval(16, 27));
   i1.Add(IntInterval(45, 50));
@@ -244,12 +245,12 @@ TEST(IntervalSet, IntersectionNormalizedIntervalSet)
 
 TEST(IntervalSet, IntersectionUnorderedNonNormalizedIntervalSet)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(5, 10);
   i0 += IntInterval(8, 25);
   i0 += IntInterval(24, 60);
 
-  media::IntervalSet<int> i1;
+  IntIntervals i1;
   i1.Add(IntInterval(7, 15));
   i1.Add(IntInterval(10, 27));
   i1.Add(IntInterval(45, 50));
@@ -260,7 +261,7 @@ TEST(IntervalSet, IntersectionUnorderedNonNormalizedIntervalSet)
 
 TEST(IntervalSet, IntersectionNonNormalizedInterval)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(5, 10);
   i0 += IntInterval(8, 25);
   i0 += IntInterval(30, 60);
@@ -274,7 +275,7 @@ TEST(IntervalSet, IntersectionNonNormalizedInterval)
 
 TEST(IntervalSet, IntersectionUnorderedNonNormalizedInterval)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(1, 3);
   i0 += IntInterval(1, 10);
   i0 += IntInterval(9, 12);
@@ -291,22 +292,22 @@ TEST(IntervalSet, IntersectionUnorderedNonNormalizedInterval)
   EXPECT_EQ(i0[0].mEnd, i1.mEnd);
 }
 
-static media::IntervalSet<int> Duplicate(const media::IntervalSet<int>& aValue)
+static IntIntervals Duplicate(const IntIntervals& aValue)
 {
-  media::IntervalSet<int> value(aValue);
+  IntIntervals value(aValue);
   return value;
 }
 
 TEST(IntervalSet, Normalize)
 {
-  media::IntervalSet<int> i;
+  IntIntervals i;
   // Test IntervalSet<T> + Interval<T> operator.
   i = i + IntInterval(20, 30);
   // Test Internal<T> + IntervalSet<T> operator.
   i = IntInterval(2, 7) + i;
   // Test Interval<T> + IntervalSet<T> operator
   i = IntInterval(1, 8) + i;
-  media::IntervalSet<int> interval;
+  IntIntervals interval;
   interval += IntInterval(5, 10);
   // Test += with rval move.
   i += Duplicate(interval);
@@ -333,7 +334,7 @@ TEST(IntervalSet, Normalize)
 
 TEST(IntervalSet, ContainValue)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(0, 10);
   i0 += IntInterval(15, 20);
   i0 += IntInterval(30, 50);
@@ -345,7 +346,7 @@ TEST(IntervalSet, ContainValue)
 
 TEST(IntervalSet, ContainValueWithFuzz)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(0, 10);
   i0 += IntInterval(15, 20, 1);
   i0 += IntInterval(30, 50);
@@ -357,7 +358,7 @@ TEST(IntervalSet, ContainValueWithFuzz)
 
 TEST(IntervalSet, ContainInterval)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(0, 10);
   i0 += IntInterval(15, 20);
   i0 += IntInterval(30, 50);
@@ -373,7 +374,7 @@ TEST(IntervalSet, ContainInterval)
 
 TEST(IntervalSet, ContainIntervalWithFuzz)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(0, 10);
   i0 += IntInterval(15, 20);
   i0 += IntInterval(30, 50);
@@ -386,7 +387,7 @@ TEST(IntervalSet, ContainIntervalWithFuzz)
   EXPECT_FALSE(i0.Contains(IntInterval(15, 30)));
   EXPECT_FALSE(i0.Contains(IntInterval(30, 55)));
 
-  media::IntervalSet<int> i1;
+  IntIntervals i1;
   i1 += IntInterval(0, 10, 1);
   i1 += IntInterval(15, 20, 1);
   i1 += IntInterval(30, 50, 1);
@@ -408,18 +409,18 @@ TEST(IntervalSet, Span)
 
 TEST(IntervalSet, Union)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(5, 10);
   i0 += IntInterval(20, 25);
   i0 += IntInterval(40, 60);
 
-  media::IntervalSet<int> i1;
+  IntIntervals i1;
   i1.Add(IntInterval(7, 15));
   i1.Add(IntInterval(16, 27));
   i1.Add(IntInterval(45, 50));
   i1.Add(IntInterval(53, 57));
 
-  media::IntervalSet<int> i = media::Union(i0, i1);
+  IntIntervals i = media::Union(i0, i1);
 
   EXPECT_EQ(3u, i.Length());
 
@@ -435,18 +436,18 @@ TEST(IntervalSet, Union)
 
 TEST(IntervalSet, UnionNotOrdered)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(20, 25);
   i0 += IntInterval(40, 60);
   i0 += IntInterval(5, 10);
 
-  media::IntervalSet<int> i1;
+  IntIntervals i1;
   i1.Add(IntInterval(16, 27));
   i1.Add(IntInterval(7, 15));
   i1.Add(IntInterval(53, 57));
   i1.Add(IntInterval(45, 50));
 
-  media::IntervalSet<int> i = media::Union(i0, i1);
+  IntIntervals i = media::Union(i0, i1);
 
   EXPECT_EQ(3u, i.Length());
 
@@ -462,7 +463,7 @@ TEST(IntervalSet, UnionNotOrdered)
 
 TEST(IntervalSet, NormalizeFuzz)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(11, 25, 0);
   i0 += IntInterval(5, 10, 1);
   i0 += IntInterval(40, 60, 1);
@@ -478,7 +479,7 @@ TEST(IntervalSet, NormalizeFuzz)
 
 TEST(IntervalSet, UnionFuzz)
 {
-  media::IntervalSet<int> i0;
+  IntIntervals i0;
   i0 += IntInterval(5, 10, 1);
   i0 += IntInterval(11, 25, 0);
   i0 += IntInterval(40, 60, 1);
@@ -488,7 +489,7 @@ TEST(IntervalSet, UnionFuzz)
   EXPECT_EQ(40, i0[1].mStart);
   EXPECT_EQ(60, i0[1].mEnd);
 
-  media::IntervalSet<int> i1;
+  IntIntervals i1;
   i1.Add(IntInterval(7, 15, 1));
   i1.Add(IntInterval(16, 27, 1));
   i1.Add(IntInterval(45, 50, 1));
@@ -501,7 +502,7 @@ TEST(IntervalSet, UnionFuzz)
   EXPECT_EQ(53, i1[2].mStart);
   EXPECT_EQ(57, i1[2].mEnd);
 
-  media::IntervalSet<int> i = media::Union(i0, i1);
+  IntIntervals i = media::Union(i0, i1);
 
   EXPECT_EQ(2u, i.Length());
 
@@ -712,9 +713,67 @@ TEST(IntervalSet, FooIntervalSet)
 
 TEST(IntervalSet, StaticAssert)
 {
-  typedef media::IntervalSet<int> IntIntervals;
   media::Interval<int> i;
 
   static_assert(mozilla::IsSame<nsTArray_CopyChooser<IntIntervals>::Type, nsTArray_CopyWithConstructors<IntIntervals>>::value, "Must use copy constructor");
   static_assert(mozilla::IsSame<nsTArray_CopyChooser<media::TimeIntervals>::Type, nsTArray_CopyWithConstructors<media::TimeIntervals>>::value, "Must use copy constructor");
 }
+
+TEST(IntervalSet, Substraction)
+{
+  IntIntervals i0;
+  i0 += IntInterval(5, 10);
+  i0 += IntInterval(20, 25);
+  i0 += IntInterval(40, 60);
+
+  IntInterval i1(8, 15);
+  i0 -= i1;
+
+  EXPECT_EQ(3u, i0.Length());
+  EXPECT_EQ(5, i0[0].mStart);
+  EXPECT_EQ(8, i0[0].mEnd);
+  EXPECT_EQ(20, i0[1].mStart);
+  EXPECT_EQ(25, i0[1].mEnd);
+  EXPECT_EQ(40, i0[2].mStart);
+  EXPECT_EQ(60, i0[2].mEnd);
+
+  i0 = IntIntervals();
+  i0 += IntInterval(5, 10);
+  i0 += IntInterval(20, 25);
+  i0 += IntInterval(40, 60);
+  i1 = IntInterval(0, 60);
+  i0 -= i1;
+  EXPECT_EQ(0u, i0.Length());
+
+  i0 = IntIntervals();
+  i0 += IntInterval(5, 10);
+  i0 += IntInterval(20, 25);
+  i0 += IntInterval(40, 60);
+  i1 = IntInterval(0, 45);
+  i0 -= i1;
+  EXPECT_EQ(1u, i0.Length());
+  EXPECT_EQ(45, i0[0].mStart);
+  EXPECT_EQ(60, i0[0].mEnd);
+
+  i0 = IntIntervals();
+  i0 += IntInterval(5, 10);
+  i0 += IntInterval(20, 25);
+  i0 += IntInterval(40, 60);
+  i1 = IntInterval(8, 45);
+  i0 -= i1;
+  EXPECT_EQ(2u, i0.Length());
+  EXPECT_EQ(5, i0[0].mStart);
+  EXPECT_EQ(8, i0[0].mEnd);
+  EXPECT_EQ(45, i0[1].mStart);
+  EXPECT_EQ(60, i0[1].mEnd);
+
+  i0 = IntIntervals();
+  i0 += IntInterval(5, 10);
+  i0 += IntInterval(20, 25);
+  i0 += IntInterval(40, 60);
+  i1 = IntInterval(8, 70);
+  i0 -= i1;
+  EXPECT_EQ(1u, i0.Length());
+  EXPECT_EQ(5, i0[0].mStart);
+  EXPECT_EQ(8, i0[0].mEnd);
+}
diff --git a/dom/media/gtest/TestMP4Reader.cpp b/dom/media/gtest/TestMP4Reader.cpp
index 2a1bd8471ad6..fa5bd1dffe8d 100644
--- a/dom/media/gtest/TestMP4Reader.cpp
+++ b/dom/media/gtest/TestMP4Reader.cpp
@@ -36,7 +36,6 @@ public:
     decoder->SetResource(resource);
 
     reader->Init(nullptr);
-    reader->EnsureTaskQueue();
     {
       // This needs to be done before invoking GetBuffered. This is normally
       // done by MediaDecoderStateMachine.
@@ -57,7 +56,7 @@ private:
   virtual ~TestBinding()
   {
     {
-      nsRefPtr<MediaTaskQueue> queue = reader->GetTaskQueue();
+      nsRefPtr<MediaTaskQueue> queue = reader->TaskQueue();
       nsCOMPtr<nsIRunnable> task = NS_NewRunnableMethod(reader, &MP4Reader::Shutdown);
       // Hackily bypass the tail dispatcher so that we can AwaitShutdownAndIdle.
       // In production code we'd use BeginShutdown + promises.
diff --git a/dom/media/mediasource/ContainerParser.cpp b/dom/media/mediasource/ContainerParser.cpp
index 7b71016eaeab..24b78db8da79 100644
--- a/dom/media/mediasource/ContainerParser.cpp
+++ b/dom/media/mediasource/ContainerParser.cpp
@@ -92,6 +92,24 @@ ContainerParser::InitData()
   return mInitData;
 }
 
+MediaByteRange
+ContainerParser::InitSegmentRange()
+{
+  return mCompleteInitSegmentRange;
+}
+
+MediaByteRange
+ContainerParser::MediaHeaderRange()
+{
+  return mCompleteMediaHeaderRange;
+}
+
+MediaByteRange
+ContainerParser::MediaSegmentRange()
+{
+  return mCompleteMediaSegmentRange;
+}
+
 class WebMContainerParser : public ContainerParser {
 public:
   explicit WebMContainerParser(const nsACString& aType)
@@ -103,7 +121,7 @@ public:
   static const unsigned NS_PER_USEC = 1000;
   static const unsigned USEC_PER_SEC = 1000000;
 
-  bool IsInitSegmentPresent(MediaLargeByteBuffer* aData)
+  bool IsInitSegmentPresent(MediaLargeByteBuffer* aData) override
   {
     ContainerParser::IsInitSegmentPresent(aData);
     // XXX: This is overly primitive, needs to collect data as it's appended
@@ -126,7 +144,7 @@ public:
     return false;
   }
 
-  bool IsMediaSegmentPresent(MediaLargeByteBuffer* aData)
+  bool IsMediaSegmentPresent(MediaLargeByteBuffer* aData) override
   {
     ContainerParser::IsMediaSegmentPresent(aData);
     // XXX: This is overly primitive, needs to collect data as it's appended
@@ -148,7 +166,7 @@ public:
   }
 
   bool ParseStartAndEndTimestamps(MediaLargeByteBuffer* aData,
-                                  int64_t& aStart, int64_t& aEnd)
+                                  int64_t& aStart, int64_t& aEnd) override
   {
     bool initSegment = IsInitSegmentPresent(aData);
     if (initSegment) {
@@ -180,6 +198,7 @@ public:
           // Super unlikely OOM
           return false;
         }
+        mCompleteInitSegmentRange = MediaByteRange(0, mParser.mInitEndOffset);
         char* buffer = reinterpret_cast<char*>(mInitData->Elements());
         mResource->ReadFromCache(buffer, 0, mParser.mInitEndOffset);
         MSE_DEBUG(WebMContainerParser, "Stashed init of %u bytes.",
@@ -219,7 +238,7 @@ public:
     return true;
   }
 
-  int64_t GetRoundingError()
+  int64_t GetRoundingError() override
   {
     int64_t error = mParser.GetTimecodeScale() / NS_PER_USEC;
     return error * 2;
@@ -239,7 +258,7 @@ public:
     , mMonitor("MP4ContainerParser Index Monitor")
   {}
 
-  bool IsInitSegmentPresent(MediaLargeByteBuffer* aData)
+  bool IsInitSegmentPresent(MediaLargeByteBuffer* aData) override
   {
     ContainerParser::IsInitSegmentPresent(aData);
     // Each MP4 atom has a chunk size and chunk type. The root chunk in an MP4
@@ -259,7 +278,7 @@ public:
            (*aData)[7] == 'p';
   }
 
-  bool IsMediaSegmentPresent(MediaLargeByteBuffer* aData)
+  bool IsMediaSegmentPresent(MediaLargeByteBuffer* aData) override
   {
     ContainerParser::IsMediaSegmentPresent(aData);
     if (aData->Length() < 8) {
@@ -280,7 +299,7 @@ public:
   }
 
   bool ParseStartAndEndTimestamps(MediaLargeByteBuffer* aData,
-                                  int64_t& aStart, int64_t& aEnd)
+                                  int64_t& aStart, int64_t& aEnd) override
   {
     MonitorAutoLock mon(mMonitor); // We're not actually racing against anything,
                                    // but mParser requires us to hold a monitor.
@@ -306,17 +325,17 @@ public:
     mParser->RebuildFragmentedIndex(byteRanges);
 
     if (initSegment || !HasCompleteInitData()) {
-      const MediaByteRange& range = mParser->mInitRange;
-      uint32_t length = range.mEnd - range.mStart;
-      if (length) {
-        if (!mInitData->SetLength(length, fallible)) {
+      MediaByteRange& range = mParser->mInitRange;
+      if (range.Length()) {
+        mCompleteInitSegmentRange = range;
+        if (!mInitData->SetLength(range.Length(), fallible)) {
           // Super unlikely OOM
           return false;
         }
         char* buffer = reinterpret_cast<char*>(mInitData->Elements());
-        mResource->ReadFromCache(buffer, range.mStart, length);
+        mResource->ReadFromCache(buffer, range.mStart, range.Length());
         MSE_DEBUG(MP4ContainerParser ,"Stashed init of %u bytes.",
-                  length);
+                  range.Length());
       } else {
         MSE_DEBUG(MP4ContainerParser, "Incomplete init found.");
       }
@@ -326,6 +345,8 @@ public:
     mp4_demuxer::Interval<mp4_demuxer::Microseconds> compositionRange =
       mParser->GetCompositionRange(byteRanges);
 
+    mCompleteMediaHeaderRange = mParser->FirstCompleteMediaHeader();
+    mCompleteMediaSegmentRange = mParser->FirstCompleteMediaSegment();
     ErrorResult rv;
     mResource->EvictData(mParser->mOffset, mParser->mOffset, rv);
     if (NS_WARN_IF(rv.Failed())) {
@@ -345,7 +366,7 @@ public:
 
   // Gaps of up to 35ms (marginally longer than a single frame at 30fps) are considered
   // to be sequential frames.
-  int64_t GetRoundingError()
+  int64_t GetRoundingError() override
   {
     return 35000;
   }
diff --git a/dom/media/mediasource/ContainerParser.h b/dom/media/mediasource/ContainerParser.h
index e4fa837b2af4..e567723845b7 100644
--- a/dom/media/mediasource/ContainerParser.h
+++ b/dom/media/mediasource/ContainerParser.h
@@ -9,6 +9,7 @@
 
 #include "nsRefPtr.h"
 #include "nsString.h"
+#include "MediaResource.h"
 
 namespace mozilla {
 
@@ -51,6 +52,15 @@ public:
   }
 
   bool HasCompleteInitData();
+  // Returns the byte range of the first complete init segment, or an empty
+  // range if not complete.
+  MediaByteRange InitSegmentRange();
+  // Returns the byte range of the first complete media segment header,
+  // or an empty range if not complete.
+  MediaByteRange MediaHeaderRange();
+  // Returns the byte range of the first complete media segment or an empty
+  // range if not complete.
+  MediaByteRange MediaSegmentRange();
 
   static ContainerParser* CreateForMIMEType(const nsACString& aType);
 
@@ -58,6 +68,9 @@ protected:
   nsRefPtr<MediaLargeByteBuffer> mInitData;
   nsRefPtr<SourceBufferResource> mResource;
   bool mHasInitData;
+  MediaByteRange mCompleteInitSegmentRange;
+  MediaByteRange mCompleteMediaHeaderRange;
+  MediaByteRange mCompleteMediaSegmentRange;
   const nsCString mType;
 };
 
diff --git a/dom/media/mediasource/MediaSourceReader.cpp b/dom/media/mediasource/MediaSourceReader.cpp
index 1d2d6bd8c3aa..495ada196bce 100644
--- a/dom/media/mediasource/MediaSourceReader.cpp
+++ b/dom/media/mediasource/MediaSourceReader.cpp
@@ -23,6 +23,10 @@
 #include "MP4Reader.h"
 #endif
 
+#ifdef MOZ_WEBM
+#include "WebMReader.h"
+#endif
+
 extern PRLogModuleInfo* GetMediaSourceLog();
 
 #define MSE_DEBUG(arg, ...) MOZ_LOG(GetMediaSourceLog(), mozilla::LogLevel::Debug, ("MediaSourceReader(%p)::%s: " arg, this, __func__, ##__VA_ARGS__))
@@ -157,7 +161,7 @@ MediaSourceReader::RequestAudioData()
     case SOURCE_NEW:
       GetAudioReader()->ResetDecode();
       mAudioSeekRequest.Begin(GetAudioReader()->Seek(GetReaderAudioTime(mLastAudioTime), 0)
-                              ->Then(GetTaskQueue(), __func__, this,
+                              ->Then(TaskQueue(), __func__, this,
                                      &MediaSourceReader::CompleteAudioSeekAndDoRequest,
                                      &MediaSourceReader::CompleteAudioSeekAndRejectPromise));
       break;
@@ -182,7 +186,7 @@ MediaSourceReader::RequestAudioData()
 void MediaSourceReader::DoAudioRequest()
 {
   mAudioRequest.Begin(GetAudioReader()->RequestAudioData()
-                      ->Then(GetTaskQueue(), __func__, this,
+                      ->Then(TaskQueue(), __func__, this,
                              &MediaSourceReader::OnAudioDecoded,
                              &MediaSourceReader::OnAudioNotDecoded));
 }
@@ -205,7 +209,7 @@ MediaSourceReader::OnAudioDecoded(AudioData* aSample)
       MSE_DEBUG("mTime=%lld < mTimeThreshold=%lld",
                 ourTime, mTimeThreshold);
       mAudioRequest.Begin(GetAudioReader()->RequestAudioData()
-                          ->Then(GetTaskQueue(), __func__, this,
+                          ->Then(TaskQueue(), __func__, this,
                                  &MediaSourceReader::OnAudioDecoded,
                                  &MediaSourceReader::OnAudioNotDecoded));
       return;
@@ -275,7 +279,7 @@ MediaSourceReader::OnAudioNotDecoded(NotDecodedReason aReason)
   if (result == SOURCE_NEW) {
     GetAudioReader()->ResetDecode();
     mAudioSeekRequest.Begin(GetAudioReader()->Seek(GetReaderAudioTime(mLastAudioTime), 0)
-                            ->Then(GetTaskQueue(), __func__, this,
+                            ->Then(TaskQueue(), __func__, this,
                                    &MediaSourceReader::CompleteAudioSeekAndDoRequest,
                                    &MediaSourceReader::CompleteAudioSeekAndRejectPromise));
     return;
@@ -330,7 +334,7 @@ MediaSourceReader::RequestVideoData(bool aSkipToNextKeyframe, int64_t aTimeThres
     case SOURCE_NEW:
       GetVideoReader()->ResetDecode();
       mVideoSeekRequest.Begin(GetVideoReader()->Seek(GetReaderVideoTime(mLastVideoTime), 0)
-                             ->Then(GetTaskQueue(), __func__, this,
+                             ->Then(TaskQueue(), __func__, this,
                                     &MediaSourceReader::CompleteVideoSeekAndDoRequest,
                                     &MediaSourceReader::CompleteVideoSeekAndRejectPromise));
       break;
@@ -357,7 +361,7 @@ void
 MediaSourceReader::DoVideoRequest()
 {
   mVideoRequest.Begin(GetVideoReader()->RequestVideoData(mDropVideoBeforeThreshold, GetReaderVideoTime(mTimeThreshold))
-                      ->Then(GetTaskQueue(), __func__, this,
+                      ->Then(TaskQueue(), __func__, this,
                              &MediaSourceReader::OnVideoDecoded,
                              &MediaSourceReader::OnVideoNotDecoded));
 }
@@ -427,7 +431,7 @@ MediaSourceReader::OnVideoNotDecoded(NotDecodedReason aReason)
   if (result == SOURCE_NEW) {
     GetVideoReader()->ResetDecode();
     mVideoSeekRequest.Begin(GetVideoReader()->Seek(GetReaderVideoTime(mLastVideoTime), 0)
-                           ->Then(GetTaskQueue(), __func__, this,
+                           ->Then(TaskQueue(), __func__, this,
                                   &MediaSourceReader::CompleteVideoSeekAndDoRequest,
                                   &MediaSourceReader::CompleteVideoSeekAndRejectPromise));
     return;
@@ -498,7 +502,7 @@ MediaSourceReader::ContinueShutdown()
 {
   ReentrantMonitorAutoEnter mon(mDecoder->GetReentrantMonitor());
   if (mTrackBuffers.Length()) {
-    mTrackBuffers[0]->Shutdown()->Then(GetTaskQueue(), __func__, this,
+    mTrackBuffers[0]->Shutdown()->Then(TaskQueue(), __func__, this,
                                        &MediaSourceReader::ContinueShutdown,
                                        &MediaSourceReader::ContinueShutdown);
     mShutdownTrackBuffers.AppendElement(mTrackBuffers[0]);
@@ -674,7 +678,8 @@ MediaSourceReader::ReleaseMediaResources()
 }
 
 MediaDecoderReader*
-CreateReaderForType(const nsACString& aType, AbstractMediaDecoder* aDecoder)
+CreateReaderForType(const nsACString& aType, AbstractMediaDecoder* aDecoder,
+                    MediaTaskQueue* aBorrowedTaskQueue)
 {
 #ifdef MOZ_FMP4
   // The MP4Reader that supports fragmented MP4 and uses
@@ -687,12 +692,19 @@ CreateReaderForType(const nsACString& aType, AbstractMediaDecoder* aDecoder)
     bool useFormatDecoder =
       Preferences::GetBool("media.mediasource.format-reader.mp4", true);
     MediaDecoderReader* reader = useFormatDecoder ?
-      static_cast<MediaDecoderReader*>(new MediaFormatReader(aDecoder, new MP4Demuxer(aDecoder->GetResource()))) :
-      static_cast<MediaDecoderReader*>(new MP4Reader(aDecoder));
+      static_cast<MediaDecoderReader*>(new MediaFormatReader(aDecoder, new MP4Demuxer(aDecoder->GetResource()), aBorrowedTaskQueue)) :
+      static_cast<MediaDecoderReader*>(new MP4Reader(aDecoder, aBorrowedTaskQueue));
     return reader;
   }
 #endif
-  return DecoderTraits::CreateReader(aType, aDecoder);
+
+#ifdef MOZ_WEBM
+  if (DecoderTraits::IsWebMType(aType)) {
+    return new WebMReader(aDecoder, aBorrowedTaskQueue);
+  }
+#endif
+
+  return nullptr;
 }
 
 already_AddRefed<SourceBufferDecoder>
@@ -701,10 +713,17 @@ MediaSourceReader::CreateSubDecoder(const nsACString& aType, int64_t aTimestampO
   if (IsShutdown()) {
     return nullptr;
   }
-  MOZ_ASSERT(GetTaskQueue());
+
+  // The task queue borrowing is icky. It would be nicer to just give each subreader
+  // its own task queue. Unfortunately though, Request{Audio,Video}Data implementations
+  // currently assert that they're on "the decode thread", and so having
+  // separate task queues makes MediaSource stuff unnecessarily cumbersome. We
+  // should remove the need for these assertions (which probably involves making
+  // all Request*Data implementations fully async), and then get rid of the
+  // borrowing.
   nsRefPtr<SourceBufferDecoder> decoder =
     new SourceBufferDecoder(new SourceBufferResource(aType), mDecoder, aTimestampOffset);
-  nsRefPtr<MediaDecoderReader> reader(CreateReaderForType(aType, decoder));
+  nsRefPtr<MediaDecoderReader> reader(CreateReaderForType(aType, decoder, TaskQueue()));
   if (!reader) {
     return nullptr;
   }
@@ -717,15 +736,6 @@ MediaSourceReader::CreateSubDecoder(const nsACString& aType, int64_t aTimestampO
     reader->SetStartTime(0);
   }
 
-  // This part is icky. It would be nicer to just give each subreader its own
-  // task queue. Unfortunately though, Request{Audio,Video}Data implementations
-  // currently assert that they're on "the decode thread", and so having
-  // separate task queues makes MediaSource stuff unnecessarily cumbersome. We
-  // should remove the need for these assertions (which probably involves making
-  // all Request*Data implementations fully async), and then get rid of the
-  // borrowing.
-  reader->SetBorrowedTaskQueue(GetTaskQueue());
-
 #ifdef MOZ_FMP4
   reader->SetSharedDecoderManager(mSharedDecoderManager);
 #endif
@@ -803,7 +813,7 @@ MediaSourceReader::NotifyTimeRangesChanged()
     //post a task to the decode queue to try to complete the pending seek.
     RefPtr<nsIRunnable> task(NS_NewRunnableMethod(
         this, &MediaSourceReader::AttemptSeek));
-    GetTaskQueue()->Dispatch(task.forget());
+    TaskQueue()->Dispatch(task.forget());
   } else {
     MaybeNotifyHaveData();
   }
@@ -919,7 +929,7 @@ MediaSourceReader::DoAudioSeek()
   }
   GetAudioReader()->ResetDecode();
   mAudioSeekRequest.Begin(GetAudioReader()->Seek(GetReaderAudioTime(seekTime), 0)
-                         ->Then(GetTaskQueue(), __func__, this,
+                         ->Then(TaskQueue(), __func__, this,
                                 &MediaSourceReader::OnAudioSeekCompleted,
                                 &MediaSourceReader::OnAudioSeekFailed));
   MSE_DEBUG("reader=%p", GetAudioReader());
@@ -991,7 +1001,7 @@ MediaSourceReader::DoVideoSeek()
   }
   GetVideoReader()->ResetDecode();
   mVideoSeekRequest.Begin(GetVideoReader()->Seek(GetReaderVideoTime(seekTime), 0)
-                          ->Then(GetTaskQueue(), __func__, this,
+                          ->Then(TaskQueue(), __func__, this,
                                  &MediaSourceReader::OnVideoSeekCompleted,
                                  &MediaSourceReader::OnVideoSeekFailed));
   MSE_DEBUG("reader=%p", GetVideoReader());
@@ -1192,7 +1202,7 @@ MediaSourceReader::Ended(bool aEnded)
     // seek or wait
     RefPtr<nsIRunnable> task(NS_NewRunnableMethod(
         this, &MediaSourceReader::NotifyTimeRangesChanged));
-    GetTaskQueue()->Dispatch(task.forget());
+    TaskQueue()->Dispatch(task.forget());
   }
 }
 
diff --git a/dom/media/mediasource/SourceBuffer.cpp b/dom/media/mediasource/SourceBuffer.cpp
index 232d07304ec7..c95d82dcbba3 100644
--- a/dom/media/mediasource/SourceBuffer.cpp
+++ b/dom/media/mediasource/SourceBuffer.cpp
@@ -37,86 +37,70 @@ namespace mozilla {
 
 namespace dom {
 
-class AppendDataRunnable : public nsRunnable {
+class BufferAppendRunnable : public nsRunnable {
 public:
-  AppendDataRunnable(SourceBuffer* aSourceBuffer,
-                     MediaLargeByteBuffer* aData,
-                     TimeUnit aTimestampOffset,
-                     uint32_t aUpdateID)
+  BufferAppendRunnable(SourceBuffer* aSourceBuffer,
+                       uint32_t aUpdateID)
   : mSourceBuffer(aSourceBuffer)
-  , mData(aData)
-  , mTimestampOffset(aTimestampOffset)
   , mUpdateID(aUpdateID)
   {
   }
 
   NS_IMETHOD Run() override final {
 
-    mSourceBuffer->AppendData(mData, mTimestampOffset, mUpdateID);
+    mSourceBuffer->BufferAppend(mUpdateID);
 
     return NS_OK;
   }
 
 private:
   nsRefPtr<SourceBuffer> mSourceBuffer;
-  nsRefPtr<MediaLargeByteBuffer> mData;
-  TimeUnit mTimestampOffset;
   uint32_t mUpdateID;
 };
 
-class RangeRemovalRunnable : public nsRunnable {
-public:
-  RangeRemovalRunnable(SourceBuffer* aSourceBuffer,
-                       double aStart,
-                       double aEnd)
-  : mSourceBuffer(aSourceBuffer)
-  , mStart(aStart)
-  , mEnd(aEnd)
-  { }
-
-  NS_IMETHOD Run() override final {
-
-    if (!mSourceBuffer->mUpdating) {
-      // abort was called in between.
-      return NS_OK;
-    }
-    mSourceBuffer->DoRangeRemoval(mStart, mEnd);
-    mSourceBuffer->StopUpdating();
-
-    return NS_OK;
-  }
-
-private:
-  nsRefPtr<SourceBuffer> mSourceBuffer;
-  double mStart;
-  double mEnd;
-};
-
 void
 SourceBuffer::SetMode(SourceBufferAppendMode aMode, ErrorResult& aRv)
 {
+  typedef mozilla::SourceBufferContentManager::AppendState AppendState;
+
   MOZ_ASSERT(NS_IsMainThread());
   MSE_API("SetMode(aMode=%d)", aMode);
   if (!IsAttached() || mUpdating) {
     aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
     return;
   }
-  if (aMode == SourceBufferAppendMode::Sequence) {
+  if (!mIsUsingFormatReader && aMode == SourceBufferAppendMode::Sequence) {
     aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
     return;
   }
+  if (mIsUsingFormatReader && mGenerateTimestamp &&
+      aMode == SourceBufferAppendMode::Segments) {
+    aRv.Throw(NS_ERROR_DOM_INVALID_ACCESS_ERR);
+    return;
+  }
   MOZ_ASSERT(mMediaSource->ReadyState() != MediaSourceReadyState::Closed);
   if (mMediaSource->ReadyState() == MediaSourceReadyState::Ended) {
     mMediaSource->SetReadyState(MediaSourceReadyState::Open);
   }
-  // TODO: Test append state.
-  // TODO: If aMode is "sequence", set sequence start time.
+  if (mIsUsingFormatReader &&
+      mContentManager->GetAppendState() == AppendState::PARSING_MEDIA_SEGMENT){
+    aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
+    return;
+  }
+
+  if (mIsUsingFormatReader && aMode == SourceBufferAppendMode::Sequence) {
+    // Will set GroupStartTimestamp to GroupEndTimestamp.
+    mContentManager->RestartGroupStartTimestamp();
+  }
+
   mAppendMode = aMode;
 }
 
 void
 SourceBuffer::SetTimestampOffset(double aTimestampOffset, ErrorResult& aRv)
 {
+  typedef mozilla::SourceBufferContentManager::AppendState AppendState;
+
   MOZ_ASSERT(NS_IsMainThread());
   MSE_API("SetTimestampOffset(aTimestampOffset=%f)", aTimestampOffset);
   if (!IsAttached() || mUpdating) {
@@ -127,9 +111,25 @@ SourceBuffer::SetTimestampOffset(double aTimestampOffset, ErrorResult& aRv)
   if (mMediaSource->ReadyState() == MediaSourceReadyState::Ended) {
     mMediaSource->SetReadyState(MediaSourceReadyState::Open);
   }
-  // TODO: Test append state.
-  // TODO: If aMode is "sequence", set sequence start time.
+  if (mIsUsingFormatReader &&
+      mContentManager->GetAppendState() == AppendState::PARSING_MEDIA_SEGMENT){
+    aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
+    return;
+  }
+  mApparentTimestampOffset = aTimestampOffset;
+  mTimestampOffset = TimeUnit::FromSeconds(aTimestampOffset);
+  if (mIsUsingFormatReader && mAppendMode == SourceBufferAppendMode::Sequence) {
+    mContentManager->SetGroupStartTimestamp(mTimestampOffset);
+  }
+}
+
+void
+SourceBuffer::SetTimestampOffset(const TimeUnit& aTimestampOffset)
+{
+  MOZ_ASSERT(NS_IsMainThread());
+
   mTimestampOffset = aTimestampOffset;
+  mApparentTimestampOffset = aTimestampOffset.ToSeconds();
 }
 
 already_AddRefed<TimeRanges>
@@ -221,7 +221,7 @@ SourceBuffer::AbortBufferAppend()
 {
   if (mUpdating) {
     mPendingAppend.DisconnectIfExists();
-    // TODO: Abort segment parser loop, and stream append loop algorithms.
+    // TODO: Abort stream append loop algorithms.
     // cancel any pending buffer append.
     mContentManager->AbortAppendData();
     AbortUpdating();
@@ -251,29 +251,20 @@ SourceBuffer::Remove(double aStart, double aEnd, ErrorResult& aRv)
     mMediaSource->SetReadyState(MediaSourceReadyState::Open);
   }
 
-  StartUpdating();
-  nsCOMPtr<nsIRunnable> task = new RangeRemovalRunnable(this, aStart, aEnd);
-  NS_DispatchToMainThread(task);
+  RangeRemoval(aStart, aEnd);
 }
 
 void
 SourceBuffer::RangeRemoval(double aStart, double aEnd)
 {
   StartUpdating();
-  DoRangeRemoval(aStart, aEnd);
-  nsCOMPtr<nsIRunnable> task =
-    NS_NewRunnableMethod(this, &SourceBuffer::StopUpdating);
-  NS_DispatchToMainThread(task);
-}
 
-void
-SourceBuffer::DoRangeRemoval(double aStart, double aEnd)
-{
-  MSE_DEBUG("DoRangeRemoval(%f, %f)", aStart, aEnd);
-  if (mContentManager && !IsInfinite(aStart)) {
-    mContentManager->RangeRemoval(TimeUnit::FromSeconds(aStart),
-                                  TimeUnit::FromSeconds(aEnd));
-  }
+  nsRefPtr<SourceBuffer> self = this;
+  mContentManager->RangeRemoval(TimeUnit::FromSeconds(aStart),
+                                TimeUnit::FromSeconds(aEnd))
+    ->Then(AbstractThread::MainThread(), __func__,
+           [self] (bool) { self->StopUpdating(); },
+           []() { MOZ_ASSERT(false); });
 }
 
 void
@@ -303,7 +294,7 @@ SourceBuffer::SourceBuffer(MediaSource* aMediaSource, const nsACString& aType)
   , mMediaSource(aMediaSource)
   , mAppendWindowStart(0)
   , mAppendWindowEnd(PositiveInfinity<double>())
-  , mTimestampOffset(0)
+  , mApparentTimestampOffset(0)
   , mAppendMode(SourceBufferAppendMode::Segments)
   , mUpdating(false)
   , mActive(false)
@@ -314,9 +305,26 @@ SourceBuffer::SourceBuffer(MediaSource* aMediaSource, const nsACString& aType)
   MOZ_ASSERT(aMediaSource);
   mEvictionThreshold = Preferences::GetUint("media.mediasource.eviction_threshold",
                                             75 * (1 << 20));
-  mContentManager = SourceBufferContentManager::CreateManager(aMediaSource->GetDecoder(), aType);
+  mContentManager =
+    SourceBufferContentManager::CreateManager(this,
+                                              aMediaSource->GetDecoder(),
+                                              aType);
   MSE_DEBUG("Create mContentManager=%p",
             mContentManager.get());
+  if (aType.LowerCaseEqualsLiteral("audio/mpeg") ||
+      aType.LowerCaseEqualsLiteral("audio/aac")) {
+    mGenerateTimestamp = true;
+  } else {
+    mGenerateTimestamp = false;
+  }
+  mIsUsingFormatReader =
+    Preferences::GetBool("media.mediasource.format-reader", false);
+  ErrorResult dummy;
+  if (mGenerateTimestamp) {
+    SetMode(SourceBufferAppendMode::Sequence, dummy);
+  } else {
+    SetMode(SourceBufferAppendMode::Segments, dummy);
+  }
 }
 
 SourceBuffer::~SourceBuffer()
@@ -413,18 +421,18 @@ SourceBuffer::AppendData(const uint8_t* aData, uint32_t aLength, ErrorResult& aR
   if (!data) {
     return;
   }
+  mContentManager->AppendData(data, mTimestampOffset);
+
   StartUpdating();
 
   MOZ_ASSERT(mAppendMode == SourceBufferAppendMode::Segments,
              "We don't handle timestampOffset for sequence mode yet");
-  nsCOMPtr<nsIRunnable> task =
-    new AppendDataRunnable(this, data, TimeUnit::FromSeconds(mTimestampOffset), mUpdateID);
+  nsCOMPtr<nsIRunnable> task = new BufferAppendRunnable(this, mUpdateID);
   NS_DispatchToMainThread(task);
 }
 
 void
-SourceBuffer::AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset,
-                         uint32_t aUpdateID)
+SourceBuffer::BufferAppend(uint32_t aUpdateID)
 {
   if (!mUpdating || aUpdateID != mUpdateID) {
     // The buffer append algorithm has been interrupted by abort().
@@ -439,12 +447,7 @@ SourceBuffer::AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset,
   MOZ_ASSERT(mMediaSource);
   MOZ_ASSERT(!mPendingAppend.Exists());
 
-  if (!aData->Length()) {
-    StopUpdating();
-    return;
-  }
-
-  mPendingAppend.Begin(mContentManager->AppendData(aData, aTimestampOffset)
+  mPendingAppend.Begin(mContentManager->BufferAppend()
                        ->Then(AbstractThread::MainThread(), __func__, this,
                               &SourceBuffer::AppendDataCompletedWithSuccess,
                               &SourceBuffer::AppendDataErrored));
diff --git a/dom/media/mediasource/SourceBuffer.h b/dom/media/mediasource/SourceBuffer.h
index ce2e43c18cb2..34ad18bc3e16 100644
--- a/dom/media/mediasource/SourceBuffer.h
+++ b/dom/media/mediasource/SourceBuffer.h
@@ -11,6 +11,7 @@
 #include "MediaSource.h"
 #include "js/RootingAPI.h"
 #include "mozilla/Assertions.h"
+#include "mozilla/Atomics.h"
 #include "mozilla/Attributes.h"
 #include "mozilla/DOMEventTargetHelper.h"
 #include "mozilla/dom/SourceBufferBinding.h"
@@ -32,8 +33,8 @@ namespace mozilla {
 
 class ErrorResult;
 class MediaLargeByteBuffer;
-class TrackBuffer;
 template <typename T> class AsyncEventRunner;
+class TrackBuffersManager;
 
 namespace dom {
 
@@ -62,7 +63,7 @@ public:
 
   double TimestampOffset() const
   {
-    return mTimestampOffset;
+    return mApparentTimestampOffset;
   }
 
   void SetTimestampOffset(double aTimestampOffset, ErrorResult& aRv);
@@ -117,8 +118,6 @@ public:
 
   // Runs the range removal algorithm as defined by the MSE spec.
   void RangeRemoval(double aStart, double aEnd);
-  // Actually remove data between aStart and aEnd
-  void DoRangeRemoval(double aStart, double aEnd);
 
   bool IsActive() const
   {
@@ -133,8 +132,8 @@ private:
   ~SourceBuffer();
 
   friend class AsyncEventRunner<SourceBuffer>;
-  friend class AppendDataRunnable;
-  friend class RangeRemovalRunnable;
+  friend class BufferAppendRunnable;
+  friend class mozilla::TrackBuffersManager;
   void DispatchSimpleEvent(const char* aName);
   void QueueAsyncSimpleEvent(const char* aName);
 
@@ -150,8 +149,7 @@ private:
 
   // Shared implementation of AppendBuffer overloads.
   void AppendData(const uint8_t* aData, uint32_t aLength, ErrorResult& aRv);
-  void AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset,
-                  uint32_t aAppendID);
+  void BufferAppend(uint32_t aAppendID);
 
   // Implement the "Append Error Algorithm".
   // Will call endOfStream() with "decode" error if aDecodeError is true.
@@ -168,6 +166,9 @@ private:
   void AppendDataCompletedWithSuccess(bool aHasActiveTracks);
   void AppendDataErrored(nsresult aError);
 
+  // Set timestampOffset, must be called on the main thread.
+  void SetTimestampOffset(const TimeUnit& aTimestampOffset);
+
   nsRefPtr<MediaSource> mMediaSource;
 
   uint32_t mEvictionThreshold;
@@ -177,12 +178,15 @@ private:
   double mAppendWindowStart;
   double mAppendWindowEnd;
 
-  double mTimestampOffset;
+  double mApparentTimestampOffset;
+  TimeUnit mTimestampOffset;
 
   SourceBufferAppendMode mAppendMode;
   bool mUpdating;
+  bool mGenerateTimestamp;
+  bool mIsUsingFormatReader;
 
-  bool mActive;
+  mozilla::Atomic<bool> mActive;
 
   // Each time mUpdating is set to true, mUpdateID will be incremented.
   // This allows for a queued AppendData task to identify if it was earlier
diff --git a/dom/media/mediasource/SourceBufferContentManager.cpp b/dom/media/mediasource/SourceBufferContentManager.cpp
index 169201ad3791..03189be89772 100644
--- a/dom/media/mediasource/SourceBufferContentManager.cpp
+++ b/dom/media/mediasource/SourceBufferContentManager.cpp
@@ -5,15 +5,24 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "SourceBufferContentManager.h"
+#include "TrackBuffer.h"
+#include "TrackBuffersManager.h"
 
 namespace mozilla {
 
 already_AddRefed<SourceBufferContentManager>
-SourceBufferContentManager::CreateManager(MediaSourceDecoder* aParentDecoder,
+SourceBufferContentManager::CreateManager(dom::SourceBuffer* aParent,
+                                          MediaSourceDecoder* aParentDecoder,
                                           const nsACString &aType)
 {
   nsRefPtr<SourceBufferContentManager> manager;
-  manager = new TrackBuffer(aParentDecoder, aType);
+  bool useFormatReader =
+    Preferences::GetBool("media.mediasource.format-reader", false);
+  if (useFormatReader) {
+    manager = new TrackBuffersManager(aParent, aParentDecoder, aType);
+  } else {
+    manager = new TrackBuffer(aParentDecoder, aType);
+  }
   return  manager.forget();
 }
 
diff --git a/dom/media/mediasource/SourceBufferContentManager.h b/dom/media/mediasource/SourceBufferContentManager.h
index df24f295f1ef..918d82aa87a3 100644
--- a/dom/media/mediasource/SourceBufferContentManager.h
+++ b/dom/media/mediasource/SourceBufferContentManager.h
@@ -24,15 +24,21 @@ public:
   NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SourceBufferContentManager);
 
   typedef MediaPromise<bool, nsresult, /* IsExclusive = */ true> AppendPromise;
+  typedef AppendPromise RangeRemovalPromise;
 
   static already_AddRefed<SourceBufferContentManager>
-  CreateManager(MediaSourceDecoder* aParentDecoder, const nsACString& aType);
+  CreateManager(dom::SourceBuffer* aParent, MediaSourceDecoder* aParentDecoder,
+                const nsACString& aType);
 
-  // Append data to the current decoder.  Also responsible for calling
-  // NotifyDataArrived on the decoder to keep buffered range computation up
-  // to date.  Returns false if the append failed.
-  virtual nsRefPtr<AppendPromise>
-  AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset /* microseconds */) = 0;
+  // Add data to the end of the input buffer.
+  // Returns false if the append failed.
+  virtual bool
+  AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset) = 0;
+
+  // Run MSE Buffer Append Algorithm
+  // 3.5.5 Buffer Append Algorithm.
+  // http://w3c.github.io/media-source/index.html#sourcebuffer-buffer-append
+  virtual nsRefPtr<AppendPromise> BufferAppend() = 0;
 
   // Abort any pending AppendData.
   virtual void AbortAppendData() = 0;
@@ -44,7 +50,7 @@ public:
 
   // Runs MSE range removal algorithm.
   // http://w3c.github.io/media-source/#sourcebuffer-coded-frame-removal
-  virtual bool RangeRemoval(TimeUnit aStart, TimeUnit aEnd) = 0;
+  virtual nsRefPtr<RangeRemovalPromise> RangeRemoval(TimeUnit aStart, TimeUnit aEnd) = 0;
 
   enum class EvictDataResult : int8_t
   {
@@ -77,6 +83,23 @@ public:
   // The parent SourceBuffer is about to be destroyed.
   virtual void Detach() = 0;
 
+  // Current state as per Segment Parser Loop Algorithm
+  // http://w3c.github.io/media-source/index.html#sourcebuffer-segment-parser-loop
+  enum class AppendState : int32_t
+  {
+    WAITING_FOR_SEGMENT,
+    PARSING_INIT_SEGMENT,
+    PARSING_MEDIA_SEGMENT,
+  };
+
+  virtual AppendState GetAppendState()
+  {
+    return AppendState::WAITING_FOR_SEGMENT;
+  }
+
+  virtual void SetGroupStartTimestamp(const TimeUnit& aGroupStartTimestamp) {}
+  virtual void RestartGroupStartTimestamp() {}
+
 #if defined(DEBUG)
   virtual void Dump(const char* aPath) { }
 #endif
diff --git a/dom/media/mediasource/TrackBuffer.cpp b/dom/media/mediasource/TrackBuffer.cpp
index ed5d3f9b8c0b..0f2d88add43f 100644
--- a/dom/media/mediasource/TrackBuffer.cpp
+++ b/dom/media/mediasource/TrackBuffer.cpp
@@ -112,7 +112,7 @@ TrackBuffer::Shutdown()
   RefPtr<MediaTaskQueue> queue = mTaskQueue;
   mTaskQueue = nullptr;
   queue->BeginShutdown()
-       ->Then(mParentDecoder->GetReader()->GetTaskQueue(), __func__, this,
+       ->Then(mParentDecoder->GetReader()->TaskQueue(), __func__, this,
               &TrackBuffer::ContinueShutdown, &TrackBuffer::ContinueShutdown);
 
   return p;
@@ -124,7 +124,7 @@ TrackBuffer::ContinueShutdown()
   ReentrantMonitorAutoEnter mon(mParentDecoder->GetReentrantMonitor());
   if (mDecoders.Length()) {
     mDecoders[0]->GetReader()->Shutdown()
-                ->Then(mParentDecoder->GetReader()->GetTaskQueue(), __func__, this,
+                ->Then(mParentDecoder->GetReader()->TaskQueue(), __func__, this,
                        &TrackBuffer::ContinueShutdown, &TrackBuffer::ContinueShutdown);
     mShutdownDecoders.AppendElement(mDecoders[0]);
     mDecoders.RemoveElementAt(0);
@@ -138,18 +138,32 @@ TrackBuffer::ContinueShutdown()
   mShutdownPromise.Resolve(true, __func__);
 }
 
-nsRefPtr<TrackBuffer::AppendPromise>
+bool
 TrackBuffer::AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset)
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  mInputBuffer = aData;
+  mTimestampOffset = aTimestampOffset;
+  return true;
+}
+
+nsRefPtr<TrackBuffer::AppendPromise>
+TrackBuffer::BufferAppend()
 {
   MOZ_ASSERT(NS_IsMainThread());
   MOZ_ASSERT(mInitializationPromise.IsEmpty());
+  MOZ_ASSERT(mInputBuffer);
+
+  if (mInputBuffer->IsEmpty()) {
+    return AppendPromise::CreateAndResolve(false, __func__);
+  }
 
   DecodersToInitialize decoders(this);
   nsRefPtr<AppendPromise> p = mInitializationPromise.Ensure(__func__);
   bool hadInitData = mParser->HasInitData();
   bool hadCompleteInitData = mParser->HasCompleteInitData();
   nsRefPtr<MediaLargeByteBuffer> oldInit = mParser->InitData();
-  bool newInitData = mParser->IsInitSegmentPresent(aData);
+  bool newInitData = mParser->IsInitSegmentPresent(mInputBuffer);
 
   // TODO: Run more of the buffer append algorithm asynchronously.
   if (newInitData) {
@@ -161,14 +175,14 @@ TrackBuffer::AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset)
   }
 
   int64_t start = 0, end = 0;
-  bool gotMedia = mParser->ParseStartAndEndTimestamps(aData, start, end);
+  bool gotMedia = mParser->ParseStartAndEndTimestamps(mInputBuffer, start, end);
   bool gotInit = mParser->HasCompleteInitData();
 
   if (newInitData) {
     if (!gotInit) {
       // We need a new decoder, but we can't initialize it yet.
       nsRefPtr<SourceBufferDecoder> decoder =
-        NewDecoder(aTimestampOffset);
+        NewDecoder(mTimestampOffset);
       // The new decoder is stored in mDecoders/mCurrentDecoder, so we
       // don't need to do anything with 'decoder'. It's only a placeholder.
       if (!decoder) {
@@ -176,7 +190,7 @@ TrackBuffer::AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset)
         return p;
       }
     } else {
-      if (!decoders.NewDecoder(aTimestampOffset)) {
+      if (!decoders.NewDecoder(mTimestampOffset)) {
         mInitializationPromise.Reject(NS_ERROR_FAILURE, __func__);
         return p;
       }
@@ -189,9 +203,9 @@ TrackBuffer::AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset)
   }
 
   if (gotMedia) {
-    if (mParser->IsMediaSegmentPresent(aData) && mLastEndTimestamp &&
+    if (mParser->IsMediaSegmentPresent(mInputBuffer) && mLastEndTimestamp &&
         (!mParser->TimestampsFuzzyEqual(start, mLastEndTimestamp.value()) ||
-         mLastTimestampOffset != aTimestampOffset ||
+         mLastTimestampOffset != mTimestampOffset ||
          mDecoderPerSegment ||
          (mCurrentDecoder && mCurrentDecoder->WasTrimmed()))) {
       MSE_DEBUG("Data last=[%lld, %lld] overlaps [%lld, %lld]",
@@ -202,7 +216,7 @@ TrackBuffer::AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset)
         // processed or not continuous, so we must create a new decoder
         // to handle the decoding.
         if (!hadCompleteInitData ||
-            !decoders.NewDecoder(aTimestampOffset)) {
+            !decoders.NewDecoder(mTimestampOffset)) {
           mInitializationPromise.Reject(NS_ERROR_FAILURE, __func__);
           return p;
         }
@@ -228,7 +242,7 @@ TrackBuffer::AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset)
     mAdjustedTimestamp = starttu;
   }
 
-  if (!AppendDataToCurrentResource(aData, end - start)) {
+  if (!AppendDataToCurrentResource(mInputBuffer, end - start)) {
     mInitializationPromise.Reject(NS_ERROR_FAILURE, __func__);
     return p;
   }
@@ -274,7 +288,7 @@ TrackBuffer::NotifyTimeRangesChanged()
   RefPtr<nsIRunnable> task =
     NS_NewRunnableMethod(mParentDecoder->GetReader(),
                          &MediaSourceReader::NotifyTimeRangesChanged);
-  mParentDecoder->GetReader()->GetTaskQueue()->Dispatch(task.forget());
+  mParentDecoder->GetReader()->TaskQueue()->Dispatch(task.forget());
 }
 
 class DecoderSorter
@@ -566,7 +580,7 @@ TrackBuffer::NewDecoder(TimeUnit aTimestampOffset)
   mLastEndTimestamp.reset();
   mLastTimestampOffset = aTimestampOffset;
 
-  decoder->SetTaskQueue(decoder->GetReader()->GetTaskQueue());
+  decoder->SetTaskQueue(decoder->GetReader()->TaskQueue());
   return decoder.forget();
 }
 
@@ -582,7 +596,7 @@ TrackBuffer::QueueInitializeDecoder(SourceBufferDecoder* aDecoder)
                                                       &TrackBuffer::InitializeDecoder,
                                                       aDecoder);
   // We need to initialize the reader on its own task queue
-  aDecoder->GetReader()->GetTaskQueue()->Dispatch(task.forget());
+  aDecoder->GetReader()->TaskQueue()->Dispatch(task.forget());
   return true;
 }
 
@@ -646,7 +660,7 @@ TrackBuffer::InitializeDecoder(SourceBufferDecoder* aDecoder)
     return;
   }
 
-  MOZ_ASSERT(aDecoder->GetReader()->GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(aDecoder->GetReader()->OnTaskQueue());
 
   MediaDecoderReader* reader = aDecoder->GetReader();
 
@@ -681,7 +695,7 @@ TrackBuffer::InitializeDecoder(SourceBufferDecoder* aDecoder)
     return;
   }
 
-  mMetadataRequest.Begin(promise->Then(reader->GetTaskQueue(), __func__,
+  mMetadataRequest.Begin(promise->Then(reader->TaskQueue(), __func__,
                                        recipient.get(),
                                        &MetadataRecipient::OnMetadataRead,
                                        &MetadataRecipient::OnMetadataNotRead));
@@ -692,7 +706,7 @@ TrackBuffer::OnMetadataRead(MetadataHolder* aMetadata,
                             SourceBufferDecoder* aDecoder,
                             bool aWasEnded)
 {
-  MOZ_ASSERT(aDecoder->GetReader()->GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(aDecoder->GetReader()->OnTaskQueue());
 
   mParentDecoder->GetReentrantMonitor().AssertNotCurrentThreadIn();
   ReentrantMonitorAutoEnter mon(mParentDecoder->GetReentrantMonitor());
@@ -752,7 +766,7 @@ void
 TrackBuffer::OnMetadataNotRead(ReadMetadataFailureReason aReason,
                                SourceBufferDecoder* aDecoder)
 {
-  MOZ_ASSERT(aDecoder->GetReader()->GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(aDecoder->GetReader()->TaskQueue()->IsCurrentThreadIn());
 
   mParentDecoder->GetReentrantMonitor().AssertNotCurrentThreadIn();
   ReentrantMonitorAutoEnter mon(mParentDecoder->GetReentrantMonitor());
@@ -957,6 +971,7 @@ TrackBuffer::ResetParserState()
     mParser = ContainerParser::CreateForMIMEType(mType);
     DiscardCurrentDecoder();
   }
+  mInputBuffer = nullptr;
 }
 
 void
@@ -1073,10 +1088,10 @@ TrackBuffer::RemoveDecoder(SourceBufferDecoder* aDecoder)
     mInitializedDecoders.RemoveElement(aDecoder);
     mDecoders.RemoveElement(aDecoder);
   }
-  aDecoder->GetReader()->GetTaskQueue()->Dispatch(task.forget());
+  aDecoder->GetReader()->TaskQueue()->Dispatch(task.forget());
 }
 
-bool
+nsRefPtr<TrackBuffer::RangeRemovalPromise>
 TrackBuffer::RangeRemoval(TimeUnit aStart, TimeUnit aEnd)
 {
   MOZ_ASSERT(NS_IsMainThread());
@@ -1088,14 +1103,14 @@ TrackBuffer::RangeRemoval(TimeUnit aStart, TimeUnit aEnd)
 
   if (!buffered.Length() || aStart > bufferedEnd || aEnd < bufferedStart) {
     // Nothing to remove.
-    return false;
+    return RangeRemovalPromise::CreateAndResolve(false, __func__);
   }
 
   if (aStart > bufferedStart && aEnd < bufferedEnd) {
     // TODO. We only handle trimming and removal from the start.
     NS_WARNING("RangeRemoval unsupported arguments. "
                "Can only handle trimming (trim left or trim right");
-    return false;
+    return RangeRemovalPromise::CreateAndResolve(false, __func__);
   }
 
   nsTArray<SourceBufferDecoder*> decoders;
@@ -1121,7 +1136,7 @@ TrackBuffer::RangeRemoval(TimeUnit aStart, TimeUnit aEnd)
           decoders[i]->GetResource()->EvictData(offset, offset, rv);
           if (NS_WARN_IF(rv.Failed())) {
             rv.SuppressException();
-            return false;
+            return RangeRemovalPromise::CreateAndResolve(false, __func__);
           }
         }
       }
@@ -1143,7 +1158,7 @@ TrackBuffer::RangeRemoval(TimeUnit aStart, TimeUnit aEnd)
   RemoveEmptyDecoders(decoders);
 
   NotifyTimeRangesChanged();
-  return true;
+  return RangeRemovalPromise::CreateAndResolve(true, __func__);
 }
 
 void
diff --git a/dom/media/mediasource/TrackBuffer.h b/dom/media/mediasource/TrackBuffer.h
index adb3f2f31b8e..541d7dd230b8 100644
--- a/dom/media/mediasource/TrackBuffer.h
+++ b/dom/media/mediasource/TrackBuffer.h
@@ -30,11 +30,12 @@ public:
 
   nsRefPtr<ShutdownPromise> Shutdown();
 
+  bool AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset) override;
+
   // Append data to the current decoder.  Also responsible for calling
   // NotifyDataArrived on the decoder to keep buffered range computation up
-  // to date.  Returns false if the append failed.
-  nsRefPtr<AppendPromise> AppendData(MediaLargeByteBuffer* aData,
-                                     TimeUnit aTimestampOffset /* microseconds */) override;
+  // to date.
+  nsRefPtr<AppendPromise> BufferAppend() override;
 
   // Evicts data held in the current decoders SourceBufferResource from the
   // start of the buffer through to aPlaybackTime. aThreshold is used to
@@ -47,7 +48,7 @@ public:
   // of the buffer through to aTime.
   void EvictBefore(TimeUnit aTime) override;
 
-  bool RangeRemoval(TimeUnit aStart, TimeUnit aEnd) override;
+  nsRefPtr<RangeRemovalPromise> RangeRemoval(TimeUnit aStart, TimeUnit aEnd) override;
 
   void AbortAppendData() override;
 
@@ -162,6 +163,7 @@ private:
                          SourceBufferDecoder* aDecoder);
 
   nsAutoPtr<ContainerParser> mParser;
+  nsRefPtr<MediaLargeByteBuffer> mInputBuffer;
 
   // A task queue using the shared media thread pool.  Used exclusively to
   // initialize (i.e. call ReadMetadata on) decoders as they are created via
@@ -196,6 +198,7 @@ private:
 
   // The timestamp offset used by our current decoder.
   TimeUnit mLastTimestampOffset;
+  TimeUnit mTimestampOffset;
   TimeUnit mAdjustedTimestamp;
 
   // True if at least one of our decoders has encrypted content.
diff --git a/dom/media/mediasource/TrackBuffersManager.cpp b/dom/media/mediasource/TrackBuffersManager.cpp
new file mode 100644
index 000000000000..70ebbf4f6f69
--- /dev/null
+++ b/dom/media/mediasource/TrackBuffersManager.cpp
@@ -0,0 +1,1480 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "TrackBuffersManager.h"
+#include "SourceBufferResource.h"
+#include "SourceBuffer.h"
+
+#ifdef MOZ_FMP4
+#include "MP4Demuxer.h"
+#endif
+
+#include <limits>
+
+extern PRLogModuleInfo* GetMediaSourceLog();
+
+#define MSE_DEBUG(arg, ...) MOZ_LOG(GetMediaSourceLog(), mozilla::LogLevel::Debug, ("TrackBuffersManager(%p:%s)::%s: " arg, this, mType.get(), __func__, ##__VA_ARGS__))
+#define MSE_DEBUGV(arg, ...) MOZ_LOG(GetMediaSourceLog(), mozilla::LogLevel::Verbose, ("TrackBuffersManager(%p:%s)::%s: " arg, this, mType.get(), __func__, ##__VA_ARGS__))
+
+namespace mozilla {
+
+static const char*
+AppendStateToStr(TrackBuffersManager::AppendState aState)
+{
+  switch (aState) {
+    case TrackBuffersManager::AppendState::WAITING_FOR_SEGMENT:
+      return "WAITING_FOR_SEGMENT";
+    case TrackBuffersManager::AppendState::PARSING_INIT_SEGMENT:
+      return "PARSING_INIT_SEGMENT";
+    case TrackBuffersManager::AppendState::PARSING_MEDIA_SEGMENT:
+      return "PARSING_MEDIA_SEGMENT";
+    default:
+      return "IMPOSSIBLE";
+  }
+}
+
+TrackBuffersManager::TrackBuffersManager(dom::SourceBuffer* aParent, MediaSourceDecoder* aParentDecoder, const nsACString& aType)
+  : mInputBuffer(new MediaLargeByteBuffer)
+  , mAppendState(AppendState::WAITING_FOR_SEGMENT)
+  , mBufferFull(false)
+  , mFirstInitializationSegmentReceived(false)
+  , mActiveTrack(false)
+  , mType(aType)
+  , mParser(ContainerParser::CreateForMIMEType(aType))
+  , mProcessedInput(0)
+  , mAppendRunning(false)
+  , mTaskQueue(new MediaTaskQueue(GetMediaThreadPool(MediaThreadType::PLAYBACK),
+                                  /* aSupportsTailDispatch = */ true))
+  , mParent(new nsMainThreadPtrHolder<dom::SourceBuffer>(aParent, false /* strict */))
+  , mParentDecoder(new nsMainThreadPtrHolder<MediaSourceDecoder>(aParentDecoder, false /* strict */))
+  , mMediaSourceDuration(mTaskQueue, Maybe<double>(), "TrackBuffersManager::mMediaSourceDuration (Mirror)")
+  , mAbort(false)
+  , mMonitor("TrackBuffersManager")
+{
+  MOZ_ASSERT(NS_IsMainThread(), "Must be instanciated on the main thread");
+  nsRefPtr<TrackBuffersManager> self = this;
+  nsCOMPtr<nsIRunnable> task =
+    NS_NewRunnableFunction([self] () {
+      self->mMediaSourceDuration.Connect(self->mParentDecoder->CanonicalExplicitDuration());
+    });
+  GetTaskQueue()->Dispatch(task.forget());
+}
+
+bool
+TrackBuffersManager::AppendData(MediaLargeByteBuffer* aData,
+                                TimeUnit aTimestampOffset)
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MSE_DEBUG("Appending %lld bytes", aData->Length());
+
+  mEnded = false;
+  nsCOMPtr<nsIRunnable> task =
+    NS_NewRunnableMethodWithArg<IncomingBuffer>(
+      this, &TrackBuffersManager::AppendIncomingBuffer,
+      IncomingBuffer(aData, aTimestampOffset));
+  GetTaskQueue()->Dispatch(task.forget());
+  return true;
+}
+
+void
+TrackBuffersManager::AppendIncomingBuffer(IncomingBuffer aData)
+{
+  MOZ_ASSERT(OnTaskQueue());
+  mIncomingBuffers.AppendElement(aData);
+  mAbort = false;
+}
+
+nsRefPtr<TrackBuffersManager::AppendPromise>
+TrackBuffersManager::BufferAppend()
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MSE_DEBUG("");
+
+  return ProxyMediaCall(GetTaskQueue(), this,
+                        __func__, &TrackBuffersManager::InitSegmentParserLoop);
+}
+
+// Abort any pending AppendData.
+// We don't really care about really aborting our inner loop as by spec the
+// process is happening asynchronously, as such where and when we would abort is
+// non-deterministic. The SourceBuffer also makes sure BufferAppend
+// isn't called should the appendBuffer be immediately aborted.
+// We do however want to ensure that no new task will be dispatched on our task
+// queue and only let the current one finish its job. For this we set mAbort
+// to true.
+void
+TrackBuffersManager::AbortAppendData()
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MSE_DEBUG("");
+
+  mAbort = true;
+}
+
+void
+TrackBuffersManager::ResetParserState()
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MOZ_ASSERT(!mAppendRunning, "AbortAppendData must have been called");
+  MSE_DEBUG("");
+
+  // 1. If the append state equals PARSING_MEDIA_SEGMENT and the input buffer contains some complete coded frames, then run the coded frame processing algorithm until all of these complete coded frames have been processed.
+  if (mAppendState == AppendState::PARSING_MEDIA_SEGMENT) {
+    nsCOMPtr<nsIRunnable> task =
+      NS_NewRunnableMethod(this, &TrackBuffersManager::FinishCodedFrameProcessing);
+    GetTaskQueue()->Dispatch(task.forget());
+  } else {
+    nsCOMPtr<nsIRunnable> task =
+      NS_NewRunnableMethod(this, &TrackBuffersManager::CompleteResetParserState);
+    GetTaskQueue()->Dispatch(task.forget());
+  }
+
+  // Our ResetParserState is really asynchronous, the current task has been
+  // interrupted and will complete shortly (or has already completed).
+  // We must however present to the main thread a stable, reset state.
+  // So we run the following operation now in the main thread.
+  // 7. Set append state to WAITING_FOR_SEGMENT.
+  SetAppendState(AppendState::WAITING_FOR_SEGMENT);
+}
+
+nsRefPtr<TrackBuffersManager::RangeRemovalPromise>
+TrackBuffersManager::RangeRemoval(TimeUnit aStart, TimeUnit aEnd)
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MSE_DEBUG("From %.2f to %.2f", aStart.ToSeconds(), aEnd.ToSeconds());
+
+  mEnded = false;
+
+  return ProxyMediaCall(GetTaskQueue(), this, __func__,
+                        &TrackBuffersManager::CodedFrameRemovalWithPromise,
+                        TimeInterval(aStart, aEnd));
+}
+
+TrackBuffersManager::EvictDataResult
+TrackBuffersManager::EvictData(TimeUnit aPlaybackTime,
+                               uint32_t aThreshold,
+                               TimeUnit* aBufferStartTime)
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MSE_DEBUG("");
+
+  int64_t toEvict = GetSize() - aThreshold;
+  if (toEvict <= 0) {
+    return EvictDataResult::NO_DATA_EVICTED;
+  }
+  MSE_DEBUG("Reaching our size limit, schedule eviction of %lld bytes", toEvict);
+
+  nsCOMPtr<nsIRunnable> task =
+    NS_NewRunnableMethodWithArgs<TimeUnit, uint32_t>(
+      this, &TrackBuffersManager::DoEvictData,
+      aPlaybackTime, toEvict);
+  GetTaskQueue()->Dispatch(task.forget());
+
+  return EvictDataResult::NO_DATA_EVICTED;
+}
+
+void
+TrackBuffersManager::EvictBefore(TimeUnit aTime)
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MSE_DEBUG("");
+
+  nsCOMPtr<nsIRunnable> task =
+    NS_NewRunnableMethodWithArg<TimeInterval>(
+      this, &TrackBuffersManager::CodedFrameRemoval,
+      TimeInterval(TimeUnit::FromSeconds(0), aTime));
+  GetTaskQueue()->Dispatch(task.forget());
+}
+
+media::TimeIntervals
+TrackBuffersManager::Buffered()
+{
+  MSE_DEBUG("");
+  MonitorAutoLock mon(mMonitor);
+  // http://w3c.github.io/media-source/index.html#widl-SourceBuffer-buffered
+  // 2. Let highest end time be the largest track buffer ranges end time across all the track buffers managed by this SourceBuffer object.
+  TimeUnit highestEndTime;
+
+  nsTArray<TimeIntervals*> tracks;
+  if (HasVideo()) {
+    tracks.AppendElement(&mVideoBufferedRanges);
+  }
+  if (HasAudio()) {
+    tracks.AppendElement(&mAudioBufferedRanges);
+  }
+  for (auto trackRanges : tracks) {
+    highestEndTime = std::max(trackRanges->GetEnd(), highestEndTime);
+  }
+
+  // 3. Let intersection ranges equal a TimeRange object containing a single range from 0 to highest end time.
+  TimeIntervals intersection{TimeInterval(TimeUnit::FromSeconds(0), highestEndTime)};
+
+  // 4. For each track buffer managed by this SourceBuffer, run the following steps:
+  //   1. Let track ranges equal the track buffer ranges for the current track buffer.
+  for (auto trackRanges : tracks) {
+    // 2. If readyState is "ended", then set the end time on the last range in track ranges to highest end time.
+    if (mEnded) {
+      trackRanges->Add(TimeInterval(trackRanges->GetEnd(), highestEndTime));
+    }
+    // 3. Let new intersection ranges equal the intersection between the intersection ranges and the track ranges.
+    intersection.Intersection(*trackRanges);
+  }
+  return intersection;
+}
+
+int64_t
+TrackBuffersManager::GetSize()
+{
+  return mSizeSourceBuffer;
+}
+
+void
+TrackBuffersManager::Ended()
+{
+  mEnded = true;
+}
+
+void
+TrackBuffersManager::Detach()
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MSE_DEBUG("");
+
+  nsRefPtr<TrackBuffersManager> self = this;
+  nsCOMPtr<nsIRunnable> task =
+    NS_NewRunnableFunction([self] () {
+      // Clear our sourcebuffer
+      self->CodedFrameRemoval(TimeInterval(TimeUnit::FromSeconds(0),
+                                           TimeUnit::FromInfinity()));
+      self->mMediaSourceDuration.DisconnectIfConnected();
+    });
+  GetTaskQueue()->Dispatch(task.forget());
+}
+
+#if defined(DEBUG)
+void
+TrackBuffersManager::Dump(const char* aPath)
+{
+
+}
+#endif
+
+void
+TrackBuffersManager::FinishCodedFrameProcessing()
+{
+  MOZ_ASSERT(OnTaskQueue());
+
+  if (mProcessingRequest.Exists()) {
+    NS_WARNING("Processing request pending");
+    mProcessingRequest.Disconnect();
+  }
+  // The spec requires us to complete parsing synchronously any outstanding
+  // frames in the current media segment. This can't be implemented in a way
+  // that makes sense.
+  // As such we simply completely ignore the result of any pending input buffer.
+  // TODO: Link to W3C bug.
+
+  CompleteResetParserState();
+}
+
+void
+TrackBuffersManager::CompleteResetParserState()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MOZ_ASSERT(!mAppendRunning);
+  MSE_DEBUG("");
+
+  for (auto track : GetTracksList()) {
+    // 2. Unset the last decode timestamp on all track buffers.
+    track->mLastDecodeTimestamp.reset();
+    // 3. Unset the last frame duration on all track buffers.
+    track->mLastFrameDuration.reset();
+    // 4. Unset the highest end timestamp on all track buffers.
+    track->mHighestEndTimestamp.reset();
+    // 5. Set the need random access point flag on all track buffers to true.
+    track->mNeedRandomAccessPoint = true;
+
+    // if we have been aborted, we may have pending frames that we are going
+    // to discard now.
+    track->mQueuedSamples.Clear();
+    track->mLongestFrameDuration.reset();
+  }
+  // 6. Remove all bytes from the input buffer.
+  mIncomingBuffers.Clear();
+  mInputBuffer = nullptr;
+  if (mCurrentInputBuffer) {
+    mCurrentInputBuffer->EvictAll();
+    mCurrentInputBuffer = new SourceBufferResource(mType);
+  }
+
+  // We could be left with a demuxer in an unusable state. It needs to be
+  // recreated. We store in the InputBuffer an init segment which will be parsed
+  // during the next Segment Parser Loop and a new demuxer will be created and
+  // initialized.
+  if (mFirstInitializationSegmentReceived) {
+    nsRefPtr<MediaLargeByteBuffer> initData = mParser->InitData();
+    MOZ_ASSERT(initData->Length(), "we must have an init segment");
+    // The aim here is really to destroy our current demuxer.
+    CreateDemuxerforMIMEType();
+    // Recreate our input buffer. We can't directly assign the initData buffer
+    // to mInputBuffer as it will get modified in the Segment Parser Loop.
+    mInputBuffer = new MediaLargeByteBuffer;
+    MOZ_ALWAYS_TRUE(mInputBuffer->AppendElements(*initData, fallible));
+  }
+  RecreateParser();
+
+  // 7. Set append state to WAITING_FOR_SEGMENT.
+  SetAppendState(AppendState::WAITING_FOR_SEGMENT);
+}
+
+void
+TrackBuffersManager::DoEvictData(const TimeUnit& aPlaybackTime,
+                                 uint32_t aSizeToEvict)
+{
+  MOZ_ASSERT(OnTaskQueue());
+
+  // Remove any data we've already played, up to 5s behind.
+  TimeUnit lowerLimit = aPlaybackTime - TimeUnit::FromSeconds(5);
+  TimeUnit to;
+  // Video is what takes the most space, only evict there if we have video.
+  const auto& track = HasVideo() ? mVideoTracks : mAudioTracks;
+  const auto& buffer = track.mBuffers.LastElement();
+  uint32_t lastKeyFrameIndex = 0;
+  int64_t toEvict = aSizeToEvict;
+  uint32_t partialEvict = 0;
+  for (uint32_t i = 0; i < buffer.Length(); i++) {
+    const auto& frame = buffer[i];
+    if (frame->mKeyframe) {
+      lastKeyFrameIndex = i;
+      toEvict -= partialEvict;
+      if (toEvict < 0) {
+        break;
+      }
+      partialEvict = 0;
+    }
+    if (frame->mTime >= lowerLimit.ToMicroseconds()) {
+      break;
+    }
+    partialEvict += sizeof(*frame) + frame->mSize;
+  }
+  if (lastKeyFrameIndex > 0) {
+    CodedFrameRemoval(
+      TimeInterval(TimeUnit::FromMicroseconds(0),
+                   TimeUnit::FromMicroseconds(buffer[lastKeyFrameIndex-1]->mTime)));
+  }
+  if (toEvict <= 0) {
+    return;
+  }
+
+  // Still some to remove. Remove data starting from the end, up to 5s ahead
+  // of our playtime.
+  TimeUnit upperLimit = aPlaybackTime + TimeUnit::FromSeconds(5);
+  for (int32_t i = buffer.Length() - 1; i >= 0; i--) {
+    const auto& frame = buffer[i];
+    if (frame->mKeyframe) {
+      lastKeyFrameIndex = i;
+      toEvict -= partialEvict;
+      if (toEvict < 0) {
+        break;
+      }
+      partialEvict = 0;
+    }
+    if (frame->mTime <= upperLimit.ToMicroseconds()) {
+      break;
+    }
+    partialEvict += sizeof(*frame) + frame->mSize;
+  }
+  if (lastKeyFrameIndex < buffer.Length()) {
+    CodedFrameRemoval(
+      TimeInterval(TimeUnit::FromMicroseconds(buffer[lastKeyFrameIndex+1]->mTime),
+                   TimeUnit::FromInfinity()));
+  }
+}
+
+nsRefPtr<TrackBuffersManager::RangeRemovalPromise>
+TrackBuffersManager::CodedFrameRemovalWithPromise(TimeInterval aInterval)
+{
+  MOZ_ASSERT(OnTaskQueue());
+  bool rv = CodedFrameRemoval(aInterval);
+  return RangeRemovalPromise::CreateAndResolve(rv, __func__);
+}
+
+bool
+TrackBuffersManager::CodedFrameRemoval(TimeInterval aInterval)
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MOZ_ASSERT(!mAppendRunning, "Logic error: Append in progress");
+  MSE_DEBUG("From %.2fs to %.2f",
+            aInterval.mStart.ToSeconds(), aInterval.mEnd.ToSeconds());
+
+  if (mMediaSourceDuration.Ref().isNothing() ||
+      IsNaN(mMediaSourceDuration.Ref().ref())) {
+    MSE_DEBUG("Nothing to remove, aborting");
+    return false;
+  }
+  TimeUnit duration{TimeUnit::FromSeconds(mMediaSourceDuration.Ref().ref())};
+
+  MSE_DEBUG("duration:%.2f", duration.ToSeconds());
+  if (HasAudio()) {
+    MSE_DEBUG("before video ranges=%s",
+              DumpTimeRanges(mVideoTracks.mBufferedRanges).get());
+  }
+  if (HasVideo()) {
+    MSE_DEBUG("before audio ranges=%s",
+              DumpTimeRanges(mAudioTracks.mBufferedRanges).get());
+  }
+
+  // 1. Let start be the starting presentation timestamp for the removal range.
+  TimeUnit start = aInterval.mStart;
+  // 2. Let end be the end presentation timestamp for the removal range.
+  TimeUnit end = aInterval.mEnd;
+
+  bool dataRemoved = false;
+
+  // 3. For each track buffer in this source buffer, run the following steps:
+  for (auto track : GetTracksList()) {
+    MSE_DEBUGV("Processing %s track", track->mInfo->mMimeType.get());
+    // 1. Let remove end timestamp be the current value of duration
+    // See bug: https://www.w3.org/Bugs/Public/show_bug.cgi?id=28727
+    TimeUnit removeEndTimestamp = std::max(duration, track->mBufferedRanges.GetEnd());
+
+    // 2. If this track buffer has a random access point timestamp that is greater than or equal to end,
+    // then update remove end timestamp to that random access point timestamp.
+    if (end < track->mBufferedRanges.GetEnd()) {
+      for (auto& frame : track->mBuffers.LastElement()) {
+        if (frame->mKeyframe && frame->mTime >= end.ToMicroseconds()) {
+          removeEndTimestamp = TimeUnit::FromMicroseconds(frame->mTime);
+          break;
+        }
+      }
+    }
+    // 3. Remove all media data, from this track buffer, that contain starting
+    // timestamps greater than or equal to start and less than the remove end timestamp.
+    TimeInterval removedInterval;
+    int32_t firstRemovedIndex = -1;
+    TrackBuffer& data = track->mBuffers.LastElement();
+    for (uint32_t i = 0; i < data.Length(); i++) {
+      const auto& frame = data[i];
+      if (frame->mTime >= start.ToMicroseconds() &&
+          frame->mTime < removeEndTimestamp.ToMicroseconds()) {
+        if (firstRemovedIndex < 0) {
+          removedInterval =
+            TimeInterval(TimeUnit::FromMicroseconds(frame->mTime),
+                         TimeUnit::FromMicroseconds(frame->mTime + frame->mDuration));
+          firstRemovedIndex = i;
+        } else {
+          removedInterval = removedInterval.Span(
+            TimeInterval(TimeUnit::FromMicroseconds(frame->mTime),
+                         TimeUnit::FromMicroseconds(frame->mTime + frame->mDuration)));
+        }
+        track->mSizeBuffer -= sizeof(*frame) + frame->mSize;
+        data.RemoveElementAt(i);
+      }
+    }
+    // 4. Remove decoding dependencies of the coded frames removed in the previous step:
+    // Remove all coded frames between the coded frames removed in the previous step and the next random access point after those removed frames.
+    if (firstRemovedIndex >= 0) {
+      for (uint32_t i = firstRemovedIndex; i < data.Length(); i++) {
+        const auto& frame = data[i];
+        if (frame->mKeyframe) {
+          break;
+        }
+        removedInterval = removedInterval.Span(
+          TimeInterval(TimeUnit::FromMicroseconds(frame->mTime),
+                       TimeUnit::FromMicroseconds(frame->mTime + frame->mDuration)));
+        track->mSizeBuffer -= sizeof(*frame) + frame->mSize;
+        data.RemoveElementAt(i);
+      }
+      dataRemoved = true;
+    }
+    track->mBufferedRanges -= removedInterval;
+
+    // 5. If this object is in activeSourceBuffers, the current playback position
+    // is greater than or equal to start and less than the remove end timestamp,
+    // and HTMLMediaElement.readyState is greater than HAVE_METADATA, then set the
+    // HTMLMediaElement.readyState attribute to HAVE_METADATA and stall playback.
+    // This will be done by the MDSM during playback.
+    // TODO properly, so it works even if paused.
+  }
+  // 4. If buffer full flag equals true and this object is ready to accept more bytes, then set the buffer full flag to false.
+  // TODO.
+  mBufferFull = false;
+  {
+    MonitorAutoLock mon(mMonitor);
+    mVideoBufferedRanges = mVideoTracks.mBufferedRanges;
+    mAudioBufferedRanges = mAudioTracks.mBufferedRanges;
+  }
+
+  if (HasAudio()) {
+    MSE_DEBUG("after video ranges=%s",
+              DumpTimeRanges(mVideoTracks.mBufferedRanges).get());
+  }
+  if (HasVideo()) {
+    MSE_DEBUG("after audio ranges=%s",
+              DumpTimeRanges(mAudioTracks.mBufferedRanges).get());
+  }
+
+  // Update our reported total size.
+  mSizeSourceBuffer = mVideoTracks.mSizeBuffer + mAudioTracks.mSizeBuffer;
+
+  return dataRemoved;
+}
+
+nsRefPtr<TrackBuffersManager::AppendPromise>
+TrackBuffersManager::InitSegmentParserLoop()
+{
+  MOZ_ASSERT(OnTaskQueue());
+
+  MOZ_ASSERT(mAppendPromise.IsEmpty() && !mAppendRunning);
+  nsRefPtr<AppendPromise> p = mAppendPromise.Ensure(__func__);
+
+  AppendIncomingBuffers();
+  SegmentParserLoop();
+
+  return p;
+}
+
+void
+TrackBuffersManager::AppendIncomingBuffers()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MonitorAutoLock mon(mMonitor);
+  for (auto& incomingBuffer : mIncomingBuffers) {
+    if (!mInputBuffer) {
+      mInputBuffer = incomingBuffer.first();
+    } else if (!mInputBuffer->AppendElements(*incomingBuffer.first(), fallible)) {
+      RejectAppend(NS_ERROR_OUT_OF_MEMORY, __func__);
+    }
+    mTimestampOffset = incomingBuffer.second();
+    mLastTimestampOffset = mTimestampOffset;
+  }
+  mIncomingBuffers.Clear();
+}
+
+void
+TrackBuffersManager::SegmentParserLoop()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  while (true) {
+    // 1. If the input buffer is empty, then jump to the need more data step below.
+    if (!mInputBuffer || mInputBuffer->IsEmpty()) {
+      NeedMoreData();
+      return;
+    }
+    // 2. If the input buffer contains bytes that violate the SourceBuffer
+    // byte stream format specification, then run the append error algorithm with
+    // the decode error parameter set to true and abort this algorithm.
+    // TODO
+
+    // 3. Remove any bytes that the byte stream format specifications say must be
+    // ignored from the start of the input buffer.
+    // TODO
+
+    // 4. If the append state equals WAITING_FOR_SEGMENT, then run the following
+    // steps:
+    if (mAppendState == AppendState::WAITING_FOR_SEGMENT) {
+      if (mParser->IsInitSegmentPresent(mInputBuffer)) {
+        SetAppendState(AppendState::PARSING_INIT_SEGMENT);
+        continue;
+      }
+      if (mParser->IsMediaSegmentPresent(mInputBuffer)) {
+        SetAppendState(AppendState::PARSING_MEDIA_SEGMENT);
+        continue;
+      }
+      // We have neither an init segment nor a media segment, this is invalid
+      // data.
+      MSE_DEBUG("Found invalid data");
+      RejectAppend(NS_ERROR_FAILURE, __func__);
+      return;
+    }
+
+    int64_t start, end;
+    mParser->ParseStartAndEndTimestamps(mInputBuffer, start, end);
+    mProcessedInput += mInputBuffer->Length();
+
+    // 5. If the append state equals PARSING_INIT_SEGMENT, then run the
+    // following steps:
+    if (mAppendState == AppendState::PARSING_INIT_SEGMENT) {
+      if (mParser->InitSegmentRange().IsNull()) {
+        NeedMoreData();
+        return;
+      }
+      InitializationSegmentReceived();
+      return;
+    }
+    if (mAppendState == AppendState::PARSING_MEDIA_SEGMENT) {
+      // 1. If the first initialization segment received flag is false, then run the append error algorithm with the decode error parameter set to true and abort this algorithm.
+      if (!mFirstInitializationSegmentReceived) {
+        RejectAppend(NS_ERROR_FAILURE, __func__);
+        return;
+      }
+      // 2. If the input buffer does not contain a complete media segment header yet, then jump to the need more data step below.
+      if (mParser->MediaHeaderRange().IsNull()) {
+        NeedMoreData();
+        return;
+      }
+      // 3. If the input buffer contains one or more complete coded frames, then run the coded frame processing algorithm.
+      nsRefPtr<TrackBuffersManager> self = this;
+      mProcessingRequest.Begin(CodedFrameProcessing()
+          ->Then(GetTaskQueue(), __func__,
+                 [self] (bool aNeedMoreData) {
+                   self->mProcessingRequest.Complete();
+                   if (aNeedMoreData || self->mAbort) {
+                     self->NeedMoreData();
+                   } else {
+                     self->ScheduleSegmentParserLoop();
+                   }
+                 },
+                 [self] (nsresult aRejectValue) {
+                   self->mProcessingRequest.Complete();
+                   self->RejectAppend(aRejectValue, __func__);
+                 }));
+      return;
+    }
+  }
+}
+
+void
+TrackBuffersManager::NeedMoreData()
+{
+  MSE_DEBUG("");
+  if (!mAbort) {
+    RestoreCachedVariables();
+  }
+  mAppendRunning = false;
+  mAppendPromise.ResolveIfExists(mActiveTrack, __func__);
+}
+
+void
+TrackBuffersManager::RejectAppend(nsresult aRejectValue, const char* aName)
+{
+  MSE_DEBUG("rv=%d", aRejectValue);
+  mAppendRunning = false;
+  mAppendPromise.RejectIfExists(aRejectValue, aName);
+}
+
+void
+TrackBuffersManager::ScheduleSegmentParserLoop()
+{
+  nsCOMPtr<nsIRunnable> task =
+    NS_NewRunnableMethod(this, &TrackBuffersManager::SegmentParserLoop);
+  GetTaskQueue()->Dispatch(task.forget());
+}
+
+void
+TrackBuffersManager::CreateDemuxerforMIMEType()
+{
+  if (mVideoTracks.mDemuxer) {
+    mVideoTracks.mDemuxer->BreakCycles();
+    mVideoTracks.mDemuxer = nullptr;
+  }
+  if (mAudioTracks.mDemuxer) {
+    mAudioTracks.mDemuxer->BreakCycles();
+    mAudioTracks.mDemuxer = nullptr;
+  }
+  mInputDemuxer = nullptr;
+  if (mType.LowerCaseEqualsLiteral("video/webm") || mType.LowerCaseEqualsLiteral("audio/webm")) {
+    MOZ_ASSERT(false, "Waiting on WebMDemuxer");
+  // mInputDemuxer = new WebMDemuxer(mCurrentInputBuffer);
+  }
+
+#ifdef MOZ_FMP4
+  if (mType.LowerCaseEqualsLiteral("video/mp4") || mType.LowerCaseEqualsLiteral("audio/mp4")) {
+    mInputDemuxer = new MP4Demuxer(mCurrentInputBuffer);
+    return;
+  }
+#endif
+  MOZ_ASSERT(false, "Not supported (yet)");
+}
+
+void
+TrackBuffersManager::InitializationSegmentReceived()
+{
+  MOZ_ASSERT(mParser->HasCompleteInitData());
+  mCurrentInputBuffer = new SourceBufferResource(mType);
+  mCurrentInputBuffer->AppendData(mParser->InitData());
+  uint32_t initLength = mParser->InitSegmentRange().mEnd;
+  if (mInputBuffer->Length() == initLength) {
+    mInputBuffer = nullptr;
+  } else {
+    mInputBuffer->RemoveElementsAt(0, initLength);
+  }
+  CreateDemuxerforMIMEType();
+  if (!mInputDemuxer) {
+    MOZ_ASSERT(false, "TODO type not supported");
+    return;
+  }
+  mDemuxerInitRequest.Begin(mInputDemuxer->Init()
+                      ->Then(GetTaskQueue(), __func__,
+                             this,
+                             &TrackBuffersManager::OnDemuxerInitDone,
+                             &TrackBuffersManager::OnDemuxerInitFailed));
+}
+
+void
+TrackBuffersManager::OnDemuxerInitDone(nsresult)
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MSE_DEBUG("mAbort:%d", static_cast<bool>(mAbort));
+  mDemuxerInitRequest.Complete();
+
+  if (mAbort) {
+    RejectAppend(NS_ERROR_ABORT, __func__);
+    return;
+  }
+
+  MediaInfo info;
+
+  uint32_t numVideos = mInputDemuxer->GetNumberTracks(TrackInfo::kVideoTrack);
+  if (numVideos) {
+    // We currently only handle the first video track.
+    mVideoTracks.mDemuxer = mInputDemuxer->GetTrackDemuxer(TrackInfo::kVideoTrack, 0);
+    MOZ_ASSERT(mVideoTracks.mDemuxer);
+    info.mVideo = *mVideoTracks.mDemuxer->GetInfo()->GetAsVideoInfo();
+  }
+
+  uint32_t numAudios = mInputDemuxer->GetNumberTracks(TrackInfo::kAudioTrack);
+  if (numAudios) {
+    // We currently only handle the first audio track.
+    mAudioTracks.mDemuxer = mInputDemuxer->GetTrackDemuxer(TrackInfo::kAudioTrack, 0);
+    MOZ_ASSERT(mAudioTracks.mDemuxer);
+    info.mAudio = *mAudioTracks.mDemuxer->GetInfo()->GetAsAudioInfo();
+  }
+
+  int64_t videoDuration = numVideos ? info.mVideo.mDuration : 0;
+  int64_t audioDuration = numAudios ? info.mAudio.mDuration : 0;
+
+  int64_t duration = std::max(videoDuration, audioDuration);
+  // 1. Update the duration attribute if it currently equals NaN.
+  // Those steps are performed by the MediaSourceDecoder::SetInitialDuration
+  nsCOMPtr<nsIRunnable> task =
+    NS_NewRunnableMethodWithArg<int64_t>(mParentDecoder,
+                                         &MediaSourceDecoder::SetInitialDuration,
+                                         duration ? duration : -1);
+  AbstractThread::MainThread()->Dispatch(task.forget());
+
+  // 2. If the initialization segment has no audio, video, or text tracks, then
+  // run the append error algorithm with the decode error parameter set to true
+  // and abort these steps.
+  if (!numVideos && !numAudios) {
+    RejectAppend(NS_ERROR_FAILURE, __func__);
+    return;
+  }
+
+  // 3. If the first initialization segment received flag is true, then run the following steps:
+  if (mFirstInitializationSegmentReceived) {
+    if (numVideos != mVideoTracks.mNumTracks ||
+        numAudios != mAudioTracks.mNumTracks ||
+        (numVideos && info.mVideo.mMimeType != mVideoTracks.mInfo->mMimeType) ||
+        (numAudios && info.mAudio.mMimeType != mAudioTracks.mInfo->mMimeType)) {
+      RejectAppend(NS_ERROR_FAILURE, __func__);
+      return;
+    }
+    // 1. If more than one track for a single type are present (ie 2 audio tracks),
+    // then the Track IDs match the ones in the first initialization segment.
+    // TODO
+    // 2. Add the appropriate track descriptions from this initialization
+    // segment to each of the track buffers.
+    // TODO
+    // 3. Set the need random access point flag on all track buffers to true.
+    mVideoTracks.mNeedRandomAccessPoint = true;
+    mAudioTracks.mNeedRandomAccessPoint = true;
+
+    mVideoTracks.mLongestFrameDuration = mVideoTracks.mLastFrameDuration;
+    mAudioTracks.mLongestFrameDuration = mAudioTracks.mLastFrameDuration;
+  }
+
+  // 4. Let active track flag equal false.
+  mActiveTrack = false;
+
+  // 5. If the first initialization segment received flag is false, then run the following steps:
+  if (!mFirstInitializationSegmentReceived) {
+    mAudioTracks.mNumTracks = numAudios;
+    // TODO:
+    // 1. If the initialization segment contains tracks with codecs the user agent
+    // does not support, then run the append error algorithm with the decode
+    // error parameter set to true and abort these steps.
+
+    // 2. For each audio track in the initialization segment, run following steps:
+    // for (uint32_t i = 0; i < numAudios; i++) {
+    if (numAudios) {
+      // 1. Let audio byte stream track ID be the Track ID for the current track being processed.
+      // 2. Let audio language be a BCP 47 language tag for the language specified in the initialization segment for this track or an empty string if no language info is present.
+      // 3. If audio language equals an empty string or the 'und' BCP 47 value, then run the default track language algorithm with byteStreamTrackID set to audio byte stream track ID and type set to "audio" and assign the value returned by the algorithm to audio language.
+      // 4. Let audio label be a label specified in the initialization segment for this track or an empty string if no label info is present.
+      // 5. If audio label equals an empty string, then run the default track label algorithm with byteStreamTrackID set to audio byte stream track ID and type set to "audio" and assign the value returned by the algorithm to audio label.
+      // 6. Let audio kinds be an array of kind strings specified in the initialization segment for this track or an empty array if no kind information is provided.
+      // 7. If audio kinds equals an empty array, then run the default track kinds algorithm with byteStreamTrackID set to audio byte stream track ID and type set to "audio" and assign the value returned by the algorithm to audio kinds.
+      // 8. For each value in audio kinds, run the following steps:
+      //   1. Let current audio kind equal the value from audio kinds for this iteration of the loop.
+      //   2. Let new audio track be a new AudioTrack object.
+      //   3. Generate a unique ID and assign it to the id property on new audio track.
+      //   4. Assign audio language to the language property on new audio track.
+      //   5. Assign audio label to the label property on new audio track.
+      //   6. Assign current audio kind to the kind property on new audio track.
+      //   7. If audioTracks.length equals 0, then run the following steps:
+      //     1. Set the enabled property on new audio track to true.
+      //     2. Set active track flag to true.
+      mActiveTrack = true;
+      //   8. Add new audio track to the audioTracks attribute on this SourceBuffer object.
+      //   9. Queue a task to fire a trusted event named addtrack, that does not bubble and is not cancelable, and that uses the TrackEvent interface, at the AudioTrackList object referenced by the audioTracks attribute on this SourceBuffer object.
+      //   10. Add new audio track to the audioTracks attribute on the HTMLMediaElement.
+      //   11. Queue a task to fire a trusted event named addtrack, that does not bubble and is not cancelable, and that uses the TrackEvent interface, at the AudioTrackList object referenced by the audioTracks attribute on the HTMLMediaElement.
+      mAudioTracks.mBuffers.AppendElement(TrackBuffer());
+      // 10. Add the track description for this track to the track buffer.
+      mAudioTracks.mInfo = info.mAudio.Clone();
+    }
+
+    mVideoTracks.mNumTracks = numVideos;
+    // 3. For each video track in the initialization segment, run following steps:
+    // for (uint32_t i = 0; i < numVideos; i++) {
+    if (numVideos) {
+      // 1. Let video byte stream track ID be the Track ID for the current track being processed.
+      // 2. Let video language be a BCP 47 language tag for the language specified in the initialization segment for this track or an empty string if no language info is present.
+      // 3. If video language equals an empty string or the 'und' BCP 47 value, then run the default track language algorithm with byteStreamTrackID set to video byte stream track ID and type set to "video" and assign the value returned by the algorithm to video language.
+      // 4. Let video label be a label specified in the initialization segment for this track or an empty string if no label info is present.
+      // 5. If video label equals an empty string, then run the default track label algorithm with byteStreamTrackID set to video byte stream track ID and type set to "video" and assign the value returned by the algorithm to video label.
+      // 6. Let video kinds be an array of kind strings specified in the initialization segment for this track or an empty array if no kind information is provided.
+      // 7. If video kinds equals an empty array, then run the default track kinds algorithm with byteStreamTrackID set to video byte stream track ID and type set to "video" and assign the value returned by the algorithm to video kinds.
+      // 8. For each value in video kinds, run the following steps:
+      //   1. Let current video kind equal the value from video kinds for this iteration of the loop.
+      //   2. Let new video track be a new VideoTrack object.
+      //   3. Generate a unique ID and assign it to the id property on new video track.
+      //   4. Assign video language to the language property on new video track.
+      //   5. Assign video label to the label property on new video track.
+      //   6. Assign current video kind to the kind property on new video track.
+      //   7. If videoTracks.length equals 0, then run the following steps:
+      //     1. Set the selected property on new video track to true.
+      //     2. Set active track flag to true.
+      mActiveTrack = true;
+      //   8. Add new video track to the videoTracks attribute on this SourceBuffer object.
+      //   9. Queue a task to fire a trusted event named addtrack, that does not bubble and is not cancelable, and that uses the TrackEvent interface, at the VideoTrackList object referenced by the videoTracks attribute on this SourceBuffer object.
+      //   10. Add new video track to the videoTracks attribute on the HTMLMediaElement.
+      //   11. Queue a task to fire a trusted event named addtrack, that does not bubble and is not cancelable, and that uses the TrackEvent interface, at the VideoTrackList object referenced by the videoTracks attribute on the HTMLMediaElement.
+      mVideoTracks.mBuffers.AppendElement(TrackBuffer());
+      // 10. Add the track description for this track to the track buffer.
+      mVideoTracks.mInfo = info.mVideo.Clone();
+    }
+    // 4. For each text track in the initialization segment, run following steps:
+    // 5. If active track flag equals true, then run the following steps:
+    // This is handled by SourceBuffer once the promise is resolved.
+
+    // 6. Set first initialization segment received flag to true.
+    mFirstInitializationSegmentReceived = true;
+  }
+
+  // TODO CHECK ENCRYPTION
+  UniquePtr<EncryptionInfo> crypto = mInputDemuxer->GetCrypto();
+  if (crypto && crypto->IsEncrypted()) {
+#ifdef MOZ_EME
+    // Try and dispatch 'encrypted'. Won't go if ready state still HAVE_NOTHING.
+    for (uint32_t i = 0; i < crypto->mInitDatas.Length(); i++) {
+//      NS_DispatchToMainThread(
+//        new DispatchKeyNeededEvent(mParentDecoder, crypto->mInitDatas[i].mInitData, NS_LITERAL_STRING("cenc")));
+    }
+#endif // MOZ_EME
+    info.mCrypto = *crypto;
+    mEncrypted = true;
+  }
+
+  {
+    MonitorAutoLock mon(mMonitor);
+    mInfo = info;
+  }
+
+  // 3. Remove the initialization segment bytes from the beginning of the input buffer.
+  // This step has already been done in InitializationSegmentReceived when we
+  // transferred the content into mCurrentInputBuffer.
+  mCurrentInputBuffer->EvictAll();
+  RecreateParser();
+
+  // 4. Set append state to WAITING_FOR_SEGMENT.
+  SetAppendState(AppendState::WAITING_FOR_SEGMENT);
+  // 5. Jump to the loop top step above.
+  ScheduleSegmentParserLoop();
+}
+
+void
+TrackBuffersManager::OnDemuxerInitFailed(DemuxerFailureReason aFailure)
+{
+  MOZ_ASSERT(aFailure != DemuxerFailureReason::WAITING_FOR_DATA);
+  mDemuxerInitRequest.Complete();
+
+  RejectAppend(NS_ERROR_FAILURE, __func__);
+}
+
+nsRefPtr<TrackBuffersManager::CodedFrameProcessingPromise>
+TrackBuffersManager::CodedFrameProcessing()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MOZ_ASSERT(mProcessingPromise.IsEmpty());
+  nsRefPtr<CodedFrameProcessingPromise> p = mProcessingPromise.Ensure(__func__);
+
+  int64_t offset = mCurrentInputBuffer->GetLength();
+  MediaByteRange mediaRange = mParser->MediaSegmentRange();
+  uint32_t length;
+  if (mediaRange.IsNull()) {
+    length = mInputBuffer->Length();
+    mCurrentInputBuffer->AppendData(mInputBuffer);
+    mInputBuffer = nullptr;
+  } else {
+    // The mediaRange is offset by the init segment position previously added.
+    length = mediaRange.mEnd - (mProcessedInput - mInputBuffer->Length());
+    nsRefPtr<MediaLargeByteBuffer> segment = new MediaLargeByteBuffer;
+    MOZ_ASSERT(mInputBuffer->Length() >= length);
+    if (!segment->AppendElements(mInputBuffer->Elements(), length, fallible)) {
+      return CodedFrameProcessingPromise::CreateAndReject(NS_ERROR_OUT_OF_MEMORY, __func__);
+    }
+    mCurrentInputBuffer->AppendData(segment);
+    mInputBuffer->RemoveElementsAt(0, length);
+  }
+  mInputDemuxer->NotifyDataArrived(length, offset);
+
+  DoDemuxVideo();
+
+  return p;
+}
+
+void
+TrackBuffersManager::OnDemuxFailed(TrackType aTrack,
+                                   DemuxerFailureReason aFailure)
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MSE_DEBUG("Failed to demux %s, failure:%d mAbort:%d",
+            aTrack == TrackType::kVideoTrack ? "video" : "audio",
+            aFailure, static_cast<bool>(mAbort));
+  switch (aFailure) {
+    case DemuxerFailureReason::END_OF_STREAM:
+    case DemuxerFailureReason::WAITING_FOR_DATA:
+      if (aTrack == TrackType::kVideoTrack) {
+        DoDemuxAudio();
+      } else {
+        CompleteCodedFrameProcessing();
+      }
+      break;
+    case DemuxerFailureReason::DEMUXER_ERROR:
+      RejectProcessing(NS_ERROR_FAILURE, __func__);
+      break;
+    case DemuxerFailureReason::CANCELED:
+    case DemuxerFailureReason::SHUTDOWN:
+      RejectProcessing(NS_ERROR_ABORT, __func__);
+      break;
+    default:
+      MOZ_ASSERT(false);
+      break;
+  }
+}
+
+void
+TrackBuffersManager::DoDemuxVideo()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MSE_DEBUG("mAbort:%d", static_cast<bool>(mAbort));
+  if (!HasVideo()) {
+    DoDemuxAudio();
+    return;
+  }
+  if (mAbort) {
+    RejectProcessing(NS_ERROR_ABORT, __func__);
+    return;
+  }
+  mVideoTracks.mDemuxRequest.Begin(mVideoTracks.mDemuxer->GetSamples(-1)
+                             ->Then(GetTaskQueue(), __func__, this,
+                                    &TrackBuffersManager::OnVideoDemuxCompleted,
+                                    &TrackBuffersManager::OnVideoDemuxFailed));
+}
+
+void
+TrackBuffersManager::OnVideoDemuxCompleted(nsRefPtr<MediaTrackDemuxer::SamplesHolder> aSamples)
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MSE_DEBUG("%d video samples demuxed", aSamples->mSamples.Length());
+  mVideoTracks.mDemuxRequest.Complete();
+  mVideoTracks.mQueuedSamples.AppendElements(aSamples->mSamples);
+  DoDemuxAudio();
+}
+
+void
+TrackBuffersManager::DoDemuxAudio()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MSE_DEBUG("mAbort:%d", static_cast<bool>(mAbort));
+  if (!HasAudio()) {
+    CompleteCodedFrameProcessing();
+    return;
+  }
+  if (mAbort) {
+    RejectProcessing(NS_ERROR_ABORT, __func__);
+    return;
+  }
+  mAudioTracks.mDemuxRequest.Begin(mAudioTracks.mDemuxer->GetSamples(-1)
+                             ->Then(GetTaskQueue(), __func__, this,
+                                    &TrackBuffersManager::OnAudioDemuxCompleted,
+                                    &TrackBuffersManager::OnAudioDemuxFailed));
+}
+
+void
+TrackBuffersManager::OnAudioDemuxCompleted(nsRefPtr<MediaTrackDemuxer::SamplesHolder> aSamples)
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MSE_DEBUG("%d audio samples demuxed", aSamples->mSamples.Length());
+  mAudioTracks.mDemuxRequest.Complete();
+  mAudioTracks.mQueuedSamples.AppendElements(aSamples->mSamples);
+  CompleteCodedFrameProcessing();
+}
+
+void
+TrackBuffersManager::CompleteCodedFrameProcessing()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  MSE_DEBUG("mAbort:%d", static_cast<bool>(mAbort));
+
+  // 1. For each coded frame in the media segment run the following steps:
+
+  for (auto& sample : mVideoTracks.mQueuedSamples) {
+    while (true) {
+      if (!ProcessFrame(sample, mVideoTracks)) {
+        break;
+      }
+    }
+  }
+  mVideoTracks.mQueuedSamples.Clear();
+
+  for (auto& sample : mAudioTracks.mQueuedSamples) {
+    while (true) {
+      if (!ProcessFrame(sample, mAudioTracks)) {
+        break;
+      }
+    }
+  }
+  mAudioTracks.mQueuedSamples.Clear();
+
+  {
+    MonitorAutoLock mon(mMonitor);
+
+    // Save our final tracks buffered ranges.
+    mVideoBufferedRanges = mVideoTracks.mBufferedRanges;
+    mAudioBufferedRanges = mAudioTracks.mBufferedRanges;
+    if (HasAudio()) {
+      MSE_DEBUG("audio new buffered range = %s",
+                DumpTimeRanges(mAudioBufferedRanges).get());
+    }
+    if (HasVideo()) {
+      MSE_DEBUG("video new buffered range = %s",
+                DumpTimeRanges(mVideoBufferedRanges).get());
+    }
+  }
+
+  // Update our reported total size.
+  mSizeSourceBuffer = mVideoTracks.mSizeBuffer + mAudioTracks.mSizeBuffer;
+
+  // Return to step 6.4 of Segment Parser Loop algorithm
+  // 4. If this SourceBuffer is full and cannot accept more media data, then set the buffer full flag to true.
+  // TODO
+  mBufferFull = false;
+
+  // 5. If the input buffer does not contain a complete media segment, then jump to the need more data step below.
+  if (mParser->MediaSegmentRange().IsNull()) {
+    ResolveProcessing(true, __func__);
+    return;
+  }
+
+  // 6. Remove the media segment bytes from the beginning of the input buffer.
+  // Clear our demuxer from any already processed data.
+  // As we have handled a complete media segment, it is safe to evict all data
+  // from the resource.
+  mCurrentInputBuffer->EvictAll();
+  mInputDemuxer->NotifyDataRemoved();
+  RecreateParser();
+
+  // 7. Set append state to WAITING_FOR_SEGMENT.
+  SetAppendState(AppendState::WAITING_FOR_SEGMENT);
+
+  // 8. Jump to the loop top step above.
+  ResolveProcessing(false, __func__);
+}
+
+void
+TrackBuffersManager::RejectProcessing(nsresult aRejectValue, const char* aName)
+{
+  if (mAbort) {
+    // mAppendPromise will be resolved immediately upon mProcessingPromise
+    // completing.
+    mAppendRunning = false;
+  }
+  mProcessingPromise.RejectIfExists(aRejectValue, __func__);
+}
+
+void
+TrackBuffersManager::ResolveProcessing(bool aResolveValue, const char* aName)
+{
+  if (mAbort) {
+    // mAppendPromise will be resolved immediately upon mProcessingPromise
+    // completing.
+    mAppendRunning = false;
+  }
+  mProcessingPromise.ResolveIfExists(aResolveValue, __func__);
+}
+
+bool
+TrackBuffersManager::ProcessFrame(MediaRawData* aSample,
+                                  TrackData& aTrackData)
+{
+  TrackData* tracks[] = { &mVideoTracks, &mAudioTracks };
+  TimeUnit presentationTimestamp;
+  TimeUnit decodeTimestamp;
+
+  if (!mParent->mGenerateTimestamp) {
+    presentationTimestamp = TimeUnit::FromMicroseconds(aSample->mTime);
+    decodeTimestamp = TimeUnit::FromMicroseconds(aSample->mTimecode);
+  }
+
+  // 2. Let frame duration be a double precision floating point representation of the coded frame's duration in seconds.
+  TimeUnit frameDuration{TimeUnit::FromMicroseconds(aSample->mDuration)};
+
+  // 3. If mode equals "sequence" and group start timestamp is set, then run the following steps:
+  if (mParent->mAppendMode == SourceBufferAppendMode::Sequence &&
+      mGroupStartTimestamp.isSome()) {
+    mTimestampOffset = mGroupStartTimestamp.ref();
+    mGroupEndTimestamp = mGroupStartTimestamp.ref();
+    mVideoTracks.mNeedRandomAccessPoint = true;
+    mAudioTracks.mNeedRandomAccessPoint = true;
+    mGroupStartTimestamp.reset();
+  }
+
+  // 4. If timestampOffset is not 0, then run the following steps:
+  if (mTimestampOffset != TimeUnit::FromSeconds(0)) {
+    presentationTimestamp += mTimestampOffset;
+    decodeTimestamp += mTimestampOffset;
+  }
+
+  MSE_DEBUGV("Processing %s frame(pts:%lld end:%lld, dts:%lld, duration:%lld, "
+             "kf:%d)",
+             aTrackData.mInfo->mMimeType.get(),
+             presentationTimestamp.ToMicroseconds(),
+             (presentationTimestamp + frameDuration).ToMicroseconds(),
+             decodeTimestamp.ToMicroseconds(),
+             frameDuration.ToMicroseconds(),
+             aSample->mKeyframe);
+
+  // 5. Let track buffer equal the track buffer that the coded frame will be added to.
+  auto& trackBuffer = aTrackData;
+
+  // 6. If last decode timestamp for track buffer is set and decode timestamp is less than last decode timestamp:
+  // OR
+  // If last decode timestamp for track buffer is set and the difference between decode timestamp and last decode timestamp is greater than 2 times last frame duration:
+
+  // TODO: Maybe we should be using TimeStamp and TimeDuration instead?
+
+  // Some MP4 content may exhibit an extremely short frame duration.
+  // As such, we can't use the last frame duration as a way to detect
+  // discontinuities as required per step 6 above.
+  // Instead we use the biggest duration seen so far in this run (init + media
+  // segment).
+  if ((trackBuffer.mLastDecodeTimestamp.isSome() &&
+       decodeTimestamp < trackBuffer.mLastDecodeTimestamp.ref()) ||
+      (trackBuffer.mLastDecodeTimestamp.isSome() &&
+       decodeTimestamp - trackBuffer.mLastDecodeTimestamp.ref() > 2*trackBuffer.mLongestFrameDuration.ref())) {
+
+    // 1a. If mode equals "segments":
+    if (mParent->mAppendMode == SourceBufferAppendMode::Segments) {
+      // Set group end timestamp to presentation timestamp.
+      mGroupEndTimestamp = presentationTimestamp;
+    }
+    // 1b. If mode equals "sequence":
+    if (mParent->mAppendMode == SourceBufferAppendMode::Sequence) {
+      // Set group start timestamp equal to the group end timestamp.
+      mGroupStartTimestamp = Some(mGroupEndTimestamp);
+    }
+    for (auto& track : tracks) {
+      // 2. Unset the last decode timestamp on all track buffers.
+      track->mLastDecodeTimestamp.reset();
+      // 3. Unset the last frame duration on all track buffers.
+      track->mLastFrameDuration.reset();
+      // 4. Unset the highest end timestamp on all track buffers.
+      track->mHighestEndTimestamp.reset();
+      // 5. Set the need random access point flag on all track buffers to true.
+      track->mNeedRandomAccessPoint = true;
+
+      trackBuffer.mLongestFrameDuration.reset();
+    }
+    MSE_DEBUG("Detected discontinuity. Restarting process");
+    // 6. Jump to the Loop Top step above to restart processing of the current coded frame.
+    return true;
+  }
+
+  // 7. Let frame end timestamp equal the sum of presentation timestamp and frame duration.
+  TimeUnit frameEndTimestamp = presentationTimestamp + frameDuration;
+
+  // 8. If presentation timestamp is less than appendWindowStart, then set the need random access point flag to true, drop the coded frame, and jump to the top of the loop to start processing the next coded frame.
+  if (presentationTimestamp.ToSeconds() < mParent->mAppendWindowStart) {
+    trackBuffer.mNeedRandomAccessPoint = true;
+    return false;
+  }
+
+  // 9. If frame end timestamp is greater than appendWindowEnd, then set the need random access point flag to true, drop the coded frame, and jump to the top of the loop to start processing the next coded frame.
+  if (frameEndTimestamp.ToSeconds() > mParent->mAppendWindowEnd) {
+    trackBuffer.mNeedRandomAccessPoint = true;
+    return false;
+  }
+
+  // 10. If the need random access point flag on track buffer equals true, then run the following steps:
+  if (trackBuffer.mNeedRandomAccessPoint) {
+    // 1. If the coded frame is not a random access point, then drop the coded frame and jump to the top of the loop to start processing the next coded frame.
+    if (!aSample->mKeyframe) {
+      return false;
+    }
+    // 2. Set the need random access point flag on track buffer to false.
+    trackBuffer.mNeedRandomAccessPoint = false;
+  }
+
+  // TODO: Handle splicing of audio (and text) frames.
+  // 11. Let spliced audio frame be an unset variable for holding audio splice information
+  // 12. Let spliced timed text frame be an unset variable for holding timed text splice information
+
+  // 13. If last decode timestamp for track buffer is unset and presentation timestamp falls within the presentation interval of a coded frame in track buffer,then run the following steps:
+  // For now we only handle replacing existing frames with the new ones. So we
+  // skip this step.
+
+  // 14. Remove existing coded frames in track buffer:
+
+  // There is an ambiguity on how to remove frames, which was lodged with:
+  // https://www.w3.org/Bugs/Public/show_bug.cgi?id=28710, implementing as per
+  // bug description.
+  int firstRemovedIndex = -1;
+  TimeInterval removedInterval;
+  TrackBuffer& data = trackBuffer.mBuffers.LastElement();
+  if (trackBuffer.mBufferedRanges.Contains(presentationTimestamp)) {
+    if (trackBuffer.mHighestEndTimestamp.isNothing()) {
+      for (uint32_t i = 0; i < data.Length(); i++) {
+        MediaRawData* sample = data[i].get();
+        if (sample->mTime >= presentationTimestamp.ToMicroseconds() &&
+            sample->mTime < frameEndTimestamp.ToMicroseconds()) {
+          if (firstRemovedIndex < 0) {
+            removedInterval =
+              TimeInterval(TimeUnit::FromMicroseconds(sample->mTime),
+                           TimeUnit::FromMicroseconds(sample->mTime + sample->mDuration));
+            firstRemovedIndex = i;
+          } else {
+            removedInterval = removedInterval.Span(
+              TimeInterval(TimeUnit::FromMicroseconds(sample->mTime),
+                           TimeUnit::FromMicroseconds(sample->mTime + sample->mDuration)));
+          }
+          trackBuffer.mSizeBuffer -= sizeof(*sample) + sample->mSize;
+          data.RemoveElementAt(i);
+        }
+      }
+    } else if (trackBuffer.mHighestEndTimestamp.ref() <= presentationTimestamp) {
+      for (uint32_t i = 0; i < data.Length(); i++) {
+        MediaRawData* sample = data[i].get();
+        if (sample->mTime >= trackBuffer.mHighestEndTimestamp.ref().ToMicroseconds() &&
+            sample->mTime < frameEndTimestamp.ToMicroseconds()) {
+          if (firstRemovedIndex < 0) {
+            removedInterval =
+              TimeInterval(TimeUnit::FromMicroseconds(sample->mTime),
+                           TimeUnit::FromMicroseconds(sample->mTime + sample->mDuration));
+            firstRemovedIndex = i;
+          } else {
+            removedInterval = removedInterval.Span(
+              TimeInterval(TimeUnit::FromMicroseconds(sample->mTime),
+                           TimeUnit::FromMicroseconds(sample->mTime + sample->mDuration)));
+          }
+          trackBuffer.mSizeBuffer -= sizeof(*sample) + sample->mSize;
+          data.RemoveElementAt(i);
+        }
+      }
+    }
+  }
+  // 15. Remove decoding dependencies of the coded frames removed in the previous step:
+  // Remove all coded frames between the coded frames removed in the previous step and the next random access point after those removed frames.
+  if (firstRemovedIndex >= 0) {
+    for (uint32_t i = firstRemovedIndex; i < data.Length(); i++) {
+      MediaRawData* sample = data[i].get();
+      if (sample->mKeyframe) {
+        break;
+      }
+      removedInterval = removedInterval.Span(
+        TimeInterval(TimeUnit::FromMicroseconds(sample->mTime),
+                     TimeUnit::FromMicroseconds(sample->mTime + sample->mDuration)));
+      trackBuffer.mSizeBuffer -= sizeof(*aSample) + sample->mSize;
+      data.RemoveElementAt(i);
+    }
+    // Update our buffered range to exclude the range just removed.
+    trackBuffer.mBufferedRanges -= removedInterval;
+  }
+
+  // 16. Add the coded frame with the presentation timestamp, decode timestamp, and frame duration to the track buffer.
+  aSample->mTime = presentationTimestamp.ToMicroseconds();
+  aSample->mTimecode = decodeTimestamp.ToMicroseconds();
+  if (firstRemovedIndex >= 0) {
+    data.InsertElementAt(firstRemovedIndex, aSample);
+  } else {
+    if (data.IsEmpty() || aSample->mTimecode > data.LastElement()->mTimecode) {
+      data.AppendElement(aSample);
+    } else {
+      // Find where to insert frame.
+      for (uint32_t i = 0; i < data.Length(); i++) {
+        const auto& sample = data[i];
+        if (sample->mTimecode > aSample->mTimecode) {
+          data.InsertElementAt(i, aSample);
+          break;
+        }
+      }
+    }
+  }
+  trackBuffer.mSizeBuffer += sizeof(*aSample) + aSample->mSize;
+
+  // 17. Set last decode timestamp for track buffer to decode timestamp.
+  trackBuffer.mLastDecodeTimestamp = Some(decodeTimestamp);
+  // 18. Set last frame duration for track buffer to frame duration.
+  trackBuffer.mLastFrameDuration =
+    Some(TimeUnit::FromMicroseconds(aSample->mDuration));
+
+  if (trackBuffer.mLongestFrameDuration.isNothing()) {
+    trackBuffer.mLongestFrameDuration = trackBuffer.mLastFrameDuration;
+  } else {
+    trackBuffer.mLongestFrameDuration =
+      Some(std::max(trackBuffer.mLongestFrameDuration.ref(),
+               trackBuffer.mLastFrameDuration.ref()));
+  }
+
+  // 19. If highest end timestamp for track buffer is unset or frame end timestamp is greater than highest end timestamp, then set highest end timestamp for track buffer to frame end timestamp.
+  if (trackBuffer.mHighestEndTimestamp.isNothing() ||
+      frameEndTimestamp > trackBuffer.mHighestEndTimestamp.ref()) {
+    trackBuffer.mHighestEndTimestamp = Some(frameEndTimestamp);
+  }
+  // 20. If frame end timestamp is greater than group end timestamp, then set group end timestamp equal to frame end timestamp.
+  if (frameEndTimestamp > mGroupEndTimestamp) {
+    mGroupEndTimestamp = frameEndTimestamp;
+  }
+  // 21. If generate timestamps flag equals true, then set timestampOffset equal to frame end timestamp.
+  if (mParent->mGenerateTimestamp) {
+    mTimestampOffset = frameEndTimestamp;
+  }
+
+  // Update our buffered range with new sample interval.
+  // We allow a fuzz factor in our interval of half a frame length,
+  // as fuzz is +/- value, giving an effective leeway of a full frame
+  // length.
+  trackBuffer.mBufferedRanges +=
+    TimeInterval(presentationTimestamp, frameEndTimestamp,
+                 TimeUnit::FromMicroseconds(aSample->mDuration / 2));
+  return false;
+}
+
+void
+TrackBuffersManager::RecreateParser()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  // Recreate our parser for only the data remaining. This is required
+  // as it has parsed the entire InputBuffer provided.
+  // Once the old TrackBuffer/MediaSource implementation is removed
+  // we can optimize this part. TODO
+  nsRefPtr<MediaLargeByteBuffer> initData = mParser->InitData();
+  mParser = ContainerParser::CreateForMIMEType(mType);
+  if (initData) {
+    int64_t start, end;
+    mParser->ParseStartAndEndTimestamps(initData, start, end);
+    mProcessedInput = initData->Length();
+  } else {
+    mProcessedInput = 0;
+  }
+}
+
+nsTArray<TrackBuffersManager::TrackData*>
+TrackBuffersManager::GetTracksList()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  nsTArray<TrackData*> tracks;
+  if (HasVideo()) {
+    tracks.AppendElement(&mVideoTracks);
+  }
+  if (HasAudio()) {
+    tracks.AppendElement(&mAudioTracks);
+  }
+  return tracks;
+}
+
+void
+TrackBuffersManager::RestoreCachedVariables()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  if (mTimestampOffset != mLastTimestampOffset) {
+    nsCOMPtr<nsIRunnable> task =
+      NS_NewRunnableMethodWithArg<TimeUnit>(
+        mParent.get(),
+        static_cast<void (dom::SourceBuffer::*)(const TimeUnit&)>(&dom::SourceBuffer::SetTimestampOffset), /* beauty uh? :) */
+        mTimestampOffset);
+    AbstractThread::MainThread()->Dispatch(task.forget());
+  }
+}
+
+void
+TrackBuffersManager::SetAppendState(TrackBuffersManager::AppendState aAppendState)
+{
+  MSE_DEBUG("AppendState changed from %s to %s",
+            AppendStateToStr(mAppendState), AppendStateToStr(aAppendState));
+  mAppendState = aAppendState;
+}
+
+void
+TrackBuffersManager::SetGroupStartTimestamp(const TimeUnit& aGroupStartTimestamp)
+{
+  if (NS_IsMainThread()) {
+    nsCOMPtr<nsIRunnable> task =
+      NS_NewRunnableMethodWithArg<TimeUnit>(
+        this,
+        &TrackBuffersManager::SetGroupStartTimestamp,
+        aGroupStartTimestamp);
+    GetTaskQueue()->Dispatch(task.forget());
+    return;
+  }
+  MOZ_ASSERT(OnTaskQueue());
+  mGroupStartTimestamp = Some(aGroupStartTimestamp);
+}
+
+void
+TrackBuffersManager::RestartGroupStartTimestamp()
+{
+  if (NS_IsMainThread()) {
+    nsCOMPtr<nsIRunnable> task =
+      NS_NewRunnableMethod(this, &TrackBuffersManager::RestartGroupStartTimestamp);
+    GetTaskQueue()->Dispatch(task.forget());
+    return;
+  }
+  MOZ_ASSERT(OnTaskQueue());
+  mGroupStartTimestamp = Some(mGroupEndTimestamp);
+}
+
+TrackBuffersManager::~TrackBuffersManager()
+{
+  mTaskQueue->BeginShutdown();
+  mTaskQueue = nullptr;
+}
+
+MediaInfo
+TrackBuffersManager::GetMetadata()
+{
+  MonitorAutoLock mon(mMonitor);
+  return mInfo;
+}
+
+const TimeIntervals&
+TrackBuffersManager::Buffered(TrackInfo::TrackType aTrack)
+{
+  MOZ_ASSERT(OnTaskQueue());
+  return GetTracksData(aTrack).mBufferedRanges;
+}
+
+const TrackBuffersManager::TrackBuffer&
+TrackBuffersManager::GetTrackBuffer(TrackInfo::TrackType aTrack)
+{
+  MOZ_ASSERT(OnTaskQueue());
+  return GetTracksData(aTrack).mBuffers.LastElement();
+}
+
+}
+#undef MSE_DEBUG
diff --git a/dom/media/mediasource/TrackBuffersManager.h b/dom/media/mediasource/TrackBuffersManager.h
new file mode 100644
index 000000000000..3d9577213b96
--- /dev/null
+++ b/dom/media/mediasource/TrackBuffersManager.h
@@ -0,0 +1,288 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef MOZILLA_TRACKBUFFERSMANAGER_H_
+#define MOZILLA_TRACKBUFFERSMANAGER_H_
+
+#include "SourceBufferContentManager.h"
+#include "MediaSourceDecoder.h"
+#include "mozilla/Atomics.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/Monitor.h"
+#include "mozilla/Pair.h"
+#include "nsProxyRelease.h"
+#include "nsTArray.h"
+#include "StateMirroring.h"
+
+namespace mozilla {
+
+class ContainerParser;
+class MediaLargeByteBuffer;
+class MediaRawData;
+class SourceBuffer;
+class SourceBufferResource;
+
+using media::TimeUnit;
+using media::TimeInterval;
+using media::TimeIntervals;
+using dom::SourceBufferAppendMode;
+
+class TrackBuffersManager : public SourceBufferContentManager {
+public:
+  typedef MediaPromise<bool, nsresult, /* IsExclusive = */ true> CodedFrameProcessingPromise;
+  typedef TrackInfo::TrackType TrackType;
+  typedef MediaData::Type MediaType;
+  typedef nsTArray<nsRefPtr<MediaRawData>> TrackBuffer;
+
+  TrackBuffersManager(dom::SourceBuffer* aParent, MediaSourceDecoder* aParentDecoder, const nsACString& aType);
+
+  bool AppendData(MediaLargeByteBuffer* aData, TimeUnit aTimestampOffset) override;
+
+  nsRefPtr<AppendPromise> BufferAppend() override;
+
+  void AbortAppendData() override;
+
+  void ResetParserState() override;
+
+  nsRefPtr<RangeRemovalPromise> RangeRemoval(TimeUnit aStart, TimeUnit aEnd) override;
+
+  EvictDataResult
+  EvictData(TimeUnit aPlaybackTime, uint32_t aThreshold, TimeUnit* aBufferStartTime) override;
+
+  void EvictBefore(TimeUnit aTime) override;
+
+  TimeIntervals Buffered() override;
+
+  int64_t GetSize() override;
+
+  void Ended() override;
+
+  void Detach() override;
+
+  AppendState GetAppendState() override
+  {
+    return mAppendState;
+  }
+
+  void SetGroupStartTimestamp(const TimeUnit& aGroupStartTimestamp) override;
+  void RestartGroupStartTimestamp() override;
+
+  // Interface for MediaSourceDemuxer
+  MediaInfo GetMetadata();
+  const TrackBuffer& GetTrackBuffer(TrackInfo::TrackType aTrack);
+  const TimeIntervals& Buffered(TrackInfo::TrackType);
+  bool IsEnded() const
+  {
+    return mEnded;
+  }
+
+#if defined(DEBUG)
+  void Dump(const char* aPath) override;
+#endif
+
+private:
+  virtual ~TrackBuffersManager();
+  // All following functions run on the taskqueue.
+  nsRefPtr<AppendPromise> InitSegmentParserLoop();
+  void ScheduleSegmentParserLoop();
+  void SegmentParserLoop();
+  void AppendIncomingBuffers();
+  void InitializationSegmentReceived();
+  void CreateDemuxerforMIMEType();
+  void NeedMoreData();
+  void RejectAppend(nsresult aRejectValue, const char* aName);
+  // Will return a promise that will be resolved once all frames of the current
+  // media segment have been processed.
+  nsRefPtr<CodedFrameProcessingPromise> CodedFrameProcessing();
+  void CompleteCodedFrameProcessing();
+  // Called by ResetParserState. Complete parsing the input buffer for the
+  // current media segment.
+  void FinishCodedFrameProcessing();
+  void CompleteResetParserState();
+  nsRefPtr<RangeRemovalPromise> CodedFrameRemovalWithPromise(TimeInterval aInterval);
+  bool CodedFrameRemoval(TimeInterval aInterval);
+  void SetAppendState(AppendState aAppendState);
+
+  bool HasVideo() const
+  {
+    return mVideoTracks.mNumTracks > 0;
+  }
+  bool HasAudio() const
+  {
+    return mAudioTracks.mNumTracks > 0;
+  }
+
+  typedef Pair<nsRefPtr<MediaLargeByteBuffer>, TimeUnit> IncomingBuffer;
+  void AppendIncomingBuffer(IncomingBuffer aData);
+  nsTArray<IncomingBuffer> mIncomingBuffers;
+
+  // The input buffer as per http://w3c.github.io/media-source/index.html#sourcebuffer-input-buffer
+  nsRefPtr<MediaLargeByteBuffer> mInputBuffer;
+  // The current append state as per https://w3c.github.io/media-source/#sourcebuffer-append-state
+  // Accessed on both the main thread and the task queue.
+  Atomic<AppendState> mAppendState;
+  // Buffer full flag as per https://w3c.github.io/media-source/#sourcebuffer-buffer-full-flag.
+  // Accessed on both the main thread and the task queue.
+  // TODO: Unused for now.
+  Atomic<bool> mBufferFull;
+  bool mFirstInitializationSegmentReceived;
+  bool mActiveTrack;
+  Maybe<TimeUnit> mGroupStartTimestamp;
+  TimeUnit mGroupEndTimestamp;
+  nsCString mType;
+
+  // ContainerParser objects and methods.
+  // Those are used to parse the incoming input buffer.
+
+  // Recreate the ContainerParser and only feed it with the previous init
+  // segment found.
+  void RecreateParser();
+  nsAutoPtr<ContainerParser> mParser;
+
+  // Demuxer objects and methods.
+  nsRefPtr<SourceBufferResource> mCurrentInputBuffer;
+  nsRefPtr<MediaDataDemuxer> mInputDemuxer;
+  // Length already processed in current media segment.
+  uint32_t mProcessedInput;
+
+  void OnDemuxerInitDone(nsresult);
+  void OnDemuxerInitFailed(DemuxerFailureReason aFailure);
+  MediaPromiseRequestHolder<MediaDataDemuxer::InitPromise> mDemuxerInitRequest;
+  bool mEncrypted;
+
+  void OnDemuxFailed(TrackType aTrack, DemuxerFailureReason aFailure);
+  void DoDemuxVideo();
+  void OnVideoDemuxCompleted(nsRefPtr<MediaTrackDemuxer::SamplesHolder> aSamples);
+  void OnVideoDemuxFailed(DemuxerFailureReason aFailure)
+  {
+    mVideoTracks.mDemuxRequest.Complete();
+    OnDemuxFailed(TrackType::kVideoTrack, aFailure);
+  }
+  void DoDemuxAudio();
+  void OnAudioDemuxCompleted(nsRefPtr<MediaTrackDemuxer::SamplesHolder> aSamples);
+  void OnAudioDemuxFailed(DemuxerFailureReason aFailure)
+  {
+    mAudioTracks.mDemuxRequest.Complete();
+    OnDemuxFailed(TrackType::kAudioTrack, aFailure);
+  }
+
+  void DoEvictData(const TimeUnit& aPlaybackTime, uint32_t aThreshold);
+
+  struct TrackData {
+    TrackData()
+      : mNumTracks(0)
+      , mNeedRandomAccessPoint(true)
+      , mSizeBuffer(0)
+    {}
+    uint32_t mNumTracks;
+    // Definition of variables:
+    // https://w3c.github.io/media-source/#track-buffers
+    // Last decode timestamp variable that stores the decode timestamp of the
+    // last coded frame appended in the current coded frame group.
+    // The variable is initially unset to indicate that no coded frames have
+    // been appended yet.
+    Maybe<TimeUnit> mLastDecodeTimestamp;
+    // Last frame duration variable that stores the coded frame duration of the
+    // last coded frame appended in the current coded frame group.
+    // The variable is initially unset to indicate that no coded frames have
+    // been appended yet.
+    Maybe<TimeUnit> mLastFrameDuration;
+    // Highest end timestamp variable that stores the highest coded frame end
+    // timestamp across all coded frames in the current coded frame group that
+    // were appended to this track buffer.
+    // The variable is initially unset to indicate that no coded frames have
+    // been appended yet.
+    Maybe<TimeUnit> mHighestEndTimestamp;
+    // Longest frame duration seen in a coded frame group.
+    Maybe<TimeUnit> mLongestFrameDuration;
+    // Need random access point flag variable that keeps track of whether the
+    // track buffer is waiting for a random access point coded frame.
+    // The variable is initially set to true to indicate that random access
+    // point coded frame is needed before anything can be added to the track
+    // buffer.
+    bool mNeedRandomAccessPoint;
+    nsRefPtr<MediaTrackDemuxer> mDemuxer;
+    MediaPromiseRequestHolder<MediaTrackDemuxer::SamplesPromise> mDemuxRequest;
+    // Samples just demuxed, but not yet parsed.
+    TrackBuffer mQueuedSamples;
+    // We only manage a single track of each type at this time.
+    nsTArray<TrackBuffer> mBuffers;
+    // Track buffer ranges variable that represents the presentation time ranges
+    // occupied by the coded frames currently stored in the track buffer.
+    TimeIntervals mBufferedRanges;
+    // Byte size of all samples contained in this track buffer.
+    uint32_t mSizeBuffer;
+    // TrackInfo of the first metadata received.
+    UniquePtr<TrackInfo> mInfo;
+  };
+
+  bool ProcessFrame(MediaRawData* aSample, TrackData& aTrackData);
+  void RejectProcessing(nsresult aRejectValue, const char* aName);
+  void ResolveProcessing(bool aResolveValue, const char* aName);
+  MediaPromiseRequestHolder<CodedFrameProcessingPromise> mProcessingRequest;
+  MediaPromiseHolder<CodedFrameProcessingPromise> mProcessingPromise;
+
+  MediaPromiseHolder<AppendPromise> mAppendPromise;
+  // Set to true while SegmentParserLoop is running. This is used for diagnostic
+  // purposes only. We can't rely on mAppendPromise to be empty as it is only
+  // cleared in a follow up task.
+  bool mAppendRunning;
+
+  // Trackbuffers definition.
+  nsTArray<TrackData*> GetTracksList();
+  TrackData& GetTracksData(TrackType aTrack)
+  {
+    switch(aTrack) {
+      case TrackType::kVideoTrack:
+        return mVideoTracks;
+      case TrackType::kAudioTrack:
+      default:
+        return mAudioTracks;
+    }
+  }
+  TrackData mVideoTracks;
+  TrackData mAudioTracks;
+
+  // TaskQueue methods and objects.
+  AbstractThread* GetTaskQueue() {
+    return mTaskQueue;
+  }
+  bool OnTaskQueue()
+  {
+    return !GetTaskQueue() || GetTaskQueue()->IsCurrentThreadIn();
+  }
+  RefPtr<MediaTaskQueue> mTaskQueue;
+
+  TimeUnit mTimestampOffset;
+  TimeUnit mLastTimestampOffset;
+  void RestoreCachedVariables();
+
+  // Strong references to external objects.
+  nsMainThreadPtrHandle<dom::SourceBuffer> mParent;
+  nsMainThreadPtrHandle<MediaSourceDecoder> mParentDecoder;
+
+  // MediaSource duration mirrored from MediaDecoder on the main thread..
+  Mirror<Maybe<double>> mMediaSourceDuration;
+
+  // Set to true if abort was called.
+  Atomic<bool> mAbort;
+  // Set to true if mediasource state changed to ended.
+  Atomic<bool> mEnded;
+
+  // Global size of this source buffer content.
+  Atomic<int64_t> mSizeSourceBuffer;
+
+  // Monitor to protect following objects accessed across multipple threads.
+  mutable Monitor mMonitor;
+  // Stable audio and video track time ranges.
+  TimeIntervals mVideoBufferedRanges;
+  TimeIntervals mAudioBufferedRanges;
+  // MediaInfo of the first init segment read.
+  MediaInfo mInfo;
+};
+
+} // namespace mozilla
+#endif /* MOZILLA_TRACKBUFFERSMANAGER_H_ */
diff --git a/dom/media/mediasource/moz.build b/dom/media/mediasource/moz.build
index 8256df9d5d80..0667407da278 100644
--- a/dom/media/mediasource/moz.build
+++ b/dom/media/mediasource/moz.build
@@ -31,6 +31,7 @@ UNIFIED_SOURCES += [
     'SourceBufferList.cpp',
     'SourceBufferResource.cpp',
     'TrackBuffer.cpp',
+    'TrackBuffersManager.cpp',
 ]
 
 FAIL_ON_WARNINGS = True
diff --git a/dom/media/omx/MediaCodecReader.cpp b/dom/media/omx/MediaCodecReader.cpp
index 3cb4034a5af8..8a71d6f25e2f 100644
--- a/dom/media/omx/MediaCodecReader.cpp
+++ b/dom/media/omx/MediaCodecReader.cpp
@@ -340,7 +340,7 @@ MediaCodecReader::DispatchVideoTask(int64_t aTimeThreshold)
 nsRefPtr<MediaDecoderReader::AudioDataPromise>
 MediaCodecReader::RequestAudioData()
 {
-  MOZ_ASSERT(GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(OnTaskQueue());
   MOZ_ASSERT(HasAudio());
 
   MonitorAutoLock al(mAudioTrack.mTrackMonitor);
@@ -355,7 +355,7 @@ nsRefPtr<MediaDecoderReader::VideoDataPromise>
 MediaCodecReader::RequestVideoData(bool aSkipToNextKeyframe,
                                    int64_t aTimeThreshold)
 {
-  MOZ_ASSERT(GetTaskQueue()->IsCurrentThreadIn());
+  MOZ_ASSERT(OnTaskQueue());
   MOZ_ASSERT(HasVideo());
 
   int64_t threshold = sInvalidTimestampUs;
@@ -659,7 +659,7 @@ MediaCodecReader::AsyncReadMetadata()
 
   nsRefPtr<MediaCodecReader> self = this;
   mMediaResourceRequest.Begin(CreateMediaCodecs()
-    ->Then(GetTaskQueue(), __func__,
+    ->Then(TaskQueue(), __func__,
       [self] (bool) -> void {
         self->mMediaResourceRequest.Complete();
         self->HandleResourceAllocated();
diff --git a/dom/media/omx/MediaOmxReader.cpp b/dom/media/omx/MediaOmxReader.cpp
index c7a55baab769..480f89e2ebd2 100644
--- a/dom/media/omx/MediaOmxReader.cpp
+++ b/dom/media/omx/MediaOmxReader.cpp
@@ -252,7 +252,7 @@ MediaOmxReader::AsyncReadMetadata()
 
   nsRefPtr<MediaOmxReader> self = this;
   mMediaResourceRequest.Begin(mOmxDecoder->AllocateMediaResources()
-    ->Then(GetTaskQueue(), __func__,
+    ->Then(TaskQueue(), __func__,
       [self] (bool) -> void {
         self->mMediaResourceRequest.Complete();
         self->HandleResourceAllocated();
diff --git a/dom/media/tests/mochitest/head.js b/dom/media/tests/mochitest/head.js
index d8f6dfdb02ac..e07fa7088730 100644
--- a/dom/media/tests/mochitest/head.js
+++ b/dom/media/tests/mochitest/head.js
@@ -134,7 +134,7 @@ function setupEnvironment() {
       ['dom.messageChannel.enabled', true],
       ['media.peerconnection.enabled', true],
       ['media.peerconnection.identity.enabled', true],
-      ['media.peerconnection.identity.timeout', 12000],
+      ['media.peerconnection.identity.timeout', 120000],
       ['media.peerconnection.ice.stun_client_maximum_transmits', 14],
       ['media.peerconnection.ice.trickle_grace_period', 30000],
       ['media.navigator.permission.disabled', true],
diff --git a/dom/media/webaudio/AudioDestinationNode.cpp b/dom/media/webaudio/AudioDestinationNode.cpp
index 0200f9390938..1f7a7a39536a 100644
--- a/dom/media/webaudio/AudioDestinationNode.cpp
+++ b/dom/media/webaudio/AudioDestinationNode.cpp
@@ -16,13 +16,12 @@
 #include "AudioNodeStream.h"
 #include "MediaStreamGraph.h"
 #include "OfflineAudioCompletionEvent.h"
+#include "nsContentUtils.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsIDocShell.h"
 #include "nsIPermissionManager.h"
 #include "nsIScriptObjectPrincipal.h"
 #include "nsServiceManagerUtils.h"
-#include "nsIAppShell.h"
-#include "nsWidgetsCID.h"
 #include "mozilla/dom/Promise.h"
 
 namespace mozilla {
@@ -684,17 +683,16 @@ AudioDestinationNode::NotifyStableState()
   mExtraCurrentTimeUpdatedSinceLastStableState = false;
 }
 
-static NS_DEFINE_CID(kAppShellCID, NS_APPSHELL_CID);
-
 void
 AudioDestinationNode::ScheduleStableStateNotification()
 {
-  nsCOMPtr<nsIAppShell> appShell = do_GetService(kAppShellCID);
-  if (appShell) {
-    nsCOMPtr<nsIRunnable> event =
-      NS_NewRunnableMethod(this, &AudioDestinationNode::NotifyStableState);
-    appShell->RunInStableState(event);
-  }
+  nsCOMPtr<nsIRunnable> event =
+    NS_NewRunnableMethod(this, &AudioDestinationNode::NotifyStableState);
+  // Dispatch will fail if this is called on AudioNode destruction during
+  // shutdown, in which case failure can be ignored.
+  nsContentUtils::RunInStableState(event.forget(),
+                                   nsContentUtils::
+                                     DispatchFailureHandling::IgnoreFailure);
 }
 
 double
diff --git a/dom/media/webaudio/MediaBufferDecoder.cpp b/dom/media/webaudio/MediaBufferDecoder.cpp
index fac61f727d9c..918b20cb2710 100644
--- a/dom/media/webaudio/MediaBufferDecoder.cpp
+++ b/dom/media/webaudio/MediaBufferDecoder.cpp
@@ -211,10 +211,6 @@ MediaDecodeTask::CreateReader()
     return false;
   }
 
-  if (!mDecoderReader->EnsureTaskQueue()) {
-    return false;
-  }
-
   return true;
 }
 
@@ -249,14 +245,14 @@ MediaDecodeTask::Decode()
 {
   MOZ_ASSERT(!NS_IsMainThread());
 
-  mBufferDecoder->BeginDecoding(mDecoderReader->GetTaskQueue());
+  mBufferDecoder->BeginDecoding(mDecoderReader->TaskQueue());
 
   // Tell the decoder reader that we are not going to play the data directly,
   // and that we should not reject files with more channels than the audio
   // backend support.
   mDecoderReader->SetIgnoreAudioOutputFormat();
 
-  mDecoderReader->AsyncReadMetadata()->Then(mDecoderReader->GetTaskQueue(), __func__, this,
+  mDecoderReader->AsyncReadMetadata()->Then(mDecoderReader->TaskQueue(), __func__, this,
                                        &MediaDecodeTask::OnMetadataRead,
                                        &MediaDecodeTask::OnMetadataNotRead);
 }
@@ -285,7 +281,7 @@ MediaDecodeTask::OnMetadataNotRead(ReadMetadataFailureReason aReason)
 void
 MediaDecodeTask::RequestSample()
 {
-  mDecoderReader->RequestAudioData()->Then(mDecoderReader->GetTaskQueue(), __func__, this,
+  mDecoderReader->RequestAudioData()->Then(mDecoderReader->TaskQueue(), __func__, this,
                                            &MediaDecodeTask::SampleDecoded,
                                            &MediaDecodeTask::SampleNotDecoded);
 }
@@ -508,10 +504,10 @@ AsyncDecodeWebAudio(const char* aContentType, uint8_t* aBuffer,
     NS_DispatchToMainThread(event);
   } else {
     // If we did this without a temporary:
-    //   task->Reader()->GetTaskQueue()->Dispatch(task.forget())
+    //   task->Reader()->TaskQueue()->Dispatch(task.forget())
     // we might evaluate the task.forget() before calling Reader(). Enforce
     // a non-crashy order-of-operations.
-    MediaTaskQueue* taskQueue = task->Reader()->GetTaskQueue();
+    MediaTaskQueue* taskQueue = task->Reader()->TaskQueue();
     taskQueue->Dispatch(task.forget());
   }
 }
diff --git a/dom/media/webaudio/WaveShaperNode.cpp b/dom/media/webaudio/WaveShaperNode.cpp
index 5be595100735..29846ee37bd0 100644
--- a/dom/media/webaudio/WaveShaperNode.cpp
+++ b/dom/media/webaudio/WaveShaperNode.cpp
@@ -229,7 +229,9 @@ public:
 
     AllocateAudioBlock(channelCount, aOutput);
     for (uint32_t i = 0; i < channelCount; ++i) {
-      const float* inputBuffer = static_cast<const float*>(aInput.mChannelData[i]);
+      float* scaledSample = (float *)(aInput.mChannelData[i]);
+      AudioBlockInPlaceScale(scaledSample, aInput.mVolume);
+      const float* inputBuffer = static_cast<const float*>(scaledSample);
       float* outputBuffer = const_cast<float*> (static_cast<const float*>(aOutput->mChannelData[i]));
       float* sampleBuffer;
 
diff --git a/dom/media/webaudio/test/mochitest.ini b/dom/media/webaudio/test/mochitest.ini
index db6b26ffa146..cc5a52acbe4a 100644
--- a/dom/media/webaudio/test/mochitest.ini
+++ b/dom/media/webaudio/test/mochitest.ini
@@ -83,6 +83,7 @@ tags=capturestream
 [test_bug966247.html]
 tags=capturestream
 [test_bug972678.html]
+[test_bug1118372.html]
 [test_bug1056032.html]
 skip-if = toolkit == 'android' # bug 1056706
 [test_channelMergerNode.html]
diff --git a/dom/media/webaudio/test/test_bug1118372.html b/dom/media/webaudio/test/test_bug1118372.html
new file mode 100644
index 000000000000..ca3fc6b0df26
--- /dev/null
+++ b/dom/media/webaudio/test/test_bug1118372.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test WaveShaperNode with no curve</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="webaudio.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+addLoadEvent(function() {
+  var context = new OfflineAudioContext(1, 2048, 44100);
+
+  var osc=context.createOscillator();
+  var gain=context.createGain();
+  var shaper=context.createWaveShaper();
+  gain.gain.value=0.1;
+  shaper.curve=new Float32Array([-0.5,-0.5,1,1]);
+
+  osc.connect(gain);
+  gain.connect(shaper);
+  shaper.connect(context.destination);
+  osc.start(0);
+
+  context.startRendering().then(function(buffer) {
+    var samples = buffer.getChannelData(0);
+    // the signal should be scaled
+    var failures = 0;
+    for (var i = 0; i < 2048; ++i) {
+      if (samples[i] > 0.5) {
+        failures = failures + 1;
+      }
+    }
+    ok(failures == 0, "signal should have been rescaled by gain: found " + failures + " points too loud.");
+    SimpleTest.finish();
+  });
+});
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/dom/media/webm/WebMReader.cpp b/dom/media/webm/WebMReader.cpp
index 1a3b05123bad..1ed5c8ac3562 100644
--- a/dom/media/webm/WebMReader.cpp
+++ b/dom/media/webm/WebMReader.cpp
@@ -161,8 +161,8 @@ ogg_packet InitOggPacket(const unsigned char* aData, size_t aLength,
 static bool sIsIntelDecoderEnabled = false;
 #endif
 
-WebMReader::WebMReader(AbstractMediaDecoder* aDecoder)
-  : MediaDecoderReader(aDecoder)
+WebMReader::WebMReader(AbstractMediaDecoder* aDecoder, MediaTaskQueue* aBorrowedTaskQueue)
+  : MediaDecoderReader(aDecoder, aBorrowedTaskQueue)
   , mContext(nullptr)
   , mPacketCount(0)
   , mOpusDecoder(nullptr)
diff --git a/dom/media/webm/WebMReader.h b/dom/media/webm/WebMReader.h
index 4bcfb42b8fcd..27da0842cfec 100644
--- a/dom/media/webm/WebMReader.h
+++ b/dom/media/webm/WebMReader.h
@@ -141,7 +141,7 @@ public:
 class WebMReader : public MediaDecoderReader
 {
 public:
-  explicit WebMReader(AbstractMediaDecoder* aDecoder);
+  explicit WebMReader(AbstractMediaDecoder* aDecoder, MediaTaskQueue* aBorrowedTaskQueue = nullptr);
 
 protected:
   ~WebMReader();
diff --git a/dom/media/webspeech/recognition/PocketSphinxSpeechRecognitionService.cpp b/dom/media/webspeech/recognition/PocketSphinxSpeechRecognitionService.cpp
new file mode 100644
index 000000000000..6108cf1e9480
--- /dev/null
+++ b/dom/media/webspeech/recognition/PocketSphinxSpeechRecognitionService.cpp
@@ -0,0 +1,345 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim:set ts=2 sw=2 sts=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsThreadUtils.h"
+#include "nsXPCOMCIDInternal.h"
+#include "PocketSphinxSpeechRecognitionService.h"
+#include "nsIFile.h"
+#include "SpeechGrammar.h"
+#include "SpeechRecognition.h"
+#include "SpeechRecognitionAlternative.h"
+#include "SpeechRecognitionResult.h"
+#include "SpeechRecognitionResultList.h"
+#include "nsIObserverService.h"
+#include "mozilla/Services.h"
+#include "nsDirectoryServiceDefs.h"
+#include "nsDirectoryServiceUtils.h"
+#include "nsMemory.h"
+
+extern "C" {
+#include "pocketsphinx/pocketsphinx.h"
+#include "sphinxbase/sphinx_config.h"
+#include "sphinxbase/jsgf.h"
+}
+
+namespace mozilla {
+
+using namespace dom;
+
+class DecodeResultTask : public nsRunnable
+{
+public:
+  DecodeResultTask(const nsString& hypstring,
+                   WeakPtr<dom::SpeechRecognition> recognition)
+      : mResult(hypstring),
+        mRecognition(recognition),
+        mWorkerThread(do_GetCurrentThread())
+  {
+    MOZ_ASSERT(
+      !NS_IsMainThread()); // This should be running on the worker thread
+  }
+
+  NS_IMETHOD
+  Run()
+  {
+    MOZ_ASSERT(NS_IsMainThread()); // This method is supposed to run on the main
+                                   // thread!
+
+    // Declare javascript result events
+    nsRefPtr<SpeechEvent> event = new SpeechEvent(
+      mRecognition, SpeechRecognition::EVENT_RECOGNITIONSERVICE_FINAL_RESULT);
+    SpeechRecognitionResultList* resultList =
+      new SpeechRecognitionResultList(mRecognition);
+    SpeechRecognitionResult* result = new SpeechRecognitionResult(mRecognition);
+    SpeechRecognitionAlternative* alternative =
+      new SpeechRecognitionAlternative(mRecognition);
+
+    alternative->mTranscript = mResult;
+    alternative->mConfidence = 100;
+
+    result->mItems.AppendElement(alternative);
+    resultList->mItems.AppendElement(result);
+
+    event->mRecognitionResultList = resultList;
+    NS_DispatchToMainThread(event);
+
+    // If we don't destroy the thread when we're done with it, it will hang
+    // around forever... bad!
+    // But thread->Shutdown must be called from the main thread, not from the
+    // thread itself.
+    return mWorkerThread->Shutdown();
+  }
+
+private:
+  nsString mResult;
+  WeakPtr<dom::SpeechRecognition> mRecognition;
+  nsCOMPtr<nsIThread> mWorkerThread;
+};
+
+class DecodeTask : public nsRunnable
+{
+public:
+  DecodeTask(WeakPtr<dom::SpeechRecognition> recogntion,
+             const nsTArray<int16_t>& audiovector, ps_decoder_t* ps)
+      : mRecognition(recogntion), mAudiovector(audiovector), mPs(ps)
+  {
+  }
+
+  NS_IMETHOD
+  Run()
+  {
+    char const* hyp;
+    int rv;
+    int32 score;
+    nsAutoCString hypoValue;
+
+    rv = ps_start_utt(mPs);
+    rv = ps_process_raw(mPs, &mAudiovector[0], mAudiovector.Length(), FALSE,
+                        FALSE);
+
+    rv = ps_end_utt(mPs);
+    if (rv >= 0) {
+      hyp = ps_get_hyp(mPs, &score);
+      if (hyp == nullptr) {
+        hypoValue.Assign("ERROR");
+      } else {
+        hypoValue.Assign(hyp);
+      }
+    }
+
+    nsCOMPtr<nsIRunnable> resultrunnable =
+      new DecodeResultTask(NS_ConvertUTF8toUTF16(hypoValue), mRecognition);
+    return NS_DispatchToMainThread(resultrunnable);
+  }
+
+private:
+  WeakPtr<dom::SpeechRecognition> mRecognition;
+  nsTArray<int16_t> mAudiovector;
+  ps_decoder_t* mPs;
+};
+
+NS_IMPL_ISUPPORTS(PocketSphinxSpeechRecognitionService,
+                  nsISpeechRecognitionService, nsIObserver)
+
+PocketSphinxSpeechRecognitionService::PocketSphinxSpeechRecognitionService()
+{
+  mSpeexState = nullptr;
+
+  // get root folder
+  nsCOMPtr<nsIFile> tmpFile;
+  nsAutoString aStringAMPath;   // am folder
+  nsAutoString aStringDictPath; // dict folder
+
+  NS_GetSpecialDirectory(NS_GRE_DIR, getter_AddRefs(tmpFile));
+#if defined(XP_WIN) // for some reason, on windows NS_GRE_DIR is not bin root,
+                    // but bin/browser
+  tmpFile->AppendRelativePath(NS_LITERAL_STRING(".."));
+#endif
+  tmpFile->AppendRelativePath(NS_LITERAL_STRING("models"));
+  tmpFile->AppendRelativePath(NS_LITERAL_STRING("en-us-semi"));
+  tmpFile->GetPath(aStringAMPath);
+
+  NS_GetSpecialDirectory(NS_GRE_DIR, getter_AddRefs(tmpFile));
+#if defined(XP_WIN) // for some reason, on windows NS_GRE_DIR is not bin root,
+                    // but bin/browser
+  tmpFile->AppendRelativePath(NS_LITERAL_STRING(".."));
+#endif
+  tmpFile->AppendRelativePath(NS_LITERAL_STRING("models"));     //
+  tmpFile->AppendRelativePath(NS_LITERAL_STRING("dict"));       //
+  tmpFile->AppendRelativePath(NS_LITERAL_STRING("cmu07a.dic")); //
+  tmpFile->GetPath(aStringDictPath);
+
+  // FOR B2G PATHS HARDCODED (APPEND /DATA ON THE BEGINING, FOR DESKTOP, ONLY
+  // MODELS/ RELATIVE TO ROOT
+  mPSConfig = cmd_ln_init(nullptr, ps_args(), TRUE, "-hmm",
+                          ToNewUTF8String(aStringAMPath), // acoustic model
+                          "-dict", ToNewUTF8String(aStringDictPath), nullptr);
+  if (mPSConfig == nullptr) {
+    ISDecoderCreated = false;
+  } else {
+    mPSHandle = ps_init(mPSConfig);
+    if (mPSHandle == nullptr) {
+      ISDecoderCreated = false;
+    } else {
+      ISDecoderCreated = true;
+    }
+  }
+
+  ISGrammarCompiled = false;
+}
+
+PocketSphinxSpeechRecognitionService::~PocketSphinxSpeechRecognitionService()
+{
+  if (mPSConfig) {
+    free(mPSConfig);
+  }
+  if (mPSHandle) {
+    free(mPSHandle);
+  }
+
+  mSpeexState = nullptr;
+}
+
+// CALL START IN JS FALLS HERE
+NS_IMETHODIMP
+PocketSphinxSpeechRecognitionService::Initialize(
+    WeakPtr<SpeechRecognition> aSpeechRecognition)
+{
+  if (!ISDecoderCreated || !ISGrammarCompiled) {
+    return NS_ERROR_NOT_INITIALIZED;
+  } else {
+    mAudioVector.Clear();
+
+    if (mSpeexState) {
+      mSpeexState = nullptr;
+    }
+
+    mRecognition = aSpeechRecognition;
+    nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
+    obs->AddObserver(this, SPEECH_RECOGNITION_TEST_EVENT_REQUEST_TOPIC, false);
+    obs->AddObserver(this, SPEECH_RECOGNITION_TEST_END_TOPIC, false);
+    return NS_OK;
+  }
+}
+
+NS_IMETHODIMP
+PocketSphinxSpeechRecognitionService::ProcessAudioSegment(
+  AudioSegment* aAudioSegment, int32_t aSampleRate)
+{
+  if (!mSpeexState) {
+    mSpeexState = speex_resampler_init(1, aSampleRate, 16000,
+                                       SPEEX_RESAMPLER_QUALITY_MAX, nullptr);
+  }
+  aAudioSegment->ResampleChunks(mSpeexState, aSampleRate, 16000);
+
+  AudioSegment::ChunkIterator iterator(*aAudioSegment);
+
+  while (!iterator.IsEnded()) {
+    mozilla::AudioChunk& chunk = *(iterator);
+    MOZ_ASSERT(chunk.mBuffer);
+    const int16_t* buf = static_cast<const int16_t*>(chunk.mChannelData[0]);
+
+    for (int i = 0; i < iterator->mDuration; i++) {
+      mAudioVector.AppendElement((int16_t)buf[i]);
+    }
+    iterator.Next();
+  }
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PocketSphinxSpeechRecognitionService::SoundEnd()
+{
+  speex_resampler_destroy(mSpeexState);
+  mSpeexState = nullptr;
+
+  // To create a new thread, get the thread manager
+  nsCOMPtr<nsIThreadManager> tm = do_GetService(NS_THREADMANAGER_CONTRACTID);
+  nsCOMPtr<nsIThread> decodethread;
+  nsresult rv = tm->NewThread(0, 0, getter_AddRefs(decodethread));
+  if (NS_FAILED(rv)) {
+    // In case of failure, call back immediately with an empty string which
+    // indicates failure
+    return NS_OK;
+  }
+
+  nsCOMPtr<nsIRunnable> r =
+    new DecodeTask(mRecognition, mAudioVector, mPSHandle);
+  decodethread->Dispatch(r, nsIEventTarget::DISPATCH_NORMAL);
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PocketSphinxSpeechRecognitionService::ValidateAndSetGrammarList(
+  SpeechGrammar* aSpeechGrammar,
+  nsISpeechGrammarCompilationCallback* aCallback)
+{
+  if (!ISDecoderCreated) {
+    ISGrammarCompiled = false;
+  } else if (aSpeechGrammar) {
+    nsAutoString grammar;
+    ErrorResult rv;
+    aSpeechGrammar->GetSrc(grammar, rv);
+
+    int result = ps_set_jsgf_string(mPSHandle, "name",
+                                    NS_ConvertUTF16toUTF8(grammar).get());
+
+    ps_set_search(mPSHandle, "name");
+
+    if (result != 0) {
+      ISGrammarCompiled = false;
+    } else {
+      ISGrammarCompiled = true;
+    }
+  } else {
+    ISGrammarCompiled = false;
+  }
+
+  return ISGrammarCompiled ? NS_OK : NS_ERROR_NOT_INITIALIZED;
+}
+
+NS_IMETHODIMP
+PocketSphinxSpeechRecognitionService::Abort()
+{
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PocketSphinxSpeechRecognitionService::Observe(nsISupports* aSubject,
+                                              const char* aTopic,
+                                              const char16_t* aData)
+{
+  MOZ_ASSERT(mRecognition->mTestConfig.mFakeRecognitionService,
+             "Got request to fake recognition service event, "
+             "but " TEST_PREFERENCE_FAKE_RECOGNITION_SERVICE " is not set");
+
+  if (!strcmp(aTopic, SPEECH_RECOGNITION_TEST_END_TOPIC)) {
+    nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
+    obs->RemoveObserver(this, SPEECH_RECOGNITION_TEST_EVENT_REQUEST_TOPIC);
+    obs->RemoveObserver(this, SPEECH_RECOGNITION_TEST_END_TOPIC);
+
+    return NS_OK;
+  }
+
+  const nsDependentString eventName = nsDependentString(aData);
+
+  if (eventName.EqualsLiteral("EVENT_RECOGNITIONSERVICE_ERROR")) {
+    mRecognition->DispatchError(
+      SpeechRecognition::EVENT_RECOGNITIONSERVICE_ERROR,
+      SpeechRecognitionErrorCode::Network, // TODO different codes?
+      NS_LITERAL_STRING("RECOGNITIONSERVICE_ERROR test event"));
+
+  } else if (eventName.EqualsLiteral("EVENT_RECOGNITIONSERVICE_FINAL_RESULT")) {
+    nsRefPtr<SpeechEvent> event = new SpeechEvent(
+      mRecognition, SpeechRecognition::EVENT_RECOGNITIONSERVICE_FINAL_RESULT);
+
+    event->mRecognitionResultList = BuildMockResultList();
+    NS_DispatchToMainThread(event);
+  }
+
+  return NS_OK;
+}
+
+SpeechRecognitionResultList*
+PocketSphinxSpeechRecognitionService::BuildMockResultList()
+{
+  SpeechRecognitionResultList* resultList =
+    new SpeechRecognitionResultList(mRecognition);
+  SpeechRecognitionResult* result = new SpeechRecognitionResult(mRecognition);
+  SpeechRecognitionAlternative* alternative =
+    new SpeechRecognitionAlternative(mRecognition);
+
+  alternative->mTranscript = NS_LITERAL_STRING("Mock final result");
+  alternative->mConfidence = 0.0f;
+
+  result->mItems.AppendElement(alternative);
+  resultList->mItems.AppendElement(result);
+
+  return resultList;
+}
+
+} // namespace mozilla
diff --git a/dom/media/webspeech/recognition/PocketSphinxSpeechRecognitionService.h b/dom/media/webspeech/recognition/PocketSphinxSpeechRecognitionService.h
new file mode 100644
index 000000000000..5b814b9a5578
--- /dev/null
+++ b/dom/media/webspeech/recognition/PocketSphinxSpeechRecognitionService.h
@@ -0,0 +1,85 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim:set ts=2 sw=2 sts=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_dom_PocketSphinxRecognitionService_h
+#define mozilla_dom_PocketSphinxRecognitionService_h
+
+#include "nsCOMPtr.h"
+#include "nsTArray.h"
+#include "nsIObserver.h"
+#include "nsISpeechRecognitionService.h"
+#include "speex/speex_resampler.h"
+
+extern "C" {
+#include <pocketsphinx/pocketsphinx.h>
+#include <sphinxbase/sphinx_config.h>
+}
+
+#define NS_POCKETSPHINX_SPEECH_RECOGNITION_SERVICE_CID                         \
+  {                                                                            \
+    0x0ff5ce56, 0x5b09, 0x4db8, {                                              \
+      0xad, 0xc6, 0x82, 0x66, 0xaf, 0x95, 0xf8, 0x64                           \
+    }                                                                          \
+  };
+
+namespace mozilla {
+
+/**
+ * Pocketsphix implementation of the nsISpeechRecognitionService interface
+ */
+class PocketSphinxSpeechRecognitionService : public nsISpeechRecognitionService,
+                                             public nsIObserver
+{
+public:
+  // Add XPCOM glue code
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSISPEECHRECOGNITIONSERVICE
+
+  // Add nsIObserver code
+  NS_DECL_NSIOBSERVER
+
+  /**
+   * Default constructs a PocketSphinxSpeechRecognitionService loading default
+   * files
+   */
+  PocketSphinxSpeechRecognitionService();
+
+private:
+  /**
+   * Private destructor to prevent bypassing of reference counting
+   */
+  virtual ~PocketSphinxSpeechRecognitionService();
+
+  /** The associated SpeechRecognition */
+  WeakPtr<dom::SpeechRecognition> mRecognition;
+
+  /**
+   * Builds a mock SpeechRecognitionResultList
+   */
+  dom::SpeechRecognitionResultList* BuildMockResultList();
+
+  /** Speex state */
+  SpeexResamplerState* mSpeexState;
+
+  /** Pocksphix decoder */
+  ps_decoder_t* mPSHandle;
+
+  /** Sphinxbase parsed command line arguments */
+  cmd_ln_t* mPSConfig;
+
+  /** Flag to verify if decoder was created */
+  bool ISDecoderCreated;
+
+  /** Flag to verify if grammar was compiled */
+  bool ISGrammarCompiled;
+
+  /** Audio data */
+  nsTArray<int16_t> mAudioVector;
+};
+
+} // namespace mozilla
+
+#endif
diff --git a/dom/media/webspeech/recognition/SpeechGrammar.cpp b/dom/media/webspeech/recognition/SpeechGrammar.cpp
index a195e34a1485..dd2fb1a987e6 100644
--- a/dom/media/webspeech/recognition/SpeechGrammar.cpp
+++ b/dom/media/webspeech/recognition/SpeechGrammar.cpp
@@ -53,14 +53,14 @@ SpeechGrammar::WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto)
 void
 SpeechGrammar::GetSrc(nsString& aRetVal, ErrorResult& aRv) const
 {
-  aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
+  aRetVal = mSrc;
   return;
 }
 
 void
 SpeechGrammar::SetSrc(const nsAString& aArg, ErrorResult& aRv)
 {
-  aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
+  mSrc = aArg;
   return;
 }
 
diff --git a/dom/media/webspeech/recognition/SpeechGrammar.h b/dom/media/webspeech/recognition/SpeechGrammar.h
index 70453e513f79..5acc41410e5f 100644
--- a/dom/media/webspeech/recognition/SpeechGrammar.h
+++ b/dom/media/webspeech/recognition/SpeechGrammar.h
@@ -49,6 +49,8 @@ private:
   ~SpeechGrammar();
 
   nsCOMPtr<nsISupports> mParent;
+
+  nsString mSrc;
 };
 
 } // namespace dom
diff --git a/dom/media/webspeech/recognition/SpeechGrammarList.cpp b/dom/media/webspeech/recognition/SpeechGrammarList.cpp
index 490a1378e729..09657018348c 100644
--- a/dom/media/webspeech/recognition/SpeechGrammarList.cpp
+++ b/dom/media/webspeech/recognition/SpeechGrammarList.cpp
@@ -15,7 +15,7 @@
 namespace mozilla {
 namespace dom {
 
-NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(SpeechGrammarList, mParent)
+NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(SpeechGrammarList, mParent, mItems)
 NS_IMPL_CYCLE_COLLECTING_ADDREF(SpeechGrammarList)
 NS_IMPL_CYCLE_COLLECTING_RELEASE(SpeechGrammarList)
 NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(SpeechGrammarList)
@@ -64,14 +64,14 @@ SpeechGrammarList::GetParentObject() const
 uint32_t
 SpeechGrammarList::Length() const
 {
-  return 0;
+  return mItems.Length();
 }
 
 already_AddRefed<SpeechGrammar>
 SpeechGrammarList::Item(uint32_t aIndex, ErrorResult& aRv)
 {
-  aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
-  return nullptr;
+  nsRefPtr<SpeechGrammar> result = mItems.ElementAt(aIndex);
+  return result.forget();
 }
 
 void
@@ -88,7 +88,10 @@ SpeechGrammarList::AddFromString(const nsAString& aString,
                                  const Optional<float>& aWeight,
                                  ErrorResult& aRv)
 {
-  mRecognitionService->ValidateAndSetGrammarList(this, nullptr);
+  SpeechGrammar* speechGrammar = new SpeechGrammar(mParent);
+  speechGrammar->SetSrc(aString, aRv);
+  mItems.AppendElement(speechGrammar);
+  mRecognitionService->ValidateAndSetGrammarList(speechGrammar, nullptr);
   return;
 }
 
@@ -96,8 +99,13 @@ already_AddRefed<SpeechGrammar>
 SpeechGrammarList::IndexedGetter(uint32_t aIndex, bool& aPresent,
                                  ErrorResult& aRv)
 {
-  aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
-  return nullptr;
+  if (aIndex >= Length()) {
+    aPresent = false;
+    return nullptr;
+  }
+  ErrorResult rv;
+  aPresent = true;
+  return Item(aIndex, rv);
 }
 } // namespace dom
 } // namespace mozilla
diff --git a/dom/media/webspeech/recognition/SpeechGrammarList.h b/dom/media/webspeech/recognition/SpeechGrammarList.h
index a821ab9817d2..018913c2396c 100644
--- a/dom/media/webspeech/recognition/SpeechGrammarList.h
+++ b/dom/media/webspeech/recognition/SpeechGrammarList.h
@@ -56,6 +56,8 @@ private:
   ~SpeechGrammarList();
 
   nsCOMPtr<nsISupports> mParent;
+
+  nsTArray<nsRefPtr<SpeechGrammar>> mItems;
 };
 
 } // namespace dom
diff --git a/dom/media/webspeech/recognition/SpeechRecognition.cpp b/dom/media/webspeech/recognition/SpeechRecognition.cpp
index 2001e2e9ae91..002612aedc88 100644
--- a/dom/media/webspeech/recognition/SpeechRecognition.cpp
+++ b/dom/media/webspeech/recognition/SpeechRecognition.cpp
@@ -34,7 +34,7 @@ namespace mozilla {
 namespace dom {
 
 #define PREFERENCE_DEFAULT_RECOGNITION_SERVICE "media.webspeech.service.default"
-#define DEFAULT_RECOGNITION_SERVICE "google"
+#define DEFAULT_RECOGNITION_SERVICE "pocketsphinx"
 
 #define PREFERENCE_ENDPOINTER_SILENCE_LENGTH "media.webspeech.silence_length"
 #define PREFERENCE_ENDPOINTER_LONG_SILENCE_LENGTH "media.webspeech.long_silence_length"
@@ -84,9 +84,9 @@ GetSpeechRecognitionService()
       NS_SPEECH_RECOGNITION_SERVICE_CONTRACTID_PREFIX "fake";
   }
 
-  nsresult aRv;
+  nsresult rv;
   nsCOMPtr<nsISpeechRecognitionService> recognitionService;
-  recognitionService = do_GetService(speechRecognitionServiceCID.get(), &aRv);
+  recognitionService = do_GetService(speechRecognitionServiceCID.get(), &rv);
   return recognitionService.forget();
 }
 
@@ -472,12 +472,12 @@ SpeechRecognition::NotifyFinalResult(SpeechEvent* aEvent)
 {
   ResetAndEnd();
 
-  SpeechRecognitionEventInit init;
+  RootedDictionary<SpeechRecognitionEventInit> init(nsContentUtils::RootingCx());
   init.mBubbles = true;
   init.mCancelable = false;
   // init.mResultIndex = 0;
   init.mResults = aEvent->mRecognitionResultList;
-  init.mInterpretation = NS_LITERAL_STRING("NOT_IMPLEMENTED");
+  init.mInterpretation = JS::NullValue();
   // init.mEmma = nullptr;
 
   nsRefPtr<SpeechRecognitionEvent> event =
@@ -535,7 +535,9 @@ SpeechRecognition::StartRecording(DOMMediaStream* aDOMStream)
   // doesn't get Destroy()'ed
   mDOMStream = aDOMStream;
 
-  NS_ENSURE_STATE(mDOMStream->GetStream());
+  if (NS_WARN_IF(!mDOMStream->GetStream())) {
+    return NS_ERROR_UNEXPECTED;
+  }
   mSpeechListener = new SpeechStreamListener(this);
   mDOMStream->GetStream()->AddListener(mSpeechListener);
 
@@ -698,11 +700,15 @@ SpeechRecognition::Start(const Optional<NonNull<DOMMediaStream>>& aStream, Error
   }
 
   mRecognitionService = GetSpeechRecognitionService();
-  NS_ENSURE_TRUE_VOID(mRecognitionService);
+  if (NS_WARN_IF(!mRecognitionService)) {
+    return;
+  }
 
   nsresult rv;
   rv = mRecognitionService->Initialize(this);
-  NS_ENSURE_SUCCESS_VOID(rv);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return;
+  }
 
   MediaStreamConstraints constraints;
   constraints.mAudio.SetAsBoolean() = true;
@@ -957,7 +963,7 @@ SpeechRecognition::GetUserMediaErrorCallback::OnError(nsISupports* aError)
   }
   SpeechRecognitionErrorCode errorCode;
 
-  nsString name;
+  nsAutoString name;
   error->GetName(name);
   if (name.EqualsLiteral("PERMISSION_DENIED")) {
     errorCode = SpeechRecognitionErrorCode::Not_allowed;
@@ -965,7 +971,7 @@ SpeechRecognition::GetUserMediaErrorCallback::OnError(nsISupports* aError)
     errorCode = SpeechRecognitionErrorCode::Audio_capture;
   }
 
-  nsString message;
+  nsAutoString message;
   error->GetMessage(message);
   mRecognition->DispatchError(SpeechRecognition::EVENT_AUDIO_ERROR, errorCode,
                               message);
diff --git a/dom/media/webspeech/recognition/SpeechRecognitionAlternative.cpp b/dom/media/webspeech/recognition/SpeechRecognitionAlternative.cpp
index 9d19774fb4fd..0609c19ef788 100644
--- a/dom/media/webspeech/recognition/SpeechRecognitionAlternative.cpp
+++ b/dom/media/webspeech/recognition/SpeechRecognitionAlternative.cpp
@@ -22,8 +22,7 @@ NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(SpeechRecognitionAlternative)
 NS_INTERFACE_MAP_END
 
 SpeechRecognitionAlternative::SpeechRecognitionAlternative(SpeechRecognition* aParent)
-  : mTranscript(NS_LITERAL_STRING(""))
-  , mConfidence(0)
+  : mConfidence(0)
   , mParent(aParent)
 {
 }
diff --git a/dom/media/webspeech/recognition/SpeechRecognitionResult.cpp b/dom/media/webspeech/recognition/SpeechRecognitionResult.cpp
index 215978d218ec..00bcec4396ee 100644
--- a/dom/media/webspeech/recognition/SpeechRecognitionResult.cpp
+++ b/dom/media/webspeech/recognition/SpeechRecognitionResult.cpp
@@ -67,7 +67,7 @@ SpeechRecognitionResult::Item(uint32_t aIndex)
 }
 
 bool
-SpeechRecognitionResult::Final() const
+SpeechRecognitionResult::IsFinal() const
 {
   return true; // TODO
 }
diff --git a/dom/media/webspeech/recognition/SpeechRecognitionResult.h b/dom/media/webspeech/recognition/SpeechRecognitionResult.h
index cf1545721b2b..2a0b5641818f 100644
--- a/dom/media/webspeech/recognition/SpeechRecognitionResult.h
+++ b/dom/media/webspeech/recognition/SpeechRecognitionResult.h
@@ -38,11 +38,11 @@ public:
 
   already_AddRefed<SpeechRecognitionAlternative> Item(uint32_t aIndex);
 
-  bool Final() const;
+  bool IsFinal() const;
 
   already_AddRefed<SpeechRecognitionAlternative> IndexedGetter(uint32_t aIndex, bool& aPresent);
 
-  nsTArray<nsRefPtr<SpeechRecognitionAlternative> > mItems;
+  nsTArray<nsRefPtr<SpeechRecognitionAlternative>> mItems;
 
 private:
   ~SpeechRecognitionResult();
diff --git a/dom/media/webspeech/recognition/SpeechRecognitionResultList.h b/dom/media/webspeech/recognition/SpeechRecognitionResultList.h
index 861974956ca7..2c43af3ffafd 100644
--- a/dom/media/webspeech/recognition/SpeechRecognitionResultList.h
+++ b/dom/media/webspeech/recognition/SpeechRecognitionResultList.h
@@ -41,7 +41,7 @@ public:
 
   already_AddRefed<SpeechRecognitionResult> IndexedGetter(uint32_t aIndex, bool& aPresent);
 
-  nsTArray<nsRefPtr<SpeechRecognitionResult> > mItems;
+  nsTArray<nsRefPtr<SpeechRecognitionResult>> mItems;
 private:
   ~SpeechRecognitionResultList();
 
diff --git a/dom/media/webspeech/recognition/moz.build b/dom/media/webspeech/recognition/moz.build
index 14cb3752431c..8002a2ffabec 100644
--- a/dom/media/webspeech/recognition/moz.build
+++ b/dom/media/webspeech/recognition/moz.build
@@ -26,6 +26,11 @@ if CONFIG['MOZ_WEBSPEECH_TEST_BACKEND']:
         'test/FakeSpeechRecognitionService.h',
     ]
 
+if CONFIG['MOZ_WEBSPEECH_POCKETSPHINX']:
+    EXPORTS.mozilla.dom += [
+        'PocketSphinxSpeechRecognitionService.h',
+    ]
+
 UNIFIED_SOURCES += [
     'endpointer.cc',
     'energy_endpointer.cc',
@@ -44,10 +49,21 @@ if CONFIG['MOZ_WEBSPEECH_TEST_BACKEND']:
         'test/FakeSpeechRecognitionService.cpp',
     ]
 
+if CONFIG['MOZ_WEBSPEECH_POCKETSPHINX']:
+    UNIFIED_SOURCES += [
+        'PocketSphinxSpeechRecognitionService.cpp',
+    ]
+
 LOCAL_INCLUDES += [
     '/dom/base',
+    '/media/sphinxbase',
 ]
 
+if CONFIG['MOZ_WEBSPEECH_POCKETSPHINX']:
+    LOCAL_INCLUDES += [
+        '/media/pocketsphinx',
+    ]
+
 include('/ipc/chromium/chromium-config.mozbuild')
 
 FINAL_LIBRARY = 'xul'
diff --git a/dom/media/webspeech/recognition/nsISpeechRecognitionService.idl b/dom/media/webspeech/recognition/nsISpeechRecognitionService.idl
index 7bd3b6173b1d..a43d277da03b 100644
--- a/dom/media/webspeech/recognition/nsISpeechRecognitionService.idl
+++ b/dom/media/webspeech/recognition/nsISpeechRecognitionService.idl
@@ -21,19 +21,19 @@ class SpeechGrammar;
 
 native SpeechRecognitionWeakPtr(mozilla::WeakPtr<mozilla::dom::SpeechRecognition>);
 [ptr] native AudioSegmentPtr(mozilla::AudioSegment);
-[ptr] native SpeechGrammarListPtr(mozilla::dom::SpeechGrammarList);
 [ptr] native SpeechGrammarPtr(mozilla::dom::SpeechGrammar);
+[ptr] native SpeechGrammarListPtr(mozilla::dom::SpeechGrammarList);
 
-[uuid(374583f0-4507-11e4-a183-164230d1df67)]
+[uuid(6fcb6ee8-a6db-49ba-9f06-355d7ee18ea7)]
 interface nsISpeechGrammarCompilationCallback : nsISupports {
     void grammarCompilationEnd(in SpeechGrammarPtr grammarObject, in boolean success);
 };
 
-[uuid(857f3fa2-a980-4d3e-a959-a2f53af74232)]
+[uuid(8e97f287-f322-44e8-8888-8344fa408ef8)]
 interface nsISpeechRecognitionService : nsISupports {
     void initialize(in SpeechRecognitionWeakPtr aSpeechRecognition);
     void processAudioSegment(in AudioSegmentPtr aAudioSegment, in long aSampleRate);
-    void validateAndSetGrammarList(in SpeechGrammarListPtr aSpeechGramarList, in nsISpeechGrammarCompilationCallback aCallback);
+    void validateAndSetGrammarList(in SpeechGrammarPtr aSpeechGrammar, in nsISpeechGrammarCompilationCallback aCallback);
     void soundEnd();
     void abort();
 };
diff --git a/dom/media/webspeech/recognition/test/FakeSpeechRecognitionService.cpp b/dom/media/webspeech/recognition/test/FakeSpeechRecognitionService.cpp
index 58a0ac3e2987..ff36134aa81c 100644
--- a/dom/media/webspeech/recognition/test/FakeSpeechRecognitionService.cpp
+++ b/dom/media/webspeech/recognition/test/FakeSpeechRecognitionService.cpp
@@ -52,7 +52,7 @@ FakeSpeechRecognitionService::SoundEnd()
 }
 
 NS_IMETHODIMP
-FakeSpeechRecognitionService::ValidateAndSetGrammarList(mozilla::dom::SpeechGrammarList*, nsISpeechGrammarCompilationCallback*)
+FakeSpeechRecognitionService::ValidateAndSetGrammarList(mozilla::dom::SpeechGrammar*, nsISpeechGrammarCompilationCallback*)
 {
   return NS_OK;
 }
diff --git a/dom/media/webspeech/recognition/test/head.js b/dom/media/webspeech/recognition/test/head.js
index 85478c99eb50..8ff7d1569e38 100644
--- a/dom/media/webspeech/recognition/test/head.js
+++ b/dom/media/webspeech/recognition/test/head.js
@@ -38,7 +38,7 @@ function EventManager(sr) {
 
   var eventDependencies = {
     "speechend": "speechstart",
-    "soundent": "soundstart",
+    "soundend": "soundstart",
     "audioend": "audiostart"
   };
 
diff --git a/dom/nfc/gonk/NfcService.cpp b/dom/nfc/gonk/NfcService.cpp
index 706594c1c57b..68c69508b7d0 100644
--- a/dom/nfc/gonk/NfcService.cpp
+++ b/dom/nfc/gonk/NfcService.cpp
@@ -161,14 +161,15 @@ public:
       int length = mEvent.mTechList.Length();
       event.mTechList.Construct();
 
-      if (!event.mTechList.Value().SetCapacity(length)) {
+      if (!event.mTechList.Value().SetCapacity(length, fallible)) {
         return NS_ERROR_FAILURE;
       }
 
       for (int i = 0; i < length; i++) {
         NFCTechType tech = static_cast<NFCTechType>(mEvent.mTechList[i]);
         MOZ_ASSERT(tech < NFCTechType::EndGuard_);
-        *event.mTechList.Value().AppendElement() = tech;
+        // FIXME: Make this infallible after bug 968520 is done.
+        *event.mTechList.Value().AppendElement(fallible) = tech;
       }
     }
 
@@ -180,13 +181,15 @@ public:
     if (mEvent.mRecords.Length() > 0) {
       int length = mEvent.mRecords.Length();
       event.mRecords.Construct();
-      if (!event.mRecords.Value().SetCapacity(length)) {
+      if (!event.mRecords.Value().SetCapacity(length, fallible)) {
         return NS_ERROR_FAILURE;
       }
 
       for (int i = 0; i < length; i++) {
         NDEFRecordStruct& recordStruct = mEvent.mRecords[i];
-        MozNDEFRecordOptions& record = *event.mRecords.Value().AppendElement();
+        // FIXME: Make this infallible after bug 968520 is done.
+        MozNDEFRecordOptions& record =
+          *event.mRecords.Value().AppendElement(fallible);
 
         record.mTnf = recordStruct.mTnf;
         MOZ_ASSERT(record.mTnf < TNF::EndGuard_);
diff --git a/dom/plugins/ipc/PluginBridge.h b/dom/plugins/ipc/PluginBridge.h
index 761e379f139a..9d1075515d19 100644
--- a/dom/plugins/ipc/PluginBridge.h
+++ b/dom/plugins/ipc/PluginBridge.h
@@ -25,7 +25,7 @@ FindPluginsForContent(uint32_t aPluginEpoch,
                       uint32_t* aNewPluginEpoch);
 
 void
-TerminatePlugin(uint32_t aPluginId);
+TerminatePlugin(uint32_t aPluginId, const nsString& aBrowserDumpId);
 
 } // namespace plugins
 } // namespace mozilla
diff --git a/dom/plugins/ipc/PluginHangUIParent.cpp b/dom/plugins/ipc/PluginHangUIParent.cpp
index 5376e71f6070..ae922d054848 100644
--- a/dom/plugins/ipc/PluginHangUIParent.cpp
+++ b/dom/plugins/ipc/PluginHangUIParent.cpp
@@ -353,7 +353,8 @@ PluginHangUIParent::RecvUserResponse(const unsigned int& aResponse)
   int responseCode;
   if (aResponse & HANGUI_USER_RESPONSE_STOP) {
     // User clicked Stop
-    mModule->TerminateChildProcess(mMainThreadMessageLoop);
+    nsString dummy;
+    mModule->TerminateChildProcess(mMainThreadMessageLoop, &dummy);
     responseCode = 1;
   } else if(aResponse & HANGUI_USER_RESPONSE_CONTINUE) {
     mModule->OnHangUIContinue();
diff --git a/dom/plugins/ipc/PluginInstanceChild.cpp b/dom/plugins/ipc/PluginInstanceChild.cpp
index 38cd1264e93b..36bf4c048c7f 100644
--- a/dom/plugins/ipc/PluginInstanceChild.cpp
+++ b/dom/plugins/ipc/PluginInstanceChild.cpp
@@ -1768,7 +1768,7 @@ PluginInstanceChild::SetCaptureHook(HWND aHwnd)
     wchar_t className[256] = {0};
     int numChars = GetClassNameW(aHwnd, className, ArrayLength(className));
     NS_NAMED_LITERAL_STRING(unityClassName, "Unity.WebPlayer");
-    if (numChars == unityClassName.Length() && unityClassName == className) {
+    if (numChars == unityClassName.Length() && unityClassName == wwc(className)) {
         sSetCaptureHookData = new SetCaptureHookData(aHwnd);
     }
     return sUser32SetCaptureHookStub(aHwnd);
diff --git a/dom/plugins/ipc/PluginModuleParent.cpp b/dom/plugins/ipc/PluginModuleParent.cpp
index 191f0ce08375..5eacd9e09126 100755
--- a/dom/plugins/ipc/PluginModuleParent.cpp
+++ b/dom/plugins/ipc/PluginModuleParent.cpp
@@ -344,7 +344,7 @@ bool PluginModuleMapping::sIsLoadModuleOnStack = false;
 } // anonymous namespace
 
 void
-mozilla::plugins::TerminatePlugin(uint32_t aPluginId)
+mozilla::plugins::TerminatePlugin(uint32_t aPluginId, const nsString& aBrowserDumpId)
 {
     MOZ_ASSERT(XRE_GetProcessType() == GeckoProcessType_Default);
 
@@ -353,10 +353,10 @@ mozilla::plugins::TerminatePlugin(uint32_t aPluginId)
     if (!pluginTag || !pluginTag->mPlugin) {
         return;
     }
-
+    nsAutoString dumpId(aBrowserDumpId);
     nsRefPtr<nsNPAPIPlugin> plugin = pluginTag->mPlugin;
     PluginModuleChromeParent* chromeParent = static_cast<PluginModuleChromeParent*>(plugin->GetLibrary());
-    chromeParent->TerminateChildProcess(MessageLoop::current());
+    chromeParent->TerminateChildProcess(MessageLoop::current(), &dumpId);
 }
 
 /* static */ PluginLibrary*
@@ -1148,7 +1148,8 @@ PluginModuleChromeParent::ShouldContinueFromReplyTimeout()
     // original plugin hang behaviour and kill the plugin container.
     FinishHangUI();
 #endif // XP_WIN
-    TerminateChildProcess(MessageLoop::current());
+    nsString dummy;
+    TerminateChildProcess(MessageLoop::current(), &dummy);
     GetIPCChannel()->CloseWithTimeout();
     return false;
 }
@@ -1171,7 +1172,8 @@ PluginModuleContentParent::OnExitedSyncSend()
 }
 
 void
-PluginModuleChromeParent::TerminateChildProcess(MessageLoop* aMsgLoop)
+PluginModuleChromeParent::TerminateChildProcess(MessageLoop* aMsgLoop,
+                                                nsAString* aBrowserDumpId)
 {
 #ifdef MOZ_CRASHREPORTER
 #ifdef XP_WIN
@@ -1198,8 +1200,39 @@ PluginModuleChromeParent::TerminateChildProcess(MessageLoop* aMsgLoop)
         }
     }
 #endif // XP_WIN
-    // Generate base report, includes plugin and browser process minidumps.
-    if (crashReporter->GeneratePairedMinidump(this)) {
+
+    bool reportsReady = false;
+
+    // Check to see if we already have a browser dump id - with e10s plugin
+    // hangs we take this earlier (see ProcessHangMonitor) from a background
+    // thread. We do this before we message the main thread about the hang
+    // since the posted message will trash our browser stack state.
+    bool exists;
+    nsCOMPtr<nsIFile> browserDumpFile;
+    if (aBrowserDumpId && !aBrowserDumpId->IsEmpty() &&
+        CrashReporter::GetMinidumpForID(*aBrowserDumpId, getter_AddRefs(browserDumpFile)) &&
+        browserDumpFile &&
+        NS_SUCCEEDED(browserDumpFile->Exists(&exists)) && exists)
+    {
+        // We have a single browser report, generate a new plugin process parent
+        // report and pair it up with the browser report handed in.
+        reportsReady = crashReporter->GenerateMinidumpAndPair(this, browserDumpFile,
+                                                              NS_LITERAL_CSTRING("browser"));
+        if (!reportsReady) {
+          browserDumpFile = nullptr;
+          CrashReporter::DeleteMinidumpFilesForID(*aBrowserDumpId);
+        }
+    }
+
+    // Generate crash report including plugin and browser process minidumps.
+    // The plugin process is the parent report with additional dumps including
+    // the browser process, content process when running under e10s, and
+    // various flash subprocesses if we're the flash module.
+    if (!reportsReady) {
+        reportsReady = crashReporter->GeneratePairedMinidump(this);
+    }
+
+    if (reportsReady) {
         mPluginDumpID = crashReporter->ChildDumpID();
         PLUGIN_LOG_DEBUG(
                 ("generated paired browser/plugin minidumps: %s)",
diff --git a/dom/plugins/ipc/PluginModuleParent.h b/dom/plugins/ipc/PluginModuleParent.h
index 2a5d86192923..578ffd641fa6 100644
--- a/dom/plugins/ipc/PluginModuleParent.h
+++ b/dom/plugins/ipc/PluginModuleParent.h
@@ -369,7 +369,19 @@ class PluginModuleChromeParent
 
     virtual ~PluginModuleChromeParent();
 
-    void TerminateChildProcess(MessageLoop* aMsgLoop);
+    /*
+     * Terminates the plugin process associated with this plugin module. Also
+     * generates appropriate crash reports. Takes ownership of the file
+     * associated with aBrowserDumpId on success.
+     *
+     * @param aMsgLoop the main message pump associated with the module
+     *   protocol.
+     * @param aBrowserDumpId (optional) previously taken browser dump id. If
+     *   provided TerminateChildProcess will use this browser dump file in
+     *   generating a multi-process crash report. If not provided a browser
+     *   dump will be taken at the time of this call.
+     */
+    void TerminateChildProcess(MessageLoop* aMsgLoop, nsAString* aBrowserDumpId);
 
 #ifdef XP_WIN
     /**
diff --git a/dom/system/gonk/NetworkUtils.cpp b/dom/system/gonk/NetworkUtils.cpp
index a59942244024..f7e50c65e4a3 100644
--- a/dom/system/gonk/NetworkUtils.cpp
+++ b/dom/system/gonk/NetworkUtils.cpp
@@ -15,6 +15,8 @@
 
 #include "NetworkUtils.h"
 
+#include "prprf.h"
+
 #include <android/log.h>
 #include <cutils/properties.h>
 #include <limits>
@@ -354,11 +356,11 @@ static void join(nsTArray<nsCString>& array,
 static void getIFProperties(const char* ifname, IFProperties& prop)
 {
   char key[PROPERTY_KEY_MAX];
-  snprintf(key, PROPERTY_KEY_MAX - 1, "net.%s.gw", ifname);
+  PR_snprintf(key, PROPERTY_KEY_MAX - 1, "net.%s.gw", ifname);
   property_get(key, prop.gateway, "");
-  snprintf(key, PROPERTY_KEY_MAX - 1, "net.%s.dns1", ifname);
+  PR_snprintf(key, PROPERTY_KEY_MAX - 1, "net.%s.dns1", ifname);
   property_get(key, prop.dns1, "");
-  snprintf(key, PROPERTY_KEY_MAX - 1, "net.%s.dns2", ifname);
+  PR_snprintf(key, PROPERTY_KEY_MAX - 1, "net.%s.dns2", ifname);
   property_get(key, prop.dns2, "");
 }
 
@@ -479,7 +481,7 @@ void NetworkUtils::nextNetdCommand()
 
   gCurrentCommand.chain = GET_CURRENT_CHAIN;
   gCurrentCommand.callback = GET_CURRENT_CALLBACK;
-  snprintf(gCurrentCommand.command, MAX_COMMAND_SIZE - 1, "%s", GET_CURRENT_COMMAND);
+  PR_snprintf(gCurrentCommand.command, MAX_COMMAND_SIZE - 1, "%s", GET_CURRENT_COMMAND);
 
   NU_DBG("Sending \'%s\' command to netd.", gCurrentCommand.command);
   SendNetdCommand(GET_CURRENT_NETD_COMMAND);
@@ -504,9 +506,9 @@ void NetworkUtils::doCommand(const char* aCommand, CommandChain* aChain, Command
 
   // Android JB version adds sequence number to netd command.
   if (SDK_VERSION >= 16) {
-    snprintf((char*)netdCommand->mData, MAX_COMMAND_SIZE - 1, "0 %s", aCommand);
+    PR_snprintf((char*)netdCommand->mData, MAX_COMMAND_SIZE - 1, "0 %s", aCommand);
   } else {
-    snprintf((char*)netdCommand->mData, MAX_COMMAND_SIZE - 1, "%s", aCommand);
+    PR_snprintf((char*)netdCommand->mData, MAX_COMMAND_SIZE - 1, "%s", aCommand);
   }
   netdCommand->mSize = strlen((char*)netdCommand->mData) + 1;
 
@@ -526,7 +528,7 @@ void NetworkUtils::wifiFirmwareReload(CommandChain* aChain,
                                       NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "softap fwreload %s %s", GET_CHAR(mIfname), GET_CHAR(mMode));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "softap fwreload %s %s", GET_CHAR(mIfname), GET_CHAR(mMode));
 
   doCommand(command, aChain, aCallback);
 }
@@ -544,7 +546,7 @@ void NetworkUtils::startAccessPointDriver(CommandChain* aChain,
   }
 
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "softap start %s", GET_CHAR(mIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "softap start %s", GET_CHAR(mIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -562,7 +564,7 @@ void NetworkUtils::stopAccessPointDriver(CommandChain* aChain,
   }
 
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "softap stop %s", GET_CHAR(mIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "softap stop %s", GET_CHAR(mIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -606,19 +608,19 @@ void NetworkUtils::setAccessPoint(CommandChain* aChain,
   escapeQuote(key);
 
   if (SDK_VERSION >= 19) {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "softap set %s \"%s\" broadcast 6 %s \"%s\"",
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "softap set %s \"%s\" broadcast 6 %s \"%s\"",
                      GET_CHAR(mIfname),
                      ssid.get(),
                      GET_CHAR(mSecurity),
                      key.get());
   } else if (SDK_VERSION >= 16) {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "softap set %s \"%s\" %s \"%s\"",
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "softap set %s \"%s\" %s \"%s\"",
                      GET_CHAR(mIfname),
                      ssid.get(),
                      GET_CHAR(mSecurity),
                      key.get());
   } else {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "softap set %s %s \"%s\" %s \"%s\" 6 0 8",
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "softap set %s %s \"%s\" %s \"%s\" 6 0 8",
                      GET_CHAR(mIfname),
                      GET_CHAR(mWifictrlinterfacename),
                      ssid.get(),
@@ -634,7 +636,7 @@ void NetworkUtils::cleanUpStream(CommandChain* aChain,
                                  NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "nat disable %s %s 0", GET_CHAR(mPreInternalIfname), GET_CHAR(mPreExternalIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "nat disable %s %s 0", GET_CHAR(mPreInternalIfname), GET_CHAR(mPreExternalIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -644,7 +646,7 @@ void NetworkUtils::createUpStream(CommandChain* aChain,
                                   NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "nat enable %s %s 0", GET_CHAR(mCurInternalIfname), GET_CHAR(mCurExternalIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "nat enable %s %s 0", GET_CHAR(mCurInternalIfname), GET_CHAR(mCurExternalIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -695,7 +697,7 @@ void NetworkUtils::setQuota(CommandChain* aChain,
                             NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "bandwidth setiquota %s %lld", GET_CHAR(mIfname), LLONG_MAX);
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "bandwidth setiquota %s %lld", GET_CHAR(mIfname), LLONG_MAX);
 
   doCommand(command, aChain, aCallback);
 }
@@ -705,7 +707,7 @@ void NetworkUtils::removeQuota(CommandChain* aChain,
                                NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "bandwidth removeiquota %s", GET_CHAR(mIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "bandwidth removeiquota %s", GET_CHAR(mIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -715,7 +717,7 @@ void NetworkUtils::setAlarm(CommandChain* aChain,
                             NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "bandwidth setinterfacealert %s %ld", GET_CHAR(mIfname), GET_FIELD(mThreshold));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "bandwidth setinterfacealert %s %ld", GET_CHAR(mIfname), GET_FIELD(mThreshold));
 
   doCommand(command, aChain, aCallback);
 }
@@ -726,13 +728,13 @@ void NetworkUtils::setInterfaceUp(CommandChain* aChain,
 {
   char command[MAX_COMMAND_SIZE];
   if (SDK_VERSION >= 16) {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "interface setcfg %s %s %s %s",
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "interface setcfg %s %s %s %s",
                      GET_CHAR(mIfname),
                      GET_CHAR(mIp),
                      GET_CHAR(mPrefix),
                      GET_CHAR(mLink));
   } else {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "interface setcfg %s %s %s [%s]",
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "interface setcfg %s %s %s [%s]",
                      GET_CHAR(mIfname),
                      GET_CHAR(mIp),
                      GET_CHAR(mPrefix),
@@ -746,7 +748,7 @@ void NetworkUtils::tetherInterface(CommandChain* aChain,
                                    NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface add %s", GET_CHAR(mIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface add %s", GET_CHAR(mIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -764,8 +766,8 @@ void NetworkUtils::addInterfaceToLocalNetwork(CommandChain* aChain,
   }
 
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "network interface add local %s",
-           GET_CHAR(mInternalIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "network interface add local %s",
+              GET_CHAR(mInternalIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -787,8 +789,8 @@ void NetworkUtils::addRouteToLocalNetwork(CommandChain* aChain,
   uint32_t ip = inet_addr(GET_CHAR(mIp));
   char* networkAddr = getNetworkAddr(ip, prefix);
 
-  snprintf(command, MAX_COMMAND_SIZE - 1, "network route add local %s %s/%s",
-           GET_CHAR(mInternalIfname), networkAddr, GET_CHAR(mPrefix));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "network route add local %s %s/%s",
+              GET_CHAR(mInternalIfname), networkAddr, GET_CHAR(mPrefix));
 
   doCommand(command, aChain, aCallback);
 }
@@ -799,9 +801,9 @@ void NetworkUtils::preTetherInterfaceList(CommandChain* aChain,
 {
   char command[MAX_COMMAND_SIZE];
   if (SDK_VERSION >= 16) {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface list");
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface list");
   } else {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface list 0");
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface list 0");
   }
 
   doCommand(command, aChain, aCallback);
@@ -813,7 +815,7 @@ void NetworkUtils::postTetherInterfaceList(CommandChain* aChain,
 {
   // Send the dummy command to continue the function chain.
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "%s", DUMMY_COMMAND);
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "%s", DUMMY_COMMAND);
 
   char buf[BUF_SIZE];
   NS_ConvertUTF16toUTF8 reason(aResult.mResultReason);
@@ -871,8 +873,8 @@ void NetworkUtils::addUpstreamInterface(CommandChain* aChain,
   }
 
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface add_upstream %s",
-           interface.get());
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface add_upstream %s",
+              interface.get());
   doCommand(command, aChain, aCallback);
 }
 
@@ -891,8 +893,8 @@ void NetworkUtils::removeUpstreamInterface(CommandChain* aChain,
   }
 
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface remove_upstream %s",
-           interface.get());
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface remove_upstream %s",
+              interface.get());
   doCommand(command, aChain, aCallback);
 }
 
@@ -903,14 +905,14 @@ void NetworkUtils::setIpForwardingEnabled(CommandChain* aChain,
   char command[MAX_COMMAND_SIZE];
 
   if (GET_FIELD(mEnable)) {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "ipfwd enable");
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "ipfwd enable");
   } else {
     // Don't disable ip forwarding because others interface still need it.
     // Send the dummy command to continue the function chain.
     if (GET_FIELD(mInterfaceList).Length() > 1) {
-      snprintf(command, MAX_COMMAND_SIZE - 1, "%s", DUMMY_COMMAND);
+      PR_snprintf(command, MAX_COMMAND_SIZE - 1, "%s", DUMMY_COMMAND);
     } else {
-      snprintf(command, MAX_COMMAND_SIZE - 1, "ipfwd disable");
+      PR_snprintf(command, MAX_COMMAND_SIZE - 1, "ipfwd disable");
     }
   }
 
@@ -934,9 +936,9 @@ void NetworkUtils::stopTethering(CommandChain* aChain,
   // Don't stop tethering because others interface still need it.
   // Send the dummy to continue the function chain.
   if (GET_FIELD(mInterfaceList).Length() > 1) {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "%s", DUMMY_COMMAND);
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "%s", DUMMY_COMMAND);
   } else {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "tether stop");
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether stop");
   }
 
   doCommand(command, aChain, aCallback);
@@ -951,18 +953,18 @@ void NetworkUtils::startTethering(CommandChain* aChain,
   // We don't need to start tethering again.
   // Send the dummy command to continue the function chain.
   if (aResult.mResultReason.Find("started") != kNotFound) {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "%s", DUMMY_COMMAND);
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "%s", DUMMY_COMMAND);
   } else {
     // If usbStartIp/usbEndIp is not valid, don't append them since
     // the trailing white spaces will be parsed to extra empty args
     // See: http://androidxref.com/4.3_r2.1/xref/system/core/libsysutils/src/FrameworkListener.cpp#78
     if (!GET_FIELD(mUsbStartIp).IsEmpty() && !GET_FIELD(mUsbEndIp).IsEmpty()) {
-      snprintf(command, MAX_COMMAND_SIZE - 1, "tether start %s %s %s %s",
-               GET_CHAR(mWifiStartIp), GET_CHAR(mWifiEndIp),
-               GET_CHAR(mUsbStartIp),  GET_CHAR(mUsbEndIp));
+      PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether start %s %s %s %s",
+                  GET_CHAR(mWifiStartIp), GET_CHAR(mWifiEndIp),
+                  GET_CHAR(mUsbStartIp),  GET_CHAR(mUsbEndIp));
     } else {
-      snprintf(command, MAX_COMMAND_SIZE - 1, "tether start %s %s",
-               GET_CHAR(mWifiStartIp), GET_CHAR(mWifiEndIp));
+      PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether start %s %s",
+                  GET_CHAR(mWifiStartIp), GET_CHAR(mWifiEndIp));
     }
   }
 
@@ -974,7 +976,7 @@ void NetworkUtils::untetherInterface(CommandChain* aChain,
                                      NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface remove %s", GET_CHAR(mIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether interface remove %s", GET_CHAR(mIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -992,8 +994,8 @@ void NetworkUtils::removeInterfaceFromLocalNetwork(CommandChain* aChain,
   }
 
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "network interface remove local %s",
-           GET_CHAR(mIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "network interface remove local %s",
+              GET_CHAR(mIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -1005,11 +1007,11 @@ void NetworkUtils::setDnsForwarders(CommandChain* aChain,
   char command[MAX_COMMAND_SIZE];
 
   if (SDK_VERSION >= 20) {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "tether dns set %d %s %s",
-             GET_FIELD(mNetId), GET_CHAR(mDns1), GET_CHAR(mDns2));
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether dns set %d %s %s",
+                GET_FIELD(mNetId), GET_CHAR(mDns1), GET_CHAR(mDns2));
   } else {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "tether dns set %s %s",
-             GET_CHAR(mDns1), GET_CHAR(mDns2));
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "tether dns set %s %s",
+                GET_CHAR(mDns1), GET_CHAR(mDns2));
   }
 
   doCommand(command, aChain, aCallback);
@@ -1027,11 +1029,11 @@ void NetworkUtils::enableNat(CommandChain* aChain,
     char* networkAddr = getNetworkAddr(ip, prefix);
 
     // address/prefix will only take effect when secondary routing table exists.
-    snprintf(command, MAX_COMMAND_SIZE - 1, "nat enable %s %s 1 %s/%s",
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "nat enable %s %s 1 %s/%s",
       GET_CHAR(mInternalIfname), GET_CHAR(mExternalIfname), networkAddr,
       GET_CHAR(mPrefix));
   } else {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "nat enable %s %s 0",
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "nat enable %s %s 0",
       GET_CHAR(mInternalIfname), GET_CHAR(mExternalIfname));
   }
 
@@ -1049,11 +1051,11 @@ void NetworkUtils::disableNat(CommandChain* aChain,
     uint32_t ip = inet_addr(GET_CHAR(mIp));
     char* networkAddr = getNetworkAddr(ip, prefix);
 
-    snprintf(command, MAX_COMMAND_SIZE - 1, "nat disable %s %s 1 %s/%s",
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "nat disable %s %s 1 %s/%s",
       GET_CHAR(mInternalIfname), GET_CHAR(mExternalIfname), networkAddr,
       GET_CHAR(mPrefix));
   } else {
-    snprintf(command, MAX_COMMAND_SIZE - 1, "nat disable %s %s 0",
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1, "nat disable %s %s 0",
       GET_CHAR(mInternalIfname), GET_CHAR(mExternalIfname));
   }
 
@@ -1065,7 +1067,7 @@ void NetworkUtils::setDefaultInterface(CommandChain* aChain,
                                        NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "resolver setdefaultif %s", GET_CHAR(mIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "resolver setdefaultif %s", GET_CHAR(mIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -1084,9 +1086,9 @@ void NetworkUtils::removeDefaultRoute(CommandChain* aChain,
   NS_ConvertUTF16toUTF8 autoGateway(gateways[GET_FIELD(mLoopIndex)]);
 
   int type = getIpType(autoGateway.get());
-  snprintf(command, MAX_COMMAND_SIZE - 1, "network route remove %d %s %s/0 %s",
-           GET_FIELD(mNetId), GET_CHAR(mIfname),
-           type == AF_INET6 ? "::" : "0.0.0.0", autoGateway.get());
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "network route remove %d %s %s/0 %s",
+              GET_FIELD(mNetId), GET_CHAR(mIfname),
+              type == AF_INET6 ? "::" : "0.0.0.0", autoGateway.get());
 
   struct MyCallback {
     static void callback(CommandCallback::CallbackType aOriginalCallback,
@@ -1117,11 +1119,11 @@ void NetworkUtils::setInterfaceDns(CommandChain* aChain,
   int written;
 
   if (SDK_VERSION >= 20) {
-    written = snprintf(command, sizeof command, "resolver setnetdns %d %s",
-                                                GET_FIELD(mNetId), GET_CHAR(mDomain));
+    written = PR_snprintf(command, sizeof command, "resolver setnetdns %d %s",
+                                                   GET_FIELD(mNetId), GET_CHAR(mDomain));
   } else {
-    written = snprintf(command, sizeof command, "resolver setifdns %s %s",
-                                                GET_CHAR(mIfname), GET_CHAR(mDomain));
+    written = PR_snprintf(command, sizeof command, "resolver setifdns %s %s",
+                                                   GET_CHAR(mIfname), GET_CHAR(mDomain));
   }
 
   nsTArray<nsString>& dnses = GET_FIELD(mDnses);
@@ -1130,7 +1132,7 @@ void NetworkUtils::setInterfaceDns(CommandChain* aChain,
   for (uint32_t i = 0; i < length; i++) {
     NS_ConvertUTF16toUTF8 autoDns(dnses[i]);
 
-    int ret = snprintf(command + written, sizeof(command) - written, " %s", autoDns.get());
+    int ret = PR_snprintf(command + written, sizeof(command) - written, " %s", autoDns.get());
     if (ret <= 1) {
       command[written] = '\0';
       continue;
@@ -1152,7 +1154,7 @@ void NetworkUtils::clearAddrForInterface(CommandChain* aChain,
                                          NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "interface clearaddrs %s", GET_CHAR(mIfname));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "interface clearaddrs %s", GET_CHAR(mIfname));
 
   doCommand(command, aChain, aCallback);
 }
@@ -1162,7 +1164,7 @@ void NetworkUtils::createNetwork(CommandChain* aChain,
                                  NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "network create %d", GET_FIELD(mNetId));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "network create %d", GET_FIELD(mNetId));
 
   doCommand(command, aChain, aCallback);
 }
@@ -1172,7 +1174,7 @@ void NetworkUtils::destroyNetwork(CommandChain* aChain,
                                   NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "network destroy %d", GET_FIELD(mNetId));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "network destroy %d", GET_FIELD(mNetId));
 
   doCommand(command, aChain, aCallback);
 }
@@ -1182,7 +1184,7 @@ void NetworkUtils::addInterfaceToNetwork(CommandChain* aChain,
                                          NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "network interface add %d %s",
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "network interface add %d %s",
                     GET_FIELD(mNetId), GET_CHAR(mIfname));
 
   doCommand(command, aChain, aCallback);
@@ -1242,10 +1244,10 @@ void NetworkUtils::modifyRouteOnInterface(CommandChain* aChain,
 
   const char* action = aDoAdd ? "add" : "remove";
 
-  snprintf(command, MAX_COMMAND_SIZE - 1, "network route %s%s %d %s %s/%d%s",
-           legacyOrEmpty, action,
-           GET_FIELD(mNetId), GET_CHAR(mIfname), ipOrSubnetIp.get(),
-           GET_FIELD(mPrefixLength), gatewayOrEmpty.get());
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "network route %s%s %d %s %s/%d%s",
+              legacyOrEmpty, action,
+              GET_FIELD(mNetId), GET_CHAR(mIfname), ipOrSubnetIp.get(),
+              GET_FIELD(mPrefixLength), gatewayOrEmpty.get());
 
   doCommand(command, aChain, aCallback);
 }
@@ -1264,9 +1266,9 @@ void NetworkUtils::addDefaultRouteToNetwork(CommandChain* aChain,
   NS_ConvertUTF16toUTF8 autoGateway(gateways[GET_FIELD(mLoopIndex)]);
 
   int type = getIpType(autoGateway.get());
-  snprintf(command, MAX_COMMAND_SIZE - 1, "network route add %d %s %s/0 %s",
-           GET_FIELD(mNetId), GET_CHAR(mIfname),
-           type == AF_INET6 ? "::" : "0.0.0.0", autoGateway.get());
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "network route add %d %s %s/0 %s",
+              GET_FIELD(mNetId), GET_CHAR(mIfname),
+              type == AF_INET6 ? "::" : "0.0.0.0", autoGateway.get());
 
   struct MyCallback {
     static void callback(CommandCallback::CallbackType aOriginalCallback,
@@ -1294,7 +1296,7 @@ void NetworkUtils::setDefaultNetwork(CommandChain* aChain,
                                      NetworkResultOptions& aResult)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "network default set %d", GET_FIELD(mNetId));
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "network default set %d", GET_FIELD(mNetId));
 
   doCommand(command, aChain, aCallback);
 }
@@ -1306,20 +1308,20 @@ void NetworkUtils::addRouteToSecondaryTable(CommandChain* aChain,
   char command[MAX_COMMAND_SIZE];
 
   if (SDK_VERSION >= 20) {
-    snprintf(command, MAX_COMMAND_SIZE - 1,
-             "network route add %d %s %s/%s %s",
-             GET_FIELD(mNetId),
-             GET_CHAR(mIfname),
-             GET_CHAR(mIp),
-             GET_CHAR(mPrefix),
-             GET_CHAR(mGateway));
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1,
+                "network route add %d %s %s/%s %s",
+                GET_FIELD(mNetId),
+                GET_CHAR(mIfname),
+                GET_CHAR(mIp),
+                GET_CHAR(mPrefix),
+                GET_CHAR(mGateway));
   } else {
-    snprintf(command, MAX_COMMAND_SIZE - 1,
-             "interface route add %s secondary %s %s %s",
-             GET_CHAR(mIfname),
-             GET_CHAR(mIp),
-             GET_CHAR(mPrefix),
-             GET_CHAR(mGateway));
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1,
+                "interface route add %s secondary %s %s %s",
+                GET_CHAR(mIfname),
+                GET_CHAR(mIp),
+                GET_CHAR(mPrefix),
+                GET_CHAR(mGateway));
   }
 
   doCommand(command, aChain, aCallback);
@@ -1331,20 +1333,20 @@ void NetworkUtils::removeRouteFromSecondaryTable(CommandChain* aChain,
   char command[MAX_COMMAND_SIZE];
 
   if (SDK_VERSION >= 20) {
-    snprintf(command, MAX_COMMAND_SIZE - 1,
-             "network route remove %d %s %s/%s %s",
-             GET_FIELD(mNetId),
-             GET_CHAR(mIfname),
-             GET_CHAR(mIp),
-             GET_CHAR(mPrefix),
-             GET_CHAR(mGateway));
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1,
+                "network route remove %d %s %s/%s %s",
+                GET_FIELD(mNetId),
+                GET_CHAR(mIfname),
+                GET_CHAR(mIp),
+                GET_CHAR(mPrefix),
+                GET_CHAR(mGateway));
   } else {
-    snprintf(command, MAX_COMMAND_SIZE - 1,
-             "interface route remove %s secondary %s %s %s",
-             GET_CHAR(mIfname),
-             GET_CHAR(mIp),
-             GET_CHAR(mPrefix),
-             GET_CHAR(mGateway));
+    PR_snprintf(command, MAX_COMMAND_SIZE - 1,
+                "interface route remove %s secondary %s %s %s",
+                GET_CHAR(mIfname),
+                GET_CHAR(mIp),
+                GET_CHAR(mPrefix),
+                GET_CHAR(mGateway));
   }
 
   doCommand(command, aChain, aCallback);
@@ -1356,8 +1358,8 @@ void NetworkUtils::setIpv6Enabled(CommandChain* aChain,
                                   bool aEnabled)
 {
   char command[MAX_COMMAND_SIZE];
-  snprintf(command, MAX_COMMAND_SIZE - 1, "interface ipv6 %s %s",
-           GET_CHAR(mIfname), aEnabled ? "enable" : "disable");
+  PR_snprintf(command, MAX_COMMAND_SIZE - 1, "interface ipv6 %s %s",
+              GET_CHAR(mIfname), aEnabled ? "enable" : "disable");
 
   struct MyCallback {
     static void callback(CommandCallback::CallbackType aOriginalCallback,
@@ -1687,9 +1689,9 @@ void NetworkUtils::onNetdMessage(NetdCommand* aCommand)
     if (code == NETD_COMMAND_INTERFACE_CHANGE) {
       if (gWifiTetheringParms) {
         char linkdownReason[MAX_COMMAND_SIZE];
-        snprintf(linkdownReason, MAX_COMMAND_SIZE - 1,
-                 "Iface linkstate %s down",
-                 NS_ConvertUTF16toUTF8(gWifiTetheringParms->mIfname).get());
+        PR_snprintf(linkdownReason, MAX_COMMAND_SIZE - 1,
+                    "Iface linkstate %s down",
+                    NS_ConvertUTF16toUTF8(gWifiTetheringParms->mIfname).get());
 
         if (!strcmp(reason, linkdownReason)) {
           NU_DBG("Wifi link down, restarting tethering.");
@@ -1766,7 +1768,7 @@ CommandResult NetworkUtils::setDNS(NetworkParams& aOptions)
       NS_ConvertUTF16toUTF8 autoDns(aOptions.mDnses[i]);
 
       char dns_prop_key[PROPERTY_VALUE_MAX];
-      snprintf(dns_prop_key, sizeof dns_prop_key, "net.dns%d", i+1);
+      PR_snprintf(dns_prop_key, sizeof dns_prop_key, "net.dns%d", i+1);
       property_set(dns_prop_key, autoDns.get());
     }
   } else {
@@ -1783,7 +1785,7 @@ CommandResult NetworkUtils::setDNS(NetworkParams& aOptions)
   property_get("net.dnschange", dnschange, "0");
 
   char num[PROPERTY_VALUE_MAX];
-  snprintf(num, PROPERTY_VALUE_MAX - 1, "%d", atoi(dnschange) + 1);
+  PR_snprintf(num, PROPERTY_VALUE_MAX - 1, "%d", atoi(dnschange) + 1);
   property_set("net.dnschange", num);
 
   // DNS needs to be set through netd since JellyBean (4.3).
@@ -1981,7 +1983,7 @@ CommandResult NetworkUtils::setDefaultRouteLegacy(NetworkParams& aOptions)
     char key[PROPERTY_KEY_MAX];
     char gateway[PROPERTY_KEY_MAX];
 
-    snprintf(key, sizeof key - 1, "net.%s.gw", autoIfname.get());
+    PR_snprintf(key, sizeof key - 1, "net.%s.gw", autoIfname.get());
     property_get(key, gateway, "");
 
     int type = getIpType(gateway);
diff --git a/dom/tests/mochitest/general/test_interfaces.html b/dom/tests/mochitest/general/test_interfaces.html
index 3c11c6e893d7..0de37e035d48 100644
--- a/dom/tests/mochitest/general/test_interfaces.html
+++ b/dom/tests/mochitest/general/test_interfaces.html
@@ -938,6 +938,22 @@ var interfaceNamesInGlobalScope =
     {name: "SourceBuffer", linux: false, release: false},
 // IMPORTANT: Do not change this list without review from a DOM peer!
     {name: "SourceBufferList", linux: false, release: false},
+// IMPORTANT: Do not change this list without review from a DOM peer!
+    {name: "SpeechRecognition", b2g: true, nightly: true},
+// IMPORTANT: Do not change this list without review from a DOM peer!
+    {name: "SpeechRecognitionError", b2g: true, nightly: true},
+// IMPORTANT: Do not change this list without review from a DOM peer!
+    {name: "SpeechRecognitionAlternative", b2g: true, nightly: true},
+// IMPORTANT: Do not change this list without review from a DOM peer!
+    {name: "SpeechRecognitionResult", b2g: true, nightly: true},
+// IMPORTANT: Do not change this list without review from a DOM peer!
+    {name: "SpeechRecognitionResultList", b2g: true, nightly: true},
+// IMPORTANT: Do not change this list without review from a DOM peer!
+    {name: "SpeechRecognitionEvent", b2g: true, nightly: true},
+// IMPORTANT: Do not change this list without review from a DOM peer!
+    {name: "SpeechGrammar", b2g: true, nightly: true},
+// IMPORTANT: Do not change this list without review from a DOM peer!
+    {name: "SpeechGrammarList", b2g: true, nightly: true},
 // IMPORTANT: Do not change this list without review from a DOM peer!
     {name: "SpeechSynthesisEvent", b2g: true},
 // IMPORTANT: Do not change this list without review from a DOM peer!
diff --git a/dom/webidl/BrowserElement.webidl b/dom/webidl/BrowserElement.webidl
index 256637ed731d..0a569fac23ae 100644
--- a/dom/webidl/BrowserElement.webidl
+++ b/dom/webidl/BrowserElement.webidl
@@ -6,6 +6,9 @@
 
 callback BrowserElementNextPaintEventCallback = void ();
 
+enum BrowserFindCaseSensitivity { "case-sensitive", "case-insensitive" };
+enum BrowserFindDirection { "forward", "backward" };
+
 dictionary BrowserElementDownloadOptions {
   DOMString? filename;
   DOMString? referrer;
@@ -146,4 +149,20 @@ interface BrowserElementPrivileged {
    Pref="dom.mozBrowserFramesEnabled",
    CheckPermissions="browser"]
   void setNFCFocus(boolean isFocus);
+
+  [Throws,
+   Pref="dom.mozBrowserFramesEnabled",
+   CheckPermissions="browser"]
+  void findAll(DOMString searchString, BrowserFindCaseSensitivity caseSensitivity);
+
+  [Throws,
+   Pref="dom.mozBrowserFramesEnabled",
+   CheckPermissions="browser"]
+  void findNext(BrowserFindDirection direction);
+
+  [Throws,
+   Pref="dom.mozBrowserFramesEnabled",
+   CheckPermissions="browser"]
+  void clearMatch();
+
 };
diff --git a/dom/webidl/SpeechRecognitionEvent.webidl b/dom/webidl/SpeechRecognitionEvent.webidl
index 62003392ac72..a464fcc70d29 100644
--- a/dom/webidl/SpeechRecognitionEvent.webidl
+++ b/dom/webidl/SpeechRecognitionEvent.webidl
@@ -10,15 +10,15 @@ interface nsISupports;
 interface SpeechRecognitionEvent : Event
 {
   readonly attribute unsigned long resultIndex;
-  readonly attribute nsISupports? results;
-  readonly attribute DOMString? interpretation;
+  readonly attribute SpeechRecognitionResultList? results;
+  readonly attribute any interpretation;
   readonly attribute Document? emma;
 };
 
 dictionary SpeechRecognitionEventInit : EventInit
 {
   unsigned long resultIndex = 0;
-  nsISupports? results = null;
-  DOMString interpretation = "";
+  SpeechRecognitionResultList? results = null;
+  any interpretation = null;
   Document? emma = null;
 };
diff --git a/dom/webidl/SpeechRecognitionResult.webidl b/dom/webidl/SpeechRecognitionResult.webidl
index 73e1bb62065f..9fb7bdc6b738 100644
--- a/dom/webidl/SpeechRecognitionResult.webidl
+++ b/dom/webidl/SpeechRecognitionResult.webidl
@@ -14,5 +14,5 @@
 interface SpeechRecognitionResult {
     readonly attribute unsigned long length;
     getter SpeechRecognitionAlternative item(unsigned long index);
-    readonly attribute boolean final;
+    readonly attribute boolean isFinal;
 };
diff --git a/dom/webidl/WebGL2RenderingContext.webidl b/dom/webidl/WebGL2RenderingContext.webidl
index b8bba687887b..30e4c9e16a7f 100644
--- a/dom/webidl/WebGL2RenderingContext.webidl
+++ b/dom/webidl/WebGL2RenderingContext.webidl
@@ -312,6 +312,9 @@ interface WebGL2RenderingContext : WebGLRenderingContext
 
     const GLint64 TIMEOUT_IGNORED                              = -1;
 
+    /* WebGL-specific enums */
+    const GLenum MAX_CLIENT_WAIT_TIMEOUT_WEBGL                 = 0x9247;
+
     /* Buffer objects */
     void copyBufferSubData(GLenum readTarget, GLenum writeTarget, GLintptr readOffset,
                            GLintptr writeOffset, GLsizeiptr size);
diff --git a/dom/wifi/WifiUtils.cpp b/dom/wifi/WifiUtils.cpp
index 1468f78a16df..e52a515fa24d 100644
--- a/dom/wifi/WifiUtils.cpp
+++ b/dom/wifi/WifiUtils.cpp
@@ -368,10 +368,10 @@ public:
     char command[COMMAND_SIZE];
     if (!strcmp(iface, "p2p0")) {
       // Commands for p2p0 interface don't need prefix
-      snprintf(command, COMMAND_SIZE, "%s", cmd);
+      PR_snprintf(command, COMMAND_SIZE, "%s", cmd);
     }
     else {
-      snprintf(command, COMMAND_SIZE, "IFNAME=%s %s", iface, cmd);
+      PR_snprintf(command, COMMAND_SIZE, "IFNAME=%s %s", iface, cmd);
     }
     USE_DLFUNC(wifi_command)
     return wifi_command(command, buf, len);
diff --git a/dom/workers/ScriptLoader.cpp b/dom/workers/ScriptLoader.cpp
index 6eda7de113a1..aaefcba69a05 100644
--- a/dom/workers/ScriptLoader.cpp
+++ b/dom/workers/ScriptLoader.cpp
@@ -1585,27 +1585,24 @@ ScriptExecutorRunnable::WorkerRun(JSContext* aCx, WorkerPrivate* aWorkerPrivate)
     }
   }
 
-  JS::Rooted<JSObject*> global(aCx, JS::CurrentGlobalOrNull(aCx));
-  NS_ASSERTION(global, "Must have a global by now!");
+  JS::Rooted<JSObject*> global(aCx);
 
-  // Determine whether we want to be discarding source on this global to save
-  // memory. It would make more sense to do this when we create the global, but
-  // the information behind UsesSystemPrincipal() et al isn't finalized until
-  // the call to SetPrincipal during the first script load. After that, however,
-  // it never changes. So we can just idempotently set the bits here.
-  //
-  // Note that we read a pref that is cached on the main thread. This is benignly
-  // racey.
-  if (xpc::ShouldDiscardSystemSource()) {
-    bool discard = aWorkerPrivate->UsesSystemPrincipal() ||
-                   aWorkerPrivate->IsInPrivilegedApp();
-    JS::CompartmentOptionsRef(global).setDiscardSource(discard);
+  if (mIsWorkerScript) {
+    WorkerGlobalScope* globalScope =
+      aWorkerPrivate->GetOrCreateGlobalScope(aCx);
+    if (NS_WARN_IF(!globalScope)) {
+      NS_WARNING("Failed to make global!");
+      return false;
+    }
+
+    global.set(globalScope->GetWrapper());
+  } else {
+    global.set(JS::CurrentGlobalOrNull(aCx));
   }
 
-  // Similar to the above.
-  if (xpc::ExtraWarningsForSystemJS() && aWorkerPrivate->UsesSystemPrincipal()) {
-      JS::CompartmentOptionsRef(global).extraWarningsOverride().set(true);
-  }
+  MOZ_ASSERT(global);
+
+  JSAutoCompartment ac(aCx, global);
 
   for (uint32_t index = mFirstIndex; index <= mLastIndex; index++) {
     ScriptLoadInfo& loadInfo = loadInfos.ElementAt(index);
diff --git a/dom/workers/ServiceWorkerManager.cpp b/dom/workers/ServiceWorkerManager.cpp
index 3092eb144eee..4aaa7d363d5b 100644
--- a/dom/workers/ServiceWorkerManager.cpp
+++ b/dom/workers/ServiceWorkerManager.cpp
@@ -6,6 +6,8 @@
 
 #include "ServiceWorkerManager.h"
 
+#include "mozIApplication.h"
+#include "mozIApplicationClearPrivateDataParams.h"
 #include "nsIAppsService.h"
 #include "nsIDOMEventTarget.h"
 #include "nsIDocument.h"
@@ -34,6 +36,7 @@
 #include "mozilla/dom/DOMError.h"
 #include "mozilla/dom/ErrorEvent.h"
 #include "mozilla/dom/Headers.h"
+#include "mozilla/dom/indexedDB/IDBFactory.h"
 #include "mozilla/dom/InternalHeaders.h"
 #include "mozilla/dom/Navigator.h"
 #include "mozilla/dom/PromiseNativeHandler.h"
@@ -77,6 +80,7 @@ BEGIN_WORKERS_NAMESPACE
 
 #define PURGE_DOMAIN_DATA "browser:purge-domain-data"
 #define PURGE_SESSION_HISTORY "browser:purge-session-history"
+#define WEBAPPS_CLEAR_DATA "webapps-clear-data"
 
 static_assert(nsIHttpChannelInternal::CORS_MODE_SAME_ORIGIN == static_cast<uint32_t>(RequestMode::Same_origin),
               "RequestMode enumeration value should match Necko CORS mode value.");
@@ -414,6 +418,8 @@ ServiceWorkerManager::Init()
       MOZ_ASSERT(NS_SUCCEEDED(rv));
       rv = obs->AddObserver(this, PURGE_DOMAIN_DATA, false /* ownsWeak */);
       MOZ_ASSERT(NS_SUCCEEDED(rv));
+      rv = obs->AddObserver(this, WEBAPPS_CLEAR_DATA, false /* ownsWeak */);
+      MOZ_ASSERT(NS_SUCCEEDED(rv));
     }
   }
 }
@@ -874,7 +880,15 @@ public:
           mRegistration->mPendingUninstall = false;
           swm->StoreRegistration(mPrincipal, mRegistration);
           Succeed();
-          Done(NS_OK);
+
+          // Done() must always be called async from Start()
+          nsCOMPtr<nsIRunnable> runnable =
+            NS_NewRunnableMethodWithArg<nsresult>(
+              this,
+              &ServiceWorkerRegisterJob::Done,
+              NS_OK);
+          MOZ_ALWAYS_TRUE(NS_SUCCEEDED(NS_DispatchToCurrentThread(runnable)));
+
           return;
         }
       } else {
@@ -2670,7 +2684,7 @@ ServiceWorkerManager::GetServiceWorkerRegistrationInfo(nsIPrincipal* aPrincipal,
 
   nsAutoCString originAttributesSuffix;
   nsresult rv = PrincipalToScopeKey(aPrincipal, originAttributesSuffix);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
+  if (NS_FAILED(rv)) {
     return nullptr;
   }
 
@@ -2732,7 +2746,7 @@ ServiceWorkerManager::PrincipalToScopeKey(nsIPrincipal* aPrincipal,
 {
   MOZ_ASSERT(aPrincipal);
 
-  if (NS_WARN_IF(!BasePrincipal::Cast(aPrincipal)->IsCodebasePrincipal())) {
+  if (!BasePrincipal::Cast(aPrincipal)->IsCodebasePrincipal()) {
     return NS_ERROR_FAILURE;
   }
 
@@ -3532,6 +3546,9 @@ ServiceWorkerManager::CreateServiceWorker(nsIPrincipal* aPrincipal,
 
   info.mPrincipal = aPrincipal;
 
+  info.mIndexedDBAllowed =
+    indexedDB::IDBFactory::AllowedForPrincipal(aPrincipal);
+
   // NOTE: this defaults the SW load context to:
   //  - private browsing = false
   //  - content = true
@@ -4020,9 +4037,9 @@ HasRootDomain(nsIURI* aURI, const nsACString& aDomain)
   return prevChar == '.';
 }
 
-struct UnregisterIfMatchesHostData
+struct UnregisterIfMatchesHostOrPrincipalData
 {
-  UnregisterIfMatchesHostData(
+  UnregisterIfMatchesHostOrPrincipalData(
     ServiceWorkerManager::RegistrationDataPerPrincipal* aRegistrationData,
     void* aUserData)
     : mRegistrationData(aRegistrationData)
@@ -4039,8 +4056,8 @@ UnregisterIfMatchesHost(const nsACString& aScope,
                         ServiceWorkerRegistrationInfo* aReg,
                         void* aPtr)
 {
-  UnregisterIfMatchesHostData* data =
-    static_cast<UnregisterIfMatchesHostData*>(aPtr);
+  UnregisterIfMatchesHostOrPrincipalData* data =
+    static_cast<UnregisterIfMatchesHostOrPrincipalData*>(aPtr);
 
   // We avoid setting toRemove = aReg by default since there is a possibility
   // of failure when data->mUserData is passed, in which case we don't want to
@@ -4072,11 +4089,47 @@ UnregisterIfMatchesHostPerPrincipal(const nsACString& aKey,
                                     ServiceWorkerManager::RegistrationDataPerPrincipal* aData,
                                     void* aUserData)
 {
-  UnregisterIfMatchesHostData data(aData, aUserData);
+  UnregisterIfMatchesHostOrPrincipalData data(aData, aUserData);
   aData->mInfos.EnumerateRead(UnregisterIfMatchesHost, &data);
   return PL_DHASH_NEXT;
 }
 
+PLDHashOperator
+UnregisterIfMatchesPrincipal(const nsACString& aScope,
+                             ServiceWorkerRegistrationInfo* aReg,
+                             void* aPtr)
+{
+  UnregisterIfMatchesHostOrPrincipalData* data =
+    static_cast<UnregisterIfMatchesHostOrPrincipalData*>(aPtr);
+
+  if (data->mUserData) {
+    nsIPrincipal *principal = static_cast<nsIPrincipal*>(data->mUserData);
+    MOZ_ASSERT(principal);
+    MOZ_ASSERT(aReg->mPrincipal);
+    bool equals;
+    aReg->mPrincipal->Equals(principal, &equals);
+    if (equals) {
+      nsRefPtr<ServiceWorkerManager> swm = ServiceWorkerManager::GetInstance();
+      swm->ForceUnregister(data->mRegistrationData, aReg);
+    }
+  }
+
+  return PL_DHASH_NEXT;
+}
+
+PLDHashOperator
+UnregisterIfMatchesPrincipal(const nsACString& aKey,
+                             ServiceWorkerManager::RegistrationDataPerPrincipal* aData,
+                             void* aUserData)
+{
+  UnregisterIfMatchesHostOrPrincipalData data(aData, aUserData);
+  // We can use EnumerateRead because ForceUnregister (and Unregister) are async.
+  // Otherwise doing some R/W operations on an hashtable during an EnumerateRead
+  // will crash.
+  aData->mInfos.EnumerateRead(UnregisterIfMatchesPrincipal, &data);
+  return PL_DHASH_NEXT;
+}
+
 PLDHashOperator
 GetAllRegistrationsEnumerator(const nsACString& aScope,
                               ServiceWorkerRegistrationInfo* aReg,
@@ -4245,6 +4298,17 @@ UpdateEachRegistration(const nsACString& aKey,
   return PL_DHASH_NEXT;
 }
 
+void
+ServiceWorkerManager::RemoveAllRegistrations(nsIPrincipal* aPrincipal)
+{
+  AssertIsOnMainThread();
+
+  MOZ_ASSERT(aPrincipal);
+
+  mRegistrationInfos.EnumerateRead(UnregisterIfMatchesPrincipal,
+                                   aPrincipal);
+}
+
 static PLDHashOperator
 UpdateEachRegistrationPerPrincipal(const nsACString& aKey,
                                    ServiceWorkerManager::RegistrationDataPerPrincipal* aData,
@@ -4286,12 +4350,43 @@ ServiceWorkerManager::Observe(nsISupports* aSubject,
     }
 
     Remove(NS_ConvertUTF16toUTF8(domain));
+  } else if (strcmp(aTopic, WEBAPPS_CLEAR_DATA) == 0) {
+    nsCOMPtr<mozIApplicationClearPrivateDataParams> params =
+      do_QueryInterface(aSubject);
+    if (NS_WARN_IF(!params)) {
+      return NS_OK;
+    }
+
+    uint32_t appId;
+    nsresult rv = params->GetAppId(&appId);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    nsCOMPtr<nsIAppsService> appsService =
+      do_GetService(APPS_SERVICE_CONTRACTID);
+    if (NS_WARN_IF(!appsService)) {
+      return NS_OK;
+    }
+
+    nsCOMPtr<mozIApplication> app;
+    appsService->GetAppByLocalId(appId, getter_AddRefs(app));
+    if (NS_WARN_IF(!app)) {
+      return NS_OK;
+    }
+
+    nsCOMPtr<nsIPrincipal> principal;
+    app->GetPrincipal(getter_AddRefs(principal));
+    if (NS_WARN_IF(!principal)) {
+      return NS_OK;
+    }
+
+    RemoveAllRegistrations(principal);
   } else if (strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
     nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService();
     if (obs) {
       obs->RemoveObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID);
       obs->RemoveObserver(this, PURGE_SESSION_HISTORY);
       obs->RemoveObserver(this, PURGE_DOMAIN_DATA);
+      obs->RemoveObserver(this, WEBAPPS_CLEAR_DATA);
     }
   } else {
     MOZ_CRASH("Received message we aren't supposed to be registered for!");
diff --git a/dom/workers/ServiceWorkerManager.h b/dom/workers/ServiceWorkerManager.h
index fefacd93eb13..bbb3caad0bbf 100644
--- a/dom/workers/ServiceWorkerManager.h
+++ b/dom/workers/ServiceWorkerManager.h
@@ -532,6 +532,10 @@ private:
   void
   RemoveRegistrationInternal(ServiceWorkerRegistrationInfo* aRegistration);
 
+  // Removes all service worker registrations for a given principal.
+  void
+  RemoveAllRegistrations(nsIPrincipal* aPrincipal);
+
   nsRefPtr<ServiceWorkerManagerChild> mActor;
 
   struct PendingOperation;
diff --git a/dom/workers/ServiceWorkerRegistrar.cpp b/dom/workers/ServiceWorkerRegistrar.cpp
index c914633278a5..24b8d36dfc64 100644
--- a/dom/workers/ServiceWorkerRegistrar.cpp
+++ b/dom/workers/ServiceWorkerRegistrar.cpp
@@ -149,12 +149,26 @@ ServiceWorkerRegistrar::RegisterServiceWorker(
     MonitorAutoLock lock(mMonitor);
     MOZ_ASSERT(mDataLoaded);
 
+    const mozilla::ipc::PrincipalInfo& newPrincipalInfo = aData.principal();
+    MOZ_ASSERT(newPrincipalInfo.type() ==
+               mozilla::ipc::PrincipalInfo::TContentPrincipalInfo);
+
+    const mozilla::ipc::ContentPrincipalInfo& newContentPrincipalInfo =
+      newPrincipalInfo.get_ContentPrincipalInfo();
+
     bool found = false;
     for (uint32_t i = 0, len = mData.Length(); i < len; ++i) {
       if (mData[i].scope() == aData.scope()) {
-        mData[i] = aData;
-        found = true;
-        break;
+        const mozilla::ipc::PrincipalInfo& existingPrincipalInfo =
+          mData[i].principal();
+        const mozilla::ipc::ContentPrincipalInfo& existingContentPrincipalInfo =
+          existingPrincipalInfo.get_ContentPrincipalInfo();
+
+        if (newContentPrincipalInfo == existingContentPrincipalInfo) {
+          mData[i] = aData;
+          found = true;
+          break;
+        }
       }
     }
 
diff --git a/dom/workers/WorkerPrivate.cpp b/dom/workers/WorkerPrivate.cpp
index 8d05961eac32..ac29fc04989c 100644
--- a/dom/workers/WorkerPrivate.cpp
+++ b/dom/workers/WorkerPrivate.cpp
@@ -1044,21 +1044,12 @@ private:
   virtual bool
   WorkerRun(JSContext* aCx, WorkerPrivate* aWorkerPrivate) override
   {
-    WorkerGlobalScope* globalScope =
-      aWorkerPrivate->GetOrCreateGlobalScope(aCx);
-    if (!globalScope) {
-      NS_WARNING("Failed to make global!");
+    if (!scriptloader::LoadMainScript(aCx, mScriptURL, WorkerScript)) {
       return false;
     }
 
-    JS::Rooted<JSObject*> global(aCx, globalScope->GetWrapper());
-
-    JSAutoCompartment ac(aCx, global);
-    bool result = scriptloader::LoadMainScript(aCx, mScriptURL, WorkerScript);
-    if (result) {
-      aWorkerPrivate->SetWorkerScriptExecutedSuccessfully();
-    }
-    return result;
+    aWorkerPrivate->SetWorkerScriptExecutedSuccessfully();
+    return true;
   }
 };
 
@@ -6043,7 +6034,9 @@ WorkerPrivate::RunCurrentSyncLoop()
       MOZ_ALWAYS_TRUE(NS_ProcessNextEvent(mThread, false));
 
       // Now *might* be a good time to GC. Let the JS engine make the decision.
-      JS_MaybeGC(cx);
+      if (JS::CurrentGlobalOrNull(cx)) {
+        JS_MaybeGC(cx);
+      }
     }
   }
 
@@ -6280,7 +6273,9 @@ WorkerPrivate::EnterDebuggerEventLoop()
       runnable->Release();
 
       // Now *might* be a good time to GC. Let the JS engine make the decision.
-      JS_MaybeGC(cx);
+      if (JS::CurrentGlobalOrNull(cx)) {
+        JS_MaybeGC(cx);
+      }
     }
   }
 }
@@ -6525,7 +6520,8 @@ WorkerPrivate::ReportError(JSContext* aCx, const char* aMessage,
   // if there was an error in the close handler or if we ran out of memory.
   bool fireAtScope = mErrorHandlerRecursionCount == 1 &&
                      !mCloseHandlerStarted &&
-                     errorNumber != JSMSG_OUT_OF_MEMORY;
+                     errorNumber != JSMSG_OUT_OF_MEMORY &&
+                     JS::CurrentGlobalOrNull(aCx);
 
   if (!ReportErrorRunnable::ReportError(aCx, this, fireAtScope, nullptr, message,
                                         filename, line, lineNumber,
@@ -6918,7 +6914,7 @@ WorkerPrivate::GarbageCollectInternal(JSContext* aCx, bool aShrinking,
 {
   AssertIsOnWorkerThread();
 
-  if (!JS::CurrentGlobalOrNull(aCx)) {
+  if (!GlobalScope()) {
     // We haven't compiled anything yet. Just bail out.
     return;
   }
@@ -7167,13 +7163,16 @@ WorkerPrivate::GetOrCreateGlobalScope(JSContext* aCx)
 
     JSAutoCompartment ac(aCx, global);
 
+    // RegisterBindings() can spin a nested event loop so we have to set mScope
+    // before calling it, and we have to make sure to unset mScope if it fails.
+    mScope = Move(globalScope);
+
     if (!RegisterBindings(aCx, global)) {
+      mScope = nullptr;
       return nullptr;
     }
 
     JS_FireOnNewGlobalObject(aCx, global);
-
-    mScope = globalScope.forget();
   }
 
   return mScope;
diff --git a/dom/workers/WorkerScope.cpp b/dom/workers/WorkerScope.cpp
index 347dd8d72b4f..f5c8f772c6bf 100644
--- a/dom/workers/WorkerScope.cpp
+++ b/dom/workers/WorkerScope.cpp
@@ -395,6 +395,20 @@ DedicatedWorkerGlobalScope::WrapGlobalObject(JSContext* aCx,
   JS::CompartmentOptions options;
   mWorkerPrivate->CopyJSCompartmentOptions(options);
 
+  const bool usesSystemPrincipal = mWorkerPrivate->UsesSystemPrincipal();
+
+  // Note that xpc::ShouldDiscardSystemSource() and
+  // xpc::ExtraWarningsForSystemJS() read prefs that are cached on the main
+  // thread. This is benignly racey.
+  const bool discardSource = (usesSystemPrincipal ||
+                              mWorkerPrivate->IsInPrivilegedApp()) &&
+                             xpc::ShouldDiscardSystemSource();
+  const bool extraWarnings = usesSystemPrincipal &&
+                             xpc::ExtraWarningsForSystemJS();
+
+  options.setDiscardSource(discardSource)
+         .extraWarningsOverride().set(extraWarnings);
+
   return DedicatedWorkerGlobalScopeBinding_workers::Wrap(aCx, this, this,
                                                          options,
                                                          GetWorkerPrincipal(),
diff --git a/dom/workers/moz.build b/dom/workers/moz.build
index 956c6ddddb45..77681acb4182 100644
--- a/dom/workers/moz.build
+++ b/dom/workers/moz.build
@@ -117,7 +117,10 @@ MOCHITEST_MANIFESTS += [
     'test/serviceworkers/mochitest.ini',
 ]
 
-MOCHITEST_CHROME_MANIFESTS += ['test/chrome.ini']
+MOCHITEST_CHROME_MANIFESTS += [
+    'test/chrome.ini',
+    'test/serviceworkers/chrome.ini'
+]
 
 XPCSHELL_TESTS_MANIFESTS += ['test/xpcshell/xpcshell.ini']
 
diff --git a/dom/workers/test/serviceworkers/app/index.html b/dom/workers/test/serviceworkers/app/index.html
new file mode 100644
index 000000000000..a12702484f0b
--- /dev/null
+++ b/dom/workers/test/serviceworkers/app/index.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Test app for bug 1169249</title>
+    <script type='application/javascript;version=1.7'>
+function ok(aCondition, aMessage) {
+  if (aCondition) {
+    alert('OK: ' + aMessage);
+  } else {
+    alert('KO: ' + aMessage);
+  }
+}
+
+function ready() {
+  alert('READY');
+}
+
+function registerServiceWorker() {
+  return new Promise((resolve, reject) => {
+    navigator.serviceWorker.ready.then(() => {
+      ready();
+      resolve();
+    });
+    navigator.serviceWorker.register('sw.js', {scope: '.'})
+    .then(registration => {
+      ok(true, 'service worker registered');
+    })
+    .catch(reject);
+  });
+}
+
+function runTests() {
+  return Promise.resolve()
+    .then(registerServiceWorker)
+    .then(ready)
+}
+  </script>
+  </head>
+  <body onload='runTests()'>
+  </body>
+</html>
diff --git a/dom/workers/test/serviceworkers/app/manifest.webapp b/dom/workers/test/serviceworkers/app/manifest.webapp
new file mode 100644
index 000000000000..e8ead7c6055c
--- /dev/null
+++ b/dom/workers/test/serviceworkers/app/manifest.webapp
@@ -0,0 +1,5 @@
+{
+  "name": "App",
+  "launch_path": "/index.html",
+  "description": "Test app for bug 1169249"
+}
diff --git a/dom/workers/test/serviceworkers/app/manifest.webapp^headers^ b/dom/workers/test/serviceworkers/app/manifest.webapp^headers^
new file mode 100644
index 000000000000..90818c6398ec
--- /dev/null
+++ b/dom/workers/test/serviceworkers/app/manifest.webapp^headers^
@@ -0,0 +1 @@
+Content-Type: application/manifest+json
diff --git a/dom/workers/test/serviceworkers/app/sw.js b/dom/workers/test/serviceworkers/app/sw.js
new file mode 100644
index 000000000000..9d071d6df7b5
--- /dev/null
+++ b/dom/workers/test/serviceworkers/app/sw.js
@@ -0,0 +1 @@
+// Useless service worker.
diff --git a/dom/workers/test/serviceworkers/chrome.ini b/dom/workers/test/serviceworkers/chrome.ini
new file mode 100644
index 000000000000..cb1b272ccc05
--- /dev/null
+++ b/dom/workers/test/serviceworkers/chrome.ini
@@ -0,0 +1,6 @@
+[DEFAULT]
+skip-if = buildapp == 'b2g'
+support-files =
+  app/*
+
+[test_app_installation.html]
diff --git a/dom/workers/test/serviceworkers/mochitest.ini b/dom/workers/test/serviceworkers/mochitest.ini
index a0ff08418f4f..f185085142d3 100644
--- a/dom/workers/test/serviceworkers/mochitest.ini
+++ b/dom/workers/test/serviceworkers/mochitest.ini
@@ -129,6 +129,11 @@ support-files =
   strict_mode_error.js
   skip_waiting_installed_worker.js
   skip_waiting_scope/index.html
+  thirdparty/iframe1.html
+  thirdparty/iframe2.html
+  thirdparty/register.html
+  thirdparty/unregister.html
+  thirdparty/sw.js
 
 [test_unregister.html]
 [test_installation_simple.html]
@@ -167,6 +172,7 @@ support-files =
 [test_sanitize_domain.html]
 [test_service_worker_allowed.html]
 [test_app_protocol.html]
+[test_third_party_iframes.html]
 [test_claim_fetch.html]
 [test_force_refresh.html]
 [test_skip_waiting.html]
diff --git a/dom/workers/test/serviceworkers/test_app_installation.html b/dom/workers/test/serviceworkers/test_app_installation.html
new file mode 100644
index 000000000000..07337213cab0
--- /dev/null
+++ b/dom/workers/test/serviceworkers/test_app_installation.html
@@ -0,0 +1,167 @@
+<!DOCTYPE html>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id={1169249}
+-->
+<head>
+  <title>Test for Bug {1169249}</title>
+  <script type="application/javascript"
+          src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="application/javascript"
+          src="chrome://mochikit/content/chrome-harness.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
+</head>
+<body>
+
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id={1169249}">Mozilla Bug {1169249}</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+<script class="testbody" type="application/javascript;version=1.7">
+
+const { classes: Cc, interfaces: Ci, utils: Cu, results: Cr } = Components;
+
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+XPCOMUtils.defineLazyServiceGetter(this, "gServiceWorkerManager",
+                                   "@mozilla.org/serviceworkers/manager;1",
+                                   "nsIServiceWorkerManager");
+
+XPCOMUtils.defineLazyServiceGetter(this, "gAppsService",
+                                   "@mozilla.org/AppsService;1",
+                                   "nsIAppsService");
+SimpleTest.waitForExplicitFinish();
+
+const gOrigin = 'http://test/chrome/dom/workers/test/serviceworkers/app';
+const appManifestURL = gOrigin + '/manifest.webapp';
+let gApp;
+
+addLoadEvent(go);
+
+function setup() {
+  info('Setting up');
+  return new Promise((resolve, reject) => {
+    SpecialPowers.setAllAppsLaunchable(true);
+    SpecialPowers.pushPrefEnv({'set': [
+      ['dom.mozBrowserFramesEnabled', true],
+      ['dom.serviceWorkers.exemptFromPerDomainMax', true],
+      ['dom.serviceWorkers.enabled', true],
+      ['dom.serviceWorkers.testing.enabled', true]
+    ]}, () => {
+      SpecialPowers.pushPermissions([
+        { 'type': 'webapps-manage', 'allow': 1, 'context': document },
+        { 'type': 'browser', 'allow': 1, 'context': document },
+        { 'type': 'embed-apps', 'allow': 1, 'context': document }
+      ], () => {
+        SpecialPowers.autoConfirmAppInstall(() => {
+          SpecialPowers.autoConfirmAppUninstall(resolve);
+        });
+      });
+    });
+  });
+}
+
+function installApp() {
+  return new Promise((resolve, reject) => {
+    let req = navigator.mozApps.install(appManifestURL);
+    req.onsuccess = function() {
+      gApp = req.result;
+      is(req.result.manifestURL, appManifestURL, 'app installed');
+      if (req.result.installState == 'installed') {
+        is(req.result.installState, 'installed', 'app downloaded');
+        resolve()
+      } else {
+        req.result.ondownloadapplied = function() {
+          is(req.result.installState, 'installed', 'app downloaded');
+          resolve();
+        }
+      }
+    }
+    req.onerror = reject;
+  });
+}
+
+function checkSwRegistration(aExpectedRegistrations) {
+  return new Promise((resolve, reject) => {
+    let registrations = [];
+    registrations = gServiceWorkerManager.getAllRegistrations();
+    is(registrations.length, aExpectedRegistrations.length,
+       "There should be " + aExpectedRegistrations.length + " registrations");
+
+    for (let i = 0; i < registrations.length; i++) {
+      let registration = registrations.queryElementAt(i, Ci.nsIServiceWorkerInfo);
+      if (!registration) {
+        reject();
+        return;
+      }
+      is(registration.principal.origin, aExpectedRegistrations[i].origin,
+         "Registration principal should be as expected");
+    }
+    resolve();
+  });
+}
+
+
+function launchApp() {
+  if (!gApp) {
+    ok(false, 'No test application to launch');
+    return Promise.reject();
+  }
+  return new Promise((resolve, reject) => {
+    let iframe = document.createElement('iframe');
+    iframe.setAttribute('mozbrowser', 'true');
+    iframe.setAttribute('mozapp', gApp.manifestURL);
+    iframe.addEventListener('mozbrowsershowmodalprompt', function listener(e) {
+      let message = e.detail.message;
+      if (/OK/.exec(message)) {
+        ok(true, "Message from app: " + message);
+      } else if (/READY/.exec(message)) {
+        ok(true, 'Message from app: ' + message);
+        resolve();
+      }
+    }, false);
+    let domParent = document.getElementById('container');
+    domParent.appendChild(iframe);
+    ok(true, "origin " +  gOrigin + gApp.manifest.launch_path);
+    SpecialPowers.wrap(iframe.contentWindow).location =
+      gOrigin + gApp.manifest.launch_path;
+  });
+}
+
+function uninstallApp() {
+  return new Promise((resolve, reject) => {
+    if (!gApp) {
+      return reject();
+    }
+    let req = navigator.mozApps.mgmt.uninstall(gApp);
+    req.onsuccess = resolve;
+    req.onerror = reject;
+  });
+}
+
+function go() {
+  setup()
+    .then(installApp)
+    .then(launchApp)
+    .then(() => {
+      app = gAppsService.getAppByManifestURL(gApp.manifestURL);
+      return checkSwRegistration([{
+        origin: app.principal.origin
+      }]);
+    })
+    .then(uninstallApp)
+    .then(() => {
+      return checkSwRegistration([]);
+    })
+    .then(SimpleTest.finish)
+    .catch((e) => {
+      ok(false, 'Unexpected error ' + e);
+      SimpleTest.finish();
+    });
+}
+</script>
+</pre>
+<div id="container"></div>
+</body>
+</html>
diff --git a/dom/workers/test/serviceworkers/test_third_party_iframes.html b/dom/workers/test/serviceworkers/test_third_party_iframes.html
new file mode 100644
index 000000000000..ebea682accb1
--- /dev/null
+++ b/dom/workers/test/serviceworkers/test_third_party_iframes.html
@@ -0,0 +1,174 @@
+<!--
+  Any copyright is dedicated to the Public Domain.
+  http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+  <title>Bug 1152899 - Disallow the interception of third-party iframes using service workers when the third-party cookie preference is set</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe></iframe>
+</div>
+<pre id="test"></pre>
+<script class="testbody" type="text/javascript;version=1.7">
+
+SimpleTest.waitForExplicitFinish();
+
+let index = 0;
+function next() {
+  info("Step " + index);
+  if (index >= steps.length) {
+    SimpleTest.finish();
+    return;
+  }
+  try {
+    let i = index++;
+    steps[i]();
+  } catch(ex) {
+    ok(false, "Caught exception", ex);
+  }
+}
+
+onload = next;
+
+let iframe;
+let basePath = "/tests/dom/workers/test/serviceworkers/thirdparty/";
+let origin = window.location.protocol + "//" + window.location.host;
+let thirdPartyOrigin = "https://example.com";
+
+function testIframeLoaded() {
+  ok(true, "Iframe loaded");
+  iframe.removeEventListener("load", testIframeLoaded);
+  let message = {
+    source: "parent",
+    href: origin + basePath + "iframe2.html"
+  };
+  iframe.contentWindow.postMessage(message.toSource(), "*");
+}
+
+function loadThirdPartyIframe() {
+  let message = {
+    source: "parent",
+    href: thirdPartyOrigin + basePath + "iframe2.html"
+  }
+  iframe.contentWindow.postMessage(message.toSource(), "*");
+}
+
+function runTest(aExpectedResponses) {
+  iframe = document.querySelector("iframe");
+  iframe.src = thirdPartyOrigin + basePath + "register.html";
+  let responsesIndex = 0;
+  window.onmessage = function(e) {
+    let status = e.data.status;
+    let expected = aExpectedResponses[responsesIndex];
+    if (status == expected.status) {
+      ok(true, "Received expected " + expected.status);
+      if (expected.next) {
+        expected.next();
+      }
+    } else {
+      ok(false, "Expected " + expected.status + " got " + status);
+    }
+    responsesIndex++;
+  };
+}
+
+function testShouldIntercept(done) {
+  runTest([{
+    status: "ok"
+  }, {
+    status: "registrationdone",
+    next: function() {
+      iframe.addEventListener("load", testIframeLoaded);
+      iframe.src = origin + basePath + "iframe1.html";
+    }
+  }, {
+    status: "networkresponse",
+    next: loadThirdPartyIframe
+  }, {
+    status: "swresponse",
+    next: function() {
+      iframe.src = origin + basePath + "unregister.html";
+    }
+  }, {
+    status: "unregistrationdone",
+    next: function() {
+      window.onmessage = null;
+      ok(true, "Test finished successfully");
+      done();
+    }
+  }]);
+}
+
+function testShouldNotIntercept(done) {
+  runTest([{
+    status: "ok"
+  }, {
+    status: "registrationdone",
+    next: function() {
+      iframe.addEventListener("load", testIframeLoaded);
+      iframe.src = origin + basePath + "iframe1.html";
+    }
+  }, {
+    status: "networkresponse",
+    next: loadThirdPartyIframe
+  }, {
+    status: "networkresponse",
+    next: function() {
+      iframe.src = origin + basePath + "unregister.html";
+    }
+  }, {
+    status: "unregistrationdone",
+    next: function() {
+      window.onmessage = null;
+      ok(true, "Test finished successfully");
+      done();
+    }
+  }]);
+}
+
+const COOKIE_BEHAVIOR_ACCEPT        = 0;
+const COOKIE_BEHAVIOR_REJECTFOREIGN = 1;
+const COOKIE_BEHAVIOR_REJECT        = 2;
+const COOKIE_BEHAVIOR_LIMITFOREIGN  = 3;
+
+let steps = [() => {
+  SpecialPowers.pushPrefEnv({"set": [
+    ["dom.serviceWorkers.exemptFromPerDomainMax", true],
+    ["dom.serviceWorkers.enabled", true],
+    ["dom.serviceWorkers.testing.enabled", true],
+    ["browser.dom.window.dump.enabled", true],
+    ["network.cookie.cookieBehavior", COOKIE_BEHAVIOR_ACCEPT]
+  ]}, next);
+}, () => {
+  testShouldIntercept(next);
+}, () => {
+  SpecialPowers.pushPrefEnv({"set": [
+    ["network.cookie.cookieBehavior", COOKIE_BEHAVIOR_REJECTFOREIGN]
+  ]}, next);
+}, () => {
+  testShouldNotIntercept(next);
+}, () => {
+  SpecialPowers.pushPrefEnv({"set": [
+    ["network.cookie.cookieBehavior", COOKIE_BEHAVIOR_REJECT]
+  ]}, next);
+}, () => {
+  testShouldIntercept(next);
+}, () => {
+  SpecialPowers.pushPrefEnv({"set": [
+    ["network.cookie.cookieBehavior", COOKIE_BEHAVIOR_LIMITFOREIGN]
+  ]}, next);
+}, () => {
+  testShouldIntercept(next);
+}];
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/dom/workers/test/serviceworkers/thirdparty/iframe1.html b/dom/workers/test/serviceworkers/thirdparty/iframe1.html
new file mode 100644
index 000000000000..43fe8c5729b5
--- /dev/null
+++ b/dom/workers/test/serviceworkers/thirdparty/iframe1.html
@@ -0,0 +1,30 @@
+<!--
+  Any copyright is dedicated to the Public Domain.
+  http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<html>
+<head>
+  <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+  <title>SW third party iframe test</title>
+
+  <script type="text/javascript;version=1.7">
+    function messageListener(event) {
+      let message = eval(event.data);
+
+      dump("got message " + JSON.stringify(message) + "\n");
+      if (message.source == "parent") {
+        document.getElementById("iframe2").src = message.href;
+      }
+      else if (message.source == "iframe") {
+        parent.postMessage(event.data, "*");
+      }
+    }
+  </script>
+
+</head>
+
+<body onload="window.addEventListener('message', messageListener, false);">
+  <iframe id="iframe2"></iframe>
+</body>
+
+</html>
diff --git a/dom/workers/test/serviceworkers/thirdparty/iframe2.html b/dom/workers/test/serviceworkers/thirdparty/iframe2.html
new file mode 100644
index 000000000000..fac6a9395dea
--- /dev/null
+++ b/dom/workers/test/serviceworkers/thirdparty/iframe2.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<script>
+  window.parent.postMessage({
+    source: "iframe",
+    status: "networkresponse"
+  }, "*");
+</script>
diff --git a/dom/workers/test/serviceworkers/thirdparty/register.html b/dom/workers/test/serviceworkers/thirdparty/register.html
new file mode 100644
index 000000000000..59b8c5c41ad5
--- /dev/null
+++ b/dom/workers/test/serviceworkers/thirdparty/register.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<script>
+  function ok(v, msg) {
+    window.parent.postMessage({status: "ok", result: !!v, message: msg}, "*");
+  }
+
+  var isDone = false;
+  function done(reg) {
+    if (!isDone) {
+      ok(reg.waiting || reg.active,
+         "Either active or waiting worker should be available.");
+      window.parent.postMessage({status: "registrationdone"}, "*");
+      isDone = true;
+    }
+  }
+
+  navigator.serviceWorker.register("sw.js", {scope: "."})
+    .then(function(registration) {
+      if (registration.installing) {
+        registration.installing.onstatechange = function(e) {
+          done(registration);
+        };
+      } else {
+        done(registration);
+      }
+    });
+</script>
diff --git a/dom/workers/test/serviceworkers/thirdparty/sw.js b/dom/workers/test/serviceworkers/thirdparty/sw.js
new file mode 100644
index 000000000000..ca45698c8374
--- /dev/null
+++ b/dom/workers/test/serviceworkers/thirdparty/sw.js
@@ -0,0 +1,14 @@
+self.addEventListener("fetch", function(event) {
+  dump("fetch " + event.request.url + "\n");
+  if (event.request.url.indexOf("iframe2.html") >= 0) {
+    var body =
+      "<script>" +
+        "window.parent.postMessage({" +
+          "source: 'iframe', status: 'swresponse'" +
+        "}, '*');" +
+      "</script>";
+    event.respondWith(new Response(body, {
+      headers: {'Content-Type': 'text/html'}
+    }));
+  }
+});
diff --git a/dom/workers/test/serviceworkers/thirdparty/unregister.html b/dom/workers/test/serviceworkers/thirdparty/unregister.html
new file mode 100644
index 000000000000..a054f3bd2c09
--- /dev/null
+++ b/dom/workers/test/serviceworkers/thirdparty/unregister.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<script>
+  navigator.serviceWorker.getRegistration(".").then(function(registration) {
+    if(!registration) {
+      window.parent.postMessage({status: "unregistrationdone"}, "*");
+      return;
+    }
+    registration.unregister().then(() => {
+      window.parent.postMessage({status: "unregistrationdone"}, "*");
+    });
+  });
+</script>
diff --git a/embedding/components/webbrowserpersist/nsWebBrowserPersist.cpp b/embedding/components/webbrowserpersist/nsWebBrowserPersist.cpp
index b5f3cbf8686a..208f41469b8d 100644
--- a/embedding/components/webbrowserpersist/nsWebBrowserPersist.cpp
+++ b/embedding/components/webbrowserpersist/nsWebBrowserPersist.cpp
@@ -2529,6 +2529,36 @@ nsWebBrowserPersist::EnumCleanupUploadList(nsISupports *aKey, UploadData *aData,
     return PL_DHASH_NEXT;
 }
 
+static void
+AppendXMLAttr(const nsAString& key, const nsAString& aValue, nsAString& aBuffer)
+{
+    if (!aBuffer.IsEmpty()) {
+        aBuffer.Append(' ');
+    }
+    aBuffer.Append(key);
+    aBuffer.AppendLiteral("=\"");
+    for (size_t i = 0; i < aValue.Length(); ++i) {
+        switch (aValue[i]) {
+            case '&':
+                aBuffer.AppendLiteral("&amp;");
+                break;
+            case '<':
+                aBuffer.AppendLiteral("&lt;");
+                break;
+            case '>':
+                aBuffer.AppendLiteral("&gt;");
+                break;
+            case '"':
+                aBuffer.AppendLiteral("&quot;");
+                break;
+            default:
+                aBuffer.Append(aValue[i]);
+                break;
+        }
+    }
+    aBuffer.Append('"');
+}
+
 nsresult nsWebBrowserPersist::FixupXMLStyleSheetLink(nsIDOMProcessingInstruction *aPI, const nsAString &aHref)
 {
     NS_ENSURE_ARG_POINTER(aPI);
@@ -2568,30 +2598,28 @@ nsresult nsWebBrowserPersist::FixupXMLStyleSheetLink(nsIDOMProcessingInstruction
                                                 nsGkAtoms::media,
                                                 media);
 
-        NS_NAMED_LITERAL_STRING(kCloseAttr, "\" ");
         nsAutoString newData;
-        newData += NS_LITERAL_STRING("href=\"") + aHref + kCloseAttr;
+        AppendXMLAttr(NS_LITERAL_STRING("href"), aHref, newData);
         if (!title.IsEmpty())
         {
-            newData += NS_LITERAL_STRING("title=\"") + title + kCloseAttr;
+            AppendXMLAttr(NS_LITERAL_STRING("title"), title, newData);
         }
         if (!media.IsEmpty())
         {
-            newData += NS_LITERAL_STRING("media=\"") + media + kCloseAttr;
+            AppendXMLAttr(NS_LITERAL_STRING("media"), media, newData);
         }
         if (!type.IsEmpty())
         {
-            newData += NS_LITERAL_STRING("type=\"") + type + kCloseAttr;
+            AppendXMLAttr(NS_LITERAL_STRING("type"), type, newData);
         }
         if (!charset.IsEmpty())
         {
-            newData += NS_LITERAL_STRING("charset=\"") + charset + kCloseAttr;
+            AppendXMLAttr(NS_LITERAL_STRING("charset"), charset, newData);
         }
         if (!alternate.IsEmpty())
         {
-            newData += NS_LITERAL_STRING("alternate=\"") + alternate + kCloseAttr;
+            AppendXMLAttr(NS_LITERAL_STRING("alternate"), alternate, newData);
         }
-        newData.Truncate(newData.Length() - 1);  // Remove the extra space on the end.
         aPI->SetData(newData);
     }
 
diff --git a/embedding/test/bug1170334_iframe.xml b/embedding/test/bug1170334_iframe.xml
new file mode 100644
index 000000000000..1821e07f967d
--- /dev/null
+++ b/embedding/test/bug1170334_iframe.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<?xml-stylesheet href="bug1170334_style.css" type="text/css" title="&quot;?&gt;FAIL"?>
+<thing/>
diff --git a/embedding/test/bug1170334_style.css b/embedding/test/bug1170334_style.css
new file mode 100644
index 000000000000..476c22b695c2
--- /dev/null
+++ b/embedding/test/bug1170334_style.css
@@ -0,0 +1 @@
+/* This stylesheet intentionally left blank. */
diff --git a/embedding/test/chrome.ini b/embedding/test/chrome.ini
index 14dccff247a4..4684b7612937 100644
--- a/embedding/test/chrome.ini
+++ b/embedding/test/chrome.ini
@@ -3,6 +3,9 @@ skip-if = buildapp == 'b2g'
 support-files =
   320x240.ogv
   bug449141_page.html
+  bug1170334_iframe.xml
+  bug1170334_style.css
 
 [test_bug449141.html]
 skip-if = toolkit == 'android'
+[test_bug1170334_wbp_xmlstyle.html]
diff --git a/embedding/test/test_bug1170334_wbp_xmlstyle.html b/embedding/test/test_bug1170334_wbp_xmlstyle.html
new file mode 100644
index 000000000000..4dee9a6ba735
--- /dev/null
+++ b/embedding/test/test_bug1170334_wbp_xmlstyle.html
@@ -0,0 +1,80 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1170334
+-->
+<head>
+  <title>Test for Bug 1170334 (nsWebBrowserPersist vs. XML stylesheets)</title>
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1170334">Mozilla Bug 1170334</a>
+<p id="display"></p>
+<pre id="results"></pre>
+<div id="content">
+  <iframe src="bug1170334_iframe.xml" id="iframe"></iframe>
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript;version=1.7">
+const nameStem="test_bug1170334_" + Date.now();
+const { Ci, Cc, Cu, Cr } = SpecialPowers;
+let iframe = document.getElementById("iframe");
+
+SimpleTest.waitForExplicitFinish();
+
+iframe.onload = function iframe_onload1() {
+  let doc = iframe.contentDocument;
+  ok(doc, "iframe content document exists");
+
+  let wbp = Cc["@mozilla.org/embedding/browser/nsWebBrowserPersist;1"]
+            .createInstance(Ci.nsIWebBrowserPersist);
+  let ios = Cc["@mozilla.org/network/io-service;1"]
+            .getService(Ci.nsIIOService);
+  let tmp = Cc["@mozilla.org/file/directory_service;1"]
+            .getService(Ci.nsIProperties)
+            .get("TmpD", Ci.nsIFile);
+  let tmpFile = tmp.clone();
+  tmpFile.append(nameStem + "_iframe.xml");
+  let tmpDir = tmp.clone();
+  tmpDir.append(nameStem + "_files");
+
+  // When the document in the iframe is saved, try to load the result.
+  wbp.progressListener = {
+    onProgressChange: function(){},
+    onLocationChange: function(){},
+    onStatusChange: function(){},
+    onSecurityChange: function(){},
+    onStateChange: function wbp_stateChange(_wbp, _req, state, status) {
+      if ((state & Ci.nsIWebProgressListener.STATE_STOP) == 0) {
+	return;
+      }
+      is(status, Cr.NS_OK, "nsWebBrowserPersist status");
+      iframe.onload = function iframe_onload2() {
+	let elem = iframe.contentDocument.documentElement;
+	is(elem && elem.tagName, "thing", "document element tag");
+	if (elem && elem.tagName == "parsererror") {
+	  ok(false, "Parser error: " + elem.textContent);
+	}
+
+	cleanUp();
+	SimpleTest.finish();
+      };
+      iframe.src = ios.newFileURI(tmpFile).spec;
+    }
+  };
+  wbp.saveDocument(doc, tmpFile, tmpDir, null, 0, 0);
+
+  function cleanUp() {
+    if (tmpFile.exists()) {
+      tmpFile.remove(/* recursive: */ false);
+    }
+    if (tmpDir.exists()) {
+      tmpDir.remove(/* recursive: */ true);
+    }
+  }
+};
+</script>
+</pre>
+</body>
+</html>
diff --git a/gfx/2d/2D.h b/gfx/2d/2D.h
index 9bae3a3f61a7..3605f12253ea 100644
--- a/gfx/2d/2D.h
+++ b/gfx/2d/2D.h
@@ -395,6 +395,52 @@ public:
     READ_WRITE
   };
 
+  /**
+   * This is a scoped version of Map(). Map() is called in the constructor and
+   * Unmap() in the destructor. Use this for automatic unmapping of your data
+   * surfaces.
+   *
+   * Use IsMapped() to verify whether Map() succeeded or not.
+   */
+  class ScopedMap {
+  public:
+    explicit ScopedMap(DataSourceSurface* aSurface, MapType aType)
+      : mSurface(aSurface)
+      , mIsMapped(aSurface->Map(aType, &mMap)) {}
+
+    virtual ~ScopedMap()
+    {
+      if (mIsMapped) {
+        mSurface->Unmap();
+      }
+    }
+
+    uint8_t* GetData()
+    {
+      MOZ_ASSERT(mIsMapped);
+      return mMap.mData;
+    }
+
+    int32_t GetStride()
+    {
+      MOZ_ASSERT(mIsMapped);
+      return mMap.mStride;
+    }
+
+    MappedSurface* GetMappedSurface()
+    {
+      MOZ_ASSERT(mIsMapped);
+      return &mMap;
+    }
+
+    bool IsMapped() { return mIsMapped; }
+
+  private:
+    RefPtr<DataSourceSurface> mSurface;
+    MappedSurface mMap;
+    bool mIsMapped;
+  };
+
   virtual SurfaceType GetType() const override { return SurfaceType::DATA; }
   /** @deprecated
    * Get the raw bitmap data of the surface.
diff --git a/gfx/2d/DataSurfaceHelpers.cpp b/gfx/2d/DataSurfaceHelpers.cpp
index d0f08fa295cd..dbccf5673e17 100644
--- a/gfx/2d/DataSurfaceHelpers.cpp
+++ b/gfx/2d/DataSurfaceHelpers.cpp
@@ -16,7 +16,9 @@ namespace mozilla {
 namespace gfx {
 
 uint8_t*
-DataAtOffset(DataSourceSurface* aSurface, IntPoint aPoint)
+DataAtOffset(DataSourceSurface* aSurface,
+             DataSourceSurface::MappedSurface* aMap,
+             IntPoint aPoint)
 {
   if (!SurfaceContainsPoint(aSurface, aPoint)) {
     MOZ_CRASH("sample position needs to be inside surface!");
@@ -25,10 +27,10 @@ DataAtOffset(DataSourceSurface* aSurface, IntPoint aPoint)
   MOZ_ASSERT(Factory::CheckSurfaceSize(aSurface->GetSize()),
              "surface size overflows - this should have been prevented when the surface was created");
 
-  uint8_t* data = aSurface->GetData() + aPoint.y * aSurface->Stride() +
+  uint8_t* data = aMap->mData + aPoint.y * aMap->mStride +
     aPoint.x * BytesPerPixel(aSurface->GetFormat());
 
-  if (data < aSurface->GetData()) {
+  if (data < aMap->mData) {
     MOZ_CRASH("out-of-range data access");
   }
 
@@ -250,10 +252,16 @@ CopyRect(DataSourceSurface* aSrc, DataSourceSurface* aDest,
     return;
   }
 
-  uint8_t* sourceData = DataAtOffset(aSrc, aSrcRect.TopLeft());
-  uint32_t sourceStride = aSrc->Stride();
-  uint8_t* destData = DataAtOffset(aDest, aDestPoint);
-  uint32_t destStride = aDest->Stride();
+  DataSourceSurface::ScopedMap srcMap(aSrc, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap destMap(aDest, DataSourceSurface::WRITE);
+  if (MOZ2D_WARN_IF(!srcMap.IsMapped() || !destMap.IsMapped())) {
+    return;
+  }
+
+  uint8_t* sourceData = DataAtOffset(aSrc, srcMap.GetMappedSurface(), aSrcRect.TopLeft());
+  uint32_t sourceStride = srcMap.GetStride();
+  uint8_t* destData = DataAtOffset(aDest, destMap.GetMappedSurface(), aDestPoint);
+  uint32_t destStride = destMap.GetStride();
 
   if (BytesPerPixel(aSrc->GetFormat()) == 4) {
     for (int32_t y = 0; y < aSrcRect.height; y++) {
diff --git a/gfx/2d/DataSurfaceHelpers.h b/gfx/2d/DataSurfaceHelpers.h
index e1afecee1df0..4444f747c0c9 100644
--- a/gfx/2d/DataSurfaceHelpers.h
+++ b/gfx/2d/DataSurfaceHelpers.h
@@ -90,7 +90,9 @@ CreateDataSourceSurfaceByCloning(DataSourceSurface* aSource);
  * Return the byte at aPoint.
  */
 uint8_t*
-DataAtOffset(DataSourceSurface* aSurface, IntPoint aPoint);
+DataAtOffset(DataSourceSurface* aSurface,
+             DataSourceSurface::MappedSurface* aMap,
+             IntPoint aPoint);
 
 /**
  * Check if aPoint is contained by the surface.
diff --git a/gfx/2d/DrawTargetD2D.cpp b/gfx/2d/DrawTargetD2D.cpp
index 57be72b4c3a9..98bee747cf7c 100644
--- a/gfx/2d/DrawTargetD2D.cpp
+++ b/gfx/2d/DrawTargetD2D.cpp
@@ -305,15 +305,22 @@ DrawTargetD2D::GetBitmapForSurface(SourceSurface *aSurface,
         return nullptr;
       }
 
-      int stride = srcSurf->Stride();
+      HRESULT hr;
+      {
+        DataSourceSurface::ScopedMap srcMap(srcSurf, DataSourceSurface::READ);
+        if (MOZ2D_WARN_IF(!srcMap.IsMapped())) {
+          return nullptr;
+        }
 
-      unsigned char *data = srcSurf->GetData() +
-                            (uint32_t)sourceRect.y * stride +
-                            (uint32_t)sourceRect.x * BytesPerPixel(srcSurf->GetFormat());
+        int stride = srcMap.GetStride();
+        unsigned char *data = srcMap.GetData() +
+                              (uint32_t)sourceRect.y * stride +
+                              (uint32_t)sourceRect.x * BytesPerPixel(srcSurf->GetFormat());
 
-      D2D1_BITMAP_PROPERTIES props =
-        D2D1::BitmapProperties(D2DPixelFormat(srcSurf->GetFormat()));
-      HRESULT hr = mRT->CreateBitmap(D2D1::SizeU(UINT32(sourceRect.width), UINT32(sourceRect.height)), data, stride, props, byRef(bitmap));
+        D2D1_BITMAP_PROPERTIES props =
+          D2D1::BitmapProperties(D2DPixelFormat(srcSurf->GetFormat()));
+        hr = mRT->CreateBitmap(D2D1::SizeU(UINT32(sourceRect.width), UINT32(sourceRect.height)), data, stride, props, byRef(bitmap));
+      }
       if (FAILED(hr)) {
         IntSize size(sourceRect.width, sourceRect.height);
         gfxCriticalError(CriticalLog::DefaultOptions(Factory::ReasonableSurfaceSize(size))) << "[D2D] 1CreateBitmap failure " << size << " Code: " << hexa(hr);
diff --git a/gfx/2d/DrawTargetD2D1.cpp b/gfx/2d/DrawTargetD2D1.cpp
index 8cbfad641369..4a402cc6c886 100644
--- a/gfx/2d/DrawTargetD2D1.cpp
+++ b/gfx/2d/DrawTargetD2D1.cpp
@@ -1536,22 +1536,22 @@ DrawTargetD2D1::OptimizeSourceSurface(SourceSurface* aSurface) const
 
   RefPtr<DataSourceSurface> data = aSurface->GetDataSurface();
 
-  DataSourceSurface::MappedSurface map;
-  if (!data->Map(DataSourceSurface::MapType::READ, &map)) {
-    return nullptr;
-  }
-
   RefPtr<ID2D1Bitmap1> bitmap;
-  HRESULT hr = mDC->CreateBitmap(D2DIntSize(data->GetSize()), map.mData, map.mStride,
-                                 D2D1::BitmapProperties1(D2D1_BITMAP_OPTIONS_NONE, D2DPixelFormat(data->GetFormat())),
-                                 byRef(bitmap));
+  {
+    DataSourceSurface::ScopedMap map(data, DataSourceSurface::READ);
+    if (MOZ2D_WARN_IF(!map.IsMapped())) {
+      return nullptr;
+    }
 
-  if (FAILED(hr)) {
-    gfxCriticalError(CriticalLog::DefaultOptions(Factory::ReasonableSurfaceSize(data->GetSize()))) << "[D2D1.1] 4CreateBitmap failure " << data->GetSize() << " Code: " << hexa(hr);
+    HRESULT hr = mDC->CreateBitmap(D2DIntSize(data->GetSize()), map.GetData(), map.GetStride(),
+                                   D2D1::BitmapProperties1(D2D1_BITMAP_OPTIONS_NONE, D2DPixelFormat(data->GetFormat())),
+                                   byRef(bitmap));
+
+    if (FAILED(hr)) {
+      gfxCriticalError(CriticalLog::DefaultOptions(Factory::ReasonableSurfaceSize(data->GetSize()))) << "[D2D1.1] 4CreateBitmap failure " << data->GetSize() << " Code: " << hexa(hr);
+    }
   }
 
-  data->Unmap();
-
   if (!bitmap) {
     return data.forget();
   }
diff --git a/gfx/2d/DrawTargetTiled.h b/gfx/2d/DrawTargetTiled.h
index be020c2ca927..934237632ce1 100644
--- a/gfx/2d/DrawTargetTiled.h
+++ b/gfx/2d/DrawTargetTiled.h
@@ -177,7 +177,10 @@ public:
     RefPtr<DataSourceSurface> surf = Factory::CreateDataSourceSurface(GetSize(), GetFormat());
 
     DataSourceSurface::MappedSurface mappedSurf;
-    surf->Map(DataSourceSurface::MapType::WRITE, &mappedSurf);
+    if (!surf->Map(DataSourceSurface::MapType::WRITE, &mappedSurf)) {
+      gfxCriticalError() << "DrawTargetTiled::GetDataSurface failed to map surface";
+      return nullptr;
+    }
 
     {
       RefPtr<DrawTarget> dt =
diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp
index cccc540aab0b..6b8611b84e4e 100644
--- a/gfx/2d/FilterNodeSoftware.cpp
+++ b/gfx/2d/FilterNodeSoftware.cpp
@@ -195,9 +195,12 @@ FillRectWithPixel(DataSourceSurface *aSurface, const IntRect &aFillRect, IntPoin
   MOZ_ASSERT(SurfaceContainsPoint(aSurface, aPixelPos),
              "aPixelPos needs to be inside the surface");
 
-  int32_t stride = aSurface->Stride();
-  uint8_t* sourcePixelData = DataAtOffset(aSurface, aPixelPos);
-  uint8_t* data = DataAtOffset(aSurface, aFillRect.TopLeft());
+  DataSourceSurface::ScopedMap surfMap(aSurface, DataSourceSurface::READ_WRITE);
+  if(MOZ2D_WARN_IF(!surfMap.IsMapped())) {
+    return;
+  }
+  uint8_t* sourcePixelData = DataAtOffset(aSurface, surfMap.GetMappedSurface(), aPixelPos);
+  uint8_t* data = DataAtOffset(aSurface, surfMap.GetMappedSurface(), aFillRect.TopLeft());
   int bpp = BytesPerPixel(aSurface->GetFormat());
 
   // Fill the first row by hand.
@@ -213,7 +216,7 @@ FillRectWithPixel(DataSourceSurface *aSurface, const IntRect &aFillRect, IntPoin
 
   // Copy the first row into the other rows.
   for (int32_t y = 1; y < aFillRect.height; y++) {
-    PodCopy(data + y * stride, data, aFillRect.width * bpp);
+    PodCopy(data + y * surfMap.GetStride(), data, aFillRect.width * bpp);
   }
 }
 
@@ -229,18 +232,22 @@ FillRectWithVerticallyRepeatingHorizontalStrip(DataSourceSurface *aSurface,
   MOZ_ASSERT(IntRect(IntPoint(), aSurface->GetSize()).Contains(aSampleRect),
              "aSampleRect needs to be completely inside the surface");
 
-  int32_t stride = aSurface->Stride();
-  uint8_t* sampleData = DataAtOffset(aSurface, aSampleRect.TopLeft());
-  uint8_t* data = DataAtOffset(aSurface, aFillRect.TopLeft());
+  DataSourceSurface::ScopedMap surfMap(aSurface, DataSourceSurface::READ_WRITE);
+  if (MOZ2D_WARN_IF(!surfMap.IsMapped())) {
+    return;
+  }
+
+  uint8_t* sampleData = DataAtOffset(aSurface, surfMap.GetMappedSurface(), aSampleRect.TopLeft());
+  uint8_t* data = DataAtOffset(aSurface, surfMap.GetMappedSurface(), aFillRect.TopLeft());
   if (BytesPerPixel(aSurface->GetFormat()) == 4) {
     for (int32_t y = 0; y < aFillRect.height; y++) {
       PodCopy((uint32_t*)data, (uint32_t*)sampleData, aFillRect.width);
-      data += stride;
+      data += surfMap.GetStride();
     }
   } else if (BytesPerPixel(aSurface->GetFormat()) == 1) {
     for (int32_t y = 0; y < aFillRect.height; y++) {
       PodCopy(data, sampleData, aFillRect.width);
-      data += stride;
+      data += surfMap.GetStride();
     }
   }
 }
@@ -257,24 +264,28 @@ FillRectWithHorizontallyRepeatingVerticalStrip(DataSourceSurface *aSurface,
   MOZ_ASSERT(IntRect(IntPoint(), aSurface->GetSize()).Contains(aSampleRect),
              "aSampleRect needs to be completely inside the surface");
 
-  int32_t stride = aSurface->Stride();
-  uint8_t* sampleData = DataAtOffset(aSurface, aSampleRect.TopLeft());
-  uint8_t* data = DataAtOffset(aSurface, aFillRect.TopLeft());
+  DataSourceSurface::ScopedMap surfMap(aSurface, DataSourceSurface::READ_WRITE);
+  if (MOZ2D_WARN_IF(!surfMap.IsMapped())) {
+    return;
+  }
+
+  uint8_t* sampleData = DataAtOffset(aSurface, surfMap.GetMappedSurface(), aSampleRect.TopLeft());
+  uint8_t* data = DataAtOffset(aSurface, surfMap.GetMappedSurface(), aFillRect.TopLeft());
   if (BytesPerPixel(aSurface->GetFormat()) == 4) {
     for (int32_t y = 0; y < aFillRect.height; y++) {
       int32_t sampleColor = *((uint32_t*)sampleData);
       for (int32_t x = 0; x < aFillRect.width; x++) {
         *((uint32_t*)data + x) = sampleColor;
       }
-      data += stride;
-      sampleData += stride;
+      data += surfMap.GetStride();
+      sampleData += surfMap.GetStride();
     }
   } else if (BytesPerPixel(aSurface->GetFormat()) == 1) {
     for (int32_t y = 0; y < aFillRect.height; y++) {
       uint8_t sampleColor = *sampleData;
       memset(data, sampleColor, aFillRect.width);
-      data += stride;
-      sampleData += stride;
+      data += surfMap.GetStride();
+      sampleData += surfMap.GetStride();
     }
   }
 }
@@ -987,12 +998,18 @@ FilterNodeBlendSoftware::Render(const IntRect& aRect)
 
   CopyRect(input1, target, IntRect(IntPoint(), size), IntPoint());
 
+  // This needs to stay in scope until the draw target has been flushed.
+  DataSourceSurface::ScopedMap targetMap(target, DataSourceSurface::READ_WRITE);
+  if (MOZ2D_WARN_IF(!targetMap.IsMapped())) {
+    return nullptr;
+  }
+
   RefPtr<DrawTarget> dt =
-	    Factory::CreateDrawTargetForData(BackendType::CAIRO,
-	                                     target->GetData(),
-	                                     target->GetSize(),
-	                                     target->Stride(),
-	                                     target->GetFormat());
+    Factory::CreateDrawTargetForData(BackendType::CAIRO,
+                                     targetMap.GetData(),
+                                     target->GetSize(),
+                                     targetMap.GetStride(),
+                                     target->GetFormat());
 
   if (!dt) {
     gfxWarning() << "FilterNodeBlendSoftware::Render failed in CreateDrawTargetForData";
@@ -1095,7 +1112,10 @@ FilterNodeTransformSoftware::Render(const IntRect& aRect)
   }
 
   DataSourceSurface::MappedSurface mapping;
-  surf->Map(DataSourceSurface::MapType::WRITE, &mapping);
+  if (!surf->Map(DataSourceSurface::MapType::WRITE, &mapping)) {
+    gfxCriticalError() << "FilterNodeTransformSoftware::Render failed to map surface";
+    return nullptr;
+  }
 
   RefPtr<DrawTarget> dt =
     Factory::CreateDrawTargetForData(BackendType::CAIRO,
@@ -1195,14 +1215,18 @@ ApplyMorphology(const IntRect& aSourceRect, DataSourceSurface* aInput,
       return nullptr;
     }
 
-    int32_t sourceStride = aInput->Stride();
-    uint8_t* sourceData = DataAtOffset(aInput, destRect.TopLeft() - srcRect.TopLeft());
-
-    int32_t tmpStride = tmp->Stride();
-    uint8_t* tmpData = DataAtOffset(tmp, destRect.TopLeft() - tmpRect.TopLeft());
+    DataSourceSurface::ScopedMap sourceMap(aInput, DataSourceSurface::READ);
+    DataSourceSurface::ScopedMap tmpMap(tmp, DataSourceSurface::WRITE);
+    if (MOZ2D_WARN_IF(!sourceMap.IsMapped() || !tmpMap.IsMapped())) {
+      return nullptr;
+    }
+    uint8_t* sourceData = DataAtOffset(aInput, sourceMap.GetMappedSurface(),
+                                       destRect.TopLeft() - srcRect.TopLeft());
+    uint8_t* tmpData = DataAtOffset(tmp, tmpMap.GetMappedSurface(),
+                                    destRect.TopLeft() - tmpRect.TopLeft());
 
     FilterProcessing::ApplyMorphologyHorizontal(
-      sourceData, sourceStride, tmpData, tmpStride, tmpRect, rx, aOperator);
+      sourceData, sourceMap.GetStride(), tmpData, tmpMap.GetStride(), tmpRect, rx, aOperator);
   }
 
   RefPtr<DataSourceSurface> dest;
@@ -1214,11 +1238,16 @@ ApplyMorphology(const IntRect& aSourceRect, DataSourceSurface* aInput,
       return nullptr;
     }
 
-    int32_t tmpStride = tmp->Stride();
-    uint8_t* tmpData = DataAtOffset(tmp, destRect.TopLeft() - tmpRect.TopLeft());
+    DataSourceSurface::ScopedMap tmpMap(tmp, DataSourceSurface::READ);
+    DataSourceSurface::ScopedMap destMap(dest, DataSourceSurface::WRITE);
+    if (MOZ2D_WARN_IF(!tmpMap.IsMapped() || !destMap.IsMapped())) {
+      return nullptr;
+    }
+    int32_t tmpStride = tmpMap.GetStride();
+    uint8_t* tmpData = DataAtOffset(tmp, tmpMap.GetMappedSurface(), destRect.TopLeft() - tmpRect.TopLeft());
 
-    int32_t destStride = dest->Stride();
-    uint8_t* destData = dest->GetData();
+    int32_t destStride = destMap.GetStride();
+    uint8_t* destData = destMap.GetData();
 
     FilterProcessing::ApplyMorphologyVertical(
       tmpData, tmpStride, destData, destStride, destRect, ry, aOperator);
@@ -1313,10 +1342,16 @@ Premultiply(DataSourceSurface* aSurface)
     return nullptr;
   }
 
-  uint8_t* inputData = aSurface->GetData();
-  int32_t inputStride = aSurface->Stride();
-  uint8_t* targetData = target->GetData();
-  int32_t targetStride = target->Stride();
+  DataSourceSurface::ScopedMap inputMap(aSurface, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap targetMap(target, DataSourceSurface::WRITE);
+  if (MOZ2D_WARN_IF(!inputMap.IsMapped() || !targetMap.IsMapped())) {
+    return nullptr;
+  }
+
+  uint8_t* inputData = inputMap.GetData();
+  int32_t inputStride = inputMap.GetStride();
+  uint8_t* targetData = targetMap.GetData();
+  int32_t targetStride = targetMap.GetStride();
 
   FilterProcessing::DoPremultiplicationCalculation(
     size, targetData, targetStride, inputData, inputStride);
@@ -1339,10 +1374,16 @@ Unpremultiply(DataSourceSurface* aSurface)
     return nullptr;
   }
 
-  uint8_t* inputData = aSurface->GetData();
-  int32_t inputStride = aSurface->Stride();
-  uint8_t* targetData = target->GetData();
-  int32_t targetStride = target->Stride();
+  DataSourceSurface::ScopedMap inputMap(aSurface, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap targetMap(target, DataSourceSurface::WRITE);
+  if (MOZ2D_WARN_IF(!inputMap.IsMapped() || !targetMap.IsMapped())) {
+    return nullptr;
+  }
+
+  uint8_t* inputData = inputMap.GetData();
+  int32_t inputStride = inputMap.GetStride();
+  uint8_t* targetData = targetMap.GetData();
+  int32_t targetStride = targetMap.GetStride();
 
   FilterProcessing::DoUnpremultiplicationCalculation(
     size, targetData, targetStride, inputData, inputStride);
@@ -1429,8 +1470,13 @@ FilterNodeFloodSoftware::Render(const IntRect& aRect)
     return nullptr;
   }
 
-  uint8_t* targetData = target->GetData();
-  uint32_t stride = target->Stride();
+  DataSourceSurface::ScopedMap targetMap(target, DataSourceSurface::WRITE);
+  if (MOZ2D_WARN_IF(!targetMap.IsMapped())) {
+    return nullptr;
+  }
+
+  uint8_t* targetData = targetMap.GetData();
+  int32_t stride = targetMap.GetStride();
 
   if (format == SurfaceFormat::B8G8R8A8) {
     uint32_t color = ColorToBGRA(mColor);
@@ -1649,10 +1695,16 @@ static void TransferComponents(DataSourceSurface* aInput,
   MOZ_ASSERT(aInput->GetFormat() == aTarget->GetFormat(), "different formats");
   IntSize size = aInput->GetSize();
 
-  uint8_t* sourceData = aInput->GetData();
-  uint8_t* targetData = aTarget->GetData();
-  uint32_t sourceStride = aInput->Stride();
-  uint32_t targetStride = aTarget->Stride();
+  DataSourceSurface::ScopedMap sourceMap(aInput, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap targetMap(aTarget, DataSourceSurface::WRITE);
+  if (MOZ2D_WARN_IF(!sourceMap.IsMapped() || !targetMap.IsMapped())) {
+    return;
+  }
+
+  uint8_t* sourceData = sourceMap.GetData();
+  int32_t sourceStride = sourceMap.GetStride();
+  uint8_t* targetData = targetMap.GetData();
+  int32_t targetStride = targetMap.GetStride();
 
   for (int32_t y = 0; y < size.height; y++) {
     for (int32_t x = 0; x < size.width; x++) {
@@ -2392,10 +2444,16 @@ FilterNodeConvolveMatrixSoftware::DoRender(const IntRect& aRect,
 
   IntPoint offset = aRect.TopLeft() - srcRect.TopLeft();
 
-  uint8_t* sourceData = DataAtOffset(input, offset);
-  int32_t sourceStride = input->Stride();
-  uint8_t* targetData = target->GetData();
-  int32_t targetStride = target->Stride();
+  DataSourceSurface::ScopedMap sourceMap(input, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap targetMap(target, DataSourceSurface::WRITE);
+  if (MOZ2D_WARN_IF(!sourceMap.IsMapped() || !targetMap.IsMapped())) {
+    return nullptr;
+  }
+
+  uint8_t* sourceData = DataAtOffset(input, sourceMap.GetMappedSurface(), offset);
+  int32_t sourceStride = sourceMap.GetStride();
+  uint8_t* targetData = targetMap.GetData();
+  int32_t targetStride = targetMap.GetStride();
 
   // Why exactly are we reversing the kernel?
   std::vector<Float> kernel = ReversedVector(mKernelMatrix);
@@ -2538,12 +2596,19 @@ FilterNodeDisplacementMapSoftware::Render(const IntRect& aRect)
 
   IntPoint offset = aRect.TopLeft() - srcRect.TopLeft();
 
-  uint8_t* sourceData = DataAtOffset(input, offset);
-  int32_t sourceStride = input->Stride();
-  uint8_t* mapData = map->GetData();
-  int32_t mapStride = map->Stride();
-  uint8_t* targetData = target->GetData();
-  int32_t targetStride = target->Stride();
+  DataSourceSurface::ScopedMap inputMap(input, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap mapMap(map, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap targetMap(target, DataSourceSurface::WRITE);
+  if (MOZ2D_WARN_IF(!(inputMap.IsMapped() && mapMap.IsMapped() && targetMap.IsMapped()))) {
+    return nullptr;
+  }
+
+  uint8_t* sourceData = DataAtOffset(input, inputMap.GetMappedSurface(), offset);
+  int32_t sourceStride = inputMap.GetStride();
+  uint8_t* mapData = mapMap.GetData();
+  int32_t mapStride = mapMap.GetStride();
+  uint8_t* targetData = targetMap.GetData();
+  int32_t targetStride = targetMap.GetStride();
 
   static const ptrdiff_t channelMap[4] = {
                              B8G8R8A8_COMPONENT_BYTEOFFSET_R,
@@ -2885,19 +2950,35 @@ FilterNodeBlurXYSoftware::Render(const IntRect& aRect)
       return nullptr;
     }
     CopyRect(input, target, IntRect(IntPoint(), input->GetSize()), IntPoint());
-    AlphaBoxBlur blur(r, target->Stride(), sigmaXY.width, sigmaXY.height);
-    blur.Blur(target->GetData());
+
+    DataSourceSurface::ScopedMap targetMap(target, DataSourceSurface::READ_WRITE);
+    if (MOZ2D_WARN_IF(!targetMap.IsMapped())) {
+      return nullptr;
+    }
+    AlphaBoxBlur blur(r, targetMap.GetStride(), sigmaXY.width, sigmaXY.height);
+    blur.Blur(targetMap.GetData());
   } else {
     RefPtr<DataSourceSurface> channel0, channel1, channel2, channel3;
     FilterProcessing::SeparateColorChannels(input, channel0, channel1, channel2, channel3);
-    if (MOZ2D_WARN_IF(!(channel0 && channel1 && channel2))) {
+    if (MOZ2D_WARN_IF(!(channel0 && channel1 && channel2 && channel3))) {
       return nullptr;
     }
-    AlphaBoxBlur blur(r, channel0->Stride(), sigmaXY.width, sigmaXY.height);
-    blur.Blur(channel0->GetData());
-    blur.Blur(channel1->GetData());
-    blur.Blur(channel2->GetData());
-    blur.Blur(channel3->GetData());
+    {
+      DataSourceSurface::ScopedMap channel0Map(channel0, DataSourceSurface::READ_WRITE);
+      DataSourceSurface::ScopedMap channel1Map(channel1, DataSourceSurface::READ_WRITE);
+      DataSourceSurface::ScopedMap channel2Map(channel2, DataSourceSurface::READ_WRITE);
+      DataSourceSurface::ScopedMap channel3Map(channel3, DataSourceSurface::READ_WRITE);
+      if (MOZ2D_WARN_IF(!(channel0Map.IsMapped() && channel1Map.IsMapped() &&
+                          channel2Map.IsMapped() && channel3Map.IsMapped()))) {
+        return nullptr;
+      }
+
+      AlphaBoxBlur blur(r, channel0Map.GetStride(), sigmaXY.width, sigmaXY.height);
+      blur.Blur(channel0Map.GetData());
+      blur.Blur(channel1Map.GetData());
+      blur.Blur(channel2Map.GetData());
+      blur.Blur(channel3Map.GetData());
+    }
     target = FilterProcessing::CombineColorChannels(channel0, channel1, channel2, channel3);
   }
 
@@ -3414,10 +3495,17 @@ FilterNodeLightingSoftware<LightType, LightingType>::DoRender(const IntRect& aRe
 
   IntPoint offset = aRect.TopLeft() - srcRect.TopLeft();
 
-  uint8_t* sourceData = DataAtOffset(input, offset);
-  int32_t sourceStride = input->Stride();
-  uint8_t* targetData = target->GetData();
-  int32_t targetStride = target->Stride();
+
+  DataSourceSurface::ScopedMap sourceMap(input, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap targetMap(target, DataSourceSurface::WRITE);
+  if (MOZ2D_WARN_IF(!(sourceMap.IsMapped() && targetMap.IsMapped()))) {
+    return nullptr;
+  }
+
+  uint8_t* sourceData = DataAtOffset(input, sourceMap.GetMappedSurface(), offset);
+  int32_t sourceStride = sourceMap.GetStride();
+  uint8_t* targetData = targetMap.GetData();
+  int32_t targetStride = targetMap.GetStride();
 
   uint32_t lightColor = ColorToBGRA(mColor);
   mLight.Prepare();
diff --git a/gfx/2d/FilterProcessing.cpp b/gfx/2d/FilterProcessing.cpp
index 084f9476c53a..5d03f2da214c 100644
--- a/gfx/2d/FilterProcessing.cpp
+++ b/gfx/2d/FilterProcessing.cpp
@@ -17,10 +17,17 @@ FilterProcessing::ExtractAlpha(DataSourceSurface* aSource)
   if (MOZ2D_WARN_IF(!alpha)) {
     return nullptr;
   }
-  uint8_t* sourceData = aSource->GetData();
-  int32_t sourceStride = aSource->Stride();
-  uint8_t* alphaData = alpha->GetData();
-  int32_t alphaStride = alpha->Stride();
+
+  DataSourceSurface::ScopedMap sourceMap(aSource, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap alphaMap(alpha, DataSourceSurface::WRITE);
+  if (MOZ2D_WARN_IF(!sourceMap.IsMapped() || !alphaMap.IsMapped())) {
+    return nullptr;
+  }
+
+  uint8_t* sourceData = sourceMap.GetData();
+  int32_t sourceStride = sourceMap.GetStride();
+  uint8_t* alphaData = alphaMap.GetData();
+  int32_t alphaStride = alphaMap.GetStride();
 
   if (Factory::HasSSE2()) {
 #ifdef USE_SSE2
@@ -130,13 +137,23 @@ FilterProcessing::SeparateColorChannels(DataSourceSurface* aSource,
     return;
   }
 
-  uint8_t* sourceData = aSource->GetData();
-  int32_t sourceStride = aSource->Stride();
-  uint8_t* channel0Data = aChannel0->GetData();
-  uint8_t* channel1Data = aChannel1->GetData();
-  uint8_t* channel2Data = aChannel2->GetData();
-  uint8_t* channel3Data = aChannel3->GetData();
-  int32_t channelStride = aChannel0->Stride();
+  DataSourceSurface::ScopedMap sourceMap(aSource, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap channel0Map(aChannel0, DataSourceSurface::WRITE);
+  DataSourceSurface::ScopedMap channel1Map(aChannel1, DataSourceSurface::WRITE);
+  DataSourceSurface::ScopedMap channel2Map(aChannel2, DataSourceSurface::WRITE);
+  DataSourceSurface::ScopedMap channel3Map(aChannel3, DataSourceSurface::WRITE);
+  if (MOZ2D_WARN_IF(!(sourceMap.IsMapped() &&
+                      channel0Map.IsMapped() && channel1Map.IsMapped() &&
+                      channel2Map.IsMapped() && channel3Map.IsMapped()))) {
+    return;
+  }
+  uint8_t* sourceData = sourceMap.GetData();
+  int32_t sourceStride = sourceMap.GetStride();
+  uint8_t* channel0Data = channel0Map.GetData();
+  uint8_t* channel1Data = channel1Map.GetData();
+  uint8_t* channel2Data = channel2Map.GetData();
+  uint8_t* channel3Data = channel3Map.GetData();
+  int32_t channelStride = channel0Map.GetStride();
 
   if (Factory::HasSSE2()) {
 #ifdef USE_SSE2
@@ -157,13 +174,23 @@ FilterProcessing::CombineColorChannels(DataSourceSurface* aChannel0, DataSourceS
   if (MOZ2D_WARN_IF(!result)) {
     return nullptr;
   }
-  int32_t resultStride = result->Stride();
-  uint8_t* resultData = result->GetData();
-  int32_t channelStride = aChannel0->Stride();
-  uint8_t* channel0Data = aChannel0->GetData();
-  uint8_t* channel1Data = aChannel1->GetData();
-  uint8_t* channel2Data = aChannel2->GetData();
-  uint8_t* channel3Data = aChannel3->GetData();
+  DataSourceSurface::ScopedMap resultMap(result, DataSourceSurface::WRITE);
+  DataSourceSurface::ScopedMap channel0Map(aChannel0, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap channel1Map(aChannel1, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap channel2Map(aChannel2, DataSourceSurface::READ);
+  DataSourceSurface::ScopedMap channel3Map(aChannel3, DataSourceSurface::READ);
+  if (MOZ2D_WARN_IF(!(resultMap.IsMapped() &&
+                      channel0Map.IsMapped() && channel1Map.IsMapped() &&
+                      channel2Map.IsMapped() && channel3Map.IsMapped()))) {
+    return nullptr;
+  }
+  int32_t resultStride = resultMap.GetStride();
+  uint8_t* resultData = resultMap.GetData();
+  int32_t channelStride = channel0Map.GetStride();
+  uint8_t* channel0Data = channel0Map.GetData();
+  uint8_t* channel1Data = channel1Map.GetData();
+  uint8_t* channel2Data = channel2Map.GetData();
+  uint8_t* channel3Data = channel3Map.GetData();
 
   if (Factory::HasSSE2()) {
 #ifdef USE_SSE2
diff --git a/gfx/2d/HelpersD2D.h b/gfx/2d/HelpersD2D.h
index 579a2d8ba9c9..2b9d3c40b8c4 100644
--- a/gfx/2d/HelpersD2D.h
+++ b/gfx/2d/HelpersD2D.h
@@ -601,18 +601,22 @@ CreatePartialBitmapForSurface(DataSourceSurface *aSurface, const Matrix &aDestin
     uploadRect.height = rect.height;
   }
 
-
-  int stride = aSurface->Stride();
-
   if (uploadRect.width <= aRT->GetMaximumBitmapSize() &&
       uploadRect.height <= aRT->GetMaximumBitmapSize()) {
+    {
+      // Scope to auto-Unmap() |mapping|.
+      DataSourceSurface::ScopedMap mapping(aSurface, DataSourceSurface::READ);
+      if (MOZ2D_WARN_IF(!mapping.IsMapped())) {
+        return nullptr;
+      }
 
-    // A partial upload will suffice.
-    aRT->CreateBitmap(D2D1::SizeU(uint32_t(uploadRect.width), uint32_t(uploadRect.height)),
-                      aSurface->GetData() + int(uploadRect.x) * 4 + int(uploadRect.y) * stride,
-                      stride,
-                      D2D1::BitmapProperties(D2DPixelFormat(aSurface->GetFormat())),
-                      byRef(bitmap));
+      // A partial upload will suffice.
+      aRT->CreateBitmap(D2D1::SizeU(uint32_t(uploadRect.width), uint32_t(uploadRect.height)),
+                        mapping.GetData() + int(uploadRect.x) * 4 + int(uploadRect.y) * mapping.GetStride(),
+                        mapping.GetStride(),
+                        D2D1::BitmapProperties(D2DPixelFormat(aSurface->GetFormat())),
+                        byRef(bitmap));
+    }
 
     aSourceTransform.PreTranslate(uploadRect.x, uploadRect.y);
 
@@ -626,46 +630,53 @@ CreatePartialBitmapForSurface(DataSourceSurface *aSurface, const Matrix &aDestin
       return nullptr;
     }
 
-    ImageHalfScaler scaler(aSurface->GetData(), stride, size);
+    {
+      // Scope to auto-Unmap() |mapping|.
+      DataSourceSurface::ScopedMap mapping(aSurface, DataSourceSurface::READ);
+      if (MOZ2D_WARN_IF(!mapping.IsMapped())) {
+        return nullptr;
+      }
+      ImageHalfScaler scaler(mapping.GetData(), mapping.GetStride(), size);
 
-    // Calculate the maximum width/height of the image post transform.
-    Point topRight = transform * Point(Float(size.width), 0);
-    Point topLeft = transform * Point(0, 0);
-    Point bottomRight = transform * Point(Float(size.width), Float(size.height));
-    Point bottomLeft = transform * Point(0, Float(size.height));
-    
-    IntSize scaleSize;
+      // Calculate the maximum width/height of the image post transform.
+      Point topRight = transform * Point(Float(size.width), 0);
+      Point topLeft = transform * Point(0, 0);
+      Point bottomRight = transform * Point(Float(size.width), Float(size.height));
+      Point bottomLeft = transform * Point(0, Float(size.height));
 
-    scaleSize.width = int32_t(std::max(Distance(topRight, topLeft),
-                                       Distance(bottomRight, bottomLeft)));
-    scaleSize.height = int32_t(std::max(Distance(topRight, bottomRight),
-                                        Distance(topLeft, bottomLeft)));
+      IntSize scaleSize;
 
-    if (unsigned(scaleSize.width) > aRT->GetMaximumBitmapSize()) {
-      // Ok, in this case we'd really want a downscale of a part of the bitmap,
-      // perhaps we can do this later but for simplicity let's do something
-      // different here and assume it's good enough, this should be rare!
-      scaleSize.width = 4095;
+      scaleSize.width = int32_t(std::max(Distance(topRight, topLeft),
+                                         Distance(bottomRight, bottomLeft)));
+      scaleSize.height = int32_t(std::max(Distance(topRight, bottomRight),
+                                          Distance(topLeft, bottomLeft)));
+
+      if (unsigned(scaleSize.width) > aRT->GetMaximumBitmapSize()) {
+        // Ok, in this case we'd really want a downscale of a part of the bitmap,
+        // perhaps we can do this later but for simplicity let's do something
+        // different here and assume it's good enough, this should be rare!
+        scaleSize.width = 4095;
+      }
+      if (unsigned(scaleSize.height) > aRT->GetMaximumBitmapSize()) {
+        scaleSize.height = 4095;
+      }
+
+      scaler.ScaleForSize(scaleSize);
+
+      IntSize newSize = scaler.GetSize();
+
+      if (newSize.IsEmpty()) {
+        return nullptr;
+      }
+
+      aRT->CreateBitmap(D2D1::SizeU(newSize.width, newSize.height),
+                        scaler.GetScaledData(), scaler.GetStride(),
+                        D2D1::BitmapProperties(D2DPixelFormat(aSurface->GetFormat())),
+                        byRef(bitmap));
+
+      aSourceTransform.PreScale(Float(size.width) / newSize.width,
+                                Float(size.height) / newSize.height);
     }
-    if (unsigned(scaleSize.height) > aRT->GetMaximumBitmapSize()) {
-      scaleSize.height = 4095;
-    }
-
-    scaler.ScaleForSize(scaleSize);
-
-    IntSize newSize = scaler.GetSize();
-
-    if (newSize.IsEmpty()) {
-      return nullptr;
-    }
-    
-    aRT->CreateBitmap(D2D1::SizeU(newSize.width, newSize.height),
-                      scaler.GetScaledData(), scaler.GetStride(),
-                      D2D1::BitmapProperties(D2DPixelFormat(aSurface->GetFormat())),
-                      byRef(bitmap));
-
-    aSourceTransform.PreScale(Float(size.width) / newSize.width,
-                              Float(size.height) / newSize.height);
     return bitmap.forget();
   }
 }
diff --git a/gfx/2d/SourceSurfaceD2D1.cpp b/gfx/2d/SourceSurfaceD2D1.cpp
index bd79d918c495..1f26d26b756c 100644
--- a/gfx/2d/SourceSurfaceD2D1.cpp
+++ b/gfx/2d/SourceSurfaceD2D1.cpp
@@ -182,7 +182,10 @@ DataSourceSurfaceD2D1::Map(MapType aMapType, MappedSurface *aMappedSurface)
   }
 
   D2D1_MAPPED_RECT map;
-  mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map);
+  if (FAILED(mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map))) {
+    gfxCriticalError() << "Failed to map bitmap.";
+    return false;
+  }
   aMappedSurface->mData = map.bits;
   aMappedSurface->mStride = map.pitch;
 
@@ -215,7 +218,10 @@ DataSourceSurfaceD2D1::EnsureMapped()
   if (mMapped) {
     return;
   }
-  mBitmap->Map(D2D1_MAP_OPTIONS_READ, &mMap);
+  if (FAILED(mBitmap->Map(D2D1_MAP_OPTIONS_READ, &mMap))) {
+    gfxCriticalError() << "Failed to map bitmap.";
+    return;
+  }
   mMapped = true;
 }
 
diff --git a/gfx/angle/src/libGLESv2/renderer/d3d/d3d11/PixelTransfer11.cpp b/gfx/angle/src/libGLESv2/renderer/d3d/d3d11/PixelTransfer11.cpp
index 6054c545f39a..8f949b4dabd1 100644
--- a/gfx/angle/src/libGLESv2/renderer/d3d/d3d11/PixelTransfer11.cpp
+++ b/gfx/angle/src/libGLESv2/renderer/d3d/d3d11/PixelTransfer11.cpp
@@ -201,6 +201,21 @@ gl::Error PixelTransfer11::copyBufferToTexture(const gl::PixelUnpackState &unpac
     GLenum unsizedFormat = gl::GetInternalFormatInfo(destinationFormat).format;
     GLenum sourceFormat = gl::GetFormatTypeInfo(unsizedFormat, sourcePixelsType).internalFormat;
 
+    CopyShaderParams shaderParams;
+    setBufferToTextureCopyParams(destArea, destSize, sourceFormat, unpack, offset, &shaderParams);
+
+    ID3D11DeviceContext *deviceContext = mRenderer->getDeviceContext();
+
+    if (!StructEquals(mParamsData, shaderParams))
+    {
+        HRESULT result = d3d11::SetBufferData(deviceContext, mParamsConstantBuffer, shaderParams);
+        if (FAILED(result))
+        {
+             return gl::Error(GL_OUT_OF_MEMORY, "Failed to set shader parameters, result: 0x%X.", result);
+        }
+        mParamsData = shaderParams;
+    }
+
     const d3d11::TextureFormat &sourceFormatInfo = d3d11::GetTextureFormatInfo(sourceFormat);
     DXGI_FORMAT srvFormat = sourceFormatInfo.srvFormat;
     ASSERT(srvFormat != DXGI_FORMAT_UNKNOWN);
@@ -211,11 +226,6 @@ gl::Error PixelTransfer11::copyBufferToTexture(const gl::PixelUnpackState &unpac
     ID3D11RenderTargetView *textureRTV = RenderTarget11::makeRenderTarget11(destRenderTarget)->getRenderTargetView();
     ASSERT(textureRTV != NULL);
 
-    CopyShaderParams shaderParams;
-    setBufferToTextureCopyParams(destArea, destSize, sourceFormat, unpack, offset, &shaderParams);
-
-    ID3D11DeviceContext *deviceContext = mRenderer->getDeviceContext();
-
     ID3D11Buffer *nullBuffer = NULL;
     UINT zero = 0;
 
@@ -236,12 +246,6 @@ gl::Error PixelTransfer11::copyBufferToTexture(const gl::PixelUnpackState &unpac
 
     mRenderer->setOneTimeRenderTarget(textureRTV);
 
-    if (!StructEquals(mParamsData, shaderParams))
-    {
-        d3d11::SetBufferData(deviceContext, mParamsConstantBuffer, shaderParams);
-        mParamsData = shaderParams;
-    }
-
     deviceContext->VSSetConstantBuffers(0, 1, &mParamsConstantBuffer);
 
     // Set the viewport
diff --git a/gfx/angle/src/libGLESv2/renderer/d3d/d3d11/renderer11_utils.h b/gfx/angle/src/libGLESv2/renderer/d3d/d3d11/renderer11_utils.h
index 9df9c95763e5..7c0ad78e3452 100644
--- a/gfx/angle/src/libGLESv2/renderer/d3d/d3d11/renderer11_utils.h
+++ b/gfx/angle/src/libGLESv2/renderer/d3d/d3d11/renderer11_utils.h
@@ -168,14 +168,17 @@ inline ID3D11PixelShader *CompilePS(ID3D11Device *device, const BYTE (&byteCode)
 // Copy data to small D3D11 buffers, such as for small constant buffers, which use one struct to
 // represent an entire buffer.
 template <class T>
-inline void SetBufferData(ID3D11DeviceContext *context, ID3D11Buffer *constantBuffer, const T &value)
+inline HRESULT SetBufferData(ID3D11DeviceContext *context, ID3D11Buffer *constantBuffer, const T &value)
 {
     D3D11_MAPPED_SUBRESOURCE mappedResource;
-    context->Map(constantBuffer, 0, D3D11_MAP_WRITE_DISCARD, 0, &mappedResource);
+    HRESULT result = context->Map(constantBuffer, 0, D3D11_MAP_WRITE_DISCARD, 0, &mappedResource);
+    if(SUCCEEDED(result))
+    {
+        memcpy(mappedResource.pData, &value, sizeof(T));
 
-    memcpy(mappedResource.pData, &value, sizeof(T));
-
-    context->Unmap(constantBuffer, 0);
+        context->Unmap(constantBuffer, 0);
+    }
+    return result;
 }
 
 gl::Error GetAttachmentRenderTarget(gl::FramebufferAttachment *attachment, RenderTarget11 **outRT);
diff --git a/gfx/cairo/README b/gfx/cairo/README
index c2022d0c63a3..154e26727101 100644
--- a/gfx/cairo/README
+++ b/gfx/cairo/README
@@ -242,6 +242,8 @@ win32-d3dsurface9.patch: Create a win32 d3d9 surface to support LockRect
 
 win32-avoid-extend-pad-fallback: Avoid falling back to pixman when using EXTEND_PAD
 
+support-new-style-atomic-primitives.patch: Support the __atomic_* primitives for atomic operations
+
 ==== disable printing patch ====
 
 disable-printing.patch:  allows us to use NS_PRINTING to disable printing.
diff --git a/gfx/cairo/cairo/src/cairo-atomic-private.h b/gfx/cairo/cairo/src/cairo-atomic-private.h
index 8d02ec948cbb..dd42a8ad135c 100644
--- a/gfx/cairo/cairo/src/cairo-atomic-private.h
+++ b/gfx/cairo/cairo/src/cairo-atomic-private.h
@@ -53,6 +53,96 @@
 
 CAIRO_BEGIN_DECLS
 
+/* C++11 atomic primitives were designed to be more flexible than the
+ * __sync_* family of primitives.  Despite the name, they are available
+ * in C as well as C++.  The motivating reason for using them is that
+ * for _cairo_atomic_{int,ptr}_get, the compiler is able to see that
+ * the load is intended to be atomic, as opposed to the __sync_*
+ * version, below, where the load looks like a plain load.  Having
+ * the load appear atomic to the compiler is particular important for
+ * tools like ThreadSanitizer so they don't report false positives on
+ * memory operations that we intend to be atomic.
+ */
+#if HAVE_CXX11_ATOMIC_PRIMITIVES
+
+#define HAS_ATOMIC_OPS 1
+
+typedef int cairo_atomic_int_t;
+
+static cairo_always_inline cairo_atomic_int_t
+_cairo_atomic_int_get (cairo_atomic_int_t *x)
+{
+    return __atomic_load_n(x, __ATOMIC_SEQ_CST);
+}
+
+static cairo_always_inline void *
+_cairo_atomic_ptr_get (void **x)
+{
+    return __atomic_load_n(x, __ATOMIC_SEQ_CST);
+}
+
+# define _cairo_atomic_int_inc(x) ((void) __atomic_fetch_add(x, 1, __ATOMIC_SEQ_CST))
+# define _cairo_atomic_int_dec(x) ((void) __atomic_fetch_sub(x, 1, __ATOMIC_SEQ_CST))
+# define _cairo_atomic_int_dec_and_test(x) (__atomic_fetch_sub(x, 1, __ATOMIC_SEQ_CST) == 1)
+
+#if SIZEOF_VOID_P==SIZEOF_INT
+typedef int cairo_atomic_intptr_t;
+#elif SIZEOF_VOID_P==SIZEOF_LONG
+typedef long cairo_atomic_intptr_t;
+#elif SIZEOF_VOID_P==SIZEOF_LONG_LONG
+typedef long long cairo_atomic_intptr_t;
+#else
+#error No matching integer pointer type
+#endif
+
+static cairo_always_inline cairo_bool_t
+_cairo_atomic_int_cmpxchg_impl(cairo_atomic_int_t *x,
+			       cairo_atomic_int_t oldv,
+			       cairo_atomic_int_t newv)
+{
+    cairo_atomic_int_t expected = oldv;
+    return __atomic_compare_exchange_n(x, &expected, newv, 0, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
+}
+
+#define _cairo_atomic_int_cmpxchg(x, oldv, newv) \
+  _cairo_atomic_int_cmpxchg_impl(x, oldv, newv)
+
+static cairo_always_inline cairo_atomic_int_t
+_cairo_atomic_int_cmpxchg_return_old_impl(cairo_atomic_int_t *x,
+					  cairo_atomic_int_t oldv,
+					  cairo_atomic_int_t newv)
+{
+    cairo_atomic_int_t expected = oldv;
+    (void) __atomic_compare_exchange_n(x, &expected, newv, 0, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
+    return expected;
+}
+
+#define _cairo_atomic_int_cmpxchg_return_old(x, oldv, newv) \
+  _cairo_atomic_int_cmpxchg_return_old_impl(x, oldv, newv)
+
+static cairo_always_inline cairo_bool_t
+_cairo_atomic_ptr_cmpxchg_impl(void **x, void *oldv, void *newv)
+{
+    void *expected = oldv;
+    return __atomic_compare_exchange_n(x, &expected, newv, 0, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
+}
+
+#define _cairo_atomic_ptr_cmpxchg(x, oldv, newv) \
+  _cairo_atomic_ptr_cmpxchg_impl(x, oldv, newv)
+
+static cairo_always_inline void *
+_cairo_atomic_ptr_cmpxchg_return_old_impl(void **x, void *oldv, void *newv)
+{
+    void *expected = oldv;
+    (void) __atomic_compare_exchange_n(x, &expected, newv, 0, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
+    return expected;
+}
+
+#define _cairo_atomic_ptr_cmpxchg_return_old(x, oldv, newv) \
+  _cairo_atomic_ptr_cmpxchg_return_old_impl(x, oldv, newv)
+
+#endif
+
 #if HAVE_INTEL_ATOMIC_PRIMITIVES
 
 #define HAS_ATOMIC_OPS 1
diff --git a/gfx/cairo/cairo/src/moz.build b/gfx/cairo/cairo/src/moz.build
index 3fd0129f6b9c..9e5ec88713b7 100644
--- a/gfx/cairo/cairo/src/moz.build
+++ b/gfx/cairo/cairo/src/moz.build
@@ -198,7 +198,7 @@ for var in ('MOZ_TREE_CAIRO', 'MOZ_TREE_PIXMAN'):
         DEFINES[var] = True
 
 if CONFIG['GNU_CC']:
-    DEFINES['HAVE_INTEL_ATOMIC_PRIMITIVES'] = True
+    DEFINES['HAVE_CXX11_ATOMIC_PRIMITIVES'] = True
     # We would normally use autoconf to set these up, using AC_CHECK_SIZEOF.
     # But AC_CHECK_SIZEOF requires running programs to determine the sizes,
     # and that doesn't work so well with cross-compiling.  So instead we
diff --git a/gfx/cairo/support-new-style-atomic-primitives.patch b/gfx/cairo/support-new-style-atomic-primitives.patch
new file mode 100644
index 000000000000..1830a4691f03
--- /dev/null
+++ b/gfx/cairo/support-new-style-atomic-primitives.patch
@@ -0,0 +1,121 @@
+From 5d150ee111c222f09e78f4f88540964476327844 Mon Sep 17 00:00:00 2001
+From: Nathan Froyd <froydnj@mozilla.com>
+Date: Mon, 4 May 2015 13:38:41 -0400
+Subject: Support new-style __atomic_* primitives
+
+Recent versions of GCC/clang feature a new set of compiler intrinsics
+for performing atomic operations, motivated by the operations needed to
+support the C++11 memory model.  These intrinsics are more flexible than
+the old __sync_* intrinstics and offer efficient support for atomic load
+and store operations.
+
+Having the load appear atomic to the compiler is particular important
+for tools like ThreadSanitizer so they don't report false positives on
+memory operations that we intend to be atomic.
+
+Patch from Nathan Froyd <froydnj@mozilla.com>
+
+diff --git a/src/cairo-atomic-private.h b/src/cairo-atomic-private.h
+index 327fed1..11b2887 100644
+--- a/src/cairo-atomic-private.h
++++ b/src/cairo-atomic-private.h
+@@ -53,6 +53,96 @@
+ 
+ CAIRO_BEGIN_DECLS
+ 
++/* C++11 atomic primitives were designed to be more flexible than the
++ * __sync_* family of primitives.  Despite the name, they are available
++ * in C as well as C++.  The motivating reason for using them is that
++ * for _cairo_atomic_{int,ptr}_get, the compiler is able to see that
++ * the load is intended to be atomic, as opposed to the __sync_*
++ * version, below, where the load looks like a plain load.  Having
++ * the load appear atomic to the compiler is particular important for
++ * tools like ThreadSanitizer so they don't report false positives on
++ * memory operations that we intend to be atomic.
++ */
++#if HAVE_CXX11_ATOMIC_PRIMITIVES
++
++#define HAS_ATOMIC_OPS 1
++
++typedef int cairo_atomic_int_t;
++
++static cairo_always_inline cairo_atomic_int_t
++_cairo_atomic_int_get (cairo_atomic_int_t *x)
++{
++    return __atomic_load_n(x, __ATOMIC_SEQ_CST);
++}
++
++static cairo_always_inline void *
++_cairo_atomic_ptr_get (void **x)
++{
++    return __atomic_load_n(x, __ATOMIC_SEQ_CST);
++}
++
++# define _cairo_atomic_int_inc(x) ((void) __atomic_fetch_add(x, 1, __ATOMIC_SEQ_CST))
++# define _cairo_atomic_int_dec(x) ((void) __atomic_fetch_sub(x, 1, __ATOMIC_SEQ_CST))
++# define _cairo_atomic_int_dec_and_test(x) (__atomic_fetch_sub(x, 1, __ATOMIC_SEQ_CST) == 1)
++
++#if SIZEOF_VOID_P==SIZEOF_INT
++typedef int cairo_atomic_intptr_t;
++#elif SIZEOF_VOID_P==SIZEOF_LONG
++typedef long cairo_atomic_intptr_t;
++#elif SIZEOF_VOID_P==SIZEOF_LONG_LONG
++typedef long long cairo_atomic_intptr_t;
++#else
++#error No matching integer pointer type
++#endif
++
++static cairo_always_inline cairo_bool_t
++_cairo_atomic_int_cmpxchg_impl(cairo_atomic_int_t *x,
++			       cairo_atomic_int_t oldv,
++			       cairo_atomic_int_t newv)
++{
++    cairo_atomic_int_t expected = oldv;
++    return __atomic_compare_exchange_n(x, &expected, newv, 0, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
++}
++
++#define _cairo_atomic_int_cmpxchg(x, oldv, newv) \
++  _cairo_atomic_int_cmpxchg_impl(x, oldv, newv)
++
++static cairo_always_inline cairo_atomic_int_t
++_cairo_atomic_int_cmpxchg_return_old_impl(cairo_atomic_int_t *x,
++					  cairo_atomic_int_t oldv,
++					  cairo_atomic_int_t newv)
++{
++    cairo_atomic_int_t expected = oldv;
++    (void) __atomic_compare_exchange_n(x, &expected, newv, 0, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
++    return expected;
++}
++
++#define _cairo_atomic_int_cmpxchg_return_old(x, oldv, newv) \
++  _cairo_atomic_int_cmpxchg_return_old_impl(x, oldv, newv)
++
++static cairo_always_inline cairo_bool_t
++_cairo_atomic_ptr_cmpxchg_impl(void **x, void *oldv, void *newv)
++{
++    void *expected = oldv;
++    return __atomic_compare_exchange_n(x, &expected, newv, 0, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
++}
++
++#define _cairo_atomic_ptr_cmpxchg(x, oldv, newv) \
++  _cairo_atomic_ptr_cmpxchg_impl(x, oldv, newv)
++
++static cairo_always_inline void *
++_cairo_atomic_ptr_cmpxchg_return_old_impl(void **x, void *oldv, void *newv)
++{
++    void *expected = oldv;
++    (void) __atomic_compare_exchange_n(x, &expected, newv, 0, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
++    return expected;
++}
++
++#define _cairo_atomic_ptr_cmpxchg_return_old(x, oldv, newv) \
++  _cairo_atomic_ptr_cmpxchg_return_old_impl(x, oldv, newv)
++
++#endif
++
+ #if HAVE_INTEL_ATOMIC_PRIMITIVES
+ 
+ #define HAS_ATOMIC_OPS 1
+-- 
+cgit v0.10.2
+
diff --git a/gfx/gl/GLConsts.h b/gfx/gl/GLConsts.h
index b21dfe79a1a8..0c1e43e8aacf 100644
--- a/gfx/gl/GLConsts.h
+++ b/gfx/gl/GLConsts.h
@@ -283,7 +283,6 @@
 #define LOCAL_GL_BOOL_VEC4_ARB                               0x8B59
 #define LOCAL_GL_BOUNDING_BOX_NV                             0x908D
 #define LOCAL_GL_BOUNDING_BOX_OF_BOUNDING_BOXES_NV           0x909C
-#define LOCAL_GL_BROWSER_DEFAULT_WEBGL                       0x9244
 #define LOCAL_GL_BUFFER                                      0x82E0
 #define LOCAL_GL_BUFFER_ACCESS                               0x88BB
 #define LOCAL_GL_BUFFER_ACCESS_ARB                           0x88BB
@@ -731,7 +730,6 @@
 #define LOCAL_GL_CONTEXT_FLAG_DEBUG_BIT_KHR                  0x00000002
 #define LOCAL_GL_CONTEXT_FLAG_FORWARD_COMPATIBLE_BIT         0x00000001
 #define LOCAL_GL_CONTEXT_FLAG_ROBUST_ACCESS_BIT_ARB          0x00000004
-#define LOCAL_GL_CONTEXT_LOST_WEBGL                          0x9242
 #define LOCAL_GL_CONTEXT_PROFILE_MASK                        0x9126
 #define LOCAL_GL_CONTEXT_ROBUST_ACCESS_EXT                   0x90F3
 #define LOCAL_GL_CONTINUOUS_AMD                              0x9007
@@ -4680,19 +4678,16 @@
 #define LOCAL_GL_UNPACK_ALIGNMENT                            0x0CF5
 #define LOCAL_GL_UNPACK_CLIENT_STORAGE_APPLE                 0x85B2
 #define LOCAL_GL_UNPACK_CMYK_HINT_EXT                        0x800F
-#define LOCAL_GL_UNPACK_COLORSPACE_CONVERSION_WEBGL          0x9243
 #define LOCAL_GL_UNPACK_COMPRESSED_BLOCK_DEPTH               0x9129
 #define LOCAL_GL_UNPACK_COMPRESSED_BLOCK_HEIGHT              0x9128
 #define LOCAL_GL_UNPACK_COMPRESSED_BLOCK_SIZE                0x912A
 #define LOCAL_GL_UNPACK_COMPRESSED_BLOCK_WIDTH               0x9127
 #define LOCAL_GL_UNPACK_COMPRESSED_SIZE_SGIX                 0x831A
 #define LOCAL_GL_UNPACK_CONSTANT_DATA_SUNX                   0x81D5
-#define LOCAL_GL_UNPACK_FLIP_Y_WEBGL                         0x9240
 #define LOCAL_GL_UNPACK_IMAGE_DEPTH_SGIS                     0x8133
 #define LOCAL_GL_UNPACK_IMAGE_HEIGHT                         0x806E
 #define LOCAL_GL_UNPACK_IMAGE_HEIGHT_EXT                     0x806E
 #define LOCAL_GL_UNPACK_LSB_FIRST                            0x0CF1
-#define LOCAL_GL_UNPACK_PREMULTIPLY_ALPHA_WEBGL              0x9241
 #define LOCAL_GL_UNPACK_RESAMPLE_OML                         0x8985
 #define LOCAL_GL_UNPACK_RESAMPLE_SGIX                        0x842D
 #define LOCAL_GL_UNPACK_ROW_BYTES_APPLE                      0x8A16
diff --git a/gfx/gl/GLContext.cpp b/gfx/gl/GLContext.cpp
index aa78909cc894..1c4fa209a6b3 100644
--- a/gfx/gl/GLContext.cpp
+++ b/gfx/gl/GLContext.cpp
@@ -794,7 +794,7 @@ GLContext::InitWithPrefix(const char *prefix, bool trygl)
             }
         }
 
-        if (IsExtensionSupported(ARB_sync)) {
+        if (IsSupported(GLFeature::sync)) {
             SymLoadStruct syncSymbols[] = {
                 { (PRFuncPtr*) &mSymbols.fFenceSync,      { "FenceSync",      nullptr } },
                 { (PRFuncPtr*) &mSymbols.fIsSync,         { "IsSync",         nullptr } },
@@ -807,7 +807,7 @@ GLContext::InitWithPrefix(const char *prefix, bool trygl)
             };
 
             if (!LoadSymbols(&syncSymbols[0], trygl, prefix)) {
-                NS_ERROR("GL supports ARB_sync without supplying its functions.");
+                NS_ERROR("GL supports sync without supplying its functions.");
 
                 MarkExtensionUnsupported(ARB_sync);
                 ClearSymbols(syncSymbols);
diff --git a/gfx/gl/GLContext.h b/gfx/gl/GLContext.h
index ee3382349755..83d2fb8ad25e 100644
--- a/gfx/gl/GLContext.h
+++ b/gfx/gl/GLContext.h
@@ -122,6 +122,7 @@ enum class GLFeature {
     sRGB_texture,
     sampler_objects,
     standard_derivatives,
+    sync,
     texture_3D,
     texture_3D_compressed,
     texture_3D_copy,
diff --git a/gfx/gl/GLContextFeatures.cpp b/gfx/gl/GLContextFeatures.cpp
index 7506ca84ccfc..fefba7e38839 100644
--- a/gfx/gl/GLContextFeatures.cpp
+++ b/gfx/gl/GLContextFeatures.cpp
@@ -529,6 +529,15 @@ static const FeatureInfo sFeatureInfoArr[] = {
             GLContext::Extensions_End
         }
     },
+    {
+        "sync",
+        GLVersion::GL3_2,
+        GLESVersion::ES3,
+        GLContext::ARB_sync,
+        {
+            GLContext::Extensions_End
+        }
+    },
     {
         "texture_3D",
         GLVersion::GL1_2,
diff --git a/gfx/gl/GLReadTexImageHelper.cpp b/gfx/gl/GLReadTexImageHelper.cpp
index 2b72cc139f75..48705a5949c7 100644
--- a/gfx/gl/GLReadTexImageHelper.cpp
+++ b/gfx/gl/GLReadTexImageHelper.cpp
@@ -217,7 +217,10 @@ static void
 SwapRAndBComponents(DataSourceSurface* surf)
 {
     DataSourceSurface::MappedSurface map;
-    MOZ_ALWAYS_TRUE( surf->Map(DataSourceSurface::MapType::READ_WRITE, &map) );
+    if (!surf->Map(DataSourceSurface::MapType::READ_WRITE, &map)) {
+        MOZ_ASSERT(false, "SwapRAndBComponents: Failed to map surface.");
+        return;
+    }
     MOZ_ASSERT(map.mStride >= 0);
 
     const size_t rowBytes = surf->GetSize().width*4;
@@ -288,8 +291,11 @@ CopyDataSourceSurface(DataSourceSurface* aSource,
 
     DataSourceSurface::MappedSurface srcMap;
     DataSourceSurface::MappedSurface destMap;
-    MOZ_ALWAYS_TRUE( aSource->Map(DataSourceSurface::MapType::READ, &srcMap) );
-    MOZ_ALWAYS_TRUE( aDest->Map(DataSourceSurface::MapType::WRITE, &destMap) );
+    if (!aSource->Map(DataSourceSurface::MapType::READ, &srcMap) ||
+        !aDest->Map(DataSourceSurface::MapType::WRITE, &destMap)) {
+        MOZ_ASSERT(false, "CopyDataSourceSurface: Failed to map surface.");
+        return;
+    }
     MOZ_ASSERT(srcMap.mStride >= 0);
     MOZ_ASSERT(destMap.mStride >= 0);
 
diff --git a/gfx/ipc/GfxMessageUtils.h b/gfx/ipc/GfxMessageUtils.h
index 4704fa2f7c0b..d83dac7abda0 100644
--- a/gfx/ipc/GfxMessageUtils.h
+++ b/gfx/ipc/GfxMessageUtils.h
@@ -721,7 +721,7 @@ struct ParamTraits<mozilla::layers::FrameMetrics>
     WriteParam(aMsg, aParam.mZoom);
     WriteParam(aMsg, aParam.mDevPixelsPerCSSPixel);
     WriteParam(aMsg, aParam.mPresShellId);
-    WriteParam(aMsg, aParam.mIsRoot);
+    WriteParam(aMsg, aParam.mIsRootContent);
     WriteParam(aMsg, aParam.mHasScrollgrab);
     WriteParam(aMsg, aParam.mUpdateScrollOffset);
     WriteParam(aMsg, aParam.mScrollGeneration);
@@ -766,7 +766,7 @@ struct ParamTraits<mozilla::layers::FrameMetrics>
             ReadParam(aMsg, aIter, &aResult->mZoom) &&
             ReadParam(aMsg, aIter, &aResult->mDevPixelsPerCSSPixel) &&
             ReadParam(aMsg, aIter, &aResult->mPresShellId) &&
-            ReadParam(aMsg, aIter, &aResult->mIsRoot) &&
+            ReadParam(aMsg, aIter, &aResult->mIsRootContent) &&
             ReadParam(aMsg, aIter, &aResult->mHasScrollgrab) &&
             ReadParam(aMsg, aIter, &aResult->mUpdateScrollOffset) &&
             ReadParam(aMsg, aIter, &aResult->mScrollGeneration) &&
diff --git a/gfx/layers/FrameMetrics.h b/gfx/layers/FrameMetrics.h
index f31c4adde318..d5cf7af8bbdc 100644
--- a/gfx/layers/FrameMetrics.h
+++ b/gfx/layers/FrameMetrics.h
@@ -48,7 +48,7 @@ public:
     , mScrollableRect(0, 0, 0, 0)
     , mCumulativeResolution()
     , mDevPixelsPerCSSPixel(1)
-    , mIsRoot(false)
+    , mIsRootContent(false)
     , mHasScrollgrab(false)
     , mScrollId(NULL_SCROLL_ID)
     , mScrollParentId(NULL_SCROLL_ID)
@@ -89,7 +89,7 @@ public:
            mCumulativeResolution == aOther.mCumulativeResolution &&
            mDevPixelsPerCSSPixel == aOther.mDevPixelsPerCSSPixel &&
            mPresShellId == aOther.mPresShellId &&
-           mIsRoot == aOther.mIsRoot &&
+           mIsRootContent == aOther.mIsRootContent &&
            mScrollId == aOther.mScrollId &&
            mScrollParentId == aOther.mScrollParentId &&
            mScrollOffset == aOther.mScrollOffset &&
@@ -120,11 +120,6 @@ public:
     return (def == *this);
   }
 
-  bool IsRootScrollable() const
-  {
-    return mIsRoot;
-  }
-
   bool IsScrollable() const
   {
     return mScrollId != NULL_SCROLL_ID;
@@ -298,14 +293,14 @@ public:
     return mDevPixelsPerCSSPixel;
   }
 
-  void SetIsRoot(bool aIsRoot)
+  void SetIsRootContent(bool aIsRootContent)
   {
-    mIsRoot = aIsRoot;
+    mIsRootContent = aIsRootContent;
   }
 
-  bool GetIsRoot() const
+  bool IsRootContent() const
   {
-    return mIsRoot;
+    return mIsRootContent;
   }
 
   void SetHasScrollgrab(bool aHasScrollgrab)
@@ -626,7 +621,7 @@ private:
   CSSToLayoutDeviceScale mDevPixelsPerCSSPixel;
 
   // Whether or not this is the root scroll frame for the root content document.
-  bool mIsRoot;
+  bool mIsRootContent;
 
   // Whether or not this frame is for an element marked 'scrollgrab'.
   bool mHasScrollgrab;
diff --git a/gfx/layers/ImageContainer.cpp b/gfx/layers/ImageContainer.cpp
index 4398008abbb4..154572dea126 100644
--- a/gfx/layers/ImageContainer.cpp
+++ b/gfx/layers/ImageContainer.cpp
@@ -476,7 +476,12 @@ PlanarYCbCrImage::GetAsSourceSurface()
     return nullptr;
   }
 
-  gfx::ConvertYCbCrToRGB(mData, format, size, surface->GetData(), surface->Stride());
+  DataSourceSurface::ScopedMap mapping(surface, DataSourceSurface::WRITE);
+  if (NS_WARN_IF(!mapping.IsMapped())) {
+    return nullptr;
+  }
+
+  gfx::ConvertYCbCrToRGB(mData, format, size, mapping.GetData(), mapping.GetStride());
 
   mSourceSurface = surface;
 
diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp
index af32e0552777..7553bb126a31 100644
--- a/gfx/layers/YCbCrImageDataSerializer.cpp
+++ b/gfx/layers/YCbCrImageDataSerializer.cpp
@@ -287,7 +287,9 @@ YCbCrImageDataDeserializer::ToDataSourceSurface()
   }
 
   DataSourceSurface::MappedSurface map;
-  result->Map(DataSourceSurface::MapType::WRITE, &map);
+  if (NS_WARN_IF(!result->Map(DataSourceSurface::MapType::WRITE, &map))) {
+    return nullptr;
+  }
 
   gfx::ConvertYCbCrToRGB32(GetYData(), GetCbData(), GetCrData(),
                            map.mData,
diff --git a/gfx/layers/apz/public/GeckoContentController.h b/gfx/layers/apz/public/GeckoContentController.h
index 9756f8e95294..79db6c805d10 100644
--- a/gfx/layers/apz/public/GeckoContentController.h
+++ b/gfx/layers/apz/public/GeckoContentController.h
@@ -79,7 +79,7 @@ public:
    * |aContentRect| is in CSS pixels, relative to the current cssPage.
    * |aScrollableSize| is the current content width/height in CSS pixels.
    */
-  virtual void SendAsyncScrollDOMEvent(bool aIsRoot,
+  virtual void SendAsyncScrollDOMEvent(bool aIsRootContent,
                                        const CSSRect &aContentRect,
                                        const CSSSize &aScrollableSize) = 0;
 
diff --git a/gfx/layers/apz/src/APZCTreeManager.cpp b/gfx/layers/apz/src/APZCTreeManager.cpp
index ad20adfb6d32..c847248462c8 100644
--- a/gfx/layers/apz/src/APZCTreeManager.cpp
+++ b/gfx/layers/apz/src/APZCTreeManager.cpp
@@ -464,21 +464,22 @@ APZCTreeManager::PrepareNodeForLayer(const LayerMetricsWrapper& aLayer,
     }
 
     if (newApzc) {
-      if (apzc->HasNoParentWithSameLayersId()) {
-        // If we just created a new apzc that is the root for its layers ID, then
-        // we need to update its zoom constraints which might have arrived before this
-        // was created
+      if (apzc->IsRootContent()) {
+        // If we just created a new root-content apzc, then we need to update
+        // its zoom constraints which might have arrived before it was created.
         ZoomConstraints constraints;
         if (state->mController->GetRootZoomConstraints(&constraints)) {
           apzc->UpdateZoomConstraints(constraints);
         }
-      } else {
-        // For an apzc that is not the root for its layers ID, we give it the
-        // same zoom constraints as its parent. This ensures that if e.g.
-        // user-scalable=no was specified, none of the APZCs allow double-tap
-        // to zoom.
+      } else if (!apzc->HasNoParentWithSameLayersId()) {
+        // Otherwise, an APZC that has a parent in the same layer tree gets
+        // the same zoom constraints as its parent. This ensures that if e.g.
+        // user-scalable=no was specified on the root, none of the APZCs allow
+        // double-tap to zoom.
         apzc->UpdateZoomConstraints(apzc->GetParent()->GetZoomConstraints());
       }
+      // Otherwise, if the APZC has no parent in the same layer tree, leave
+      // it with the existing zoom constraints.
     }
 
     // Add a guid -> APZC mapping for the newly created APZC.
@@ -1033,9 +1034,9 @@ APZCTreeManager::UpdateZoomConstraints(const ScrollableLayerGuid& aGuid,
   nsRefPtr<HitTestingTreeNode> node = GetTargetNode(aGuid, nullptr);
   MOZ_ASSERT(!node || node->GetApzc()); // any node returned must have an APZC
 
-  // For a given layers id, non-root APZCs inherit the zoom constraints
+  // For a given layers id, non-{root content} APZCs inherit the zoom constraints
   // of their root.
-  if (node && node->GetApzc()->HasNoParentWithSameLayersId()) {
+  if (node && node->GetApzc()->IsRootContent()) {
     UpdateZoomConstraintsRecursively(node.get(), aConstraints);
   }
 }
@@ -1338,7 +1339,7 @@ APZCTreeManager::BuildOverscrollHandoffChain(const nsRefPtr<AsyncPanZoomControll
     result->Add(apzc);
 
     if (apzc->GetScrollHandoffParentId() == FrameMetrics::NULL_SCROLL_ID) {
-      if (!apzc->HasNoParentWithSameLayersId()) {
+      if (!apzc->IsRootForLayersId()) {
         // This probably indicates a bug or missed case in layout code
         NS_WARNING("Found a non-root APZ with no handoff parent");
       }
@@ -1351,9 +1352,9 @@ APZCTreeManager::BuildOverscrollHandoffChain(const nsRefPtr<AsyncPanZoomControll
     MOZ_ASSERT(apzc->GetScrollHandoffParentId() != apzc->GetGuid().mScrollId);
 
     // Find the AsyncPanZoomController instance with a matching layersId and
-    // the scroll id that matches apzc->GetScrollHandoffParentId(). To do this
-    // search the subtree with the same layersId for the apzc with the specified
-    // scroll id.
+    // the scroll id that matches apzc->GetScrollHandoffParentId().
+    // As an optimization, we start by walking up the APZC tree from 'apzc'
+    // until we reach the top of the layer subtree for this layers id.
     AsyncPanZoomController* scrollParent = nullptr;
     AsyncPanZoomController* parent = apzc;
     while (!parent->HasNoParentWithSameLayersId()) {
@@ -1366,6 +1367,7 @@ APZCTreeManager::BuildOverscrollHandoffChain(const nsRefPtr<AsyncPanZoomControll
         break;
       }
     }
+    // If that heuristic didn't turn up the scroll parent, do a full tree search.
     if (!scrollParent) {
       ScrollableLayerGuid guid(parent->GetGuid().mLayersId, 0, apzc->GetScrollHandoffParentId());
       nsRefPtr<HitTestingTreeNode> node = GetTargetNode(guid, &GuidComparatorIgnoringPresShell);
@@ -1477,26 +1479,30 @@ APZCTreeManager::GetAPZCAtPoint(HitTestingTreeNode* aNode,
   return nullptr;
 }
 
-AsyncPanZoomController*
-APZCTreeManager::FindRootApzcForLayersId(uint64_t aLayersId) const
+/*
+ * Do a breadth-first search of the tree rooted at |aRoot|, and return the
+ * first visited node that satisfies |aCondition|, or nullptr if no such node
+ * was found.
+ *
+ * |Node| should have methods GetLastChild() and GetPrevSibling().
+ */
+template <typename Node, typename Condition>
+static const Node* BreadthFirstSearch(const Node* aRoot, const Condition& aCondition)
 {
-  mTreeLock.AssertCurrentThreadOwns();
-
-  if (!mRootNode) {
+  if (!aRoot) {
     return nullptr;
   }
-  std::deque<const HitTestingTreeNode*> queue;
-  queue.push_back(mRootNode);
+  std::deque<const Node*> queue;
+  queue.push_back(aRoot);
   while (!queue.empty()) {
-    const HitTestingTreeNode* node = queue.front();
+    const Node* node = queue.front();
     queue.pop_front();
 
-    AsyncPanZoomController* apzc = node->GetApzc();
-    if (apzc && apzc->GetLayersId() == aLayersId && apzc->IsRootForLayersId()) {
-      return apzc;
+    if (aCondition(node)) {
+      return node;
     }
 
-    for (HitTestingTreeNode* child = node->GetLastChild();
+    for (const Node* child = node->GetLastChild();
          child;
          child = child->GetPrevSibling()) {
       queue.push_back(child);
@@ -1506,6 +1512,44 @@ APZCTreeManager::FindRootApzcForLayersId(uint64_t aLayersId) const
   return nullptr;
 }
 
+AsyncPanZoomController*
+APZCTreeManager::FindRootApzcForLayersId(uint64_t aLayersId) const
+{
+  mTreeLock.AssertCurrentThreadOwns();
+
+  struct RootForLayersIdMatcher {
+    uint64_t mLayersId;
+    bool operator()(const HitTestingTreeNode* aNode) const {
+      AsyncPanZoomController* apzc = aNode->GetApzc();
+      return apzc
+          && apzc->GetLayersId() == mLayersId
+          && apzc->IsRootForLayersId();
+    }
+  };
+  const HitTestingTreeNode* resultNode = BreadthFirstSearch(mRootNode.get(),
+      RootForLayersIdMatcher{aLayersId});
+  return resultNode ? resultNode->GetApzc() : nullptr;
+}
+
+AsyncPanZoomController*
+APZCTreeManager::FindRootContentApzcForLayersId(uint64_t aLayersId) const
+{
+  mTreeLock.AssertCurrentThreadOwns();
+
+  struct RootContentForLayersIdMatcher {
+    uint64_t mLayersId;
+    bool operator()(const HitTestingTreeNode* aNode) const {
+      AsyncPanZoomController* apzc = aNode->GetApzc();
+      return apzc
+          && apzc->GetLayersId() == mLayersId
+          && apzc->IsRootContent();
+    }
+  };
+  const HitTestingTreeNode* resultNode = BreadthFirstSearch(mRootNode.get(),
+      RootContentForLayersIdMatcher{aLayersId});
+  return resultNode ? resultNode->GetApzc() : nullptr;
+}
+
 /* The methods GetScreenToApzcTransform() and GetApzcToGeckoTransform() return
    some useful transformations that input events may need applied. This is best
    illustrated with an example. Consider a chain of layers, L, M, N, O, P, Q, R. Layer L
@@ -1674,10 +1718,23 @@ APZCTreeManager::GetApzcToGeckoTransform(const AsyncPanZoomController *aApzc) co
 already_AddRefed<AsyncPanZoomController>
 APZCTreeManager::GetMultitouchTarget(AsyncPanZoomController* aApzc1, AsyncPanZoomController* aApzc2) const
 {
-  nsRefPtr<AsyncPanZoomController> apzc = CommonAncestor(aApzc1, aApzc2);
-  // For now, we only ever want to do pinching on the root APZC for a given layers id. So
-  // when we find the common ancestor of multiple points, also walk up to the root APZC.
-  apzc = RootAPZCForLayersId(apzc);
+  nsRefPtr<AsyncPanZoomController> apzc;
+  // For now, we only ever want to do pinching on the root-content APZC for
+  // a given layers id.
+  if (aApzc1 && aApzc2 && aApzc1->GetLayersId() == aApzc2->GetLayersId()) {
+    // If the two APZCs have the same layers id, find the root-content APZC
+    // for that layers id. Don't call CommonAncestor() because there may not
+    // be a common ancestor for the layers id (e.g. if one APZCs is inside a
+    // fixed-position element).
+    apzc = FindRootContentApzcForLayersId(aApzc1->GetLayersId());
+  } else {
+    // Otherwise, find the common ancestor (to reach a common layers id), and
+    // get the root-content APZC for that layers id.
+    apzc = CommonAncestor(aApzc1, aApzc2);
+    if (apzc) {
+      apzc = FindRootContentApzcForLayersId(apzc->GetLayersId());
+    }
+  }
   return apzc.forget();
 }
 
@@ -1727,16 +1784,5 @@ APZCTreeManager::CommonAncestor(AsyncPanZoomController* aApzc1, AsyncPanZoomCont
   return ancestor.forget();
 }
 
-already_AddRefed<AsyncPanZoomController>
-APZCTreeManager::RootAPZCForLayersId(AsyncPanZoomController* aApzc) const
-{
-  MonitorAutoLock lock(mTreeLock);
-  nsRefPtr<AsyncPanZoomController> apzc = aApzc;
-  while (apzc && !apzc->HasNoParentWithSameLayersId()) {
-    apzc = apzc->GetParent();
-  }
-  return apzc.forget();
-}
-
 }
 }
diff --git a/gfx/layers/apz/src/APZCTreeManager.h b/gfx/layers/apz/src/APZCTreeManager.h
index cd4707a23d93..daa569c9aa29 100644
--- a/gfx/layers/apz/src/APZCTreeManager.h
+++ b/gfx/layers/apz/src/APZCTreeManager.h
@@ -413,9 +413,9 @@ private:
                                          const ParentLayerPoint& aHitTestPoint,
                                          HitTestResult* aOutHitResult);
   AsyncPanZoomController* FindRootApzcForLayersId(uint64_t aLayersId) const;
+  AsyncPanZoomController* FindRootContentApzcForLayersId(uint64_t aLayersId) const;
   already_AddRefed<AsyncPanZoomController> GetMultitouchTarget(AsyncPanZoomController* aApzc1, AsyncPanZoomController* aApzc2) const;
   already_AddRefed<AsyncPanZoomController> CommonAncestor(AsyncPanZoomController* aApzc1, AsyncPanZoomController* aApzc2) const;
-  already_AddRefed<AsyncPanZoomController> RootAPZCForLayersId(AsyncPanZoomController* aApzc) const;
   already_AddRefed<AsyncPanZoomController> GetTouchInputBlockAPZC(const MultiTouchInput& aEvent,
                                                                   HitTestResult* aOutHitResult);
   nsEventStatus ProcessTouchInput(MultiTouchInput& aInput,
diff --git a/gfx/layers/apz/src/AsyncPanZoomController.cpp b/gfx/layers/apz/src/AsyncPanZoomController.cpp
index b8b3db877446..6ac35f994614 100644
--- a/gfx/layers/apz/src/AsyncPanZoomController.cpp
+++ b/gfx/layers/apz/src/AsyncPanZoomController.cpp
@@ -1287,7 +1287,7 @@ nsEventStatus AsyncPanZoomController::OnScale(const PinchGestureInput& aEvent) {
   // would have to be adjusted (as e.g. it would no longer be valid to take
   // the minimum or maximum of the ratios of the widths and heights of the
   // page rect and the composition bounds).
-  MOZ_ASSERT(mFrameMetrics.IsRootScrollable());
+  MOZ_ASSERT(mFrameMetrics.IsRootContent());
   MOZ_ASSERT(mFrameMetrics.GetZoom().AreScalesSame());
 
   float prevSpan = aEvent.mPreviousSpan;
@@ -1433,7 +1433,7 @@ AsyncPanZoomController::GetScrollWheelDelta(const ScrollWheelInput& aEvent) cons
       MOZ_ASSERT_UNREACHABLE("unexpected scroll delta type");
   }
 
-  if (mFrameMetrics.GetIsRoot() && gfxPrefs::MouseWheelHasRootScrollDeltaOverride()) {
+  if (mFrameMetrics.IsRootContent() && gfxPrefs::MouseWheelHasRootScrollDeltaOverride()) {
     // Only apply delta multipliers if we're increasing the delta.
     double hfactor = double(gfxPrefs::MouseWheelRootHScrollDeltaFactor()) / 100;
     double vfactor = double(gfxPrefs::MouseWheelRootVScrollDeltaFactor()) / 100;
@@ -2996,7 +2996,7 @@ void AsyncPanZoomController::ZoomToRect(CSSRect aRect) {
   // would have to be adjusted (as e.g. it would no longer be valid to take
   // the minimum or maximum of the ratios of the widths and heights of the
   // page rect and the composition bounds).
-  MOZ_ASSERT(mFrameMetrics.IsRootScrollable());
+  MOZ_ASSERT(mFrameMetrics.IsRootContent());
   MOZ_ASSERT(mFrameMetrics.GetZoom().AreScalesSame());
 
   SetState(ANIMATING_ZOOM);
@@ -3190,19 +3190,19 @@ void AsyncPanZoomController::SendAsyncScrollEvent() {
     return;
   }
 
-  bool isRoot;
+  bool isRootContent;
   CSSRect contentRect;
   CSSSize scrollableSize;
   {
     ReentrantMonitorAutoEnter lock(mMonitor);
 
-    isRoot = mFrameMetrics.GetIsRoot();
+    isRootContent = mFrameMetrics.IsRootContent();
     scrollableSize = mFrameMetrics.GetScrollableRect().Size();
     contentRect = mFrameMetrics.CalculateCompositedRectInCssPixels();
     contentRect.MoveTo(mCurrentAsyncScrollOffset);
   }
 
-  controller->SendAsyncScrollDOMEvent(isRoot, contentRect, scrollableSize);
+  controller->SendAsyncScrollDOMEvent(isRootContent, contentRect, scrollableSize);
 }
 
 bool AsyncPanZoomController::Matches(const ScrollableLayerGuid& aGuid)
diff --git a/gfx/layers/apz/src/AsyncPanZoomController.h b/gfx/layers/apz/src/AsyncPanZoomController.h
index afaf3c22a4a1..52ad0f68dbe2 100644
--- a/gfx/layers/apz/src/AsyncPanZoomController.h
+++ b/gfx/layers/apz/src/AsyncPanZoomController.h
@@ -899,8 +899,7 @@ public:
   }
 
   /* Returns true if there is no APZC higher in the tree with the same
-   * layers id. Deprecated. New code shouldn't use this. Old code should be
-   * updated to not use this.
+   * layers id.
    */
   bool HasNoParentWithSameLayersId() const {
     return !mParent || (mParent->mLayersId != mLayersId);
@@ -911,6 +910,11 @@ public:
     return mFrameMetrics.IsLayersIdRoot();
   }
 
+  bool IsRootContent() const {
+    ReentrantMonitorAutoEnter lock(mMonitor);
+    return mFrameMetrics.IsRootContent();
+  }
+
 private:
   // This is a raw pointer to avoid introducing a reference cycle between
   // AsyncPanZoomController and APZCTreeManager. Since these objects don't
diff --git a/gfx/layers/apz/util/ChromeProcessController.h b/gfx/layers/apz/util/ChromeProcessController.h
index 19e301d1f3e9..500162ac698f 100644
--- a/gfx/layers/apz/util/ChromeProcessController.h
+++ b/gfx/layers/apz/util/ChromeProcessController.h
@@ -49,7 +49,7 @@ public:
   virtual void HandleLongTap(const mozilla::CSSPoint& aPoint, Modifiers aModifiers,
                                const ScrollableLayerGuid& aGuid,
                                uint64_t aInputBlockId) override;
-  virtual void SendAsyncScrollDOMEvent(bool aIsRoot, const mozilla::CSSRect &aContentRect,
+  virtual void SendAsyncScrollDOMEvent(bool aIsRootContent, const mozilla::CSSRect &aContentRect,
                                        const mozilla::CSSSize &aScrollableSize) override {}
   virtual void NotifyAPZStateChange(const ScrollableLayerGuid& aGuid,
                                     APZStateChange aChange,
diff --git a/gfx/layers/composite/AsyncCompositionManager.cpp b/gfx/layers/composite/AsyncCompositionManager.cpp
index 31786dabccb8..76df089fbc21 100644
--- a/gfx/layers/composite/AsyncCompositionManager.cpp
+++ b/gfx/layers/composite/AsyncCompositionManager.cpp
@@ -813,11 +813,11 @@ ApplyAsyncTransformToScrollbarForContent(Layer* aScrollbar,
     const ParentLayerCoord thumbOriginDeltaPL = thumbOriginDelta * effectiveZoom;
     yTranslation -= thumbOriginDeltaPL;
 
-    if (metrics.IsRootScrollable()) {
+    if (metrics.IsRootContent()) {
       // Scrollbar for the root are painted at the same resolution as the
       // content. Since the coordinate space we apply this transform in includes
       // the resolution, we need to adjust for it as well here. Note that in
-      // another metrics.IsRootScrollable() hunk below we apply a
+      // another metrics.IsRootContent() hunk below we apply a
       // resolution-cancelling transform which ensures the scroll thumb isn't
       // actually rendered at a larger scale.
       yTranslation *= metrics.GetPresShellResolution();
@@ -846,7 +846,7 @@ ApplyAsyncTransformToScrollbarForContent(Layer* aScrollbar,
     const ParentLayerCoord thumbOriginDeltaPL = thumbOriginDelta * effectiveZoom;
     xTranslation -= thumbOriginDeltaPL;
 
-    if (metrics.IsRootScrollable()) {
+    if (metrics.IsRootContent()) {
       xTranslation *= metrics.GetPresShellResolution();
     }
 
@@ -862,7 +862,7 @@ ApplyAsyncTransformToScrollbarForContent(Layer* aScrollbar,
   // thumb's size to vary with the zoom (other than its length reflecting the
   // fraction of the scrollable length that's in view, which is taken care of
   // above), we apply a transform to cancel out this resolution.
-  if (metrics.IsRootScrollable()) {
+  if (metrics.IsRootContent()) {
     compensation =
         Matrix4x4::Scaling(metrics.GetPresShellResolution(),
                            metrics.GetPresShellResolution(),
diff --git a/gfx/layers/composite/FrameUniformityData.cpp b/gfx/layers/composite/FrameUniformityData.cpp
index eb2c3db78927..6027a14706f7 100644
--- a/gfx/layers/composite/FrameUniformityData.cpp
+++ b/gfx/layers/composite/FrameUniformityData.cpp
@@ -137,7 +137,8 @@ FrameUniformityData::ToJS(JS::MutableHandleValue aOutValue, JSContext* aContext)
     uintptr_t layerAddr = iter->first;
     float uniformity = iter->second;
 
-    layers.AppendElement();
+    // FIXME: Make this infallible after bug 968520 is done.
+    MOZ_ALWAYS_TRUE(layers.AppendElement(fallible));
     dom::FrameUniformity& entry = layers.LastElement();
 
     entry.mLayerAddress.Construct() = layerAddr;
diff --git a/gfx/layers/d3d11/TextureD3D11.cpp b/gfx/layers/d3d11/TextureD3D11.cpp
index 366215d1ea23..a1baca00bad5 100644
--- a/gfx/layers/d3d11/TextureD3D11.cpp
+++ b/gfx/layers/d3d11/TextureD3D11.cpp
@@ -851,7 +851,11 @@ DataTextureSourceD3D11::Update(DataSourceSurface* aSurface,
     }
 
     DataSourceSurface::MappedSurface map;
-    aSurface->Map(DataSourceSurface::MapType::READ, &map);
+    if (!aSurface->Map(DataSourceSurface::MapType::READ, &map)) {
+      gfxCriticalError() << "Failed to map surface.";
+      Reset();
+      return false;
+    }
 
     if (aDestRegion) {
       nsIntRegionRectIterator iter(*aDestRegion);
diff --git a/gfx/src/nsRect.h b/gfx/src/nsRect.h
index 8d402c749ceb..5bcb7cfc7206 100644
--- a/gfx/src/nsRect.h
+++ b/gfx/src/nsRect.h
@@ -10,7 +10,6 @@
 #include <stdio.h>                      // for FILE
 #include <stdint.h>                     // for int32_t, int64_t
 #include <algorithm>                    // for min/max
-#include "nsDebug.h"                    // for NS_WARNING
 #include "gfxCore.h"                    // for NS_GFX
 #include "mozilla/Likely.h"             // for MOZ_UNLIKELY
 #include "mozilla/gfx/Rect.h"
@@ -80,7 +79,6 @@ struct NS_GFX nsRect :
     result.x = std::min(aRect.x, x);
     int64_t w = std::max(int64_t(aRect.x) + aRect.width, int64_t(x) + width) - result.x;
     if (MOZ_UNLIKELY(w > nscoord_MAX)) {
-      NS_WARNING("Overflowed nscoord_MAX in conversion to nscoord width");
       // Clamp huge negative x to nscoord_MIN / 2 and try again.
       result.x = std::max(result.x, nscoord_MIN / 2);
       w = std::max(int64_t(aRect.x) + aRect.width, int64_t(x) + width) - result.x;
@@ -93,7 +91,6 @@ struct NS_GFX nsRect :
     result.y = std::min(aRect.y, y);
     int64_t h = std::max(int64_t(aRect.y) + aRect.height, int64_t(y) + height) - result.y;
     if (MOZ_UNLIKELY(h > nscoord_MAX)) {
-      NS_WARNING("Overflowed nscoord_MAX in conversion to nscoord height");
       // Clamp huge negative y to nscoord_MIN / 2 and try again.
       result.y = std::max(result.y, nscoord_MIN / 2);
       h = std::max(int64_t(aRect.y) + aRect.height, int64_t(y) + height) - result.y;
diff --git a/gfx/tests/gtest/TestAsyncPanZoomController.cpp b/gfx/tests/gtest/TestAsyncPanZoomController.cpp
index b8e8aae3f351..8051f4cfe5a4 100644
--- a/gfx/tests/gtest/TestAsyncPanZoomController.cpp
+++ b/gfx/tests/gtest/TestAsyncPanZoomController.cpp
@@ -780,7 +780,7 @@ protected:
     fm.SetScrollOffset(CSSPoint(300, 300));
     fm.SetZoom(CSSToParentLayerScale2D(2.0, 2.0));
     // APZC only allows zooming on the root scrollable frame.
-    fm.SetIsRoot(true);
+    fm.SetIsRootContent(true);
     // the visible area of the document in CSS pixels is x=300 y=300 w=50 h=100
     return fm;
   }
@@ -921,7 +921,7 @@ TEST_F(APZCBasicTester, Overzoom) {
   fm.SetScrollableRect(CSSRect(0, 0, 125, 150));
   fm.SetScrollOffset(CSSPoint(10, 0));
   fm.SetZoom(CSSToParentLayerScale2D(1.0, 1.0));
-  fm.SetIsRoot(true);
+  fm.SetIsRootContent(true);
   apzc->SetFrameMetrics(fm);
 
   MakeApzcZoomable();
diff --git a/gfx/thebes/gfxContext.cpp b/gfx/thebes/gfxContext.cpp
index 4c93001b84ce..c17c20c7c24b 100644
--- a/gfx/thebes/gfxContext.cpp
+++ b/gfx/thebes/gfxContext.cpp
@@ -636,6 +636,40 @@ gfxContext::HasComplexClip() const
   return false;
 }
 
+bool
+gfxContext::ExportClip(ClipExporter& aExporter)
+{
+  unsigned int lastReset = 0;
+  for (int i = mStateStack.Length() - 1; i > 0; i--) {
+    if (mStateStack[i].clipWasReset) {
+      lastReset = i;
+      break;
+    }
+  }
+
+  for (unsigned int i = lastReset; i < mStateStack.Length(); i++) {
+    for (unsigned int c = 0; c < mStateStack[i].pushedClips.Length(); c++) {
+      AzureState::PushedClip &clip = mStateStack[i].pushedClips[c];
+      gfx::Matrix transform = clip.transform;
+      transform.PostTranslate(-GetDeviceOffset());
+
+      aExporter.BeginClip(transform);
+      if (clip.path) {
+        clip.path->StreamToSink(&aExporter);
+      } else {
+        aExporter.MoveTo(clip.rect.TopLeft());
+        aExporter.LineTo(clip.rect.TopRight());
+        aExporter.LineTo(clip.rect.BottomRight());
+        aExporter.LineTo(clip.rect.BottomLeft());
+        aExporter.Close();
+      }
+      aExporter.EndClip();
+    }
+  }
+
+  return true;
+}
+
 bool
 gfxContext::ClipContainsRect(const gfxRect& aRect)
 {
diff --git a/gfx/thebes/gfxContext.h b/gfx/thebes/gfxContext.h
index d88cc3677171..268a59fd4221 100644
--- a/gfx/thebes/gfxContext.h
+++ b/gfx/thebes/gfxContext.h
@@ -28,6 +28,8 @@ struct RectCornerRadii;
 }
 }
 
+class ClipExporter;
+
 /**
  * This is the main class for doing actual drawing. It is initialized using
  * a surface and can be drawn on. It manages various state information like
@@ -457,6 +459,11 @@ public:
      */
     bool ClipContainsRect(const gfxRect& aRect);
 
+     /**
+      * Exports the current clip using the provided exporter.
+      */
+    bool ExportClip(ClipExporter& aExporter);
+
     /**
      * Groups
      */
@@ -728,4 +735,12 @@ private:
   mozilla::gfx::Pattern *mPattern;
 };
 
+/* This interface should be implemented to handle exporting the clip from a context.
+ */
+class ClipExporter : public mozilla::gfx::PathSink {
+public:
+  virtual void BeginClip(const mozilla::gfx::Matrix& aMatrix) = 0;
+  virtual void EndClip() = 0;
+};
+
 #endif /* GFX_CONTEXT_H */
diff --git a/gfx/thebes/gfxDWriteFontList.cpp b/gfx/thebes/gfxDWriteFontList.cpp
index 17bd3af2f10f..66e7f0c93d90 100644
--- a/gfx/thebes/gfxDWriteFontList.cpp
+++ b/gfx/thebes/gfxDWriteFontList.cpp
@@ -311,7 +311,7 @@ gfxDWriteFontFamily::LocalizedName(nsAString &aLocalizedName)
         return;
     }
     
-    if (!famName.SetLength(length + 1)) {
+    if (!famName.SetLength(length + 1, fallible)) {
         // Eeep - running out of memory. Unlikely to end well.
         return;
     }
@@ -403,7 +403,7 @@ gfxDWriteFontEntry::CopyFontTable(uint32_t aTableTag,
                               NativeEndian::swapToBigEndian(aTableTag), 0,
                               nullptr, 0);
             if (tableSize != GDI_ERROR) {
-                if (aBuffer.SetLength(tableSize)) {
+                if (aBuffer.SetLength(tableSize, fallible)) {
                     ::GetFontData(dc.GetDC(),
                                   NativeEndian::swapToBigEndian(aTableTag), 0,
                                   aBuffer.Elements(), aBuffer.Length());
@@ -433,7 +433,7 @@ gfxDWriteFontEntry::CopyFontTable(uint32_t aTableTag,
         return NS_ERROR_FAILURE;
     }
 
-    if (aBuffer.SetLength(len)) {
+    if (aBuffer.SetLength(len, fallible)) {
         memcpy(aBuffer.Elements(), tableData, len);
         rv = NS_OK;
     } else {
@@ -1122,7 +1122,7 @@ gfxDWriteFontList::GetFontsFromCollection(IDWriteFontCollection* aCollection)
             continue;
         }
 
-        if (!enName.SetLength(length + 1)) {
+        if (!enName.SetLength(length + 1, fallible)) {
             // Eeep - running out of memory. Unlikely to end well.
             continue;
         }
@@ -1171,7 +1171,7 @@ gfxDWriteFontList::GetFontsFromCollection(IDWriteFontCollection* aCollection)
                 continue;
             }
 
-            if (!localizedName.SetLength(nameLen + 1)) {
+            if (!localizedName.SetLength(nameLen + 1, fallible)) {
                 continue;
             }
 
@@ -1406,7 +1406,7 @@ static HRESULT GetFamilyName(IDWriteFont *aFont, nsString& aFamilyName)
         return hr;
     }
 
-    if (!name.SetLength(length + 1)) {
+    if (!name.SetLength(length + 1, fallible)) {
         return E_FAIL;
     }
     hr = familyNames->GetString(index, name.Elements(), length + 1);
@@ -1587,7 +1587,7 @@ DirectWriteFontInfo::LoadFontFamilyData(const nsAString& aFamilyName)
     nsAutoTArray<wchar_t, 32> famName;
 
     uint32_t len = aFamilyName.Length();
-    famName.SetLength(len + 1);
+    famName.SetLength(len + 1, fallible);
     memcpy(famName.Elements(), aFamilyName.BeginReading(), len * sizeof(char16_t));
     famName[len] = 0;
 
diff --git a/gfx/thebes/gfxFT2FontList.cpp b/gfx/thebes/gfxFT2FontList.cpp
index a8b9bae4562d..e246c478d996 100644
--- a/gfx/thebes/gfxFT2FontList.cpp
+++ b/gfx/thebes/gfxFT2FontList.cpp
@@ -532,7 +532,7 @@ FT2FontEntry::CopyFontTable(uint32_t aTableTag,
         return NS_ERROR_FAILURE;
     }
 
-    if (!aBuffer.SetLength(len)) {
+    if (!aBuffer.SetLength(len, fallible)) {
         return NS_ERROR_OUT_OF_MEMORY;
     }
     uint8_t *buf = aBuffer.Elements();
diff --git a/gfx/thebes/gfxFcPlatformFontList.cpp b/gfx/thebes/gfxFcPlatformFontList.cpp
index 7d8af32614d9..4ede0e87a15d 100644
--- a/gfx/thebes/gfxFcPlatformFontList.cpp
+++ b/gfx/thebes/gfxFcPlatformFontList.cpp
@@ -805,7 +805,7 @@ gfxFontconfigFontEntry::CopyFontTable(uint32_t aTableTag,
     if (FT_Load_Sfnt_Table(mFTFace, aTableTag, 0, nullptr, &length) != 0) {
         return NS_ERROR_NOT_AVAILABLE;
     }
-    if (!aBuffer.SetLength(length)) {
+    if (!aBuffer.SetLength(length, fallible)) {
         return NS_ERROR_OUT_OF_MEMORY;
     }
     if (FT_Load_Sfnt_Table(mFTFace, aTableTag, 0, aBuffer.Elements(), &length) != 0) {
diff --git a/gfx/thebes/gfxFontconfigFonts.cpp b/gfx/thebes/gfxFontconfigFonts.cpp
index 069d3a1cfb9c..3a577021e2a3 100644
--- a/gfx/thebes/gfxFontconfigFonts.cpp
+++ b/gfx/thebes/gfxFontconfigFonts.cpp
@@ -184,9 +184,11 @@ public:
     {
         cairo_font_face_reference(mFontFace);
         cairo_font_face_set_user_data(mFontFace, &sFontEntryKey, this, nullptr);
-        mPatterns.AppendElement();
+
         // mPatterns is an nsAutoTArray with 1 space always available, so the
         // AppendElement always succeeds.
+        // FIXME: Make this infallible after bug 968520 is done.
+        MOZ_ALWAYS_TRUE(mPatterns.AppendElement(fallible));
         mPatterns[0] = aFontPattern;
 
         FcChar8 *name;
@@ -248,7 +250,7 @@ gfxSystemFcFontEntry::CopyFontTable(uint32_t aTableTag,
     if (FT_Load_Sfnt_Table(mFTFace, aTableTag, 0, nullptr, &length) != 0) {
         return NS_ERROR_NOT_AVAILABLE;
     }
-    if (!aBuffer.SetLength(length)) {
+    if (!aBuffer.SetLength(length, fallible)) {
         return NS_ERROR_OUT_OF_MEMORY;
     }
     if (FT_Load_Sfnt_Table(mFTFace, aTableTag, 0, aBuffer.Elements(), &length) != 0) {
@@ -419,7 +421,7 @@ public:
                         const nsTArray< nsCountedRef<FcPattern> >& aPatterns)
         : gfxUserFcFontEntry(aFontName, aWeight, aStretch, aItalic)
     {
-        if (!mPatterns.SetCapacity(aPatterns.Length()))
+        if (!mPatterns.SetCapacity(aPatterns.Length(), fallible))
             return; // OOM
 
         for (uint32_t i = 0; i < aPatterns.Length(); ++i) {
@@ -429,7 +431,8 @@ public:
 
             AdjustPatternToCSS(pattern);
 
-            mPatterns.AppendElement();
+            // FIXME: Make this infallible after bug 968520 is done.
+            MOZ_ALWAYS_TRUE(mPatterns.AppendElement(fallible));
             mPatterns[i].own(pattern);
         }
         mIsLocalUserFont = true;
@@ -617,7 +620,8 @@ gfxDownloadedFcFontEntry::InitPattern()
     AddDownloadedFontEntry(pattern, this);
 
     // There is never more than one pattern
-    mPatterns.AppendElement();
+    // FIXME: Make this infallible after bug 968520 is done.
+    MOZ_ALWAYS_TRUE(mPatterns.AppendElement(fallible));
     mPatterns[0].own(pattern);
 }
 
diff --git a/gfx/thebes/gfxGDIFontList.cpp b/gfx/thebes/gfxGDIFontList.cpp
index 7a20e2b0eab1..ac2dc854373e 100644
--- a/gfx/thebes/gfxGDIFontList.cpp
+++ b/gfx/thebes/gfxGDIFontList.cpp
@@ -245,7 +245,7 @@ GDIFontEntry::CopyFontTable(uint32_t aTableTag,
                           NativeEndian::swapToBigEndian(aTableTag),
                           0, nullptr, 0);
         if (tableSize != GDI_ERROR) {
-            if (aBuffer.SetLength(tableSize)) {
+            if (aBuffer.SetLength(tableSize, fallible)) {
                 ::GetFontData(dc.GetDC(),
                               NativeEndian::swapToBigEndian(aTableTag), 0,
                               aBuffer.Elements(), tableSize);
@@ -976,7 +976,7 @@ int CALLBACK GDIFontInfo::EnumerateFontsForFamily(
         nameSize = ::GetFontData(hdc, kNAME, 0, nullptr, 0);
         if (nameSize != GDI_ERROR &&
             nameSize > 0 &&
-            nameData.SetLength(nameSize)) {
+            nameData.SetLength(nameSize, fallible)) {
             ::GetFontData(hdc, kNAME, 0, nameData.Elements(), nameSize);
 
             // face names
@@ -1019,7 +1019,7 @@ int CALLBACK GDIFontInfo::EnumerateFontsForFamily(
         cmapSize = ::GetFontData(hdc, kCMAP, 0, nullptr, 0);
         if (cmapSize != GDI_ERROR &&
             cmapSize > 0 &&
-            cmapData.SetLength(cmapSize)) {
+            cmapData.SetLength(cmapSize, fallible)) {
             ::GetFontData(hdc, kCMAP, 0, cmapData.Elements(), cmapSize);
             bool cmapLoaded = false;
             bool unicodeFont = false, symbolFont = false;
diff --git a/gfx/thebes/gfxPlatformMac.cpp b/gfx/thebes/gfxPlatformMac.cpp
index cde0459ef6ad..50fe59c3047b 100644
--- a/gfx/thebes/gfxPlatformMac.cpp
+++ b/gfx/thebes/gfxPlatformMac.cpp
@@ -514,6 +514,7 @@ public:
       }
 
       mPreviousTimestamp = TimeStamp::Now();
+      mStartingVsync = true;
       if (CVDisplayLinkStart(mDisplayLink) != kCVReturnSuccess) {
         NS_WARNING("Could not activate the display link");
         CVDisplayLinkRelease(mDisplayLink);
@@ -547,6 +548,7 @@ public:
     // Normalize the timestamps given to the VsyncDispatchers to the vsync
     // that just occured, not the vsync that is upcoming.
     TimeStamp mPreviousTimestamp;
+    bool mStartingVsync;
 
   private:
     // Manages the display link render thread
@@ -575,12 +577,16 @@ static CVReturn VsyncCallback(CVDisplayLinkRef aDisplayLink,
   mozilla::TimeStamp nextVsync = mozilla::TimeStamp::FromSystemTime(nextVsyncTimestamp);
 
   mozilla::TimeStamp previousVsync = display->mPreviousTimestamp;
+  bool firstVsync = display->mStartingVsync;
+
+  display->mStartingVsync = false;
   display->mPreviousTimestamp = nextVsync;
   mozilla::TimeStamp now = TimeStamp::Now();
   if (nextVsync <= previousVsync) {
     TimeDuration next = nextVsync - now;
     TimeDuration prev = now - previousVsync;
-    printf_stderr("Next from now: %f, prev from now: %f\n", next.ToMilliseconds(), prev.ToMilliseconds());
+    printf_stderr("Next from now: %f, prev from now: %f, first vsync %d\n",
+      next.ToMilliseconds(), prev.ToMilliseconds(), firstVsync);
     MOZ_ASSERT(false, "Next vsync less than previous vsync\n");
   }
 
diff --git a/image/imgFrame.cpp b/image/imgFrame.cpp
index 4504a7c43f76..2b033e748851 100644
--- a/image/imgFrame.cpp
+++ b/image/imgFrame.cpp
@@ -484,9 +484,11 @@ imgFrame::Optimize()
     }
 
     DataSourceSurface::MappedSurface mapping;
-    DebugOnly<bool> success =
-      surf->Map(DataSourceSurface::MapType::WRITE, &mapping);
-    NS_ASSERTION(success, "Failed to map surface");
+    if (!surf->Map(DataSourceSurface::MapType::WRITE, &mapping)) {
+      gfxCriticalError() << "imgFrame::Optimize failed to map surface";
+      return NS_ERROR_FAILURE;
+    }
+
     RefPtr<DrawTarget> target =
       Factory::CreateDrawTargetForData(BackendType::CAIRO,
                                        mapping.mData,
@@ -910,9 +912,11 @@ imgFrame::Deoptimize()
       }
 
       DataSourceSurface::MappedSurface mapping;
-      DebugOnly<bool> success =
-        surf->Map(DataSourceSurface::MapType::WRITE, &mapping);
-      NS_ASSERTION(success, "Failed to map surface");
+      if (!surf->Map(DataSourceSurface::MapType::WRITE, &mapping)) {
+        gfxCriticalError() << "imgFrame::Deoptimize failed to map surface";
+        return NS_ERROR_FAILURE;
+      }
+
       RefPtr<DrawTarget> target =
         Factory::CreateDrawTargetForData(BackendType::CAIRO,
                                          mapping.mData,
diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
index f37616bbdf9b..00efc418fdc3 100644
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -636,7 +636,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
     // been set up by whatever may have launched the browser.
     const char* prevInterpose = PR_GetEnv("DYLD_INSERT_LIBRARIES");
     nsCString interpose;
-    if (prevInterpose) {
+    if (prevInterpose && strlen(prevInterpose) > 0) {
       interpose.Assign(prevInterpose);
       interpose.Append(':');
     }
diff --git a/js/public/GCAPI.h b/js/public/GCAPI.h
index 3482048d9098..baa2ec7fcc08 100644
--- a/js/public/GCAPI.h
+++ b/js/public/GCAPI.h
@@ -108,7 +108,8 @@ using mozilla::UniquePtr;
     D(FULL_GC_TIMER)                            \
     D(SHUTDOWN_CC)                              \
     D(FINISH_LARGE_EVALUATE)                    \
-    D(USER_INACTIVE)
+    D(USER_INACTIVE)                            \
+    D(XPCONNECT_SHUTDOWN)
 
 namespace gcreason {
 
@@ -332,9 +333,10 @@ enum GCProgress {
 struct JS_PUBLIC_API(GCDescription) {
     bool isCompartment_;
     JSGCInvocationKind invocationKind_;
+    gcreason::Reason reason_;
 
-    GCDescription(bool isCompartment, JSGCInvocationKind kind)
-      : isCompartment_(isCompartment), invocationKind_(kind) {}
+    GCDescription(bool isCompartment, JSGCInvocationKind kind, gcreason::Reason reason)
+      : isCompartment_(isCompartment), invocationKind_(kind), reason_(reason) {}
 
     char16_t* formatSliceMessage(JSRuntime* rt) const;
     char16_t* formatSummaryMessage(JSRuntime* rt) const;
diff --git a/js/public/SliceBudget.h b/js/public/SliceBudget.h
index 316bf9e62c49..8ac0def7ac84 100644
--- a/js/public/SliceBudget.h
+++ b/js/public/SliceBudget.h
@@ -70,9 +70,9 @@ struct JS_PUBLIC_API(SliceBudget)
         return checkOverBudget();
     }
 
-    bool isUnlimited() const {
-        return deadline == unlimitedDeadline;
-    }
+    bool isWorkBudget() const { return deadline == 0; }
+    bool isTimeBudget() const { return deadline > 0 && !isUnlimited(); }
+    bool isUnlimited() const { return deadline == unlimitedDeadline; }
 
     int describe(char* buffer, size_t maxlen) const;
 
diff --git a/js/src/devtools/rootAnalysis/annotations.js b/js/src/devtools/rootAnalysis/annotations.js
index 4b82505db766..e71ed3486eeb 100644
--- a/js/src/devtools/rootAnalysis/annotations.js
+++ b/js/src/devtools/rootAnalysis/annotations.js
@@ -330,10 +330,6 @@ function isOverridableField(initialCSU, csu, field)
         if (field == 'GetWindowProxy' || field == 'GetWindowProxyPreserveColor')
             return false;
     }
-    if (initialCSU == 'nsICycleCollectorListener' && field == 'NoteWeakMapEntry')
-        return false;
-    if (initialCSU == 'nsICycleCollectorListener' && field == 'NoteEdge')
-        return false;
     return true;
 }
 
diff --git a/js/src/gc/GCRuntime.h b/js/src/gc/GCRuntime.h
index 01d3cc0b0e6a..51013b99e5cb 100644
--- a/js/src/gc/GCRuntime.h
+++ b/js/src/gc/GCRuntime.h
@@ -771,28 +771,30 @@ class GCRuntime
     JS::Zone* getCurrentZoneGroup() { return currentZoneGroup; }
     void setFoundBlackGrayEdges() { foundBlackGrayEdges = true; }
 
-    uint64_t gcNumber() { return number; }
+    uint64_t gcNumber() const { return number; }
     void incGcNumber() { ++number; }
 
-    uint64_t minorGCCount() { return minorGCNumber; }
+    uint64_t minorGCCount() const { return minorGCNumber; }
     void incMinorGcNumber() { ++minorGCNumber; }
 
-    uint64_t majorGCCount() { return majorGCNumber; }
+    uint64_t majorGCCount() const { return majorGCNumber; }
     void incMajorGcNumber() { ++majorGCNumber; }
 
-    bool isIncrementalGc() { return isIncremental; }
-    bool isFullGc() { return isFull; }
+    int64_t defaultSliceBudget() const { return sliceBudget; }
+
+    bool isIncrementalGc() const { return isIncremental; }
+    bool isFullGc() const { return isFull; }
 
     bool shouldCleanUpEverything() { return cleanUpEverything; }
 
-    bool areGrayBitsValid() { return grayBitsValid; }
+    bool areGrayBitsValid() const { return grayBitsValid; }
     void setGrayBitsInvalid() { grayBitsValid = false; }
 
     bool minorGCRequested() const { return minorGCTriggerReason != JS::gcreason::NO_REASON; }
     bool majorGCRequested() const { return majorGCTriggerReason != JS::gcreason::NO_REASON; }
     bool isGcNeeded() { return minorGCRequested() || majorGCRequested(); }
 
-    bool fullGCForAtomsRequested() { return fullGCForAtomsRequested_; }
+    bool fullGCForAtomsRequested() const { return fullGCForAtomsRequested_; }
 
     double computeHeapGrowthFactor(size_t lastBytes);
     size_t computeTriggerBytes(double growthFactor, size_t lastBytes);
@@ -1161,7 +1163,7 @@ class GCRuntime
      */
     bool interFrameGC;
 
-    /* Default budget for incremental GC slice. See SliceBudget in jsgc.h. */
+    /* Default budget for incremental GC slice. See js/SliceBudget.h. */
     int64_t sliceBudget;
 
     /*
diff --git a/js/src/gc/Statistics.cpp b/js/src/gc/Statistics.cpp
index 7e7acdd183ab..314fac5c7479 100644
--- a/js/src/gc/Statistics.cpp
+++ b/js/src/gc/Statistics.cpp
@@ -7,6 +7,7 @@
 #include "gc/Statistics.h"
 
 #include "mozilla/ArrayUtils.h"
+#include "mozilla/IntegerRange.h"
 #include "mozilla/PodOperations.h"
 #include "mozilla/UniquePtr.h"
 
@@ -27,6 +28,7 @@ using namespace js;
 using namespace js::gc;
 using namespace js::gcstats;
 
+using mozilla::MakeRange;
 using mozilla::PodArrayZero;
 using mozilla::PodZero;
 
@@ -185,7 +187,7 @@ static ExtraPhaseInfo phaseExtra[PHASE_LIMIT] = { { 0, 0 } };
 // Mapping from all nodes with a multi-parented child to a Vector of all
 // multi-parented children and their descendants. (Single-parented children will
 // not show up in this list.)
-static mozilla::Vector<Phase> dagDescendants[Statistics::MAX_MULTIPARENT_PHASES + 1];
+static mozilla::Vector<Phase> dagDescendants[Statistics::NumTimingArrays];
 
 struct AllPhaseIterator {
     int current;
@@ -193,7 +195,7 @@ struct AllPhaseIterator {
     size_t activeSlot;
     mozilla::Vector<Phase>::Range descendants;
 
-    explicit AllPhaseIterator(Statistics::PhaseTimeTable table)
+    explicit AllPhaseIterator(const Statistics::PhaseTimeTable table)
       : current(0)
       , baseLevel(0)
       , activeSlot(PHASE_DAG_NONE)
@@ -293,7 +295,7 @@ Join(const FragmentVector& fragments, const char* separator = "") {
 }
 
 static int64_t
-SumChildTimes(size_t phaseSlot, Phase phase, Statistics::PhaseTimeTable phaseTimes)
+SumChildTimes(size_t phaseSlot, Phase phase, const Statistics::PhaseTimeTable phaseTimes)
 {
     // Sum the contributions from single-parented children.
     int64_t total = 0;
@@ -398,7 +400,7 @@ Statistics::formatCompactSummaryMessage() const
 }
 
 UniqueChars
-Statistics::formatCompactSlicePhaseTimes(PhaseTimeTable phaseTimes) const
+Statistics::formatCompactSlicePhaseTimes(const PhaseTimeTable phaseTimes) const
 {
     static const int64_t MaxUnaccountedTimeUS = 100;
 
@@ -524,7 +526,7 @@ Statistics::formatDetailedSliceDescription(unsigned i, const SliceData& slice)
 }
 
 UniqueChars
-Statistics::formatDetailedPhaseTimes(PhaseTimeTable phaseTimes)
+Statistics::formatDetailedPhaseTimes(const PhaseTimeTable phaseTimes)
 {
     static const char* LevelToIndent[] = { "", "  ", "    ", "      " };
     static const int64_t MaxUnaccountedChildTimeUS = 50;
@@ -711,7 +713,7 @@ FilterJsonKey(const char*const buffer)
 }
 
 UniqueChars
-Statistics::formatJsonPhaseTimes(PhaseTimeTable phaseTimes)
+Statistics::formatJsonPhaseTimes(const PhaseTimeTable phaseTimes)
 {
     FragmentVector fragments;
     char buffer[128];
@@ -749,7 +751,7 @@ Statistics::Statistics(JSRuntime* rt)
     PodArrayZero(phaseTotals);
     PodArrayZero(counts);
     PodArrayZero(phaseStartTimes);
-    for (size_t d = 0; d < MAX_MULTIPARENT_PHASES + 1; d++)
+    for (auto d : MakeRange(NumTimingArrays))
         PodArrayZero(phaseTimes[d]);
 
     static bool initialized = false;
@@ -778,7 +780,7 @@ Statistics::Statistics(JSRuntime* rt)
                 j++;
             } while (j != PHASE_LIMIT && phases[j].parent != PHASE_MULTI_PARENTS);
         }
-        MOZ_ASSERT(dagSlot <= MAX_MULTIPARENT_PHASES);
+        MOZ_ASSERT(dagSlot <= MaxMultiparentPhases - 1);
 
         // Fill in the depth of each node in the tree. Multi-parented nodes
         // have depth 0.
@@ -846,7 +848,7 @@ static int64_t
 SumPhase(Phase phase, Statistics::PhaseTimeTable times)
 {
     int64_t sum = 0;
-    for (size_t i = 0; i < Statistics::MAX_MULTIPARENT_PHASES + 1; i++)
+    for (auto i : MakeRange(Statistics::NumTimingArrays))
         sum += times[i][phase];
     return sum;
 }
@@ -878,7 +880,7 @@ Statistics::beginGC(JSGCInvocationKind kind)
 void
 Statistics::endGC()
 {
-    for (size_t j = 0; j < MAX_MULTIPARENT_PHASES + 1; j++)
+    for (auto j : MakeRange(NumTimingArrays))
         for (int i = 0; i < PHASE_LIMIT; i++)
             phaseTotals[j][i] += phaseTimes[j][i];
 
@@ -913,7 +915,7 @@ Statistics::endGC()
     // Clear the timers at the end of a GC because we accumulate time in
     // between GCs for some (which come before PHASE_GC_BEGIN in the list.)
     PodZero(&phaseStartTimes[PHASE_GC_BEGIN], PHASE_LIMIT - PHASE_GC_BEGIN);
-    for (size_t d = PHASE_DAG_NONE; d < MAX_MULTIPARENT_PHASES + 1; d++)
+    for (size_t d = PHASE_DAG_NONE; d < NumTimingArrays; d++)
         PodZero(&phaseTimes[d][PHASE_GC_BEGIN], PHASE_LIMIT - PHASE_GC_BEGIN);
 
     aborted = false;
@@ -943,7 +945,7 @@ Statistics::beginSlice(const ZoneGCStats& zoneStats, JSGCInvocationKind gckind,
         bool wasFullGC = zoneStats.isCollectingAllZones();
         if (sliceCallback)
             (*sliceCallback)(runtime, first ? JS::GC_CYCLE_BEGIN : JS::GC_SLICE_BEGIN,
-                             JS::GCDescription(!wasFullGC, gckind));
+                             JS::GCDescription(!wasFullGC, gckind, reason));
     }
 }
 
@@ -954,8 +956,16 @@ Statistics::endSlice()
         slices.back().end = PRMJ_Now();
         slices.back().endFaults = GetPageFaultCount();
 
-        runtime->addTelemetry(JS_TELEMETRY_GC_SLICE_MS, t(slices.back().end - slices.back().start));
+        int64_t sliceTime = slices.back().end - slices.back().start;
+        runtime->addTelemetry(JS_TELEMETRY_GC_SLICE_MS, t(sliceTime));
         runtime->addTelemetry(JS_TELEMETRY_GC_RESET, !!slices.back().resetReason);
+
+        if (slices.back().budget.isTimeBudget()) {
+            int64_t budget = slices.back().budget.timeBudget.budget;
+            runtime->addTelemetry(JS_TELEMETRY_GC_BUDGET_MS, t(budget));
+            if (budget == runtime->gc.defaultSliceBudget())
+                runtime->addTelemetry(JS_TELEMETRY_GC_ANIMATION_MS, t(sliceTime));
+        }
     }
 
     bool last = !runtime->gc.isIncrementalGCInProgress();
@@ -967,7 +977,7 @@ Statistics::endSlice()
         bool wasFullGC = zoneStats.isCollectingAllZones();
         if (sliceCallback)
             (*sliceCallback)(runtime, last ? JS::GC_CYCLE_END : JS::GC_SLICE_END,
-                             JS::GCDescription(!wasFullGC, gckind));
+                             JS::GCDescription(!wasFullGC, gckind, slices.back().reason));
     }
 
     /* Do this after the slice callback since it uses these values. */
diff --git a/js/src/gc/Statistics.h b/js/src/gc/Statistics.h
index c97d3bf64559..ceb7219af322 100644
--- a/js/src/gc/Statistics.h
+++ b/js/src/gc/Statistics.h
@@ -8,6 +8,7 @@
 #define gc_Statistics_h
 
 #include "mozilla/DebugOnly.h"
+#include "mozilla/IntegerRange.h"
 #include "mozilla/PodOperations.h"
 #include "mozilla/UniquePtr.h"
 
@@ -151,7 +152,11 @@ struct Statistics
      * the few hundred bytes of savings. If we want to extend things to full
      * DAGs, this decision should be reconsidered.
      */
-    static const size_t MAX_MULTIPARENT_PHASES = 6;
+    static const size_t MaxMultiparentPhases = 6;
+    static const size_t NumTimingArrays = MaxMultiparentPhases + 1;
+
+    /* Create a convenient type for referring to tables of phase times. */
+    using PhaseTimeTable = int64_t[NumTimingArrays][PHASE_LIMIT];
 
     explicit Statistics(JSRuntime* rt);
     ~Statistics();
@@ -211,7 +216,7 @@ struct Statistics
             resetReason(nullptr),
             start(start), startFaults(startFaults)
         {
-            for (size_t i = 0; i < MAX_MULTIPARENT_PHASES + 1; i++)
+            for (auto i : mozilla::MakeRange(NumTimingArrays))
                 mozilla::PodArrayZero(phaseTimes[i]);
         }
 
@@ -220,7 +225,7 @@ struct Statistics
         const char* resetReason;
         int64_t start, end;
         size_t startFaults, endFaults;
-        int64_t phaseTimes[MAX_MULTIPARENT_PHASES + 1][PHASE_LIMIT];
+        PhaseTimeTable phaseTimes;
 
         int64_t duration() const { return end - start; }
     };
@@ -231,9 +236,6 @@ struct Statistics
     SliceRange sliceRange() const { return slices.all(); }
     size_t slicesLength() const { return slices.length(); }
 
-    /* Create a convenient typedef for referring tables of phase times. */
-    typedef int64_t const (*PhaseTimeTable)[PHASE_LIMIT];
-
   private:
     JSRuntime* runtime;
 
@@ -264,10 +266,10 @@ struct Statistics
     int64_t timedGCTime;
 
     /* Total time in a given phase for this GC. */
-    int64_t phaseTimes[MAX_MULTIPARENT_PHASES + 1][PHASE_LIMIT];
+    PhaseTimeTable phaseTimes;
 
     /* Total time in a given phase over all GCs. */
-    int64_t phaseTotals[MAX_MULTIPARENT_PHASES + 1][PHASE_LIMIT];
+    PhaseTimeTable phaseTotals;
 
     /* Number of events of this type for this GC. */
     unsigned int counts[STAT_LIMIT];
@@ -312,16 +314,16 @@ struct Statistics
     void sccDurations(int64_t* total, int64_t* maxPause);
     void printStats();
 
-    UniqueChars formatCompactSlicePhaseTimes(PhaseTimeTable phaseTimes) const;
+    UniqueChars formatCompactSlicePhaseTimes(const PhaseTimeTable phaseTimes) const;
 
     UniqueChars formatDetailedDescription();
     UniqueChars formatDetailedSliceDescription(unsigned i, const SliceData& slice);
-    UniqueChars formatDetailedPhaseTimes(PhaseTimeTable phaseTimes);
+    UniqueChars formatDetailedPhaseTimes(const PhaseTimeTable phaseTimes);
     UniqueChars formatDetailedTotals();
 
     UniqueChars formatJsonDescription(uint64_t timestamp);
     UniqueChars formatJsonSliceDescription(unsigned i, const SliceData& slice);
-    UniqueChars formatJsonPhaseTimes(PhaseTimeTable phaseTimes);
+    UniqueChars formatJsonPhaseTimes(const PhaseTimeTable phaseTimes);
 
     double computeMMU(int64_t resolution) const;
 };
diff --git a/js/src/jit-test/tests/basic/statement-after-return.js b/js/src/jit-test/tests/basic/statement-after-return.js
index bfb9bed6ec46..7f3906a845ae 100644
--- a/js/src/jit-test/tests/basic/statement-after-return.js
+++ b/js/src/jit-test/tests/basic/statement-after-return.js
@@ -2,47 +2,36 @@
 
 load(libdir + "class.js");
 
-if (options().indexOf("werror") == -1)
-  options("werror");
-
 function testWarn(code, lineNumber, columnNumber) {
-  var caught = false;
-  try {
-    eval(code);
-  } catch (e) {
-    caught = true;
-    assertEq(e.constructor, SyntaxError);
-    assertEq(e.lineNumber, lineNumber);
-    assertEq(e.columnNumber, columnNumber);
-  }
-  assertEq(caught, true, "warning should be caught for " + code);
+  enableLastWarning();
+  eval(code);
+  var warning = getLastWarning();
+  assertEq(warning !== null, true, "warning should be caught for " + code);
+  assertEq(warning.name, "None");
+  assertEq(warning.lineNumber, lineNumber);
+  assertEq(warning.columnNumber, columnNumber);
 
-  caught = false;
-  try {
-    Reflect.parse(code);
-  } catch (e) {
-    caught = true;
-    assertEq(e.constructor, SyntaxError);
-  }
-  assertEq(caught, true, "warning should be caught for " + code);
+  clearLastWarning();
+  Reflect.parse(code);
+  warning = getLastWarning();
+  assertEq(warning !== null, true, "warning should be caught for " + code);
+  assertEq(warning.name, "None");
+  // Warning generated by Reflect.parse has line/column number for Reflect.parse
+  // itself, not parsed code.
+  disableLastWarning();
 }
 
 function testPass(code) {
-  var caught = false;
-  try {
-    eval(code);
-  } catch (e) {
-    caught = true;
-  }
-  assertEq(caught, false, "warning should not be caught for " + code);
+  enableLastWarning();
+  eval(code);
+  var warning = getLastWarning();
+  assertEq(warning, null, "warning should not be caught for " + code);
 
-  caught = false;
-  try {
-    Reflect.parse(code);
-  } catch (e) {
-    caught = true;
-  }
-  assertEq(caught, false, "warning should not be caught for " + code);
+  clearLastWarning();
+  Reflect.parse(code);
+  warning = getLastWarning();
+  assertEq(warning, null, "warning should not be caught for " + code);
+  disableLastWarning();
 }
 
 testPass(`
diff --git a/js/src/jit-test/tests/basic/syntax-error-illegal-character.js b/js/src/jit-test/tests/basic/syntax-error-illegal-character.js
index 1a8551bafa70..0205bbcdd45f 100644
--- a/js/src/jit-test/tests/basic/syntax-error-illegal-character.js
+++ b/js/src/jit-test/tests/basic/syntax-error-illegal-character.js
@@ -1,3 +1,5 @@
+load(libdir + "class.js");
+
 var JSMSG_ILLEGAL_CHARACTER = "illegal character";
 var JSMSG_UNTERMINATED_STRING = "unterminated string literal";
 
@@ -25,7 +27,6 @@ function test_eval(code) {
   assertEq(caught, true);
 }
 
-
 function test(code) {
   test_reflect(code);
   test_reflect("'use strict'; " + code);
@@ -468,16 +469,18 @@ test_no_fun_no_eval("export const a = 1, b = @");
 test_no_fun_no_eval("export const a = 1, b = 2 @");
 test_no_fun_no_eval("export const a = 1, b = 2; @");
 
-test_no_fun_no_eval("export class @");
-test_no_fun_no_eval("export class Foo @");
-test_no_fun_no_eval("export class Foo {  @");
-test_no_fun_no_eval("export class Foo { constructor @");
-test_no_fun_no_eval("export class Foo { constructor( @");
-test_no_fun_no_eval("export class Foo { constructor() @");
-test_no_fun_no_eval("export class Foo { constructor() { @");
-test_no_fun_no_eval("export class Foo { constructor() {} @");
-test_no_fun_no_eval("export class Foo { constructor() {} } @");
-test_no_fun_no_eval("export class Foo { constructor() {} }; @");
+if (classesEnabled()) {
+    test_no_fun_no_eval("export class @");
+    test_no_fun_no_eval("export class Foo @");
+    test_no_fun_no_eval("export class Foo {  @");
+    test_no_fun_no_eval("export class Foo { constructor @");
+    test_no_fun_no_eval("export class Foo { constructor( @");
+    test_no_fun_no_eval("export class Foo { constructor() @");
+    test_no_fun_no_eval("export class Foo { constructor() { @");
+    test_no_fun_no_eval("export class Foo { constructor() {} @");
+    test_no_fun_no_eval("export class Foo { constructor() {} } @");
+    test_no_fun_no_eval("export class Foo { constructor() {} }; @");
+}
 
 test_no_fun_no_eval("export default @");
 test_no_fun_no_eval("export default 1 @");
@@ -496,25 +499,27 @@ test_no_fun_no_eval("export default function foo() { @");
 test_no_fun_no_eval("export default function foo() {} @");
 test_no_fun_no_eval("export default function foo() {}; @");
 
-test_no_fun_no_eval("export default class @");
-test_no_fun_no_eval("export default class { @");
-test_no_fun_no_eval("export default class { constructor @");
-test_no_fun_no_eval("export default class { constructor( @");
-test_no_fun_no_eval("export default class { constructor() @");
-test_no_fun_no_eval("export default class { constructor() { @");
-test_no_fun_no_eval("export default class { constructor() {} @");
-test_no_fun_no_eval("export default class { constructor() {} } @");
-test_no_fun_no_eval("export default class { constructor() {} }; @");
+if (classesEnabled()) {
+    test_no_fun_no_eval("export default class @");
+    test_no_fun_no_eval("export default class { @");
+    test_no_fun_no_eval("export default class { constructor @");
+    test_no_fun_no_eval("export default class { constructor( @");
+    test_no_fun_no_eval("export default class { constructor() @");
+    test_no_fun_no_eval("export default class { constructor() { @");
+    test_no_fun_no_eval("export default class { constructor() {} @");
+    test_no_fun_no_eval("export default class { constructor() {} } @");
+    test_no_fun_no_eval("export default class { constructor() {} }; @");
 
-test_no_fun_no_eval("export default class Foo @");
-test_no_fun_no_eval("export default class Foo { @");
-test_no_fun_no_eval("export default class Foo { constructor @");
-test_no_fun_no_eval("export default class Foo { constructor( @");
-test_no_fun_no_eval("export default class Foo { constructor() @");
-test_no_fun_no_eval("export default class Foo { constructor() { @");
-test_no_fun_no_eval("export default class Foo { constructor() {} @");
-test_no_fun_no_eval("export default class Foo { constructor() {} } @");
-test_no_fun_no_eval("export default class Foo { constructor() {} }; @");
+    test_no_fun_no_eval("export default class Foo @");
+    test_no_fun_no_eval("export default class Foo { @");
+    test_no_fun_no_eval("export default class Foo { constructor @");
+    test_no_fun_no_eval("export default class Foo { constructor( @");
+    test_no_fun_no_eval("export default class Foo { constructor() @");
+    test_no_fun_no_eval("export default class Foo { constructor() { @");
+    test_no_fun_no_eval("export default class Foo { constructor() {} @");
+    test_no_fun_no_eval("export default class Foo { constructor() {} } @");
+    test_no_fun_no_eval("export default class Foo { constructor() {} }; @");
+}
 
 // import
 
diff --git a/js/src/jit-test/tests/collections/Map-constructor-1.js b/js/src/jit-test/tests/collections/Map-constructor-1.js
index 44a6be9ee3f8..528f43cc2340 100644
--- a/js/src/jit-test/tests/collections/Map-constructor-1.js
+++ b/js/src/jit-test/tests/collections/Map-constructor-1.js
@@ -10,8 +10,7 @@ m = new Map(null);
 assertEq(m.size, 0);
 
 // FIXME: bug 1083752
-options("werror");
-assertEq(evaluate("Map()", {catchTermination: true}), "terminated");
+assertWarning(() => Map(), "None");
 // assertThrowsInstanceOf(() => Map(), TypeError);
 // assertThrowsInstanceOf(() => Map(undefined), TypeError);
 // assertThrowsInstanceOf(() => Map(null), TypeError);
diff --git a/js/src/jit-test/tests/collections/Set-constructor-1.js b/js/src/jit-test/tests/collections/Set-constructor-1.js
index 35a2dedb5e04..47913f869160 100644
--- a/js/src/jit-test/tests/collections/Set-constructor-1.js
+++ b/js/src/jit-test/tests/collections/Set-constructor-1.js
@@ -10,8 +10,7 @@ s = new Set(null);
 assertEq(s.size, 0);
 
 // FIXME: bug 1083752
-options("werror");
-assertEq(evaluate("Set()", {catchTermination: true}), "terminated");
+assertWarning(() => Set(), "None");
 // assertThrowsInstanceOf(() => Set(), TypeError);
 // assertThrowsInstanceOf(() => Set(undefined), TypeError);
 // assertThrowsInstanceOf(() => Set(null), TypeError);
diff --git a/js/src/jit-test/tests/collections/WeakMap-constructor-1.js b/js/src/jit-test/tests/collections/WeakMap-constructor-1.js
index 826aa1d27416..bfeaa2511a3f 100644
--- a/js/src/jit-test/tests/collections/WeakMap-constructor-1.js
+++ b/js/src/jit-test/tests/collections/WeakMap-constructor-1.js
@@ -7,8 +7,7 @@ new WeakMap(undefined);
 new WeakMap(null);
 
 // FIXME: bug 1083752
-options("werror");
-assertEq(evaluate("WeakMap()", {catchTermination: true}), "terminated");
+assertWarning(() => WeakMap(), "None");
 // assertThrowsInstanceOf(() => WeakMap(), TypeError);
 // assertThrowsInstanceOf(() => WeakMap(undefined), TypeError);
 // assertThrowsInstanceOf(() => WeakMap(null), TypeError);
diff --git a/js/src/jit-test/tests/ion/recover-empty-new-object.js b/js/src/jit-test/tests/ion/recover-empty-new-object.js
index 459f11f3b744..a34f0d36fb44 100644
--- a/js/src/jit-test/tests/ion/recover-empty-new-object.js
+++ b/js/src/jit-test/tests/ion/recover-empty-new-object.js
@@ -1,3 +1,8 @@
+// |jit-test| test-join=--no-unboxed-objects
+//
+// Unboxed object optimization might not trigger in all cases, thus we ensure
+// that Sink optimization is working well independently of the
+// object representation.
 
 // Ion eager fails the test below because we have not yet created any
 // template object in baseline before running the content of the top-level
@@ -5,6 +10,9 @@
 if (getJitCompilerOptions()["ion.warmup.trigger"] <= 20)
     setJitCompilerOption("ion.warmup.trigger", 20);
 
+// These arguments have to be computed by baseline, and thus captured in a
+// resume point. The next function checks that we can remove the computation of
+// these arguments.
 function f(a, b, c, d) { }
 
 function topLevel() {
diff --git a/js/src/jit-test/tests/ion/recover-iterator-next.js b/js/src/jit-test/tests/ion/recover-iterator-next.js
new file mode 100644
index 000000000000..ca51fb168151
--- /dev/null
+++ b/js/src/jit-test/tests/ion/recover-iterator-next.js
@@ -0,0 +1,39 @@
+// |jit-test| test-join=--no-unboxed-objects
+//
+// Unboxed object optimization might not trigger in all cases, thus we ensure
+// that Scalar Replacement optimization is working well independently of the
+// object representation.
+
+// Ion eager fails the test below because we have not yet created any
+// template object in baseline before running the content of the top-level
+// function.
+if (getJitCompilerOptions()["ion.warmup.trigger"] <= 90)
+    setJitCompilerOption("ion.warmup.trigger", 90);
+
+// This test checks that we are able to remove the getprop & setprop with scalar
+// replacement, so we should not force inline caches, as this would skip the
+// generation of getprop & setprop instructions.
+if (getJitCompilerOptions()["ion.forceinlineCaches"])
+    setJitCompilerOption("ion.forceinlineCaches", 0);
+
+var arr = new Array();
+var max = 2000;
+for (var i=0; i < max; i++)
+    arr[i] = i;
+
+function f() {
+    var res = 0;
+    var nextObj;
+    var itr = arr[Symbol.iterator]();
+    do {
+        nextObj = itr.next();
+        if (nextObj.done)
+          break;
+        res += nextObj.value;
+        assertRecoveredOnBailout(nextObj, true);
+    } while (true);
+    return res;
+}
+
+for (var j = 0; j < 10; j++)
+  assertEq(f(), max * (max - 1) / 2);
diff --git a/js/src/jit-test/tests/ion/recover-objects.js b/js/src/jit-test/tests/ion/recover-objects.js
index c2cbf50af4c7..30274f7efa65 100644
--- a/js/src/jit-test/tests/ion/recover-objects.js
+++ b/js/src/jit-test/tests/ion/recover-objects.js
@@ -1,3 +1,9 @@
+// |jit-test| test-join=--no-unboxed-objects
+//
+// Unboxed object optimization might not trigger in all cases, thus we ensure
+// that Scalar Replacement optimization is working well independently of the
+// object representation.
+
 // Ion eager fails the test below because we have not yet created any
 // template object in baseline before running the content of the top-level
 // function.
@@ -10,12 +16,14 @@ if (getJitCompilerOptions()["ion.warmup.trigger"] <= 90)
 if (getJitCompilerOptions()["ion.forceinlineCaches"])
     setJitCompilerOption("ion.forceinlineCaches", 0);
 
+function resumeHere() {}
 var uceFault = function (i) {
     if (i > 98)
         uceFault = function (i) { return true; };
     return false;
 };
 
+
 // Without "use script" in the inner function, the arguments might be
 // obersvable.
 function inline_notSoEmpty1(a, b, c, d) {
@@ -25,11 +33,11 @@ function inline_notSoEmpty1(a, b, c, d) {
 }
 var uceFault_notSoEmpty1 = eval(uneval(uceFault).replace('uceFault', 'uceFault_notSoEmpty1'));
 function notSoEmpty1() {
-    var a = { v: i, notunboxed: undefined };
-    var b = { v: 1 + a.v, notunboxed: undefined };
-    var c = { v: 2 + b.v, notunboxed: undefined };
-    var d = { v: 3 + c.v, notunboxed: undefined };
-    var unused = { v: 4 + d.v, notunboxed: undefined };
+    var a = { v: i };
+    var b = { v: 1 + a.v };
+    var c = { v: 2 + b.v };
+    var d = { v: 3 + c.v };
+    var unused = { v: 4 + d.v };
     var res = inline_notSoEmpty1(a, b, c, d);
     if (uceFault_notSoEmpty1(i) || uceFault_notSoEmpty1(i))
         assertEq(i, res.v);
@@ -42,23 +50,23 @@ function notSoEmpty1() {
     assertRecoveredOnBailout(c, true);
     assertRecoveredOnBailout(d, true);
     assertRecoveredOnBailout(unused, true);
-    // Scalar Replacement is coming after the branch removal made by GVN, and
-    // the ucefault branch is not taken yet.
-    assertRecoveredOnBailout(res, false);
+    // The ucefault branch is not taken yet, and GVN removes it. Scalar
+    // Replacement thus removes the creation of the object.
+    assertRecoveredOnBailout(res, true);
 }
 
 // Check that we can recover objects with their content.
 function inline_notSoEmpty2(a, b, c, d) {
     "use strict";
-    return { v: (a.v + b.v + c.v + d.v - 10) / 4, notunboxed: undefined };
+    return { v: (a.v + b.v + c.v + d.v - 10) / 4 };
 }
 var uceFault_notSoEmpty2 = eval(uneval(uceFault).replace('uceFault', 'uceFault_notSoEmpty2'));
 function notSoEmpty2(i) {
-    var a = { v: i, notunboxed: undefined };
-    var b = { v: 1 + a.v, notunboxed: undefined };
-    var c = { v: 2 + b.v, notunboxed: undefined };
-    var d = { v: 3 + c.v, notunboxed: undefined };
-    var unused = { v: 4 + d.v, notunboxed: undefined };
+    var a = { v: i };
+    var b = { v: 1 + a.v };
+    var c = { v: 2 + b.v };
+    var d = { v: 3 + c.v };
+    var unused = { v: 4 + d.v };
     var res = inline_notSoEmpty2(a, b, c, d);
     if (uceFault_notSoEmpty2(i) || uceFault_notSoEmpty2(i))
         assertEq(i, res.v);
@@ -67,22 +75,22 @@ function notSoEmpty2(i) {
     assertRecoveredOnBailout(c, true);
     assertRecoveredOnBailout(d, true);
     assertRecoveredOnBailout(unused, true);
-    // Scalar Replacement is coming after the branch removal made by GVN, and
-    // the ucefault branch is not taken yet.
-    assertRecoveredOnBailout(res, false);
+    // The ucefault branch is not taken yet, and GVN removes it. Scalar
+    // Replacement thus removes the creation of the object.
+    assertRecoveredOnBailout(res, true);
 }
 
 // Check that we can recover objects with their content.
 var argFault_observeArg = function (i) {
     if (i > 98)
         return inline_observeArg.arguments[0];
-    return { test : i, notunboxed: undefined };
+    return { test : i };
 };
 function inline_observeArg(obj, i) {
     return argFault_observeArg(i);
 }
 function observeArg(i) {
-    var obj = { test: i, notunboxed: undefined };
+    var obj = { test: i };
     var res = inline_observeArg(obj, i);
     assertEq(res.test, i);
     assertRecoveredOnBailout(obj, true);
@@ -90,7 +98,7 @@ function observeArg(i) {
 
 // Check case where one successor can have multiple times the same predecessor.
 function complexPhi(i) {
-    var obj = { test: i, notunboxed: undefined };
+    var obj = { test: i };
     switch (i) { // TableSwitch
         case 0: obj.test = 0; break;
         case 1: obj.test = 1; break;
@@ -109,12 +117,12 @@ function complexPhi(i) {
 function withinIf(i) {
     var x = undefined;
     if (i % 2 == 0) {
-        let obj = { foo: i, notunboxed: undefined };
+        let obj = { foo: i };
         x = obj.foo;
         assertRecoveredOnBailout(obj, true);
         obj = undefined;
     } else {
-        let obj = { bar: i, notunboxed: undefined };
+        let obj = { bar: i };
         x = obj.bar;
         assertRecoveredOnBailout(obj, true);
         obj = undefined;
@@ -124,22 +132,20 @@ function withinIf(i) {
 
 // Check case where one successor can have multiple times the same predecessor.
 function unknownLoad(i) {
-    var obj = { foo: i, notunboxed: undefined };
+    var obj = { foo: i };
     assertEq(obj.bar, undefined);
     // Unknown properties are using GetPropertyCache.
     assertRecoveredOnBailout(obj, false);
 }
 
 // Check with dynamic slots.
-function resumeHere() {}
 function dynamicSlots(i) {
     var obj = {
         p0: i + 0, p1: i + 1, p2: i + 2, p3: i + 3, p4: i + 4, p5: i + 5, p6: i + 6, p7: i + 7, p8: i + 8, p9: i + 9, p10: i + 10,
         p11: i + 11, p12: i + 12, p13: i + 13, p14: i + 14, p15: i + 15, p16: i + 16, p17: i + 17, p18: i + 18, p19: i + 19, p20: i + 20,
         p21: i + 21, p22: i + 22, p23: i + 23, p24: i + 24, p25: i + 25, p26: i + 26, p27: i + 27, p28: i + 28, p29: i + 29, p30: i + 30,
         p31: i + 31, p32: i + 32, p33: i + 33, p34: i + 34, p35: i + 35, p36: i + 36, p37: i + 37, p38: i + 38, p39: i + 39, p40: i + 40,
-        p41: i + 41, p42: i + 42, p43: i + 43, p44: i + 44, p45: i + 45, p46: i + 46, p47: i + 47, p48: i + 48, p49: i + 49, p50: i + 50,
-        notunboxed: undefined
+        p41: i + 41, p42: i + 42, p43: i + 43, p44: i + 44, p45: i + 45, p46: i + 46, p47: i + 47, p48: i + 48, p49: i + 49, p50: i + 50
     };
     // Add a function call to capture a resumepoint at the end of the call or
     // inside the inlined block, such as the bailout does not rewind to the
@@ -154,7 +160,6 @@ function Point(x, y)
 {
     this.x = x;
     this.y = y;
-    this.notUnboxed = undefined;
 }
 
 function createThisWithTemplate(i)
@@ -165,7 +170,6 @@ function createThisWithTemplate(i)
     assertRecoveredOnBailout(p, true);
 }
 
-
 for (var i = 0; i < 100; i++) {
     notSoEmpty1(i);
     notSoEmpty2(i);
diff --git a/js/src/jit-test/tests/modules/export-declaration.js b/js/src/jit-test/tests/modules/export-declaration.js
index 3dc2869b2b30..4036a7488524 100644
--- a/js/src/jit-test/tests/modules/export-declaration.js
+++ b/js/src/jit-test/tests/modules/export-declaration.js
@@ -1,5 +1,6 @@
 load(libdir + "match.js");
 load(libdir + "asserts.js");
+load(libdir + "class.js");
 
 var { Pattern, MatchError } = Match;
 
@@ -202,16 +203,18 @@ program([
     )
 ]).assert(Reflect.parse("export function f() {}"));
 
-program([
-    exportDeclaration(
-        classDeclaration(
-            ident("Foo")
-        ),
-        null,
-        null,
-        false
-    )
-]).assert(Reflect.parse("export class Foo { constructor() {} }"));
+if (classesEnabled()) {
+    program([
+        exportDeclaration(
+            classDeclaration(
+                ident("Foo")
+            ),
+            null,
+            null,
+            false
+        )
+    ]).assert(Reflect.parse("export class Foo { constructor() {} }"));
+}
 
 program([
     exportDeclaration(
@@ -292,27 +295,29 @@ program([
     )
 ]).assert(Reflect.parse("export default function foo() {}"));
 
-program([
-    exportDeclaration(
-        classDeclaration(
-            ident("*default*")
-        ),
-        null,
-        null,
-        true
-    )
-]).assert(Reflect.parse("export default class { constructor() {} }"));
+if (classesEnabled()) {
+    program([
+        exportDeclaration(
+            classDeclaration(
+                ident("*default*")
+            ),
+            null,
+            null,
+            true
+        )
+    ]).assert(Reflect.parse("export default class { constructor() {} }"));
 
-program([
-    exportDeclaration(
-        classDeclaration(
-            ident("Foo")
-        ),
-        null,
-        null,
-        true
-    )
-]).assert(Reflect.parse("export default class Foo { constructor() {} }"));
+    program([
+        exportDeclaration(
+            classDeclaration(
+                ident("Foo")
+            ),
+            null,
+            null,
+            true
+        )
+    ]).assert(Reflect.parse("export default class Foo { constructor() {} }"));
+}
 
 program([
     exportDeclaration(
diff --git a/js/src/jit/BaselineBailouts.cpp b/js/src/jit/BaselineBailouts.cpp
index de1e86e9da9b..7815a0cd3f19 100644
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -372,8 +372,9 @@ struct BaselineStackBuilder
         MOZ_ASSERT(BaselineFrameReg == FramePointer);
         priorOffset -= sizeof(void*);
         return virtualPointerAtStackOffset(priorOffset);
-#elif defined(JS_CODEGEN_X64) || defined(JS_CODEGEN_ARM) || defined(JS_CODEGEN_MIPS)
-        // On X64, ARM and MIPS, the frame pointer save location depends on
+#elif defined(JS_CODEGEN_ARM) || defined(JS_CODEGEN_ARM64) || \
+      defined(JS_CODEGEN_X64) || defined(JS_CODEGEN_MIPS)
+        // On X64, ARM, ARM64, and MIPS, the frame pointer save location depends on
         // the caller of the rectifier frame.
         BufferPointer<RectifierFrameLayout> priorFrame =
             pointerAtStackOffset<RectifierFrameLayout>(priorOffset);
@@ -1569,9 +1570,9 @@ jit::BailoutIonToBaseline(JSContext* cx, JitActivation* activation, JitFrameIter
 
     // Do stack check.
     bool overRecursed = false;
-    BaselineBailoutInfo* info = builder.info();
+    BaselineBailoutInfo *info = builder.info();
     uint8_t* newsp = info->incomingStack - (info->copyStackTop - info->copyStackBottom);
-#if defined(JS_ARM_SIMULATOR) || defined(JS_MIPS_SIMULATOR)
+#if defined(JS_ARM_SIMULATOR) || defined(JS_ARM64_SIMULATOR) || defined(JS_MIPS_SIMULATOR)
     if (Simulator::Current()->overRecursed(uintptr_t(newsp)))
         overRecursed = true;
 #else
diff --git a/js/src/jit/BaselineCompiler.cpp b/js/src/jit/BaselineCompiler.cpp
index 14a812acd6f4..c7383d82f63c 100644
--- a/js/src/jit/BaselineCompiler.cpp
+++ b/js/src/jit/BaselineCompiler.cpp
@@ -345,13 +345,11 @@ BaselineCompiler::emitPrologue()
     emitProfilerEnterFrame();
 
     masm.push(BaselineFrameReg);
-    masm.mov(BaselineStackReg, BaselineFrameReg);
-
-    masm.subPtr(Imm32(BaselineFrame::Size()), BaselineStackReg);
+    masm.moveStackPtrTo(BaselineFrameReg);
+    masm.subFromStackPtr(Imm32(BaselineFrame::Size()));
 
     // Initialize BaselineFrame. For eval scripts, the scope chain
-    // is passed in R1, so we have to be careful not to clobber
-    // it.
+    // is passed in R1, so we have to be careful not to clobber it.
 
     // Initialize BaselineFrame::flags.
     uint32_t flags = 0;
@@ -453,7 +451,7 @@ BaselineCompiler::emitEpilogue()
         return false;
 #endif
 
-    masm.mov(BaselineFrameReg, BaselineStackReg);
+    masm.moveToStackPtr(BaselineFrameReg);
     masm.pop(BaselineFrameReg);
 
     emitProfilerExitFrame();
@@ -479,7 +477,7 @@ BaselineCompiler::emitOutOfLinePostBarrierSlot()
     regs.take(objReg);
     regs.take(BaselineFrameReg);
     Register scratch = regs.takeAny();
-#if defined(JS_CODEGEN_ARM)
+#if defined(JS_CODEGEN_ARM) || defined(JS_CODEGEN_ARM64)
     // On ARM, save the link register before calling.  It contains the return
     // address.  The |masm.ret()| later will pop this into |pc| to return.
     masm.push(lr);
@@ -527,7 +525,7 @@ BaselineCompiler::emitStackCheck(bool earlyCheck)
     uint32_t slotsSize = script->nslots() * sizeof(Value);
     uint32_t tolerance = earlyCheck ? slotsSize : 0;
 
-    masm.movePtr(BaselineStackReg, R1.scratchReg());
+    masm.moveStackPtrTo(R1.scratchReg());
 
     // If this is the early stack check, locals haven't been pushed yet.  Adjust the
     // stack pointer to account for the locals that would be pushed before performing
@@ -3710,7 +3708,7 @@ BaselineCompiler::emit_JSOP_RESUME()
     // Update BaselineFrame frameSize field and create the frame descriptor.
     masm.computeEffectiveAddress(Address(BaselineFrameReg, BaselineFrame::FramePointerOffset),
                                  scratch2);
-    masm.subPtr(BaselineStackReg, scratch2);
+    masm.subStackPtrFrom(scratch2);
     masm.store32(scratch2, Address(BaselineFrameReg, BaselineFrame::reverseOffsetOfFrameSize()));
     masm.makeFrameDescriptor(scratch2, JitFrame_BaselineJS);
 
@@ -3755,8 +3753,8 @@ BaselineCompiler::emit_JSOP_RESUME()
 
     // Construct BaselineFrame.
     masm.push(BaselineFrameReg);
-    masm.mov(BaselineStackReg, BaselineFrameReg);
-    masm.subPtr(Imm32(BaselineFrame::Size()), BaselineStackReg);
+    masm.moveStackPtrTo(BaselineFrameReg);
+    masm.subFromStackPtr(Imm32(BaselineFrame::Size()));
     masm.checkStackAlignment();
 
     // Store flags and scope chain.
@@ -3823,7 +3821,7 @@ BaselineCompiler::emit_JSOP_RESUME()
         masm.computeEffectiveAddress(Address(BaselineFrameReg, BaselineFrame::FramePointerOffset),
                                      scratch2);
         masm.movePtr(scratch2, scratch1);
-        masm.subPtr(BaselineStackReg, scratch2);
+        masm.subStackPtrFrom(scratch2);
         masm.store32(scratch2, Address(BaselineFrameReg, BaselineFrame::reverseOffsetOfFrameSize()));
         masm.loadBaselineFramePtr(BaselineFrameReg, scratch2);
 
@@ -3838,14 +3836,18 @@ BaselineCompiler::emit_JSOP_RESUME()
             return false;
 
         // Create the frame descriptor.
-        masm.subPtr(BaselineStackReg, scratch1);
+        masm.subStackPtrFrom(scratch1);
         masm.makeFrameDescriptor(scratch1, JitFrame_BaselineJS);
 
         // Push the frame descriptor and a dummy return address (it doesn't
         // matter what we push here, frame iterators will use the frame pc
         // set in jit::GeneratorThrowOrClose).
         masm.push(scratch1);
+
+        // On ARM64, the callee will push the return address.
+#ifndef JS_CODEGEN_ARM64
         masm.push(ImmWord(0));
+#endif
         masm.jump(code);
     }
 
@@ -3872,7 +3874,7 @@ BaselineCompiler::emit_JSOP_RESUME()
     // After the generator returns, we restore the stack pointer, push the
     // return value and we're done.
     masm.bind(&returnTarget);
-    masm.computeEffectiveAddress(frame.addressOfStackValue(frame.peek(-1)), BaselineStackReg);
+    masm.computeEffectiveAddress(frame.addressOfStackValue(frame.peek(-1)), masm.getStackPointer());
     frame.popn(2);
     frame.push(R0);
     return true;
diff --git a/js/src/jit/BaselineCompiler.h b/js/src/jit/BaselineCompiler.h
index 492f469602d9..b13a74e4ce5b 100644
--- a/js/src/jit/BaselineCompiler.h
+++ b/js/src/jit/BaselineCompiler.h
@@ -14,6 +14,8 @@
 # include "jit/x64/BaselineCompiler-x64.h"
 #elif defined(JS_CODEGEN_ARM)
 # include "jit/arm/BaselineCompiler-arm.h"
+#elif defined(JS_CODEGEN_ARM64)
+# include "jit/arm64/BaselineCompiler-arm64.h"
 #elif defined(JS_CODEGEN_MIPS)
 # include "jit/mips/BaselineCompiler-mips.h"
 #elif defined(JS_CODEGEN_NONE)
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
index 7cf1f090a9d2..765eed07d6e7 100644
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -189,7 +189,7 @@ CodeGenerator::visitValueToInt32(LValueToInt32* lir)
         Register stringReg;
         if (input->mightBeType(MIRType_String)) {
             stringReg = ToRegister(lir->temp());
-            OutOfLineCode* oolString = oolCallVM(StringToNumberInfo, lir, (ArgList(), stringReg),
+            OutOfLineCode* oolString = oolCallVM(StringToNumberInfo, lir, ArgList(stringReg),
                                                  StoreFloatRegisterTo(temp));
             stringEntry = oolString->entry();
             stringRejoin = oolString->rejoin();
@@ -850,7 +850,7 @@ CodeGenerator::visitIntToString(LIntToString* lir)
     Register input = ToRegister(lir->input());
     Register output = ToRegister(lir->output());
 
-    OutOfLineCode* ool = oolCallVM(IntToStringInfo, lir, (ArgList(), input),
+    OutOfLineCode* ool = oolCallVM(IntToStringInfo, lir, ArgList(input),
                                    StoreRegisterTo(output));
 
     emitIntToString(input, output, ool->entry());
@@ -868,7 +868,7 @@ CodeGenerator::visitDoubleToString(LDoubleToString* lir)
     Register temp = ToRegister(lir->tempInt());
     Register output = ToRegister(lir->output());
 
-    OutOfLineCode* ool = oolCallVM(DoubleToStringInfo, lir, (ArgList(), input),
+    OutOfLineCode* ool = oolCallVM(DoubleToStringInfo, lir, ArgList(input),
                                    StoreRegisterTo(output));
 
     // Try double to integer conversion and run integer to string code.
@@ -887,7 +887,7 @@ CodeGenerator::visitValueToString(LValueToString* lir)
     ValueOperand input = ToValue(lir, LValueToString::Input);
     Register output = ToRegister(lir->output());
 
-    OutOfLineCode* ool = oolCallVM(PrimitiveToStringInfo, lir, (ArgList(), input),
+    OutOfLineCode* ool = oolCallVM(PrimitiveToStringInfo, lir, ArgList(input),
                                    StoreRegisterTo(output));
 
     Label done;
@@ -982,7 +982,7 @@ CodeGenerator::visitValueToObjectOrNull(LValueToObjectOrNull* lir)
     ValueOperand input = ToValue(lir, LValueToObjectOrNull::Input);
     Register output = ToRegister(lir->output());
 
-    OutOfLineCode* ool = oolCallVM(ToObjectInfo, lir, (ArgList(), input, Imm32(0)),
+    OutOfLineCode* ool = oolCallVM(ToObjectInfo, lir, ArgList(input, Imm32(0)),
                                    StoreRegisterTo(output));
 
     Label done;
@@ -1701,7 +1701,7 @@ CodeGenerator::visitLambda(LLambda* lir)
     Register tempReg = ToRegister(lir->temp());
     const LambdaFunctionInfo& info = lir->mir()->info();
 
-    OutOfLineCode* ool = oolCallVM(LambdaInfo, lir, (ArgList(), ImmGCPtr(info.fun), scopeChain),
+    OutOfLineCode* ool = oolCallVM(LambdaInfo, lir, ArgList(ImmGCPtr(info.fun), scopeChain),
                                    StoreRegisterTo(output));
 
     MOZ_ASSERT(!info.singletonType);
@@ -2515,7 +2515,7 @@ CodeGenerator::visitConvertElementsToDoubles(LConvertElementsToDoubles* lir)
     Register elements = ToRegister(lir->elements());
 
     OutOfLineCode* ool = oolCallVM(ConvertElementsToDoublesInfo, lir,
-                                   (ArgList(), elements), StoreNothing());
+                                   ArgList(elements), StoreNothing());
 
     Address convertedAddress(elements, ObjectElements::offsetOfFlags());
     Imm32 bit(ObjectElements::CONVERT_DOUBLE_ELEMENTS);
@@ -2561,7 +2561,7 @@ CodeGenerator::visitMaybeCopyElementsForWrite(LMaybeCopyElementsForWrite* lir)
     Register temp = ToRegister(lir->temp());
 
     OutOfLineCode* ool = oolCallVM(CopyElementsForWriteInfo, lir,
-                                   (ArgList(), object), StoreNothing());
+                                   ArgList(object), StoreNothing());
 
     if (lir->mir()->checkNative()) {
         masm.loadObjClass(object, temp);
@@ -4299,7 +4299,7 @@ CodeGenerator::visitNewArrayCopyOnWrite(LNewArrayCopyOnWrite* lir)
 
     // If we have a template object, we can inline call object creation.
     OutOfLineCode* ool = oolCallVM(NewArrayCopyOnWriteInfo, lir,
-                                   (ArgList(), ImmGCPtr(templateObject), Imm32(initialHeap)),
+                                   ArgList(ImmGCPtr(templateObject), Imm32(initialHeap)),
                                    StoreRegisterTo(objReg));
 
     masm.createGCObject(objReg, tempReg, templateObject, initialHeap, ool->entry());
@@ -4322,7 +4322,7 @@ CodeGenerator::visitNewArrayDynamicLength(LNewArrayDynamicLength* lir)
     gc::InitialHeap initialHeap = lir->mir()->initialHeap();
 
     OutOfLineCode* ool = oolCallVM(ArrayConstructorOneArgInfo, lir,
-                                   (ArgList(), ImmGCPtr(templateObject->group()), lengthReg),
+                                   ArgList(ImmGCPtr(templateObject->group()), lengthReg),
                                    StoreRegisterTo(objReg));
 
     bool canInline = true;
@@ -4559,7 +4559,7 @@ CodeGenerator::visitNewTypedObject(LNewTypedObject* lir)
     gc::InitialHeap initialHeap = lir->mir()->initialHeap();
 
     OutOfLineCode* ool = oolCallVM(NewTypedObjectInfo, lir,
-                                   (ArgList(), ImmGCPtr(templateObject), Imm32(initialHeap)),
+                                   ArgList(ImmGCPtr(templateObject), Imm32(initialHeap)),
                                    StoreRegisterTo(object));
 
     masm.createGCObject(object, temp, templateObject, initialHeap, ool->entry());
@@ -4581,7 +4581,7 @@ CodeGenerator::visitSimdBox(LSimdBox* lir)
     MOZ_ASSERT(lir->safepoint()->liveRegs().has(in),
                "Save the input register across the oolCallVM");
     OutOfLineCode* ool = oolCallVM(NewTypedObjectInfo, lir,
-                                   (ArgList(), ImmGCPtr(templateObject), Imm32(initialHeap)),
+                                   ArgList(ImmGCPtr(templateObject), Imm32(initialHeap)),
                                    StoreRegisterTo(object));
 
     masm.createGCObject(object, temp, templateObject, initialHeap, ool->entry());
@@ -4705,8 +4705,7 @@ CodeGenerator::visitNewDeclEnvObject(LNewDeclEnvObject* lir)
 
     // If we have a template object, we can inline call object creation.
     OutOfLineCode* ool = oolCallVM(NewDeclEnvObjectInfo, lir,
-                                   (ArgList(), ImmGCPtr(info.funMaybeLazy()),
-                                    Imm32(gc::DefaultHeap)),
+                                   ArgList(ImmGCPtr(info.funMaybeLazy()), Imm32(gc::DefaultHeap)),
                                    StoreRegisterTo(objReg));
 
     bool initContents = ShouldInitFixedSlots(lir, templateObj);
@@ -4731,9 +4730,9 @@ CodeGenerator::visitNewCallObject(LNewCallObject* lir)
     JSScript* script = lir->mir()->block()->info().script();
     uint32_t lexicalBegin = script->bindings.aliasedBodyLevelLexicalBegin();
     OutOfLineCode* ool = oolCallVM(NewCallObjectInfo, lir,
-                                   (ArgList(), ImmGCPtr(templateObj->lastProperty()),
-                                               ImmGCPtr(templateObj->group()),
-                                               Imm32(lexicalBegin)),
+                                   ArgList(ImmGCPtr(templateObj->lastProperty()),
+                                           ImmGCPtr(templateObj->group()),
+                                           Imm32(lexicalBegin)),
                                    StoreRegisterTo(objReg));
 
     // Inline call object creation, using the OOL path only for tricky cases.
@@ -4759,8 +4758,8 @@ CodeGenerator::visitNewSingletonCallObject(LNewSingletonCallObject* lir)
     uint32_t lexicalBegin = script->bindings.aliasedBodyLevelLexicalBegin();
     OutOfLineCode* ool;
     ool = oolCallVM(NewSingletonCallObjectInfo, lir,
-                    (ArgList(), ImmGCPtr(templateObj->as<CallObject>().lastProperty()),
-                                Imm32(lexicalBegin)),
+                    ArgList(ImmGCPtr(templateObj->as<CallObject>().lastProperty()),
+                            Imm32(lexicalBegin)),
                     StoreRegisterTo(objReg));
 
     // Objects can only be given singleton types in VM calls.  We make the call
@@ -4782,7 +4781,7 @@ CodeGenerator::visitNewStringObject(LNewStringObject* lir)
 
     StringObject* templateObj = lir->mir()->templateObj();
 
-    OutOfLineCode* ool = oolCallVM(NewStringObjectInfo, lir, (ArgList(), input),
+    OutOfLineCode* ool = oolCallVM(NewStringObjectInfo, lir, ArgList(input),
                                    StoreRegisterTo(output));
 
     masm.createGCObject(output, temp, templateObj, gc::DefaultHeap, ool->entry());
@@ -4934,7 +4933,7 @@ CodeGenerator::visitCreateThisWithTemplate(LCreateThisWithTemplate* lir)
     Register tempReg = ToRegister(lir->temp());
 
     OutOfLineCode* ool = oolCallVM(NewInitObjectWithTemplateInfo, lir,
-                                   (ArgList(), ImmGCPtr(templateObject)),
+                                   ArgList(ImmGCPtr(templateObject)),
                                    StoreRegisterTo(objReg));
 
     // Allocate. If the FreeList is empty, call to VM, which may GC.
@@ -5037,7 +5036,7 @@ CodeGenerator::visitComputeThis(LComputeThis* lir)
     ValueOperand value = ToValue(lir, LComputeThis::ValueIndex);
     Register output = ToRegister(lir->output());
 
-    OutOfLineCode* ool = oolCallVM(BoxNonStrictThisInfo, lir, (ArgList(), value),
+    OutOfLineCode* ool = oolCallVM(BoxNonStrictThisInfo, lir, ArgList(value),
                                    StoreRegisterTo(output));
 
     masm.branchTestObject(Assembler::NotEqual, value, ool->entry());
@@ -5465,10 +5464,10 @@ CodeGenerator::emitCompareS(LInstruction* lir, JSOp op, Register left, Register
     OutOfLineCode* ool = nullptr;
 
     if (op == JSOP_EQ || op == JSOP_STRICTEQ) {
-        ool = oolCallVM(StringsEqualInfo, lir, (ArgList(), left, right),  StoreRegisterTo(output));
+        ool = oolCallVM(StringsEqualInfo, lir, ArgList(left, right),  StoreRegisterTo(output));
     } else {
         MOZ_ASSERT(op == JSOP_NE || op == JSOP_STRICTNE);
-        ool = oolCallVM(StringsNotEqualInfo, lir, (ArgList(), left, right), StoreRegisterTo(output));
+        ool = oolCallVM(StringsNotEqualInfo, lir, ArgList(left, right), StoreRegisterTo(output));
     }
 
     masm.compareStrings(op, left, right, output, ool->entry());
@@ -5819,7 +5818,7 @@ static const VMFunction ConcatStringsInfo = FunctionInfo<ConcatStringsFn>(Concat
 void
 CodeGenerator::emitConcat(LInstruction* lir, Register lhs, Register rhs, Register output)
 {
-    OutOfLineCode* ool = oolCallVM(ConcatStringsInfo, lir, (ArgList(), lhs, rhs),
+    OutOfLineCode* ool = oolCallVM(ConcatStringsInfo, lir, ArgList(lhs, rhs),
                                    StoreRegisterTo(output));
 
     JitCode* stringConcatStub = gen->compartment->jitCompartment()->stringConcatStubNoBarrier();
@@ -6009,8 +6008,8 @@ CodeGenerator::visitSubstr(LSubstr* lir)
     // can be handled by allocate in ool code and returning to jit code to fill
     // in all data.
     OutOfLineCode* ool = oolCallVM(SubstringKernelInfo, lir,
-                                   (ArgList(), string, begin, length),
-                                    StoreRegisterTo(output));
+                                   ArgList(string, begin, length),
+                                   StoreRegisterTo(output));
     Label* slowPath = ool->entry();
     Label* done = ool->rejoin();
 
@@ -6338,7 +6337,7 @@ CodeGenerator::visitCharCodeAt(LCharCodeAt* lir)
     Register index = ToRegister(lir->index());
     Register output = ToRegister(lir->output());
 
-    OutOfLineCode* ool = oolCallVM(CharCodeAtInfo, lir, (ArgList(), str, index), StoreRegisterTo(output));
+    OutOfLineCode* ool = oolCallVM(CharCodeAtInfo, lir, ArgList(str, index), StoreRegisterTo(output));
 
     masm.branchIfRope(str, ool->entry());
     masm.loadStringChar(str, index, output);
@@ -6355,7 +6354,7 @@ CodeGenerator::visitFromCharCode(LFromCharCode* lir)
     Register code = ToRegister(lir->code());
     Register output = ToRegister(lir->output());
 
-    OutOfLineCode* ool = oolCallVM(StringFromCharCodeInfo, lir, (ArgList(), code), StoreRegisterTo(output));
+    OutOfLineCode* ool = oolCallVM(StringFromCharCodeInfo, lir, ArgList(code), StoreRegisterTo(output));
 
     // OOL path if code >= UNIT_STATIC_LIMIT.
     masm.branch32(Assembler::AboveOrEqual, code, Imm32(StaticStrings::UNIT_STATIC_LIMIT),
@@ -6996,7 +6995,7 @@ CodeGenerator::visitConvertUnboxedObjectToNative(LConvertUnboxedObjectToNative*
     OutOfLineCode* ool = oolCallVM(lir->mir()->group()->unboxedLayoutDontCheckGeneration().isArray()
                                    ? ConvertUnboxedArrayObjectToNativeInfo
                                    : ConvertUnboxedPlainObjectToNativeInfo,
-                                   lir, (ArgList(), object), StoreNothing());
+                                   lir, ArgList(object), StoreNothing());
 
     masm.branchPtr(Assembler::Equal, Address(object, JSObject::offsetOfGroup()),
                    ImmGCPtr(lir->mir()->group()), ool->entry());
@@ -7014,10 +7013,10 @@ CodeGenerator::emitArrayPopShift(LInstruction* lir, const MArrayPopShift* mir, R
     OutOfLineCode* ool;
 
     if (mir->mode() == MArrayPopShift::Pop) {
-        ool = oolCallVM(ArrayPopDenseInfo, lir, (ArgList(), obj), StoreValueTo(out));
+        ool = oolCallVM(ArrayPopDenseInfo, lir, ArgList(obj), StoreValueTo(out));
     } else {
         MOZ_ASSERT(mir->mode() == MArrayPopShift::Shift);
-        ool = oolCallVM(ArrayShiftDenseInfo, lir, (ArgList(), obj), StoreValueTo(out));
+        ool = oolCallVM(ArrayShiftDenseInfo, lir, ArgList(obj), StoreValueTo(out));
     }
 
     // VM call if a write barrier is necessary.
@@ -7138,7 +7137,7 @@ void
 CodeGenerator::emitArrayPush(LInstruction* lir, const MArrayPush* mir, Register obj,
                              ConstantOrRegister value, Register elementsTemp, Register length)
 {
-    OutOfLineCode* ool = oolCallVM(ArrayPushDenseInfo, lir, (ArgList(), obj, value), StoreRegisterTo(length));
+    OutOfLineCode* ool = oolCallVM(ArrayPushDenseInfo, lir, ArgList(obj, value), StoreRegisterTo(length));
 
     Int32Key key = Int32Key(length);
     if (mir->unboxedType() == JSVAL_TYPE_MAGIC) {
@@ -7328,7 +7327,7 @@ CodeGenerator::visitIteratorStart(LIteratorStart* lir)
     uint32_t flags = lir->mir()->flags();
 
     OutOfLineCode* ool = oolCallVM(GetIteratorObjectInfo, lir,
-                                   (ArgList(), obj, Imm32(flags)), StoreRegisterTo(output));
+                                   ArgList(obj, Imm32(flags)), StoreRegisterTo(output));
 
     const Register temp1 = ToRegister(lir->temp1());
     const Register temp2 = ToRegister(lir->temp2());
@@ -7457,7 +7456,7 @@ CodeGenerator::visitIteratorMore(LIteratorMore* lir)
     const ValueOperand output = ToOutValue(lir);
     const Register temp = ToRegister(lir->temp());
 
-    OutOfLineCode* ool = oolCallVM(IteratorMoreInfo, lir, (ArgList(), obj), StoreValueTo(output));
+    OutOfLineCode* ool = oolCallVM(IteratorMoreInfo, lir, ArgList(obj), StoreValueTo(output));
 
     Register outputScratch = output.scratchReg();
     LoadNativeIterator(masm, obj, outputScratch, ool->entry());
@@ -7512,7 +7511,7 @@ CodeGenerator::visitIteratorEnd(LIteratorEnd* lir)
     const Register temp2 = ToRegister(lir->temp2());
     const Register temp3 = ToRegister(lir->temp3());
 
-    OutOfLineCode* ool = oolCallVM(CloseIteratorInfo, lir, (ArgList(), obj), StoreNothing());
+    OutOfLineCode* ool = oolCallVM(CloseIteratorInfo, lir, ArgList(obj), StoreNothing());
 
     LoadNativeIterator(masm, obj, temp1, ool->entry());
 
@@ -8869,11 +8868,10 @@ CodeGenerator::visitToIdV(LToIdV* lir)
     ValueOperand index = ToValue(lir, LToIdV::Index);
 
     OutOfLineCode* ool = oolCallVM(ToIdInfo, lir,
-                                   (ArgList(),
-                                   ImmGCPtr(current->mir()->info().script()),
-                                   ImmPtr(lir->mir()->resumePoint()->pc()),
-                                   ToValue(lir, LToIdV::Object),
-                                   ToValue(lir, LToIdV::Index)),
+                                   ArgList(ImmGCPtr(current->mir()->info().script()),
+                                           ImmPtr(lir->mir()->resumePoint()->pc()),
+                                           ToValue(lir, LToIdV::Object),
+                                           ToValue(lir, LToIdV::Index)),
                                    StoreValueTo(out));
 
     Register tag = masm.splitTagForTest(index);
@@ -9092,7 +9090,7 @@ CodeGenerator::visitLoadUnboxedScalar(LLoadUnboxedScalar* lir)
     Scalar::Type readType = mir->readType();
     unsigned numElems = mir->numElems();
 
-    int width = Scalar::byteSize(mir->indexType());
+    int width = Scalar::byteSize(mir->storageType());
     bool canonicalizeDouble = mir->canonicalizeDoubles();
 
     Label fail;
@@ -9179,7 +9177,7 @@ CodeGenerator::visitStoreUnboxedScalar(LStoreUnboxedScalar* lir)
     Scalar::Type writeType = mir->writeType();
     unsigned numElems = mir->numElems();
 
-    int width = Scalar::byteSize(mir->indexType());
+    int width = Scalar::byteSize(mir->storageType());
 
     if (lir->index()->isConstant()) {
         Address dest(elements, ToInt32(lir->index()) * width + mir->offsetAdjustment());
@@ -9346,7 +9344,7 @@ CodeGenerator::visitClampVToUint8(LClampVToUint8* lir)
     Label* stringEntry;
     Label* stringRejoin;
     if (input->mightBeType(MIRType_String)) {
-        OutOfLineCode* oolString = oolCallVM(StringToNumberInfo, lir, (ArgList(), output),
+        OutOfLineCode* oolString = oolCallVM(StringToNumberInfo, lir, ArgList(output),
                                              StoreFloatRegisterTo(tempFloat));
         stringEntry = oolString->entry();
         stringRejoin = oolString->rejoin();
@@ -9398,7 +9396,7 @@ CodeGenerator::visitInArray(LInArray* lir)
         MOZ_ASSERT_IF(index < 0, mir->needsNegativeIntCheck());
         if (mir->needsNegativeIntCheck()) {
             ool = oolCallVM(OperatorInIInfo, lir,
-                            (ArgList(), Imm32(index), ToRegister(lir->object())),
+                            ArgList(Imm32(index), ToRegister(lir->object())),
                             StoreRegisterTo(output));
             failedInitLength = ool->entry();
         }
@@ -9426,7 +9424,7 @@ CodeGenerator::visitInArray(LInArray* lir)
         if (mir->needsNegativeIntCheck()) {
             masm.bind(&negativeIntCheck);
             ool = oolCallVM(OperatorInIInfo, lir,
-                            (ArgList(), index, ToRegister(lir->object())),
+                            ArgList(index, ToRegister(lir->object())),
                             StoreRegisterTo(output));
 
             masm.branch32(Assembler::LessThan, index, Imm32(0), ool->entry());
@@ -9528,7 +9526,7 @@ CodeGenerator::emitInstanceOf(LInstruction* ins, JSObject* prototypeObject)
     // register is already correct.
 
     OutOfLineCode* ool = oolCallVM(IsDelegateObjectInfo, ins,
-                                   (ArgList(), ImmGCPtr(prototypeObject), objReg),
+                                   ArgList(ImmGCPtr(prototypeObject), objReg),
                                    StoreRegisterTo(output));
 
     // Regenerate the original lhs object for the VM call.
@@ -10060,7 +10058,7 @@ CodeGenerator::visitAssertRangeV(LAssertRangeV* ins)
 void
 CodeGenerator::visitInterruptCheck(LInterruptCheck* lir)
 {
-    OutOfLineCode* ool = oolCallVM(InterruptCheckInfo, lir, (ArgList()), StoreNothing());
+    OutOfLineCode* ool = oolCallVM(InterruptCheckInfo, lir, ArgList(), StoreNothing());
 
     AbsoluteAddress interruptAddr(GetJitContext()->runtime->addressOfInterruptUint32());
     masm.branch32(Assembler::NotEqual, interruptAddr, Imm32(0), ool->entry());
@@ -10096,9 +10094,9 @@ CodeGenerator::visitRecompileCheck(LRecompileCheck* ins)
     Register tmp = ToRegister(ins->scratch());
     OutOfLineCode* ool;
     if (ins->mir()->forceRecompilation())
-        ool = oolCallVM(ForcedRecompileFnInfo, ins, (ArgList()), StoreRegisterTo(tmp));
+        ool = oolCallVM(ForcedRecompileFnInfo, ins, ArgList(), StoreRegisterTo(tmp));
     else
-        ool = oolCallVM(RecompileFnInfo, ins, (ArgList()), StoreRegisterTo(tmp));
+        ool = oolCallVM(RecompileFnInfo, ins, ArgList(), StoreRegisterTo(tmp));
 
     // Check if warm-up counter is high enough.
     AbsoluteAddress warmUpCount = AbsoluteAddress(ins->mir()->script()->addressOfWarmUpCounter());
diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
index 1c9599881feb..93bdab24501e 100644
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -1350,16 +1350,14 @@ OptimizeMIR(MIRGenerator* mir)
             return false;
     }
 
-    if (mir->optimizationInfo().scalarReplacementEnabled()) {
-        AutoTraceLog log(logger, TraceLogger_ScalarReplacement);
-        if (!ScalarReplacement(mir, graph))
-            return false;
-        gs.spewPass("Scalar Replacement");
-        AssertGraphCoherency(graph);
+    ValueNumberer gvn(mir, graph);
+    if (!gvn.init())
+        return false;
 
-        if (mir->shouldCancel("Scalar Replacement"))
-            return false;
-    }
+    size_t doRepeatOptimizations = 0;
+  repeatOptimizations:
+    doRepeatOptimizations++;
+    MOZ_ASSERT(doRepeatOptimizations <= 2);
 
     if (!mir->compilingAsmJS()) {
         AutoTraceLog log(logger, TraceLogger_ApplyTypes);
@@ -1395,10 +1393,6 @@ OptimizeMIR(MIRGenerator* mir)
             return false;
     }
 
-    ValueNumberer gvn(mir, graph);
-    if (!gvn.init())
-        return false;
-
     // Alias analysis is required for LICM and GVN so that we don't move
     // loads across stores.
     if (mir->optimizationInfo().licmEnabled() ||
@@ -1454,6 +1448,26 @@ OptimizeMIR(MIRGenerator* mir)
         }
     }
 
+    if (mir->optimizationInfo().scalarReplacementEnabled() && doRepeatOptimizations <= 1) {
+        AutoTraceLog log(logger, TraceLogger_ScalarReplacement);
+        bool success = false;
+        if (!ScalarReplacement(mir, graph, &success))
+            return false;
+        gs.spewPass("Scalar Replacement");
+        AssertGraphCoherency(graph);
+
+        if (mir->shouldCancel("Scalar Replacement"))
+            return false;
+
+        // We got some success at removing objects allocation and removing the
+        // loads and stores, unfortunately, this phase is terrible at keeping
+        // the type consistency, so we re-run the Apply Type phase.  As this
+        // optimization folds loads and stores, it might also introduce new
+        // opportunities for GVN and LICM, so re-run them as well.
+        if (success)
+            goto repeatOptimizations;
+    }
+
     if (mir->optimizationInfo().rangeAnalysisEnabled()) {
         AutoTraceLog log(logger, TraceLogger_RangeAnalysis);
         RangeAnalysis r(mir, graph);
@@ -2415,8 +2429,10 @@ jit::CanEnter(JSContext* cx, RunState& state)
             return Method_CantCompile;
         }
 
-        if (!state.maybeCreateThisForConstructor(cx))
+        if (!state.maybeCreateThisForConstructor(cx)) {
+            cx->recoverFromOutOfMemory();
             return Method_Skipped;
+        }
     }
 
     // If --ion-eager is used, compile with Baseline first, so that we
diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index 068884a70643..f9843525d5b5 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -7628,17 +7628,13 @@ IonBuilder::jsop_getgname(PropertyName* name)
     if (!getStaticName(obj, name, &emitted) || emitted)
         return emitted;
 
-    if (MOZ_UNLIKELY(js_JitOptions.forceInlineCaches))
-        goto do_InlineCache;
-
-    {
+    if (!forceInlineCaches()) {
         TemporaryTypeSet* types = bytecodeTypes(pc);
         MDefinition* globalObj = constant(ObjectValue(*obj));
         if (!getPropTryCommonGetter(&emitted, globalObj, name, types) || emitted)
             return emitted;
     }
 
-  do_InlineCache:
     return jsop_getname(name);
 }
 
@@ -7762,38 +7758,37 @@ IonBuilder::jsop_getelem()
     obj = maybeUnboxForPropertyAccess(obj);
 
     bool emitted = false;
-    if (MOZ_UNLIKELY(js_JitOptions.forceInlineCaches))
-        goto do_InlineCache;
 
-    trackOptimizationAttempt(TrackedStrategy::GetElem_TypedObject);
-    if (!getElemTryTypedObject(&emitted, obj, index) || emitted)
-        return emitted;
+    if (!forceInlineCaches()) {
+        trackOptimizationAttempt(TrackedStrategy::GetElem_TypedObject);
+        if (!getElemTryTypedObject(&emitted, obj, index) || emitted)
+            return emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::GetElem_Dense);
-    if (!getElemTryDense(&emitted, obj, index) || emitted)
-        return emitted;
+        trackOptimizationAttempt(TrackedStrategy::GetElem_Dense);
+        if (!getElemTryDense(&emitted, obj, index) || emitted)
+            return emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::GetElem_TypedStatic);
-    if (!getElemTryTypedStatic(&emitted, obj, index) || emitted)
-        return emitted;
+        trackOptimizationAttempt(TrackedStrategy::GetElem_TypedStatic);
+        if (!getElemTryTypedStatic(&emitted, obj, index) || emitted)
+            return emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::GetElem_TypedArray);
-    if (!getElemTryTypedArray(&emitted, obj, index) || emitted)
-        return emitted;
+        trackOptimizationAttempt(TrackedStrategy::GetElem_TypedArray);
+        if (!getElemTryTypedArray(&emitted, obj, index) || emitted)
+            return emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::GetElem_String);
-    if (!getElemTryString(&emitted, obj, index) || emitted)
-        return emitted;
+        trackOptimizationAttempt(TrackedStrategy::GetElem_String);
+        if (!getElemTryString(&emitted, obj, index) || emitted)
+            return emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::GetElem_Arguments);
-    if (!getElemTryArguments(&emitted, obj, index) || emitted)
-        return emitted;
+        trackOptimizationAttempt(TrackedStrategy::GetElem_Arguments);
+        if (!getElemTryArguments(&emitted, obj, index) || emitted)
+            return emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::GetElem_ArgumentsInlined);
-    if (!getElemTryArgumentsInlined(&emitted, obj, index) || emitted)
-        return emitted;
+        trackOptimizationAttempt(TrackedStrategy::GetElem_ArgumentsInlined);
+        if (!getElemTryArgumentsInlined(&emitted, obj, index) || emitted)
+            return emitted;
+    }
 
-  do_InlineCache:
     if (script()->argumentsHasVarBinding() && obj->mightBeType(MIRType_MagicOptimizedArguments))
         return abort("Type is not definitely lazy arguments.");
 
@@ -8816,34 +8811,30 @@ IonBuilder::jsop_setelem()
         return resumeAfter(ins);
     }
 
-    if (MOZ_UNLIKELY(js_JitOptions.forceInlineCaches))
-        goto do_InlineCache;
+    if (!forceInlineCaches()) {
+        trackOptimizationAttempt(TrackedStrategy::SetElem_TypedObject);
+        if (!setElemTryTypedObject(&emitted, object, index, value) || emitted)
+            return emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::SetElem_TypedObject);
-    if (!setElemTryTypedObject(&emitted, object, index, value) || emitted)
-        return emitted;
+        trackOptimizationAttempt(TrackedStrategy::SetElem_TypedStatic);
+        if (!setElemTryTypedStatic(&emitted, object, index, value) || emitted)
+            return emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::SetElem_TypedStatic);
-    if (!setElemTryTypedStatic(&emitted, object, index, value) || emitted)
-        return emitted;
+        trackOptimizationAttempt(TrackedStrategy::SetElem_TypedArray);
+        if (!setElemTryTypedArray(&emitted, object, index, value) || emitted)
+            return emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::SetElem_TypedArray);
-    if (!setElemTryTypedArray(&emitted, object, index, value) || emitted)
-        return emitted;
-
-    {
         trackOptimizationAttempt(TrackedStrategy::SetElem_Dense);
         SetElemICInspector icInspect(inspector->setElemICInspector(pc));
         bool writeHole = icInspect.sawOOBDenseWrite();
         if (!setElemTryDense(&emitted, object, index, value, writeHole) || emitted)
             return emitted;
+
+        trackOptimizationAttempt(TrackedStrategy::SetElem_Arguments);
+        if (!setElemTryArguments(&emitted, object, index, value) || emitted)
+            return emitted;
     }
 
-    trackOptimizationAttempt(TrackedStrategy::SetElem_Arguments);
-    if (!setElemTryArguments(&emitted, object, index, value) || emitted)
-        return emitted;
-
-  do_InlineCache:
     if (script()->argumentsHasVarBinding() &&
         object->mightBeType(MIRType_MagicOptimizedArguments) &&
         info().analysisMode() != Analysis_ArgumentsUsage)
@@ -10122,45 +10113,43 @@ IonBuilder::jsop_getprop(PropertyName* name)
     if (!getPropTryInnerize(&emitted, obj, name, types) || emitted)
         return emitted;
 
-    if (MOZ_UNLIKELY(js_JitOptions.forceInlineCaches))
-        goto do_InlineCache;
+    if (!forceInlineCaches()) {
+        // Try to hardcode known constants.
+        trackOptimizationAttempt(TrackedStrategy::GetProp_Constant);
+        if (!getPropTryConstant(&emitted, obj, name, types) || emitted)
+            return emitted;
 
-    // Try to hardcode known constants.
-    trackOptimizationAttempt(TrackedStrategy::GetProp_Constant);
-    if (!getPropTryConstant(&emitted, obj, name, types) || emitted)
-        return emitted;
+        // Try to emit SIMD getter loads
+        trackOptimizationAttempt(TrackedStrategy::GetProp_SimdGetter);
+        if (!getPropTrySimdGetter(&emitted, obj, name) || emitted)
+            return emitted;
 
-    // Try to emit SIMD getter loads
-    trackOptimizationAttempt(TrackedStrategy::GetProp_SimdGetter);
-    if (!getPropTrySimdGetter(&emitted, obj, name) || emitted)
-        return emitted;
+        // Try to emit loads from known binary data blocks
+        trackOptimizationAttempt(TrackedStrategy::GetProp_TypedObject);
+        if (!getPropTryTypedObject(&emitted, obj, name) || emitted)
+            return emitted;
 
-    // Try to emit loads from known binary data blocks
-    trackOptimizationAttempt(TrackedStrategy::GetProp_TypedObject);
-    if (!getPropTryTypedObject(&emitted, obj, name) || emitted)
-        return emitted;
+        // Try to emit loads from definite slots.
+        trackOptimizationAttempt(TrackedStrategy::GetProp_DefiniteSlot);
+        if (!getPropTryDefiniteSlot(&emitted, obj, name, barrier, types) || emitted)
+            return emitted;
 
-    // Try to emit loads from definite slots.
-    trackOptimizationAttempt(TrackedStrategy::GetProp_DefiniteSlot);
-    if (!getPropTryDefiniteSlot(&emitted, obj, name, barrier, types) || emitted)
-        return emitted;
+        // Try to emit loads from unboxed objects.
+        trackOptimizationAttempt(TrackedStrategy::GetProp_Unboxed);
+        if (!getPropTryUnboxed(&emitted, obj, name, barrier, types) || emitted)
+            return emitted;
 
-    // Try to emit loads from unboxed objects.
-    trackOptimizationAttempt(TrackedStrategy::GetProp_Unboxed);
-    if (!getPropTryUnboxed(&emitted, obj, name, barrier, types) || emitted)
-        return emitted;
+        // Try to inline a common property getter, or make a call.
+        trackOptimizationAttempt(TrackedStrategy::GetProp_CommonGetter);
+        if (!getPropTryCommonGetter(&emitted, obj, name, types) || emitted)
+            return emitted;
 
-    // Try to inline a common property getter, or make a call.
-    trackOptimizationAttempt(TrackedStrategy::GetProp_CommonGetter);
-    if (!getPropTryCommonGetter(&emitted, obj, name, types) || emitted)
-        return emitted;
+        // Try to emit a monomorphic/polymorphic access based on baseline caches.
+        trackOptimizationAttempt(TrackedStrategy::GetProp_InlineAccess);
+        if (!getPropTryInlineAccess(&emitted, obj, name, barrier, types) || emitted)
+            return emitted;
+    }
 
-    // Try to emit a monomorphic/polymorphic access based on baseline caches.
-    trackOptimizationAttempt(TrackedStrategy::GetProp_InlineAccess);
-    if (!getPropTryInlineAccess(&emitted, obj, name, barrier, types) || emitted)
-        return emitted;
-
-  do_InlineCache:
     // Try to emit a polymorphic cache.
     trackOptimizationAttempt(TrackedStrategy::GetProp_InlineCache);
     if (!getPropTryCache(&emitted, obj, name, barrier, types) || emitted)
@@ -10612,43 +10601,45 @@ MInstruction*
 IonBuilder::loadUnboxedProperty(MDefinition* obj, size_t offset, JSValueType unboxedType,
                                 BarrierKind barrier, TemporaryTypeSet* types)
 {
-    size_t scaledOffsetConstant = offset / UnboxedTypeSize(unboxedType);
-    MInstruction* scaledOffset = MConstant::New(alloc(), Int32Value(scaledOffsetConstant));
-    current->add(scaledOffset);
+    // loadUnboxedValue is designed to load any value as if it were contained in
+    // an array. Thus a property offset is converted to an index, when the
+    // object is reinterpreted as an array of properties of the same size.
+    size_t index = offset / UnboxedTypeSize(unboxedType);
+    MInstruction* indexConstant = MConstant::New(alloc(), Int32Value(index));
+    current->add(indexConstant);
 
     return loadUnboxedValue(obj, UnboxedPlainObject::offsetOfData(),
-                            scaledOffset, unboxedType, barrier, types);
+                            indexConstant, unboxedType, barrier, types);
 }
 
 MInstruction*
 IonBuilder::loadUnboxedValue(MDefinition* elements, size_t elementsOffset,
-                             MDefinition* scaledOffset, JSValueType unboxedType,
+                             MDefinition* index, JSValueType unboxedType,
                              BarrierKind barrier, TemporaryTypeSet* types)
 {
-
     MInstruction* load;
     switch (unboxedType) {
       case JSVAL_TYPE_BOOLEAN:
-        load = MLoadUnboxedScalar::New(alloc(), elements, scaledOffset, Scalar::Uint8,
+        load = MLoadUnboxedScalar::New(alloc(), elements, index, Scalar::Uint8,
                                        DoesNotRequireMemoryBarrier, elementsOffset);
         load->setResultType(MIRType_Boolean);
         break;
 
       case JSVAL_TYPE_INT32:
-        load = MLoadUnboxedScalar::New(alloc(), elements, scaledOffset, Scalar::Int32,
+        load = MLoadUnboxedScalar::New(alloc(), elements, index, Scalar::Int32,
                                        DoesNotRequireMemoryBarrier, elementsOffset);
         load->setResultType(MIRType_Int32);
         break;
 
       case JSVAL_TYPE_DOUBLE:
-        load = MLoadUnboxedScalar::New(alloc(), elements, scaledOffset, Scalar::Float64,
+        load = MLoadUnboxedScalar::New(alloc(), elements, index, Scalar::Float64,
                                        DoesNotRequireMemoryBarrier, elementsOffset,
                                        /* canonicalizeDoubles = */ false);
         load->setResultType(MIRType_Double);
         break;
 
       case JSVAL_TYPE_STRING:
-        load = MLoadUnboxedString::New(alloc(), elements, scaledOffset, elementsOffset);
+        load = MLoadUnboxedString::New(alloc(), elements, index, elementsOffset);
         break;
 
       case JSVAL_TYPE_OBJECT: {
@@ -10657,7 +10648,7 @@ IonBuilder::loadUnboxedValue(MDefinition* elements, size_t elementsOffset,
             nullBehavior = MLoadUnboxedObjectOrNull::HandleNull;
         else
             nullBehavior = MLoadUnboxedObjectOrNull::NullNotPossible;
-        load = MLoadUnboxedObjectOrNull::New(alloc(), elements, scaledOffset, nullBehavior,
+        load = MLoadUnboxedObjectOrNull::New(alloc(), elements, index, nullBehavior,
                                              elementsOffset);
         break;
       }
@@ -11150,31 +11141,29 @@ IonBuilder::getPropTryInnerize(bool* emitted, MDefinition* obj, PropertyName* na
     if (inner == obj)
         return true;
 
-    if (MOZ_UNLIKELY(js_JitOptions.forceInlineCaches))
-        goto do_InlineCache;
+    if (!forceInlineCaches()) {
+        // Note: the Baseline ICs don't know about this optimization, so it's
+        // possible the global property's HeapTypeSet has not been initialized
+        // yet. In this case we'll fall back to getPropTryCache for now.
 
-    // Note: the Baseline ICs don't know about this optimization, so it's
-    // possible the global property's HeapTypeSet has not been initialized
-    // yet. In this case we'll fall back to getPropTryCache for now.
+        // Note that it's important that we do this _before_ we'd try to
+        // do the optimizations below on obj normally, since some of those
+        // optimizations have fallback paths that are slower than the path
+        // we'd produce here.
 
-    // Note that it's important that we do this _before_ we'd try to
-    // do the optimizations below on obj normally, since some of those
-    // optimizations have fallback paths that are slower than the path
-    // we'd produce here.
+        trackOptimizationAttempt(TrackedStrategy::GetProp_Constant);
+        if (!getPropTryConstant(emitted, inner, name, types) || *emitted)
+            return *emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::GetProp_Constant);
-    if (!getPropTryConstant(emitted, inner, name, types) || *emitted)
-        return *emitted;
+        trackOptimizationAttempt(TrackedStrategy::GetProp_StaticName);
+        if (!getStaticName(&script()->global(), name, emitted) || *emitted)
+            return *emitted;
 
-    trackOptimizationAttempt(TrackedStrategy::GetProp_StaticName);
-    if (!getStaticName(&script()->global(), name, emitted) || *emitted)
-        return *emitted;
+        trackOptimizationAttempt(TrackedStrategy::GetProp_CommonGetter);
+        if (!getPropTryCommonGetter(emitted, inner, name, types) || *emitted)
+            return *emitted;
+    }
 
-    trackOptimizationAttempt(TrackedStrategy::GetProp_CommonGetter);
-    if (!getPropTryCommonGetter(emitted, inner, name, types) || *emitted)
-        return *emitted;
-
-  do_InlineCache:
     // Passing the inner object to GetProperty IC is safe, see the
     // needsOuterizedThisObject check in IsCacheableGetPropCallNative.
     BarrierKind barrier = PropertyReadNeedsTypeBarrier(analysisContext, constraints(),
@@ -11208,52 +11197,46 @@ IonBuilder::jsop_setprop(PropertyName* name)
         return resumeAfter(ins);
     }
 
-    if (MOZ_UNLIKELY(js_JitOptions.forceInlineCaches))
-        goto do_InlineCache_step1;
+    if (!forceInlineCaches()) {
+        // Try to inline a common property setter, or make a call.
+        trackOptimizationAttempt(TrackedStrategy::SetProp_CommonSetter);
+        if (!setPropTryCommonSetter(&emitted, obj, name, value) || emitted)
+            return emitted;
 
-    // Try to inline a common property setter, or make a call.
-    trackOptimizationAttempt(TrackedStrategy::SetProp_CommonSetter);
-    if (!setPropTryCommonSetter(&emitted, obj, name, value) || emitted)
-        return emitted;
+        // Try to emit stores to known binary data blocks
+        trackOptimizationAttempt(TrackedStrategy::SetProp_TypedObject);
+        if (!setPropTryTypedObject(&emitted, obj, name, value) || emitted)
+            return emitted;
+    }
 
-    // Try to emit stores to known binary data blocks
-    trackOptimizationAttempt(TrackedStrategy::SetProp_TypedObject);
-    if (!setPropTryTypedObject(&emitted, obj, name, value) || emitted)
-        return emitted;
-
-  do_InlineCache_step1:
     TemporaryTypeSet* objTypes = obj->resultTypeSet();
     bool barrier = PropertyWriteNeedsTypeBarrier(alloc(), constraints(), current, &obj, name, &value,
                                                  /* canModify = */ true);
 
-    if (MOZ_UNLIKELY(js_JitOptions.forceInlineCaches))
-        goto do_InlineCache_step2;
+    if (!forceInlineCaches()) {
+        // Try to emit stores to unboxed objects.
+        trackOptimizationAttempt(TrackedStrategy::SetProp_Unboxed);
+        if (!setPropTryUnboxed(&emitted, obj, name, value, barrier, objTypes) || emitted)
+            return emitted;
+    }
 
-    // Try to emit stores to unboxed objects.
-    trackOptimizationAttempt(TrackedStrategy::SetProp_Unboxed);
-    if (!setPropTryUnboxed(&emitted, obj, name, value, barrier, objTypes) || emitted)
-        return emitted;
-
-  do_InlineCache_step2:
     // Add post barrier if needed. The instructions above manage any post
     // barriers they need directly.
     if (NeedsPostBarrier(info(), value))
         current->add(MPostWriteBarrier::New(alloc(), obj, value));
 
-    if (MOZ_UNLIKELY(js_JitOptions.forceInlineCaches))
-        goto do_InlineCache_step3;
+    if (!forceInlineCaches()) {
+        // Try to emit store from definite slots.
+        trackOptimizationAttempt(TrackedStrategy::SetProp_DefiniteSlot);
+        if (!setPropTryDefiniteSlot(&emitted, obj, name, value, barrier, objTypes) || emitted)
+            return emitted;
 
-    // Try to emit store from definite slots.
-    trackOptimizationAttempt(TrackedStrategy::SetProp_DefiniteSlot);
-    if (!setPropTryDefiniteSlot(&emitted, obj, name, value, barrier, objTypes) || emitted)
-        return emitted;
+        // Try to emit a monomorphic/polymorphic store based on baseline caches.
+        trackOptimizationAttempt(TrackedStrategy::SetProp_InlineAccess);
+        if (!setPropTryInlineAccess(&emitted, obj, name, value, barrier, objTypes) || emitted)
+            return emitted;
+    }
 
-    // Try to emit a monomorphic/polymorphic store based on baseline caches.
-    trackOptimizationAttempt(TrackedStrategy::SetProp_InlineAccess);
-    if (!setPropTryInlineAccess(&emitted, obj, name, value, barrier, objTypes) || emitted)
-        return emitted;
-
-  do_InlineCache_step3:
     // Emit a polymorphic cache.
     trackOptimizationAttempt(TrackedStrategy::SetProp_InlineCache);
     return setPropTryCache(&emitted, obj, name, value, barrier, objTypes);
diff --git a/js/src/jit/IonBuilder.h b/js/src/jit/IonBuilder.h
index 0aca0fb31eca..46303637523f 100644
--- a/js/src/jit/IonBuilder.h
+++ b/js/src/jit/IonBuilder.h
@@ -1210,6 +1210,10 @@ class IonBuilder
             trackInlineSuccessUnchecked(status);
     }
 
+    bool forceInlineCaches() {
+        return MOZ_UNLIKELY(js_JitOptions.forceInlineCaches);
+    }
+
     // Out-of-line variants that don't check if optimization tracking is
     // enabled.
     void trackTypeInfoUnchecked(JS::TrackedTypeSite site, MIRType mirType,
diff --git a/js/src/jit/JitSpewer.cpp b/js/src/jit/JitSpewer.cpp
index 08fccf6ad710..4b064bf2be3c 100644
--- a/js/src/jit/JitSpewer.cpp
+++ b/js/src/jit/JitSpewer.cpp
@@ -97,6 +97,13 @@ static const char * const ChannelNames[] =
 #undef JITSPEW_CHANNEL
 };
 
+static size_t ChannelIndentLevel[] =
+{
+#define JITSPEW_CHANNEL(name) 0,
+    JITSPEW_CHANNEL_LIST(JITSPEW_CHANNEL)
+#undef JITSPEW_CHANNEL
+};
+
 static bool
 FilterContainsLocation(JSScript* function)
 {
@@ -501,6 +508,17 @@ jit::CheckLogging()
     JitSpewPrinter().init(stderr);
 }
 
+JitSpewIndent::JitSpewIndent(JitSpewChannel channel)
+  : channel_(channel)
+{
+    ChannelIndentLevel[channel]++;
+}
+
+JitSpewIndent::~JitSpewIndent()
+{
+    ChannelIndentLevel[channel_]--;
+}
+
 void
 jit::JitSpewStartVA(JitSpewChannel channel, const char* fmt, va_list ap)
 {
@@ -508,7 +526,8 @@ jit::JitSpewStartVA(JitSpewChannel channel, const char* fmt, va_list ap)
         return;
 
     JitSpewHeader(channel);
-    vfprintf(stderr, fmt, ap);
+    Fprinter& out = JitSpewPrinter();
+    out.vprintf(fmt, ap);
 }
 
 void
@@ -517,7 +536,8 @@ jit::JitSpewContVA(JitSpewChannel channel, const char* fmt, va_list ap)
     if (!JitSpewEnabled(channel))
         return;
 
-    vfprintf(stderr, fmt, ap);
+    Fprinter& out = JitSpewPrinter();
+    out.vprintf(fmt, ap);
 }
 
 void
@@ -526,7 +546,8 @@ jit::JitSpewFin(JitSpewChannel channel)
     if (!JitSpewEnabled(channel))
         return;
 
-    fprintf(stderr, "\n");
+    Fprinter& out = JitSpewPrinter();
+    out.put("\n");
 }
 
 void
@@ -581,7 +602,10 @@ jit::JitSpewHeader(JitSpewChannel channel)
     if (!JitSpewEnabled(channel))
         return;
 
-    fprintf(stderr, "[%s] ", ChannelNames[channel]);
+    Fprinter& out = JitSpewPrinter();
+    out.printf("[%s] ", ChannelNames[channel]);
+    for (size_t i = ChannelIndentLevel[channel]; i != 0; i--)
+        out.put("  ");
 }
 
 bool
diff --git a/js/src/jit/JitSpewer.h b/js/src/jit/JitSpewer.h
index 261392f06014..b46e3caa70bb 100644
--- a/js/src/jit/JitSpewer.h
+++ b/js/src/jit/JitSpewer.h
@@ -150,6 +150,16 @@ class AutoSpewEndFunction
 
 void CheckLogging();
 Fprinter& JitSpewPrinter();
+
+class JitSpewIndent
+{
+    JitSpewChannel channel_;
+
+  public:
+    explicit JitSpewIndent(JitSpewChannel channel);
+    ~JitSpewIndent();
+};
+
 void JitSpew(JitSpewChannel channel, const char* fmt, ...);
 void JitSpewStart(JitSpewChannel channel, const char* fmt, ...);
 void JitSpewCont(JitSpewChannel channel, const char* fmt, ...);
@@ -199,6 +209,14 @@ static inline Fprinter& JitSpewPrinter()
 {
     MOZ_CRASH("No empty backend for JitSpewPrinter");
 }
+
+class JitSpewIndent
+{
+  public:
+    explicit JitSpewIndent(JitSpewChannel channel) {}
+    ~JitSpewIndent() {}
+};
+
 static inline void JitSpew(JitSpewChannel, const char* fmt, ...)
 { }
 static inline void JitSpewStart(JitSpewChannel channel, const char* fmt, ...)
diff --git a/js/src/jit/MIR.cpp b/js/src/jit/MIR.cpp
index dd3ca8d9b8d2..adbcd2fb945d 100644
--- a/js/src/jit/MIR.cpp
+++ b/js/src/jit/MIR.cpp
@@ -775,12 +775,12 @@ MConstant::printOpcode(GenericPrinter& out) const
         out.printf("0x%x", value().toInt32());
         break;
       case MIRType_Double:
-        out.printf("%f", value().toDouble());
+        out.printf("%.16g", value().toDouble());
         break;
       case MIRType_Float32:
       {
         float val = value().toDouble();
-        out.printf("%f", val);
+        out.printf("%.16g", val);
         break;
       }
       case MIRType_Object:
@@ -1076,7 +1076,7 @@ void
 MLoadUnboxedScalar::printOpcode(GenericPrinter& out) const
 {
     MDefinition::printOpcode(out);
-    out.printf(" %s", ScalarTypeDescr::typeName(indexType()));
+    out.printf(" %s", ScalarTypeDescr::typeName(storageType()));
 }
 
 void
@@ -3929,20 +3929,75 @@ MCreateThisWithTemplate::canRecoverOnBailout() const
     return true;
 }
 
-MObjectState::MObjectState(MDefinition* obj)
+bool
+OperandIndexMap::init(TempAllocator& alloc, JSObject* templateObject)
+{
+    const UnboxedLayout& layout =
+        templateObject->as<UnboxedPlainObject>().layoutDontCheckGeneration();
+
+    // 0 is used as an error code.
+    const UnboxedLayout::PropertyVector& properties = layout.properties();
+    MOZ_ASSERT(properties.length() < 255);
+
+    // Allocate an array of indexes, where the top of each field correspond to
+    // the index of the operand in the MObjectState instance.
+    if (!map.init(alloc, layout.size()))
+        return false;
+
+    // Reset all indexes to 0, which is an error code.
+    for (size_t i = 0; i < map.length(); i++)
+        map[i] = 0;
+
+    // Map the property offsets to the indexes of MObjectState operands.
+    uint8_t index = 1;
+    for (size_t i = 0; i < properties.length(); i++, index++)
+        map[properties[i].offset] = index;
+
+    return true;
+}
+
+MObjectState::MObjectState(MObjectState* state)
+  : numSlots_(state->numSlots_),
+    numFixedSlots_(state->numFixedSlots_),
+    operandIndex_(state->operandIndex_)
 {
     // This instruction is only used as a summary for bailout paths.
     setResultType(MIRType_Object);
     setRecoveredOnBailout();
-    NativeObject* templateObject = nullptr;
+}
+
+MObjectState::MObjectState(JSObject *templateObject, OperandIndexMap* operandIndex)
+{
+    // This instruction is only used as a summary for bailout paths.
+    setResultType(MIRType_Object);
+    setRecoveredOnBailout();
+
+    if (templateObject->is<NativeObject>()) {
+        NativeObject* nativeObject = &templateObject->as<NativeObject>();
+        numSlots_ = nativeObject->slotSpan();
+        numFixedSlots_ = nativeObject->numFixedSlots();
+    } else {
+        const UnboxedLayout& layout =
+            templateObject->as<UnboxedPlainObject>().layoutDontCheckGeneration();
+        // Same as UnboxedLayout::makeNativeGroup
+        numSlots_ = layout.properties().length();
+        numFixedSlots_ = gc::GetGCKindSlots(layout.getAllocKind());
+    }
+
+    operandIndex_ = operandIndex;
+}
+
+JSObject*
+MObjectState::templateObjectOf(MDefinition* obj)
+{
     if (obj->isNewObject())
-        templateObject = &obj->toNewObject()->templateObject()->as<PlainObject>();
+        return obj->toNewObject()->templateObject();
     else if (obj->isCreateThisWithTemplate())
-        templateObject = &obj->toCreateThisWithTemplate()->templateObject()->as<PlainObject>();
+        return obj->toCreateThisWithTemplate()->templateObject();
     else
-        templateObject = obj->toNewCallObject()->templateObject();
-    numSlots_ = templateObject->slotSpan();
-    numFixedSlots_ = templateObject->numFixedSlots();
+        return obj->toNewCallObject()->templateObject();
+
+    return nullptr;
 }
 
 bool
@@ -3958,7 +4013,17 @@ MObjectState::init(TempAllocator& alloc, MDefinition* obj)
 MObjectState*
 MObjectState::New(TempAllocator& alloc, MDefinition* obj, MDefinition* undefinedVal)
 {
-    MObjectState* res = new(alloc) MObjectState(obj);
+    JSObject* templateObject = templateObjectOf(obj);
+    MOZ_ASSERT(templateObject, "Unexpected object creation.");
+
+    OperandIndexMap* operandIndex = nullptr;
+    if (templateObject->is<UnboxedPlainObject>()) {
+        operandIndex = new(alloc) OperandIndexMap;
+        if (!operandIndex || !operandIndex->init(alloc, templateObject))
+            return nullptr;
+    }
+
+    MObjectState* res = new(alloc) MObjectState(templateObject, operandIndex);
     if (!res || !res->init(alloc, obj))
         return nullptr;
     for (size_t i = 0; i < res->numSlots(); i++)
@@ -3969,9 +4034,8 @@ MObjectState::New(TempAllocator& alloc, MDefinition* obj, MDefinition* undefined
 MObjectState*
 MObjectState::Copy(TempAllocator& alloc, MObjectState* state)
 {
-    MDefinition* obj = state->object();
-    MObjectState* res = new(alloc) MObjectState(obj);
-    if (!res || !res->init(alloc, obj))
+    MObjectState* res = new(alloc) MObjectState(state);
+    if (!res || !res->init(alloc, state->object()))
         return nullptr;
     for (size_t i = 0; i < res->numSlots(); i++)
         res->initSlot(i, state->getSlot(i));
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index a2cff67290ab..f5040e628e00 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -3359,6 +3359,18 @@ class MNewDerivedTypedObject
     }
 };
 
+// This vector is used when the recovered object is kept unboxed. We map the
+// offset of each property to the index of the corresponding operands in the
+// object state.
+struct OperandIndexMap : public TempObject
+{
+    // The number of properties is limited by scalar replacement. Thus we cannot
+    // have any large number of properties.
+    FixedList<uint8_t> map;
+
+    bool init(TempAllocator& alloc, JSObject* templateObject);
+};
+
 // Represent the content of all slots of an object.  This instruction is not
 // lowered and is not used to generate code.
 class MObjectState
@@ -3367,9 +3379,15 @@ class MObjectState
 {
   private:
     uint32_t numSlots_;
-    uint32_t numFixedSlots_;
+    uint32_t numFixedSlots_;        // valid if isUnboxed() == false.
+    OperandIndexMap* operandIndex_; // valid if isUnboxed() == true.
 
-    explicit MObjectState(MDefinition* obj);
+    bool isUnboxed() const {
+        return operandIndex_ != nullptr;
+    }
+
+    MObjectState(JSObject *templateObject, OperandIndexMap* operandIndex);
+    explicit MObjectState(MObjectState* state);
 
     bool init(TempAllocator& alloc, MDefinition* obj);
 
@@ -3380,6 +3398,10 @@ class MObjectState
   public:
     INSTRUCTION_HEADER(ObjectState)
 
+    // Return the template object of any object creation which can be recovered
+    // on bailout.
+    static JSObject* templateObjectOf(MDefinition* obj);
+
     static MObjectState* New(TempAllocator& alloc, MDefinition* obj, MDefinition* undefinedVal);
     static MObjectState* Copy(TempAllocator& alloc, MObjectState* state);
 
@@ -3388,6 +3410,7 @@ class MObjectState
     }
 
     size_t numFixedSlots() const {
+        MOZ_ASSERT(!isUnboxed());
         return numFixedSlots_;
     }
     size_t numSlots() const {
@@ -3423,6 +3446,18 @@ class MObjectState
         setSlot(slot + numFixedSlots(), def);
     }
 
+    // Interface reserved for unboxed objects.
+    bool hasOffset(uint32_t offset) const {
+        MOZ_ASSERT(isUnboxed());
+        return offset < operandIndex_->map.length() && operandIndex_->map[offset] != 0;
+    }
+    MDefinition* getOffset(uint32_t offset) const {
+        return getOperand(operandIndex_->map[offset]);
+    }
+    void setOffset(uint32_t offset, MDefinition* def) {
+        replaceOperand(operandIndex_->map[offset], def);
+    }
+
     bool writeRecoverData(CompactBufferWriter& writer) const override;
     bool canRecoverOnBailout() const override {
         return true;
@@ -9323,7 +9358,7 @@ class MLoadUnboxedScalar
   : public MBinaryInstruction,
     public SingleObjectPolicy::Data
 {
-    Scalar::Type indexType_;
+    Scalar::Type storageType_;
     Scalar::Type readType_;
     unsigned numElems_; // used only for SIMD
     bool requiresBarrier_;
@@ -9331,11 +9366,11 @@ class MLoadUnboxedScalar
     bool canonicalizeDoubles_;
 
     MLoadUnboxedScalar(MDefinition* elements, MDefinition* index,
-                       Scalar::Type indexType, MemoryBarrierRequirement requiresBarrier,
+                       Scalar::Type storageType, MemoryBarrierRequirement requiresBarrier,
                        int32_t offsetAdjustment, bool canonicalizeDoubles)
       : MBinaryInstruction(elements, index),
-        indexType_(indexType),
-        readType_(indexType),
+        storageType_(storageType),
+        readType_(storageType),
         numElems_(1),
         requiresBarrier_(requiresBarrier == DoesRequireMemoryBarrier),
         offsetAdjustment_(offsetAdjustment),
@@ -9348,20 +9383,20 @@ class MLoadUnboxedScalar
             setMovable();
         MOZ_ASSERT(IsValidElementsType(elements, offsetAdjustment));
         MOZ_ASSERT(index->type() == MIRType_Int32);
-        MOZ_ASSERT(indexType >= 0 && indexType < Scalar::MaxTypedArrayViewType);
+        MOZ_ASSERT(storageType >= 0 && storageType < Scalar::MaxTypedArrayViewType);
     }
 
   public:
     INSTRUCTION_HEADER(LoadUnboxedScalar)
 
     static MLoadUnboxedScalar* New(TempAllocator& alloc, MDefinition* elements, MDefinition* index,
-                                   Scalar::Type indexType,
+                                   Scalar::Type storageType,
                                    MemoryBarrierRequirement requiresBarrier
                                        = DoesNotRequireMemoryBarrier,
                                    int32_t offsetAdjustment = 0,
                                    bool canonicalizeDoubles = true)
     {
-        return new(alloc) MLoadUnboxedScalar(elements, index, indexType,
+        return new(alloc) MLoadUnboxedScalar(elements, index, storageType,
                                              requiresBarrier, offsetAdjustment,
                                              canonicalizeDoubles);
     }
@@ -9377,8 +9412,8 @@ class MLoadUnboxedScalar
         return readType_;
     }
 
-    Scalar::Type indexType() const {
-        return indexType_;
+    Scalar::Type storageType() const {
+        return storageType_;
     }
     bool fallible() const {
         // Bailout if the result does not fit in an int32.
@@ -9413,7 +9448,7 @@ class MLoadUnboxedScalar
         if (!ins->isLoadUnboxedScalar())
             return false;
         const MLoadUnboxedScalar* other = ins->toLoadUnboxedScalar();
-        if (indexType_ != other->indexType_)
+        if (storageType_ != other->storageType_)
             return false;
         if (readType_ != other->readType_)
             return false;
@@ -9430,7 +9465,7 @@ class MLoadUnboxedScalar
 
     void computeRange(TempAllocator& alloc) override;
 
-    bool canProduceFloat32() const override { return indexType_ == Scalar::Float32; }
+    bool canProduceFloat32() const override { return storageType_ == Scalar::Float32; }
 
     ALLOW_CLONE(MLoadUnboxedScalar)
 };
@@ -9609,17 +9644,17 @@ class MStoreUnboxedScalar
     public StoreUnboxedScalarBase,
     public StoreUnboxedScalarPolicy::Data
 {
-    Scalar::Type indexType_;
+    Scalar::Type storageType_;
     bool requiresBarrier_;
     int32_t offsetAdjustment_;
     unsigned numElems_; // used only for SIMD
 
     MStoreUnboxedScalar(MDefinition* elements, MDefinition* index, MDefinition* value,
-                        Scalar::Type indexType, MemoryBarrierRequirement requiresBarrier,
+                        Scalar::Type storageType, MemoryBarrierRequirement requiresBarrier,
                         int32_t offsetAdjustment)
       : MTernaryInstruction(elements, index, value),
-        StoreUnboxedScalarBase(indexType),
-        indexType_(indexType),
+        StoreUnboxedScalarBase(storageType),
+        storageType_(storageType),
         requiresBarrier_(requiresBarrier == DoesRequireMemoryBarrier),
         offsetAdjustment_(offsetAdjustment),
         numElems_(1)
@@ -9630,7 +9665,7 @@ class MStoreUnboxedScalar
             setMovable();
         MOZ_ASSERT(IsValidElementsType(elements, offsetAdjustment));
         MOZ_ASSERT(index->type() == MIRType_Int32);
-        MOZ_ASSERT(indexType >= 0 && indexType < Scalar::MaxTypedArrayViewType);
+        MOZ_ASSERT(storageType >= 0 && storageType < Scalar::MaxTypedArrayViewType);
     }
 
   public:
@@ -9638,12 +9673,12 @@ class MStoreUnboxedScalar
 
     static MStoreUnboxedScalar* New(TempAllocator& alloc,
                                     MDefinition* elements, MDefinition* index,
-                                    MDefinition* value, Scalar::Type indexType,
+                                    MDefinition* value, Scalar::Type storageType,
                                     MemoryBarrierRequirement requiresBarrier =
                                         DoesNotRequireMemoryBarrier,
                                     int32_t offsetAdjustment = 0)
     {
-        return new(alloc) MStoreUnboxedScalar(elements, index, value, indexType,
+        return new(alloc) MStoreUnboxedScalar(elements, index, value, storageType,
                                               requiresBarrier, offsetAdjustment);
     }
 
@@ -9655,8 +9690,8 @@ class MStoreUnboxedScalar
     unsigned numElems() const {
         return numElems_;
     }
-    Scalar::Type indexType() const {
-        return indexType_;
+    Scalar::Type storageType() const {
+        return storageType_;
     }
     MDefinition* elements() const {
         return getOperand(0);
diff --git a/js/src/jit/Recover.cpp b/js/src/jit/Recover.cpp
index 1c315946fd61..51e441ad7bb4 100644
--- a/js/src/jit/Recover.cpp
+++ b/js/src/jit/Recover.cpp
@@ -1253,24 +1253,20 @@ MCreateThisWithTemplate::writeRecoverData(CompactBufferWriter& writer) const
 {
     MOZ_ASSERT(canRecoverOnBailout());
     writer.writeUnsigned(uint32_t(RInstruction::Recover_CreateThisWithTemplate));
-    writer.writeByte(bool(initialHeap() == gc::TenuredHeap));
     return true;
 }
 
 RCreateThisWithTemplate::RCreateThisWithTemplate(CompactBufferReader& reader)
 {
-    tenuredHeap_ = reader.readByte();
 }
 
 bool
 RCreateThisWithTemplate::recover(JSContext* cx, SnapshotIterator& iter) const
 {
-    RootedPlainObject templateObject(cx, &iter.read().toObject().as<PlainObject>());
+    RootedObject templateObject(cx, &iter.read().toObject());
 
     // See CodeGenerator::visitCreateThisWithTemplate
-    gc::AllocKind allocKind = templateObject->asTenured().getAllocKind();
-    gc::InitialHeap initialHeap = tenuredHeap_ ? gc::TenuredHeap : gc::DefaultHeap;
-    JSObject* resultObject = NativeObject::copy(cx, allocKind, initialHeap, templateObject);
+    JSObject* resultObject = NewObjectOperationWithTemplate(cx, templateObject);
     if (!resultObject)
         return false;
 
@@ -1373,13 +1369,30 @@ RObjectState::RObjectState(CompactBufferReader& reader)
 bool
 RObjectState::recover(JSContext* cx, SnapshotIterator& iter) const
 {
-    RootedNativeObject object(cx, &iter.read().toObject().as<NativeObject>());
-    MOZ_ASSERT(object->slotSpan() == numSlots());
-
+    RootedObject object(cx, &iter.read().toObject());
     RootedValue val(cx);
-    for (size_t i = 0; i < numSlots(); i++) {
-        val = iter.read();
-        object->setSlot(i, val);
+
+    if (object->is<UnboxedPlainObject>()) {
+        const UnboxedLayout& layout = object->as<UnboxedPlainObject>().layout();
+
+        const UnboxedLayout::PropertyVector& properties = layout.properties();
+        for (size_t i = 0; i < properties.length(); i++) {
+            val = iter.read();
+            // This is the default placeholder value of MObjectState, when no
+            // properties are defined yet.
+            if (val.isUndefined())
+                continue;
+
+            MOZ_ALWAYS_TRUE(object->as<UnboxedPlainObject>().setValue(cx, properties[i], val));
+        }
+    } else {
+        RootedNativeObject nativeObject(cx, &object->as<NativeObject>());
+        MOZ_ASSERT(nativeObject->slotSpan() == numSlots());
+
+        for (size_t i = 0; i < numSlots(); i++) {
+            val = iter.read();
+            nativeObject->setSlot(i, val);
+        }
     }
 
     val.setObject(*object);
diff --git a/js/src/jit/Recover.h b/js/src/jit/Recover.h
index 84e82fe63cc2..81473c07dbad 100644
--- a/js/src/jit/Recover.h
+++ b/js/src/jit/Recover.h
@@ -19,6 +19,43 @@ struct JSContext;
 namespace js {
 namespace jit {
 
+// This file contains all recover instructions.
+//
+// A recover instruction is an equivalent of a MIR instruction which is executed
+// before the reconstruction of a baseline frame. Recover instructions are used
+// by resume points to fill the value which are not produced by the code
+// compiled by IonMonkey. For example, if a value is optimized away by
+// IonMonkey, but required by Baseline, then we should have a recover
+// instruction to fill the missing baseline frame slot.
+//
+// Recover instructions are executed either during a bailout, or under a call
+// when the stack frame is introspected. If the stack is introspected, then any
+// use of recover instruction must lead to an invalidation of the code.
+//
+// For each MIR instruction where |canRecoverOnBailout| might return true, we
+// have a RInstruction of the same name.
+//
+// Recover instructions are encoded by code generator into a compact buffer
+// (RecoverWriter). The MIR instruction method |writeRecoverData| should write a
+// tag in the |CompactBufferWriter| which is used by
+// |RInstruction::readRecoverData| to dispatch to the right Recover
+// instruction. Then |writeRecoverData| writes any local fields which are
+// necessary for the execution of the |recover| method. These fields are decoded
+// by the Recover instruction constructor which has a |CompactBufferReader| as
+// argument. The constructor of the Recover instruction should follow the same
+// sequence as the |writeRecoverData| method of the MIR instruction.
+//
+// Recover instructions are decoded by the |SnapshotIterator| (RecoverReader),
+// which is given as argument of the |recover| methods, in order to read the
+// operands.  The number of operands read should be the same as the result of
+// |numOperands|, which corresponds to the number of operands of the MIR
+// instruction.  Operands should be decoded in the same order as the operands of
+// the MIR instruction.
+//
+// The result of the |recover| method should either be a failure, or a value
+// stored on the |SnapshotIterator|, by using the |storeInstructionResult|
+// method.
+
 #define RECOVER_OPCODE_LIST(_)                  \
     _(ResumePoint)                              \
     _(BitNot)                                   \
@@ -660,9 +697,6 @@ class RNewDerivedTypedObject final : public RInstruction
 
 class RCreateThisWithTemplate final : public RInstruction
 {
-  private:
-    bool tenuredHeap_;
-
   public:
     RINSTRUCTION_HEADER_(CreateThisWithTemplate)
 
diff --git a/js/src/jit/ScalarReplacement.cpp b/js/src/jit/ScalarReplacement.cpp
index 915b9ad6876d..d708e7a028d9 100644
--- a/js/src/jit/ScalarReplacement.cpp
+++ b/js/src/jit/ScalarReplacement.cpp
@@ -91,34 +91,68 @@ EmulateStateOf<MemoryView>::run(MemoryView& view)
     return true;
 }
 
+static bool
+IsObjectEscaped(MInstruction* ins, JSObject* objDefault = nullptr);
+
+// Returns False if the lambda is not escaped and if it is optimizable by
+// ScalarReplacementOfObject.
+static bool
+IsLambdaEscaped(MLambda* lambda, JSObject* obj)
+{
+    JitSpewDef(JitSpew_Escape, "Check lambda\n", lambda);
+    JitSpewIndent spewIndent(JitSpew_Escape);
+
+    // The scope chain is not escaped if none of the Lambdas which are
+    // capturing it are escaped.
+    for (MUseIterator i(lambda->usesBegin()); i != lambda->usesEnd(); i++) {
+        MNode* consumer = (*i)->consumer();
+        if (!consumer->isDefinition()) {
+            // Cannot optimize if it is observable from fun.arguments or others.
+            if (!consumer->toResumePoint()->isRecoverableOperand(*i)) {
+                JitSpew(JitSpew_Escape, "Observable lambda cannot be recovered");
+                return true;
+            }
+            continue;
+        }
+
+        MDefinition* def = consumer->toDefinition();
+        if (!def->isFunctionEnvironment()) {
+            JitSpewDef(JitSpew_Escape, "is escaped by\n", def);
+            return true;
+        }
+
+        if (IsObjectEscaped(def->toInstruction(), obj)) {
+            JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def);
+            return true;
+        }
+    }
+    JitSpew(JitSpew_Escape, "Lambda is not escaped");
+    return false;
+}
+
 // Returns False if the object is not escaped and if it is optimizable by
 // ScalarReplacementOfObject.
 //
 // For the moment, this code is dumb as it only supports objects which are not
 // changing shape, and which are known by TI at the object creation.
 static bool
-IsObjectEscaped(MInstruction* ins, JSObject* objDefault = nullptr)
+IsObjectEscaped(MInstruction* ins, JSObject* objDefault)
 {
     MOZ_ASSERT(ins->type() == MIRType_Object);
     MOZ_ASSERT(ins->isNewObject() || ins->isGuardShape() || ins->isCreateThisWithTemplate() ||
                ins->isNewCallObject() || ins->isFunctionEnvironment());
 
-    JSObject* obj = nullptr;
-    if (ins->isNewObject())
-        obj = ins->toNewObject()->templateObject();
-    else if (ins->isCreateThisWithTemplate())
-        obj = ins->toCreateThisWithTemplate()->templateObject();
-    else if (ins->isNewCallObject())
-        obj = ins->toNewCallObject()->templateObject();
-    else
-        obj = objDefault;
+    JitSpewDef(JitSpew_Escape, "Check object\n", ins);
+    JitSpewIndent spewIndent(JitSpew_Escape);
 
+    JSObject* obj = objDefault;
     if (!obj)
-        return true;
+        obj = MObjectState::templateObjectOf(ins);
 
-    // Don't optimize unboxed objects, which aren't handled by MObjectState.
-    if (obj->is<UnboxedPlainObject>())
+    if (!obj) {
+        JitSpew(JitSpew_Escape, "No template object defined.");
         return true;
+    }
 
     // Check if the object is escaped. If the object is not the first argument
     // of either a known Store / Load, then we consider it as escaped. This is a
@@ -128,7 +162,7 @@ IsObjectEscaped(MInstruction* ins, JSObject* objDefault = nullptr)
         if (!consumer->isDefinition()) {
             // Cannot optimize if it is observable from fun.arguments or others.
             if (!consumer->toResumePoint()->isRecoverableOperand(*i)) {
-                JitSpewDef(JitSpew_Escape, "Observable object cannot be recovered\n", ins);
+                JitSpew(JitSpew_Escape, "Observable object cannot be recovered");
                 return true;
             }
             continue;
@@ -142,10 +176,28 @@ IsObjectEscaped(MInstruction* ins, JSObject* objDefault = nullptr)
             if (def->indexOf(*i) == 0)
                 break;
 
-            JitSpewDef(JitSpew_Escape, "Object ", ins);
-            JitSpewDef(JitSpew_Escape, "  is escaped by\n", def);
+            JitSpewDef(JitSpew_Escape, "is escaped by\n", def);
             return true;
 
+          case MDefinition::Op_LoadUnboxedScalar:
+          case MDefinition::Op_StoreUnboxedScalar:
+          case MDefinition::Op_LoadUnboxedObjectOrNull:
+          case MDefinition::Op_StoreUnboxedObjectOrNull:
+          case MDefinition::Op_LoadUnboxedString:
+          case MDefinition::Op_StoreUnboxedString:
+            // Not escaped if it is the first argument.
+            if (def->indexOf(*i) != 0) {
+                JitSpewDef(JitSpew_Escape, "is escaped by\n", def);
+                return true;
+            }
+
+            if (!def->getOperand(1)->isConstant()) {
+                JitSpewDef(JitSpew_Escape, "is addressed with unknown index\n", def);
+                return true;
+            }
+
+            break;
+
           case MDefinition::Op_PostWriteBarrier:
             break;
 
@@ -169,38 +221,22 @@ IsObjectEscaped(MInstruction* ins, JSObject* objDefault = nullptr)
             MGuardShape* guard = def->toGuardShape();
             MOZ_ASSERT(!ins->isGuardShape());
             if (obj->as<NativeObject>().lastProperty() != guard->shape()) {
-                JitSpewDef(JitSpew_Escape, "Object ", ins);
-                JitSpewDef(JitSpew_Escape, "  has a non-matching guard shape\n", guard);
+                JitSpewDef(JitSpew_Escape, "has a non-matching guard shape\n", guard);
                 return true;
             }
-            if (IsObjectEscaped(def->toInstruction(), obj))
+            if (IsObjectEscaped(def->toInstruction(), obj)) {
+                JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def);
                 return true;
+            }
             break;
           }
 
           case MDefinition::Op_Lambda: {
             MLambda* lambda = def->toLambda();
-            // The scope chain is not escaped if none of the Lambdas which are
-            // capturing it are escaped.
-            for (MUseIterator i(lambda->usesBegin()); i != lambda->usesEnd(); i++) {
-                MNode* consumer = (*i)->consumer();
-                if (!consumer->isDefinition()) {
-                    // Cannot optimize if it is observable from fun.arguments or others.
-                    if (!consumer->toResumePoint()->isRecoverableOperand(*i)) {
-                        JitSpewDef(JitSpew_Escape, "Observable object cannot be recovered\n", ins);
-                        return true;
-                    }
-                    continue;
-                }
-
-                MDefinition* def = consumer->toDefinition();
-                if (!def->isFunctionEnvironment() || IsObjectEscaped(def->toInstruction(), obj)) {
-                    JitSpewDef(JitSpew_Escape, "Object ", ins);
-                    JitSpewDef(JitSpew_Escape, "  is escaped through a lambda by\n", def);
-                    return true;
-                }
+            if (IsLambdaEscaped(lambda, obj)) {
+                JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", lambda);
+                return true;
             }
-
             break;
           }
 
@@ -210,13 +246,12 @@ IsObjectEscaped(MInstruction* ins, JSObject* objDefault = nullptr)
             break;
 
           default:
-            JitSpewDef(JitSpew_Escape, "Object ", ins);
-            JitSpewDef(JitSpew_Escape, "  is escaped by\n", def);
+            JitSpewDef(JitSpew_Escape, "is escaped by\n", def);
             return true;
         }
     }
 
-    JitSpewDef(JitSpew_Escape, "Object is not escaped\n", ins);
+    JitSpew(JitSpew_Escape, "Object is not escaped");
     return false;
 }
 
@@ -262,6 +297,16 @@ class ObjectMemoryView : public MDefinitionVisitorDefaultNoop
     void visitGuardShape(MGuardShape* ins);
     void visitFunctionEnvironment(MFunctionEnvironment* ins);
     void visitLambda(MLambda* ins);
+    void visitStoreUnboxedScalar(MStoreUnboxedScalar* ins);
+    void visitLoadUnboxedScalar(MLoadUnboxedScalar* ins);
+    void visitStoreUnboxedObjectOrNull(MStoreUnboxedObjectOrNull* ins);
+    void visitLoadUnboxedObjectOrNull(MLoadUnboxedObjectOrNull* ins);
+    void visitStoreUnboxedString(MStoreUnboxedString* ins);
+    void visitLoadUnboxedString(MLoadUnboxedString* ins);
+
+  private:
+    void storeOffset(MInstruction* ins, size_t offset, MDefinition* value);
+    void loadOffset(MInstruction* ins, size_t offset);
 };
 
 const char* ObjectMemoryView::phaseName = "Scalar Replacement of Object";
@@ -574,6 +619,116 @@ ObjectMemoryView::visitLambda(MLambda* ins)
     ins->setIncompleteObject();
 }
 
+static size_t
+GetOffsetOf(MDefinition* index, size_t width, int32_t baseOffset)
+{
+    int32_t idx = index->toConstant()->value().toInt32();
+    MOZ_ASSERT(idx >= 0);
+    MOZ_ASSERT(baseOffset >= 0 && size_t(baseOffset) >= UnboxedPlainObject::offsetOfData());
+    return idx * width + baseOffset - UnboxedPlainObject::offsetOfData();
+}
+
+static size_t
+GetOffsetOf(MDefinition* index, Scalar::Type type, int32_t baseOffset)
+{
+    return GetOffsetOf(index, Scalar::byteSize(type), baseOffset);
+}
+
+void
+ObjectMemoryView::storeOffset(MInstruction* ins, size_t offset, MDefinition* value)
+{
+    // Clone the state and update the slot value.
+    MOZ_ASSERT(state_->hasOffset(offset));
+    state_ = BlockState::Copy(alloc_, state_);
+    state_->setOffset(offset, value);
+    ins->block()->insertBefore(ins, state_);
+
+    // Remove original instruction.
+    ins->block()->discard(ins);
+}
+
+void
+ObjectMemoryView::loadOffset(MInstruction* ins, size_t offset)
+{
+    // Replace load by the slot value.
+    MOZ_ASSERT(state_->hasOffset(offset));
+    ins->replaceAllUsesWith(state_->getOffset(offset));
+
+    // Remove original instruction.
+    ins->block()->discard(ins);
+}
+
+void
+ObjectMemoryView::visitStoreUnboxedScalar(MStoreUnboxedScalar* ins)
+{
+    // Skip stores made on other objects.
+    if (ins->elements() != obj_)
+        return;
+
+    size_t offset = GetOffsetOf(ins->index(), ins->storageType(), ins->offsetAdjustment());
+    storeOffset(ins, offset, ins->value());
+}
+
+void
+ObjectMemoryView::visitLoadUnboxedScalar(MLoadUnboxedScalar* ins)
+{
+    // Skip loads made on other objects.
+    if (ins->elements() != obj_)
+        return;
+
+    // Replace load by the slot value.
+    size_t offset = GetOffsetOf(ins->index(), ins->storageType(), ins->offsetAdjustment());
+    loadOffset(ins, offset);
+}
+
+void
+ObjectMemoryView::visitStoreUnboxedObjectOrNull(MStoreUnboxedObjectOrNull* ins)
+{
+    // Skip stores made on other objects.
+    if (ins->elements() != obj_)
+        return;
+
+    // Clone the state and update the slot value.
+    size_t offset = GetOffsetOf(ins->index(), sizeof(uintptr_t), ins->offsetAdjustment());
+    storeOffset(ins, offset, ins->value());
+}
+
+void
+ObjectMemoryView::visitLoadUnboxedObjectOrNull(MLoadUnboxedObjectOrNull* ins)
+{
+    // Skip loads made on other objects.
+    if (ins->elements() != obj_)
+        return;
+
+    // Replace load by the slot value.
+    size_t offset = GetOffsetOf(ins->index(), sizeof(uintptr_t), ins->offsetAdjustment());
+    loadOffset(ins, offset);
+}
+
+void
+ObjectMemoryView::visitStoreUnboxedString(MStoreUnboxedString* ins)
+{
+    // Skip stores made on other objects.
+    if (ins->elements() != obj_)
+        return;
+
+    // Clone the state and update the slot value.
+    size_t offset = GetOffsetOf(ins->index(), sizeof(uintptr_t), ins->offsetAdjustment());
+    storeOffset(ins, offset, ins->value());
+}
+
+void
+ObjectMemoryView::visitLoadUnboxedString(MLoadUnboxedString* ins)
+{
+    // Skip loads made on other objects.
+    if (ins->elements() != obj_)
+        return;
+
+    // Replace load by the slot value.
+    size_t offset = GetOffsetOf(ins->index(), sizeof(uintptr_t), ins->offsetAdjustment());
+    loadOffset(ins, offset);
+}
+
 static bool
 IndexOf(MDefinition* ins, int32_t* res)
 {
@@ -593,6 +748,105 @@ IndexOf(MDefinition* ins, int32_t* res)
     return true;
 }
 
+// Returns False if the elements is not escaped and if it is optimizable by
+// ScalarReplacementOfArray.
+static bool
+IsElementEscaped(MElements* def, uint32_t arraySize)
+{
+    JitSpewDef(JitSpew_Escape, "Check elements\n", def);
+    JitSpewIndent spewIndent(JitSpew_Escape);
+
+    for (MUseIterator i(def->usesBegin()); i != def->usesEnd(); i++) {
+        // The MIRType_Elements cannot be captured in a resume point as
+        // it does not represent a value allocation.
+        MDefinition* access = (*i)->consumer()->toDefinition();
+
+        switch (access->op()) {
+          case MDefinition::Op_LoadElement: {
+            MOZ_ASSERT(access->toLoadElement()->elements() == def);
+
+            // If we need hole checks, then the array cannot be escaped
+            // as the array might refer to the prototype chain to look
+            // for properties, thus it might do additional side-effects
+            // which are not reflected by the alias set, is we are
+            // bailing on holes.
+            if (access->toLoadElement()->needsHoleCheck()) {
+                JitSpewDef(JitSpew_Escape,
+                           "has a load element with a hole check\n", access);
+                return true;
+            }
+
+            // If the index is not a constant then this index can alias
+            // all others. We do not handle this case.
+            int32_t index;
+            if (!IndexOf(access, &index)) {
+                JitSpewDef(JitSpew_Escape,
+                           "has a load element with a non-trivial index\n", access);
+                return true;
+            }
+            if (index < 0 || arraySize <= uint32_t(index)) {
+                JitSpewDef(JitSpew_Escape,
+                           "has a load element with an out-of-bound index\n", access);
+                return true;
+            }
+            break;
+          }
+
+          case MDefinition::Op_StoreElement: {
+            MOZ_ASSERT(access->toStoreElement()->elements() == def);
+
+            // If we need hole checks, then the array cannot be escaped
+            // as the array might refer to the prototype chain to look
+            // for properties, thus it might do additional side-effects
+            // which are not reflected by the alias set, is we are
+            // bailing on holes.
+            if (access->toStoreElement()->needsHoleCheck()) {
+                JitSpewDef(JitSpew_Escape,
+                           "has a store element with a hole check\n", access);
+                return true;
+            }
+
+            // If the index is not a constant then this index can alias
+            // all others. We do not handle this case.
+            int32_t index;
+            if (!IndexOf(access, &index)) {
+                JitSpewDef(JitSpew_Escape, "has a store element with a non-trivial index\n", access);
+                return true;
+            }
+            if (index < 0 || arraySize <= uint32_t(index)) {
+                JitSpewDef(JitSpew_Escape, "has a store element with an out-of-bound index\n", access);
+                return true;
+            }
+
+            // We are not yet encoding magic hole constants in resume points.
+            if (access->toStoreElement()->value()->type() == MIRType_MagicHole) {
+                JitSpewDef(JitSpew_Escape, "has a store element with an magic-hole constant\n", access);
+                return true;
+            }
+            break;
+          }
+
+          case MDefinition::Op_SetInitializedLength:
+            MOZ_ASSERT(access->toSetInitializedLength()->elements() == def);
+            break;
+
+          case MDefinition::Op_InitializedLength:
+            MOZ_ASSERT(access->toInitializedLength()->elements() == def);
+            break;
+
+          case MDefinition::Op_ArrayLength:
+            MOZ_ASSERT(access->toArrayLength()->elements() == def);
+            break;
+
+          default:
+            JitSpewDef(JitSpew_Escape, "is escaped by\n", access);
+            return true;
+        }
+    }
+    JitSpew(JitSpew_Escape, "Elements is not escaped");
+    return false;
+}
+
 // Returns False if the array is not escaped and if it is optimizable by
 // ScalarReplacementOfArray.
 //
@@ -605,12 +859,22 @@ IsArrayEscaped(MInstruction* ins)
     MOZ_ASSERT(ins->isNewArray());
     uint32_t count = ins->toNewArray()->count();
 
+    JitSpewDef(JitSpew_Escape, "Check array\n", ins);
+    JitSpewIndent spewIndent(JitSpew_Escape);
+
     JSObject* obj = ins->toNewArray()->templateObject();
-    if (!obj || obj->is<UnboxedArrayObject>())
+    if (!obj) {
+        JitSpew(JitSpew_Escape, "No template object defined.");
         return true;
+    }
+
+    if (obj->is<UnboxedArrayObject>()) {
+        JitSpew(JitSpew_Escape, "Template object is an unboxed plain object.");
+        return true;
+    }
 
     if (count >= 16) {
-        JitSpewDef(JitSpew_Escape, "Array has too many elements\n", ins);
+        JitSpew(JitSpew_Escape, "Array has too many elements");
         return true;
     }
 
@@ -622,7 +886,7 @@ IsArrayEscaped(MInstruction* ins)
         if (!consumer->isDefinition()) {
             // Cannot optimize if it is observable from fun.arguments or others.
             if (!consumer->toResumePoint()->isRecoverableOperand(*i)) {
-                JitSpewDef(JitSpew_Escape, "Observable array cannot be recovered\n", ins);
+                JitSpew(JitSpew_Escape, "Observable array cannot be recovered");
                 return true;
             }
             continue;
@@ -631,101 +895,11 @@ IsArrayEscaped(MInstruction* ins)
         MDefinition* def = consumer->toDefinition();
         switch (def->op()) {
           case MDefinition::Op_Elements: {
-            MOZ_ASSERT(def->toElements()->object() == ins);
-            for (MUseIterator i(def->usesBegin()); i != def->usesEnd(); i++) {
-                // The MIRType_Elements cannot be captured in a resume point as
-                // it does not represent a value allocation.
-                MDefinition* access = (*i)->consumer()->toDefinition();
-
-                switch (access->op()) {
-                  case MDefinition::Op_LoadElement: {
-                    MOZ_ASSERT(access->toLoadElement()->elements() == def);
-
-                    // If we need hole checks, then the array cannot be escaped
-                    // as the array might refer to the prototype chain to look
-                    // for properties, thus it might do additional side-effects
-                    // which are not reflected by the alias set, is we are
-                    // bailing on holes.
-                    if (access->toLoadElement()->needsHoleCheck()) {
-                        JitSpewDef(JitSpew_Escape, "Array ", ins);
-                        JitSpewDef(JitSpew_Escape,
-                                   "  has a load element with a hole check\n", access);
-                        return true;
-                    }
-
-                    // If the index is not a constant then this index can alias
-                    // all others. We do not handle this case.
-                    int32_t index;
-                    if (!IndexOf(access, &index)) {
-                        JitSpewDef(JitSpew_Escape, "Array ", ins);
-                        JitSpewDef(JitSpew_Escape,
-                                   "  has a load element with a non-trivial index\n", access);
-                        return true;
-                    }
-                    if (index < 0 || count <= uint32_t(index)) {
-                        JitSpewDef(JitSpew_Escape, "Array ", ins);
-                        JitSpewDef(JitSpew_Escape,
-                                   "  has a load element with an out-of-bound index\n", access);
-                        return true;
-                    }
-                    break;
-                  }
-
-                  case MDefinition::Op_StoreElement: {
-                    MOZ_ASSERT(access->toStoreElement()->elements() == def);
-
-                    // If we need hole checks, then the array cannot be escaped
-                    // as the array might refer to the prototype chain to look
-                    // for properties, thus it might do additional side-effects
-                    // which are not reflected by the alias set, is we are
-                    // bailing on holes.
-                    if (access->toStoreElement()->needsHoleCheck()) {
-                        JitSpewDef(JitSpew_Escape, "Array ", ins);
-                        JitSpewDef(JitSpew_Escape,
-                                   "  has a store element with a hole check\n", access);
-                        return true;
-                    }
-
-                    // If the index is not a constant then this index can alias
-                    // all others. We do not handle this case.
-                    int32_t index;
-                    if (!IndexOf(access, &index)) {
-                        JitSpewDef(JitSpew_Escape, "Array ", ins);
-                        JitSpewDef(JitSpew_Escape, "  has a store element with a non-trivial index\n", access);
-                        return true;
-                    }
-                    if (index < 0 || count <= uint32_t(index)) {
-                        JitSpewDef(JitSpew_Escape, "Array ", ins);
-                        JitSpewDef(JitSpew_Escape, "  has a store element with an out-of-bound index\n", access);
-                        return true;
-                    }
-
-                    // We are not yet encoding magic hole constants in resume points.
-                    if (access->toStoreElement()->value()->type() == MIRType_MagicHole) {
-                        JitSpewDef(JitSpew_Escape, "Array ", ins);
-                        JitSpewDef(JitSpew_Escape, "  has a store element with an magic-hole constant\n", access);
-                        return true;
-                    }
-                    break;
-                  }
-
-                  case MDefinition::Op_SetInitializedLength:
-                    MOZ_ASSERT(access->toSetInitializedLength()->elements() == def);
-                    break;
-
-                  case MDefinition::Op_InitializedLength:
-                    MOZ_ASSERT(access->toInitializedLength()->elements() == def);
-                    break;
-
-                  case MDefinition::Op_ArrayLength:
-                    MOZ_ASSERT(access->toArrayLength()->elements() == def);
-                    break;
-
-                  default:
-                    JitSpewDef(JitSpew_Escape, "Array's element ", ins);
-                    JitSpewDef(JitSpew_Escape, "  is escaped by\n", def);
-                    return true;
-                }
+            MElements *elem = def->toElements();
+            MOZ_ASSERT(elem->object() == ins);
+            if (IsElementEscaped(elem, count)) {
+                JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", elem);
+                return true;
             }
 
             break;
@@ -737,13 +911,12 @@ IsArrayEscaped(MInstruction* ins)
             break;
 
           default:
-            JitSpewDef(JitSpew_Escape, "Array ", ins);
-            JitSpewDef(JitSpew_Escape, "  is escaped by\n", def);
+            JitSpewDef(JitSpew_Escape, "is escaped by\n", def);
             return true;
         }
     }
 
-    JitSpewDef(JitSpew_Escape, "Array is not escaped\n", ins);
+    JitSpew(JitSpew_Escape, "Array is not escaped");
     return false;
 }
 
@@ -1067,11 +1240,12 @@ ArrayMemoryView::visitArrayLength(MArrayLength* ins)
 }
 
 bool
-ScalarReplacement(MIRGenerator* mir, MIRGraph& graph)
+ScalarReplacement(MIRGenerator* mir, MIRGraph& graph, bool* success)
 {
     EmulateStateOf<ObjectMemoryView> replaceObject(mir, graph);
     EmulateStateOf<ArrayMemoryView> replaceArray(mir, graph);
     bool addedPhi = false;
+    *success = false;
 
     for (ReversePostorderIterator block = graph.rpoBegin(); block != graph.rpoEnd(); block++) {
         if (mir->shouldCancel("Scalar Replacement (main loop)"))
@@ -1085,6 +1259,7 @@ ScalarReplacement(MIRGenerator* mir, MIRGraph& graph)
                 if (!replaceObject.run(view))
                     return false;
                 view.assertSuccess();
+                *success = true;
                 addedPhi = true;
                 continue;
             }
@@ -1094,6 +1269,7 @@ ScalarReplacement(MIRGenerator* mir, MIRGraph& graph)
                 if (!replaceArray.run(view))
                     return false;
                 view.assertSuccess();
+                *success = true;
                 addedPhi = true;
                 continue;
             }
diff --git a/js/src/jit/ScalarReplacement.h b/js/src/jit/ScalarReplacement.h
index 836367f0f0f3..1869471a3147 100644
--- a/js/src/jit/ScalarReplacement.h
+++ b/js/src/jit/ScalarReplacement.h
@@ -15,7 +15,7 @@ class MIRGenerator;
 class MIRGraph;
 
 bool
-ScalarReplacement(MIRGenerator* mir, MIRGraph& graph);
+ScalarReplacement(MIRGenerator* mir, MIRGraph& graph, bool* success);
 
 } // namespace jit
 } // namespace js
diff --git a/js/src/jit/SharedICHelpers.h b/js/src/jit/SharedICHelpers.h
index df81577dc6d1..beaad3c07476 100644
--- a/js/src/jit/SharedICHelpers.h
+++ b/js/src/jit/SharedICHelpers.h
@@ -13,6 +13,8 @@
 # include "jit/x64/SharedICHelpers-x64.h"
 #elif defined(JS_CODEGEN_ARM)
 # include "jit/arm/SharedICHelpers-arm.h"
+#elif defined(JS_CODEGEN_ARM64)
+# include "jit/arm64/SharedICHelpers-arm64.h"
 #elif defined(JS_CODEGEN_MIPS)
 # include "jit/mips/SharedICHelpers-mips.h"
 #elif defined(JS_CODEGEN_NONE)
diff --git a/js/src/jit/SharedICRegisters.h b/js/src/jit/SharedICRegisters.h
index df52efddaea3..efa2029e2b30 100644
--- a/js/src/jit/SharedICRegisters.h
+++ b/js/src/jit/SharedICRegisters.h
@@ -13,6 +13,8 @@
 # include "jit/x64/SharedICRegisters-x64.h"
 #elif defined(JS_CODEGEN_ARM)
 # include "jit/arm/SharedICRegisters-arm.h"
+#elif defined(JS_CODEGEN_ARM64)
+# include "jit/arm64/SharedICRegisters-arm64.h"
 #elif defined(JS_CODEGEN_MIPS)
 # include "jit/mips/SharedICRegisters-mips.h"
 #elif defined(JS_CODEGEN_NONE)
diff --git a/js/src/jit/VMFunctions.h b/js/src/jit/VMFunctions.h
index 74bb7ab615e8..0fee01d4fd77 100644
--- a/js/src/jit/VMFunctions.h
+++ b/js/src/jit/VMFunctions.h
@@ -7,6 +7,8 @@
 #ifndef jit_VMFunctions_h
 #define jit_VMFunctions_h
 
+#include "mozilla/Attributes.h"
+
 #include "jspubtd.h"
 
 #include "jit/CompileInfo.h"
@@ -440,176 +442,114 @@ template <> struct MatchContext<ExclusiveContext*> {
     static const bool valid = true;
 };
 
-#define FOR_EACH_ARGS_1(Macro, Sep, Last) Macro(1) Last(1)
-#define FOR_EACH_ARGS_2(Macro, Sep, Last) FOR_EACH_ARGS_1(Macro, Sep, Sep) Macro(2) Last(2)
-#define FOR_EACH_ARGS_3(Macro, Sep, Last) FOR_EACH_ARGS_2(Macro, Sep, Sep) Macro(3) Last(3)
-#define FOR_EACH_ARGS_4(Macro, Sep, Last) FOR_EACH_ARGS_3(Macro, Sep, Sep) Macro(4) Last(4)
-#define FOR_EACH_ARGS_5(Macro, Sep, Last) FOR_EACH_ARGS_4(Macro, Sep, Sep) Macro(5) Last(5)
-#define FOR_EACH_ARGS_6(Macro, Sep, Last) FOR_EACH_ARGS_5(Macro, Sep, Sep) Macro(6) Last(6)
-#define FOR_EACH_ARGS_7(Macro, Sep, Last) FOR_EACH_ARGS_6(Macro, Sep, Sep) Macro(7) Last(7)
+// Extract the last element of a list of types.
+template <typename... ArgTypes>
+struct LastArg;
 
-#define COMPUTE_INDEX(NbArg) NbArg
-#define COMPUTE_OUTPARAM_RESULT(NbArg) OutParamToDataType<A ## NbArg>::result
-#define COMPUTE_OUTPARAM_ROOT(NbArg) OutParamToRootType<A ## NbArg>::result
-#define COMPUTE_ARG_PROP(NbArg) (TypeToArgProperties<A ## NbArg>::result << (2 * (NbArg - 1)))
-#define COMPUTE_ARG_ROOT(NbArg) (uint64_t(TypeToRootType<A ## NbArg>::result) << (3 * (NbArg - 1)))
-#define COMPUTE_ARG_FLOAT(NbArg) (TypeToPassInFloatReg<A ## NbArg>::result) << (NbArg - 1)
-#define SEP_OR(_) |
-#define NOTHING(_)
-
-#define FUNCTION_INFO_STRUCT_BODY(ForEachNb)                                            \
-    static inline DataType returnType() {                                               \
-        return TypeToDataType<R>::result;                                               \
-    }                                                                                   \
-    static inline DataType outParam() {                                                 \
-        return ForEachNb(NOTHING, NOTHING, COMPUTE_OUTPARAM_RESULT);                    \
-    }                                                                                   \
-    static inline RootType outParamRootType() {                                         \
-        return ForEachNb(NOTHING, NOTHING, COMPUTE_OUTPARAM_ROOT);                      \
-    }                                                                                   \
-    static inline size_t NbArgs() {                                                     \
-        return ForEachNb(NOTHING, NOTHING, COMPUTE_INDEX);                              \
-    }                                                                                   \
-    static inline size_t explicitArgs() {                                               \
-        return NbArgs() - (outParam() != Type_Void ? 1 : 0);                            \
-    }                                                                                   \
-    static inline uint32_t argumentProperties() {                                       \
-        return ForEachNb(COMPUTE_ARG_PROP, SEP_OR, NOTHING);                            \
-    }                                                                                   \
-    static inline uint32_t argumentPassedInFloatRegs() {                                \
-        return ForEachNb(COMPUTE_ARG_FLOAT, SEP_OR, NOTHING);                           \
-    }                                                                                   \
-    static inline uint64_t argumentRootTypes() {                                        \
-        return ForEachNb(COMPUTE_ARG_ROOT, SEP_OR, NOTHING);                            \
-    }                                                                                   \
-    explicit FunctionInfo(pf fun, MaybeTailCall expectTailCall,                         \
-                          PopValues extraValuesToPop = PopValues(0))                    \
-        : VMFunction(JS_FUNC_TO_DATA_PTR(void*, fun), explicitArgs(),                  \
-                     argumentProperties(), argumentPassedInFloatRegs(),                 \
-                     argumentRootTypes(), outParam(), outParamRootType(),               \
-                     returnType(), extraValuesToPop.numValues, expectTailCall)          \
-    {                                                                                   \
-        static_assert(MatchContext<Context>::valid, "Invalid cx type in VMFunction");   \
-    }                                                                                   \
-    explicit FunctionInfo(pf fun, PopValues extraValuesToPop = PopValues(0))            \
-        : VMFunction(JS_FUNC_TO_DATA_PTR(void*, fun), explicitArgs(),                  \
-                     argumentProperties(), argumentPassedInFloatRegs(),                 \
-                     argumentRootTypes(), outParam(), outParamRootType(),               \
-                     returnType(), extraValuesToPop.numValues, NonTailCall)             \
-    {                                                                                   \
-        static_assert(MatchContext<Context>::valid, "Invalid cx type in VMFunction");   \
-    }
-
-template <typename Fun>
-struct FunctionInfo {
+template <>
+struct LastArg<>
+{
+    typedef void Type;
+    static MOZ_CONSTEXPR_VAR size_t nbArgs = 0;
 };
 
-// VMFunction wrapper with no explicit arguments.
-template <class R, class Context>
-struct FunctionInfo<R (*)(Context)> : public VMFunction {
-    typedef R (*pf)(Context);
+template <typename HeadType>
+struct LastArg<HeadType>
+{
+    typedef HeadType Type;
+    static MOZ_CONSTEXPR_VAR size_t nbArgs = 1;
+};
 
-    static inline DataType returnType() {
+template <typename HeadType, typename... TailTypes>
+struct LastArg<HeadType, TailTypes...>
+{
+    typedef typename LastArg<TailTypes...>::Type Type;
+    static MOZ_CONSTEXPR_VAR size_t nbArgs = LastArg<TailTypes...>::nbArgs + 1;
+};
+
+// Construct a bit mask from a list of types.  The mask is constructed as an OR
+// of the mask produced for each argument. The result of each argument is
+// shifted by its index, such that the result of the first argument is on the
+// low bits of the mask, and the result of the last argument in part of the
+// high bits of the mask.
+template <template<typename> class Each, typename ResultType, size_t Shift,
+          typename... Args>
+struct BitMask;
+
+template <template<typename> class Each, typename ResultType, size_t Shift>
+struct BitMask<Each, ResultType, Shift>
+{
+    static MOZ_CONSTEXPR_VAR ResultType result = ResultType();
+};
+
+template <template<typename> class Each, typename ResultType, size_t Shift,
+          typename HeadType, typename... TailTypes>
+struct BitMask<Each, ResultType, Shift, HeadType, TailTypes...>
+{
+    static_assert(ResultType(Each<HeadType>::result) < (1 << Shift),
+                  "not enough bits reserved by the shift for individual results");
+    static_assert(LastArg<TailTypes...>::nbArgs < (8 * sizeof(ResultType) / Shift),
+                  "not enough bits in the result type to store all bit masks");
+
+    static MOZ_CONSTEXPR_VAR ResultType result =
+        ResultType(Each<HeadType>::result) |
+        (BitMask<Each, ResultType, Shift, TailTypes...>::result << Shift);
+};
+
+// Extract VMFunction properties based on the signature of the function. The
+// properties are used to generate the logic for calling the VM function, and
+// also for marking the stack during GCs.
+template <typename... Args>
+struct FunctionInfo;
+
+template <class R, class Context, typename... Args>
+struct FunctionInfo<R (*)(Context, Args...)> : public VMFunction
+{
+    typedef R (*pf)(Context, Args...);
+
+    static DataType returnType() {
         return TypeToDataType<R>::result;
     }
-    static inline DataType outParam() {
-        return Type_Void;
+    static DataType outParam() {
+        return OutParamToDataType<typename LastArg<Args...>::Type>::result;
     }
-    static inline RootType outParamRootType() {
-        return RootNone;
+    static RootType outParamRootType() {
+        return OutParamToRootType<typename LastArg<Args...>::Type>::result;
     }
-    static inline size_t explicitArgs() {
-        return 0;
+    static size_t NbArgs() {
+        return LastArg<Args...>::nbArgs;
     }
-    static inline uint32_t argumentProperties() {
-        return 0;
+    static size_t explicitArgs() {
+        return NbArgs() - (outParam() != Type_Void ? 1 : 0);
     }
-    static inline uint32_t argumentPassedInFloatRegs() {
-        return 0;
+    static uint32_t argumentProperties() {
+        return BitMask<TypeToArgProperties, uint32_t, 2, Args...>::result;
     }
-    static inline uint64_t argumentRootTypes() {
-        return 0;
+    static uint32_t argumentPassedInFloatRegs() {
+        return BitMask<TypeToPassInFloatReg, uint32_t, 2, Args...>::result;
     }
-    explicit FunctionInfo(pf fun)
-      : VMFunction(JS_FUNC_TO_DATA_PTR(void*, fun), explicitArgs(),
-                   argumentProperties(), argumentPassedInFloatRegs(),
-                   argumentRootTypes(), outParam(), outParamRootType(),
-                   returnType(), 0, NonTailCall)
+    static uint64_t argumentRootTypes() {
+        return BitMask<TypeToRootType, uint64_t, 3, Args...>::result;
+    }
+    explicit FunctionInfo(pf fun, PopValues extraValuesToPop = PopValues(0))
+        : VMFunction(JS_FUNC_TO_DATA_PTR(void*, fun), explicitArgs(),
+                     argumentProperties(), argumentPassedInFloatRegs(),
+                     argumentRootTypes(), outParam(), outParamRootType(),
+                     returnType(), extraValuesToPop.numValues, NonTailCall)
     {
         static_assert(MatchContext<Context>::valid, "Invalid cx type in VMFunction");
     }
-    explicit FunctionInfo(pf fun, MaybeTailCall expectTailCall)
-      : VMFunction(JS_FUNC_TO_DATA_PTR(void*, fun), explicitArgs(),
-                   argumentProperties(), argumentPassedInFloatRegs(),
-                   argumentRootTypes(), outParam(), outParamRootType(),
-                   returnType(), expectTailCall)
+    explicit FunctionInfo(pf fun, MaybeTailCall expectTailCall,
+                          PopValues extraValuesToPop = PopValues(0))
+        : VMFunction(JS_FUNC_TO_DATA_PTR(void*, fun), explicitArgs(),
+                     argumentProperties(), argumentPassedInFloatRegs(),
+                     argumentRootTypes(), outParam(), outParamRootType(),
+                     returnType(), extraValuesToPop.numValues, expectTailCall)
     {
         static_assert(MatchContext<Context>::valid, "Invalid cx type in VMFunction");
     }
 };
 
-// Specialize the class for each number of argument used by VMFunction.
-// Keep it verbose unless you find a readable macro for it.
-template <class R, class Context, class A1>
-struct FunctionInfo<R (*)(Context, A1)> : public VMFunction {
-    typedef R (*pf)(Context, A1);
-    FUNCTION_INFO_STRUCT_BODY(FOR_EACH_ARGS_1)
-};
-
-template <class R, class Context, class A1, class A2>
-struct FunctionInfo<R (*)(Context, A1, A2)> : public VMFunction {
-    typedef R (*pf)(Context, A1, A2);
-    FUNCTION_INFO_STRUCT_BODY(FOR_EACH_ARGS_2)
-};
-
-template <class R, class Context, class A1, class A2, class A3>
-struct FunctionInfo<R (*)(Context, A1, A2, A3)> : public VMFunction {
-    typedef R (*pf)(Context, A1, A2, A3);
-    FUNCTION_INFO_STRUCT_BODY(FOR_EACH_ARGS_3)
-};
-
-template <class R, class Context, class A1, class A2, class A3, class A4>
-struct FunctionInfo<R (*)(Context, A1, A2, A3, A4)> : public VMFunction {
-    typedef R (*pf)(Context, A1, A2, A3, A4);
-    FUNCTION_INFO_STRUCT_BODY(FOR_EACH_ARGS_4)
-};
-
-template <class R, class Context, class A1, class A2, class A3, class A4, class A5>
-    struct FunctionInfo<R (*)(Context, A1, A2, A3, A4, A5)> : public VMFunction {
-    typedef R (*pf)(Context, A1, A2, A3, A4, A5);
-    FUNCTION_INFO_STRUCT_BODY(FOR_EACH_ARGS_5)
-};
-
-template <class R, class Context, class A1, class A2, class A3, class A4, class A5, class A6>
-    struct FunctionInfo<R (*)(Context, A1, A2, A3, A4, A5, A6)> : public VMFunction {
-    typedef R (*pf)(Context, A1, A2, A3, A4, A5, A6);
-    FUNCTION_INFO_STRUCT_BODY(FOR_EACH_ARGS_6)
-};
-
-template <class R, class Context, class A1, class A2, class A3, class A4, class A5, class A6, class A7>
-    struct FunctionInfo<R (*)(Context, A1, A2, A3, A4, A5, A6, A7)> : public VMFunction {
-    typedef R (*pf)(Context, A1, A2, A3, A4, A5, A6, A7);
-    FUNCTION_INFO_STRUCT_BODY(FOR_EACH_ARGS_7)
-};
-
-#undef FUNCTION_INFO_STRUCT_BODY
-
-#undef FOR_EACH_ARGS_7
-#undef FOR_EACH_ARGS_6
-#undef FOR_EACH_ARGS_5
-#undef FOR_EACH_ARGS_4
-#undef FOR_EACH_ARGS_3
-#undef FOR_EACH_ARGS_2
-#undef FOR_EACH_ARGS_1
-
-#undef COMPUTE_INDEX
-#undef COMPUTE_OUTPARAM_RESULT
-#undef COMPUTE_OUTPARAM_ROOT
-#undef COMPUTE_ARG_PROP
-#undef COMPUTE_ARG_FLOAT
-#undef SEP_OR
-#undef NOTHING
-
 class AutoDetectInvalidation
 {
     JSContext* cx_;
diff --git a/js/src/jit/arm/Simulator-arm.cpp b/js/src/jit/arm/Simulator-arm.cpp
index 1f2ffdf0493f..e26c5b005e7b 100644
--- a/js/src/jit/arm/Simulator-arm.cpp
+++ b/js/src/jit/arm/Simulator-arm.cpp
@@ -692,7 +692,7 @@ ArmDebugger::debug()
                                 i < 8 &&
                                 (i % 2) == 0) {
                                 dvalue = getRegisterPairDoubleValue(i);
-                                printf(" (%f)\n", dvalue);
+                                printf(" (%.16g)\n", dvalue);
                             } else {
                                 printf("\n");
                             }
@@ -700,7 +700,7 @@ ArmDebugger::debug()
                         for (uint32_t i = 0; i < FloatRegisters::TotalPhys; i++) {
                             dvalue = getVFPDoubleRegisterValue(i);
                             uint64_t as_words = mozilla::BitwiseCast<uint64_t>(dvalue);
-                            printf("%3s: %f 0x%08x %08x\n",
+                            printf("%3s: %.16g 0x%08x %08x\n",
                                    FloatRegister::FromCode(i).name(),
                                    dvalue,
                                    static_cast<uint32_t>(as_words >> 32),
@@ -711,7 +711,7 @@ ArmDebugger::debug()
                             printf("%s: 0x%08x %d \n", arg1, value, value);
                         } else if (getVFPDoubleValue(arg1, &dvalue)) {
                             uint64_t as_words = mozilla::BitwiseCast<uint64_t>(dvalue);
-                            printf("%s: %f 0x%08x %08x\n",
+                            printf("%s: %.16g 0x%08x %08x\n",
                                    arg1,
                                    dvalue,
                                    static_cast<uint32_t>(as_words >> 32),
diff --git a/js/src/jit/arm64/Architecture-arm64.cpp b/js/src/jit/arm64/Architecture-arm64.cpp
new file mode 100644
index 000000000000..a5e62fb61c84
--- /dev/null
+++ b/js/src/jit/arm64/Architecture-arm64.cpp
@@ -0,0 +1,75 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "jit/arm64/Architecture-arm64.h"
+
+#include <cstring>
+
+#include "jit/RegisterSets.h"
+
+namespace js {
+namespace jit {
+
+Registers::Code
+Registers::FromName(const char* name)
+{
+    // Check for some register aliases first.
+    if (strcmp(name, "ip0") == 0)
+        return ip0;
+    if (strcmp(name, "ip1") == 0)
+        return ip1;
+    if (strcmp(name, "fp") == 0)
+        return fp;
+
+    for (uint32_t i = 0; i < Total; i++) {
+        if (strcmp(GetName(Code(i)), name) == 0)
+            return Code(i);
+    }
+
+    return invalid_reg;
+}
+
+FloatRegisters::Code
+FloatRegisters::FromName(const char* name)
+{
+    for (size_t i = 0; i < Total; i++) {
+        if (strcmp(GetName(Code(i)), name) == 0)
+            return Code(i);
+    }
+
+    return invalid_fpreg;
+}
+
+FloatRegisterSet
+FloatRegister::ReduceSetForPush(const FloatRegisterSet& s)
+{
+    LiveFloatRegisterSet ret;
+    for (FloatRegisterIterator iter(s); iter.more(); ++iter)
+        ret.addUnchecked(FromCode((*iter).encoding()));
+    return ret.set();
+}
+
+uint32_t
+FloatRegister::GetSizeInBytes(const FloatRegisterSet& s)
+{
+    return s.size() * sizeof(double);
+}
+
+uint32_t
+FloatRegister::GetPushSizeInBytes(const FloatRegisterSet& s)
+{
+    return s.size() * sizeof(double);
+}
+
+uint32_t
+FloatRegister::getRegisterDumpOffsetInBytes()
+{
+    // Although registers are 128-bits wide, only the first 64 need saving per ABI.
+    return encoding() * sizeof(double);
+}
+
+} // namespace jit
+} // namespace js
diff --git a/js/src/jit/arm64/Architecture-arm64.h b/js/src/jit/arm64/Architecture-arm64.h
new file mode 100644
index 000000000000..d46da4c02f33
--- /dev/null
+++ b/js/src/jit/arm64/Architecture-arm64.h
@@ -0,0 +1,462 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef jit_arm64_Architecture_arm64_h
+#define jit_arm64_Architecture_arm64_h
+
+#include "mozilla/Assertions.h"
+#include "mozilla/MathAlgorithms.h"
+
+#include "js/Utility.h"
+
+namespace js {
+namespace jit {
+
+// AArch64 has 32 64-bit integer registers, x0 though x31.
+//  x31 is special and functions as both the stack pointer and a zero register.
+//  The bottom 32 bits of each of the X registers is accessible as w0 through w31.
+//  The program counter is no longer accessible as a register.
+// SIMD and scalar floating-point registers share a register bank.
+//  32 bit float registers are s0 through s31.
+//  64 bit double registers are d0 through d31.
+//  128 bit SIMD registers are v0 through v31.
+// e.g., s0 is the bottom 32 bits of d0, which is the bottom 64 bits of v0.
+
+// AArch64 Calling Convention:
+//  x0 - x7: arguments and return value
+//  x8: indirect result (struct) location
+//  x9 - x15: temporary registers
+//  x16 - x17: intra-call-use registers (PLT, linker)
+//  x18: platform specific use (TLS)
+//  x19 - x28: callee-saved registers
+//  x29: frame pointer
+//  x30: link register
+
+// AArch64 Calling Convention for Floats:
+//  d0 - d7: arguments and return value
+//  d8 - d15: callee-saved registers
+//   Bits 64:128 are not saved for v8-v15.
+//  d16 - d31: temporary registers
+
+// AArch64 does not have soft float.
+
+class Registers {
+  public:
+    enum RegisterID {
+        w0  =  0, x0  =  0,
+        w1  =  1, x1  =  1,
+        w2  =  2, x2  =  2,
+        w3  =  3, x3  =  3,
+        w4  =  4, x4  =  4,
+        w5  =  5, x5  =  5,
+        w6  =  6, x6  =  6,
+        w7  =  7, x7  =  7,
+        w8  =  8, x8  =  8,
+        w9  =  9, x9  =  9,
+        w10 = 10, x10 = 10,
+        w11 = 11, x11 = 11,
+        w12 = 12, x12 = 12,
+        w13 = 13, x13 = 13,
+        w14 = 14, x14 = 14,
+        w15 = 15, x15 = 15,
+        w16 = 16, x16 = 16, ip0 = 16, // MacroAssembler scratch register 1.
+        w17 = 17, x17 = 17, ip1 = 17, // MacroAssembler scratch register 2.
+        w18 = 18, x18 = 18, tls = 18, // Platform-specific use (TLS).
+        w19 = 19, x19 = 19,
+        w20 = 20, x20 = 20,
+        w21 = 21, x21 = 21,
+        w22 = 22, x22 = 22,
+        w23 = 23, x23 = 23,
+        w24 = 24, x24 = 24,
+        w25 = 25, x25 = 25,
+        w26 = 26, x26 = 26,
+        w27 = 27, x27 = 27,
+        w28 = 28, x28 = 28,
+        w29 = 29, x29 = 29, fp = 29,
+        w30 = 30, x30 = 30, lr = 30,
+        w31 = 31, x31 = 31, wzr = 31, xzr = 31, sp = 31, // Special: both stack pointer and a zero register.
+        invalid_reg
+    };
+    typedef uint8_t Code;
+    typedef uint32_t Encoding;
+    typedef uint32_t SetType;
+
+    union RegisterContent {
+        uintptr_t r;
+    };
+
+    static uint32_t SetSize(SetType x) {
+        static_assert(sizeof(SetType) == 4, "SetType must be 32 bits");
+        return mozilla::CountPopulation32(x);
+    }
+    static uint32_t FirstBit(SetType x) {
+        return mozilla::CountTrailingZeroes32(x);
+    }
+    static uint32_t LastBit(SetType x) {
+        return 31 - mozilla::CountLeadingZeroes32(x);
+    }
+
+    static const char* GetName(Code code) {
+        static const char* const Names[] =
+            { "x0",  "x1",  "x2",  "x3",  "x4",  "x5",  "x6",  "x7",  "x8",  "x9",
+              "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x18", "x19",
+              "x20", "x21", "x22", "x23", "x24", "x25", "x26", "x27", "x28", "x29",
+              "lr", "sp", "invalid" };
+        return Names[code];
+    }
+    static const char* GetName(uint32_t i) {
+        MOZ_ASSERT(i < Total);
+        return GetName(Code(i));
+    }
+
+    static Code FromName(const char* name);
+
+    // If SP is used as the base register for a memory load or store, then the value
+    // of the stack pointer prior to adding any offset must be quadword (16 byte) aligned,
+    // or else a stack aligment exception will be generated.
+    static const Code StackPointer = sp;
+
+    static const Code Invalid = invalid_reg;
+
+    static const uint32_t Total = 32;
+    static const uint32_t TotalPhys = 32;
+    static const uint32_t Allocatable = 27; // No named special-function registers.
+
+    static const SetType AllMask = 0xFFFFFFFF;
+
+    static const SetType ArgRegMask =
+        (1 << Registers::x0) | (1 << Registers::x1) |
+        (1 << Registers::x2) | (1 << Registers::x3) |
+        (1 << Registers::x4) | (1 << Registers::x5) |
+        (1 << Registers::x6) | (1 << Registers::x7) |
+        (1 << Registers::x8);
+
+    static const SetType VolatileMask =
+        (1 << Registers::x0) | (1 << Registers::x1) |
+        (1 << Registers::x2) | (1 << Registers::x3) |
+        (1 << Registers::x4) | (1 << Registers::x5) |
+        (1 << Registers::x6) | (1 << Registers::x7) |
+        (1 << Registers::x8) | (1 << Registers::x9) |
+        (1 << Registers::x10) | (1 << Registers::x11) |
+        (1 << Registers::x11) | (1 << Registers::x12) |
+        (1 << Registers::x13) | (1 << Registers::x14) |
+        (1 << Registers::x14) | (1 << Registers::x15) |
+        (1 << Registers::x16) | (1 << Registers::x17) |
+        (1 << Registers::x18);
+
+    static const SetType NonVolatileMask =
+        (1 << Registers::x19) | (1 << Registers::x20) |
+        (1 << Registers::x21) | (1 << Registers::x22) |
+        (1 << Registers::x23) | (1 << Registers::x24) |
+        (1 << Registers::x25) | (1 << Registers::x26) |
+        (1 << Registers::x27) | (1 << Registers::x28) |
+        (1 << Registers::x29) | (1 << Registers::x30);
+
+    static const SetType SingleByteRegs = VolatileMask | NonVolatileMask;
+
+    static const SetType NonAllocatableMask =
+        (1 << Registers::x28) | // PseudoStackPointer.
+        (1 << Registers::ip0) | // First scratch register.
+        (1 << Registers::ip1) | // Second scratch register.
+        (1 << Registers::tls) |
+        (1 << Registers::lr) |
+        (1 << Registers::sp);
+
+    // Registers that can be allocated without being saved, generally.
+    static const SetType TempMask = VolatileMask & ~NonAllocatableMask;
+
+    static const SetType WrapperMask = VolatileMask;
+
+    // Registers returned from a JS -> JS call.
+    static const SetType JSCallMask = (1 << Registers::x2);
+
+    // Registers returned from a JS -> C call.
+    static const SetType CallMask = (1 << Registers::x0);
+
+    static const SetType AllocatableMask = AllMask & ~NonAllocatableMask;
+};
+
+// Smallest integer type that can hold a register bitmask.
+typedef uint32_t PackedRegisterMask;
+
+template <typename T>
+class TypedRegisterSet;
+
+class FloatRegisters
+{
+  public:
+    enum FPRegisterID {
+        s0  =  0, d0  =  0, v0  =  0,
+        s1  =  1, d1  =  1, v1  =  1,
+        s2  =  2, d2  =  2, v2  =  2,
+        s3  =  3, d3  =  3, v3  =  3,
+        s4  =  4, d4  =  4, v4  =  4,
+        s5  =  5, d5  =  5, v5  =  5,
+        s6  =  6, d6  =  6, v6  =  6,
+        s7  =  7, d7  =  7, v7  =  7,
+        s8  =  8, d8  =  8, v8  =  8,
+        s9  =  9, d9  =  9, v9  =  9,
+        s10 = 10, d10 = 10, v10 = 10,
+        s11 = 11, d11 = 11, v11 = 11,
+        s12 = 12, d12 = 12, v12 = 12,
+        s13 = 13, d13 = 13, v13 = 13,
+        s14 = 14, d14 = 14, v14 = 14,
+        s15 = 15, d15 = 15, v15 = 15,
+        s16 = 16, d16 = 16, v16 = 16,
+        s17 = 17, d17 = 17, v17 = 17,
+        s18 = 18, d18 = 18, v18 = 18,
+        s19 = 19, d19 = 19, v19 = 19,
+        s20 = 20, d20 = 20, v20 = 20,
+        s21 = 21, d21 = 21, v21 = 21,
+        s22 = 22, d22 = 22, v22 = 22,
+        s23 = 23, d23 = 23, v23 = 23,
+        s24 = 24, d24 = 24, v24 = 24,
+        s25 = 25, d25 = 25, v25 = 25,
+        s26 = 26, d26 = 26, v26 = 26,
+        s27 = 27, d27 = 27, v27 = 27,
+        s28 = 28, d28 = 28, v28 = 28,
+        s29 = 29, d29 = 29, v29 = 29,
+        s30 = 30, d30 = 30, v30 = 30,
+        s31 = 31, d31 = 31, v31 = 31, // Scratch register.
+        invalid_fpreg
+    };
+    typedef uint8_t Code;
+    typedef FPRegisterID Encoding;
+    typedef uint64_t SetType;
+
+    static const char* GetName(Code code) {
+        static const char* const Names[] =
+            { "d0",  "d1",  "d2",  "d3",  "d4",  "d5",  "d6",  "d7",  "d8",  "d9",
+              "d10", "d11", "d12", "d13", "d14", "d15", "d16", "d17", "d18", "d19",
+              "d20", "d21", "d22", "d23", "d24", "d25", "d26", "d27", "d28", "d29",
+              "d30", "d31", "invalid" };
+        return Names[code];
+    }
+
+    static const char* GetName(uint32_t i) {
+        MOZ_ASSERT(i < TotalPhys);
+        return GetName(Code(i));
+    }
+
+    static Code FromName(const char* name);
+
+    static const Code Invalid = invalid_fpreg;
+
+    static const uint32_t Total = 64;
+    static const uint32_t TotalPhys = 32;
+    static const SetType AllMask = 0xFFFFFFFFFFFFFFFFULL;
+    static const SetType AllPhysMask = 0xFFFFFFFFULL;
+    static const SetType SpreadCoefficient = 0x100000001ULL;
+
+    static const uint32_t Allocatable = 31; // Without d31, the scratch register.
+
+    // d31 is the ScratchFloatReg.
+    static const SetType NonVolatileMask =
+        SetType((1 << FloatRegisters::d8) | (1 << FloatRegisters::d9) |
+                (1 << FloatRegisters::d10) | (1 << FloatRegisters::d11) |
+                (1 << FloatRegisters::d12) | (1 << FloatRegisters::d13) |
+                (1 << FloatRegisters::d14) | (1 << FloatRegisters::d15) |
+                (1 << FloatRegisters::d16) | (1 << FloatRegisters::d17) |
+                (1 << FloatRegisters::d18) | (1 << FloatRegisters::d19) |
+                (1 << FloatRegisters::d20) | (1 << FloatRegisters::d21) |
+                (1 << FloatRegisters::d22) | (1 << FloatRegisters::d23) |
+                (1 << FloatRegisters::d24) | (1 << FloatRegisters::d25) |
+                (1 << FloatRegisters::d26) | (1 << FloatRegisters::d27) |
+                (1 << FloatRegisters::d28) | (1 << FloatRegisters::d29) |
+                (1 << FloatRegisters::d30)) * SpreadCoefficient;
+
+    static const SetType VolatileMask = AllMask & ~NonVolatileMask;
+    static const SetType AllDoubleMask = AllMask;
+
+    static const SetType WrapperMask = VolatileMask;
+
+    // d31 is the ScratchFloatReg.
+    static const SetType NonAllocatableMask = (SetType(1) << FloatRegisters::d31) * SpreadCoefficient;
+
+    // Registers that can be allocated without being saved, generally.
+    static const SetType TempMask = VolatileMask & ~NonAllocatableMask;
+
+    static const SetType AllocatableMask = AllMask & ~NonAllocatableMask;
+    union RegisterContent {
+        float s;
+        double d;
+    };
+    enum Kind {
+        Double,
+        Single
+    };
+};
+
+// In bytes: slots needed for potential memory->memory move spills.
+//   +8 for cycles
+//   +8 for gpr spills
+//   +8 for double spills
+static const uint32_t ION_FRAME_SLACK_SIZE = 24;
+
+static const uint32_t ShadowStackSpace = 0;
+
+static const uint32_t ABIStackAlignment = 16;
+static const uint32_t CodeAlignment = 16;
+static const bool StackKeptAligned = false;
+
+// Although sp is only usable if 16-byte alignment is kept,
+// the Pseudo-StackPointer enables use of 8-byte alignment.
+static const uint32_t StackAlignment = 8;
+static const uint32_t NativeFrameSize = 8;
+
+struct FloatRegister
+{
+    typedef FloatRegisters Codes;
+    typedef Codes::Code Code;
+    typedef Codes::Encoding Encoding;
+    typedef Codes::SetType SetType;
+
+    union RegisterContent {
+        float s;
+        double d;
+    };
+
+    constexpr FloatRegister(uint32_t code, FloatRegisters::Kind k)
+      : code_(FloatRegisters::Code(code & 31)),
+        k_(k)
+    { }
+
+    constexpr FloatRegister(uint32_t code)
+      : code_(FloatRegisters::Code(code & 31)),
+        k_(FloatRegisters::Kind(code >> 5))
+    { }
+
+    constexpr FloatRegister()
+      : code_(FloatRegisters::Code(-1)),
+        k_(FloatRegisters::Double)
+    { }
+
+    static uint32_t SetSize(SetType x) {
+        static_assert(sizeof(SetType) == 8, "SetType must be 64 bits");
+        x |= x >> FloatRegisters::TotalPhys;
+        x &= FloatRegisters::AllPhysMask;
+        return mozilla::CountPopulation32(x);
+    }
+
+    static FloatRegister FromCode(uint32_t i) {
+        MOZ_ASSERT(i < FloatRegisters::Total);
+        FloatRegister r(i);
+        return r;
+    }
+    Code code() const {
+        MOZ_ASSERT((uint32_t)code_ < FloatRegisters::Total);
+        return Code(code_ | (k_ << 5));
+    }
+    Encoding encoding() const {
+        return Encoding(code_);
+    }
+
+    const char* name() const {
+        return FloatRegisters::GetName(code());
+    }
+    bool volatile_() const {
+        return !!((SetType(1) << code()) & FloatRegisters::VolatileMask);
+    }
+    bool operator!=(FloatRegister other) const {
+        return other.code_ != code_ || other.k_ != k_;
+    }
+    bool operator==(FloatRegister other) const {
+        return other.code_ == code_ && other.k_ == k_;
+    }
+    bool aliases(FloatRegister other) const {
+        return other.code_ == code_;
+    }
+    uint32_t numAliased() const {
+        return 2;
+    }
+    static FloatRegisters::Kind otherkind(FloatRegisters::Kind k) {
+        if (k == FloatRegisters::Double)
+            return FloatRegisters::Single;
+        return FloatRegisters::Double;
+    }
+    void aliased(uint32_t aliasIdx, FloatRegister* ret) {
+        if (aliasIdx == 0)
+            *ret = *this;
+        else
+            *ret = FloatRegister(code_, otherkind(k_));
+    }
+    // This function mostly exists for the ARM backend.  It is to ensure that two
+    // floating point registers' types are equivalent.  e.g. S0 is not equivalent
+    // to D16, since S0 holds a float32, and D16 holds a Double.
+    // Since all floating point registers on x86 and x64 are equivalent, it is
+    // reasonable for this function to do the same.
+    bool equiv(FloatRegister other) const {
+        return k_ == other.k_;
+    }
+    MOZ_CONSTEXPR uint32_t size() const {
+        return k_ == FloatRegisters::Double ? sizeof(double) : sizeof(float);
+    }
+    uint32_t numAlignedAliased() {
+        return numAliased();
+    }
+    void alignedAliased(uint32_t aliasIdx, FloatRegister* ret) {
+        MOZ_ASSERT(aliasIdx == 0);
+        aliased(aliasIdx, ret);
+    }
+    SetType alignedOrDominatedAliasedSet() const {
+        return Codes::SpreadCoefficient << code_;
+    }
+
+    bool isSingle() const {
+        return k_ == FloatRegisters::Single;
+    }
+    bool isDouble() const {
+        return k_ == FloatRegisters::Double;
+    }
+    bool isInt32x4() const {
+        return false;
+    }
+    bool isFloat32x4() const {
+        return false;
+    }
+
+    static uint32_t FirstBit(SetType x) {
+        JS_STATIC_ASSERT(sizeof(SetType) == 8);
+        return mozilla::CountTrailingZeroes64(x);
+    }
+    static uint32_t LastBit(SetType x) {
+        JS_STATIC_ASSERT(sizeof(SetType) == 8);
+        return 63 - mozilla::CountLeadingZeroes64(x);
+    }
+
+    static TypedRegisterSet<FloatRegister> ReduceSetForPush(const TypedRegisterSet<FloatRegister>& s);
+    static uint32_t GetSizeInBytes(const TypedRegisterSet<FloatRegister>& s);
+    static uint32_t GetPushSizeInBytes(const TypedRegisterSet<FloatRegister>& s);
+    uint32_t getRegisterDumpOffsetInBytes();
+
+  public:
+    Code code_ : 8;
+    FloatRegisters::Kind k_ : 1;
+};
+
+// ARM/D32 has double registers that cannot be treated as float32.
+// Luckily, ARMv8 doesn't have the same misfortune.
+inline bool
+hasUnaliasedDouble()
+{
+    return false;
+}
+
+// ARM prior to ARMv8 also has doubles that alias multiple floats.
+// Again, ARMv8 is in the clear.
+inline bool
+hasMultiAlias()
+{
+    return false;
+}
+
+static const size_t AsmJSCheckedImmediateRange = 0;
+static const size_t AsmJSImmediateRange = 0;
+
+} // namespace jit
+} // namespace js
+
+#endif // jit_arm64_Architecture_arm64_h
diff --git a/js/src/jit/arm64/Assembler-arm64.cpp b/js/src/jit/arm64/Assembler-arm64.cpp
new file mode 100644
index 000000000000..e0c7a9b8082e
--- /dev/null
+++ b/js/src/jit/arm64/Assembler-arm64.cpp
@@ -0,0 +1,626 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "jit/arm64/Assembler-arm64.h"
+
+#include "mozilla/DebugOnly.h"
+#include "mozilla/MathAlgorithms.h"
+
+#include "jscompartment.h"
+#include "jsutil.h"
+
+#include "gc/Marking.h"
+
+#include "jit/arm64/MacroAssembler-arm64.h"
+#include "jit/ExecutableAllocator.h"
+#include "jit/JitCompartment.h"
+
+using namespace js;
+using namespace js::jit;
+
+using mozilla::CountLeadingZeroes32;
+using mozilla::DebugOnly;
+
+// Note this is used for inter-AsmJS calls and may pass arguments and results
+// in floating point registers even if the system ABI does not.
+
+ABIArg
+ABIArgGenerator::next(MIRType type)
+{
+    switch (type) {
+      case MIRType_Int32:
+      case MIRType_Pointer:
+        if (intRegIndex_ == NumIntArgRegs) {
+            current_ = ABIArg(stackOffset_);
+            stackOffset_ += sizeof(uintptr_t);
+            break;
+        }
+        current_ = ABIArg(Register::FromCode(intRegIndex_));
+        intRegIndex_++;
+        break;
+
+      case MIRType_Float32:
+      case MIRType_Double:
+        if (floatRegIndex_ == NumFloatArgRegs) {
+            current_ = ABIArg(stackOffset_);
+            stackOffset_ += sizeof(double);
+            break;
+        }
+        current_ = ABIArg(FloatRegister(floatRegIndex_,
+                                        type == MIRType_Double ? FloatRegisters::Double
+                                                               : FloatRegisters::Single));
+        floatRegIndex_++;
+        break;
+
+      default:
+        MOZ_CRASH("Unexpected argument type");
+    }
+    return current_;
+}
+
+const Register ABIArgGenerator::NonArgReturnReg0 = r8;
+const Register ABIArgGenerator::NonArgReturnReg1 = r9;
+const Register ABIArgGenerator::NonVolatileReg = r1;
+const Register ABIArgGenerator::NonArg_VolatileReg = r13;
+const Register ABIArgGenerator::NonReturn_VolatileReg0 = r2;
+const Register ABIArgGenerator::NonReturn_VolatileReg1 = r3;
+
+namespace js {
+namespace jit {
+
+void
+Assembler::finish()
+{
+    armbuffer_.flushPool();
+
+    // The extended jump table is part of the code buffer.
+    ExtendedJumpTable_ = emitExtendedJumpTable();
+    Assembler::FinalizeCode();
+
+    // The jump relocation table starts with a fixed-width integer pointing
+    // to the start of the extended jump table.
+    if (tmpJumpRelocations_.length())
+        jumpRelocations_.writeFixedUint32_t(toFinalOffset(ExtendedJumpTable_));
+
+    for (unsigned int i = 0; i < tmpJumpRelocations_.length(); i++) {
+        JumpRelocation& reloc = tmpJumpRelocations_[i];
+
+        // Each entry in the relocations table is an (offset, extendedTableIndex) pair.
+        jumpRelocations_.writeUnsigned(toFinalOffset(reloc.jump));
+        jumpRelocations_.writeUnsigned(reloc.extendedTableIndex);
+    }
+
+    for (unsigned int i = 0; i < tmpDataRelocations_.length(); i++)
+        dataRelocations_.writeUnsigned(toFinalOffset(tmpDataRelocations_[i]));
+
+    for (unsigned int i = 0; i < tmpPreBarriers_.length(); i++)
+        preBarriers_.writeUnsigned(toFinalOffset(tmpPreBarriers_[i]));
+}
+
+BufferOffset
+Assembler::emitExtendedJumpTable()
+{
+    if (!pendingJumps_.length() || oom())
+        return BufferOffset();
+
+    armbuffer_.flushPool();
+    armbuffer_.align(SizeOfJumpTableEntry);
+
+    BufferOffset tableOffset = armbuffer_.nextOffset();
+
+    for (size_t i = 0; i < pendingJumps_.length(); i++) {
+        // Each JumpTableEntry is of the form:
+        //   LDR ip0 [PC, 8]
+        //   BR ip0
+        //   [Patchable 8-byte constant low bits]
+        //   [Patchable 8-byte constant high bits]
+        DebugOnly<size_t> preOffset = size_t(armbuffer_.nextOffset().getOffset());
+
+        ldr(vixl::ip0, ptrdiff_t(8 / vixl::kInstructionSize));
+        br(vixl::ip0);
+
+        DebugOnly<size_t> prePointer = size_t(armbuffer_.nextOffset().getOffset());
+        MOZ_ASSERT(prePointer - preOffset == OffsetOfJumpTableEntryPointer);
+
+        brk(0x0);
+        brk(0x0);
+
+        DebugOnly<size_t> postOffset = size_t(armbuffer_.nextOffset().getOffset());
+
+        MOZ_ASSERT(postOffset - preOffset == SizeOfJumpTableEntry);
+    }
+
+    return tableOffset;
+}
+
+void
+Assembler::executableCopy(uint8_t* buffer)
+{
+    // Copy the code and all constant pools into the output buffer.
+    armbuffer_.executableCopy(buffer);
+
+    // Patch any relative jumps that target code outside the buffer.
+    // The extended jump table may be used for distant jumps.
+    for (size_t i = 0; i < pendingJumps_.length(); i++) {
+        RelativePatch& rp = pendingJumps_[i];
+
+        if (!rp.target) {
+            // The patch target is nullptr for jumps that have been linked to
+            // a label within the same code block, but may be repatched later
+            // to jump to a different code block.
+            continue;
+        }
+
+        Instruction* target = (Instruction*)rp.target;
+        Instruction* branch = (Instruction*)(buffer + toFinalOffset(rp.offset));
+        JumpTableEntry* extendedJumpTable =
+            reinterpret_cast<JumpTableEntry*>(buffer + toFinalOffset(ExtendedJumpTable_));
+        if (branch->BranchType() != vixl::UnknownBranchType) {
+            if (branch->IsTargetReachable(target)) {
+                branch->SetImmPCOffsetTarget(target);
+            } else {
+                JumpTableEntry* entry = &extendedJumpTable[i];
+                branch->SetImmPCOffsetTarget(entry->getLdr());
+                entry->data = target;
+            }
+        } else {
+            // Currently a two-instruction call, it should be possible to optimize this
+            // into a single instruction call + nop in some instances, but this will work.
+        }
+    }
+}
+
+BufferOffset
+Assembler::immPool(ARMRegister dest, uint8_t* value, vixl::LoadLiteralOp op, ARMBuffer::PoolEntry* pe)
+{
+    uint32_t inst = op | Rt(dest);
+    const size_t numInst = 1;
+    const unsigned sizeOfPoolEntryInBytes = 4;
+    const unsigned numPoolEntries = sizeof(value) / sizeOfPoolEntryInBytes;
+    return armbuffer_.allocEntry(numInst, numPoolEntries, (uint8_t*)&inst, value, pe);
+}
+
+BufferOffset
+Assembler::immPool64(ARMRegister dest, uint64_t value, ARMBuffer::PoolEntry* pe)
+{
+    return immPool(dest, (uint8_t*)&value, vixl::LDR_x_lit, pe);
+}
+
+BufferOffset
+Assembler::immPool64Branch(RepatchLabel* label, ARMBuffer::PoolEntry* pe, Condition c)
+{
+    MOZ_CRASH("immPool64Branch");
+}
+
+BufferOffset
+Assembler::fImmPool(ARMFPRegister dest, uint8_t* value, vixl::LoadLiteralOp op)
+{
+    uint32_t inst = op | Rt(dest);
+    const size_t numInst = 1;
+    const unsigned sizeOfPoolEntryInBits = 32;
+    const unsigned numPoolEntries = dest.size() / sizeOfPoolEntryInBits;
+    return armbuffer_.allocEntry(numInst, numPoolEntries, (uint8_t*)&inst, value);
+}
+
+BufferOffset
+Assembler::fImmPool64(ARMFPRegister dest, double value)
+{
+    return fImmPool(dest, (uint8_t*)&value, vixl::LDR_d_lit);
+}
+BufferOffset
+Assembler::fImmPool32(ARMFPRegister dest, float value)
+{
+    return fImmPool(dest, (uint8_t*)&value, vixl::LDR_s_lit);
+}
+
+void
+Assembler::bind(Label* label, BufferOffset targetOffset)
+{
+    // Nothing has seen the label yet: just mark the location.
+    if (!label->used()) {
+        label->bind(targetOffset.getOffset());
+        return;
+    }
+
+    // Get the most recent instruction that used the label, as stored in the label.
+    // This instruction is the head of an implicit linked list of label uses.
+    uint32_t branchOffset = label->offset();
+
+    while ((int32_t)branchOffset != LabelBase::INVALID_OFFSET) {
+        Instruction* link = getInstructionAt(BufferOffset(branchOffset));
+
+        // Before overwriting the offset in this instruction, get the offset of
+        // the next link in the implicit branch list.
+        uint32_t nextLinkOffset = uint32_t(link->ImmPCRawOffset());
+        if (nextLinkOffset != uint32_t(LabelBase::INVALID_OFFSET))
+            nextLinkOffset += branchOffset;
+        // Linking against the actual (Instruction*) would be invalid,
+        // since that Instruction could be anywhere in memory.
+        // Instead, just link against the correct relative offset, assuming
+        // no constant pools, which will be taken into consideration
+        // during finalization.
+        ptrdiff_t relativeByteOffset = targetOffset.getOffset() - branchOffset;
+        Instruction* target = (Instruction*)(((uint8_t*)link) + relativeByteOffset);
+
+        // Write a new relative offset into the instruction.
+        link->SetImmPCOffsetTarget(target);
+        branchOffset = nextLinkOffset;
+    }
+
+    // Bind the label, so that future uses may encode the offset immediately.
+    label->bind(targetOffset.getOffset());
+}
+
+void
+Assembler::bind(RepatchLabel* label)
+{
+    // Nothing has seen the label yet: just mark the location.
+    if (!label->used()) {
+        label->bind(nextOffset().getOffset());
+        return;
+    }
+    int branchOffset = label->offset();
+    Instruction* inst = getInstructionAt(BufferOffset(branchOffset));
+    inst->SetImmPCOffsetTarget(inst + nextOffset().getOffset() - branchOffset);
+}
+
+void
+Assembler::trace(JSTracer* trc)
+{
+    for (size_t i = 0; i < pendingJumps_.length(); i++) {
+        RelativePatch& rp = pendingJumps_[i];
+        if (rp.kind == Relocation::JITCODE) {
+            JitCode* code = JitCode::FromExecutable((uint8_t*)rp.target);
+            TraceManuallyBarrieredEdge(trc, &code, "masmrel32");
+            MOZ_ASSERT(code == JitCode::FromExecutable((uint8_t*)rp.target));
+        }
+    }
+
+    // TODO: Trace.
+#if 0
+    if (tmpDataRelocations_.length())
+        ::TraceDataRelocations(trc, &armbuffer_, &tmpDataRelocations_);
+#endif
+}
+
+void
+Assembler::addJumpRelocation(BufferOffset src, Relocation::Kind reloc)
+{
+    // Only JITCODE relocations are patchable at runtime.
+    MOZ_ASSERT(reloc == Relocation::JITCODE);
+
+    // Each relocation requires an entry in the extended jump table.
+    tmpJumpRelocations_.append(JumpRelocation(src, pendingJumps_.length()));
+}
+
+void
+Assembler::addPendingJump(BufferOffset src, ImmPtr target, Relocation::Kind reloc)
+{
+    MOZ_ASSERT(target.value != nullptr);
+
+    if (reloc == Relocation::JITCODE)
+        addJumpRelocation(src, reloc);
+
+    // This jump is not patchable at runtime. Extended jump table entry requirements
+    // cannot be known until finalization, so to be safe, give each jump and entry.
+    // This also causes GC tracing of the target.
+    enoughMemory_ &= pendingJumps_.append(RelativePatch(src, target.value, reloc));
+}
+
+size_t
+Assembler::addPatchableJump(BufferOffset src, Relocation::Kind reloc)
+{
+    MOZ_CRASH("TODO: This is currently unused (and untested)");
+    if (reloc == Relocation::JITCODE)
+        addJumpRelocation(src, reloc);
+
+    size_t extendedTableIndex = pendingJumps_.length();
+    enoughMemory_ &= pendingJumps_.append(RelativePatch(src, nullptr, reloc));
+    return extendedTableIndex;
+}
+
+void
+PatchJump(CodeLocationJump& jump_, CodeLocationLabel label)
+{
+    MOZ_CRASH("PatchJump");
+}
+
+void
+Assembler::PatchDataWithValueCheck(CodeLocationLabel label, PatchedImmPtr newValue,
+                                   PatchedImmPtr expected)
+{
+    Instruction* i = (Instruction*)label.raw();
+    void** pValue = i->LiteralAddress<void**>();
+    MOZ_ASSERT(*pValue == expected.value);
+    *pValue = newValue.value;
+}
+
+void
+Assembler::PatchDataWithValueCheck(CodeLocationLabel label, ImmPtr newValue, ImmPtr expected)
+{
+    PatchDataWithValueCheck(label, PatchedImmPtr(newValue.value), PatchedImmPtr(expected.value));
+}
+
+void
+Assembler::ToggleToJmp(CodeLocationLabel inst_)
+{
+    Instruction* i = (Instruction*)inst_.raw();
+    MOZ_ASSERT(i->IsAddSubImmediate());
+
+    // Refer to instruction layout in ToggleToCmp().
+    int imm19 = (int)i->Bits(23, 5);
+    MOZ_ASSERT(vixl::is_int19(imm19));
+
+    b(i, imm19, Always);
+}
+
+void
+Assembler::ToggleToCmp(CodeLocationLabel inst_)
+{
+    Instruction* i = (Instruction*)inst_.raw();
+    MOZ_ASSERT(i->IsCondB());
+
+    int imm19 = i->ImmCondBranch();
+    // bit 23 is reserved, and the simulator throws an assertion when this happens
+    // It'll be messy to decode, but we can steal bit 30 or bit 31.
+    MOZ_ASSERT(vixl::is_int18(imm19));
+
+    // 31 - 64-bit if set, 32-bit if unset. (OK!)
+    // 30 - sub if set, add if unset. (OK!)
+    // 29 - SetFlagsBit. Must be set.
+    // 22:23 - ShiftAddSub. (OK!)
+    // 10:21 - ImmAddSub. (OK!)
+    // 5:9 - First source register (Rn). (OK!)
+    // 0:4 - Destination Register. Must be xzr.
+
+    // From the above, there is a safe 19-bit contiguous region from 5:23.
+    Emit(i, vixl::ThirtyTwoBits | vixl::AddSubImmediateFixed | vixl::SUB | Flags(vixl::SetFlags) |
+            Rd(vixl::xzr) | (imm19 << vixl::Rn_offset));
+}
+
+void
+Assembler::ToggleCall(CodeLocationLabel inst_, bool enabled)
+{
+    Instruction* first = (Instruction*)inst_.raw();
+    Instruction* load;
+    Instruction* call;
+
+    if (first->InstructionBits() == 0x9100039f) {
+        load = (Instruction*)NextInstruction(first);
+        call = NextInstruction(load);
+    } else {
+        load = first;
+        call = NextInstruction(first);
+    }
+
+    if (call->IsBLR() == enabled)
+        return;
+
+    if (call->IsBLR()) {
+        // if the second instruction is blr(), then wehave:
+        // ldr x17, [pc, offset]
+        // blr x17
+        // we want to transform this to:
+        // adr xzr, [pc, offset]
+        // nop
+        int32_t offset = load->ImmLLiteral();
+        adr(load, xzr, int32_t(offset));
+        nop(call);
+    } else {
+        // we have adr xzr, [pc, offset]
+        // nop
+        // transform this to
+        // ldr x17, [pc, offset]
+        // blr x17
+
+        int32_t offset = (int)load->ImmPCRawOffset();
+        MOZ_ASSERT(vixl::is_int19(offset));
+        ldr(load, ScratchReg2_64, int32_t(offset));
+        blr(call, ScratchReg2_64);
+    }
+}
+
+class RelocationIterator
+{
+    CompactBufferReader reader_;
+    uint32_t tableStart_;
+    uint32_t offset_;
+    uint32_t extOffset_;
+
+  public:
+    explicit RelocationIterator(CompactBufferReader& reader)
+      : reader_(reader)
+    {
+        // The first uint32_t stores the extended table offset.
+        tableStart_ = reader_.readFixedUint32_t();
+    }
+
+    bool read() {
+        if (!reader_.more())
+            return false;
+        offset_ = reader_.readUnsigned();
+        extOffset_ = reader_.readUnsigned();
+        return true;
+    }
+
+    uint32_t offset() const {
+        return offset_;
+    }
+    uint32_t extendedOffset() const {
+        return extOffset_;
+    }
+};
+
+static JitCode*
+CodeFromJump(JitCode* code, uint8_t* jump)
+{
+    Instruction* branch = (Instruction*)jump;
+    uint8_t* target;
+    // If this is a toggled branch, and is currently off, then we have some 'splainin
+    if (branch->BranchType() == vixl::UnknownBranchType)
+        target = (uint8_t*)branch->Literal64();
+    else
+        target = (uint8_t*)branch->ImmPCOffsetTarget();
+
+    // If the jump is within the code buffer, it uses the extended jump table.
+    if (target >= code->raw() && target < code->raw() + code->instructionsSize()) {
+        MOZ_ASSERT(target + Assembler::SizeOfJumpTableEntry <= code->raw() + code->instructionsSize());
+
+        uint8_t** patchablePtr = (uint8_t**)(target + Assembler::OffsetOfJumpTableEntryPointer);
+        target = *patchablePtr;
+    }
+
+    return JitCode::FromExecutable(target);
+}
+
+void
+Assembler::TraceJumpRelocations(JSTracer* trc, JitCode* code, CompactBufferReader& reader)
+{
+    RelocationIterator iter(reader);
+    while (iter.read()) {
+        JitCode* child = CodeFromJump(code, code->raw() + iter.offset());
+        TraceManuallyBarrieredEdge(trc, &child, "rel32");
+        MOZ_ASSERT(child == CodeFromJump(code, code->raw() + iter.offset()));
+    }
+}
+
+static void
+TraceDataRelocations(JSTracer* trc, uint8_t* buffer, CompactBufferReader& reader)
+{
+    while (reader.more()) {
+        size_t offset = reader.readUnsigned();
+        Instruction* load = (Instruction*)&buffer[offset];
+
+        // The only valid traceable operation is a 64-bit load to an ARMRegister.
+        // Refer to movePatchablePtr() for generation.
+        MOZ_ASSERT(load->Mask(vixl::LoadLiteralMask) == vixl::LDR_x_lit);
+
+        uintptr_t* literalAddr = load->LiteralAddress<uintptr_t*>();
+        uintptr_t literal = *literalAddr;
+
+        // All pointers on AArch64 will have the top bits cleared.
+        // If those bits are not cleared, this must be a Value.
+        if (literal >> JSVAL_TAG_SHIFT) {
+            jsval_layout layout;
+            layout.asBits = literal;
+            Value v = IMPL_TO_JSVAL(layout);
+            TraceManuallyBarrieredEdge(trc, &v, "ion-masm-value");
+            *literalAddr = JSVAL_TO_IMPL(v).asBits;
+
+            // TODO: When we can, flush caches here if a pointer was moved.
+            continue;
+        }
+
+        // No barriers needed since the pointers are constants.
+        TraceManuallyBarrieredGenericPointerEdge(trc, reinterpret_cast<gc::Cell**>(literalAddr),
+                                                 "ion-masm-ptr");
+
+        // TODO: Flush caches at end?
+    }
+}
+
+void
+Assembler::TraceDataRelocations(JSTracer* trc, JitCode* code, CompactBufferReader& reader)
+{
+    ::TraceDataRelocations(trc, code->raw(), reader);
+}
+
+void
+Assembler::FixupNurseryObjects(JSContext* cx, JitCode* code, CompactBufferReader& reader,
+                               const ObjectVector& nurseryObjects)
+{
+
+    MOZ_ASSERT(!nurseryObjects.empty());
+
+    uint8_t* buffer = code->raw();
+    bool hasNurseryPointers = false;
+
+    while (reader.more()) {
+        size_t offset = reader.readUnsigned();
+        Instruction* ins = (Instruction*)&buffer[offset];
+
+        uintptr_t* literalAddr = ins->LiteralAddress<uintptr_t*>();
+        uintptr_t literal = *literalAddr;
+
+        if (literal >> JSVAL_TAG_SHIFT)
+            continue; // This is a Value.
+
+        if (!(literal & 0x1))
+            continue;
+
+        uint32_t index = literal >> 1;
+        JSObject* obj = nurseryObjects[index];
+        *literalAddr = uintptr_t(obj);
+
+        // Either all objects are still in the nursery, or all objects are tenured.
+        MOZ_ASSERT_IF(hasNurseryPointers, IsInsideNursery(obj));
+
+        if (!hasNurseryPointers && IsInsideNursery(obj))
+            hasNurseryPointers = true;
+    }
+
+    if (hasNurseryPointers)
+        cx->runtime()->gc.storeBuffer.putWholeCellFromMainThread(code);
+}
+
+int32_t
+Assembler::ExtractCodeLabelOffset(uint8_t* code)
+{
+    return *(int32_t*)code;
+}
+
+void
+Assembler::PatchInstructionImmediate(uint8_t* code, PatchedImmPtr imm)
+{
+    MOZ_CRASH("PatchInstructionImmediate()");
+}
+
+void
+Assembler::UpdateBoundsCheck(uint32_t heapSize, Instruction* inst)
+{
+    int32_t mask = ~(heapSize - 1);
+    unsigned n, imm_s, imm_r;
+    if (!IsImmLogical(mask, 32, &n, &imm_s, &imm_r))
+        MOZ_CRASH("Could not encode immediate!?");
+
+    inst->SetImmR(imm_r);
+    inst->SetImmS(imm_s);
+    inst->SetBitN(n);
+}
+
+void
+Assembler::retarget(Label* label, Label* target)
+{
+    if (label->used()) {
+        if (target->bound()) {
+            bind(label, BufferOffset(target));
+        } else if (target->used()) {
+            // The target is not bound but used. Prepend label's branch list
+            // onto target's.
+            BufferOffset labelBranchOffset(label);
+            BufferOffset next;
+
+            // Find the head of the use chain for label.
+            while (nextLink(labelBranchOffset, &next))
+                labelBranchOffset = next;
+
+            // Then patch the head of label's use chain to the tail of target's
+            // use chain, prepending the entire use chain of target.
+            Instruction* branch = getInstructionAt(labelBranchOffset);
+            target->use(label->offset());
+            branch->SetImmPCOffsetTarget(branch - labelBranchOffset.getOffset());
+        } else {
+            // The target is unbound and unused. We can just take the head of
+            // the list hanging off of label, and dump that into target.
+            DebugOnly<uint32_t> prev = target->use(label->offset());
+            MOZ_ASSERT((int32_t)prev == Label::INVALID_OFFSET);
+        }
+    }
+    label->reset();
+}
+
+} // namespace jit
+} // namespace js
diff --git a/js/src/jit/arm64/Assembler-arm64.h b/js/src/jit/arm64/Assembler-arm64.h
new file mode 100644
index 000000000000..62d166397782
--- /dev/null
+++ b/js/src/jit/arm64/Assembler-arm64.h
@@ -0,0 +1,587 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef A64_ASSEMBLER_A64_H_
+#define A64_ASSEMBLER_A64_H_
+
+#include "jit/arm64/vixl/Assembler-vixl.h"
+
+#include "jit/JitCompartment.h"
+
+namespace js {
+namespace jit {
+
+// VIXL imports.
+typedef vixl::Register ARMRegister;
+typedef vixl::FPRegister ARMFPRegister;
+using vixl::ARMBuffer;
+using vixl::Instruction;
+
+static const uint32_t AlignmentAtPrologue = 0;
+static const uint32_t AlignmentMidPrologue = 8;
+static const Scale ScalePointer = TimesEight;
+static const uint32_t AlignmentAtAsmJSPrologue = sizeof(void*);
+
+// The MacroAssembler uses scratch registers extensively and unexpectedly.
+// For safety, scratch registers should always be acquired using
+// vixl::UseScratchRegisterScope.
+static constexpr Register ScratchReg = { Registers::ip0 };
+static constexpr ARMRegister ScratchReg64 = { ScratchReg, 64 };
+
+static constexpr Register ScratchReg2 = { Registers::ip1 };
+static constexpr ARMRegister ScratchReg2_64 = { ScratchReg2, 64 };
+
+static constexpr FloatRegister ScratchDoubleReg = { FloatRegisters::d31 };
+static constexpr FloatRegister ReturnDoubleReg = { FloatRegisters::d0 };
+
+static constexpr FloatRegister ReturnFloat32Reg = { FloatRegisters::s0 , FloatRegisters::Single };
+static constexpr FloatRegister ScratchFloat32Reg = { FloatRegisters::s31 , FloatRegisters::Single };
+
+static constexpr Register InvalidReg = { Registers::invalid_reg };
+static constexpr FloatRegister InvalidFloatReg = { FloatRegisters::invalid_fpreg };
+
+static constexpr FloatRegister ReturnInt32x4Reg = InvalidFloatReg;
+static constexpr FloatRegister ReturnFloat32x4Reg = InvalidFloatReg;
+
+static constexpr Register OsrFrameReg = { Registers::x3 };
+static constexpr Register ArgumentsRectifierReg = { Registers::x8 };
+static constexpr Register CallTempReg0 = { Registers::x9 };
+static constexpr Register CallTempReg1 = { Registers::x10 };
+static constexpr Register CallTempReg2 = { Registers::x11 };
+static constexpr Register CallTempReg3 = { Registers::x12 };
+static constexpr Register CallTempReg4 = { Registers::x13 };
+static constexpr Register CallTempReg5 = { Registers::x14 };
+
+static constexpr Register PreBarrierReg = { Registers::x1 };
+
+static constexpr Register ReturnReg = { Registers::x0 };
+static constexpr Register JSReturnReg = { Registers::x2 };
+static constexpr Register FramePointer = { Registers::fp };
+static constexpr Register ZeroRegister = { Registers::sp };
+static constexpr ARMRegister ZeroRegister64 = { Registers::sp, 64 };
+static constexpr ARMRegister ZeroRegister32 = { Registers::sp, 32 };
+
+static constexpr FloatRegister ReturnFloatReg = { FloatRegisters::d0 };
+static constexpr FloatRegister ScratchFloatReg = { FloatRegisters::d31 };
+
+static constexpr FloatRegister ReturnSimdReg = InvalidFloatReg;
+static constexpr FloatRegister ScratchSimdReg = InvalidFloatReg;
+
+// StackPointer is intentionally undefined on ARM64 to prevent misuse:
+//  using sp as a base register is only valid if sp % 16 == 0.
+static constexpr Register RealStackPointer = { Registers::sp };
+// TODO: We're not quite there yet.
+static constexpr Register StackPointer = { Registers::sp };
+
+static constexpr Register PseudoStackPointer = { Registers::x28 };
+static constexpr ARMRegister PseudoStackPointer64 = { Registers::x28, 64 };
+static constexpr ARMRegister PseudoStackPointer32 = { Registers::x28, 32 };
+
+// StackPointer for use by irregexp.
+static constexpr Register RegExpStackPointer = PseudoStackPointer;
+
+static constexpr Register IntArgReg0 = { Registers::x0 };
+static constexpr Register IntArgReg1 = { Registers::x1 };
+static constexpr Register IntArgReg2 = { Registers::x2 };
+static constexpr Register IntArgReg3 = { Registers::x3 };
+static constexpr Register IntArgReg4 = { Registers::x4 };
+static constexpr Register IntArgReg5 = { Registers::x5 };
+static constexpr Register IntArgReg6 = { Registers::x6 };
+static constexpr Register IntArgReg7 = { Registers::x7 };
+static constexpr Register GlobalReg =  { Registers::x20 };
+static constexpr Register HeapReg = { Registers::x21 };
+static constexpr Register HeapLenReg = { Registers::x22 };
+
+// Define unsized Registers.
+#define DEFINE_UNSIZED_REGISTERS(N)  \
+static constexpr Register r##N = { Registers::x##N };
+REGISTER_CODE_LIST(DEFINE_UNSIZED_REGISTERS)
+#undef DEFINE_UNSIZED_REGISTERS
+static constexpr Register ip0 = { Registers::x16 };
+static constexpr Register ip1 = { Registers::x16 };
+static constexpr Register fp  = { Registers::x30 };
+static constexpr Register lr  = { Registers::x30 };
+static constexpr Register rzr = { Registers::xzr };
+
+// Import VIXL registers into the js::jit namespace.
+#define IMPORT_VIXL_REGISTERS(N)  \
+static constexpr ARMRegister w##N = vixl::w##N;  \
+static constexpr ARMRegister x##N = vixl::x##N;
+REGISTER_CODE_LIST(IMPORT_VIXL_REGISTERS)
+#undef IMPORT_VIXL_REGISTERS
+static constexpr ARMRegister wzr = vixl::wzr;
+static constexpr ARMRegister xzr = vixl::xzr;
+static constexpr ARMRegister wsp = vixl::wsp;
+static constexpr ARMRegister sp = vixl::sp;
+
+// Import VIXL VRegisters into the js::jit namespace.
+#define IMPORT_VIXL_VREGISTERS(N)  \
+static constexpr ARMFPRegister s##N = vixl::s##N;  \
+static constexpr ARMFPRegister d##N = vixl::d##N;
+REGISTER_CODE_LIST(IMPORT_VIXL_VREGISTERS)
+#undef IMPORT_VIXL_VREGISTERS
+
+static constexpr ValueOperand JSReturnOperand = ValueOperand(JSReturnReg);
+
+// Registers used in the GenerateFFIIonExit Enable Activation block.
+static constexpr Register AsmJSIonExitRegCallee = r8;
+static constexpr Register AsmJSIonExitRegE0 = r0;
+static constexpr Register AsmJSIonExitRegE1 = r1;
+static constexpr Register AsmJSIonExitRegE2 = r2;
+static constexpr Register AsmJSIonExitRegE3 = r3;
+
+// Registers used in the GenerateFFIIonExit Disable Activation block.
+// None of these may be the second scratch register.
+static constexpr Register AsmJSIonExitRegReturnData = r2;
+static constexpr Register AsmJSIonExitRegReturnType = r3;
+static constexpr Register AsmJSIonExitRegD0 = r0;
+static constexpr Register AsmJSIonExitRegD1 = r1;
+static constexpr Register AsmJSIonExitRegD2 = r4;
+
+static constexpr Register JSReturnReg_Type = r3;
+static constexpr Register JSReturnReg_Data = r2;
+
+static constexpr FloatRegister NANReg = { FloatRegisters::d14 };
+// N.B. r8 isn't listed as an aapcs temp register, but we can use it as such because we never
+// use return-structs.
+static constexpr Register CallTempNonArgRegs[] = { r8, r9, r10, r11, r12, r13, r14, r15 };
+static const uint32_t NumCallTempNonArgRegs =
+    mozilla::ArrayLength(CallTempNonArgRegs);
+
+static constexpr uint32_t JitStackAlignment = 16;
+
+static constexpr uint32_t JitStackValueAlignment = JitStackAlignment / sizeof(Value);
+static_assert(JitStackAlignment % sizeof(Value) == 0 && JitStackValueAlignment >= 1,
+  "Stack alignment should be a non-zero multiple of sizeof(Value)");
+
+// This boolean indicates whether we support SIMD instructions flavoured for
+// this architecture or not. Rather than a method in the LIRGenerator, it is
+// here such that it is accessible from the entire codebase. Once full support
+// for SIMD is reached on all tier-1 platforms, this constant can be deleted.
+static constexpr bool SupportsSimd = false;
+static constexpr uint32_t SimdMemoryAlignment = 16;
+
+static_assert(CodeAlignment % SimdMemoryAlignment == 0,
+  "Code alignment should be larger than any of the alignments which are used for "
+  "the constant sections of the code buffer.  Thus it should be larger than the "
+  "alignment for SIMD constants.");
+
+static const uint32_t AsmJSStackAlignment = SimdMemoryAlignment;
+static const int32_t AsmJSGlobalRegBias = 1024;
+
+class Assembler : public vixl::Assembler
+{
+  public:
+    Assembler()
+      : vixl::Assembler()
+    { }
+
+    typedef vixl::Condition Condition;
+
+    void finish();
+    void trace(JSTracer* trc);
+
+    // Emit the jump table, returning the BufferOffset to the first entry in the table.
+    BufferOffset emitExtendedJumpTable();
+    BufferOffset ExtendedJumpTable_;
+    void executableCopy(uint8_t* buffer);
+
+    BufferOffset immPool(ARMRegister dest, uint8_t* value, vixl::LoadLiteralOp op,
+                         ARMBuffer::PoolEntry* pe = nullptr);
+    BufferOffset immPool64(ARMRegister dest, uint64_t value, ARMBuffer::PoolEntry* pe = nullptr);
+    BufferOffset immPool64Branch(RepatchLabel* label, ARMBuffer::PoolEntry* pe, vixl::Condition c);
+    BufferOffset fImmPool(ARMFPRegister dest, uint8_t* value, vixl::LoadLiteralOp op);
+    BufferOffset fImmPool64(ARMFPRegister dest, double value);
+    BufferOffset fImmPool32(ARMFPRegister dest, float value);
+
+    void bind(Label* label) { bind(label, nextOffset()); }
+    void bind(Label* label, BufferOffset boff);
+    void bind(RepatchLabel* label);
+
+    bool oom() const {
+        return AssemblerShared::oom() ||
+            armbuffer_.oom() ||
+            jumpRelocations_.oom() ||
+            dataRelocations_.oom() ||
+            preBarriers_.oom();
+    }
+
+    void copyJumpRelocationTable(uint8_t* dest) const {
+        if (jumpRelocations_.length())
+            memcpy(dest, jumpRelocations_.buffer(), jumpRelocations_.length());
+    }
+    void copyDataRelocationTable(uint8_t* dest) const {
+        if (dataRelocations_.length())
+            memcpy(dest, dataRelocations_.buffer(), dataRelocations_.length());
+    }
+    void copyPreBarrierTable(uint8_t* dest) const {
+        if (preBarriers_.length())
+            memcpy(dest, preBarriers_.buffer(), preBarriers_.length());
+    }
+
+    size_t jumpRelocationTableBytes() const {
+        return jumpRelocations_.length();
+    }
+    size_t dataRelocationTableBytes() const {
+        return dataRelocations_.length();
+    }
+    size_t preBarrierTableBytes() const {
+        return preBarriers_.length();
+    }
+    size_t bytesNeeded() const {
+        return SizeOfCodeGenerated() +
+            jumpRelocationTableBytes() +
+            dataRelocationTableBytes() +
+            preBarrierTableBytes();
+    }
+
+    BufferOffset nextOffset() const {
+        return armbuffer_.nextOffset();
+    }
+
+    void addCodeLabel(CodeLabel label) {
+        propagateOOM(codeLabels_.append(label));
+    }
+    size_t numCodeLabels() const {
+        return codeLabels_.length();
+    }
+    CodeLabel codeLabel(size_t i) {
+        return codeLabels_[i];
+    }
+    void processCodeLabels(uint8_t* rawCode) {
+        for (size_t i = 0; i < codeLabels_.length(); i++) {
+            CodeLabel label = codeLabels_[i];
+            Bind(rawCode, label.dest(), rawCode + actualOffset(label.src()->offset()));
+        }
+    }
+
+    void Bind(uint8_t* rawCode, AbsoluteLabel* label, const void* address) {
+        uint32_t off = actualOffset(label->offset());
+        *reinterpret_cast<const void**>(rawCode + off) = address;
+    }
+    bool nextLink(BufferOffset cur, BufferOffset* next) {
+        Instruction* link = getInstructionAt(cur);
+        uint32_t nextLinkOffset = uint32_t(link->ImmPCRawOffset());
+        if (nextLinkOffset == uint32_t(LabelBase::INVALID_OFFSET))
+            return false;
+        *next = BufferOffset(nextLinkOffset + cur.getOffset());
+        return true;
+    }
+    void retarget(Label* cur, Label* next);
+
+    // The buffer is about to be linked. Ensure any constant pools or
+    // excess bookkeeping has been flushed to the instruction stream.
+    void flush() {
+        armbuffer_.flushPool();
+    }
+
+    int actualOffset(int curOffset) {
+        return curOffset + armbuffer_.poolSizeBefore(curOffset);
+    }
+    int actualIndex(int curOffset) {
+        ARMBuffer::PoolEntry pe(curOffset);
+        return armbuffer_.poolEntryOffset(pe);
+    }
+    int labelOffsetToPatchOffset(int labelOff) {
+        return actualOffset(labelOff);
+    }
+    static uint8_t* PatchableJumpAddress(JitCode* code, uint32_t index) {
+        return code->raw() + index;
+    }
+    void setPrinter(Sprinter* sp) {
+    }
+
+    static bool SupportsFloatingPoint() { return true; }
+    static bool SupportsSimd() { return js::jit::SupportsSimd; }
+
+    // Tracks a jump that is patchable after finalization.
+    void addJumpRelocation(BufferOffset src, Relocation::Kind reloc);
+
+  protected:
+    // Add a jump whose target is unknown until finalization.
+    // The jump may not be patched at runtime.
+    void addPendingJump(BufferOffset src, ImmPtr target, Relocation::Kind kind);
+
+    // Add a jump whose target is unknown until finalization, and may change
+    // thereafter. The jump is patchable at runtime.
+    size_t addPatchableJump(BufferOffset src, Relocation::Kind kind);
+
+  public:
+    static uint32_t PatchWrite_NearCallSize() {
+        return 4;
+    }
+
+    static uint32_t NopSize() {
+        return 4;
+    }
+
+    static void PatchWrite_NearCall(CodeLocationLabel start, CodeLocationLabel toCall) {
+        Instruction* dest = (Instruction*)start.raw();
+        //printf("patching %p with call to %p\n", start.raw(), toCall.raw());
+        bl(dest, ((Instruction*)toCall.raw() - dest)>>2);
+
+    }
+    static void PatchDataWithValueCheck(CodeLocationLabel label,
+                                        PatchedImmPtr newValue,
+                                        PatchedImmPtr expected);
+
+    static void PatchDataWithValueCheck(CodeLocationLabel label,
+                                        ImmPtr newValue,
+                                        ImmPtr expected);
+
+    static void PatchWrite_Imm32(CodeLocationLabel label, Imm32 imm) {
+        // Raw is going to be the return address.
+        uint32_t* raw = (uint32_t*)label.raw();
+        // Overwrite the 4 bytes before the return address, which will end up being
+        // the call instruction.
+        *(raw - 1) = imm.value;
+    }
+    static uint32_t AlignDoubleArg(uint32_t offset) {
+        MOZ_CRASH("AlignDoubleArg()");
+    }
+    static Instruction* NextInstruction(Instruction* instruction, uint32_t* count = nullptr) {
+        if (count != nullptr)
+            *count += 4;
+        Instruction* cur = instruction;
+        Instruction* next = cur + 4;
+        // Artificial pool guards can only be B (rather than BR)
+        if (next->IsUncondB()) {
+            uint32_t* snd = (uint32_t*)(instruction + 8);
+            // test both the upper 16 bits, but also bit 15, which should be unset
+            // for an artificial branch guard.
+            if ((*snd & 0xffff8000) == 0xffff0000) {
+                // that was a guard before a pool, step over the pool.
+                int poolSize =  (*snd & 0x7fff);
+                return (Instruction*)(snd + poolSize);
+            }
+        } else if (cur->IsBR() || cur->IsUncondB()) {
+            // natural pool guards can be anything
+            // but they need to have bit 15 set.
+            if ((next->InstructionBits() & 0xffff0000) == 0xffff0000) {
+                int poolSize = (next->InstructionBits() & 0x7fff);
+                Instruction* ret = (next + (poolSize << 2));
+                return ret;
+            }
+        }
+        return (instruction + 4);
+
+    }
+    static uint8_t* NextInstruction(uint8_t* instruction, uint32_t* count = nullptr) {
+        return (uint8_t*)NextInstruction((Instruction*)instruction, count);
+    }
+    static uintptr_t GetPointer(uint8_t* ptr) {
+        Instruction* i = reinterpret_cast<Instruction*>(ptr);
+        uint64_t ret = i->Literal64();
+        return ret;
+    }
+
+    // Toggle a jmp or cmp emitted by toggledJump().
+    static void ToggleToJmp(CodeLocationLabel inst_);
+    static void ToggleToCmp(CodeLocationLabel inst_);
+    static void ToggleCall(CodeLocationLabel inst_, bool enabled);
+
+    static void TraceJumpRelocations(JSTracer* trc, JitCode* code, CompactBufferReader& reader);
+    static void TraceDataRelocations(JSTracer* trc, JitCode* code, CompactBufferReader& reader);
+
+    static int32_t ExtractCodeLabelOffset(uint8_t* code);
+    static void PatchInstructionImmediate(uint8_t* code, PatchedImmPtr imm);
+
+    static void FixupNurseryObjects(JSContext* cx, JitCode* code, CompactBufferReader& reader,
+                                    const ObjectVector& nurseryObjects);
+
+    // Convert a BufferOffset to a final byte offset from the start of the code buffer.
+    size_t toFinalOffset(BufferOffset offset) {
+        return size_t(offset.getOffset() + armbuffer_.poolSizeBefore(offset.getOffset()));
+    }
+
+  public:
+    // A Jump table entry is 2 instructions, with 8 bytes of raw data
+    static const size_t SizeOfJumpTableEntry = 16;
+
+    struct JumpTableEntry
+    {
+        uint32_t ldr;
+        uint32_t br;
+        void* data;
+
+        Instruction* getLdr() {
+            return reinterpret_cast<Instruction*>(&ldr);
+        }
+    };
+
+    // Offset of the patchable target for the given entry.
+    static const size_t OffsetOfJumpTableEntryPointer = 8;
+
+  public:
+    static void UpdateBoundsCheck(uint32_t logHeapSize, Instruction* inst);
+
+    void writeCodePointer(AbsoluteLabel* absoluteLabel) {
+        MOZ_ASSERT(!absoluteLabel->bound());
+        uintptr_t x = LabelBase::INVALID_OFFSET;
+        BufferOffset off = EmitData(&x, sizeof(uintptr_t));
+
+        // The x86/x64 makes general use of AbsoluteLabel and weaves a linked list
+        // of uses of an AbsoluteLabel through the assembly. ARM only uses labels
+        // for the case statements of switch jump tables. Thus, for simplicity, we
+        // simply treat the AbsoluteLabel as a label and bind it to the offset of
+        // the jump table entry that needs to be patched.
+        LabelBase* label = absoluteLabel;
+        label->bind(off.getOffset());
+    }
+
+    void verifyHeapAccessDisassembly(uint32_t begin, uint32_t end,
+                                     const Disassembler::HeapAccess& heapAccess)
+    {
+        MOZ_CRASH("verifyHeapAccessDisassembly");
+    }
+
+  protected:
+    // Because jumps may be relocated to a target inaccessible by a short jump,
+    // each relocatable jump must have a unique entry in the extended jump table.
+    // Valid relocatable targets are of type Relocation::JITCODE.
+    struct JumpRelocation
+    {
+        BufferOffset jump; // Offset to the short jump, from the start of the code buffer.
+        uint32_t extendedTableIndex; // Unique index within the extended jump table.
+
+        JumpRelocation(BufferOffset jump, uint32_t extendedTableIndex)
+          : jump(jump), extendedTableIndex(extendedTableIndex)
+        { }
+    };
+
+    // Because ARM and A64 use a code buffer that allows for constant pool insertion,
+    // the actual offset of each jump cannot be known until finalization.
+    // These vectors store the WIP offsets.
+    js::Vector<BufferOffset, 0, SystemAllocPolicy> tmpDataRelocations_;
+    js::Vector<BufferOffset, 0, SystemAllocPolicy> tmpPreBarriers_;
+    js::Vector<JumpRelocation, 0, SystemAllocPolicy> tmpJumpRelocations_;
+
+    // Structure for fixing up pc-relative loads/jumps when the machine
+    // code gets moved (executable copy, gc, etc.).
+    struct RelativePatch
+    {
+        BufferOffset offset;
+        void* target;
+        Relocation::Kind kind;
+
+        RelativePatch(BufferOffset offset, void* target, Relocation::Kind kind)
+          : offset(offset), target(target), kind(kind)
+        { }
+    };
+
+    js::Vector<CodeLabel, 0, SystemAllocPolicy> codeLabels_;
+
+    // List of jumps for which the target is either unknown until finalization,
+    // or cannot be known due to GC. Each entry here requires a unique entry
+    // in the extended jump table, and is patched at finalization.
+    js::Vector<RelativePatch, 8, SystemAllocPolicy> pendingJumps_;
+
+    // Final output formatters.
+    CompactBufferWriter jumpRelocations_;
+    CompactBufferWriter dataRelocations_;
+    CompactBufferWriter preBarriers_;
+};
+
+static const uint32_t NumIntArgRegs = 8;
+static const uint32_t NumFloatArgRegs = 8;
+
+class ABIArgGenerator
+{
+  public:
+    ABIArgGenerator()
+      : intRegIndex_(0),
+        floatRegIndex_(0),
+        stackOffset_(0),
+        current_()
+    { }
+
+    ABIArg next(MIRType argType);
+    ABIArg& current() { return current_; }
+    uint32_t stackBytesConsumedSoFar() const { return stackOffset_; }
+
+  public:
+    static const Register NonArgReturnReg0;
+    static const Register NonArgReturnReg1;
+    static const Register NonVolatileReg;
+    static const Register NonArg_VolatileReg;
+    static const Register NonReturn_VolatileReg0;
+    static const Register NonReturn_VolatileReg1;
+
+  protected:
+    unsigned intRegIndex_;
+    unsigned floatRegIndex_;
+    uint32_t stackOffset_;
+    ABIArg current_;
+};
+
+static inline bool
+GetIntArgReg(uint32_t usedIntArgs, uint32_t usedFloatArgs, Register* out)
+{
+    if (usedIntArgs >= NumIntArgRegs)
+        return false;
+    *out = Register::FromCode(usedIntArgs);
+    return true;
+}
+
+static inline bool
+GetFloatArgReg(uint32_t usedIntArgs, uint32_t usedFloatArgs, FloatRegister* out)
+{
+    if (usedFloatArgs >= NumFloatArgRegs)
+        return false;
+    *out = FloatRegister::FromCode(usedFloatArgs);
+    return true;
+}
+
+// Get a register in which we plan to put a quantity that will be used as an
+// integer argument.  This differs from GetIntArgReg in that if we have no more
+// actual argument registers to use we will fall back on using whatever
+// CallTempReg* don't overlap the argument registers, and only fail once those
+// run out too.
+static inline bool
+GetTempRegForIntArg(uint32_t usedIntArgs, uint32_t usedFloatArgs, Register* out)
+{
+    if (GetIntArgReg(usedIntArgs, usedFloatArgs, out))
+        return true;
+    // Unfortunately, we have to assume things about the point at which
+    // GetIntArgReg returns false, because we need to know how many registers it
+    // can allocate.
+    usedIntArgs -= NumIntArgRegs;
+    if (usedIntArgs >= NumCallTempNonArgRegs)
+        return false;
+    *out = CallTempNonArgRegs[usedIntArgs];
+    return true;
+
+}
+
+void PatchJump(CodeLocationJump& jump_, CodeLocationLabel label);
+
+static inline void
+PatchBackedge(CodeLocationJump& jump_, CodeLocationLabel label, JitRuntime::BackedgeTarget target)
+{
+    PatchJump(jump_, label);
+}
+
+// Forbids pool generation during a specified interval. Not nestable.
+class AutoForbidPools
+{
+    Assembler* asm_;
+
+  public:
+    AutoForbidPools(Assembler* asm_, size_t maxInst)
+      : asm_(asm_)
+    {
+        asm_->enterNoPool(maxInst);
+    }
+
+    ~AutoForbidPools() {
+        asm_->leaveNoPool();
+    }
+};
+
+} // namespace jit
+} // namespace js
+
+#endif // A64_ASSEMBLER_A64_H_
diff --git a/js/src/jit/arm64/AtomicOperations-arm64.h b/js/src/jit/arm64/AtomicOperations-arm64.h
new file mode 100644
index 000000000000..3742674fd646
--- /dev/null
+++ b/js/src/jit/arm64/AtomicOperations-arm64.h
@@ -0,0 +1,104 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* For documentation, see jit/AtomicOperations.h */
+
+#ifndef jit_arm64_AtomicOperations_arm64_h
+#define jit_arm64_AtomicOperations_arm64_h
+
+#include "jit/arm64/Architecture-arm64.h"
+#include "jit/AtomicOperations.h"
+
+inline bool
+js::jit::AtomicOperations::isLockfree8()
+{
+    MOZ_CRASH("isLockfree8()");
+}
+
+inline void
+js::jit::AtomicOperations::fenceSeqCst()
+{
+    MOZ_CRASH("fenceSeqCst()");
+}
+
+template<typename T>
+inline T
+js::jit::AtomicOperations::loadSeqCst(T* addr)
+{
+    MOZ_CRASH("loadSeqCst()");
+}
+
+template<typename T>
+inline void
+js::jit::AtomicOperations::storeSeqCst(T* addr, T val)
+{
+    MOZ_CRASH("storeSeqCst()");
+}
+
+template<typename T>
+inline T
+js::jit::AtomicOperations::exchangeSeqCst(T* addr, T val)
+{
+    MOZ_CRASH("exchangeSeqCst()");
+}
+
+template<typename T>
+inline T
+js::jit::AtomicOperations::compareExchangeSeqCst(T* addr, T oldval, T newval)
+{
+    MOZ_CRASH("compareExchangeSeqCst()");
+}
+
+template<typename T>
+inline T
+js::jit::AtomicOperations::fetchAddSeqCst(T* addr, T val)
+{
+    MOZ_CRASH("fetchAddSeqCst()");
+}
+
+template<typename T>
+inline T
+js::jit::AtomicOperations::fetchSubSeqCst(T* addr, T val)
+{
+    MOZ_CRASH("fetchSubSeqCst()");
+}
+
+template<typename T>
+inline T
+js::jit::AtomicOperations::fetchAndSeqCst(T* addr, T val)
+{
+    MOZ_CRASH("fetchAndSeqCst()");
+}
+
+template<typename T>
+inline T
+js::jit::AtomicOperations::fetchOrSeqCst(T* addr, T val)
+{
+    MOZ_CRASH("fetchOrSeqCst()");
+}
+
+template<typename T>
+inline T
+js::jit::AtomicOperations::fetchXorSeqCst(T* addr, T val)
+{
+    MOZ_CRASH("fetchXorSeqCst()");
+}
+
+template<size_t nbytes>
+inline void
+js::jit::RegionLock::acquire(void* addr)
+{
+    MOZ_CRASH("acquire()");
+}
+
+template<size_t nbytes>
+inline void
+js::jit::RegionLock::release(void* addr)
+{
+    MOZ_CRASH("release()");
+}
+
+#endif // jit_arm64_AtomicOperations_arm64_h
diff --git a/js/src/jit/arm64/BaselineCompiler-arm64.h b/js/src/jit/arm64/BaselineCompiler-arm64.h
new file mode 100644
index 000000000000..946099ff15c0
--- /dev/null
+++ b/js/src/jit/arm64/BaselineCompiler-arm64.h
@@ -0,0 +1,28 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef jit_arm64_BaselineCompiler_arm64_h
+#define jit_arm64_BaselineCompiler_arm64_h
+
+#include "jit/shared/BaselineCompiler-shared.h"
+
+namespace js {
+namespace jit {
+
+class BaselineCompilerARM64 : public BaselineCompilerShared
+{
+  protected:
+    BaselineCompilerARM64(JSContext* cx, TempAllocator& alloc, JSScript* script)
+      : BaselineCompilerShared(cx, alloc, script)
+    { }
+};
+
+typedef BaselineCompilerARM64 BaselineCompilerSpecific;
+
+} // namespace jit
+} // namespace js
+
+#endif /* jit_arm64_BaselineCompiler_arm64_h */
diff --git a/js/src/jit/arm64/BaselineIC-arm64.cpp b/js/src/jit/arm64/BaselineIC-arm64.cpp
new file mode 100644
index 000000000000..168936964548
--- /dev/null
+++ b/js/src/jit/arm64/BaselineIC-arm64.cpp
@@ -0,0 +1,269 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "jit/SharedIC.h"
+#include "jit/SharedICHelpers.h"
+
+#ifdef JS_ARM64_SIMULATOR
+#include "jit/arm64/Assembler-arm64.h"
+#include "jit/arm64/BaselineCompiler-arm64.h"
+#include "jit/arm64/vixl/Debugger-vixl.h"
+#endif
+
+
+using namespace js;
+using namespace js::jit;
+
+namespace js {
+namespace jit {
+
+// ICCompare_Int32
+
+bool
+ICCompare_Int32::Compiler::generateStubCode(MacroAssembler& masm)
+{
+    // Guard that R0 is an integer and R1 is an integer.
+    Label failure;
+    masm.branchTestInt32(Assembler::NotEqual, R0, &failure);
+    masm.branchTestInt32(Assembler::NotEqual, R1, &failure);
+
+    // Compare payload regs of R0 and R1.
+    Assembler::Condition cond = JSOpToCondition(op, /* signed = */true);
+    masm.cmp32(R0.valueReg(), R1.valueReg());
+    masm.Cset(ARMRegister(R0.valueReg(), 32), cond);
+
+    // Result is implicitly boxed already.
+    masm.tagValue(JSVAL_TYPE_BOOLEAN, R0.valueReg(), R0);
+    EmitReturnFromIC(masm);
+
+    // Failure case - jump to next stub.
+    masm.bind(&failure);
+    EmitStubGuardFailure(masm);
+
+    return true;
+}
+
+bool
+ICCompare_Double::Compiler::generateStubCode(MacroAssembler& masm)
+{
+    Label failure, isNaN;
+    masm.ensureDouble(R0, FloatReg0, &failure);
+    masm.ensureDouble(R1, FloatReg1, &failure);
+
+    Register dest = R0.valueReg();
+
+    Assembler::DoubleCondition doubleCond = JSOpToDoubleCondition(op);
+    Assembler::Condition cond = Assembler::ConditionFromDoubleCondition(doubleCond);
+
+    masm.compareDouble(doubleCond, FloatReg0, FloatReg1);
+    masm.Cset(ARMRegister(dest, 32), cond);
+
+    masm.tagValue(JSVAL_TYPE_BOOLEAN, dest, R0);
+    EmitReturnFromIC(masm);
+
+    // Failure case - jump to next stub.
+    masm.bind(&failure);
+    EmitStubGuardFailure(masm);
+    return true;
+}
+
+// ICBinaryArith_Int32
+
+bool
+ICBinaryArith_Int32::Compiler::generateStubCode(MacroAssembler& masm)
+{
+    // Guard that R0 is an integer and R1 is an integer.
+    Label failure;
+    masm.branchTestInt32(Assembler::NotEqual, R0, &failure);
+    masm.branchTestInt32(Assembler::NotEqual, R1, &failure);
+
+    // Add R0 and R1. Don't need to explicitly unbox, just use R2.
+    Register Rscratch = R2_;
+    ARMRegister Wscratch = ARMRegister(Rscratch, 32);
+#ifdef MERGE
+    // DIV and MOD need an extra non-volatile ValueOperand to hold R0.
+    AllocatableGeneralRegisterSet savedRegs(availableGeneralRegs(2));
+    savedRegs.set() = GeneralRegisterSet::Intersect(GeneralRegisterSet::NonVolatile(), savedRegs);
+#endif
+    // get some more ARM-y names for the registers
+    ARMRegister W0(R0_, 32);
+    ARMRegister X0(R0_, 64);
+    ARMRegister W1(R1_, 32);
+    ARMRegister X1(R1_, 64);
+    ARMRegister WTemp(ExtractTemp0, 32);
+    ARMRegister XTemp(ExtractTemp0, 64);
+    Label maybeNegZero, revertRegister;
+    switch(op_) {
+      case JSOP_ADD:
+        masm.Adds(WTemp, W0, Operand(W1));
+
+        // Just jump to failure on overflow. R0 and R1 are preserved, so we can
+        // just jump to the next stub.
+        masm.j(Assembler::Overflow, &failure);
+
+        // Box the result and return. We know R0 already contains the
+        // integer tag, so we just need to move the payload into place.
+        masm.movePayload(ExtractTemp0, R0_);
+        break;
+
+      case JSOP_SUB:
+        masm.Subs(WTemp, W0, Operand(W1));
+        masm.j(Assembler::Overflow, &failure);
+        masm.movePayload(ExtractTemp0, R0_);
+        break;
+
+      case JSOP_MUL:
+        masm.mul32(R0.valueReg(), R1.valueReg(), Rscratch, &failure, &maybeNegZero);
+        masm.movePayload(Rscratch, R0_);
+        break;
+
+      case JSOP_DIV:
+      case JSOP_MOD: {
+
+        // Check for INT_MIN / -1, it results in a double.
+        Label check2;
+        masm.Cmp(W0, Operand(INT_MIN));
+        masm.B(&check2, Assembler::NotEqual);
+        masm.Cmp(W1, Operand(-1));
+        masm.j(Assembler::Equal, &failure);
+        masm.bind(&check2);
+        Label no_fail;
+        // Check for both division by zero and 0 / X with X < 0 (results in -0).
+        masm.Cmp(W1, Operand(0));
+        // If x > 0, then it can't be bad.
+        masm.B(&no_fail, Assembler::GreaterThan);
+        // if x == 0, then ignore any comparison, and force
+        // it to fail, if x < 0 (the only other case)
+        // then do the comparison, and fail if y == 0
+        masm.Ccmp(W0, Operand(0), vixl::ZFlag, Assembler::NotEqual);
+        masm.B(&failure, Assembler::Equal);
+        masm.bind(&no_fail);
+        masm.Sdiv(Wscratch, W0, W1);
+        // Start calculating the remainder, x - (x / y) * y.
+        masm.mul(WTemp, W1, Wscratch);
+        if (op_ == JSOP_DIV) {
+            // Result is a double if the remainder != 0, which happens
+            // when (x/y)*y != x.
+            masm.branch32(Assembler::NotEqual, R0.valueReg(), ExtractTemp0, &revertRegister);
+            masm.movePayload(Rscratch, R0_);
+        } else {
+            // Calculate the actual mod. Set the condition code, so we can see if it is non-zero.
+            masm.Subs(WTemp, W0, WTemp);
+
+            // If X % Y == 0 and X < 0, the result is -0.
+            masm.Ccmp(W0, Operand(0), vixl::NoFlag, Assembler::Equal);
+            masm.branch(Assembler::LessThan, &revertRegister);
+            masm.movePayload(ExtractTemp0, R0_);
+        }
+        break;
+      }
+        // ORR, EOR, AND can trivially be coerced int
+        // working without affecting the tag of the dest..
+      case JSOP_BITOR:
+        masm.Orr(X0, X0, Operand(X1));
+        break;
+      case JSOP_BITXOR:
+        masm.Eor(X0, X0, Operand(W1, vixl::UXTW));
+        break;
+      case JSOP_BITAND:
+        masm.And(X0, X0, Operand(X1));
+        break;
+        // LSH, RSH and URSH can not.
+      case JSOP_LSH:
+        // ARM will happily try to shift by more than 0x1f.
+        masm.Lsl(Wscratch, W0, W1);
+        masm.movePayload(Rscratch, R0.valueReg());
+        break;
+      case JSOP_RSH:
+        masm.Asr(Wscratch, W0, W1);
+        masm.movePayload(Rscratch, R0.valueReg());
+        break;
+      case JSOP_URSH:
+        masm.Lsr(Wscratch, W0, W1);
+        if (allowDouble_) {
+            Label toUint;
+            // Testing for negative is equivalent to testing bit 31
+            masm.Tbnz(Wscratch, 31, &toUint);
+            // Move result and box for return.
+            masm.movePayload(Rscratch, R0_);
+            EmitReturnFromIC(masm);
+
+            masm.bind(&toUint);
+            masm.convertUInt32ToDouble(Rscratch, ScratchDoubleReg);
+            masm.boxDouble(ScratchDoubleReg, R0);
+        } else {
+            // Testing for negative is equivalent to testing bit 31
+            masm.Tbnz(Wscratch, 31, &failure);
+            // Move result for return.
+            masm.movePayload(Rscratch, R0_);
+        }
+        break;
+      default:
+        MOZ_CRASH("Unhandled op for BinaryArith_Int32.");
+    }
+
+    EmitReturnFromIC(masm);
+
+    switch (op_) {
+      case JSOP_MUL:
+        masm.bind(&maybeNegZero);
+
+        // Result is -0 if exactly one of lhs or rhs is negative.
+        masm.Cmn(W0, W1);
+        masm.j(Assembler::Signed, &failure);
+
+        // Result is +0, so use the zero register.
+        masm.movePayload(rzr, R0_);
+        EmitReturnFromIC(masm);
+        break;
+      case JSOP_DIV:
+      case JSOP_MOD:
+        masm.bind(&revertRegister);
+        break;
+      default:
+        break;
+    }
+
+    // Failure case - jump to next stub.
+    masm.bind(&failure);
+    EmitStubGuardFailure(masm);
+
+    return true;
+}
+
+bool
+ICUnaryArith_Int32::Compiler::generateStubCode(MacroAssembler& masm)
+{
+    Label failure;
+    masm.branchTestInt32(Assembler::NotEqual, R0, &failure);
+
+    switch (op) {
+      case JSOP_BITNOT:
+        masm.Mvn(ARMRegister(R1.valueReg(), 32), ARMRegister(R0.valueReg(), 32));
+        masm.movePayload(R1.valueReg(), R0.valueReg());
+        break;
+      case JSOP_NEG:
+        // Guard against 0 and MIN_INT, both result in a double.
+        masm.branchTest32(Assembler::Zero, R0.valueReg(), Imm32(0x7fffffff), &failure);
+
+        // Compile -x as 0 - x.
+        masm.Sub(ARMRegister(R1.valueReg(), 32), wzr, ARMRegister(R0.valueReg(), 32));
+        masm.movePayload(R1.valueReg(), R0.valueReg());
+        break;
+      default:
+        MOZ_CRASH("Unexpected op");
+    }
+
+    EmitReturnFromIC(masm);
+
+    masm.bind(&failure);
+    EmitStubGuardFailure(masm);
+    return true;
+
+}
+
+} // namespace jit
+} // namespace js
diff --git a/js/src/jit/arm64/MacroAssembler-arm64.cpp b/js/src/jit/arm64/MacroAssembler-arm64.cpp
new file mode 100644
index 000000000000..7b1d7b494e7e
--- /dev/null
+++ b/js/src/jit/arm64/MacroAssembler-arm64.cpp
@@ -0,0 +1,688 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "jit/arm64/MacroAssembler-arm64.h"
+
+// TODO #include "jit/arm64/MoveEmitter-arm64.h"
+#include "jit/arm64/SharedICRegisters-arm64.h"
+#include "jit/Bailouts.h"
+#include "jit/BaselineFrame.h"
+#include "jit/MacroAssembler.h"
+
+namespace js {
+namespace jit {
+
+void
+MacroAssembler::clampDoubleToUint8(FloatRegister input, Register output)
+{
+    ARMRegister dest(output, 32);
+    Fcvtns(dest, ARMFPRegister(input, 64));
+
+    {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+
+        Mov(scratch32, Operand(0xff));
+        Cmp(dest, scratch32);
+        Csel(dest, dest, scratch32, LessThan);
+    }
+
+    Cmp(dest, Operand(0));
+    Csel(dest, wzr, dest, LessThan);
+}
+
+void
+MacroAssemblerCompat::buildFakeExitFrame(Register scratch, uint32_t* offset)
+{
+    mozilla::DebugOnly<uint32_t> initialDepth = framePushed();
+    uint32_t descriptor = MakeFrameDescriptor(framePushed(), JitFrame_IonJS);
+
+    asMasm().Push(Imm32(descriptor)); // descriptor_
+
+    enterNoPool(3);
+    Label fakeCallsite;
+    Adr(ARMRegister(scratch, 64), &fakeCallsite);
+    asMasm().Push(scratch);
+    bind(&fakeCallsite);
+    uint32_t pseudoReturnOffset = currentOffset();
+    leaveNoPool();
+
+    MOZ_ASSERT(framePushed() == initialDepth + ExitFrameLayout::Size());
+
+    *offset = pseudoReturnOffset;
+}
+
+void
+MacroAssemblerCompat::callWithExitFrame(JitCode* target)
+{
+    uint32_t descriptor = MakeFrameDescriptor(framePushed(), JitFrame_IonJS);
+    asMasm().Push(Imm32(descriptor));
+    call(target);
+}
+
+void
+MacroAssembler::alignFrameForICArguments(MacroAssembler::AfterICSaveLive& aic)
+{
+    // Exists for MIPS compatibility.
+}
+
+void
+MacroAssembler::restoreFrameAlignmentForICArguments(MacroAssembler::AfterICSaveLive& aic)
+{
+    // Exists for MIPS compatibility.
+}
+
+js::jit::MacroAssembler&
+MacroAssemblerCompat::asMasm()
+{
+    return *static_cast<js::jit::MacroAssembler*>(this);
+}
+
+const js::jit::MacroAssembler&
+MacroAssemblerCompat::asMasm() const
+{
+    return *static_cast<const js::jit::MacroAssembler*>(this);
+}
+
+vixl::MacroAssembler&
+MacroAssemblerCompat::asVIXL()
+{
+    return *static_cast<vixl::MacroAssembler*>(this);
+}
+
+const vixl::MacroAssembler&
+MacroAssemblerCompat::asVIXL() const
+{
+    return *static_cast<const vixl::MacroAssembler*>(this);
+}
+
+BufferOffset
+MacroAssemblerCompat::movePatchablePtr(ImmPtr ptr, Register dest)
+{
+    const size_t numInst = 1; // Inserting one load instruction.
+    const unsigned numPoolEntries = 2; // Every pool entry is 4 bytes.
+    uint8_t* literalAddr = (uint8_t*)(&ptr.value); // TODO: Should be const.
+
+    // Scratch space for generating the load instruction.
+    //
+    // allocEntry() will use InsertIndexIntoTag() to store a temporary
+    // index to the corresponding PoolEntry in the instruction itself.
+    //
+    // That index will be fixed up later when finishPool()
+    // walks over all marked loads and calls PatchConstantPoolLoad().
+    uint32_t instructionScratch = 0;
+
+    // Emit the instruction mask in the scratch space.
+    // The offset doesn't matter: it will be fixed up later.
+    vixl::Assembler::ldr((Instruction*)&instructionScratch, ARMRegister(dest, 64), 0);
+
+    // Add the entry to the pool, fix up the LDR imm19 offset,
+    // and add the completed instruction to the buffer.
+    return armbuffer_.allocEntry(numInst, numPoolEntries,
+                                 (uint8_t*)&instructionScratch, literalAddr);
+}
+
+BufferOffset
+MacroAssemblerCompat::movePatchablePtr(ImmWord ptr, Register dest)
+{
+    const size_t numInst = 1; // Inserting one load instruction.
+    const unsigned numPoolEntries = 2; // Every pool entry is 4 bytes.
+    uint8_t* literalAddr = (uint8_t*)(&ptr.value);
+
+    // Scratch space for generating the load instruction.
+    //
+    // allocEntry() will use InsertIndexIntoTag() to store a temporary
+    // index to the corresponding PoolEntry in the instruction itself.
+    //
+    // That index will be fixed up later when finishPool()
+    // walks over all marked loads and calls PatchConstantPoolLoad().
+    uint32_t instructionScratch = 0;
+
+    // Emit the instruction mask in the scratch space.
+    // The offset doesn't matter: it will be fixed up later.
+    vixl::Assembler::ldr((Instruction*)&instructionScratch, ARMRegister(dest, 64), 0);
+
+    // Add the entry to the pool, fix up the LDR imm19 offset,
+    // and add the completed instruction to the buffer.
+    return armbuffer_.allocEntry(numInst, numPoolEntries,
+                                 (uint8_t*)&instructionScratch, literalAddr);
+}
+
+void
+MacroAssemblerCompat::handleFailureWithHandlerTail(void* handler)
+{
+    // Reserve space for exception information.
+    int64_t size = (sizeof(ResumeFromException) + 7) & ~7;
+    Sub(GetStackPointer64(), GetStackPointer64(), Operand(size));
+    if (!GetStackPointer64().Is(sp))
+        Mov(sp, GetStackPointer64());
+
+    Mov(x0, GetStackPointer64());
+
+    // Call the handler.
+    setupUnalignedABICall(1, r1);
+    passABIArg(r0);
+    callWithABI(handler);
+
+    Label entryFrame;
+    Label catch_;
+    Label finally;
+    Label return_;
+    Label bailout;
+
+    MOZ_ASSERT(GetStackPointer64().Is(x28)); // Lets the code below be a little cleaner.
+
+    loadPtr(Address(r28, offsetof(ResumeFromException, kind)), r0);
+    branch32(Assembler::Equal, r0, Imm32(ResumeFromException::RESUME_ENTRY_FRAME), &entryFrame);
+    branch32(Assembler::Equal, r0, Imm32(ResumeFromException::RESUME_CATCH), &catch_);
+    branch32(Assembler::Equal, r0, Imm32(ResumeFromException::RESUME_FINALLY), &finally);
+    branch32(Assembler::Equal, r0, Imm32(ResumeFromException::RESUME_FORCED_RETURN), &return_);
+    branch32(Assembler::Equal, r0, Imm32(ResumeFromException::RESUME_BAILOUT), &bailout);
+
+    breakpoint(); // Invalid kind.
+
+    // No exception handler. Load the error value, load the new stack pointer,
+    // and return from the entry frame.
+    bind(&entryFrame);
+    moveValue(MagicValue(JS_ION_ERROR), JSReturnOperand);
+    loadPtr(Address(r28, offsetof(ResumeFromException, stackPointer)), r28);
+    retn(Imm32(1 * sizeof(void*))); // Pop from stack and return.
+
+    // If we found a catch handler, this must be a baseline frame. Restore state
+    // and jump to the catch block.
+    bind(&catch_);
+    loadPtr(Address(r28, offsetof(ResumeFromException, target)), r0);
+    loadPtr(Address(r28, offsetof(ResumeFromException, framePointer)), BaselineFrameReg);
+    loadPtr(Address(r28, offsetof(ResumeFromException, stackPointer)), r28);
+    syncStackPtr();
+    Br(x0);
+
+    // If we found a finally block, this must be a baseline frame.
+    // Push two values expected by JSOP_RETSUB: BooleanValue(true)
+    // and the exception.
+    bind(&finally);
+    ARMRegister exception = x1;
+    Ldr(exception, MemOperand(GetStackPointer64(), offsetof(ResumeFromException, exception)));
+    Ldr(x0, MemOperand(GetStackPointer64(), offsetof(ResumeFromException, target)));
+    Ldr(ARMRegister(BaselineFrameReg, 64),
+        MemOperand(GetStackPointer64(), offsetof(ResumeFromException, framePointer)));
+    Ldr(GetStackPointer64(), MemOperand(GetStackPointer64(), offsetof(ResumeFromException, stackPointer)));
+    syncStackPtr();
+    pushValue(BooleanValue(true));
+    push(exception);
+    Br(x0);
+
+    // Only used in debug mode. Return BaselineFrame->returnValue() to the caller.
+    bind(&return_);
+    loadPtr(Address(r28, offsetof(ResumeFromException, framePointer)), BaselineFrameReg);
+    loadPtr(Address(r28, offsetof(ResumeFromException, stackPointer)), r28);
+    loadValue(Address(BaselineFrameReg, BaselineFrame::reverseOffsetOfReturnValue()),
+              JSReturnOperand);
+    movePtr(BaselineFrameReg, r28);
+    vixl::MacroAssembler::Pop(ARMRegister(BaselineFrameReg, 64), vixl::lr);
+    syncStackPtr();
+    vixl::MacroAssembler::Ret(vixl::lr);
+
+    // If we are bailing out to baseline to handle an exception,
+    // jump to the bailout tail stub.
+    bind(&bailout);
+    Ldr(x2, MemOperand(GetStackPointer64(), offsetof(ResumeFromException, bailoutInfo)));
+    Ldr(x1, MemOperand(GetStackPointer64(), offsetof(ResumeFromException, target)));
+    Mov(x0, BAILOUT_RETURN_OK);
+    Br(x1);
+}
+
+void
+MacroAssemblerCompat::setupABICall(uint32_t args)
+{
+    MOZ_ASSERT(!inCall_);
+    inCall_ = true;
+
+    args_ = args;
+    usedOutParam_ = false;
+    passedIntArgs_ = 0;
+    passedFloatArgs_ = 0;
+    passedArgTypes_ = 0;
+    stackForCall_ = ShadowStackSpace;
+}
+
+void
+MacroAssemblerCompat::setupUnalignedABICall(uint32_t args, Register scratch)
+{
+    setupABICall(args);
+    dynamicAlignment_ = true;
+
+    int64_t alignment = ~(int64_t(ABIStackAlignment) - 1);
+    ARMRegister scratch64(scratch, 64);
+
+    // Always save LR -- Baseline ICs assume that LR isn't modified.
+    push(lr);
+
+    // Unhandled for sp -- needs slightly different logic.
+    MOZ_ASSERT(!GetStackPointer64().Is(sp));
+
+    // Remember the stack address on entry.
+    Mov(scratch64, GetStackPointer64());
+
+    // Make alignment, including the effective push of the previous sp.
+    Sub(GetStackPointer64(), GetStackPointer64(), Operand(8));
+    And(GetStackPointer64(), GetStackPointer64(), Operand(alignment));
+
+    // If the PseudoStackPointer is used, sp must be <= psp before a write is valid.
+    syncStackPtr();
+
+    // Store previous sp to the top of the stack, aligned.
+    Str(scratch64, MemOperand(GetStackPointer64(), 0));
+}
+
+void
+MacroAssemblerCompat::passABIArg(const MoveOperand& from, MoveOp::Type type)
+{
+    if (!enoughMemory_)
+        return;
+
+    Register activeSP = Register::FromCode(GetStackPointer64().code());
+    if (type == MoveOp::GENERAL) {
+        Register dest;
+        passedArgTypes_ = (passedArgTypes_ << ArgType_Shift) | ArgType_General;
+        if (GetIntArgReg(passedIntArgs_++, passedFloatArgs_, &dest)) {
+            if (!from.isGeneralReg() || from.reg() != dest)
+                enoughMemory_ = moveResolver_.addMove(from, MoveOperand(dest), type);
+            return;
+        }
+
+        enoughMemory_ = moveResolver_.addMove(from, MoveOperand(activeSP, stackForCall_), type);
+        stackForCall_ += sizeof(int64_t);
+        return;
+    }
+
+    MOZ_ASSERT(type == MoveOp::FLOAT32 || type == MoveOp::DOUBLE);
+    if (type == MoveOp::FLOAT32)
+        passedArgTypes_ = (passedArgTypes_ << ArgType_Shift) | ArgType_Float32;
+    else
+        passedArgTypes_ = (passedArgTypes_ << ArgType_Shift) | ArgType_Double;
+
+    FloatRegister fdest;
+    if (GetFloatArgReg(passedIntArgs_, passedFloatArgs_++, &fdest)) {
+        if (!from.isFloatReg() || from.floatReg() != fdest)
+            enoughMemory_ = moveResolver_.addMove(from, MoveOperand(fdest), type);
+        return;
+    }
+
+    enoughMemory_ = moveResolver_.addMove(from, MoveOperand(activeSP, stackForCall_), type);
+    switch (type) {
+      case MoveOp::FLOAT32: stackForCall_ += sizeof(float);  break;
+      case MoveOp::DOUBLE:  stackForCall_ += sizeof(double); break;
+      default: MOZ_CRASH("Unexpected float register class argument type");
+    }
+}
+
+void
+MacroAssemblerCompat::passABIArg(Register reg)
+{
+    passABIArg(MoveOperand(reg), MoveOp::GENERAL);
+}
+
+void
+MacroAssemblerCompat::passABIArg(FloatRegister reg, MoveOp::Type type)
+{
+    passABIArg(MoveOperand(reg), type);
+}
+void
+MacroAssemblerCompat::passABIOutParam(Register reg)
+{
+    if (!enoughMemory_)
+        return;
+    MOZ_ASSERT(!usedOutParam_);
+    usedOutParam_ = true;
+    if (reg == r8)
+        return;
+    enoughMemory_ = moveResolver_.addMove(MoveOperand(reg), MoveOperand(r8), MoveOp::GENERAL);
+
+}
+
+void
+MacroAssemblerCompat::callWithABIPre(uint32_t* stackAdjust)
+{
+    *stackAdjust = stackForCall_;
+    // ARM64 /really/ wants the stack to always be aligned.  Since we're already tracking it
+    // getting it aligned for an abi call is pretty easy.
+    *stackAdjust += ComputeByteAlignment(*stackAdjust, StackAlignment);
+    asMasm().reserveStack(*stackAdjust);
+    {
+        moveResolver_.resolve();
+        MoveEmitter emitter(asMasm());
+        emitter.emit(moveResolver_);
+        emitter.finish();
+    }
+
+    // Call boundaries communicate stack via sp.
+    syncStackPtr();
+}
+
+void
+MacroAssemblerCompat::callWithABIPost(uint32_t stackAdjust, MoveOp::Type result)
+{
+    // Call boundaries communicate stack via sp.
+    if (!GetStackPointer64().Is(sp))
+        Mov(GetStackPointer64(), sp);
+
+    inCall_ = false;
+    asMasm().freeStack(stackAdjust);
+
+    // Restore the stack pointer from entry.
+    if (dynamicAlignment_)
+        Ldr(GetStackPointer64(), MemOperand(GetStackPointer64(), 0));
+
+    // Restore LR.
+    pop(lr);
+
+    // TODO: This one shouldn't be necessary -- check that callers
+    // aren't enforcing the ABI themselves!
+    syncStackPtr();
+
+    // If the ABI's return regs are where ION is expecting them, then
+    // no other work needs to be done.
+}
+
+#if defined(DEBUG) && defined(JS_ARM64_SIMULATOR)
+static void
+AssertValidABIFunctionType(uint32_t passedArgTypes)
+{
+    switch (passedArgTypes) {
+      case Args_General0:
+      case Args_General1:
+      case Args_General2:
+      case Args_General3:
+      case Args_General4:
+      case Args_General5:
+      case Args_General6:
+      case Args_General7:
+      case Args_General8:
+      case Args_Double_None:
+      case Args_Int_Double:
+      case Args_Float32_Float32:
+      case Args_Double_Double:
+      case Args_Double_Int:
+      case Args_Double_DoubleInt:
+      case Args_Double_DoubleDouble:
+      case Args_Double_DoubleDoubleDouble:
+      case Args_Double_DoubleDoubleDoubleDouble:
+      case Args_Double_IntDouble:
+      case Args_Int_IntDouble:
+        break;
+      default:
+        MOZ_CRASH("Unexpected type");
+    }
+}
+#endif // DEBUG && JS_ARM64_SIMULATOR
+
+void
+MacroAssemblerCompat::callWithABI(void* fun, MoveOp::Type result)
+{
+#ifdef JS_ARM64_SIMULATOR
+    MOZ_ASSERT(passedIntArgs_ + passedFloatArgs_ <= 15);
+    passedArgTypes_ <<= ArgType_Shift;
+    switch (result) {
+      case MoveOp::GENERAL: passedArgTypes_ |= ArgType_General; break;
+      case MoveOp::DOUBLE:  passedArgTypes_ |= ArgType_Double;  break;
+      case MoveOp::FLOAT32: passedArgTypes_ |= ArgType_Float32; break;
+      default: MOZ_CRASH("Invalid return type");
+    }
+# ifdef DEBUG
+    AssertValidABIFunctionType(passedArgTypes_);
+# endif
+    ABIFunctionType type = ABIFunctionType(passedArgTypes_);
+    fun = vixl::Simulator::RedirectNativeFunction(fun, type);
+#endif // JS_ARM64_SIMULATOR
+
+    uint32_t stackAdjust;
+    callWithABIPre(&stackAdjust);
+    call(ImmPtr(fun));
+    callWithABIPost(stackAdjust, result);
+}
+
+void
+MacroAssemblerCompat::callWithABI(Register fun, MoveOp::Type result)
+{
+    movePtr(fun, ip0);
+
+    uint32_t stackAdjust;
+    callWithABIPre(&stackAdjust);
+    call(ip0);
+    callWithABIPost(stackAdjust, result);
+}
+
+void
+MacroAssemblerCompat::callWithABI(AsmJSImmPtr imm, MoveOp::Type result)
+{
+    uint32_t stackAdjust;
+    callWithABIPre(&stackAdjust);
+    call(imm);
+    callWithABIPost(stackAdjust, result);
+}
+
+void
+MacroAssemblerCompat::callWithABI(Address fun, MoveOp::Type result)
+{
+    loadPtr(fun, ip0);
+
+    uint32_t stackAdjust;
+    callWithABIPre(&stackAdjust);
+    call(ip0);
+    callWithABIPost(stackAdjust, result);
+}
+
+void
+MacroAssemblerCompat::branchPtrInNurseryRange(Condition cond, Register ptr, Register temp,
+                                              Label* label)
+{
+    MOZ_ASSERT(cond == Assembler::Equal || cond == Assembler::NotEqual);
+    MOZ_ASSERT(ptr != temp);
+    MOZ_ASSERT(ptr != ScratchReg && ptr != ScratchReg2); // Both may be used internally.
+    MOZ_ASSERT(temp != ScratchReg && temp != ScratchReg2);
+
+    const Nursery& nursery = GetJitContext()->runtime->gcNursery();
+    movePtr(ImmWord(-ptrdiff_t(nursery.start())), temp);
+    addPtr(ptr, temp);
+    branchPtr(cond == Assembler::Equal ? Assembler::Below : Assembler::AboveOrEqual,
+              temp, ImmWord(nursery.nurserySize()), label);
+}
+
+void
+MacroAssemblerCompat::branchValueIsNurseryObject(Condition cond, ValueOperand value, Register temp,
+                                                 Label* label)
+{
+    MOZ_ASSERT(cond == Assembler::Equal || cond == Assembler::NotEqual);
+    MOZ_ASSERT(temp != ScratchReg && temp != ScratchReg2); // Both may be used internally.
+
+    // 'Value' representing the start of the nursery tagged as a JSObject
+    const Nursery& nursery = GetJitContext()->runtime->gcNursery();
+    Value start = ObjectValue(*reinterpret_cast<JSObject*>(nursery.start()));
+
+    movePtr(ImmWord(-ptrdiff_t(start.asRawBits())), temp);
+    addPtr(value.valueReg(), temp);
+    branchPtr(cond == Assembler::Equal ? Assembler::Below : Assembler::AboveOrEqual,
+              temp, ImmWord(nursery.nurserySize()), label);
+}
+
+void
+MacroAssemblerCompat::callAndPushReturnAddress(Label* label)
+{
+    // FIXME: Jandem said he would refactor the code to avoid making
+    // this instruction required, but probably forgot about it.
+    // Instead of implementing this function, we should make it unnecessary.
+    Label ret;
+    {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+
+        Adr(scratch64, &ret);
+        asMasm().Push(scratch64.asUnsized());
+    }
+
+    Bl(label);
+    bind(&ret);
+}
+
+void
+MacroAssemblerCompat::breakpoint()
+{
+    static int code = 0xA77;
+    Brk((code++) & 0xffff);
+}
+
+// ===============================================================
+// Stack manipulation functions.
+
+void
+MacroAssembler::reserveStack(uint32_t amount)
+{
+    // TODO: This bumps |sp| every time we reserve using a second register.
+    // It would save some instructions if we had a fixed frame size.
+    vixl::MacroAssembler::Claim(Operand(amount));
+    adjustFrame(amount);
+}
+
+void
+MacroAssembler::PushRegsInMask(LiveRegisterSet set)
+{
+    for (GeneralRegisterBackwardIterator iter(set.gprs()); iter.more(); ) {
+        vixl::CPURegister src[4] = { vixl::NoCPUReg, vixl::NoCPUReg, vixl::NoCPUReg, vixl::NoCPUReg };
+
+        for (size_t i = 0; i < 4 && iter.more(); i++) {
+            src[i] = ARMRegister(*iter, 64);
+            ++iter;
+            adjustFrame(8);
+        }
+        vixl::MacroAssembler::Push(src[0], src[1], src[2], src[3]);
+    }
+
+    for (FloatRegisterBackwardIterator iter(set.fpus().reduceSetForPush()); iter.more(); ) {
+        vixl::CPURegister src[4] = { vixl::NoCPUReg, vixl::NoCPUReg, vixl::NoCPUReg, vixl::NoCPUReg };
+
+        for (size_t i = 0; i < 4 && iter.more(); i++) {
+            src[i] = ARMFPRegister(*iter, 64);
+            ++iter;
+            adjustFrame(8);
+        }
+        vixl::MacroAssembler::Push(src[0], src[1], src[2], src[3]);
+    }
+}
+
+void
+MacroAssembler::PopRegsInMaskIgnore(LiveRegisterSet set, LiveRegisterSet ignore)
+{
+    // The offset of the data from the stack pointer.
+    uint32_t offset = 0;
+
+    for (FloatRegisterIterator iter(set.fpus().reduceSetForPush()); iter.more(); ) {
+        vixl::CPURegister dest[2] = { vixl::NoCPUReg, vixl::NoCPUReg };
+        uint32_t nextOffset = offset;
+
+        for (size_t i = 0; i < 2 && iter.more(); i++) {
+            if (!ignore.has(*iter))
+                dest[i] = ARMFPRegister(*iter, 64);
+            ++iter;
+            nextOffset += sizeof(double);
+        }
+
+        if (!dest[0].IsNone() && !dest[1].IsNone())
+            Ldp(dest[0], dest[1], MemOperand(GetStackPointer64(), offset));
+        else if (!dest[0].IsNone())
+            Ldr(dest[0], MemOperand(GetStackPointer64(), offset));
+        else if (!dest[1].IsNone())
+            Ldr(dest[1], MemOperand(GetStackPointer64(), offset + sizeof(double)));
+
+        offset = nextOffset;
+    }
+
+    MOZ_ASSERT(offset == set.fpus().getPushSizeInBytes());
+
+    for (GeneralRegisterIterator iter(set.gprs()); iter.more(); ) {
+        vixl::CPURegister dest[2] = { vixl::NoCPUReg, vixl::NoCPUReg };
+        uint32_t nextOffset = offset;
+
+        for (size_t i = 0; i < 2 && iter.more(); i++) {
+            if (!ignore.has(*iter))
+                dest[i] = ARMRegister(*iter, 64);
+            ++iter;
+            nextOffset += sizeof(uint64_t);
+        }
+
+        if (!dest[0].IsNone() && !dest[1].IsNone())
+            Ldp(dest[0], dest[1], MemOperand(GetStackPointer64(), offset));
+        else if (!dest[0].IsNone())
+            Ldr(dest[0], MemOperand(GetStackPointer64(), offset));
+        else if (!dest[1].IsNone())
+            Ldr(dest[1], MemOperand(GetStackPointer64(), offset + sizeof(uint64_t)));
+
+        offset = nextOffset;
+    }
+
+    size_t bytesPushed = set.gprs().size() * sizeof(uint64_t) + set.fpus().getPushSizeInBytes();
+    MOZ_ASSERT(offset == bytesPushed);
+    freeStack(bytesPushed);
+}
+
+void
+MacroAssembler::Push(Register reg)
+{
+    push(reg);
+    adjustFrame(sizeof(intptr_t));
+}
+
+void
+MacroAssembler::Push(const Imm32 imm)
+{
+    push(imm);
+    adjustFrame(sizeof(intptr_t));
+}
+
+void
+MacroAssembler::Push(const ImmWord imm)
+{
+    push(imm);
+    adjustFrame(sizeof(intptr_t));
+}
+
+void
+MacroAssembler::Push(const ImmPtr imm)
+{
+    push(imm);
+    adjustFrame(sizeof(intptr_t));
+}
+
+void
+MacroAssembler::Push(const ImmGCPtr ptr)
+{
+    push(ptr);
+    adjustFrame(sizeof(intptr_t));
+}
+
+void
+MacroAssembler::Push(FloatRegister f)
+{
+    push(f);
+    adjustFrame(sizeof(double));
+}
+
+void
+MacroAssembler::Pop(const Register reg)
+{
+    pop(reg);
+    adjustFrame(-1 * int64_t(sizeof(int64_t)));
+}
+
+void
+MacroAssembler::Pop(const ValueOperand& val)
+{
+    pop(val);
+    adjustFrame(-1 * int64_t(sizeof(int64_t)));
+}
+
+} // namespace jit
+} // namespace js
diff --git a/js/src/jit/arm64/MacroAssembler-arm64.h b/js/src/jit/arm64/MacroAssembler-arm64.h
new file mode 100644
index 000000000000..b7f1c2301cc7
--- /dev/null
+++ b/js/src/jit/arm64/MacroAssembler-arm64.h
@@ -0,0 +1,3317 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef jit_arm64_MacroAssembler_arm64_h
+#define jit_arm64_MacroAssembler_arm64_h
+
+#include "jit/arm64/Assembler-arm64.h"
+#include "jit/arm64/vixl/Debugger-vixl.h"
+#include "jit/arm64/vixl/MacroAssembler-vixl.h"
+
+#include "jit/AtomicOp.h"
+#include "jit/JitFrames.h"
+#include "jit/MoveResolver.h"
+
+namespace js {
+namespace jit {
+
+// Import VIXL operands directly into the jit namespace for shared code.
+using vixl::Operand;
+using vixl::MemOperand;
+
+struct ImmShiftedTag : public ImmWord
+{
+    ImmShiftedTag(JSValueShiftedTag shtag)
+      : ImmWord((uintptr_t)shtag)
+    { }
+
+    ImmShiftedTag(JSValueType type)
+      : ImmWord(uintptr_t(JSValueShiftedTag(JSVAL_TYPE_TO_SHIFTED_TAG(type))))
+    { }
+};
+
+struct ImmTag : public Imm32
+{
+    ImmTag(JSValueTag tag)
+      : Imm32(tag)
+    { }
+};
+
+class MacroAssemblerCompat : public vixl::MacroAssembler
+{
+  public:
+    typedef vixl::Condition Condition;
+
+  private:
+    // Perform a downcast. Should be removed by Bug 996602.
+    js::jit::MacroAssembler& asMasm();
+    const js::jit::MacroAssembler& asMasm() const;
+
+  public:
+    // Restrict to only VIXL-internal functions.
+    vixl::MacroAssembler& asVIXL();
+    const MacroAssembler& asVIXL() const;
+
+  protected:
+    bool enoughMemory_;
+    uint32_t framePushed_;
+
+    // TODO: Can this be moved out of the MacroAssembler and into some shared code?
+    // TODO: All the code seems to be arch-independent, and it's weird to have this here.
+    bool inCall_;
+    bool usedOutParam_;
+    uint32_t args_;
+    uint32_t passedIntArgs_;
+    uint32_t passedFloatArgs_;
+    uint32_t passedArgTypes_;
+    uint32_t stackForCall_;
+    bool dynamicAlignment_;
+
+    MacroAssemblerCompat()
+      : vixl::MacroAssembler(),
+        enoughMemory_(true),
+        framePushed_(0),
+        inCall_(false),
+        usedOutParam_(false),
+        args_(0),
+        passedIntArgs_(0),
+        passedFloatArgs_(0),
+        passedArgTypes_(0),
+        stackForCall_(0),
+        dynamicAlignment_(false)
+    { }
+
+  protected:
+    MoveResolver moveResolver_;
+
+  public:
+    bool oom() const {
+        return Assembler::oom() || !enoughMemory_;
+    }
+    static MemOperand toMemOperand(Address& a) {
+        return MemOperand(ARMRegister(a.base, 64), a.offset);
+    }
+    void doBaseIndex(const vixl::CPURegister& rt, const BaseIndex& addr, vixl::LoadStoreOp op) {
+        const ARMRegister base = ARMRegister(addr.base, 64);
+        const ARMRegister index = ARMRegister(addr.index, 64);
+        const unsigned scale = addr.scale;
+
+        if (!addr.offset && (!scale || scale == static_cast<unsigned>(CalcLSDataSize(op)))) {
+            LoadStoreMacro(rt, MemOperand(base, index, vixl::LSL, scale), op);
+            return;
+        }
+
+        vixl::UseScratchRegisterScope temps(this);
+        ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(!scratch64.Is(rt));
+        MOZ_ASSERT(!scratch64.Is(base));
+        MOZ_ASSERT(!scratch64.Is(index));
+
+        Add(scratch64, base, Operand(index, vixl::LSL, scale));
+        LoadStoreMacro(rt, MemOperand(scratch64, addr.offset), op);
+    }
+    void Push(ARMRegister reg) {
+        push(reg);
+        adjustFrame(reg.size() / 8);
+    }
+    void Push(Register reg) {
+        vixl::MacroAssembler::Push(ARMRegister(reg, 64));
+        adjustFrame(8);
+    }
+    void Push(Imm32 imm) {
+        push(imm);
+        adjustFrame(8);
+    }
+    void Push(FloatRegister f) {
+        push(ARMFPRegister(f, 64));
+        adjustFrame(8);
+    }
+    void Push(ImmPtr imm) {
+        push(imm);
+        adjustFrame(sizeof(void*));
+    }
+    void push(FloatRegister f) {
+        vixl::MacroAssembler::Push(ARMFPRegister(f, 64));
+    }
+    void push(ARMFPRegister f) {
+        vixl::MacroAssembler::Push(f);
+    }
+    void push(Imm32 imm) {
+        if (imm.value == 0) {
+            vixl::MacroAssembler::Push(vixl::xzr);
+        } else {
+            vixl::UseScratchRegisterScope temps(this);
+            const ARMRegister scratch64 = temps.AcquireX();
+            move32(imm, scratch64.asUnsized());
+            vixl::MacroAssembler::Push(scratch64);
+        }
+    }
+    void push(ImmWord imm) {
+        if (imm.value == 0) {
+            vixl::MacroAssembler::Push(vixl::xzr);
+        } else {
+            vixl::UseScratchRegisterScope temps(this);
+            const ARMRegister scratch64 = temps.AcquireX();
+            Mov(scratch64, imm.value);
+            vixl::MacroAssembler::Push(scratch64);
+        }
+    }
+    void push(ImmPtr imm) {
+        if (imm.value == nullptr) {
+            vixl::MacroAssembler::Push(vixl::xzr);
+        } else {
+            vixl::UseScratchRegisterScope temps(this);
+            const ARMRegister scratch64 = temps.AcquireX();
+            movePtr(imm, scratch64.asUnsized());
+            vixl::MacroAssembler::Push(scratch64);
+        }
+    }
+    void push(ImmGCPtr imm) {
+        if (imm.value == nullptr) {
+            vixl::MacroAssembler::Push(vixl::xzr);
+        } else {
+            vixl::UseScratchRegisterScope temps(this);
+            const ARMRegister scratch64 = temps.AcquireX();
+            movePtr(imm, scratch64.asUnsized());
+            vixl::MacroAssembler::Push(scratch64);
+        }
+    }
+    void push(ImmMaybeNurseryPtr imm) {
+        push(noteMaybeNurseryPtr(imm));
+    }
+    void push(ARMRegister reg) {
+        vixl::MacroAssembler::Push(reg);
+    }
+    void push(Address a) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(a.base != scratch64.asUnsized());
+        loadPtr(a, scratch64.asUnsized());
+        vixl::MacroAssembler::Push(scratch64);
+    }
+
+    // Push registers.
+    void push(Register reg) {
+        vixl::MacroAssembler::Push(ARMRegister(reg, 64));
+    }
+    void push(Register r0, Register r1) {
+        vixl::MacroAssembler::Push(ARMRegister(r0, 64), ARMRegister(r1, 64));
+    }
+    void push(Register r0, Register r1, Register r2) {
+        vixl::MacroAssembler::Push(ARMRegister(r0, 64), ARMRegister(r1, 64), ARMRegister(r2, 64));
+    }
+    void push(Register r0, Register r1, Register r2, Register r3) {
+        vixl::MacroAssembler::Push(ARMRegister(r0, 64), ARMRegister(r1, 64),
+                                   ARMRegister(r2, 64), ARMRegister(r3, 64));
+    }
+    void push(ARMFPRegister r0, ARMFPRegister r1, ARMFPRegister r2, ARMFPRegister r3) {
+        vixl::MacroAssembler::Push(r0, r1, r2, r3);
+    }
+
+    // Pop registers.
+    void pop(Register reg) {
+        vixl::MacroAssembler::Pop(ARMRegister(reg, 64));
+    }
+    void pop(Register r0, Register r1) {
+        vixl::MacroAssembler::Pop(ARMRegister(r0, 64), ARMRegister(r1, 64));
+    }
+    void pop(Register r0, Register r1, Register r2) {
+        vixl::MacroAssembler::Pop(ARMRegister(r0, 64), ARMRegister(r1, 64), ARMRegister(r2, 64));
+    }
+    void pop(Register r0, Register r1, Register r2, Register r3) {
+        vixl::MacroAssembler::Pop(ARMRegister(r0, 64), ARMRegister(r1, 64),
+                                  ARMRegister(r2, 64), ARMRegister(r3, 64));
+    }
+    void pop(ARMFPRegister r0, ARMFPRegister r1, ARMFPRegister r2, ARMFPRegister r3) {
+        vixl::MacroAssembler::Pop(r0, r1, r2, r3);
+    }
+
+    void pushReturnAddress() {
+        push(lr);
+    }
+    void pop(const ValueOperand& v) {
+        pop(v.valueReg());
+    }
+    void pop(const FloatRegister& f) {
+        vixl::MacroAssembler::Pop(ARMRegister(f.code(), 64));
+    }
+
+    void implicitPop(uint32_t args) {
+        MOZ_ASSERT(args % sizeof(intptr_t) == 0);
+        adjustFrame(-args);
+    }
+    void Pop(ARMRegister r) {
+        vixl::MacroAssembler::Pop(r);
+        adjustFrame(- r.size() / 8);
+    }
+    // FIXME: This is the same on every arch.
+    // FIXME: If we can share framePushed_, we can share this.
+    // FIXME: Or just make it at the highest level.
+    CodeOffsetLabel PushWithPatch(ImmWord word) {
+        framePushed_ += sizeof(word.value);
+        return pushWithPatch(word);
+    }
+    CodeOffsetLabel PushWithPatch(ImmPtr ptr) {
+        return PushWithPatch(ImmWord(uintptr_t(ptr.value)));
+    }
+
+    uint32_t framePushed() const {
+        return framePushed_;
+    }
+    void adjustFrame(int32_t diff) {
+        setFramePushed(framePushed_ + diff);
+    }
+
+    void setFramePushed(uint32_t framePushed) {
+        framePushed_ = framePushed;
+    }
+
+    void freeStack(Register amount) {
+        vixl::MacroAssembler::Drop(Operand(ARMRegister(amount, 64)));
+    }
+
+    // Update sp with the value of the current active stack pointer, if necessary.
+    void syncStackPtr() {
+        if (!GetStackPointer64().Is(vixl::sp))
+            Mov(vixl::sp, GetStackPointer64());
+    }
+    void initStackPtr() {
+        if (!GetStackPointer64().Is(vixl::sp))
+            Mov(GetStackPointer64(), vixl::sp);
+    }
+    void storeValue(ValueOperand val, const Address& dest) {
+        storePtr(val.valueReg(), dest);
+    }
+
+    template <typename T>
+    void storeValue(JSValueType type, Register reg, const T& dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != reg);
+        tagValue(type, reg, ValueOperand(scratch));
+        storeValue(ValueOperand(scratch), dest);
+    }
+    template <typename T>
+    void storeValue(const Value& val, const T& dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        moveValue(val, ValueOperand(scratch));
+        storeValue(ValueOperand(scratch), dest);
+    }
+    void storeValue(ValueOperand val, BaseIndex dest) {
+        storePtr(val.valueReg(), dest);
+    }
+
+    template <typename T>
+    void storeUnboxedValue(ConstantOrRegister value, MIRType valueType, const T& dest, MIRType slotType) {
+        if (valueType == MIRType_Double) {
+            storeDouble(value.reg().typedReg().fpu(), dest);
+            return;
+        }
+
+        // For known integers and booleans, we can just store the unboxed value if
+        // the slot has the same type.
+        if ((valueType == MIRType_Int32 || valueType == MIRType_Boolean) && slotType == valueType) {
+            if (value.constant()) {
+                Value val = value.value();
+                if (valueType == MIRType_Int32)
+                    store32(Imm32(val.toInt32()), dest);
+                else
+                    store32(Imm32(val.toBoolean() ? 1 : 0), dest);
+            } else {
+                store32(value.reg().typedReg().gpr(), dest);
+            }
+            return;
+        }
+
+        if (value.constant())
+            storeValue(value.value(), dest);
+        else
+            storeValue(ValueTypeFromMIRType(valueType), value.reg().typedReg().gpr(), dest);
+
+    }
+    void loadValue(Address src, Register val) {
+        Ldr(ARMRegister(val, 64), MemOperand(src));
+    }
+    void loadValue(Address src, ValueOperand val) {
+        Ldr(ARMRegister(val.valueReg(), 64), MemOperand(src));
+    }
+    void loadValue(const BaseIndex& src, ValueOperand val) {
+        doBaseIndex(ARMRegister(val.valueReg(), 64), src, vixl::LDR_x);
+    }
+    void tagValue(JSValueType type, Register payload, ValueOperand dest) {
+        // This could be cleverer, but the first attempt had bugs.
+        Orr(ARMRegister(dest.valueReg(), 64), ARMRegister(payload, 64), Operand(ImmShiftedTag(type).value));
+    }
+    void pushValue(ValueOperand val) {
+        vixl::MacroAssembler::Push(ARMRegister(val.valueReg(), 64));
+    }
+    void popValue(ValueOperand val) {
+        vixl::MacroAssembler::Pop(ARMRegister(val.valueReg(), 64));
+    }
+    void pushValue(const Value& val) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        jsval_layout jv = JSVAL_TO_IMPL(val);
+        if (val.isMarkable()) {
+            BufferOffset load = movePatchablePtr(ImmPtr((void*)jv.asBits), scratch);
+            writeDataRelocation(val, load);
+            push(scratch);
+        } else {
+            moveValue(val, scratch);
+            push(scratch);
+        }
+    }
+    void pushValue(JSValueType type, Register reg) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != reg);
+        tagValue(type, reg, ValueOperand(scratch));
+        push(scratch);
+    }
+    void pushValue(const Address& addr) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != addr.base);
+        loadValue(addr, scratch);
+        push(scratch);
+    }
+    template <typename T>
+    void storeUnboxedPayload(ValueOperand value, T address, size_t nbytes) {
+        switch (nbytes) {
+          case 8: {
+            vixl::UseScratchRegisterScope temps(this);
+            const Register scratch = temps.AcquireX().asUnsized();
+            unboxNonDouble(value, scratch);
+            storePtr(scratch, address);
+            return;
+          }
+          case 4:
+            storePtr(value.valueReg(), address);
+            return;
+          case 1:
+            store8(value.valueReg(), address);
+            return;
+          default: MOZ_CRASH("Bad payload width");
+        }
+    }
+    void moveValue(const Value& val, Register dest) {
+        if (val.isMarkable()) {
+            BufferOffset load = movePatchablePtr(ImmPtr((void*)val.asRawBits()), dest);
+            writeDataRelocation(val, load);
+        } else {
+            movePtr(ImmWord(val.asRawBits()), dest);
+        }
+    }
+    void moveValue(const Value& src, const ValueOperand& dest) {
+        moveValue(src, dest.valueReg());
+    }
+    void moveValue(const ValueOperand& src, const ValueOperand& dest) {
+        if (src.valueReg() != dest.valueReg())
+            movePtr(src.valueReg(), dest.valueReg());
+    }
+
+    CodeOffsetLabel pushWithPatch(ImmWord imm) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        CodeOffsetLabel label = movWithPatch(imm, scratch);
+        push(scratch);
+        return label;
+    }
+
+    CodeOffsetLabel movWithPatch(ImmWord imm, Register dest) {
+        BufferOffset off = immPool64(ARMRegister(dest, 64), imm.value);
+        return CodeOffsetLabel(off.getOffset());
+    }
+    CodeOffsetLabel movWithPatch(ImmPtr imm, Register dest) {
+        BufferOffset off = immPool64(ARMRegister(dest, 64), uint64_t(imm.value));
+        return CodeOffsetLabel(off.getOffset());
+    }
+
+    void boxValue(JSValueType type, Register src, Register dest) {
+        Orr(ARMRegister(dest, 64), ARMRegister(src, 64), Operand(ImmShiftedTag(type).value));
+    }
+    void splitTag(Register src, Register dest) {
+        ubfx(ARMRegister(dest, 64), ARMRegister(src, 64), JSVAL_TAG_SHIFT, (64 - JSVAL_TAG_SHIFT));
+    }
+    Register extractTag(const Address& address, Register scratch) {
+        loadPtr(address, scratch);
+        splitTag(scratch, scratch);
+        return scratch;
+    }
+    Register extractTag(const ValueOperand& value, Register scratch) {
+        splitTag(value.valueReg(), scratch);
+        return scratch;
+    }
+    Register extractObject(const Address& address, Register scratch) {
+        loadPtr(address, scratch);
+        unboxObject(scratch, scratch);
+        return scratch;
+    }
+    Register extractObject(const ValueOperand& value, Register scratch) {
+        unboxObject(value, scratch);
+        return scratch;
+    }
+    Register extractInt32(const ValueOperand& value, Register scratch) {
+        unboxInt32(value, scratch);
+        return scratch;
+    }
+    Register extractBoolean(const ValueOperand& value, Register scratch) {
+        unboxBoolean(value, scratch);
+        return scratch;
+    }
+
+    // If source is a double, load into dest.
+    // If source is int32, convert to double and store in dest.
+    // Else, branch to failure.
+    void ensureDouble(const ValueOperand& source, FloatRegister dest, Label* failure) {
+        Label isDouble, done;
+
+        // TODO: splitTagForTest really should not leak a scratch register.
+        Register tag = splitTagForTest(source);
+        {
+            vixl::UseScratchRegisterScope temps(this);
+            temps.Exclude(ARMRegister(tag, 64));
+
+            branchTestDouble(Assembler::Equal, tag, &isDouble);
+            branchTestInt32(Assembler::NotEqual, tag, failure);
+        }
+
+        convertInt32ToDouble(source.valueReg(), dest);
+        jump(&done);
+
+        bind(&isDouble);
+        unboxDouble(source, dest);
+
+        bind(&done);
+    }
+
+    void emitSet(Condition cond, Register dest) {
+        Cset(ARMRegister(dest, 64), cond);
+    }
+
+    template <typename T1, typename T2>
+    void cmpPtrSet(Condition cond, T1 lhs, T2 rhs, Register dest) {
+        cmpPtr(lhs, rhs);
+        emitSet(cond, dest);
+    }
+
+    template <typename T1, typename T2>
+    void cmp32Set(Condition cond, T1 lhs, T2 rhs, Register dest) {
+        cmp32(lhs, rhs);
+        emitSet(cond, dest);
+    }
+
+    void testNullSet(Condition cond, const ValueOperand& value, Register dest) {
+        cond = testNull(cond, value);
+        emitSet(cond, dest);
+    }
+    void testObjectSet(Condition cond, const ValueOperand& value, Register dest) {
+        cond = testObject(cond, value);
+        emitSet(cond, dest);
+    }
+    void testUndefinedSet(Condition cond, const ValueOperand& value, Register dest) {
+        cond = testUndefined(cond, value);
+        emitSet(cond, dest);
+    }
+
+    void convertBoolToInt32(Register source, Register dest) {
+        Uxtb(ARMRegister(dest, 64), ARMRegister(source, 64));
+    }
+
+    void convertInt32ToDouble(Register src, FloatRegister dest) {
+        Scvtf(ARMFPRegister(dest, 64), ARMRegister(src, 32)); // Uses FPCR rounding mode.
+    }
+    void convertInt32ToDouble(const Address& src, FloatRegister dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != src.base);
+        load32(src, scratch);
+        convertInt32ToDouble(scratch, dest);
+    }
+    void convertInt32ToDouble(const BaseIndex& src, FloatRegister dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != src.base);
+        MOZ_ASSERT(scratch != src.index);
+        load32(src, scratch);
+        convertInt32ToDouble(scratch, dest);
+    }
+
+    void convertInt32ToFloat32(Register src, FloatRegister dest) {
+        Scvtf(ARMFPRegister(dest, 32), ARMRegister(src, 32)); // Uses FPCR rounding mode.
+    }
+    void convertInt32ToFloat32(const Address& src, FloatRegister dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != src.base);
+        load32(src, scratch);
+        convertInt32ToFloat32(scratch, dest);
+    }
+
+    void convertUInt32ToDouble(Register src, FloatRegister dest) {
+        Ucvtf(ARMFPRegister(dest, 64), ARMRegister(src, 32)); // Uses FPCR rounding mode.
+    }
+    void convertUInt32ToDouble(const Address& src, FloatRegister dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != src.base);
+        load32(src, scratch);
+        convertUInt32ToDouble(scratch, dest);
+    }
+
+    void convertUInt32ToFloat32(Register src, FloatRegister dest) {
+        Ucvtf(ARMFPRegister(dest, 32), ARMRegister(src, 32)); // Uses FPCR rounding mode.
+    }
+    void convertUInt32ToFloat32(const Address& src, FloatRegister dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != src.base);
+        load32(src, scratch);
+        convertUInt32ToFloat32(scratch, dest);
+    }
+
+    void convertFloat32ToDouble(FloatRegister src, FloatRegister dest) {
+        Fcvt(ARMFPRegister(dest, 64), ARMFPRegister(src, 32));
+    }
+    void convertDoubleToFloat32(FloatRegister src, FloatRegister dest) {
+        Fcvt(ARMFPRegister(dest, 32), ARMFPRegister(src, 64));
+    }
+
+    void branchTruncateDouble(FloatRegister src, Register dest, Label* fail) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+
+        // An out of range integer will be saturated to the destination size.
+        ARMFPRegister src64(src, 64);
+        ARMRegister dest64(dest, 64);
+
+        MOZ_ASSERT(!scratch64.Is(dest64));
+
+        //breakpoint();
+        Fcvtzs(dest64, src64);
+        Add(scratch64, dest64, Operand(0x7fffffffffffffff));
+        Cmn(scratch64, 3);
+        B(fail, Assembler::Above);
+        And(dest64, dest64, Operand(0xffffffff));
+    }
+    void convertDoubleToInt32(FloatRegister src, Register dest, Label* fail,
+                              bool negativeZeroCheck = true)
+    {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMFPRegister scratch64 = temps.AcquireD();
+
+        ARMFPRegister fsrc(src, 64);
+        ARMRegister dest32(dest, 32);
+        ARMRegister dest64(dest, 64);
+
+        MOZ_ASSERT(!scratch64.Is(fsrc));
+
+        Fcvtzs(dest32, fsrc); // Convert, rounding toward zero.
+        Scvtf(scratch64, dest32); // Convert back, using FPCR rounding mode.
+        Fcmp(scratch64, fsrc);
+        B(fail, Assembler::NotEqual);
+
+        if (negativeZeroCheck) {
+            Label nonzero;
+            Cbnz(dest32, &nonzero);
+            Fmov(dest64, fsrc);
+            Cbnz(dest64, fail);
+            bind(&nonzero);
+        }
+    }
+    void convertFloat32ToInt32(FloatRegister src, Register dest, Label* fail,
+                               bool negativeZeroCheck = true)
+    {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMFPRegister scratch32 = temps.AcquireS();
+
+        ARMFPRegister fsrc(src, 32);
+        ARMRegister dest32(dest, 32);
+        ARMRegister dest64(dest, 64);
+
+        MOZ_ASSERT(!scratch32.Is(fsrc));
+
+        Fcvtzs(dest64, fsrc); // Convert, rounding toward zero.
+        Scvtf(scratch32, dest32); // Convert back, using FPCR rounding mode.
+        Fcmp(scratch32, fsrc);
+        B(fail, Assembler::NotEqual);
+
+        if (negativeZeroCheck) {
+            Label nonzero;
+            Cbnz(dest32, &nonzero);
+            Fmov(dest32, fsrc);
+            Cbnz(dest32, fail);
+            bind(&nonzero);
+        }
+        And(dest64, dest64, Operand(0xffffffff));
+    }
+
+    void branchTruncateFloat32(FloatRegister src, Register dest, Label* fail) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+
+        ARMFPRegister src32(src, 32);
+        ARMRegister dest64(dest, 64);
+
+        MOZ_ASSERT(!scratch64.Is(dest64));
+
+        Fcvtzs(dest64, src32);
+        Add(scratch64, dest64, Operand(0x7fffffffffffffff));
+        Cmn(scratch64, 3);
+        B(fail, Assembler::Above);
+        And(dest64, dest64, Operand(0xffffffff));
+    }
+    void floor(FloatRegister input, Register output, Label* bail) {
+        Label handleZero;
+        //Label handleNeg;
+        Label fin;
+        ARMFPRegister iDbl(input, 64);
+        ARMRegister o64(output, 64);
+        ARMRegister o32(output, 32);
+        Fcmp(iDbl, 0.0);
+        B(Assembler::Equal, &handleZero);
+        //B(Assembler::Signed, &handleNeg);
+        // NaN is always a bail condition, just bail directly.
+        B(Assembler::Overflow, bail);
+        Fcvtms(o64, iDbl);
+        Cmp(o64, Operand(o64, vixl::SXTW));
+        B(NotEqual, bail);
+        Mov(o32, o32);
+        B(&fin);
+
+        bind(&handleZero);
+        // Move the top word of the double into the output reg, if it is non-zero,
+        // then the original value was -0.0.
+        Fmov(o64, iDbl);
+        Cbnz(o64, bail);
+        bind(&fin);
+    }
+
+    void floorf(FloatRegister input, Register output, Label* bail) {
+        Label handleZero;
+        //Label handleNeg;
+        Label fin;
+        ARMFPRegister iFlt(input, 32);
+        ARMRegister o64(output, 64);
+        ARMRegister o32(output, 32);
+        Fcmp(iFlt, 0.0);
+        B(Assembler::Equal, &handleZero);
+        //B(Assembler::Signed, &handleNeg);
+        // NaN is always a bail condition, just bail directly.
+        B(Assembler::Overflow, bail);
+        Fcvtms(o64, iFlt);
+        Cmp(o64, Operand(o64, vixl::SXTW));
+        B(NotEqual, bail);
+        Mov(o32, o32);
+        B(&fin);
+
+        bind(&handleZero);
+        // Move the top word of the double into the output reg, if it is non-zero,
+        // then the original value was -0.0.
+        Fmov(o32, iFlt);
+        Cbnz(o32, bail);
+        bind(&fin);
+    }
+
+    void ceil(FloatRegister input, Register output, Label* bail) {
+        Label handleZero;
+        Label fin;
+        ARMFPRegister iDbl(input, 64);
+        ARMRegister o64(output, 64);
+        ARMRegister o32(output, 32);
+        Fcmp(iDbl, 0.0);
+        B(Assembler::Overflow, bail);
+        Fcvtps(o64, iDbl);
+        Cmp(o64, Operand(o64, vixl::SXTW));
+        B(NotEqual, bail);
+        Cbz(o64, &handleZero);
+        Mov(o32, o32);
+        B(&fin);
+
+        bind(&handleZero);
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch = temps.AcquireX();
+        Fmov(scratch, iDbl);
+        Cbnz(scratch, bail);
+        bind(&fin);
+    }
+
+    void ceilf(FloatRegister input, Register output, Label* bail) {
+        Label handleZero;
+        Label fin;
+        ARMFPRegister iFlt(input, 32);
+        ARMRegister o64(output, 64);
+        ARMRegister o32(output, 32);
+        Fcmp(iFlt, 0.0);
+
+        // NaN is always a bail condition, just bail directly.
+        B(Assembler::Overflow, bail);
+        Fcvtps(o64, iFlt);
+        Cmp(o64, Operand(o64, vixl::SXTW));
+        B(NotEqual, bail);
+        Cbz(o64, &handleZero);
+        Mov(o32, o32);
+        B(&fin);
+
+        bind(&handleZero);
+        // Move the top word of the double into the output reg, if it is non-zero,
+        // then the original value was -0.0.
+        Fmov(o32, iFlt);
+        Cbnz(o32, bail);
+        bind(&fin);
+    }
+
+    void jump(Label* label) {
+        B(label);
+    }
+    void jump(JitCode* code) {
+        branch(code);
+    }
+    void jump(RepatchLabel* label) {
+        MOZ_CRASH("jump (repatchlabel)");
+    }
+    void jump(Register reg) {
+        Br(ARMRegister(reg, 64));
+    }
+    void jump(const Address& addr) {
+        loadPtr(addr, ip0);
+        Br(vixl::ip0);
+    }
+
+    void align(int alignment) {
+        armbuffer_.align(alignment);
+    }
+
+    void haltingAlign(int alignment) {
+        // TODO: Implement a proper halting align.
+        // ARM doesn't have one either.
+        armbuffer_.align(alignment);
+    }
+
+    void movePtr(Register src, Register dest) {
+        Mov(ARMRegister(dest, 64), ARMRegister(src, 64));
+    }
+    void movePtr(ImmWord imm, Register dest) {
+        Mov(ARMRegister(dest, 64), int64_t(imm.value));
+    }
+    void movePtr(ImmPtr imm, Register dest) {
+        Mov(ARMRegister(dest, 64), int64_t(imm.value));
+    }
+    void movePtr(AsmJSImmPtr imm, Register dest) {
+        BufferOffset off = movePatchablePtr(ImmWord(0xffffffffffffffffULL), dest);
+        append(AsmJSAbsoluteLink(CodeOffsetLabel(off.getOffset()), imm.kind()));
+    }
+    void movePtr(ImmGCPtr imm, Register dest) {
+        BufferOffset load = movePatchablePtr(ImmPtr(imm.value), dest);
+        writeDataRelocation(imm, load);
+    }
+    void movePtr(ImmMaybeNurseryPtr imm, Register dest) {
+        movePtr(noteMaybeNurseryPtr(imm), dest);
+    }
+
+    void mov(ImmWord imm, Register dest) {
+        movePtr(imm, dest);
+    }
+
+    void move32(Imm32 imm, Register dest) {
+        Mov(ARMRegister(dest, 32), (int64_t)imm.value);
+    }
+    void move32(Register src, Register dest) {
+        Mov(ARMRegister(dest, 32), ARMRegister(src, 32));
+    }
+
+    // Move a pointer using a literal pool, so that the pointer
+    // may be easily patched or traced.
+    // Returns the BufferOffset of the load instruction emitted.
+    BufferOffset movePatchablePtr(ImmWord ptr, Register dest);
+    BufferOffset movePatchablePtr(ImmPtr ptr, Register dest);
+
+    void not32(Register reg) {
+        Orn(ARMRegister(reg, 32), vixl::wzr, ARMRegister(reg, 32));
+    }
+    void neg32(Register reg) {
+        Negs(ARMRegister(reg, 32), Operand(ARMRegister(reg, 32)));
+    }
+
+    void loadPtr(AsmJSAbsoluteAddress address, Register dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch = temps.AcquireX();
+        movePtr(AsmJSImmPtr(address.kind()), scratch.asUnsized());
+        Ldr(ARMRegister(dest, 64), MemOperand(scratch));
+    }
+    void loadPtr(AbsoluteAddress address, Register dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch = temps.AcquireX();
+        movePtr(ImmWord((uintptr_t)address.addr), scratch.asUnsized());
+        Ldr(ARMRegister(dest, 64), MemOperand(scratch));
+    }
+    void loadPtr(const Address& address, Register dest) {
+        Ldr(ARMRegister(dest, 64), MemOperand(address));
+    }
+    void loadPtr(const BaseIndex& src, Register dest) {
+        Register base = src.base;
+        uint32_t scale = Imm32::ShiftOf(src.scale).value;
+        ARMRegister dest64(dest, 64);
+        ARMRegister index64(src.index, 64);
+
+        if (src.offset) {
+            vixl::UseScratchRegisterScope temps(this);
+            const ARMRegister scratch = temps.AcquireX();
+            MOZ_ASSERT(!scratch.Is(ARMRegister(base, 64)));
+            MOZ_ASSERT(!scratch.Is(dest64));
+            MOZ_ASSERT(!scratch.Is(index64));
+
+            Add(scratch, ARMRegister(base, 64), Operand(int64_t(src.offset)));
+            Ldr(dest64, MemOperand(scratch, index64, vixl::LSL, scale));
+            return;
+        }
+
+        Ldr(dest64, MemOperand(ARMRegister(base, 64), index64, vixl::LSL, scale));
+    }
+    void loadPrivate(const Address& src, Register dest) {
+        loadPtr(src, dest);
+        lshiftPtr(Imm32(1), dest);
+    }
+
+    void store8(Register src, const Address& address) {
+        Strb(ARMRegister(src, 32), MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void store8(Imm32 imm, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != address.base);
+        move32(imm, scratch32.asUnsized());
+        Strb(scratch32, MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void store8(Register src, const BaseIndex& address) {
+        doBaseIndex(ARMRegister(src, 32), address, vixl::STRB_w);
+    }
+    void store8(Imm32 imm, const BaseIndex& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != address.base);
+        MOZ_ASSERT(scratch32.asUnsized() != address.index);
+        Mov(scratch32, Operand(imm.value));
+        doBaseIndex(scratch32, address, vixl::STRB_w);
+    }
+
+    void store16(Register src, const Address& address) {
+        Strh(ARMRegister(src, 32), MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void store16(Imm32 imm, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != address.base);
+        move32(imm, scratch32.asUnsized());
+        Strh(scratch32, MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void store16(Register src, const BaseIndex& address) {
+        doBaseIndex(ARMRegister(src, 32), address, vixl::STRH_w);
+    }
+    void store16(Imm32 imm, const BaseIndex& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != address.base);
+        MOZ_ASSERT(scratch32.asUnsized() != address.index);
+        Mov(scratch32, Operand(imm.value));
+        doBaseIndex(scratch32, address, vixl::STRH_w);
+    }
+
+    void storePtr(ImmWord imm, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != address.base);
+        movePtr(imm, scratch);
+        storePtr(scratch, address);
+    }
+    void storePtr(ImmPtr imm, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != address.base);
+        Mov(scratch64, uint64_t(imm.value));
+        Str(scratch64, MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void storePtr(ImmGCPtr imm, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != address.base);
+        movePtr(imm, scratch);
+        storePtr(scratch, address);
+    }
+    void storePtr(Register src, const Address& address) {
+        Str(ARMRegister(src, 64), MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+
+    void storePtr(ImmWord imm, const BaseIndex& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != address.base);
+        MOZ_ASSERT(scratch64.asUnsized() != address.index);
+        Mov(scratch64, Operand(imm.value));
+        doBaseIndex(scratch64, address, vixl::STR_x);
+    }
+    void storePtr(ImmGCPtr imm, const BaseIndex& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != address.base);
+        MOZ_ASSERT(scratch != address.index);
+        movePtr(imm, scratch);
+        doBaseIndex(ARMRegister(scratch, 64), address, vixl::STR_x);
+    }
+    void storePtr(Register src, const BaseIndex& address) {
+        doBaseIndex(ARMRegister(src, 64), address, vixl::STR_x);
+    }
+
+    void storePtr(Register src, AbsoluteAddress address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        Mov(scratch64, uint64_t(address.addr));
+        Str(ARMRegister(src, 64), MemOperand(scratch64));
+    }
+
+    void store32(Register src, AbsoluteAddress address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        Mov(scratch64, uint64_t(address.addr));
+        Str(ARMRegister(src, 32), MemOperand(scratch64));
+    }
+    void store32(Imm32 imm, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != address.base);
+        Mov(scratch32, uint64_t(imm.value));
+        Str(scratch32, MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void store32(Register r, const Address& address) {
+        Str(ARMRegister(r, 32), MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void store32(Imm32 imm, const BaseIndex& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != address.base);
+        MOZ_ASSERT(scratch32.asUnsized() != address.index);
+        Mov(scratch32, imm.value);
+        doBaseIndex(scratch32, address, vixl::STR_w);
+    }
+    void store32(Register r, const BaseIndex& address) {
+        doBaseIndex(ARMRegister(r, 32), address, vixl::STR_w);
+    }
+
+    void store32_NoSecondScratch(Imm32 imm, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        temps.Exclude(ARMRegister(ScratchReg2, 32)); // Disallow ScratchReg2.
+        const ARMRegister scratch32 = temps.AcquireW();
+
+        MOZ_ASSERT(scratch32.asUnsized() != address.base);
+        Mov(scratch32, uint64_t(imm.value));
+        Str(scratch32, MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+
+    // SIMD.
+    void loadInt32x1(const Address& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void loadInt32x1(const BaseIndex& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void loadInt32x2(const Address& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void loadInt32x2(const BaseIndex& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void loadInt32x3(const Address& src, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void loadInt32x3(const BaseIndex& src, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void storeInt32x1(FloatRegister src, const Address& dest) { MOZ_CRASH("NYI"); }
+    void storeInt32x1(FloatRegister src, const BaseIndex& dest) { MOZ_CRASH("NYI"); }
+    void storeInt32x2(FloatRegister src, const Address& dest) { MOZ_CRASH("NYI"); }
+    void storeInt32x2(FloatRegister src, const BaseIndex& dest) { MOZ_CRASH("NYI"); }
+    void storeInt32x3(FloatRegister src, const Address& dest) { MOZ_CRASH("NYI"); }
+    void storeInt32x3(FloatRegister src, const BaseIndex& dest) { MOZ_CRASH("NYI"); }
+    void loadAlignedInt32x4(const Address& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void loadAlignedInt32x4(const BaseIndex& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void storeAlignedInt32x4(FloatRegister src, const Address& addr) { MOZ_CRASH("NYI"); }
+    void storeAlignedInt32x4(FloatRegister src, const BaseIndex& addr) { MOZ_CRASH("NYI"); }
+    void loadUnalignedInt32x4(const Address& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void loadUnalignedInt32x4(const BaseIndex& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void storeUnalignedInt32x4(FloatRegister dest, const Address& addr) { MOZ_CRASH("NYI"); }
+    void storeUnalignedInt32x4(FloatRegister dest, const BaseIndex& addr) { MOZ_CRASH("NYI"); }
+
+    void loadFloat32x3(const Address& src, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void loadFloat32x3(const BaseIndex& src, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void storeFloat32x3(FloatRegister src, const Address& dest) { MOZ_CRASH("NYI"); }
+    void storeFloat32x3(FloatRegister src, const BaseIndex& dest) { MOZ_CRASH("NYI"); }
+    void loadAlignedFloat32x4(const Address& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void loadAlignedFloat32x4(const BaseIndex& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void storeAlignedFloat32x4(FloatRegister src, const Address& addr) { MOZ_CRASH("NYI"); }
+    void storeAlignedFloat32x4(FloatRegister src, const BaseIndex& addr) { MOZ_CRASH("NYI"); }
+    void loadUnalignedFloat32x4(const Address& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void loadUnalignedFloat32x4(const BaseIndex& addr, FloatRegister dest) { MOZ_CRASH("NYI"); }
+    void storeUnalignedFloat32x4(FloatRegister dest, const Address& addr) { MOZ_CRASH("NYI"); }
+    void storeUnalignedFloat32x4(FloatRegister dest, const BaseIndex& addr) { MOZ_CRASH("NYI"); }
+
+    // StackPointer manipulation.
+    template <typename T>
+    void addToStackPtr(T t) { addPtr(t, getStackPointer()); }
+    template <typename T>
+    void addStackPtrTo(T t) { addPtr(getStackPointer(), t); }
+
+    template <typename T>
+    void subFromStackPtr(T t) { subPtr(t, getStackPointer()); syncStackPtr(); }
+    template <typename T>
+    void subStackPtrFrom(T t) { subPtr(getStackPointer(), t); }
+
+    template <typename T>
+    void andToStackPtr(T t) { andPtr(t, getStackPointer()); syncStackPtr(); }
+    template <typename T>
+    void andStackPtrTo(T t) { andPtr(getStackPointer(), t); }
+
+    template <typename T>
+    void moveToStackPtr(T t) { movePtr(t, getStackPointer()); syncStackPtr(); }
+    template <typename T>
+    void moveStackPtrTo(T t) { movePtr(getStackPointer(), t); }
+
+    template <typename T>
+    void loadStackPtr(T t) { loadPtr(t, getStackPointer()); syncStackPtr(); }
+    template <typename T>
+    void storeStackPtr(T t) { storePtr(getStackPointer(), t); }
+
+    // StackPointer testing functions.
+    template <typename T>
+    void branchTestStackPtr(Condition cond, T t, Label* label) {
+        branchTestPtr(cond, getStackPointer(), t, label);
+    }
+    template <typename T>
+    void branchStackPtr(Condition cond, T rhs, Label* label) {
+        branchPtr(cond, getStackPointer(), rhs, label);
+    }
+    template <typename T>
+    void branchStackPtrRhs(Condition cond, T lhs, Label* label) {
+        branchPtr(cond, lhs, getStackPointer(), label);
+    }
+
+    void rshiftPtr(Imm32 imm, Register dest) {
+        Lsr(ARMRegister(dest, 64), ARMRegister(dest, 64), imm.value);
+    }
+    void rshiftPtr(Imm32 imm, Register src, Register dest) {
+        Lsr(ARMRegister(dest, 64), ARMRegister(src, 64), imm.value);
+    }
+
+    void rshiftPtrArithmetic(Imm32 imm, Register dest) {
+        Asr(ARMRegister(dest, 64), ARMRegister(dest, 64), imm.value);
+    }
+    void lshiftPtr(Imm32 imm, Register dest) {
+        Lsl(ARMRegister(dest, 64), ARMRegister(dest, 64), imm.value);
+    }
+    void xorPtr(Imm32 imm, Register dest) {
+        Eor(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(imm.value));
+    }
+    void xor32(Imm32 imm, Register dest) {
+        Eor(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(imm.value));
+    }
+
+    void xorPtr(Register src, Register dest) {
+        Eor(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(ARMRegister(src, 64)));
+    }
+    void orPtr(ImmWord imm, Register dest) {
+        Orr(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(imm.value));
+    }
+    void orPtr(Imm32 imm, Register dest) {
+        Orr(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(imm.value));
+    }
+    void orPtr(Register src, Register dest) {
+        Orr(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(ARMRegister(src, 64)));
+    }
+    void or32(Imm32 imm, Register dest) {
+        Orr(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(imm.value));
+    }
+    void or32(Register src, Register dest) {
+        Orr(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(ARMRegister(src, 32)));
+    }
+    void or32(Imm32 imm, const Address& dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != dest.base);
+        load32(dest, scratch32.asUnsized());
+        Orr(scratch32, scratch32, Operand(imm.value));
+        store32(scratch32.asUnsized(), dest);
+    }
+    void andPtr(Imm32 imm, Register dest) {
+        And(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(imm.value));
+    }
+    void andPtr(Register src, Register dest) {
+        And(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(ARMRegister(src, 64)));
+    }
+    void and32(Imm32 imm, Register dest) {
+        And(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(imm.value));
+    }
+    void and32(Imm32 imm, Register src, Register dest) {
+        And(ARMRegister(dest, 32), ARMRegister(src, 32), Operand(imm.value));
+    }
+
+    void and32(Register src, Register dest) {
+        And(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(ARMRegister(src, 32)));
+    }
+    void and32(Imm32 mask, Address dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != dest.base);
+        load32(dest, scratch32.asUnsized());
+        And(scratch32, scratch32, Operand(mask.value));
+        store32(scratch32.asUnsized(), dest);
+    }
+    void and32(Address src, Register dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != src.base);
+        load32(src, scratch32.asUnsized());
+        And(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(scratch32));
+    }
+
+    void testPtr(Register lhs, Register rhs) {
+        Tst(ARMRegister(lhs, 64), Operand(ARMRegister(rhs, 64)));
+    }
+    void test32(Register lhs, Register rhs) {
+        Tst(ARMRegister(lhs, 32), Operand(ARMRegister(rhs, 32)));
+    }
+    void test32(const Address& addr, Imm32 imm) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != addr.base);
+        load32(addr, scratch32.asUnsized());
+        Tst(scratch32, Operand(imm.value));
+    }
+    void test32(Register lhs, Imm32 rhs) {
+        Tst(ARMRegister(lhs, 32), Operand(rhs.value));
+    }
+    void cmp32(Register lhs, Imm32 rhs) {
+        Cmp(ARMRegister(lhs, 32), Operand(rhs.value));
+    }
+    void cmp32(Register a, Register b) {
+        Cmp(ARMRegister(a, 32), Operand(ARMRegister(b, 32)));
+    }
+    void cmp32(const Operand& lhs, Imm32 rhs) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        Mov(scratch32, lhs);
+        Cmp(scratch32, Operand(rhs.value));
+    }
+    void cmp32(const Operand& lhs, Register rhs) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        Mov(scratch32, lhs);
+        Cmp(scratch32, Operand(ARMRegister(rhs, 32)));
+    }
+
+    void cmpPtr(Register lhs, Imm32 rhs) {
+        Cmp(ARMRegister(lhs, 64), Operand(rhs.value));
+    }
+    void cmpPtr(Register lhs, ImmWord rhs) {
+        Cmp(ARMRegister(lhs, 64), Operand(rhs.value));
+    }
+    void cmpPtr(Register lhs, ImmPtr rhs) {
+        Cmp(ARMRegister(lhs, 64), Operand(uint64_t(rhs.value)));
+    }
+    void cmpPtr(Register lhs, Register rhs) {
+        Cmp(ARMRegister(lhs, 64), ARMRegister(rhs, 64));
+    }
+    void cmpPtr(Register lhs, ImmGCPtr rhs) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != lhs);
+        movePtr(rhs, scratch);
+        cmpPtr(lhs, scratch);
+    }
+    void cmpPtr(Register lhs, ImmMaybeNurseryPtr rhs) {
+        cmpPtr(lhs, noteMaybeNurseryPtr(rhs));
+    }
+
+    void cmpPtr(const Address& lhs, Register rhs) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != lhs.base);
+        MOZ_ASSERT(scratch64.asUnsized() != rhs);
+        Ldr(scratch64, MemOperand(ARMRegister(lhs.base, 64), lhs.offset));
+        Cmp(scratch64, Operand(ARMRegister(rhs, 64)));
+    }
+    void cmpPtr(const Address& lhs, ImmWord rhs) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != lhs.base);
+        Ldr(scratch64, MemOperand(ARMRegister(lhs.base, 64), lhs.offset));
+        Cmp(scratch64, Operand(rhs.value));
+    }
+    void cmpPtr(const Address& lhs, ImmPtr rhs) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != lhs.base);
+        Ldr(scratch64, MemOperand(ARMRegister(lhs.base, 64), lhs.offset));
+        Cmp(scratch64, Operand(uint64_t(rhs.value)));
+    }
+    void cmpPtr(const Address& lhs, ImmGCPtr rhs) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != lhs.base);
+        loadPtr(lhs, scratch);
+        cmpPtr(scratch, rhs);
+    }
+
+    void loadDouble(const Address& src, FloatRegister dest) {
+        Ldr(ARMFPRegister(dest, 64), MemOperand(ARMRegister(src.base,64), src.offset));
+    }
+    void loadDouble(const BaseIndex& src, FloatRegister dest) {
+        ARMRegister base(src.base, 64);
+        ARMRegister index(src.index, 64);
+
+        if (src.offset == 0) {
+            Ldr(ARMFPRegister(dest, 64), MemOperand(base, index, vixl::LSL, unsigned(src.scale)));
+            return;
+        }
+
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != src.base);
+        MOZ_ASSERT(scratch64.asUnsized() != src.index);
+
+        Add(scratch64, base, Operand(index, vixl::LSL, unsigned(src.scale)));
+        Ldr(ARMFPRegister(dest, 64), MemOperand(scratch64, src.offset));
+    }
+    void loadFloatAsDouble(const Address& addr, FloatRegister dest) {
+        Ldr(ARMFPRegister(dest, 32), MemOperand(ARMRegister(addr.base,64), addr.offset));
+        fcvt(ARMFPRegister(dest, 64), ARMFPRegister(dest, 32));
+    }
+    void loadFloatAsDouble(const BaseIndex& src, FloatRegister dest) {
+        ARMRegister base(src.base, 64);
+        ARMRegister index(src.index, 64);
+        if (src.offset == 0) {
+            Ldr(ARMFPRegister(dest, 32), MemOperand(base, index, vixl::LSL, unsigned(src.scale)));
+        } else {
+            vixl::UseScratchRegisterScope temps(this);
+            const ARMRegister scratch64 = temps.AcquireX();
+            MOZ_ASSERT(scratch64.asUnsized() != src.base);
+            MOZ_ASSERT(scratch64.asUnsized() != src.index);
+
+            Add(scratch64, base, Operand(index, vixl::LSL, unsigned(src.scale)));
+            Ldr(ARMFPRegister(dest, 32), MemOperand(scratch64, src.offset));
+        }
+        fcvt(ARMFPRegister(dest, 64), ARMFPRegister(dest, 32));
+    }
+
+    void loadFloat32(const Address& addr, FloatRegister dest) {
+        Ldr(ARMFPRegister(dest, 32), MemOperand(ARMRegister(addr.base,64), addr.offset));
+    }
+    void loadFloat32(const BaseIndex& src, FloatRegister dest) {
+        ARMRegister base(src.base, 64);
+        ARMRegister index(src.index, 64);
+        if (src.offset == 0) {
+            Ldr(ARMFPRegister(dest, 32), MemOperand(base, index, vixl::LSL, unsigned(src.scale)));
+        } else {
+            vixl::UseScratchRegisterScope temps(this);
+            const ARMRegister scratch64 = temps.AcquireX();
+            MOZ_ASSERT(scratch64.asUnsized() != src.base);
+            MOZ_ASSERT(scratch64.asUnsized() != src.index);
+
+            Add(scratch64, base, Operand(index, vixl::LSL, unsigned(src.scale)));
+            Ldr(ARMFPRegister(dest, 32), MemOperand(scratch64, src.offset));
+        }
+    }
+
+    void storeDouble(FloatRegister src, const Address& dest) {
+        Str(ARMFPRegister(src, 64), MemOperand(ARMRegister(dest.base, 64), dest.offset));
+    }
+    void storeDouble(FloatRegister src, const BaseIndex& dest) {
+        doBaseIndex(ARMFPRegister(src, 64), dest, vixl::STR_d);
+    }
+
+    void storeFloat32(FloatRegister src, Address addr) {
+        Str(ARMFPRegister(src, 32), MemOperand(ARMRegister(addr.base, 64), addr.offset));
+    }
+    void storeFloat32(FloatRegister src, BaseIndex addr) {
+        doBaseIndex(ARMFPRegister(src, 32), addr, vixl::STR_s);
+    }
+
+    void moveDouble(FloatRegister src, FloatRegister dest) {
+        fmov(ARMFPRegister(dest, 64), ARMFPRegister(src, 64));
+    }
+    void zeroDouble(FloatRegister reg) {
+        fmov(ARMFPRegister(reg, 64), vixl::xzr);
+    }
+    void zeroFloat32(FloatRegister reg) {
+        fmov(ARMFPRegister(reg, 32), vixl::wzr);
+    }
+    void negateDouble(FloatRegister reg) {
+        fneg(ARMFPRegister(reg, 64), ARMFPRegister(reg, 64));
+    }
+    void negateFloat(FloatRegister reg) {
+        fneg(ARMFPRegister(reg, 32), ARMFPRegister(reg, 32));
+    }
+    void addDouble(FloatRegister src, FloatRegister dest) {
+        fadd(ARMFPRegister(dest, 64), ARMFPRegister(dest, 64), ARMFPRegister(src, 64));
+    }
+    void subDouble(FloatRegister src, FloatRegister dest) {
+        fsub(ARMFPRegister(dest, 64), ARMFPRegister(dest, 64), ARMFPRegister(src, 64));
+    }
+    void mulDouble(FloatRegister src, FloatRegister dest) {
+        fmul(ARMFPRegister(dest, 64), ARMFPRegister(dest, 64), ARMFPRegister(src, 64));
+    }
+    void divDouble(FloatRegister src, FloatRegister dest) {
+        fdiv(ARMFPRegister(dest, 64), ARMFPRegister(dest, 64), ARMFPRegister(src, 64));
+    }
+
+    void moveFloat32(FloatRegister src, FloatRegister dest) {
+        fmov(ARMFPRegister(dest, 32), ARMFPRegister(src, 32));
+    }
+    void moveFloatAsDouble(Register src, FloatRegister dest) {
+        MOZ_CRASH("moveFloatAsDouble");
+    }
+
+    void splitTag(const ValueOperand& operand, Register dest) {
+        splitTag(operand.valueReg(), dest);
+    }
+    void splitTag(const Address& operand, Register dest) {
+        loadPtr(operand, dest);
+        splitTag(dest, dest);
+    }
+    void splitTag(const BaseIndex& operand, Register dest) {
+        loadPtr(operand, dest);
+        splitTag(dest, dest);
+    }
+
+    // Extracts the tag of a value and places it in ScratchReg.
+    Register splitTagForTest(const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != value.valueReg());
+        Lsr(scratch64, ARMRegister(value.valueReg(), 64), JSVAL_TAG_SHIFT);
+        return scratch64.asUnsized(); // FIXME: Surely we can make a better interface.
+    }
+    void cmpTag(const ValueOperand& operand, ImmTag tag) {
+        MOZ_CRASH("cmpTag");
+    }
+
+    void load32(const Address& address, Register dest) {
+        Ldr(ARMRegister(dest, 32), MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void load32(const BaseIndex& src, Register dest) {
+        doBaseIndex(ARMRegister(dest, 32), src, vixl::LDR_w);
+    }
+    void load32(AbsoluteAddress address, Register dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        movePtr(ImmWord((uintptr_t)address.addr), scratch64.asUnsized());
+        ldr(ARMRegister(dest, 32), MemOperand(scratch64));
+    }
+
+    void load8SignExtend(const Address& address, Register dest) {
+        Ldrsb(ARMRegister(dest, 32), MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void load8SignExtend(const BaseIndex& src, Register dest) {
+        doBaseIndex(ARMRegister(dest, 32), src, vixl::LDRSB_w);
+    }
+
+    void load8ZeroExtend(const Address& address, Register dest) {
+        Ldrb(ARMRegister(dest, 32), MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void load8ZeroExtend(const BaseIndex& src, Register dest) {
+        doBaseIndex(ARMRegister(dest, 32), src, vixl::LDRB_w);
+    }
+
+    void load16SignExtend(const Address& address, Register dest) {
+        Ldrsh(ARMRegister(dest, 32), MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void load16SignExtend(const BaseIndex& src, Register dest) {
+        doBaseIndex(ARMRegister(dest, 32), src, vixl::LDRSH_w);
+    }
+
+    void load16ZeroExtend(const Address& address, Register dest) {
+        Ldrh(ARMRegister(dest, 32), MemOperand(ARMRegister(address.base, 64), address.offset));
+    }
+    void load16ZeroExtend(const BaseIndex& src, Register dest) {
+        doBaseIndex(ARMRegister(dest, 32), src, vixl::LDRH_w);
+    }
+
+    void add32(Register src, Register dest) {
+        Add(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(ARMRegister(src, 32)));
+    }
+    void add32(Imm32 imm, Register dest) {
+        Add(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(imm.value));
+    }
+    void add32(Imm32 imm, const Address& dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != dest.base);
+
+        Ldr(scratch32, MemOperand(ARMRegister(dest.base, 64), dest.offset));
+        Add(scratch32, scratch32, Operand(imm.value));
+        Str(scratch32, MemOperand(ARMRegister(dest.base, 64), dest.offset));
+    }
+
+    void adds32(Register src, Register dest) {
+        Adds(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(ARMRegister(src, 32)));
+    }
+    void adds32(Imm32 imm, Register dest) {
+        Adds(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(imm.value));
+    }
+    void adds32(Imm32 imm, const Address& dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != dest.base);
+
+        Ldr(scratch32, MemOperand(ARMRegister(dest.base, 64), dest.offset));
+        Adds(scratch32, scratch32, Operand(imm.value));
+        Str(scratch32, MemOperand(ARMRegister(dest.base, 64), dest.offset));
+    }
+
+    void sub32(Imm32 imm, Register dest) {
+        Sub(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(imm.value));
+    }
+    void sub32(Register src, Register dest) {
+        Sub(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(ARMRegister(src, 32)));
+    }
+
+    void subs32(Imm32 imm, Register dest) {
+        Subs(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(imm.value));
+    }
+    void subs32(Register src, Register dest) {
+        Subs(ARMRegister(dest, 32), ARMRegister(dest, 32), Operand(ARMRegister(src, 32)));
+    }
+
+    void addPtr(Register src, Register dest) {
+        Add(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(ARMRegister(src, 64)));
+    }
+    void addPtr(Register src1, Register src2, Register dest) {
+        Add(ARMRegister(dest, 64), ARMRegister(src1, 64), Operand(ARMRegister(src2, 64)));
+    }
+
+    void addPtr(Imm32 imm, Register dest) {
+        Add(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(imm.value));
+    }
+    void addPtr(Imm32 imm, Register src, Register dest) {
+        Add(ARMRegister(dest, 64), ARMRegister(src, 64), Operand(imm.value));
+    }
+
+    void addPtr(Imm32 imm, const Address& dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != dest.base);
+
+        Ldr(scratch64, MemOperand(ARMRegister(dest.base, 64), dest.offset));
+        Add(scratch64, scratch64, Operand(imm.value));
+        Str(scratch64, MemOperand(ARMRegister(dest.base, 64), dest.offset));
+    }
+    void addPtr(ImmWord imm, Register dest) {
+        Add(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(imm.value));
+    }
+    void addPtr(ImmPtr imm, Register dest) {
+        Add(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(uint64_t(imm.value)));
+    }
+    void addPtr(const Address& src, Register dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != src.base);
+
+        Ldr(scratch64, MemOperand(ARMRegister(src.base, 64), src.offset));
+        Add(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(scratch64));
+    }
+    void subPtr(Imm32 imm, Register dest) {
+        Sub(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(imm.value));
+    }
+    void subPtr(Register src, Register dest) {
+        Sub(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(ARMRegister(src, 64)));
+    }
+    void subPtr(const Address& addr, Register dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != addr.base);
+
+        Ldr(scratch64, MemOperand(ARMRegister(addr.base, 64), addr.offset));
+        Sub(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(scratch64));
+    }
+    void subPtr(Register src, const Address& dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != dest.base);
+
+        Ldr(scratch64, MemOperand(ARMRegister(dest.base, 64), dest.offset));
+        Sub(scratch64, scratch64, Operand(ARMRegister(src, 64)));
+        Str(scratch64, MemOperand(ARMRegister(dest.base, 64), dest.offset));
+    }
+    void mul32(Register src1, Register src2, Register dest, Label* onOver, Label* onZero) {
+        Smull(ARMRegister(dest, 64), ARMRegister(src1, 32), ARMRegister(src2, 32));
+        if (onOver) {
+            Cmp(ARMRegister(dest, 64), Operand(ARMRegister(dest, 32), vixl::SXTW));
+            B(onOver, NotEqual);
+        }
+        if (onZero)
+            Cbz(ARMRegister(dest, 32), onZero);
+
+        // Clear upper 32 bits.
+        Mov(ARMRegister(dest, 32), ARMRegister(dest, 32));
+    }
+
+    void ret() {
+        pop(lr);
+        abiret();
+    }
+
+    void retn(Imm32 n) {
+        // ip0 <- [sp]; sp += n; ret ip0
+        Ldr(vixl::ip0, MemOperand(GetStackPointer64(), ptrdiff_t(n.value), vixl::PostIndex));
+        syncStackPtr(); // SP is always used to transmit the stack between calls.
+        Ret(vixl::ip0);
+    }
+
+    void j(Condition code, Label* dest) {
+        b(dest, code);
+    }
+    void j(Label* dest) {
+        b(dest, Always);
+    }
+
+    void branch(Condition cond, Label* label) {
+        b(label, cond);
+    }
+    void branch(JitCode* target) {
+        syncStackPtr();
+        addPendingJump(nextOffset(), ImmPtr(target->raw()), Relocation::JITCODE);
+        b(-1); // The jump target will be patched by executableCopy().
+    }
+
+    void branch16(Condition cond, Register lhs, Register rhs, Label* label) {
+        MOZ_CRASH("branch16");
+    }
+
+    void branch32(Condition cond, const Operand& lhs, Register rhs, Label* label) {
+        // since rhs is an operand, do the compare backwards
+        Cmp(ARMRegister(rhs, 32), lhs);
+        b(label, Assembler::InvertCmpCondition(cond));
+    }
+    void branch32(Condition cond, const Operand& lhs, Imm32 rhs, Label* label) {
+        ARMRegister l = lhs.reg();
+        Cmp(l, Operand(rhs.value));
+        b(label, cond);
+    }
+    void branch32(Condition cond, Register lhs, Register rhs, Label* label) {
+        cmp32(lhs, rhs);
+        b(label, cond);
+    }
+    void branch32(Condition cond, Register lhs, Imm32 imm, Label* label) {
+        cmp32(lhs, imm);
+        b(label, cond);
+    }
+    void branch32(Condition cond, const Address& lhs, Register rhs, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != lhs.base);
+        MOZ_ASSERT(scratch != rhs);
+        load32(lhs, scratch);
+        branch32(cond, scratch, rhs, label);
+    }
+    void branch32(Condition cond, const Address& lhs, Imm32 imm, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != lhs.base);
+        load32(lhs, scratch);
+        branch32(cond, scratch, imm, label);
+    }
+    void branch32(Condition cond, AbsoluteAddress lhs, Register rhs, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        movePtr(ImmPtr(lhs.addr), scratch);
+        branch32(cond, Address(scratch, 0), rhs, label);
+    }
+    void branch32(Condition cond, AbsoluteAddress lhs, Imm32 rhs, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        movePtr(ImmPtr(lhs.addr), scratch);
+        branch32(cond, Address(scratch, 0), rhs, label);
+    }
+    void branch32(Condition cond, AsmJSAbsoluteAddress lhs, Imm32 rhs, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        movePtr(AsmJSImmPtr(lhs.kind()), scratch);
+        branch32(cond, Address(scratch, 0), rhs, label);
+    }
+    void branch32(Condition cond, BaseIndex lhs, Imm32 rhs, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != lhs.base);
+        MOZ_ASSERT(scratch32.asUnsized() != lhs.index);
+        doBaseIndex(scratch32, lhs, vixl::LDR_w);
+        branch32(cond, scratch32.asUnsized(), rhs, label);
+    }
+
+    void branchSub32(Condition cond, const Address& lhs, Register rhs, Label* label) {
+        MOZ_CRASH("branchSub32");
+    }
+    void branchSub32(Condition cond, const Address& lhs, Imm32 imm, Label* label) {
+        MOZ_CRASH("branchSub32");
+    }
+    void branchSub32(Condition cond, Register lhs, Imm32 imm, Label* label) {
+        MOZ_CRASH("branchSub32");
+    }
+    void branchSub32(Condition cond, Register lhs, Register rhs, Label* label) {
+        MOZ_CRASH("branchSub32");
+    }
+    void branchSub32(Condition cond, AbsoluteAddress lhs, Imm32 rhs, Label* label) {
+        MOZ_CRASH("branchSub32");
+    }
+    void branchSub32(Condition cond, AbsoluteAddress lhs, Register rhs, Label* label) {
+        MOZ_CRASH("branchSub32");
+    }
+
+    void branchTest16(Condition cond, Register lhs, Register rhs, Label* label) {
+        MOZ_CRASH("branchTest16");
+    }
+    void branchTest32(Condition cond, Register lhs, Register rhs, Label* label) {
+        MOZ_ASSERT(cond == Zero || cond == NonZero || cond == Signed || cond == NotSigned);
+        // x86 prefers |test foo, foo| to |cmp foo, #0|.
+        // Convert the former to the latter for ARM.
+        if (lhs == rhs && (cond == Zero || cond == NonZero))
+            cmp32(lhs, Imm32(0));
+        else
+            test32(lhs, rhs);
+        B(label, cond);
+    }
+    void branchTest32(Condition cond, Register lhs, Imm32 imm, Label* label) {
+        MOZ_ASSERT(cond == Zero || cond == NonZero || cond == Signed || cond == NotSigned);
+        test32(lhs, imm);
+        B(label, cond);
+    }
+    void branchTest32(Condition cond, const Address& address, Imm32 imm, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != address.base);
+        load32(address, scratch);
+        branchTest32(cond, scratch, imm, label);
+    }
+    void branchTest32(Condition cond, AbsoluteAddress address, Imm32 imm, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        loadPtr(address, scratch);
+        branchTest32(cond, scratch, imm, label);
+    }
+    CodeOffsetJump jumpWithPatch(RepatchLabel* label, Condition cond = Always) {
+        ARMBuffer::PoolEntry pe;
+        BufferOffset load_bo;
+        BufferOffset branch_bo;
+
+        // Does not overwrite condition codes from the caller.
+        {
+            vixl::UseScratchRegisterScope temps(this);
+            const ARMRegister scratch64 = temps.AcquireX();
+            load_bo = immPool64(scratch64, (uint64_t)label, &pe);
+        }
+
+        MOZ_ASSERT(!label->bound());
+        if (cond != Always) {
+            Label notTaken;
+            b(&notTaken, Assembler::InvertCondition(cond));
+            branch_bo = b(-1);
+            bind(&notTaken);
+        } else {
+            nop();
+            branch_bo = b(-1);
+        }
+        label->use(branch_bo.getOffset());
+        return CodeOffsetJump(load_bo.getOffset(), pe.index());
+    }
+    CodeOffsetJump backedgeJump(RepatchLabel* label) {
+        return jumpWithPatch(label);
+    }
+    template <typename T>
+    CodeOffsetJump branchPtrWithPatch(Condition cond, Register reg, T ptr, RepatchLabel* label) {
+        cmpPtr(reg, ptr);
+        return jumpWithPatch(label, cond);
+    }
+    template <typename T>
+    CodeOffsetJump branchPtrWithPatch(Condition cond, Address addr, T ptr, RepatchLabel* label) {
+        // The scratch register is unused after the condition codes are set.
+        {
+            vixl::UseScratchRegisterScope temps(this);
+            const Register scratch = temps.AcquireX().asUnsized();
+            MOZ_ASSERT(scratch != addr.base);
+            loadPtr(addr, scratch);
+            cmpPtr(scratch, ptr);
+        }
+        return jumpWithPatch(label, cond);
+    }
+
+    void branchPtr(Condition cond, AsmJSAbsoluteAddress lhs, Register rhs, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != rhs);
+        loadPtr(lhs, scratch);
+        branchPtr(cond, scratch, rhs, label);
+    }
+    void branchPtr(Condition cond, Address lhs, ImmWord ptr, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != lhs.base);
+        loadPtr(lhs, scratch);
+        branchPtr(cond, scratch, ptr, label);
+    }
+    void branchPtr(Condition cond, Address lhs, ImmPtr ptr, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != lhs.base);
+        loadPtr(lhs, scratch);
+        branchPtr(cond, scratch, ptr, label);
+    }
+    void branchPtr(Condition cond, Address lhs, Register ptr, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != lhs.base);
+        MOZ_ASSERT(scratch != ptr);
+        loadPtr(lhs, scratch);
+        branchPtr(cond, scratch, ptr, label);
+    }
+    void branchPtr(Condition cond, Register lhs, Imm32 imm, Label* label) {
+        cmpPtr(lhs, imm);
+        B(label, cond);
+    }
+    void branchPtr(Condition cond, Register lhs, ImmWord ptr, Label* label) {
+        cmpPtr(lhs, ptr);
+        B(label, cond);
+    }
+    void branchPtr(Condition cond, Register lhs, ImmPtr rhs, Label* label) {
+        cmpPtr(lhs, rhs);
+        B(label, cond);
+    }
+    void branchPtr(Condition cond, Register lhs, ImmGCPtr ptr, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != lhs);
+        movePtr(ptr, scratch);
+        branchPtr(cond, lhs, scratch, label);
+    }
+    void branchPtr(Condition cond, Address lhs, ImmGCPtr ptr, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch1_64 = temps.AcquireX();
+        const ARMRegister scratch2_64 = temps.AcquireX();
+        MOZ_ASSERT(scratch1_64.asUnsized() != lhs.base);
+        MOZ_ASSERT(scratch2_64.asUnsized() != lhs.base);
+
+        movePtr(ptr, scratch1_64.asUnsized());
+        loadPtr(lhs, scratch2_64.asUnsized());
+        cmp(scratch2_64, scratch1_64);
+        B(cond, label);
+
+    }
+    void branchPtr(Condition cond, Address lhs, ImmMaybeNurseryPtr ptr, Label* label) {
+        branchPtr(cond, lhs, noteMaybeNurseryPtr(ptr), label);
+    }
+    void branchPtr(Condition cond, Register lhs, Register rhs, Label* label) {
+        Cmp(ARMRegister(lhs, 64), ARMRegister(rhs, 64));
+        B(label, cond);
+    }
+    void branchPtr(Condition cond, AbsoluteAddress lhs, Register rhs, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != rhs);
+        loadPtr(lhs, scratch);
+        branchPtr(cond, scratch, rhs, label);
+    }
+    void branchPtr(Condition cond, AbsoluteAddress lhs, ImmWord ptr, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        loadPtr(lhs, scratch);
+        branchPtr(cond, scratch, ptr, label);
+    }
+
+    void branchTestPtr(Condition cond, Register lhs, Register rhs, Label* label) {
+        Tst(ARMRegister(lhs, 64), Operand(ARMRegister(rhs, 64)));
+        B(label, cond);
+    }
+    void branchTestPtr(Condition cond, Register lhs, Imm32 imm, Label* label) {
+        Tst(ARMRegister(lhs, 64), Operand(imm.value));
+        B(label, cond);
+    }
+    void branchTestPtr(Condition cond, const Address& lhs, Imm32 imm, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != lhs.base);
+        loadPtr(lhs, scratch);
+        branchTestPtr(cond, scratch, imm, label);
+    }
+    void branchPrivatePtr(Condition cond, const Address& lhs, ImmPtr ptr, Label* label) {
+        branchPtr(cond, lhs, ptr, label);
+    }
+
+    void branchPrivatePtr(Condition cond, const Address& lhs, Register ptr, Label* label) {
+        branchPtr(cond, lhs, ptr, label);
+    }
+
+    void branchPrivatePtr(Condition cond, Register lhs, ImmWord ptr, Label* label) {
+        branchPtr(cond, lhs, ptr, label);
+    }
+
+    void decBranchPtr(Condition cond, Register lhs, Imm32 imm, Label* label) {
+        Subs(ARMRegister(lhs, 64), ARMRegister(lhs, 64), Operand(imm.value));
+        B(cond, label);
+    }
+
+    void branchTestUndefined(Condition cond, Register tag, Label* label) {
+        Condition c = testUndefined(cond, tag);
+        B(label, c);
+    }
+    void branchTestInt32(Condition cond, Register tag, Label* label) {
+        Condition c = testInt32(cond, tag);
+        B(label, c);
+    }
+    void branchTestDouble(Condition cond, Register tag, Label* label) {
+        Condition c = testDouble(cond, tag);
+        B(label, c);
+    }
+    void branchTestBoolean(Condition cond, Register tag, Label* label) {
+        Condition c = testBoolean(cond, tag);
+        B(label, c);
+    }
+    void branchTestNull(Condition cond, Register tag, Label* label) {
+        Condition c = testNull(cond, tag);
+        B(label, c);
+    }
+    void branchTestString(Condition cond, Register tag, Label* label) {
+        Condition c = testString(cond, tag);
+        B(label, c);
+    }
+    void branchTestSymbol(Condition cond, Register tag, Label* label) {
+        Condition c = testSymbol(cond, tag);
+        B(label, c);
+    }
+    void branchTestObject(Condition cond, Register tag, Label* label) {
+        Condition c = testObject(cond, tag);
+        B(label, c);
+    }
+    void branchTestNumber(Condition cond, Register tag, Label* label) {
+        Condition c = testNumber(cond, tag);
+        B(label, c);
+    }
+
+    void branchTestUndefined(Condition cond, const Address& address, Label* label) {
+        Condition c = testUndefined(cond, address);
+        B(label, c);
+    }
+    void branchTestInt32(Condition cond, const Address& address, Label* label) {
+        Condition c = testInt32(cond, address);
+        B(label, c);
+    }
+    void branchTestDouble(Condition cond, const Address& address, Label* label) {
+        Condition c = testDouble(cond, address);
+        B(label, c);
+    }
+    void branchTestBoolean(Condition cond, const Address& address, Label* label) {
+        Condition c = testDouble(cond, address);
+        B(label, c);
+    }
+    void branchTestNull(Condition cond, const Address& address, Label* label) {
+        Condition c = testNull(cond, address);
+        B(label, c);
+    }
+    void branchTestString(Condition cond, const Address& address, Label* label) {
+        Condition c = testString(cond, address);
+        B(label, c);
+    }
+    void branchTestSymbol(Condition cond, const Address& address, Label* label) {
+        Condition c = testSymbol(cond, address);
+        B(label, c);
+    }
+    void branchTestObject(Condition cond, const Address& address, Label* label) {
+        Condition c = testObject(cond, address);
+        B(label, c);
+    }
+    void branchTestNumber(Condition cond, const Address& address, Label* label) {
+        Condition c = testNumber(cond, address);
+        B(label, c);
+    }
+
+    // Perform a type-test on a full Value loaded into a register.
+    // Clobbers the ScratchReg.
+    void branchTestUndefined(Condition cond, const ValueOperand& src, Label* label) {
+        Condition c = testUndefined(cond, src);
+        B(label, c);
+    }
+    void branchTestInt32(Condition cond, const ValueOperand& src, Label* label) {
+        Condition c = testInt32(cond, src);
+        B(label, c);
+    }
+    void branchTestBoolean(Condition cond, const ValueOperand& src, Label* label) {
+        Condition c = testBoolean(cond, src);
+        B(label, c);
+    }
+    void branchTestDouble(Condition cond, const ValueOperand& src, Label* label) {
+        Condition c = testDouble(cond, src);
+        B(label, c);
+    }
+    void branchTestNull(Condition cond, const ValueOperand& src, Label* label) {
+        Condition c = testNull(cond, src);
+        B(label, c);
+    }
+    void branchTestString(Condition cond, const ValueOperand& src, Label* label) {
+        Condition c = testString(cond, src);
+        B(label, c);
+    }
+    void branchTestSymbol(Condition cond, const ValueOperand& src, Label* label) {
+        Condition c = testSymbol(cond, src);
+        B(label, c);
+    }
+    void branchTestObject(Condition cond, const ValueOperand& src, Label* label) {
+        Condition c = testObject(cond, src);
+        B(label, c);
+    }
+    void branchTestNumber(Condition cond, const ValueOperand& src, Label* label) {
+        Condition c = testNumber(cond, src);
+        B(label, c);
+    }
+
+    // Perform a type-test on a Value addressed by BaseIndex.
+    // Clobbers the ScratchReg.
+    void branchTestUndefined(Condition cond, const BaseIndex& address, Label* label) {
+        Condition c = testUndefined(cond, address);
+        B(label, c);
+    }
+    void branchTestInt32(Condition cond, const BaseIndex& address, Label* label) {
+        Condition c = testInt32(cond, address);
+        B(label, c);
+    }
+    void branchTestBoolean(Condition cond, const BaseIndex& address, Label* label) {
+        Condition c = testBoolean(cond, address);
+        B(label, c);
+    }
+    void branchTestDouble(Condition cond, const BaseIndex& address, Label* label) {
+        Condition c = testDouble(cond, address);
+        B(label, c);
+    }
+    void branchTestNull(Condition cond, const BaseIndex& address, Label* label) {
+        Condition c = testNull(cond, address);
+        B(label, c);
+    }
+    void branchTestString(Condition cond, const BaseIndex& address, Label* label) {
+        Condition c = testString(cond, address);
+        B(label, c);
+    }
+    void branchTestSymbol(Condition cond, const BaseIndex& address, Label* label) {
+        Condition c = testSymbol(cond, address);
+        B(label, c);
+    }
+    void branchTestObject(Condition cond, const BaseIndex& address, Label* label) {
+        Condition c = testObject(cond, address);
+        B(label, c);
+    }
+    template <typename T>
+    void branchTestGCThing(Condition cond, const T& src, Label* label) {
+        Condition c = testGCThing(cond, src);
+        B(label, c);
+    }
+    template <typename T>
+    void branchTestPrimitive(Condition cond, const T& t, Label* label) {
+        Condition c = testPrimitive(cond, t);
+        B(label, c);
+    }
+    template <typename T>
+    void branchTestMagic(Condition cond, const T& t, Label* label) {
+        Condition c = testMagic(cond, t);
+        B(label, c);
+    }
+    void branchTestMagicValue(Condition cond, const ValueOperand& val, JSWhyMagic why, Label* label) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        branchTestValue(cond, val, MagicValue(why), label);
+    }
+    void branchTestValue(Condition cond, const ValueOperand& value, const Value& v, Label* label) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != value.valueReg());
+        moveValue(v, ValueOperand(scratch64.asUnsized()));
+        Cmp(ARMRegister(value.valueReg(), 64), scratch64);
+        B(label, cond);
+    }
+    void branchTestValue(Condition cond, const Address& valaddr, const ValueOperand& value,
+                         Label* label)
+    {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != valaddr.base);
+        MOZ_ASSERT(scratch64.asUnsized() != value.valueReg());
+        loadValue(valaddr, scratch64.asUnsized());
+        Cmp(ARMRegister(value.valueReg(), 64), Operand(scratch64));
+        B(label, cond);
+    }
+
+    void compareDouble(DoubleCondition cond, FloatRegister lhs, FloatRegister rhs) {
+        Fcmp(ARMFPRegister(lhs, 64), ARMFPRegister(rhs, 64));
+    }
+    void branchDouble(DoubleCondition cond, FloatRegister lhs, FloatRegister rhs, Label* label) {
+        compareDouble(cond, lhs, rhs);
+        switch (cond) {
+          case DoubleNotEqual: {
+            Label unordered;
+            // not equal *and* ordered
+            branch(Overflow, &unordered);
+            branch(NotEqual, label);
+            bind(&unordered);
+            break;
+          }
+          case DoubleEqualOrUnordered:
+            branch(Overflow, label);
+            branch(Equal, label);
+            break;
+          default:
+            branch(Condition(cond), label);
+        }
+    }
+
+    void compareFloat(DoubleCondition cond, FloatRegister lhs, FloatRegister rhs) {
+        Fcmp(ARMFPRegister(lhs, 32), ARMFPRegister(rhs, 32));
+    }
+    void branchFloat(DoubleCondition cond, FloatRegister lhs, FloatRegister rhs, Label* label) {
+        compareFloat(cond, lhs, rhs);
+        switch (cond) {
+          case DoubleNotEqual: {
+            Label unordered;
+            // not equal *and* ordered
+            branch(Overflow, &unordered);
+            branch(NotEqual, label);
+            bind(&unordered);
+            break;
+          }
+          case DoubleEqualOrUnordered:
+            branch(Overflow, label);
+            branch(Equal, label);
+            break;
+          default:
+            branch(Condition(cond), label);
+        }
+    }
+
+    void branchNegativeZero(FloatRegister reg, Register scratch, Label* label) {
+        MOZ_CRASH("branchNegativeZero");
+    }
+    void branchNegativeZeroFloat32(FloatRegister reg, Register scratch, Label* label) {
+        MOZ_CRASH("branchNegativeZeroFloat32");
+    }
+
+    void boxDouble(FloatRegister src, const ValueOperand& dest) {
+        Fmov(ARMRegister(dest.valueReg(), 64), ARMFPRegister(src, 64));
+    }
+    void boxNonDouble(JSValueType type, Register src, const ValueOperand& dest) {
+        boxValue(type, src, dest.valueReg());
+    }
+
+    // Note that the |dest| register here may be ScratchReg, so we shouldn't use it.
+    void unboxInt32(const ValueOperand& src, Register dest) {
+        move32(src.valueReg(), dest);
+    }
+    void unboxInt32(const Address& src, Register dest) {
+        load32(src, dest);
+    }
+    void unboxDouble(const Address& src, FloatRegister dest) {
+        loadDouble(src, dest);
+    }
+    void unboxDouble(const ValueOperand& src, FloatRegister dest) {
+        Fmov(ARMFPRegister(dest, 64), ARMRegister(src.valueReg(), 64));
+    }
+
+    void unboxArgObjMagic(const ValueOperand& src, Register dest) {
+        MOZ_CRASH("unboxArgObjMagic");
+    }
+    void unboxArgObjMagic(const Address& src, Register dest) {
+        MOZ_CRASH("unboxArgObjMagic");
+    }
+
+    void unboxBoolean(const ValueOperand& src, Register dest) {
+        move32(src.valueReg(), dest);
+    }
+    void unboxBoolean(const Address& src, Register dest) {
+        load32(src, dest);
+    }
+
+    void unboxMagic(const ValueOperand& src, Register dest) {
+        move32(src.valueReg(), dest);
+    }
+    // Unbox any non-double value into dest. Prefer unboxInt32 or unboxBoolean
+    // instead if the source type is known.
+    void unboxNonDouble(const ValueOperand& src, Register dest) {
+        unboxNonDouble(src.valueReg(), dest);
+    }
+    void unboxNonDouble(Address src, Register dest) {
+        loadPtr(src, dest);
+        unboxNonDouble(dest, dest);
+    }
+
+    void unboxNonDouble(Register src, Register dest) {
+        And(ARMRegister(dest, 64), ARMRegister(src, 64), Operand((1ULL << JSVAL_TAG_SHIFT) - 1ULL));
+    }
+
+    void unboxPrivate(const ValueOperand& src, Register dest) {
+        ubfx(ARMRegister(dest, 64), ARMRegister(src.valueReg(), 64), 1, JSVAL_TAG_SHIFT - 1);
+    }
+
+    void notBoolean(const ValueOperand& val) {
+        ARMRegister r(val.valueReg(), 64);
+        eor(r, r, Operand(1));
+    }
+    void unboxObject(const ValueOperand& src, Register dest) {
+        unboxNonDouble(src.valueReg(), dest);
+    }
+    void unboxObject(Register src, Register dest) {
+        unboxNonDouble(src, dest);
+    }
+    void unboxObject(const Address& src, Register dest) {
+        loadPtr(src, dest);
+        unboxNonDouble(dest, dest);
+    }
+    void unboxObject(const BaseIndex& src, Register dest) {
+        doBaseIndex(ARMRegister(dest, 64), src, vixl::LDR_x);
+        unboxNonDouble(dest, dest);
+    }
+
+    void unboxValue(const ValueOperand& src, AnyRegister dest) {
+        if (dest.isFloat()) {
+            Label notInt32, end;
+            branchTestInt32(Assembler::NotEqual, src, &notInt32);
+            convertInt32ToDouble(src.valueReg(), dest.fpu());
+            jump(&end);
+            bind(&notInt32);
+            unboxDouble(src, dest.fpu());
+            bind(&end);
+        } else {
+            unboxNonDouble(src, dest.gpr());
+        }
+
+    }
+    void unboxString(const ValueOperand& operand, Register dest) {
+        unboxNonDouble(operand, dest);
+    }
+    void unboxString(const Address& src, Register dest) {
+        unboxNonDouble(src, dest);
+    }
+    void unboxSymbol(const ValueOperand& operand, Register dest) {
+        unboxNonDouble(operand, dest);
+    }
+    void unboxSymbol(const Address& src, Register dest) {
+        unboxNonDouble(src, dest);
+    }
+    // These two functions use the low 32-bits of the full value register.
+    void boolValueToDouble(const ValueOperand& operand, FloatRegister dest) {
+        convertInt32ToDouble(operand.valueReg(), dest);
+    }
+    void int32ValueToDouble(const ValueOperand& operand, FloatRegister dest) {
+        convertInt32ToDouble(operand.valueReg(), dest);
+    }
+
+    void boolValueToFloat32(const ValueOperand& operand, FloatRegister dest) {
+        convertInt32ToFloat32(operand.valueReg(), dest);
+    }
+    void int32ValueToFloat32(const ValueOperand& operand, FloatRegister dest) {
+        convertInt32ToFloat32(operand.valueReg(), dest);
+    }
+
+    void loadConstantDouble(double d, FloatRegister dest) {
+        Fmov(ARMFPRegister(dest, 64), d);
+    }
+    void loadConstantFloat32(float f, FloatRegister dest) {
+        Fmov(ARMFPRegister(dest, 32), f);
+    }
+
+    // Register-based tests.
+    Condition testUndefined(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, ImmTag(JSVAL_TAG_UNDEFINED));
+        return cond;
+    }
+    Condition testInt32(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, ImmTag(JSVAL_TAG_INT32));
+        return cond;
+    }
+    Condition testBoolean(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, ImmTag(JSVAL_TAG_BOOLEAN));
+        return cond;
+    }
+    Condition testNull(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, ImmTag(JSVAL_TAG_NULL));
+        return cond;
+    }
+    Condition testString(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, ImmTag(JSVAL_TAG_STRING));
+        return cond;
+    }
+    Condition testSymbol(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, ImmTag(JSVAL_TAG_SYMBOL));
+        return cond;
+    }
+    Condition testObject(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, ImmTag(JSVAL_TAG_OBJECT));
+        return cond;
+    }
+    Condition testDouble(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, Imm32(JSVAL_TAG_MAX_DOUBLE));
+        return (cond == Equal) ? BelowOrEqual : Above;
+    }
+    Condition testNumber(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, Imm32(JSVAL_UPPER_INCL_TAG_OF_NUMBER_SET));
+        return (cond == Equal) ? BelowOrEqual : Above;
+    }
+    Condition testGCThing(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, Imm32(JSVAL_LOWER_INCL_TAG_OF_GCTHING_SET));
+        return (cond == Equal) ? AboveOrEqual : Below;
+    }
+    Condition testMagic(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, ImmTag(JSVAL_TAG_MAGIC));
+        return cond;
+    }
+    Condition testPrimitive(Condition cond, Register tag) {
+        MOZ_ASSERT(cond == Equal || cond == NotEqual);
+        cmp32(tag, Imm32(JSVAL_UPPER_EXCL_TAG_OF_PRIMITIVE_SET));
+        return (cond == Equal) ? Below : AboveOrEqual;
+    }
+    Condition testError(Condition cond, Register tag) {
+        return testMagic(cond, tag);
+    }
+
+    // ValueOperand-based tests.
+    Condition testInt32(Condition cond, const ValueOperand& value) {
+        // The incoming ValueOperand may use scratch registers.
+        vixl::UseScratchRegisterScope temps(this);
+
+        if (value.valueReg() == ScratchReg2) {
+            MOZ_ASSERT(temps.IsAvailable(ScratchReg64));
+            MOZ_ASSERT(!temps.IsAvailable(ScratchReg2_64));
+            temps.Exclude(ScratchReg64);
+
+            if (cond != Equal && cond != NotEqual)
+                MOZ_CRASH("NYI: non-equality comparisons");
+
+            // In the event that the tag is not encodable in a single cmp / teq instruction,
+            // perform the xor that teq would use, this will leave the tag bits being
+            // zero, or non-zero, which can be tested with either and or shift.
+            unsigned int n, imm_r, imm_s;
+            uint64_t immediate = uint64_t(ImmTag(JSVAL_TAG_INT32).value) << JSVAL_TAG_SHIFT;
+            if (IsImmLogical(immediate, 64, &n, &imm_s, &imm_r)) {
+                Eor(ScratchReg64, ScratchReg2_64, Operand(immediate));
+            } else {
+                Mov(ScratchReg64, immediate);
+                Eor(ScratchReg64, ScratchReg2_64, ScratchReg64);
+            }
+            Tst(ScratchReg64, Operand(-1ll << JSVAL_TAG_SHIFT));
+            return cond;
+        }
+
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != value.valueReg());
+
+        splitTag(value, scratch);
+        return testInt32(cond, scratch);
+    }
+    Condition testBoolean(Condition cond, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(value.valueReg() != scratch);
+        splitTag(value, scratch);
+        return testBoolean(cond, scratch);
+    }
+    Condition testDouble(Condition cond, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(value.valueReg() != scratch);
+        splitTag(value, scratch);
+        return testDouble(cond, scratch);
+    }
+    Condition testNull(Condition cond, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(value.valueReg() != scratch);
+        splitTag(value, scratch);
+        return testNull(cond, scratch);
+    }
+    Condition testUndefined(Condition cond, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(value.valueReg() != scratch);
+        splitTag(value, scratch);
+        return testUndefined(cond, scratch);
+    }
+    Condition testString(Condition cond, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(value.valueReg() != scratch);
+        splitTag(value, scratch);
+        return testString(cond, scratch);
+    }
+    Condition testSymbol(Condition cond, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(value.valueReg() != scratch);
+        splitTag(value, scratch);
+        return testSymbol(cond, scratch);
+    }
+    Condition testObject(Condition cond, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(value.valueReg() != scratch);
+        splitTag(value, scratch);
+        return testObject(cond, scratch);
+    }
+    Condition testNumber(Condition cond, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(value.valueReg() != scratch);
+        splitTag(value, scratch);
+        return testNumber(cond, scratch);
+    }
+    Condition testPrimitive(Condition cond, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(value.valueReg() != scratch);
+        splitTag(value, scratch);
+        return testPrimitive(cond, scratch);
+    }
+    Condition testMagic(Condition cond, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(value.valueReg() != scratch);
+        splitTag(value, scratch);
+        return testMagic(cond, scratch);
+    }
+    Condition testError(Condition cond, const ValueOperand& value) {
+        return testMagic(cond, value);
+    }
+
+    // Address-based tests.
+    Condition testGCThing(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testGCThing(cond, scratch);
+    }
+    Condition testMagic(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testMagic(cond, scratch);
+    }
+    Condition testInt32(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testInt32(cond, scratch);
+    }
+    Condition testDouble(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testDouble(cond, scratch);
+    }
+    Condition testBoolean(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testBoolean(cond, scratch);
+    }
+    Condition testNull(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testNull(cond, scratch);
+    }
+    Condition testUndefined(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testUndefined(cond, scratch);
+    }
+    Condition testString(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testString(cond, scratch);
+    }
+    Condition testSymbol(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testSymbol(cond, scratch);
+    }
+    Condition testObject(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testObject(cond, scratch);
+    }
+    Condition testNumber(Condition cond, const Address& address) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(address.base != scratch);
+        splitTag(address, scratch);
+        return testNumber(cond, scratch);
+    }
+
+    // BaseIndex-based tests.
+    Condition testUndefined(Condition cond, const BaseIndex& src) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(src.base != scratch);
+        MOZ_ASSERT(src.index != scratch);
+        splitTag(src, scratch);
+        return testUndefined(cond, scratch);
+    }
+    Condition testNull(Condition cond, const BaseIndex& src) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(src.base != scratch);
+        MOZ_ASSERT(src.index != scratch);
+        splitTag(src, scratch);
+        return testNull(cond, scratch);
+    }
+    Condition testBoolean(Condition cond, const BaseIndex& src) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(src.base != scratch);
+        MOZ_ASSERT(src.index != scratch);
+        splitTag(src, scratch);
+        return testBoolean(cond, scratch);
+    }
+    Condition testString(Condition cond, const BaseIndex& src) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(src.base != scratch);
+        MOZ_ASSERT(src.index != scratch);
+        splitTag(src, scratch);
+        return testString(cond, scratch);
+    }
+    Condition testSymbol(Condition cond, const BaseIndex& src) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(src.base != scratch);
+        MOZ_ASSERT(src.index != scratch);
+        splitTag(src, scratch);
+        return testSymbol(cond, scratch);
+    }
+    Condition testInt32(Condition cond, const BaseIndex& src) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(src.base != scratch);
+        MOZ_ASSERT(src.index != scratch);
+        splitTag(src, scratch);
+        return testInt32(cond, scratch);
+    }
+    Condition testObject(Condition cond, const BaseIndex& src) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(src.base != scratch);
+        MOZ_ASSERT(src.index != scratch);
+        splitTag(src, scratch);
+        return testObject(cond, scratch);
+    }
+    Condition testDouble(Condition cond, const BaseIndex& src) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(src.base != scratch);
+        MOZ_ASSERT(src.index != scratch);
+        splitTag(src, scratch);
+        return testDouble(cond, scratch);
+    }
+    Condition testMagic(Condition cond, const BaseIndex& src) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(src.base != scratch);
+        MOZ_ASSERT(src.index != scratch);
+        splitTag(src, scratch);
+        return testMagic(cond, scratch);
+    }
+    Condition testGCThing(Condition cond, const BaseIndex& src) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(src.base != scratch);
+        MOZ_ASSERT(src.index != scratch);
+        splitTag(src, scratch);
+        return testGCThing(cond, scratch);
+    }
+
+    Condition testInt32Truthy(bool truthy, const ValueOperand& operand) {
+        ARMRegister payload32(operand.valueReg(), 32);
+        Tst(payload32, payload32);
+        return truthy ? NonZero : Zero;
+    }
+    void branchTestInt32Truthy(bool truthy, const ValueOperand& operand, Label* label) {
+        Condition c = testInt32Truthy(truthy, operand);
+        B(label, c);
+    }
+
+    void branchTestDoubleTruthy(bool truthy, FloatRegister reg, Label* label) {
+        Fcmp(ARMFPRegister(reg, 64), 0.0);
+        if (!truthy) {
+            // falsy values are zero, and NaN.
+            branch(Zero, label);
+            branch(Overflow, label);
+        } else {
+            // truthy values are non-zero and not nan.
+            // If it is overflow
+            Label onFalse;
+            branch(Zero, &onFalse);
+            branch(Overflow, &onFalse);
+            b(label);
+            bind(&onFalse);
+        }
+    }
+
+    Condition testBooleanTruthy(bool truthy, const ValueOperand& operand) {
+        ARMRegister payload32(operand.valueReg(), 32);
+        Tst(payload32, payload32);
+        return truthy ? NonZero : Zero;
+    }
+    void branchTestBooleanTruthy(bool truthy, const ValueOperand& operand, Label* label) {
+        Condition c = testBooleanTruthy(truthy, operand);
+        B(label, c);
+    }
+    Condition testStringTruthy(bool truthy, const ValueOperand& value) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        const ARMRegister scratch32(scratch, 32);
+        const ARMRegister scratch64(scratch, 64);
+
+        MOZ_ASSERT(value.valueReg() != scratch);
+
+        unboxString(value, scratch);
+        Ldr(scratch32, MemOperand(scratch64, JSString::offsetOfLength()));
+        Cmp(scratch32, Operand(0));
+        return truthy ? Condition::NonZero : Condition::Zero;
+    }
+    void branchTestStringTruthy(bool truthy, const ValueOperand& value, Label* label) {
+        Condition c = testStringTruthy(truthy, value);
+        B(label, c);
+    }
+    void int32OrDouble(Register src, ARMFPRegister dest) {
+        Label isInt32;
+        Label join;
+        testInt32(Equal, ValueOperand(src));
+        B(&isInt32, Equal);
+        // is double, move teh bits as is
+        Fmov(dest, ARMRegister(src, 64));
+        B(&join);
+        bind(&isInt32);
+        // is int32, do a conversion while moving
+        Scvtf(dest, ARMRegister(src, 32));
+        bind(&join);
+    }
+    void loadUnboxedValue(Address address, MIRType type, AnyRegister dest) {
+        if (dest.isFloat()) {
+            vixl::UseScratchRegisterScope temps(this);
+            const ARMRegister scratch64 = temps.AcquireX();
+            MOZ_ASSERT(scratch64.asUnsized() != address.base);
+            Ldr(scratch64, toMemOperand(address));
+            int32OrDouble(scratch64.asUnsized(), ARMFPRegister(dest.fpu(), 64));
+        } else if (type == MIRType_Int32 || type == MIRType_Boolean) {
+            load32(address, dest.gpr());
+        } else {
+            loadPtr(address, dest.gpr());
+            unboxNonDouble(dest.gpr(), dest.gpr());
+        }
+    }
+
+    void loadUnboxedValue(BaseIndex address, MIRType type, AnyRegister dest) {
+        if (dest.isFloat()) {
+            vixl::UseScratchRegisterScope temps(this);
+            const ARMRegister scratch64 = temps.AcquireX();
+            MOZ_ASSERT(scratch64.asUnsized() != address.base);
+            MOZ_ASSERT(scratch64.asUnsized() != address.index);
+            doBaseIndex(scratch64, address, vixl::LDR_x);
+            int32OrDouble(scratch64.asUnsized(), ARMFPRegister(dest.fpu(), 64));
+        }  else if (type == MIRType_Int32 || type == MIRType_Boolean) {
+            load32(address, dest.gpr());
+        } else {
+            loadPtr(address, dest.gpr());
+            unboxNonDouble(dest.gpr(), dest.gpr());
+        }
+    }
+
+    void loadInstructionPointerAfterCall(Register dest) {
+        MOZ_CRASH("loadInstructionPointerAfterCall");
+    }
+
+    // Emit a B that can be toggled to a CMP. See ToggleToJmp(), ToggleToCmp().
+    CodeOffsetLabel toggledJump(Label* label) {
+        BufferOffset offset = b(label, Always);
+        CodeOffsetLabel ret(offset.getOffset());
+        return ret;
+    }
+
+    // load: offset to the load instruction obtained by movePatchablePtr().
+    void writeDataRelocation(ImmGCPtr ptr, BufferOffset load) {
+        if (ptr.value)
+            tmpDataRelocations_.append(load);
+    }
+    void writeDataRelocation(const Value& val, BufferOffset load) {
+        if (val.isMarkable()) {
+            gc::Cell* cell = reinterpret_cast<gc::Cell*>(val.toGCThing());
+            if (cell && gc::IsInsideNursery(cell))
+                embedsNurseryPointers_ = true;
+            tmpDataRelocations_.append(load);
+        }
+    }
+
+    void writePrebarrierOffset(CodeOffsetLabel label) {
+        tmpPreBarriers_.append(BufferOffset(label.offset()));
+    }
+
+    void computeEffectiveAddress(const Address& address, Register dest) {
+        Add(ARMRegister(dest, 64), ARMRegister(address.base, 64), Operand(address.offset));
+    }
+    void computeEffectiveAddress(const BaseIndex& address, Register dest) {
+        ARMRegister dest64(dest, 64);
+        ARMRegister base64(address.base, 64);
+        ARMRegister index64(address.index, 64);
+
+        Add(dest64, base64, Operand(index64, vixl::LSL, address.scale));
+        if (address.offset)
+            Add(dest64, dest64, Operand(address.offset));
+    }
+
+  private:
+    void setupABICall(uint32_t args);
+
+  public:
+    // Setup a call to C/C++ code, given the number of general arguments it
+    // takes. Note that this only supports cdecl.
+    //
+    // In order for alignment to work correctly, the MacroAssembler must have a
+    // consistent view of the stack displacement. It is okay to call "push"
+    // manually, however, if the stack alignment were to change, the macro
+    // assembler should be notified before starting a call.
+    void setupAlignedABICall(uint32_t args) {
+        MOZ_CRASH("setupAlignedABICall");
+    }
+
+    // Sets up an ABI call for when the alignment is not known. This may need a
+    // scratch register.
+    void setupUnalignedABICall(uint32_t args, Register scratch);
+
+    // Arguments must be assigned to a C/C++ call in order. They are moved
+    // in parallel immediately before performing the call. This process may
+    // temporarily use more stack, in which case sp-relative addresses will be
+    // automatically adjusted. It is extremely important that sp-relative
+    // addresses are computed *after* setupABICall(). Furthermore, no
+    // operations should be emitted while setting arguments.
+    void passABIArg(const MoveOperand& from, MoveOp::Type type);
+    void passABIArg(Register reg);
+    void passABIArg(FloatRegister reg, MoveOp::Type type);
+    void passABIOutParam(Register reg);
+
+  private:
+    void callWithABIPre(uint32_t* stackAdjust);
+    void callWithABIPost(uint32_t stackAdjust, MoveOp::Type result);
+
+  public:
+    // Emits a call to a C/C++ function, resolving all argument moves.
+    void callWithABI(void* fun, MoveOp::Type result = MoveOp::GENERAL);
+    void callWithABI(Register fun, MoveOp::Type result = MoveOp::GENERAL);
+    void callWithABI(AsmJSImmPtr imm, MoveOp::Type result = MoveOp::GENERAL);
+    void callWithABI(Address fun, MoveOp::Type result = MoveOp::GENERAL);
+
+    CodeOffsetLabel labelForPatch() {
+        return CodeOffsetLabel(nextOffset().getOffset());
+    }
+
+    void handleFailureWithHandlerTail(void* handler);
+
+    // FIXME: This is the same on all platforms. Can be common code?
+    void makeFrameDescriptor(Register frameSizeReg, FrameType type) {
+        lshiftPtr(Imm32(FRAMESIZE_SHIFT), frameSizeReg);
+        orPtr(Imm32(type), frameSizeReg);
+    }
+
+    void callWithExitFrame(JitCode* target, Register dynStack) {
+        add32(Imm32(framePushed()), dynStack);
+        makeFrameDescriptor(dynStack, JitFrame_IonJS);
+        Push(dynStack); // descriptor
+
+        call(target);
+    }
+
+    // FIXME: See CodeGeneratorX64 calls to noteAsmJSGlobalAccess.
+    void patchAsmJSGlobalAccess(CodeOffsetLabel patchAt, uint8_t* code,
+                                uint8_t* globalData, unsigned globalDataOffset)
+    {
+        MOZ_CRASH("patchAsmJSGlobalAccess");
+    }
+
+    void memIntToValue(const Address& src, const Address& dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        MOZ_ASSERT(scratch != src.base);
+        MOZ_ASSERT(scratch != dest.base);
+        load32(src, scratch);
+        storeValue(JSVAL_TYPE_INT32, scratch, dest);
+    }
+
+    void branchPtrInNurseryRange(Condition cond, Register ptr, Register temp, Label* label);
+    void branchValueIsNurseryObject(Condition cond, ValueOperand value, Register temp, Label* label);
+
+    // Builds an exit frame on the stack, with a return address to an internal
+    // non-function. Returns offset to be passed to markSafepointAt().
+    void buildFakeExitFrame(Register scratch, uint32_t* offset);
+
+    void callWithExitFrame(Label* target) {
+        uint32_t descriptor = MakeFrameDescriptor(framePushed(), JitFrame_IonJS);
+        Push(Imm32(descriptor)); // descriptor
+
+        call(target);
+    }
+
+    void callWithExitFrame(JitCode* target);
+
+    void callJit(Register callee) {
+        // AArch64 cannot read from the PC, so pushing must be handled callee-side.
+        syncStackPtr();
+        Blr(ARMRegister(callee, 64));
+    }
+
+    void appendCallSite(const CallSiteDesc& desc) {
+        MOZ_CRASH("appendCallSite");
+    }
+
+    void call(const CallSiteDesc& desc, Label* label) {
+        syncStackPtr();
+        call(label);
+        append(desc, currentOffset(), framePushed_);
+    }
+    void call(const CallSiteDesc& desc, Register reg) {
+        syncStackPtr();
+        call(reg);
+        append(desc, currentOffset(), framePushed_);
+    }
+    void call(const CallSiteDesc& desc, AsmJSImmPtr imm) {
+        syncStackPtr();
+        call(imm);
+        append(desc, currentOffset(), framePushed_);
+    }
+
+    void call(AsmJSImmPtr imm) {
+        vixl::UseScratchRegisterScope temps(this);
+        const Register scratch = temps.AcquireX().asUnsized();
+        syncStackPtr();
+        movePtr(imm, scratch);
+        call(scratch);
+    }
+
+    void call(Register target) {
+        syncStackPtr();
+        Blr(ARMRegister(target, 64));
+    }
+    // Call a target JitCode, which must be traceable, and may be movable.
+    void call(JitCode* target) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        syncStackPtr();
+        BufferOffset off = immPool64(scratch64, uint64_t(target->raw()));
+        addPendingJump(off, ImmPtr(target->raw()), Relocation::JITCODE);
+        blr(scratch64);
+    }
+    // Call a target native function, which is neither traceable nor movable.
+    void call(ImmPtr target) {
+        syncStackPtr();
+        movePtr(target, ip0);
+        Blr(vixl::ip0);
+    }
+    void call(Label* target) {
+        syncStackPtr();
+        Bl(target);
+    }
+    void callExit(AsmJSImmPtr imm, uint32_t stackArgBytes) {
+        MOZ_CRASH("callExit");
+    }
+
+    void callJitFromAsmJS(Register reg) {
+        Blr(ARMRegister(reg, 64));
+    }
+
+    void callAndPushReturnAddress(Label* label);
+
+    void profilerEnterFrame(Register framePtr, Register scratch) {
+        AbsoluteAddress activation(GetJitContext()->runtime->addressOfProfilingActivation());
+        loadPtr(activation, scratch);
+        storePtr(framePtr, Address(scratch, JitActivation::offsetOfLastProfilingFrame()));
+        storePtr(ImmPtr(nullptr), Address(scratch, JitActivation::offsetOfLastProfilingCallSite()));
+    }
+    void profilerExitFrame() {
+        branch(GetJitContext()->runtime->jitRuntime()->getProfilerExitFrameTail());
+    }
+    Address ToPayload(Address value) {
+        return value;
+    }
+    Address ToType(Address value) {
+        return value;
+    }
+
+  private:
+    template <typename T>
+    void compareExchange(int nbytes, bool signExtend, const T& address, Register oldval,
+                         Register newval, Register output)
+    {
+        MOZ_CRASH("compareExchange");
+    }
+
+    template <typename T>
+    void atomicFetchOp(int nbytes, bool signExtend, AtomicOp op, const Imm32& value,
+                       const T& address, Register temp, Register output)
+    {
+        MOZ_CRASH("atomicFetchOp");
+    }
+
+    template <typename T>
+    void atomicFetchOp(int nbytes, bool signExtend, AtomicOp op, const Register& value,
+                       const T& address, Register temp, Register output)
+    {
+        MOZ_CRASH("atomicFetchOp");
+    }
+
+    template <typename T>
+    void atomicEffectOp(int nbytes, AtomicOp op, const Register& value, const T& mem) {
+        MOZ_CRASH("atomicEffectOp");
+    }
+
+    template <typename T>
+    void atomicEffectOp(int nbytes, AtomicOp op, const Imm32& value, const T& mem) {
+        MOZ_CRASH("atomicEffectOp");
+    }
+
+  public:
+    // T in {Address,BaseIndex}
+    // S in {Imm32,Register}
+
+    template <typename T>
+    void compareExchange8SignExtend(const T& mem, Register oldval, Register newval, Register output)
+    {
+        compareExchange(1, true, mem, oldval, newval, output);
+    }
+    template <typename T>
+    void compareExchange8ZeroExtend(const T& mem, Register oldval, Register newval, Register output)
+    {
+        compareExchange(1, false, mem, oldval, newval, output);
+    }
+    template <typename T>
+    void compareExchange16SignExtend(const T& mem, Register oldval, Register newval, Register output)
+    {
+        compareExchange(2, true, mem, oldval, newval, output);
+    }
+    template <typename T>
+    void compareExchange16ZeroExtend(const T& mem, Register oldval, Register newval, Register output)
+    {
+        compareExchange(2, false, mem, oldval, newval, output);
+    }
+    template <typename T>
+    void compareExchange32(const T& mem, Register oldval, Register newval, Register output)  {
+        compareExchange(4, false, mem, oldval, newval, output);
+    }
+
+    template <typename T, typename S>
+    void atomicFetchAdd8SignExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(1, true, AtomicFetchAddOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchAdd8ZeroExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(1, false, AtomicFetchAddOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchAdd16SignExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(2, true, AtomicFetchAddOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchAdd16ZeroExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(2, false, AtomicFetchAddOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchAdd32(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(4, false, AtomicFetchAddOp, value, mem, temp, output);
+    }
+
+    template <typename T, typename S>
+    void atomicAdd8(const S& value, const T& mem) {
+        atomicEffectOp(1, AtomicFetchAddOp, value, mem);
+    }
+    template <typename T, typename S>
+    void atomicAdd16(const S& value, const T& mem) {
+        atomicEffectOp(2, AtomicFetchAddOp, value, mem);
+    }
+    template <typename T, typename S>
+    void atomicAdd32(const S& value, const T& mem) {
+        atomicEffectOp(4, AtomicFetchAddOp, value, mem);
+    }
+
+    template <typename T, typename S>
+    void atomicFetchSub8SignExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(1, true, AtomicFetchSubOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchSub8ZeroExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(1, false, AtomicFetchSubOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchSub16SignExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(2, true, AtomicFetchSubOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchSub16ZeroExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(2, false, AtomicFetchSubOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchSub32(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(4, false, AtomicFetchSubOp, value, mem, temp, output);
+    }
+
+    template <typename T, typename S>
+    void atomicSub8(const S& value, const T& mem) {
+        atomicEffectOp(1, AtomicFetchSubOp, value, mem);
+    }
+    template <typename T, typename S>
+    void atomicSub16(const S& value, const T& mem) {
+        atomicEffectOp(2, AtomicFetchSubOp, value, mem);
+    }
+    template <typename T, typename S>
+    void atomicSub32(const S& value, const T& mem) {
+        atomicEffectOp(4, AtomicFetchSubOp, value, mem);
+    }
+
+    template <typename T, typename S>
+    void atomicFetchAnd8SignExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(1, true, AtomicFetchAndOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchAnd8ZeroExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(1, false, AtomicFetchAndOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchAnd16SignExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(2, true, AtomicFetchAndOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchAnd16ZeroExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(2, false, AtomicFetchAndOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchAnd32(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(4, false, AtomicFetchAndOp, value, mem, temp, output);
+    }
+
+    template <typename T, typename S>
+    void atomicAnd8(const S& value, const T& mem) {
+        atomicEffectOp(1, AtomicFetchAndOp, value, mem);
+    }
+    template <typename T, typename S>
+    void atomicAnd16(const S& value, const T& mem) {
+        atomicEffectOp(2, AtomicFetchAndOp, value, mem);
+    }
+    template <typename T, typename S>
+    void atomicAnd32(const S& value, const T& mem) {
+        atomicEffectOp(4, AtomicFetchAndOp, value, mem);
+    }
+
+    template <typename T, typename S>
+    void atomicFetchOr8SignExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(1, true, AtomicFetchOrOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchOr8ZeroExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(1, false, AtomicFetchOrOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchOr16SignExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(2, true, AtomicFetchOrOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchOr16ZeroExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(2, false, AtomicFetchOrOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchOr32(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(4, false, AtomicFetchOrOp, value, mem, temp, output);
+    }
+
+    template <typename T, typename S>
+    void atomicOr8(const S& value, const T& mem) {
+        atomicEffectOp(1, AtomicFetchOrOp, value, mem);
+    }
+    template <typename T, typename S>
+    void atomicOr16(const S& value, const T& mem) {
+        atomicEffectOp(2, AtomicFetchOrOp, value, mem);
+    }
+    template <typename T, typename S>
+    void atomicOr32(const S& value, const T& mem) {
+        atomicEffectOp(4, AtomicFetchOrOp, value, mem);
+    }
+
+    template <typename T, typename S>
+    void atomicFetchXor8SignExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(1, true, AtomicFetchXorOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchXor8ZeroExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(1, false, AtomicFetchXorOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchXor16SignExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(2, true, AtomicFetchXorOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchXor16ZeroExtend(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(2, false, AtomicFetchXorOp, value, mem, temp, output);
+    }
+    template <typename T, typename S>
+    void atomicFetchXor32(const S& value, const T& mem, Register temp, Register output) {
+        atomicFetchOp(4, false, AtomicFetchXorOp, value, mem, temp, output);
+    }
+
+    template <typename T, typename S>
+    void atomicXor8(const S& value, const T& mem) {
+        atomicEffectOp(1, AtomicFetchXorOp, value, mem);
+    }
+    template <typename T, typename S>
+    void atomicXor16(const S& value, const T& mem) {
+        atomicEffectOp(2, AtomicFetchXorOp, value, mem);
+    }
+    template <typename T, typename S>
+    void atomicXor32(const S& value, const T& mem) {
+        atomicEffectOp(4, AtomicFetchXorOp, value, mem);
+    }
+
+    // Emit a BLR or NOP instruction. ToggleCall can be used to patch
+    // this instruction.
+    CodeOffsetLabel toggledCall(JitCode* target, bool enabled) {
+        // TODO: Random pool insertion between instructions below is terrible.
+        // Unfortunately, we can't forbid pool prevention, because we're trying
+        // to add an entry to a pool. So as a temporary fix, just flush the pool
+        // now, so that it won't add later. If you're changing this, also
+        // check ToggleCall(), which will probably break.
+        armbuffer_.flushPool();
+
+        syncStackPtr();
+
+        BufferOffset offset = nextOffset();
+        BufferOffset loadOffset;
+        {
+            vixl::UseScratchRegisterScope temps(this);
+
+            // The register used for the load is hardcoded, so that ToggleCall
+            // can patch in the branch instruction easily. This could be changed,
+            // but then ToggleCall must read the target register from the load.
+            MOZ_ASSERT(temps.IsAvailable(ScratchReg2_64));
+            temps.Exclude(ScratchReg2_64);
+
+            loadOffset = immPool64(ScratchReg2_64, uint64_t(target->raw()));
+
+            if (enabled)
+                blr(ScratchReg2_64);
+            else
+                nop();
+        }
+
+        addPendingJump(loadOffset, ImmPtr(target->raw()), Relocation::JITCODE);
+        CodeOffsetLabel ret(offset.getOffset());
+        return ret;
+    }
+
+    static size_t ToggledCallSize(uint8_t* code) {
+        static const uint32_t syncStackInstruction = 0x9100039f; // mov sp, r28
+
+        // start it off as an 8 byte sequence
+        int ret = 8;
+        Instruction* cur = (Instruction*)code;
+        uint32_t* curw = (uint32_t*)code;
+
+        if (*curw == syncStackInstruction) {
+            ret += 4;
+            cur += 4;
+        }
+
+        if (cur->IsUncondB())
+            ret += cur->ImmPCRawOffset() << vixl::kInstructionSizeLog2;
+
+        return ret;
+    }
+
+    void checkARMRegAlignment(const ARMRegister& reg) {
+#ifdef DEBUG
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch64 = temps.AcquireX();
+        MOZ_ASSERT(scratch64.asUnsized() != reg.asUnsized());
+        Label aligned;
+        Mov(scratch64, reg);
+        Tst(scratch64, Operand(StackAlignment - 1));
+        B(Zero, &aligned);
+        breakpoint();
+        bind(&aligned);
+        Mov(scratch64, vixl::xzr); // Clear the scratch register for sanity.
+#endif
+    }
+
+    void checkStackAlignment() {
+#ifdef DEBUG
+        checkARMRegAlignment(GetStackPointer64());
+
+        // If another register is being used to track pushes, check sp explicitly.
+        if (!GetStackPointer64().Is(vixl::sp))
+            checkARMRegAlignment(vixl::sp);
+#endif
+    }
+
+    void abiret() {
+        syncStackPtr(); // SP is always used to transmit the stack between calls.
+        vixl::MacroAssembler::Ret(vixl::lr);
+    }
+
+    void mulBy3(Register src, Register dest) {
+        ARMRegister xdest(dest, 64);
+        ARMRegister xsrc(src, 64);
+        Add(xdest, xsrc, Operand(xsrc, vixl::LSL, 1));
+    }
+
+    template <typename T>
+    void branchAdd32(Condition cond, T src, Register dest, Label* label) {
+        adds32(src, dest);
+        branch(cond, label);
+    }
+
+    template <typename T>
+    void branchSub32(Condition cond, T src, Register dest, Label* label) {
+        subs32(src, dest);
+        branch(cond, label);
+    }
+    void clampCheck(Register r, Label* handleNotAnInt) {
+        MOZ_CRASH("clampCheck");
+    }
+
+    void memMove32(Address Source, Address Dest) {
+        MOZ_CRASH("memMove32");
+    }
+    void memMove64(Address Source, Address Dest) {
+        MOZ_CRASH("memMove64");
+    }
+
+    void stackCheck(ImmWord limitAddr, Label* label) {
+        MOZ_CRASH("stackCheck");
+    }
+    void clampIntToUint8(Register reg) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        const ARMRegister reg32(reg, 32);
+        MOZ_ASSERT(!scratch32.Is(reg32));
+
+        Cmp(reg32, Operand(reg32, vixl::UXTB));
+        Csel(reg32, reg32, vixl::wzr, Assembler::GreaterThanOrEqual);
+        Mov(scratch32, Operand(0xff));
+        Csel(reg32, reg32, scratch32, Assembler::LessThanOrEqual);
+    }
+
+    void incrementInt32Value(const Address& addr) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratch32 = temps.AcquireW();
+        MOZ_ASSERT(scratch32.asUnsized() != addr.base);
+
+        load32(addr, scratch32.asUnsized());
+        Add(scratch32, scratch32, Operand(1));
+        store32(scratch32.asUnsized(), addr);
+    }
+    void inc64(AbsoluteAddress dest) {
+        vixl::UseScratchRegisterScope temps(this);
+        const ARMRegister scratchAddr64 = temps.AcquireX();
+        const ARMRegister scratch64 = temps.AcquireX();
+
+        Mov(scratchAddr64, uint64_t(dest.addr));
+        Ldr(scratch64, MemOperand(scratchAddr64, 0));
+        Add(scratch64, scratch64, Operand(1));
+        Str(scratch64, MemOperand(scratchAddr64, 0));
+    }
+
+    void BoundsCheck(Register ptrReg, Label* onFail, vixl::CPURegister zeroMe = vixl::NoReg) {
+        // use tst rather than Tst to *ensure* that a single instrution is generated.
+        Cmp(ARMRegister(ptrReg, 32), ARMRegister(HeapLenReg, 32));
+        if (!zeroMe.IsNone()) {
+            if (zeroMe.IsRegister()) {
+                Csel(ARMRegister(zeroMe),
+                     ARMRegister(zeroMe),
+                     Operand(zeroMe.Is32Bits() ? vixl::wzr : vixl::xzr),
+                     Assembler::Below);
+            } else if (zeroMe.Is32Bits()) {
+                vixl::UseScratchRegisterScope temps(this);
+                const ARMFPRegister scratchFloat = temps.AcquireS();
+                Fmov(scratchFloat, JS::GenericNaN());
+                Fcsel(ARMFPRegister(zeroMe), ARMFPRegister(zeroMe), scratchFloat, Assembler::Below);
+            } else {
+                vixl::UseScratchRegisterScope temps(this);
+                const ARMFPRegister scratchDouble = temps.AcquireD();
+                Fmov(scratchDouble, JS::GenericNaN());
+                Fcsel(ARMFPRegister(zeroMe), ARMFPRegister(zeroMe), scratchDouble, Assembler::Below);
+            }
+        }
+        B(onFail, Assembler::AboveOrEqual);
+    }
+    void breakpoint();
+
+    // Emits a simulator directive to save the current sp on an internal stack.
+    void simulatorMarkSP() {
+#ifdef JS_ARM64_SIMULATOR
+        svc(vixl::kMarkStackPointer);
+#endif
+    }
+
+    // Emits a simulator directive to pop from its internal stack
+    // and assert that the value is equal to the current sp.
+    void simulatorCheckSP() {
+#ifdef JS_ARM64_SIMULATOR
+        svc(vixl::kCheckStackPointer);
+#endif
+    }
+
+    void loadAsmJSActivation(Register dest) {
+        loadPtr(Address(GlobalReg, AsmJSActivationGlobalDataOffset - AsmJSGlobalRegBias), dest);
+    }
+    void loadAsmJSHeapRegisterFromGlobalData() {
+        loadPtr(Address(GlobalReg, AsmJSHeapGlobalDataOffset - AsmJSGlobalRegBias), HeapReg);
+        loadPtr(Address(GlobalReg, AsmJSHeapGlobalDataOffset - AsmJSGlobalRegBias + 8), HeapLenReg);
+    }
+
+    // Overwrites the payload bits of a dest register containing a Value.
+    void movePayload(Register src, Register dest) {
+        // Bfxil cannot be used with the zero register as a source.
+        if (src == rzr)
+            And(ARMRegister(dest, 64), ARMRegister(dest, 64), Operand(~int64_t(JSVAL_PAYLOAD_MASK)));
+        else
+            Bfxil(ARMRegister(dest, 64), ARMRegister(src, 64), 0, JSVAL_TAG_SHIFT);
+    }
+
+    // FIXME: Should be in Assembler?
+    // FIXME: Should be const?
+    uint32_t currentOffset() const {
+        return nextOffset().getOffset();
+    }
+
+  protected:
+    bool buildOOLFakeExitFrame(void* fakeReturnAddr) {
+        uint32_t descriptor = MakeFrameDescriptor(framePushed(), JitFrame_IonJS);
+        Push(Imm32(descriptor));
+        Push(ImmPtr(fakeReturnAddr));
+        return true;
+    }
+};
+
+typedef MacroAssemblerCompat MacroAssemblerSpecific;
+
+} // namespace jit
+} // namespace js
+
+#endif // jit_arm64_MacroAssembler_arm64_h
diff --git a/js/src/jit/arm64/SharedICHelpers-arm64.h b/js/src/jit/arm64/SharedICHelpers-arm64.h
new file mode 100644
index 000000000000..092885a6b35c
--- /dev/null
+++ b/js/src/jit/arm64/SharedICHelpers-arm64.h
@@ -0,0 +1,309 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef jit_arm64_SharedICHelpers_arm64_h
+#define jit_arm64_SharedICHelpers_arm64_h
+
+#include "jit/BaselineFrame.h"
+#include "jit/BaselineIC.h"
+#include "jit/MacroAssembler.h"
+#include "jit/SharedICRegisters.h"
+
+namespace js {
+namespace jit {
+
+// Distance from sp to the top Value inside an IC stub (no return address on the stack on ARM).
+static const size_t ICStackValueOffset = 0;
+
+inline void
+EmitRestoreTailCallReg(MacroAssembler& masm)
+{
+    // No-op on ARM because link register is always holding the return address.
+}
+
+inline void
+EmitRepushTailCallReg(MacroAssembler& masm)
+{
+    // No-op on ARM because link register is always holding the return address.
+}
+
+inline void
+EmitCallIC(CodeOffsetLabel* patchOffset, MacroAssembler& masm)
+{
+    // Move ICEntry offset into ICStubReg
+    CodeOffsetLabel offset = masm.movWithPatch(ImmWord(-1), ICStubReg);
+    *patchOffset = offset;
+
+    // Load stub pointer into ICStubReg
+    masm.loadPtr(Address(ICStubReg, ICEntry::offsetOfFirstStub()), ICStubReg);
+
+    // Load stubcode pointer from BaselineStubEntry.
+    // R2 won't be active when we call ICs, so we can use r0.
+    MOZ_ASSERT(R2 == ValueOperand(r0));
+    masm.loadPtr(Address(ICStubReg, ICStub::offsetOfStubCode()), r0);
+
+    // Call the stubcode via a direct branch-and-link.
+    masm.Blr(x0);
+}
+
+inline void
+EmitEnterTypeMonitorIC(MacroAssembler& masm,
+                       size_t monitorStubOffset = ICMonitoredStub::offsetOfFirstMonitorStub())
+{
+    // This is expected to be called from within an IC, when ICStubReg is
+    // properly initialized to point to the stub.
+    masm.loadPtr(Address(ICStubReg, (uint32_t) monitorStubOffset), ICStubReg);
+
+    // Load stubcode pointer from BaselineStubEntry.
+    // R2 won't be active when we call ICs, so we can use r0.
+    MOZ_ASSERT(R2 == ValueOperand(r0));
+    masm.loadPtr(Address(ICStubReg, ICStub::offsetOfStubCode()), r0);
+
+    // Jump to the stubcode.
+    masm.Br(x0);
+}
+
+inline void
+EmitReturnFromIC(MacroAssembler& masm)
+{
+    masm.abiret(); // Defaults to lr.
+}
+
+inline void
+EmitChangeICReturnAddress(MacroAssembler& masm, Register reg)
+{
+    masm.movePtr(reg, lr);
+}
+
+inline void
+EmitTailCallVM(JitCode* target, MacroAssembler& masm, uint32_t argSize)
+{
+    // We assume that R0 has been pushed, and R2 is unused.
+    MOZ_ASSERT(R2 == ValueOperand(r0));
+
+    // Compute frame size into w0. Used below in makeFrameDescriptor().
+    masm.Sub(x0, BaselineFrameReg64, masm.GetStackPointer64());
+    masm.Add(w0, w0, Operand(BaselineFrame::FramePointerOffset));
+
+    // Store frame size without VMFunction arguments for GC marking.
+    {
+        vixl::UseScratchRegisterScope temps(&masm.asVIXL());
+        const ARMRegister scratch32 = temps.AcquireW();
+
+        masm.Sub(scratch32, w0, Operand(argSize));
+        masm.store32(scratch32.asUnsized(),
+                     Address(BaselineFrameReg, BaselineFrame::reverseOffsetOfFrameSize()));
+    }
+
+    // Push frame descriptor (minus the return address) and perform the tail call.
+    MOZ_ASSERT(ICTailCallReg == lr);
+    masm.makeFrameDescriptor(r0, JitFrame_BaselineJS);
+    masm.push(r0);
+
+    // The return address will be pushed by the VM wrapper, for compatibility
+    // with direct calls. Refer to the top of generateVMWrapper().
+    // ICTailCallReg (lr) already contains the return address (as we keep
+    // it there through the stub calls).
+
+    masm.branch(target);
+}
+
+inline void
+EmitCreateStubFrameDescriptor(MacroAssembler& masm, Register reg)
+{
+    ARMRegister reg64(reg, 64);
+
+    // Compute stub frame size.
+    masm.Sub(reg64, masm.GetStackPointer64(), Operand(sizeof(void*) * 2));
+    masm.Sub(reg64, BaselineFrameReg64, reg64);
+
+    masm.makeFrameDescriptor(reg, JitFrame_BaselineStub);
+}
+
+inline void
+EmitCallVM(JitCode* target, MacroAssembler& masm)
+{
+    EmitCreateStubFrameDescriptor(masm, r0);
+    masm.push(r0);
+    masm.call(target);
+}
+
+// Size of values pushed by EmitEnterStubFrame.
+static const uint32_t STUB_FRAME_SIZE = 4 * sizeof(void*);
+static const uint32_t STUB_FRAME_SAVED_STUB_OFFSET = sizeof(void*);
+
+inline void
+EmitEnterStubFrame(MacroAssembler& masm, Register scratch)
+{
+    MOZ_ASSERT(scratch != ICTailCallReg);
+
+    // Compute frame size.
+    masm.Add(ARMRegister(scratch, 64), BaselineFrameReg64, Operand(BaselineFrame::FramePointerOffset));
+    masm.Sub(ARMRegister(scratch, 64), ARMRegister(scratch, 64), masm.GetStackPointer64());
+
+    masm.store32(scratch, Address(BaselineFrameReg, BaselineFrame::reverseOffsetOfFrameSize()));
+
+    // Note: when making changes here, don't forget to update STUB_FRAME_SIZE.
+
+    // Push frame descriptor and return address.
+    // Save old frame pointer, stack pointer, and stub reg.
+    masm.makeFrameDescriptor(scratch, JitFrame_BaselineJS);
+    masm.push(scratch, ICTailCallReg, ICStubReg, BaselineFrameReg);
+
+    // Update the frame register.
+    masm.Mov(BaselineFrameReg64, masm.GetStackPointer64());
+
+    // Stack should remain 16-byte aligned.
+    masm.checkStackAlignment();
+}
+
+inline void
+EmitLeaveStubFrame(MacroAssembler& masm, bool calledIntoIon = false)
+{
+    vixl::UseScratchRegisterScope temps(&masm.asVIXL());
+    const ARMRegister scratch64 = temps.AcquireX();
+
+    // Ion frames do not save and restore the frame pointer. If we called
+    // into Ion, we have to restore the stack pointer from the frame descriptor.
+    // If we performed a VM call, the descriptor has been popped already so
+    // in that case we use the frame pointer.
+    if (calledIntoIon) {
+        masm.pop(scratch64.asUnsized());
+        masm.Lsr(scratch64, scratch64, FRAMESIZE_SHIFT);
+        masm.Add(masm.GetStackPointer64(), masm.GetStackPointer64(), scratch64);
+    } else {
+        masm.Mov(masm.GetStackPointer64(), BaselineFrameReg64);
+    }
+
+    // Pop values, discarding the frame descriptor.
+    masm.pop(BaselineFrameReg, ICStubReg, ICTailCallReg, scratch64.asUnsized());
+
+    // Stack should remain 16-byte aligned.
+    masm.checkStackAlignment();
+}
+
+inline void
+EmitStowICValues(MacroAssembler& masm, int values)
+{
+    switch (values) {
+      case 1:
+        // Stow R0.
+        masm.pushValue(R0);
+        break;
+      case 2:
+        // Stow R0 and R1.
+        masm.push(R0.valueReg(), R1.valueReg());
+        break;
+      default:
+        MOZ_MAKE_COMPILER_ASSUME_IS_UNREACHABLE("Expected 1 or 2 values");
+    }
+}
+
+inline void
+EmitUnstowICValues(MacroAssembler& masm, int values, bool discard = false)
+{
+    MOZ_ASSERT(values >= 0 && values <= 2);
+    switch (values) {
+      case 1:
+        // Unstow R0.
+        if (discard)
+            masm.Drop(Operand(sizeof(Value)));
+        else
+            masm.popValue(R0);
+        break;
+      case 2:
+        // Unstow R0 and R1.
+        if (discard)
+            masm.Drop(Operand(sizeof(Value) * 2));
+        else
+            masm.pop(R1.valueReg(), R0.valueReg());
+        break;
+      default:
+        MOZ_MAKE_COMPILER_ASSUME_IS_UNREACHABLE("Expected 1 or 2 values");
+    }
+}
+
+inline void
+EmitCallTypeUpdateIC(MacroAssembler& masm, JitCode* code, uint32_t objectOffset)
+{
+    // R0 contains the value that needs to be typechecked.
+    // The object we're updating is a boxed Value on the stack, at offset
+    // objectOffset from stack top, excluding the return address.
+    MOZ_ASSERT(R2 == ValueOperand(r0));
+
+    // Save the current ICStubReg to stack, as well as the TailCallReg,
+    // since on AArch64, the LR is live.
+    masm.push(ICStubReg, ICTailCallReg);
+
+    // This is expected to be called from within an IC, when ICStubReg
+    // is properly initialized to point to the stub.
+    masm.loadPtr(Address(ICStubReg, (int32_t)ICUpdatedStub::offsetOfFirstUpdateStub()),
+                 ICStubReg);
+
+    // Load stubcode pointer from ICStubReg into ICTailCallReg.
+    masm.loadPtr(Address(ICStubReg, ICStub::offsetOfStubCode()), ICTailCallReg);
+
+    // Call the stubcode.
+    masm.Blr(ARMRegister(ICTailCallReg, 64));
+
+    // Restore the old stub reg and tailcall reg.
+    masm.pop(ICTailCallReg, ICStubReg);
+
+    // The update IC will store 0 or 1 in R1.scratchReg() reflecting if the
+    // value in R0 type-checked properly or not.
+    Label success;
+    masm.cmp32(R1.scratchReg(), Imm32(1));
+    masm.j(Assembler::Equal, &success);
+
+    // If the IC failed, then call the update fallback function.
+    EmitEnterStubFrame(masm, R1.scratchReg());
+
+    masm.loadValue(Address(masm.getStackPointer(), STUB_FRAME_SIZE + objectOffset), R1);
+    masm.push(R0.valueReg(), R1.valueReg(), ICStubReg);
+
+    // Load previous frame pointer, push BaselineFrame*.
+    masm.loadPtr(Address(BaselineFrameReg, 0), R0.scratchReg());
+    masm.pushBaselineFramePtr(R0.scratchReg(), R0.scratchReg());
+
+    EmitCallVM(code, masm);
+    EmitLeaveStubFrame(masm);
+
+    // Success at end.
+    masm.bind(&success);
+}
+
+template <typename AddrType>
+inline void
+EmitPreBarrier(MacroAssembler& masm, const AddrType& addr, MIRType type)
+{
+    // On AArch64, lr is clobbered by patchableCallPreBarrier. Save it first.
+    masm.push(lr);
+    masm.patchableCallPreBarrier(addr, type);
+    masm.pop(lr);
+}
+
+inline void
+EmitStubGuardFailure(MacroAssembler& masm)
+{
+    // NOTE: This routine assumes that the stub guard code left the stack in the
+    // same state it was in when it was entered.
+
+    // BaselineStubEntry points to the current stub.
+
+    // Load next stub into ICStubReg.
+    masm.loadPtr(Address(ICStubReg, ICStub::offsetOfNext()), ICStubReg);
+
+    // Load stubcode pointer from BaselineStubEntry into scratch register.
+    masm.loadPtr(Address(ICStubReg, ICStub::offsetOfStubCode()), r0);
+
+    // Return address is already loaded, just jump to the next stubcode.
+    masm.Br(x0);
+}
+
+} // namespace jit
+} // namespace js
+
+#endif // jit_arm64_SharedICHelpers_arm64_h
diff --git a/js/src/jit/arm64/SharedICRegisters-arm64.h b/js/src/jit/arm64/SharedICRegisters-arm64.h
new file mode 100644
index 000000000000..932a16ddd91e
--- /dev/null
+++ b/js/src/jit/arm64/SharedICRegisters-arm64.h
@@ -0,0 +1,60 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef jit_arm64_SharedICRegisters_arm64_h
+#define jit_arm64_SharedICRegisters_arm64_h
+
+#include "jit/MacroAssembler.h"
+
+namespace js {
+namespace jit {
+
+// Must be a callee-saved register for preservation around generateEnterJIT().
+static constexpr Register BaselineFrameReg = r23;
+static constexpr ARMRegister BaselineFrameReg64 = { BaselineFrameReg, 64 };
+
+// The BaselineStackReg cannot be sp, because that register is treated
+// as xzr/wzr during load/store operations.
+static constexpr Register BaselineStackReg = PseudoStackPointer;
+
+// ValueOperands R0, R1, and R2.
+// R0 == JSReturnReg, and R2 uses registers not preserved across calls.
+// R1 value should be preserved across calls.
+static constexpr Register R0_ = r2;
+static constexpr Register R1_ = r19;
+static constexpr Register R2_ = r0;
+
+static constexpr ValueOperand R0(R0_);
+static constexpr ValueOperand R1(R1_);
+static constexpr ValueOperand R2(R2_);
+
+// ICTailCallReg and ICStubReg use registers that are not preserved across calls.
+static constexpr Register ICTailCallReg = r30;
+static constexpr Register ICStubReg = r9;
+
+// ExtractTemps must be callee-save registers:
+// ICSetProp_Native::Compiler::generateStubCode() stores the object
+// in ExtractTemp0, but then calls callTypeUpdateIC(), which clobbers
+// caller-save registers.
+// They should also not be the scratch registers ip0 or ip1,
+// since those get clobbered all the time.
+static constexpr Register ExtractTemp0 = r24;
+static constexpr Register ExtractTemp1 = r25;
+
+// R7 - R9 are generally available for use within stubcode.
+
+// Note that BaselineTailCallReg is actually just the link
+// register.  In ARM code emission, we do not clobber BaselineTailCallReg
+// since we keep the return address for calls there.
+
+// FloatReg0 must be equal to ReturnFloatReg.
+static constexpr FloatRegister FloatReg0 = { FloatRegisters::v0 };
+static constexpr FloatRegister FloatReg1 = { FloatRegisters::v1 };
+
+} // namespace jit
+} // namespace js
+
+#endif // jit_arm64_SharedICRegisters_arm64_h
diff --git a/js/src/jit/arm64/vixl/MacroAssembler-vixl.h b/js/src/jit/arm64/vixl/MacroAssembler-vixl.h
index d1720fa8a46b..d14538379554 100644
--- a/js/src/jit/arm64/vixl/MacroAssembler-vixl.h
+++ b/js/src/jit/arm64/vixl/MacroAssembler-vixl.h
@@ -27,8 +27,7 @@
 #ifndef VIXL_A64_MACRO_ASSEMBLER_A64_H_
 #define VIXL_A64_MACRO_ASSEMBLER_A64_H_
 
-// TODO: Re-enable once landed.
-// #include "jit/arm64/Assembler-arm64.h"
+#include "jit/arm64/Assembler-arm64.h"
 
 #include "jit/arm64/vixl/Debugger-vixl.h"
 #include "jit/arm64/vixl/Globals-vixl.h"
diff --git a/js/src/jit/shared/CodeGenerator-shared.h b/js/src/jit/shared/CodeGenerator-shared.h
index 0caef861aedf..e3c8ad75bbf1 100644
--- a/js/src/jit/shared/CodeGenerator-shared.h
+++ b/js/src/jit/shared/CodeGenerator-shared.h
@@ -8,6 +8,7 @@
 #define jit_shared_CodeGenerator_shared_h
 
 #include "mozilla/Alignment.h"
+#include "mozilla/Move.h"
 
 #include "jit/JitFrames.h"
 #include "jit/LIR.h"
@@ -578,69 +579,57 @@ class OutOfLineCodeBase : public OutOfLineCode
 // ArgSeq store arguments for OutOfLineCallVM.
 //
 // OutOfLineCallVM are created with "oolCallVM" function. The third argument of
-// this function is an instance of a class which provides a "generate" function
-// to call the "pushArg" needed by the VMFunction call.  The list of argument
-// can be created by using the ArgList function which create an empty list of
-// arguments.  Arguments are added to this list by using the comma operator.
-// The type of the argument list is returned by the comma operator, and due to
-// templates arguments, it is quite painful to write by hand.  It is recommended
-// to use it directly as argument of a template function which would get its
-// arguments infered by the compiler (such as oolCallVM).  The list of arguments
-// must be written in the same order as if you were calling the function in C++.
+// this function is an instance of a class which provides a "generate" in charge
+// of pushing the argument, with "pushArg", for a VMFunction.
+//
+// Such list of arguments can be created by using the "ArgList" function which
+// creates one instance of "ArgSeq", where the type of the arguments are inferred
+// from the type of the arguments.
+//
+// The list of arguments must be written in the same order as if you were
+// calling the function in C++.
 //
 // Example:
-//   (ArgList(), ToRegister(lir->lhs()), ToRegister(lir->rhs()))
+//   ArgList(ToRegister(lir->lhs()), ToRegister(lir->rhs()))
 
-template <class SeqType, typename LastType>
-class ArgSeq : public SeqType
-{
-  private:
-    typedef ArgSeq<SeqType, LastType> ThisType;
-    LastType last_;
+template <typename... ArgTypes>
+class ArgSeq;
 
-  public:
-    ArgSeq(const SeqType& seq, const LastType& last)
-      : SeqType(seq),
-        last_(last)
-    { }
-
-    template <typename NextType>
-    inline ArgSeq<ThisType, NextType>
-    operator, (const NextType& last) const {
-        return ArgSeq<ThisType, NextType>(*this, last);
-    }
-
-    inline void generate(CodeGeneratorShared* codegen) const {
-        codegen->pushArg(last_);
-        this->SeqType::generate(codegen);
-    }
-};
-
-// Mark the end of an argument list.
 template <>
-class ArgSeq<void, void>
+class ArgSeq<>
 {
-  private:
-    typedef ArgSeq<void, void> ThisType;
-
   public:
     ArgSeq() { }
-    ArgSeq(const ThisType&) { }
-
-    template <typename NextType>
-    inline ArgSeq<ThisType, NextType>
-    operator, (const NextType& last) const {
-        return ArgSeq<ThisType, NextType>(*this, last);
-    }
 
     inline void generate(CodeGeneratorShared* codegen) const {
     }
 };
 
-inline ArgSeq<void, void>
-ArgList()
+template <typename HeadType, typename... TailTypes>
+class ArgSeq<HeadType, TailTypes...> : public ArgSeq<TailTypes...>
 {
-    return ArgSeq<void, void>();
+  private:
+    HeadType head_;
+
+  public:
+    explicit ArgSeq(HeadType&& head, TailTypes&&... tail)
+      : ArgSeq<TailTypes...>(mozilla::Move(tail)...),
+        head_(mozilla::Move(head))
+    { }
+
+    // Arguments are pushed in reverse order, from last argument to first
+    // argument.
+    inline void generate(CodeGeneratorShared* codegen) const {
+        this->ArgSeq<TailTypes...>::generate(codegen);
+        codegen->pushArg(head_);
+    }
+};
+
+template <typename... ArgTypes>
+inline ArgSeq<ArgTypes...>
+ArgList(ArgTypes... args)
+{
+    return ArgSeq<ArgTypes...>(mozilla::Move(args)...);
 }
 
 // Store wrappers, to generate the right move of data after the VM call.
diff --git a/js/src/jit/x86-shared/BaseAssembler-x86-shared.h b/js/src/jit/x86-shared/BaseAssembler-x86-shared.h
index 9b3ce2136236..8e883be6f698 100644
--- a/js/src/jit/x86-shared/BaseAssembler-x86-shared.h
+++ b/js/src/jit/x86-shared/BaseAssembler-x86-shared.h
@@ -3744,12 +3744,12 @@ threeByteOpImmSimd("vblendps", VEX_PD, OP3_BLENDPS_VpsWpsIb, ESCAPE_3A, imm, off
 
     void doubleConstant(double d)
     {
-        spew(".double %.20f", d);
+        spew(".double %.16g", d);
         m_formatter.doubleConstant(d);
     }
     void floatConstant(float f)
     {
-        spew(".float %.20f", f);
+        spew(".float %.16g", f);
         m_formatter.floatConstant(f);
     }
 
@@ -3761,7 +3761,7 @@ threeByteOpImmSimd("vblendps", VEX_PD, OP3_BLENDPS_VpsWpsIb, ESCAPE_3A, imm, off
     }
     void float32x4Constant(const float f[4])
     {
-        spew(".float %f,%f,%f,%f", f[0], f[1], f[2], f[3]);
+        spew(".float %g,%g,%g,%g", f[0], f[1], f[2], f[3]);
         MOZ_ASSERT(m_formatter.isAligned(16));
         m_formatter.float32x4Constant(f);
     }
diff --git a/js/src/js.msg b/js/src/js.msg
index d4a6a9acc477..7ae431f1d14c 100644
--- a/js/src/js.msg
+++ b/js/src/js.msg
@@ -311,7 +311,7 @@ MSG_DEF(JSMSG_SEMI_AFTER_FOR_COND,     0, JSEXN_SYNTAXERR, "missing ; after for-
 MSG_DEF(JSMSG_SEMI_AFTER_FOR_INIT,     0, JSEXN_SYNTAXERR, "missing ; after for-loop initializer")
 MSG_DEF(JSMSG_SEMI_BEFORE_STMNT,       0, JSEXN_SYNTAXERR, "missing ; before statement")
 MSG_DEF(JSMSG_SOURCE_TOO_LONG,         0, JSEXN_RANGEERR, "source is too long")
-MSG_DEF(JSMSG_STMT_AFTER_RETURN,       0, JSEXN_SYNTAXERR, "unreachable code after return statement")
+MSG_DEF(JSMSG_STMT_AFTER_RETURN,       0, JSEXN_NONE, "unreachable code after return statement")
 MSG_DEF(JSMSG_STRICT_CODE_WITH,        0, JSEXN_SYNTAXERR, "strict mode code may not contain 'with' statements")
 MSG_DEF(JSMSG_STRICT_FUNCTION_STATEMENT, 0, JSEXN_SYNTAXERR, "in strict mode code, functions may be declared only at top level or immediately within another function")
 MSG_DEF(JSMSG_TEMPLSTR_UNTERM_EXPR,    0, JSEXN_SYNTAXERR, "missing } in template string")
diff --git a/js/src/jsapi.h b/js/src/jsapi.h
index 7e6566f53021..2036beced9bc 100644
--- a/js/src/jsapi.h
+++ b/js/src/jsapi.h
@@ -4018,6 +4018,9 @@ namespace JS {
  *
  * The provided chain of SavedFrame objects can live in any compartment,
  * although it will be copied to the compartment where the stack is captured.
+ *
+ * See also `js/src/doc/SavedFrame/SavedFrame.md` for documentation on async
+ * stack frames.
  */
 class MOZ_STACK_CLASS JS_PUBLIC_API(AutoSetAsyncStackForNewCalls)
 {
@@ -5301,6 +5304,8 @@ CaptureCurrentStack(JSContext* cx, MutableHandleObject stackp, unsigned maxFrame
  * caller's principals do not subsume any of the chained SavedFrame object's
  * principals, `SavedFrameResult::AccessDenied` is returned and a (hopefully)
  * sane default value is chosen for the out param.
+ *
+ * See also `js/src/doc/SavedFrame/SavedFrame.md`.
  */
 
 enum class SavedFrameResult {
diff --git a/js/src/jsfriendapi.h b/js/src/jsfriendapi.h
index 99843edb5b47..193dd0c07615 100644
--- a/js/src/jsfriendapi.h
+++ b/js/src/jsfriendapi.h
@@ -104,6 +104,8 @@ enum {
     JS_TELEMETRY_GC_REASON,
     JS_TELEMETRY_GC_IS_COMPARTMENTAL,
     JS_TELEMETRY_GC_MS,
+    JS_TELEMETRY_GC_BUDGET_MS,
+    JS_TELEMETRY_GC_ANIMATION_MS,
     JS_TELEMETRY_GC_MAX_PAUSE_MS,
     JS_TELEMETRY_GC_MARK_MS,
     JS_TELEMETRY_GC_SWEEP_MS,
diff --git a/js/src/jsgc.cpp b/js/src/jsgc.cpp
index 57c2e356b2e8..eafd362940f3 100644
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@@ -3004,7 +3004,7 @@ SliceBudget::describe(char* buffer, size_t maxlen) const
 {
     if (isUnlimited())
         return JS_snprintf(buffer, maxlen, "unlimited");
-    else if (deadline == 0)
+    else if (isWorkBudget())
         return JS_snprintf(buffer, maxlen, "work(%lld)", workBudget.budget);
     else
         return JS_snprintf(buffer, maxlen, "%lldms", timeBudget.budget);
diff --git a/js/src/shell/js.cpp b/js/src/shell/js.cpp
index 726dbb51a666..1354e898058b 100644
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@@ -126,6 +126,9 @@ static double gTimeoutInterval = -1.0;
 static volatile bool gServiceInterrupt = false;
 static JS::PersistentRootedValue gInterruptFunc;
 
+static bool gLastWarningEnabled = false;
+static JS::PersistentRootedValue gLastWarning;
+
 static bool enableDisassemblyDumps = false;
 static bool offthreadCompilation = false;
 static bool enableBaseline = false;
@@ -3037,6 +3040,63 @@ SetInterruptCallback(JSContext* cx, unsigned argc, Value* vp)
     return true;
 }
 
+static bool
+EnableLastWarning(JSContext* cx, unsigned argc, Value* vp)
+{
+    CallArgs args = CallArgsFromVp(argc, vp);
+
+    gLastWarningEnabled = true;
+    gLastWarning.setNull();
+
+    args.rval().setUndefined();
+    return true;
+}
+
+static bool
+DisableLastWarning(JSContext* cx, unsigned argc, Value* vp)
+{
+    CallArgs args = CallArgsFromVp(argc, vp);
+
+    gLastWarningEnabled = false;
+    gLastWarning.setNull();
+
+    args.rval().setUndefined();
+    return true;
+}
+
+static bool
+GetLastWarning(JSContext* cx, unsigned argc, Value* vp)
+{
+    CallArgs args = CallArgsFromVp(argc, vp);
+
+    if (!gLastWarningEnabled) {
+        JS_ReportError(cx, "Call enableLastWarning first.");
+        return false;
+    }
+
+    if (!JS_WrapValue(cx, &gLastWarning))
+        return false;
+
+    args.rval().set(gLastWarning);
+    return true;
+}
+
+static bool
+ClearLastWarning(JSContext* cx, unsigned argc, Value* vp)
+{
+    CallArgs args = CallArgsFromVp(argc, vp);
+
+    if (!gLastWarningEnabled) {
+        JS_ReportError(cx, "Call enableLastWarning first.");
+        return false;
+    }
+
+    gLastWarning.setNull();
+
+    args.rval().setUndefined();
+    return true;
+}
+
 #ifdef DEBUG
 static bool
 StackDump(JSContext* cx, unsigned argc, Value* vp)
@@ -4706,6 +4766,22 @@ static const JSFunctionSpecWithHelp shell_functions[] = {
 "  Sets func as the interrupt callback function.\n"
 "  Calling this function will replace any callback set by |timeout|.\n"),
 
+    JS_FN_HELP("enableLastWarning", EnableLastWarning, 0, 0,
+"enableLastWarning()",
+"  Enable storing the last warning."),
+
+    JS_FN_HELP("disableLastWarning", DisableLastWarning, 0, 0,
+"disableLastWarning()",
+"  Disable storing the last warning."),
+
+    JS_FN_HELP("getLastWarning", GetLastWarning, 0, 0,
+"getLastWarning()",
+"  Returns an object that represents the last warning."),
+
+    JS_FN_HELP("clearLastWarning", ClearLastWarning, 0, 0,
+"clearLastWarning()",
+"  Clear the last warning."),
+
     JS_FN_HELP("elapsed", Elapsed, 0, 0,
 "elapsed()",
 "  Execution time elapsed for the current context."),
@@ -5026,9 +5102,55 @@ js::shell::my_GetErrorMessage(void* userRef, const unsigned errorNumber)
     return &jsShell_ErrorFormatString[errorNumber];
 }
 
+static bool
+CreateLastWarningObject(JSContext* cx, JSErrorReport* report)
+{
+    RootedObject warningObj(cx, JS_NewObject(cx, nullptr));
+    if (!warningObj)
+        return false;
+
+    RootedString nameStr(cx);
+    if (report->exnType == JSEXN_NONE)
+        nameStr = JS_NewStringCopyZ(cx, "None");
+    else
+        nameStr = GetErrorTypeName(cx->runtime(), report->exnType);
+    if (!nameStr)
+        return false;
+    RootedValue nameVal(cx, StringValue(nameStr));
+    if (!DefineProperty(cx, warningObj, cx->names().name, nameVal))
+        return false;
+
+    RootedString messageStr(cx, JS_NewUCStringCopyZ(cx, report->ucmessage));
+    if (!messageStr)
+        return false;
+    RootedValue messageVal(cx, StringValue(messageStr));
+    if (!DefineProperty(cx, warningObj, cx->names().message, messageVal))
+        return false;
+
+    RootedValue linenoVal(cx, Int32Value(report->lineno));
+    if (!DefineProperty(cx, warningObj, cx->names().lineNumber, linenoVal))
+        return false;
+
+    RootedValue columnVal(cx, Int32Value(report->column));
+    if (!DefineProperty(cx, warningObj, cx->names().columnNumber, columnVal))
+        return false;
+
+    gLastWarning.setObject(*warningObj);
+    return true;
+}
+
 void
 js::shell::my_ErrorReporter(JSContext* cx, const char* message, JSErrorReport* report)
 {
+    if (report && JSREPORT_IS_WARNING(report->flags) && gLastWarningEnabled) {
+        JS::AutoSaveExceptionState savedExc(cx);
+        if (!CreateLastWarningObject(cx, report)) {
+            fputs("Unhandled error happened while creating last warning object.\n", gOutFile);
+            fflush(gOutFile);
+        }
+        savedExc.restore();
+    }
+
     gGotError = PrintError(cx, gErrFile, message, report, reportWarnings);
     if (report->exnType != JSEXN_NONE && !JSREPORT_IS_WARNING(report->flags)) {
         if (report->errorNumber == JSMSG_OUT_OF_MEMORY) {
@@ -6305,6 +6427,7 @@ main(int argc, char** argv, char** envp)
         return 1;
 
     gInterruptFunc.init(rt, NullValue());
+    gLastWarning.init(rt, NullValue());
 
     JS_SetGCParameter(rt, JSGC_MAX_BYTES, 0xffffffff);
 
diff --git a/js/src/tests/ecma_6/Class/newTargetMethods.js b/js/src/tests/ecma_6/Class/newTargetMethods.js
index 84dba1cec720..055ec0bf1984 100644
--- a/js/src/tests/ecma_6/Class/newTargetMethods.js
+++ b/js/src/tests/ecma_6/Class/newTargetMethods.js
@@ -1,3 +1,5 @@
+var test = `
+
 // Just like newTargetDirectInvoke, except to prove it works in functions
 // defined with method syntax as well. Note that methods, getters, and setters
 // are not constructible.
@@ -46,7 +48,10 @@ for (let i = 0; i < TEST_ITERATIONS; i++)
     clInst.cl;
 for (let i = 0; i < TEST_ITERATIONS; i++)
     clInst.cl = 4;
+`;
 
+if (classesEnabled())
+    eval(test);
 
 if (typeof reportCompare === "function")
     reportCompare(0,0,"OK");
diff --git a/js/src/tests/ecma_6/Class/superPropEvalInsideArrow.js b/js/src/tests/ecma_6/Class/superPropEvalInsideArrow.js
index 882f93ba0ace..c81d86c3dc0d 100644
--- a/js/src/tests/ecma_6/Class/superPropEvalInsideArrow.js
+++ b/js/src/tests/ecma_6/Class/superPropEvalInsideArrow.js
@@ -1,3 +1,5 @@
+var test = `
+
 class foo {
     constructor() { }
 
@@ -6,6 +8,10 @@ class foo {
     }
 }
 assertEq(new foo().method()(), Object.prototype.toString);
+`;
+
+if (classesEnabled())
+    eval(test);
 
 if (typeof reportCompare === "function")
     reportCompare(0,0,"OK");
diff --git a/js/src/tests/ecma_6/Class/superPropHeavyweightArrow.js b/js/src/tests/ecma_6/Class/superPropHeavyweightArrow.js
index ce30690d539d..dda69edc0c7c 100644
--- a/js/src/tests/ecma_6/Class/superPropHeavyweightArrow.js
+++ b/js/src/tests/ecma_6/Class/superPropHeavyweightArrow.js
@@ -1,3 +1,5 @@
+var test = `
+
 class foo {
     constructor() { }
 
@@ -7,6 +9,10 @@ class foo {
 }
 
 assertEq(new foo().method()(), Object.prototype.toString);
+`;
+
+if (classesEnabled())
+    eval(test);
 
 if (typeof reportCompare === "function")
     reportCompare(0,0,"OK");
diff --git a/js/src/tests/ecma_6/shell.js b/js/src/tests/ecma_6/shell.js
index d9d777fdd474..1d5d37460759 100644
--- a/js/src/tests/ecma_6/shell.js
+++ b/js/src/tests/ecma_6/shell.js
@@ -204,3 +204,14 @@ if (typeof assertDeepEq === 'undefined') {
         };
     })();
 }
+
+if (typeof assertWarning === 'undefined') {
+    function assertWarning(func, name) {
+        enableLastWarning();
+        func();
+        var warning = getLastWarning();
+        assertEq(warning !== null, true);
+        assertEq(warning.name, name);
+        disableLastWarning();
+    }
+}
diff --git a/js/src/tests/js1_5/String/replace-flags.js b/js/src/tests/js1_5/String/replace-flags.js
index 656d4acfa6f6..866aa877ef1a 100644
--- a/js/src/tests/js1_5/String/replace-flags.js
+++ b/js/src/tests/js1_5/String/replace-flags.js
@@ -6,10 +6,19 @@ var summary = 'Add console warnings for non-standard flag argument of String.pro
 printBugNumber(BUGNUMBER);
 printStatus (summary);
 
-options("werror");
-assertEq(evaluate("'aaaA'.match('a', 'i')", {catchTermination: true}), "terminated");
-assertEq(evaluate("'aaaA'.search('a', 'i')", {catchTermination: true}), "terminated");
-assertEq(evaluate("'aaaA'.replace('a', 'b', 'g')", {catchTermination: true}), "terminated");
+function assertWarningForComponent(code, name) {
+  enableLastWarning();
+  var g = newGlobal();
+  g.eval(code);
+  var warning = getLastWarning();
+  assertEq(warning !== null, true);
+  assertEq(warning.name, name);
+  disableLastWarning();
+}
+
+assertWarningForComponent(`'aaaA'.match('a', 'i');`, "None");
+assertWarningForComponent(`'aaaA'.search('a', 'i');`, "None");
+assertWarningForComponent(`'aaaA'.replace('a', 'b', 'g');`, "None");
 
 if (typeof reportCompare === "function")
   reportCompare(true, true);
diff --git a/js/src/tests/lib/jittests.py b/js/src/tests/lib/jittests.py
index 7fb9dce3cfe5..180234153cb6 100755
--- a/js/src/tests/lib/jittests.py
+++ b/js/src/tests/lib/jittests.py
@@ -116,6 +116,8 @@ class Test:
         self.tz_pacific = False # True means force Pacific time for the test
         self.test_also_noasmjs = False # True means run with and without asm.js
                                        # enabled.
+        self.test_also = [] # List of other configurations to test with.
+        self.test_join = [] # List of other configurations to test with all existing variants.
         self.expect_error = '' # Errors to expect and consider passing
         self.expect_status = 0 # Exit status to expect from shell
 
@@ -129,6 +131,8 @@ class Test:
         t.valgrind = self.valgrind
         t.tz_pacific = self.tz_pacific
         t.test_also_noasmjs = self.test_also_noasmjs
+        t.test_also = self.test_also
+        t.test_join = self.test_join
         t.expect_error = self.expect_error
         t.expect_status = self.expect_status
         return t
@@ -139,12 +143,14 @@ class Test:
         return t
 
     def copy_variants(self, variants):
-        # If the tests are flagged with the |jit-test| test-also-noasmjs flags,
-        # then we duplicate the variants such that the test can be used both
-        # with the interpreter and asmjs.  This is a simple way to check for
-        # differential behaviour.
-        if self.test_also_noasmjs:
-            variants = variants + [['--no-asmjs']]
+        # Append variants to be tested in addition to the current set of tests.
+        variants = variants + self.test_also
+
+        # For each existing variant, duplicates it for each list of options in
+        # test_join.  This will multiply the number of variants by 2 for set of
+        # options.
+        for join_opts in self.test_join:
+            variants = variants + [ opts + join_opts for opts in variants ];
 
         # For each list of jit flags, make a copy of the test.
         return [self.copy_and_extend_jitflags(v) for v in variants]
@@ -201,7 +207,12 @@ class Test:
                     elif name == 'tz-pacific':
                         test.tz_pacific = True
                     elif name == 'test-also-noasmjs':
-                        test.test_also_noasmjs = options.can_test_also_noasmjs
+                        if options.can_test_also_noasmjs:
+                            test.test_also.append(['--no-asmjs'])
+                    elif name.startswith('test-also='):
+                        test.test_also.append([name[len('test-also='):]])
+                    elif name.startswith('test-join='):
+                        test.test_join.append([name[len('test-join='):]])
                     elif name == 'ion-eager':
                         test.jitflags.append('--ion-eager')
                     elif name == 'dump-bytecode':
diff --git a/js/src/tests/shell/warning.js b/js/src/tests/shell/warning.js
new file mode 100644
index 000000000000..dfa1d5405fc0
--- /dev/null
+++ b/js/src/tests/shell/warning.js
@@ -0,0 +1,52 @@
+// |reftest| skip-if(!xulRuntime.shell)
+
+var BUGNUMBER = 1170716;
+var summary = 'Add js shell functions to get last warning';
+
+print(BUGNUMBER + ": " + summary);
+
+// Warning with JSEXN_NONE.
+
+enableLastWarning();
+
+eval(`({}).__proto__ = {};`);
+
+var warning = getLastWarning();
+assertEq(warning !== null, true);
+assertEq(warning.name, "None");
+assertEq(warning.message.includes("mutating"), true);
+assertEq(warning.lineNumber, 1);
+assertEq(warning.columnNumber, 1);
+
+// Clear last warning.
+
+clearLastWarning();
+warning = getLastWarning();
+assertEq(warning, null);
+
+// Warning with JSEXN_SYNTAXERR.
+
+options("strict");
+eval(`var a; if (a=0) {}`);
+
+warning = getLastWarning();
+assertEq(warning !== null, true);
+assertEq(warning.name, "SyntaxError");
+assertEq(warning.message.includes("equality"), true);
+assertEq(warning.lineNumber, 1);
+assertEq(warning.columnNumber, 14);
+
+// Disabled.
+
+disableLastWarning();
+
+eval(`var a; if (a=0) {}`);
+
+enableLastWarning();
+warning = getLastWarning();
+assertEq(warning, null);
+
+disableLastWarning();
+
+if (typeof reportCompare === "function")
+  reportCompare(true, true);
diff --git a/js/src/vm/HelperThreads.cpp b/js/src/vm/HelperThreads.cpp
index 7974ca49d506..0a6eea154d65 100644
--- a/js/src/vm/HelperThreads.cpp
+++ b/js/src/vm/HelperThreads.cpp
@@ -434,8 +434,8 @@ js::EnqueuePendingParseTasksAfterGC(JSRuntime* rt)
     HelperThreadState().notifyAll(GlobalHelperThreadState::PRODUCER);
 }
 
-static const uint32_t kDefaultHelperStackSize = 512 * 1024;
-static const uint32_t kDefaultHelperStackQuota = 450 * 1024;
+static const uint32_t kDefaultHelperStackSize = 2048 * 1024;
+static const uint32_t kDefaultHelperStackQuota = 1800 * 1024;
 
 // TSan enforces a minimum stack size that's just slightly larger than our
 // default helper stack size.  It does this to store blobs of TSan-specific
diff --git a/js/src/vm/NativeObject.cpp b/js/src/vm/NativeObject.cpp
index 4463fdfceedb..819e50c23c66 100644
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -1205,9 +1205,80 @@ GetExistingPropertyValue(ExclusiveContext* cx, HandleNativeObject obj, HandleId
     }
     if (!cx->shouldBeJSContext())
         return false;
+
+    MOZ_ASSERT(shape->propid() == id);
+    MOZ_ASSERT(obj->contains(cx, shape));
+
     return GetExistingProperty<CanGC>(cx->asJSContext(), obj, obj, shape, vp);
 }
 
+/*
+ * If ES6 draft rev 37 9.1.6.3 ValidateAndApplyPropertyDescriptor step 4 would
+ * return early, because desc is redundant with an existing own property obj[id],
+ * then set *redundant = true and return true.
+ */
+static bool
+DefinePropertyIsRedundant(ExclusiveContext* cx, HandleNativeObject obj, HandleId id,
+                          HandleShape shape, unsigned shapeAttrs,
+                          Handle<PropertyDescriptor> desc, bool *redundant)
+{
+    *redundant = false;
+
+    if (desc.hasConfigurable() && desc.configurable() != ((shapeAttrs & JSPROP_PERMANENT) == 0))
+        return true;
+    if (desc.hasEnumerable() && desc.enumerable() != ((shapeAttrs & JSPROP_ENUMERATE) != 0))
+        return true;
+    if (desc.isDataDescriptor()) {
+        if ((shapeAttrs & (JSPROP_GETTER | JSPROP_SETTER)) != 0)
+            return true;
+        if (desc.hasWritable() && desc.writable() != ((shapeAttrs & JSPROP_READONLY) == 0))
+            return true;
+        if (desc.hasValue()) {
+            // Get the current value of the existing property.
+            RootedValue currentValue(cx);
+            if (!IsImplicitDenseOrTypedArrayElement(shape) &&
+                shape->hasSlot() &&
+                shape->hasDefaultGetter())
+            {
+                // Inline GetExistingPropertyValue in order to omit a type
+                // correctness assertion that's too strict for this particular
+                // call site. For details, see bug 1125624 comments 13-16.
+                currentValue.set(obj->getSlot(shape->slot()));
+            } else {
+                if (!GetExistingPropertyValue(cx, obj, id, shape, &currentValue))
+                    return false;
+            }
+
+            // The specification calls for SameValue here, but it seems to be a
+            // bug. See <https://bugs.ecmascript.org/show_bug.cgi?id=3508>.
+            if (desc.value() != currentValue)
+                return true;
+        }
+
+        GetterOp existingGetterOp =
+            IsImplicitDenseOrTypedArrayElement(shape) ? nullptr : shape->getter();
+        if (desc.getter() != existingGetterOp)
+            return true;
+
+        SetterOp existingSetterOp =
+            IsImplicitDenseOrTypedArrayElement(shape) ? nullptr : shape->setter();
+        if (desc.setter() != existingSetterOp)
+            return true;
+    } else {
+        if (desc.hasGetterObject()) {
+            if (!(shapeAttrs & JSPROP_GETTER) || desc.getterObject() != shape->getterObject())
+                return true;
+        }
+        if (desc.hasSetterObject()) {
+            if (!(shapeAttrs & JSPROP_SETTER) || desc.setterObject() != shape->setterObject())
+                return true;
+        }
+    }
+
+    *redundant = true;
+    return true;
+}
+
 bool
 js::NativeDefineProperty(ExclusiveContext* cx, HandleNativeObject obj, HandleId id,
                          Handle<PropertyDescriptor> desc_,
@@ -1296,6 +1367,25 @@ js::NativeDefineProperty(ExclusiveContext* cx, HandleNativeObject obj, HandleId
 
     MOZ_ASSERT(shape);
 
+    // Steps 3-4. (Step 3 is a special case of step 4.) We use shapeAttrs as a
+    // stand-in for shape in many places below, since shape might not be a
+    // pointer to a real Shape (see IsImplicitDenseOrTypedArrayElement).
+    unsigned shapeAttrs = GetShapeAttributes(obj, shape);
+    bool redundant;
+    if (!DefinePropertyIsRedundant(cx, obj, id, shape, shapeAttrs, desc, &redundant))
+        return false;
+    if (redundant) {
+        // In cases involving JSOP_NEWOBJECT and JSOP_INITPROP, obj can have a
+        // type for this property that doesn't match the value in the slot.
+        // Update the type here, even though this DefineProperty call is
+        // otherwise a no-op. (See bug 1125624 comment 13.)
+        if (!IsImplicitDenseOrTypedArrayElement(shape) && desc.hasValue()) {
+            if (!UpdateShapeTypeAndValue(cx, obj, shape, desc.value()))
+                return false;
+        }
+        return result.succeed();
+    }
+
     // Non-standard hack: Allow redefining non-configurable properties if
     // JSPROP_REDEFINE_NONCONFIGURABLE is set _and_ the object is a non-DOM
     // global. The idea is that a DOM object can never have such a thing on
@@ -1306,12 +1396,7 @@ js::NativeDefineProperty(ExclusiveContext* cx, HandleNativeObject obj, HandleId
                               obj->is<GlobalObject>() &&
                               !obj->getClass()->isDOMClass();
 
-    // Steps 3-4 are redundant.
-
-    // Step 5. We use shapeAttrs as a stand-in for shape in many places below
-    // since shape might not be a pointer to a real Shape (see
-    // IsImplicitDenseOrTypedArrayElement).
-    unsigned shapeAttrs = GetShapeAttributes(obj, shape);
+    // Step 5.
     if (!IsConfigurable(shapeAttrs) && !skipRedefineChecks) {
         if (desc.hasConfigurable() && desc.configurable())
             return result.fail(JSMSG_CANT_REDEFINE_PROP);
diff --git a/js/src/vm/UnboxedObject.cpp b/js/src/vm/UnboxedObject.cpp
index 3e08f3c63c21..2548a6379eca 100644
--- a/js/src/vm/UnboxedObject.cpp
+++ b/js/src/vm/UnboxedObject.cpp
@@ -522,7 +522,7 @@ UnboxedLayout::makeNativeGroup(JSContext* cx, ObjectGroup* group)
                 return false;
 
             HeapTypeSet* nativeProperty = nativeGroup->maybeGetProperty(id);
-            if (nativeProperty->canSetDefinite(i))
+            if (nativeProperty && nativeProperty->canSetDefinite(i))
                 nativeProperty->setDefinite(i);
         }
     }
diff --git a/js/xpconnect/src/XPCJSRuntime.cpp b/js/xpconnect/src/XPCJSRuntime.cpp
index 1785c47cf12b..0b6c18c118a4 100644
--- a/js/xpconnect/src/XPCJSRuntime.cpp
+++ b/js/xpconnect/src/XPCJSRuntime.cpp
@@ -3110,6 +3110,12 @@ AccumulateTelemetryCallback(int id, uint32_t sample, const char* key)
       case JS_TELEMETRY_GC_MS:
         Telemetry::Accumulate(Telemetry::GC_MS, sample);
         break;
+      case JS_TELEMETRY_GC_BUDGET_MS:
+        Telemetry::Accumulate(Telemetry::GC_BUDGET_MS, sample);
+        break;
+      case JS_TELEMETRY_GC_ANIMATION_MS:
+        Telemetry::Accumulate(Telemetry::GC_ANIMATION_MS, sample);
+        break;
       case JS_TELEMETRY_GC_MAX_PAUSE_MS:
         Telemetry::Accumulate(Telemetry::GC_MAX_PAUSE_MS, sample);
         break;
diff --git a/js/xpconnect/src/nsXPConnect.cpp b/js/xpconnect/src/nsXPConnect.cpp
index 4cdb40fe20d7..428c0b187df8 100644
--- a/js/xpconnect/src/nsXPConnect.cpp
+++ b/js/xpconnect/src/nsXPConnect.cpp
@@ -85,7 +85,7 @@ nsXPConnect::~nsXPConnect()
     // XPConnect, to clean the stuff we forcibly disconnected. The forced
     // shutdown code defaults to leaking in a number of situations, so we can't
     // get by with only the second GC. :-(
-    JS_GC(mRuntime->Runtime());
+    mRuntime->GarbageCollect(JS::gcreason::XPCONNECT_SHUTDOWN);
 
     mShuttingDown = true;
     XPCWrappedNativeScope::SystemIsBeingShutDown();
@@ -95,7 +95,7 @@ nsXPConnect::~nsXPConnect()
     // after which point we need to GC to clean everything up. We need to do
     // this before deleting the XPCJSRuntime, because doing so destroys the
     // maps that our finalize callback depends on.
-    JS_GC(mRuntime->Runtime());
+    mRuntime->GarbageCollect(JS::gcreason::XPCONNECT_SHUTDOWN);
 
     NS_RELEASE(gSystemPrincipal);
     gScriptSecurityManager = nullptr;
diff --git a/layout/base/nsBidi.cpp b/layout/base/nsBidi.cpp
index 24630c4b0cab..f669c9731536 100644
--- a/layout/base/nsBidi.cpp
+++ b/layout/base/nsBidi.cpp
@@ -505,7 +505,7 @@ void nsBidi::GetDirProps(const char16_t *aText)
       } else if  (state == SEEKING_STRONG_FOR_FSI) {
         if (stackLast <= NSBIDI_MAX_EXPLICIT_LEVEL) {
           dirProps[isolateStartStack[stackLast]] = LRI;
-          flags |= LRI;
+          flags |= DIRPROP_FLAG(LRI);
         }
         state = LOOKING_FOR_PDI;
       }
@@ -518,7 +518,7 @@ void nsBidi::GetDirProps(const char16_t *aText)
       } else if  (state == SEEKING_STRONG_FOR_FSI) {
         if (stackLast <= NSBIDI_MAX_EXPLICIT_LEVEL) {
           dirProps[isolateStartStack[stackLast]] = RLI;
-          flags |= RLI;
+          flags |= DIRPROP_FLAG(RLI);
         }
         state = LOOKING_FOR_PDI;
       }
diff --git a/layout/base/nsDisplayList.cpp b/layout/base/nsDisplayList.cpp
index 4852f5884bae..2e65f85febd4 100644
--- a/layout/base/nsDisplayList.cpp
+++ b/layout/base/nsDisplayList.cpp
@@ -1582,7 +1582,7 @@ already_AddRefed<LayerManager> nsDisplayList::PaintRoot(nsDisplayListBuilder* aB
   }
 
   if (addMetrics || ensureMetricsForRootId) {
-    bool isRoot = presContext->IsRootContentDocument();
+    bool isRootContent = presContext->IsRootContentDocument();
 
     nsRect viewport(aBuilder->ToReferenceFrame(frame), frame->GetSize());
 
@@ -1591,7 +1591,7 @@ already_AddRefed<LayerManager> nsDisplayList::PaintRoot(nsDisplayListBuilder* aB
                          rootScrollFrame, content,
                          aBuilder->FindReferenceFrameFor(frame),
                          root, FrameMetrics::NULL_SCROLL_ID, viewport, Nothing(),
-                         isRoot, containerParameters));
+                         isRootContent, containerParameters));
   } else {
     // Set empty metrics to clear any metrics that might be on a recycled layer.
     root->SetFrameMetrics(nsTArray<FrameMetrics>());
diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp
index fc550dc932e7..71ab13c3827e 100644
--- a/layout/base/nsLayoutUtils.cpp
+++ b/layout/base/nsLayoutUtils.cpp
@@ -8169,7 +8169,7 @@ nsLayoutUtils::ComputeFrameMetrics(nsIFrame* aForFrame,
                                    ViewID aScrollParentId,
                                    const nsRect& aViewport,
                                    const Maybe<nsRect>& aClipRect,
-                                   bool aIsRoot,
+                                   bool aIsRootContent,
                                    const ContainerLayerParameters& aContainerParameters)
 {
   nsPresContext* presContext = aForFrame->PresContext();
@@ -8248,7 +8248,7 @@ nsLayoutUtils::ComputeFrameMetrics(nsIFrame* aForFrame,
   // overscroll handoff chain.
   MOZ_ASSERT(aScrollParentId == FrameMetrics::NULL_SCROLL_ID || scrollId != aScrollParentId);
   metrics.SetScrollId(scrollId);
-  metrics.SetIsRoot(aIsRoot);
+  metrics.SetIsRootContent(aIsRootContent);
   metrics.SetScrollParentId(aScrollParentId);
 
   if (scrollId != FrameMetrics::NULL_SCROLL_ID && !presContext->GetParentPresContext()) {
diff --git a/layout/build/moz.build b/layout/build/moz.build
index e144a964cd84..abe45694ce72 100644
--- a/layout/build/moz.build
+++ b/layout/build/moz.build
@@ -119,6 +119,7 @@ if CONFIG['MOZ_B2G_BT']:
 
 if CONFIG['MOZ_WEBSPEECH']:
     LOCAL_INCLUDES += [
+        '/dom/media/webspeech/recognition',
         '/dom/media/webspeech/synth',
     ]
 
diff --git a/layout/build/nsLayoutModule.cpp b/layout/build/nsLayoutModule.cpp
index c2f1216acbe0..0f243a598312 100644
--- a/layout/build/nsLayoutModule.cpp
+++ b/layout/build/nsLayoutModule.cpp
@@ -99,6 +99,9 @@
 #ifdef MOZ_WEBSPEECH_TEST_BACKEND
 #include "mozilla/dom/FakeSpeechRecognitionService.h"
 #endif
+#ifdef MOZ_WEBSPEECH_POCKETSPHINX
+#include "mozilla/dom/PocketSphinxSpeechRecognitionService.h"
+#endif
 #ifdef MOZ_WEBSPEECH
 #include "mozilla/dom/nsSynthVoiceRegistry.h"
 #endif
@@ -635,6 +638,9 @@ NS_GENERIC_FACTORY_SINGLETON_CONSTRUCTOR(DataStoreService, DataStoreService::Get
 #ifdef MOZ_WEBSPEECH_TEST_BACKEND
 NS_GENERIC_FACTORY_CONSTRUCTOR(FakeSpeechRecognitionService)
 #endif
+#ifdef MOZ_WEBSPEECH_POCKETSPHINX
+NS_GENERIC_FACTORY_CONSTRUCTOR(PocketSphinxSpeechRecognitionService)
+#endif
 
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsCSPContext)
 NS_GENERIC_FACTORY_CONSTRUCTOR(CSPService)
@@ -831,6 +837,9 @@ NS_DEFINE_NAMED_CID(NS_GAMEPAD_TEST_CID);
 #ifdef MOZ_WEBSPEECH_TEST_BACKEND
 NS_DEFINE_NAMED_CID(NS_FAKE_SPEECH_RECOGNITION_SERVICE_CID);
 #endif
+#ifdef MOZ_WEBSPEECH_POCKETSPHINX
+NS_DEFINE_NAMED_CID(NS_POCKETSPHINX_SPEECH_RECOGNITION_SERVICE_CID);
+#endif
 #ifdef MOZ_WEBSPEECH
 NS_DEFINE_NAMED_CID(NS_SYNTHVOICEREGISTRY_CID);
 #endif
@@ -1088,6 +1097,9 @@ static const mozilla::Module::CIDEntry kLayoutCIDs[] = {
 #ifdef MOZ_WEBSPEECH_TEST_BACKEND
   { &kNS_FAKE_SPEECH_RECOGNITION_SERVICE_CID, false, nullptr, FakeSpeechRecognitionServiceConstructor },
 #endif
+#ifdef MOZ_WEBSPEECH_POCKETSPHINX
+  { &kNS_POCKETSPHINX_SPEECH_RECOGNITION_SERVICE_CID, false, nullptr, PocketSphinxSpeechRecognitionServiceConstructor },
+#endif
 #ifdef MOZ_WEBSPEECH
   { &kNS_SYNTHVOICEREGISTRY_CID, true, nullptr, nsSynthVoiceRegistryConstructor },
 #endif
@@ -1252,6 +1264,9 @@ static const mozilla::Module::ContractIDEntry kLayoutContracts[] = {
 #ifdef MOZ_WEBSPEECH_TEST_BACKEND
   { NS_SPEECH_RECOGNITION_SERVICE_CONTRACTID_PREFIX "fake", &kNS_FAKE_SPEECH_RECOGNITION_SERVICE_CID },
 #endif
+#ifdef MOZ_WEBSPEECH_POCKETSPHINX
+  { NS_SPEECH_RECOGNITION_SERVICE_CONTRACTID_PREFIX "pocketsphinx", &kNS_POCKETSPHINX_SPEECH_RECOGNITION_SERVICE_CID },
+#endif
 #ifdef MOZ_WEBSPEECH
   { NS_SYNTHVOICEREGISTRY_CONTRACTID, &kNS_SYNTHVOICEREGISTRY_CID },
 #endif
diff --git a/layout/generic/nsBlockFrame.cpp b/layout/generic/nsBlockFrame.cpp
index e3f0786a18e3..fe8e33061e89 100644
--- a/layout/generic/nsBlockFrame.cpp
+++ b/layout/generic/nsBlockFrame.cpp
@@ -7215,7 +7215,7 @@ nsBlockFrame::ISizeToClearPastFloats(nsBlockReflowState& aState,
   nscoord inlineStartOffset, inlineEndOffset;
   WritingMode wm = aState.mReflowState.GetWritingMode();
   nsCSSOffsetState offsetState(aFrame, aState.mReflowState.rendContext,
-                               aState.mContentArea.Width(wm));
+                               wm, aState.mContentArea.ISize(wm));
 
   ReplacedElementISizeToClear result;
   aState.ComputeReplacedBlockOffsetsForFloats(aFrame, aFloatAvailableSpace,
diff --git a/layout/generic/nsBlockReflowState.cpp b/layout/generic/nsBlockReflowState.cpp
index 1d8945840d2a..aca5af94cd9d 100644
--- a/layout/generic/nsBlockReflowState.cpp
+++ b/layout/generic/nsBlockReflowState.cpp
@@ -182,7 +182,7 @@ nsBlockReflowState::ComputeReplacedBlockOffsetsForFloats(
   } else {
     LogicalMargin frameMargin(wm);
     nsCSSOffsetState os(aFrame, mReflowState.rendContext,
-                        mContentArea.ISize(wm));
+                        wm, mContentArea.ISize(wm));
     frameMargin =
       os.ComputedLogicalMargin().ConvertTo(wm, aFrame->GetWritingMode());
 
@@ -209,7 +209,8 @@ GetBEndMarginClone(nsIFrame* aFrame,
 {
   if (aFrame->StyleBorder()->mBoxDecorationBreak ==
         NS_STYLE_BOX_DECORATION_BREAK_CLONE) {
-    nsCSSOffsetState os(aFrame, aRenderingContext, aContentArea.ISize(aWritingMode));
+    nsCSSOffsetState os(aFrame, aRenderingContext, aWritingMode,
+                        aContentArea.ISize(aWritingMode));
     return os.ComputedLogicalMargin().
                 ConvertTo(aWritingMode,
                           aFrame->GetWritingMode()).BEnd(aWritingMode);
@@ -721,7 +722,7 @@ nsBlockReflowState::FlowAndPlaceFloat(nsIFrame* aFloat)
                "Float frame has wrong parent");
 
   nsCSSOffsetState offsets(aFloat, mReflowState.rendContext,
-                           mReflowState.ComputedISize());
+                           wm, mReflowState.ComputedISize());
 
   nscoord floatMarginISize = FloatMarginISize(mReflowState,
                                               adjustedAvailableSpace.ISize(wm),
diff --git a/layout/generic/nsGfxScrollFrame.cpp b/layout/generic/nsGfxScrollFrame.cpp
index 4f1856bd0661..04fa0cdbf955 100644
--- a/layout/generic/nsGfxScrollFrame.cpp
+++ b/layout/generic/nsGfxScrollFrame.cpp
@@ -3066,13 +3066,13 @@ ScrollFrameHelper::ComputeFrameMetrics(Layer* aLayer,
   }
 
   nsPoint toReferenceFrame = mOuter->GetOffsetToCrossDoc(aContainerReferenceFrame);
-  bool isRoot = mIsRoot && mOuter->PresContext()->IsRootContentDocument();
+  bool isRootContent = mIsRoot && mOuter->PresContext()->IsRootContentDocument();
 
   Maybe<nsRect> parentLayerClip;
   if (needsParentLayerClip) {
     nsRect clip = nsRect(mScrollPort.TopLeft() + toReferenceFrame,
                          nsLayoutUtils::CalculateCompositionSizeForFrame(mOuter));
-    if (isRoot) {
+    if (isRootContent) {
       double res = mOuter->PresContext()->PresShell()->GetResolution();
       clip.width = NSToCoordRound(clip.width / res);
       clip.height = NSToCoordRound(clip.height / res);
@@ -3089,7 +3089,7 @@ ScrollFrameHelper::ComputeFrameMetrics(Layer* aLayer,
 #if defined(MOZ_WIDGET_ANDROID) && !defined(MOZ_ANDROID_APZ)
   // Android without apzc (aka the java pan zoom code) only uses async scrolling
   // for the root scroll frame of the root content document.
-  if (!isRoot) {
+  if (!isRootContent) {
     thisScrollFrameUsesAsyncScrolling = false;
   }
 #endif
@@ -3124,7 +3124,7 @@ ScrollFrameHelper::ComputeFrameMetrics(Layer* aLayer,
       nsLayoutUtils::ComputeFrameMetrics(
         mScrolledFrame, mOuter, mOuter->GetContent(),
         aContainerReferenceFrame, aLayer, mScrollParentID,
-        scrollport, parentLayerClip, isRoot, aParameters);
+        scrollport, parentLayerClip, isRootContent, aParameters);
 }
 
 bool
diff --git a/layout/generic/nsHTMLReflowState.cpp b/layout/generic/nsHTMLReflowState.cpp
index edca8648ad71..5c6e935386e6 100644
--- a/layout/generic/nsHTMLReflowState.cpp
+++ b/layout/generic/nsHTMLReflowState.cpp
@@ -144,6 +144,7 @@ FontSizeInflationListMarginAdjustment(const nsIFrame* aFrame)
 // containing-block block-size, rather than its inline-size.
 nsCSSOffsetState::nsCSSOffsetState(nsIFrame *aFrame,
                                    nsRenderingContext *aRenderingContext,
+                                   WritingMode aContainingBlockWritingMode,
                                    nscoord aContainingBlockISize)
   : frame(aFrame)
   , rendContext(aRenderingContext)
@@ -153,9 +154,9 @@ nsCSSOffsetState::nsCSSOffsetState(nsIFrame *aFrame,
              "We're about to resolve percent margin & padding "
              "values against CB inline size, which is incorrect for "
              "flex/grid items");
-  LogicalSize cbSize(mWritingMode, aContainingBlockISize,
+  LogicalSize cbSize(aContainingBlockWritingMode, aContainingBlockISize,
                      aContainingBlockISize);
-  InitOffsets(cbSize, frame->GetType());
+  InitOffsets(aContainingBlockWritingMode, cbSize, frame->GetType());
 }
 
 // Initialize a reflow state for a child frame's reflow. Some state
@@ -2031,7 +2032,7 @@ nsHTMLReflowState::InitConstraints(nsPresContext*     aPresContext,
   // height equal to the available space
   if (nullptr == parentReflowState || mFlags.mDummyParentReflowState) {
     // XXXldb This doesn't mean what it used to!
-    InitOffsets(OffsetPercentBasis(frame, wm, aContainingBlockSize),
+    InitOffsets(wm, OffsetPercentBasis(frame, wm, aContainingBlockSize),
                 aFrameType, aBorder, aPadding);
     // Override mComputedMargin since reflow roots start from the
     // frame's boundary, which is inside the margin.
@@ -2084,9 +2085,15 @@ nsHTMLReflowState::InitConstraints(nsPresContext*     aPresContext,
 
     // XXX Might need to also pass the CB height (not width) for page boxes,
     // too, if we implement them.
-    InitOffsets(OffsetPercentBasis(frame, wm, cbSize),
+
+    // For calculating positioning offsets, margins, borders and
+    // padding, we use the writing mode of the containing block
+    WritingMode cbwm = cbrs->GetWritingMode();
+    InitOffsets(cbwm, OffsetPercentBasis(frame, cbwm,
+                                         cbSize.ConvertTo(cbwm, wm)),
                 aFrameType, aBorder, aPadding);
 
+    // For calculating the size of this box, we use its own writing mode
     const nsStyleCoord &blockSize = mStylePosition->BSize(wm);
     nsStyleUnit blockSizeUnit = blockSize.GetUnit();
 
@@ -2138,14 +2145,16 @@ nsHTMLReflowState::InitConstraints(nsPresContext*     aPresContext,
       }
     }
 
-    // Compute our offsets if the element is relatively positioned.  We need
-    // the correct containing block width and blockSize here, which is why we need
-    // to do it after all the quirks-n-such above. (If the element is sticky
-    // positioned, we need to wait until the scroll container knows its size,
-    // so we compute offsets from StickyScrollContainer::UpdatePositions.)
+    // Compute our offsets if the element is relatively positioned.  We
+    // need the correct containing block inline-size and block-size
+    // here, which is why we need to do it after all the quirks-n-such
+    // above. (If the element is sticky positioned, we need to wait
+    // until the scroll container knows its size, so we compute offsets
+    // from StickyScrollContainer::UpdatePositions.)
     if (mStyleDisplay->IsRelativelyPositioned(frame) &&
         NS_STYLE_POSITION_RELATIVE == mStyleDisplay->mPosition) {
-      ComputeRelativeOffsets(wm, frame, cbSize, ComputedPhysicalOffsets());
+      ComputeRelativeOffsets(cbwm, frame, cbSize.ConvertTo(cbwm, wm),
+                             ComputedPhysicalOffsets());
     } else {
       // Initialize offsets to 0
       ComputedPhysicalOffsets().SizeTo(0, 0, 0, 0);
@@ -2306,7 +2315,8 @@ UpdateProp(FrameProperties& aProps,
 }
 
 void
-nsCSSOffsetState::InitOffsets(const LogicalSize& aPercentBasis,
+nsCSSOffsetState::InitOffsets(WritingMode aWM,
+                              const LogicalSize& aPercentBasis,
                               nsIAtom* aFrameType,
                               const nsMargin *aBorder,
                               const nsMargin *aPadding)
@@ -2323,7 +2333,7 @@ nsCSSOffsetState::InitOffsets(const LogicalSize& aPercentBasis,
   // become the default computed values, and may be adjusted below
   // XXX fix to provide 0,0 for the top&bottom margins for
   // inline-non-replaced elements
-  bool needMarginProp = ComputeMargin(aPercentBasis);
+  bool needMarginProp = ComputeMargin(aWM, aPercentBasis);
   // XXX We need to include 'auto' horizontal margins in this too!
   // ... but if we did that, we'd need to fix nsFrame::GetUsedMargin
   // to use it even when the margins are all zero (since sometimes
@@ -2356,7 +2366,7 @@ nsCSSOffsetState::InitOffsets(const LogicalSize& aPercentBasis,
 	  (frame->GetStateBits() & NS_FRAME_REFLOW_ROOT);
   }
   else {
-    needPaddingProp = ComputePadding(aPercentBasis, aFrameType);
+    needPaddingProp = ComputePadding(aWM, aPercentBasis, aFrameType);
   }
 
   if (isThemed) {
@@ -2650,7 +2660,8 @@ nsHTMLReflowState::CalcLineHeight(nsIContent* aContent,
 }
 
 bool
-nsCSSOffsetState::ComputeMargin(const LogicalSize& aPercentBasis)
+nsCSSOffsetState::ComputeMargin(WritingMode aWM,
+                                const LogicalSize& aPercentBasis)
 {
   // SVG text frames have no margin.
   if (frame->IsSVGText()) {
@@ -2662,26 +2673,29 @@ nsCSSOffsetState::ComputeMargin(const LogicalSize& aPercentBasis)
 
   bool isCBDependent = !styleMargin->GetMargin(ComputedPhysicalMargin());
   if (isCBDependent) {
-    // We have to compute the value
-    WritingMode wm = GetWritingMode();
-    LogicalMargin m(wm);
-    m.IStart(wm) = nsLayoutUtils::
-      ComputeCBDependentValue(aPercentBasis.ISize(wm),
-                              styleMargin->mMargin.GetIStart(wm));
-    m.IEnd(wm) = nsLayoutUtils::
-      ComputeCBDependentValue(aPercentBasis.ISize(wm),
-                              styleMargin->mMargin.GetIEnd(wm));
+    // We have to compute the value. Note that this calculation is
+    // performed according to the writing mode of the containing block
+    // (http://dev.w3.org/csswg/css-writing-modes-3/#orthogonal-flows)
+    LogicalMargin m(aWM);
+    m.IStart(aWM) = nsLayoutUtils::
+      ComputeCBDependentValue(aPercentBasis.ISize(aWM),
+                              styleMargin->mMargin.GetIStart(aWM));
+    m.IEnd(aWM) = nsLayoutUtils::
+      ComputeCBDependentValue(aPercentBasis.ISize(aWM),
+                              styleMargin->mMargin.GetIEnd(aWM));
 
-    m.BStart(wm) = nsLayoutUtils::
-      ComputeCBDependentValue(aPercentBasis.BSize(wm),
-                              styleMargin->mMargin.GetBStart(wm));
-    m.BEnd(wm) = nsLayoutUtils::
-      ComputeCBDependentValue(aPercentBasis.BSize(wm),
-                              styleMargin->mMargin.GetBEnd(wm));
+    m.BStart(aWM) = nsLayoutUtils::
+      ComputeCBDependentValue(aPercentBasis.BSize(aWM),
+                              styleMargin->mMargin.GetBStart(aWM));
+    m.BEnd(aWM) = nsLayoutUtils::
+      ComputeCBDependentValue(aPercentBasis.BSize(aWM),
+                              styleMargin->mMargin.GetBEnd(aWM));
 
-    SetComputedLogicalMargin(m);
+    SetComputedLogicalMargin(aWM, m);
   }
 
+  // ... but font-size-inflation-based margin adjustment uses the
+  // frame's writing mode
   nscoord marginAdjustment = FontSizeInflationListMarginAdjustment(frame);
 
   if (marginAdjustment > 0) {
@@ -2694,7 +2708,8 @@ nsCSSOffsetState::ComputeMargin(const LogicalSize& aPercentBasis)
 }
 
 bool
-nsCSSOffsetState::ComputePadding(const LogicalSize& aPercentBasis,
+nsCSSOffsetState::ComputePadding(WritingMode aWM,
+                                 const LogicalSize& aPercentBasis,
                                  nsIAtom* aFrameType)
 {
   // If style can provide us the padding directly, then use it.
@@ -2709,25 +2724,26 @@ nsCSSOffsetState::ComputePadding(const LogicalSize& aPercentBasis,
     ComputedPhysicalPadding().SizeTo(0,0,0,0);
   }
   else if (isCBDependent) {
-    // We have to compute the value
+    // We have to compute the value. This calculation is performed
+    // according to the writing mode of the containing block
+    // (http://dev.w3.org/csswg/css-writing-modes-3/#orthogonal-flows)
     // clamp negative calc() results to 0
-    WritingMode wm = GetWritingMode();
-    LogicalMargin p(wm);
-    p.IStart(wm) = std::max(0, nsLayoutUtils::
-      ComputeCBDependentValue(aPercentBasis.ISize(wm),
-                              stylePadding->mPadding.GetIStart(wm)));
-    p.IEnd(wm) = std::max(0, nsLayoutUtils::
-      ComputeCBDependentValue(aPercentBasis.ISize(wm),
-                              stylePadding->mPadding.GetIEnd(wm)));
+    LogicalMargin p(aWM);
+    p.IStart(aWM) = std::max(0, nsLayoutUtils::
+      ComputeCBDependentValue(aPercentBasis.ISize(aWM),
+                              stylePadding->mPadding.GetIStart(aWM)));
+    p.IEnd(aWM) = std::max(0, nsLayoutUtils::
+      ComputeCBDependentValue(aPercentBasis.ISize(aWM),
+                              stylePadding->mPadding.GetIEnd(aWM)));
 
-    p.BStart(wm) = std::max(0, nsLayoutUtils::
-      ComputeCBDependentValue(aPercentBasis.BSize(wm),
-                              stylePadding->mPadding.GetBStart(wm)));
-    p.BEnd(wm) = std::max(0, nsLayoutUtils::
-      ComputeCBDependentValue(aPercentBasis.BSize(wm),
-                              stylePadding->mPadding.GetBEnd(wm)));
+    p.BStart(aWM) = std::max(0, nsLayoutUtils::
+      ComputeCBDependentValue(aPercentBasis.BSize(aWM),
+                              stylePadding->mPadding.GetBStart(aWM)));
+    p.BEnd(aWM) = std::max(0, nsLayoutUtils::
+      ComputeCBDependentValue(aPercentBasis.BSize(aWM),
+                              stylePadding->mPadding.GetBEnd(aWM)));
 
-    SetComputedLogicalPadding(p);
+    SetComputedLogicalPadding(aWM, p);
   }
   return isCBDependent;
 }
diff --git a/layout/generic/nsHTMLReflowState.h b/layout/generic/nsHTMLReflowState.h
index 93817e76ac48..f3146478f495 100644
--- a/layout/generic/nsHTMLReflowState.h
+++ b/layout/generic/nsHTMLReflowState.h
@@ -124,12 +124,23 @@ public:
   const LogicalMargin ComputedLogicalPadding() const
     { return LogicalMargin(mWritingMode, mComputedPadding); }
 
+  void SetComputedLogicalMargin(mozilla::WritingMode aWM,
+                                const LogicalMargin& aMargin)
+    { mComputedMargin = aMargin.GetPhysicalMargin(aWM); }
   void SetComputedLogicalMargin(const LogicalMargin& aMargin)
-    { mComputedMargin = aMargin.GetPhysicalMargin(mWritingMode); }
+    { SetComputedLogicalMargin(mWritingMode, aMargin); }
+
+  void SetComputedLogicalBorderPadding(mozilla::WritingMode aWM,
+                                       const LogicalMargin& aMargin)
+    { mComputedBorderPadding = aMargin.GetPhysicalMargin(aWM); }
   void SetComputedLogicalBorderPadding(const LogicalMargin& aMargin)
-    { mComputedBorderPadding = aMargin.GetPhysicalMargin(mWritingMode); }
+    { SetComputedLogicalBorderPadding(mWritingMode, aMargin); }
+
+  void SetComputedLogicalPadding(mozilla::WritingMode aWM,
+                                 const LogicalMargin& aMargin)
+    { mComputedPadding = aMargin.GetPhysicalMargin(aWM); }
   void SetComputedLogicalPadding(const LogicalMargin& aMargin)
-    { mComputedPadding = aMargin.GetPhysicalMargin(mWritingMode); }
+    { SetComputedLogicalPadding(mWritingMode, aMargin); }
 
   WritingMode GetWritingMode() const { return mWritingMode; }
 
@@ -159,6 +170,7 @@ public:
   }
 
   nsCSSOffsetState(nsIFrame *aFrame, nsRenderingContext *aRenderingContext,
+                   mozilla::WritingMode aContainingBlockWritingMode,
                    nscoord aContainingBlockISize);
 
 #ifdef DEBUG
@@ -180,9 +192,11 @@ private:
    * Computes margin values from the specified margin style information, and
    * fills in the mComputedMargin member.
    *
+   * @param aWM Writing mode of the containing block
    * @param aPercentBasis
-   *    Logical size to use for resolving percentage margin values in
-   *    the inline and block axes.
+   *    Logical size in the writing mode of the containing block to use
+   *    for resolving percentage margin values in the inline and block
+   *    axes.
    *    The inline size is usually the containing block inline-size
    *    (width if writing mode is horizontal, and height if vertical).
    *    The block size is usually the containing block inline-size, per
@@ -191,15 +205,18 @@ private:
    *    Flexbox and Grid.
    * @return true if the margin is dependent on the containing block size.
    */
-  bool ComputeMargin(const mozilla::LogicalSize& aPercentBasis);
+  bool ComputeMargin(mozilla::WritingMode aWM,
+                     const mozilla::LogicalSize& aPercentBasis);
   
   /**
    * Computes padding values from the specified padding style information, and
    * fills in the mComputedPadding member.
    *
+   * @param aWM Writing mode of the containing block
    * @param aPercentBasis
-   *    Length to use for resolving percentage padding values in
-   *    the inline and block axes.
+   *    Logical size in the writing mode of the containing block to use
+   *    for resolving percentage padding values in the inline and block
+   *    axes.
    *    The inline size is usually the containing block inline-size
    *    (width if writing mode is horizontal, and height if vertical).
    *    The block size is usually the containing block inline-size, per
@@ -208,12 +225,14 @@ private:
    *    Flexbox and Grid.
    * @return true if the padding is dependent on the containing block size.
    */
-  bool ComputePadding(const mozilla::LogicalSize& aPercentBasis,
+  bool ComputePadding(mozilla::WritingMode aWM,
+                      const mozilla::LogicalSize& aPercentBasis,
                       nsIAtom* aFrameType);
 
 protected:
 
-  void InitOffsets(const mozilla::LogicalSize& aPercentBasis,
+  void InitOffsets(mozilla::WritingMode aWM,
+                   const mozilla::LogicalSize& aPercentBasis,
                    nsIAtom* aFrameType,
                    const nsMargin *aBorder = nullptr,
                    const nsMargin *aPadding = nullptr);
diff --git a/layout/ipc/RenderFrameParent.cpp b/layout/ipc/RenderFrameParent.cpp
index 4e47526d3e49..c15e64e53758 100644
--- a/layout/ipc/RenderFrameParent.cpp
+++ b/layout/ipc/RenderFrameParent.cpp
@@ -198,7 +198,7 @@ public:
 
   void ClearRenderFrame() { mRenderFrame = nullptr; }
 
-  virtual void SendAsyncScrollDOMEvent(bool aIsRoot,
+  virtual void SendAsyncScrollDOMEvent(bool aIsRootContent,
                                        const CSSRect& aContentRect,
                                        const CSSSize& aContentSize) override
   {
@@ -207,10 +207,10 @@ public:
         FROM_HERE,
         NewRunnableMethod(this,
                           &RemoteContentController::SendAsyncScrollDOMEvent,
-                          aIsRoot, aContentRect, aContentSize));
+                          aIsRootContent, aContentRect, aContentSize));
       return;
     }
-    if (mRenderFrame && aIsRoot) {
+    if (mRenderFrame && aIsRootContent) {
       TabParent* browser = TabParent::GetFrom(mRenderFrame->Manager());
       BrowserElementParent::DispatchAsyncScrollEvent(browser, aContentRect,
                                                      aContentSize);
diff --git a/layout/mathml/nsMathMLSelectedFrame.cpp b/layout/mathml/nsMathMLSelectedFrame.cpp
index ecf3bac6a1d2..f55e5693df70 100644
--- a/layout/mathml/nsMathMLSelectedFrame.cpp
+++ b/layout/mathml/nsMathMLSelectedFrame.cpp
@@ -117,7 +117,8 @@ nsMathMLSelectedFrame::ComputeSize(nsRenderingContext *aRenderingContext,
     nscoord availableISize = aAvailableISize - aBorder.ISize(aWM) -
         aPadding.ISize(aWM) - aMargin.ISize(aWM);
     LogicalSize cbSize = aCBSize - aBorder - aPadding - aMargin;
-    nsCSSOffsetState offsetState(childFrame, aRenderingContext, availableISize);
+    nsCSSOffsetState offsetState(childFrame, aRenderingContext, aWM,
+                                 availableISize);
     LogicalSize size =
         childFrame->ComputeSize(aRenderingContext, aWM, cbSize,
             availableISize, offsetState.ComputedLogicalMargin().Size(aWM),
diff --git a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-001.html b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-001.html
index a6ff66c6e854..b2fb6d3f1f07 100644
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-001.html
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-001.html
@@ -7,7 +7,7 @@
 <head>
   <title>CSS Test: Try various flex-flow values, with 'direction: ltr' and 'writing-mode: horizontal-tb'</title>
   <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com">
-  <link rel="help" href="http://dev.w3.org/csswg/css-flexbox-1/#propdef-flex-direction">
+  <link rel="help" href="http://www.w3.org/TR/css-flexbox-1/#propdef-flex-direction">
   <link rel="match" href="flexbox-writing-mode-001-ref.html">
   <meta charset="utf-8">
   <style>
diff --git a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-002.html b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-002.html
index 44cb1ff51ec6..8e1c724ed7bf 100644
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-002.html
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-002.html
@@ -7,7 +7,7 @@
 <head>
   <title>CSS Test: Try various flex-flow values, with 'direction: ltr' and 'writing-mode: vertical-rl'</title>
   <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com">
-  <link rel="help" href="http://dev.w3.org/csswg/css-flexbox-1/#propdef-flex-direction">
+  <link rel="help" href="http://www.w3.org/TR/css-flexbox-1/#propdef-flex-direction">
   <link rel="match" href="flexbox-writing-mode-002-ref.html">
   <meta charset="utf-8">
   <style>
diff --git a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-003.html b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-003.html
index de27b24497d5..9b4450487f36 100644
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-003.html
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-003.html
@@ -7,7 +7,7 @@
 <head>
   <title>CSS Test: Try various flex-flow values, with 'direction: ltr' and 'writing-mode: vertical-lr'</title>
   <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com">
-  <link rel="help" href="http://dev.w3.org/csswg/css-flexbox-1/#propdef-flex-direction">
+  <link rel="help" href="http://www.w3.org/TR/css-flexbox-1/#propdef-flex-direction">
   <link rel="match" href="flexbox-writing-mode-003-ref.html">
   <meta charset="utf-8">
   <style>
diff --git a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-004.html b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-004.html
index 8e80b2bfdde2..38f415868085 100644
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-004.html
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-004.html
@@ -7,7 +7,7 @@
 <head>
   <title>CSS Test: Try various flex-flow values, with 'direction: rtl' and 'writing-mode: horizontal-tb'</title>
   <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com">
-  <link rel="help" href="http://dev.w3.org/csswg/css-flexbox-1/#propdef-flex-direction">
+  <link rel="help" href="http://www.w3.org/TR/css-flexbox-1/#propdef-flex-direction">
   <link rel="match" href="flexbox-writing-mode-004-ref.html">
   <meta charset="utf-8">
   <style>
diff --git a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-005.html b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-005.html
index 24633d5be210..65826fc2e37f 100644
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-005.html
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-005.html
@@ -7,7 +7,7 @@
 <head>
   <title>CSS Test: Try various flex-flow values, with 'direction: rtl' and 'writing-mode: vertical-rl'</title>
   <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com">
-  <link rel="help" href="http://dev.w3.org/csswg/css-flexbox-1/#propdef-flex-direction">
+  <link rel="help" href="http://www.w3.org/TR/css-flexbox-1/#propdef-flex-direction">
   <link rel="match" href="flexbox-writing-mode-005-ref.html">
   <meta charset="utf-8">
   <style>
diff --git a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-006.html b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-006.html
index b2b1dfe9ef58..3e8352a45a2c 100644
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-006.html
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-writing-mode-006.html
@@ -7,7 +7,7 @@
 <head>
   <title>CSS Test: Try various flex-flow values, with 'direction: rtl' and 'writing-mode: vertical-lr'</title>
   <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com">
-  <link rel="help" href="http://dev.w3.org/csswg/css-flexbox-1/#propdef-flex-direction">
+  <link rel="help" href="http://www.w3.org/TR/css-flexbox-1/#propdef-flex-direction">
   <link rel="match" href="flexbox-writing-mode-006-ref.html">
   <meta charset="utf-8">
   <style>
diff --git a/layout/reftests/writing-mode/1172774-percent-horizontal-ref.html b/layout/reftests/writing-mode/1172774-percent-horizontal-ref.html
new file mode 100644
index 000000000000..53b1bef4bdce
--- /dev/null
+++ b/layout/reftests/writing-mode/1172774-percent-horizontal-ref.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <title>CSS Writing Modes Test: margin percentage and 'vertical-rl'</title>
+  <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">
+ </head>
+ <body>
+  <div id="reference"><img src="blue-yellow-206w-165h.png" width="206" height="165" alt="Image download support must be enabled"></div>
+ </body>
+</html>
\ No newline at end of file
diff --git a/layout/reftests/writing-mode/1172774-percent-margin-1.html b/layout/reftests/writing-mode/1172774-percent-margin-1.html
new file mode 100644
index 000000000000..4017ea9f10fc
--- /dev/null
+++ b/layout/reftests/writing-mode/1172774-percent-margin-1.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <title>CSS Writing Modes Test: margin percentage and 'vertical-rl'</title>
+  <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">
+  <meta content="This test checks that percentages on the margin are calculated with respect to the inline-size (width) of the containing block if 'writing-mode' of such containing block is 'horizontal-tb'. In this test, div.outer's computed 'writing-mode' value is 'horizontal-tb' and it is the div.inner's containing block." name="assert">
+  <style type="text/css">
+  div.outer
+    {
+      background-color: blue;
+      border: blue solid 3px;
+      width: 200px;
+    }
+
+  hr
+    {
+      background-color: transparent;
+      border: transparent none 0px;
+      height: 3px;
+      margin: 0.5em auto;
+    }
+
+  div.inner
+    {
+      background-color: yellow;
+      height: 50px;
+      width: 50px;
+      -ah-writing-mode: vertical-rl;
+      -webkit-writing-mode: vertical-rl;
+      writing-mode: tb-rl; /* IE11 */
+      writing-mode: vertical-rl;
+    }
+
+  div.foo
+    {
+      margin-bottom: 2.5%; /* 5px */
+      margin-left: 50%; /* 100px */
+      margin-right: 25%; /* 50px */
+      margin-top: 10%; /* 20px */
+    }
+
+  div.bar
+    {
+      margin-bottom: 10%;
+      margin-left: 25%;
+      margin-right: 50%;
+      margin-top: 2.5%;
+    }
+  </style>
+ </head>
+
+ <body>
+  <div class="outer">
+    <div class="inner foo"></div>
+    <hr>
+    <div class="inner bar"></div>
+  </div>
+ </body>
+</html>
diff --git a/layout/reftests/writing-mode/1172774-percent-margin-2.html b/layout/reftests/writing-mode/1172774-percent-margin-2.html
new file mode 100644
index 000000000000..55ce27f509cb
--- /dev/null
+++ b/layout/reftests/writing-mode/1172774-percent-margin-2.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <title>CSS Writing Modes Test: margin percentage and 'vertical-lr'</title>
+  <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">
+  <meta content="This test checks that percentages on the margin are calculated with respect to the inline-size (width) of the containing block if 'writing-mode' of such containing block is 'horizontal-tb'. In this test, div.outer's computed 'writing-mode' value is 'horizontal-tb' and it is the div.inner's containing block." name="assert">
+  <style type="text/css">
+  div.outer
+    {
+      background-color: blue;
+      border: blue solid 3px;
+      width: 200px;
+    }
+
+  hr
+    {
+      background-color: transparent;
+      border: transparent none 0px;
+      height: 3px;
+      margin: 0.5em auto;
+    }
+
+  div.inner
+    {
+      background-color: yellow;
+      height: 50px;
+      width: 50px;
+      -ah-writing-mode: vertical-lr;
+      -webkit-writing-mode: vertical-lr;
+      writing-mode: tb-lr; /* IE11 */
+      writing-mode: vertical-lr;
+    }
+
+  div.foo
+    {
+      margin-bottom: 2.5%; /* 5px */
+      margin-left: 50%; /* 100px */
+      margin-right: 25%; /* 50px */
+      margin-top: 10%; /* 20px */
+    }
+
+  div.bar
+    {
+      margin-bottom: 10%;
+      margin-left: 25%;
+      margin-right: 50%;
+      margin-top: 2.5%;
+    }
+  </style>
+ </head>
+
+ <body>
+  <div class="outer">
+    <div class="inner foo"></div>
+    <hr>
+    <div class="inner bar"></div>
+  </div>
+ </body>
+</html>
diff --git a/layout/reftests/writing-mode/1172774-percent-margin-3.html b/layout/reftests/writing-mode/1172774-percent-margin-3.html
new file mode 100644
index 000000000000..03f5edde4f95
--- /dev/null
+++ b/layout/reftests/writing-mode/1172774-percent-margin-3.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <title>CSS Writing Modes Test: margin percentage and 'vertical-rl'</title>
+  <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">
+  <meta content="This test checks that percentages on the margin are calculated with respect to the inline size (height!) of the containing block if 'writing-mode' of such containing block is 'vertical-rl'. In this test, div.outer's computed 'writing-mode' value is 'vertical-rl' and it is the div.inner's containing block." name="assert">
+  <style type="text/css">
+  div.outer
+    {
+      background-color: blue;
+      border: blue solid 3px;
+      height: 200px;
+      -ah-writing-mode: vertical-rl;
+      -webkit-writing-mode: vertical-rl;
+      writing-mode: tb-rl; /* IE11 */
+      writing-mode: vertical-rl;
+    }
+
+  hr
+    {
+      background-color: transparent;
+      border: transparent none 0px;
+      width: 3px;
+      margin: auto 0.5em;
+    }
+
+  div.inner
+    {
+      background-color: yellow;
+      height: 50px;
+      width: 50px;
+      -ah-writing-mode: horizontal-tb;
+      -webkit-writing-mode: horizontal-tb;
+      writing-mode: lr-tb; /* IE11 */
+      writing-mode: horizontal-tb;
+    }
+
+  div.foo
+    {
+      margin-left: 2.5%; /* 5px */
+      margin-top: 50%; /* 100px */
+      margin-bottom: 25%; /* 50px */
+      margin-right: 10%; /* 20px */
+    }
+
+  div.bar
+    {
+      margin-left: 10%;
+      margin-top: 25%;
+      margin-bottom: 50%;
+      margin-right: 2.5%;
+    }
+  </style>
+ </head>
+
+ <body>
+  <div class="outer">
+    <div class="inner foo"></div>
+    <hr>
+    <div class="inner bar"></div>
+  </div>
+ </body>
+</html>
diff --git a/layout/reftests/writing-mode/1172774-percent-margin-4.html b/layout/reftests/writing-mode/1172774-percent-margin-4.html
new file mode 100644
index 000000000000..adac543bed65
--- /dev/null
+++ b/layout/reftests/writing-mode/1172774-percent-margin-4.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <title>CSS Writing Modes Test: margin percentage and 'vertical-lr'</title>
+  <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">
+  <meta content="This test checks that percentages on the margin are calculated with respect to the inline size (height!) of the containing block if 'writing-mode' of such containing block is 'vertical-lr'. In this test, div.outer's computed 'writing-mode' value is 'vertical-lr' and it is the div.inner's containing block." name="assert">
+  <style type="text/css">
+  div.outer
+    {
+      background-color: blue;
+      border: blue solid 3px;
+      height: 200px;
+      -ah-writing-mode: vertical-lr;
+      -webkit-writing-mode: vertical-lr;
+      writing-mode: tb-lr; /* IE11 */
+      writing-mode: vertical-lr;
+    }
+
+  hr
+    {
+      background-color: transparent;
+      border: transparent none 0px;
+      width: 3px;
+      margin: auto 0.5em;
+    }
+
+  div.inner
+    {
+      background-color: yellow;
+      height: 50px;
+      width: 50px;
+      -ah-writing-mode: horizontal-tb;
+      -webkit-writing-mode: horizontal-tb;
+      writing-mode: lr-tb; /* IE11 */
+      writing-mode: horizontal-tb;
+    }
+
+  div.foo
+    {
+      margin-left: 2.5%; /* 5px */
+      margin-top: 50%; /* 100px */
+      margin-bottom: 25%; /* 50px */
+      margin-right: 10%; /* 20px */
+    }
+
+  div.bar
+    {
+      margin-left: 10%;
+      margin-top: 25%;
+      margin-bottom: 50%;
+      margin-right: 2.5%;
+    }
+  </style>
+ </head>
+
+ <body>
+  <div class="outer">
+    <div class="inner bar"></div>
+    <hr>
+    <div class="inner foo"></div>
+  </div>
+ </body>
+</html>
diff --git a/layout/reftests/writing-mode/1172774-percent-padding-1.html b/layout/reftests/writing-mode/1172774-percent-padding-1.html
new file mode 100644
index 000000000000..d665db72528d
--- /dev/null
+++ b/layout/reftests/writing-mode/1172774-percent-padding-1.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <title>CSS Writing Modes Test: padding percentage and 'vertical-rl'</title>
+  <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">
+  <meta content="This test checks that percentages on the padding are calculated with respect to the inline-size (width) of the containing block if 'writing-mode' of such containing block is 'horizontal-tb'. In this test, div.outer's computed 'writing-mode' value is 'horizontal-tb' and it is the div.inner's containing block." name="assert">
+  <style type="text/css">
+  div.outer
+    {
+      background-color: blue;
+      border: blue solid 3px;
+      width: 200px;
+    }
+
+  hr
+    {
+      background-color: transparent;
+      border: transparent none 0px;
+      height: 3px;
+      margin: 3px auto;
+    }
+
+  div.inner
+    {
+      background-color: transparent;
+      height: 50px;
+      -ah-writing-mode: vertical-rl;
+      -webkit-writing-mode: vertical-rl;
+      writing-mode: tb-rl; /* IE11 */
+      writing-mode: vertical-rl;
+    }
+
+  div.foo
+    {
+      padding-bottom: 2.5%; /* 5px */
+      padding-left: 50%; /* 100px */
+      padding-right: 25%; /* 50px */
+      padding-top: 10%; /* 20px */
+    }
+
+  div.bar
+    {
+      padding-bottom: 10%;
+      padding-left: 25%;
+      padding-right: 50%;
+      padding-top: 2.5%;
+    }
+  </style>
+ </head>
+ <body>
+  <div class="outer">
+    <div class="inner foo"><img src="swatch-yellow.png" width="50" height="50" alt="Image download support must be enabled"></div>
+    <hr>
+    <div class="inner bar"><img src="swatch-yellow.png" width="50" height="50" alt="Image download support must be enabled"></div>
+  </div>
+ </body>
+</html>
diff --git a/layout/reftests/writing-mode/1172774-percent-padding-2.html b/layout/reftests/writing-mode/1172774-percent-padding-2.html
new file mode 100644
index 000000000000..2a9cb52f7642
--- /dev/null
+++ b/layout/reftests/writing-mode/1172774-percent-padding-2.html
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <title>CSS Writing Modes Test: padding percentage and 'vertical-lr'</title>
+  <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">
+  <meta content="This test checks that percentages on the padding are calculated with respect to the inline-size (width) of the containing block if 'writing-mode' of such containing block is 'horizontal-tb'. In this test, div.outer's computed 'writing-mode' value is 'horizontal-tb' and it is the div.inner's containing block." name="assert">
+  <style type="text/css">
+  div.outer
+    {
+      background-color: blue;
+      border: blue solid 3px;
+      width: 200px;
+    }
+
+  hr
+    {
+      background-color: transparent;
+      border: transparent none 0px;
+      height: 3px;
+      margin: 3px auto;
+    }
+
+  div.inner
+    {
+      background-color: transparent;
+      height: 50px;
+      -ah-writing-mode: vertical-lr;
+      -webkit-writing-mode: vertical-lr;
+      writing-mode: tb-lr; /* IE11 */
+      writing-mode: vertical-lr;
+    }
+
+  div.foo
+    {
+      padding-bottom: 2.5%; /* 5px */
+      padding-left: 50%; /* 100px */
+      padding-right: 25%; /* 50px */
+      padding-top: 10%; /* 20px */
+    }
+
+  div.bar
+    {
+      padding-bottom: 10%;
+      padding-left: 25%;
+      padding-right: 50%;
+      padding-top: 2.5%;
+    }
+  </style>
+ </head>
+
+ <body>
+  <div class="outer">
+    <div class="inner foo"><img src="swatch-yellow.png" width="50" height="50" alt="Image download support must be enabled"></div>
+    <hr>
+    <div class="inner bar"><img src="swatch-yellow.png" width="50" height="50" alt="Image download support must be enabled"></div>
+  </div>
+ </body>
+</html>
diff --git a/layout/reftests/writing-mode/1172774-percent-padding-3.html b/layout/reftests/writing-mode/1172774-percent-padding-3.html
new file mode 100644
index 000000000000..fb897735a5c3
--- /dev/null
+++ b/layout/reftests/writing-mode/1172774-percent-padding-3.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <title>CSS Writing Modes Test: padding percentage and 'vertical-rl'</title>
+  <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">
+  <meta content="This test checks that percentages on the padding are calculated with respect to the inline size (height!) of the containing block if 'writing-mode' of such containing block is 'vertical-rl'. In this test, div.outer's computed 'writing-mode' value is 'vertical-rl' and it is the div.inner's containing block." name="assert">
+  <style type="text/css">
+  div.outer
+    {
+      background-color: blue;
+      border: blue solid 3px;
+      height: 200px;
+      -ah-writing-mode: vertical-rl;
+      -webkit-writing-mode: vertical-rl;
+      writing-mode: tb-rl; /* IE11 */
+      writing-mode: vertical-rl;
+    }
+
+  hr
+    {
+      background-color: transparent;
+      border: transparent none 0px;
+      width: 3px;
+      margin: auto 3px;
+    }
+
+  div.inner
+    {
+      background-color: transparent;
+      width: 50px;
+      -ah-writing-mode: horizontal-tb;
+      -webkit-writing-mode: horizontal-tb;
+      writing-mode: lr-tb; /* IE11 */
+      writing-mode: horizontal-tb;
+    }
+
+  div.foo
+    {
+      padding-left: 2.5%; /* 5px */
+      padding-top: 50%; /* 100px */
+      padding-bottom: 25%; /* 50px */
+      padding-right: 10%; /* 20px */
+    }
+
+  div.bar
+    {
+      padding-left: 10%;
+      padding-top: 25%;
+      padding-bottom: 50%;
+      padding-right: 2.5%;
+    }
+  </style>
+ </head>
+
+ <body>
+  <div class="outer">
+    <div class="inner foo"><img src="swatch-yellow.png" width="50" height="50" alt="Image download support must be enabled"></div>
+    <hr>
+    <div class="inner bar"><img src="swatch-yellow.png" width="50" height="50" alt="Image download support must be enabled"></div>
+  </div>
+ </body>
+</html>
diff --git a/layout/reftests/writing-mode/1172774-percent-padding-4.html b/layout/reftests/writing-mode/1172774-percent-padding-4.html
new file mode 100644
index 000000000000..a3d8859a5b1e
--- /dev/null
+++ b/layout/reftests/writing-mode/1172774-percent-padding-4.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <title>CSS Writing Modes Test: padding percentage and 'vertical-lr'</title>
+  <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">
+  <meta content="This test checks that percentages on the padding are calculated with respect to the inline size (height!) of the containing block if 'writing-mode' of such containing block is 'vertical-lr'. In this test, div.outer's computed 'writing-mode' value is 'vertical-lr' and it is the div.inner's containing block." name="assert">
+  <style type="text/css">
+  div.outer
+    {
+      background-color: blue;
+      border: blue solid 3px;
+      height: 200px;
+      -ah-writing-mode: vertical-lr;
+      -webkit-writing-mode: vertical-lr;
+      writing-mode: tb-lr; /* IE11 */
+      writing-mode: vertical-lr;
+    }
+
+  hr
+    {
+      background-color: transparent;
+      border: transparent none 0px;
+      width: 3px;
+      margin: auto 3px;
+    }
+
+  div.inner
+    {
+      background-color: transparent;
+      width: 50px;
+      -ah-writing-mode: horizontal-tb;
+      -webkit-writing-mode: horizontal-tb;
+      writing-mode: lr-tb; /* IE11 */
+      writing-mode: horizontal-tb;
+    }
+
+  div.foo
+    {
+      padding-left: 2.5%; /* 5px */
+      padding-top: 50%; /* 100px */
+      padding-bottom: 25%; /* 50px */
+      padding-right: 10%; /* 20px */
+    }
+
+  div.bar
+    {
+      padding-left: 10%;
+      padding-top: 25%;
+      padding-bottom: 50%;
+      padding-right: 2.5%;
+    }
+  </style>
+ </head>
+
+ <body>
+  <div class="outer">
+    <div class="inner bar"><img src="swatch-yellow.png" width="50" height="50" alt="Image download support must be enabled"></div>
+    <hr>
+    <div class="inner foo"><img src="swatch-yellow.png" width="50" height="50" alt="Image download support must be enabled"></div>
+  </div>
+ </body>
+</html>
diff --git a/layout/reftests/writing-mode/1172774-percent-vertical-ref.html b/layout/reftests/writing-mode/1172774-percent-vertical-ref.html
new file mode 100644
index 000000000000..2fd2a2f08fac
--- /dev/null
+++ b/layout/reftests/writing-mode/1172774-percent-vertical-ref.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <title>CSS Writing Modes Test: margin percentage and 'vertical-rl'</title>
+  <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">
+ </head>
+ <body>
+  <div id="reference"><img src="blue-yellow-165w-206h.png" width="165" height="206" alt="Image download support must be enabled"></div>
+ </body>
+</html>
\ No newline at end of file
diff --git a/layout/reftests/writing-mode/blue-yellow-165w-206h.png b/layout/reftests/writing-mode/blue-yellow-165w-206h.png
new file mode 100644
index 000000000000..3d70889ee25e
Binary files /dev/null and b/layout/reftests/writing-mode/blue-yellow-165w-206h.png differ
diff --git a/layout/reftests/writing-mode/blue-yellow-206w-165h.png b/layout/reftests/writing-mode/blue-yellow-206w-165h.png
new file mode 100644
index 000000000000..47ceb84d3fbd
Binary files /dev/null and b/layout/reftests/writing-mode/blue-yellow-206w-165h.png differ
diff --git a/layout/reftests/writing-mode/reftest.list b/layout/reftests/writing-mode/reftest.list
index de7b241435cc..a8174a84863e 100644
--- a/layout/reftests/writing-mode/reftest.list
+++ b/layout/reftests/writing-mode/reftest.list
@@ -140,6 +140,14 @@ fails == 1147834-relative-overconstrained-vertical-rl-rtl.html 1147834-top-left-
 == 1157758-1-vertical-arabic.html 1157758-1-vertical-arabic-ref.html
 == 1158549-1-vertical-block-size-constraints.html 1158549-1-vertical-block-size-constraints-ref.html
 == 1163238-orthogonal-auto-margins.html 1163238-orthogonal-auto-margins-ref.html
+== 1172774-percent-margin-1.html 1172774-percent-horizontal-ref.html
+== 1172774-percent-margin-2.html 1172774-percent-horizontal-ref.html
+== 1172774-percent-margin-3.html 1172774-percent-vertical-ref.html
+== 1172774-percent-margin-4.html 1172774-percent-vertical-ref.html
+== 1172774-percent-padding-1.html 1172774-percent-horizontal-ref.html
+== 1172774-percent-padding-2.html 1172774-percent-horizontal-ref.html
+== 1172774-percent-padding-3.html 1172774-percent-vertical-ref.html
+== 1172774-percent-padding-4.html 1172774-percent-vertical-ref.html
 
 # Suite of tests from Gérard Talbot in bug 1079151
 include abspos/reftest.list
diff --git a/layout/reftests/writing-mode/swatch-yellow.png b/layout/reftests/writing-mode/swatch-yellow.png
new file mode 100644
index 000000000000..1591aa0e2e27
Binary files /dev/null and b/layout/reftests/writing-mode/swatch-yellow.png differ
diff --git a/layout/style/forms.css b/layout/style/forms.css
index d3379999b3d4..df901f648c08 100644
--- a/layout/style/forms.css
+++ b/layout/style/forms.css
@@ -2,10 +2,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-/** 
+/**
   Styles for old GFX form widgets
- **/ 
- 
+ **/
+
 
 @namespace url(http://www.w3.org/1999/xhtml); /* set default namespace to HTML */
 @namespace xul url(http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul);
@@ -48,7 +48,7 @@ label {
 
 /* default inputs, text inputs, and selects */
 
-/* Note: Values in nsNativeTheme IsWidgetStyled function 
+/* Note: Values in nsNativeTheme IsWidgetStyled function
    need to match textfield background/border values here */
 
 input {
@@ -206,7 +206,7 @@ select {
   line-height: normal !important;
   white-space: nowrap !important;
   word-wrap: normal !important;
-  text-align: start; 
+  text-align: start;
   cursor: default;
   box-sizing: border-box;
   -moz-user-select: none;
@@ -224,7 +224,7 @@ select {
 
 /* Need the "select[size][multiple]" selector to override the settings on
    'select[size="1"]', eg if one has <select size="1" multiple> */
-   
+
 select[size],
 select[multiple],
 select[size][multiple] {
@@ -281,7 +281,7 @@ select:empty {
 *|*::-moz-display-comboboxcontrol-frame {
   overflow: -moz-hidden-unscrollable;
   /* This block-start/end padding plus the combobox block-start/end border need to
-     add up to the block-start/end borderpadding of text inputs and buttons */ 
+     add up to the block-start/end borderpadding of text inputs and buttons */
   padding-block-start: 1px;
   padding-block-end: 1px;
   -moz-padding-start: 4px;
@@ -369,7 +369,7 @@ optgroup:before {
    */
   border: 1px outset black !important;
   -moz-border-start-width: 2px ! important;
-} 
+}
 
 input:disabled,
 textarea:disabled,
@@ -543,7 +543,7 @@ input[type="checkbox"]:disabled:hover:active {
   /* same as above, but !important */
   color: GrayText ! important;
   background-color: ThreeDFace ! important;
-  cursor: inherit; 
+  cursor: inherit;
 }
 
 input[type="checkbox"]:-moz-focusring,
@@ -557,9 +557,13 @@ input[type="radio"]:hover:active {
   border-style: inset !important;
 }
 
+input[type="search"] {
+  box-sizing: border-box;
+}
+
 /* buttons */
 
-/* Note: Values in nsNativeTheme IsWidgetStyled function 
+/* Note: Values in nsNativeTheme IsWidgetStyled function
    need to match button background/border values here */
 
 /* Non text-related properties for buttons: these ones are shared with
@@ -591,7 +595,7 @@ button,
 input[type="reset"],
 input[type="button"],
 input[type="submit"] {
-  color: ButtonText; 
+  color: ButtonText;
   font: -moz-button;
   line-height: normal;
   white-space: pre;
@@ -692,7 +696,7 @@ input[type="submit"]:disabled {
   padding-block-end: 0px;
   -moz-padding-start: 6px;
   border: 2px outset ButtonFace;
-  cursor: inherit; 
+  cursor: inherit;
 }
 
 button:disabled:active, button:disabled,
diff --git a/layout/tables/nsTableOuterFrame.cpp b/layout/tables/nsTableOuterFrame.cpp
index 9284a9c66c45..c4f1dc482962 100644
--- a/layout/tables/nsTableOuterFrame.cpp
+++ b/layout/tables/nsTableOuterFrame.cpp
@@ -383,7 +383,8 @@ ChildShrinkWrapISize(nsRenderingContext *aRenderingContext,
 
   // On the other hand, the inline size that we pass to nsCSSOffsetState
   // needs to be in the containing block's writing mode.
-  nsCSSOffsetState offsets(aChildFrame, aRenderingContext, aCBSize.ISize(aWM));
+  nsCSSOffsetState offsets(aChildFrame, aRenderingContext, aWM,
+                           aCBSize.ISize(aWM));
   LogicalSize size =
     aChildFrame->ComputeSize(aRenderingContext,
                   wm, cbSize, aAvailableWidth,
diff --git a/layout/xul/test/chrome.ini b/layout/xul/test/chrome.ini
index 04a8b2dd3364..0dfa1da3190c 100644
--- a/layout/xul/test/chrome.ini
+++ b/layout/xul/test/chrome.ini
@@ -16,7 +16,7 @@ skip-if = buildapp == 'mulet'
 [test_bug703150.xul]
 skip-if = buildapp == 'mulet'
 [test_bug987230.xul]
-skip-if = os == 'linux' || (os == 'win' && (os_version == '6.2' || os_version == '6.3')) # No native mousedown event on Linux, bug 1135545 for win8 intermittent failures
+skip-if = os == 'linux' # No native mousedown event on Linux
 [test_popupReflowPos.xul]
 [test_popupSizeTo.xul]
 [test_popupZoom.xul]
diff --git a/media/libstagefright/binding/Index.cpp b/media/libstagefright/binding/Index.cpp
index e111dc287ea9..4a20c85ba57b 100644
--- a/media/libstagefright/binding/Index.cpp
+++ b/media/libstagefright/binding/Index.cpp
@@ -244,7 +244,7 @@ Index::Index(const nsTArray<Indice>& aIndex,
   if (aIndex.IsEmpty()) {
     mMoofParser = new MoofParser(aSource, aTrackId, aIsAudio, aMonitor);
   } else {
-    if (!mIndex.SetCapacity(aIndex.Length())) {
+    if (!mIndex.SetCapacity(aIndex.Length(), fallible)) {
       // OOM.
       return;
     }
@@ -256,7 +256,8 @@ Index::Index(const nsTArray<Indice>& aIndex,
       sample.mCompositionRange = Interval<Microseconds>(indice.start_composition,
                                                         indice.end_composition);
       sample.mSync = indice.sync;
-      MOZ_ALWAYS_TRUE(mIndex.AppendElement(sample));
+      // FIXME: Make this infallible after bug 968520 is done.
+      MOZ_ALWAYS_TRUE(mIndex.AppendElement(sample, fallible));
     }
   }
 }
diff --git a/media/libstagefright/binding/MP4Metadata.cpp b/media/libstagefright/binding/MP4Metadata.cpp
index db5167cb5a3b..22836191bd6f 100644
--- a/media/libstagefright/binding/MP4Metadata.cpp
+++ b/media/libstagefright/binding/MP4Metadata.cpp
@@ -71,7 +71,7 @@ ConvertIndex(FallibleTArray<Index::Indice>& aDest,
              const stagefright::Vector<stagefright::MediaSource::Indice>& aIndex,
              int64_t aMediaTime)
 {
-  if (!aDest.SetCapacity(aIndex.size())) {
+  if (!aDest.SetCapacity(aIndex.size(), mozilla::fallible)) {
     return false;
   }
   for (size_t i = 0; i < aIndex.size(); i++) {
@@ -82,7 +82,8 @@ ConvertIndex(FallibleTArray<Index::Indice>& aDest,
     indice.start_composition = s_indice.start_composition - aMediaTime;
     indice.end_composition = s_indice.end_composition - aMediaTime;
     indice.sync = s_indice.sync;
-    MOZ_ALWAYS_TRUE(aDest.AppendElement(indice));
+    // FIXME: Make this infallible after bug 968520 is done.
+    MOZ_ALWAYS_TRUE(aDest.AppendElement(indice, mozilla::fallible));
   }
   return true;
 }
diff --git a/media/libstagefright/binding/MoofParser.cpp b/media/libstagefright/binding/MoofParser.cpp
index b290ae9a1468..4c62c48ee318 100644
--- a/media/libstagefright/binding/MoofParser.cpp
+++ b/media/libstagefright/binding/MoofParser.cpp
@@ -6,6 +6,7 @@
 #include "mp4_demuxer/Box.h"
 #include "mp4_demuxer/SinfParser.h"
 #include <limits>
+#include "Intervals.h"
 
 #include "mozilla/Logging.h"
 
@@ -42,6 +43,7 @@ bool
 MoofParser::RebuildFragmentedIndex(BoxContext& aContext)
 {
   bool foundValidMoof = false;
+  bool foundMdat = false;
 
   for (Box box(&aContext, mOffset); box.IsAvailable(); box = box.Next()) {
     if (box.IsType("moov")) {
@@ -62,13 +64,43 @@ MoofParser::RebuildFragmentedIndex(BoxContext& aContext)
       }
 
       mMoofs.AppendElement(moof);
+      mMediaRanges.AppendElement(moof.mRange);
       foundValidMoof = true;
+    } else if (box.IsType("mdat") && !Moofs().IsEmpty()) {
+      // Check if we have all our data from last moof.
+      Moof& moof = Moofs().LastElement();
+      media::Interval<int64_t> datarange(moof.mMdatRange.mStart, moof.mMdatRange.mEnd, 0);
+      media::Interval<int64_t> mdat(box.Range().mStart, box.Range().mEnd, 0);
+      if (datarange.Intersects(mdat)) {
+        mMediaRanges.LastElement() =
+          mMediaRanges.LastElement().Extents(box.Range());
+      }
     }
     mOffset = box.NextOffset();
   }
   return foundValidMoof;
 }
 
+MediaByteRange
+MoofParser::FirstCompleteMediaHeader()
+{
+  if (Moofs().IsEmpty()) {
+    return MediaByteRange();
+  }
+  return Moofs()[0].mRange;
+}
+
+MediaByteRange
+MoofParser::FirstCompleteMediaSegment()
+{
+  for (uint32_t i = 0 ; i < mMediaRanges.Length(); i++) {
+    if (mMediaRanges[i].Contains(Moofs()[i].mMdatRange)) {
+      return mMediaRanges[i];
+    }
+  }
+  return MediaByteRange();
+}
+
 class BlockingStream : public Stream {
 public:
   explicit BlockingStream(Stream* aStream) : mStream(aStream)
@@ -463,7 +495,7 @@ Moof::ParseTrun(Box& aBox, Tfhd& aTfhd, Mvhd& aMvhd, Mdhd& aMdhd, Edts& aEdts, u
   uint64_t decodeTime = *aDecodeTime;
   nsTArray<Interval<Microseconds>> timeRanges;
 
-  if (!mIndex.SetCapacity(sampleCount)) {
+  if (!mIndex.SetCapacity(sampleCount, fallible)) {
     LOG(Moof, "Out of Memory");
     return false;
   }
@@ -497,7 +529,8 @@ Moof::ParseTrun(Box& aBox, Tfhd& aTfhd, Mvhd& aMvhd, Mdhd& aMdhd, Edts& aEdts, u
     // because every audio sample is a keyframe.
     sample.mSync = !(sampleFlags & 0x1010000) || aIsAudio;
 
-    MOZ_ALWAYS_TRUE(mIndex.AppendElement(sample));
+    // FIXME: Make this infallible after bug 968520 is done.
+    MOZ_ALWAYS_TRUE(mIndex.AppendElement(sample, fallible));
 
     mMdatRange = mMdatRange.Extents(sample.mByteRange);
   }
diff --git a/media/libstagefright/binding/include/mp4_demuxer/MoofParser.h b/media/libstagefright/binding/include/mp4_demuxer/MoofParser.h
index a87703560cba..32f698fa3187 100644
--- a/media/libstagefright/binding/include/mp4_demuxer/MoofParser.h
+++ b/media/libstagefright/binding/include/mp4_demuxer/MoofParser.h
@@ -225,6 +225,8 @@ public:
 
   bool BlockingReadNextMoof();
   bool HasMetadata();
+  MediaByteRange FirstCompleteMediaSegment();
+  MediaByteRange FirstCompleteMediaHeader();
 
   mozilla::MediaByteRange mInitRange;
   nsRefPtr<Stream> mSource;
@@ -240,6 +242,7 @@ public:
   nsTArray<Moof>& Moofs() { mMonitor->AssertCurrentThreadOwns(); return mMoofs; }
 private:
   nsTArray<Moof> mMoofs;
+  nsTArray<MediaByteRange> mMediaRanges;
   bool mIsAudio;
 };
 }
diff --git a/media/libvpx/bug1137614.patch b/media/libvpx/bug1137614.patch
new file mode 100644
index 000000000000..6f4e35088223
--- /dev/null
+++ b/media/libvpx/bug1137614.patch
@@ -0,0 +1,23 @@
+diff --git a/media/libvpx/vp8/encoder/block.h b/media/libvpx/vp8/encoder/block.h
+--- a/media/libvpx/vp8/encoder/block.h
++++ b/media/libvpx/vp8/encoder/block.h
+@@ -93,17 +93,18 @@ typedef struct macroblock
+     int rddiv;
+     int rdmult;
+     unsigned int * mb_activity_ptr;
+     int * mb_norm_activity_ptr;
+     signed int act_zbin_adj;
+     signed int last_act_zbin_adj;
+ 
+     int *mvcost[2];
+-    int *mvsadcost[2];
++    /* MSVC generates code that thinks this is 16-byte aligned */
++    DECLARE_ALIGNED(16, int*, mvsadcost[2]);
+     int (*mbmode_cost)[MB_MODE_COUNT];
+     int (*intra_uv_mode_cost)[MB_MODE_COUNT];
+     int (*bmode_costs)[10][10];
+     int *inter_bmode_costs;
+     int (*token_costs)[COEF_BANDS][PREV_COEF_CONTEXTS]
+     [MAX_ENTROPY_TOKENS];
+ 
+     /* These define limits to motion vector components to prevent
diff --git a/media/libvpx/update.py b/media/libvpx/update.py
index 50e36a44896a..1dce1f21d0e1 100755
--- a/media/libvpx/update.py
+++ b/media/libvpx/update.py
@@ -524,6 +524,8 @@ def apply_patches():
     os.system("patch -p3 < apple-clang.patch")
     # Patch to allow MSVC 2015 to compile libvpx
     os.system("patch -p3 < msvc2015.patch")
+    # Patch to fix a crash caused by MSVC 2013
+    os.system("patch -p3 < bug1137614.patch")
 
 def update_readme(commit):
     with open('README_MOZILLA') as f:
diff --git a/media/libvpx/vp8/encoder/block.h b/media/libvpx/vp8/encoder/block.h
index dd733e55a9d1..eae00d960265 100644
--- a/media/libvpx/vp8/encoder/block.h
+++ b/media/libvpx/vp8/encoder/block.h
@@ -98,7 +98,8 @@ typedef struct macroblock
     signed int last_act_zbin_adj;
 
     int *mvcost[2];
-    int *mvsadcost[2];
+    /* MSVC generates code that thinks this is 16-byte aligned */
+    DECLARE_ALIGNED(16, int*, mvsadcost[2]);
     int (*mbmode_cost)[MB_MODE_COUNT];
     int (*intra_uv_mode_cost)[MB_MODE_COUNT];
     int (*bmode_costs)[10][10];
diff --git a/media/mtransport/common.build b/media/mtransport/common.build
index 01b0e9682ead..0d441f79c882 100644
--- a/media/mtransport/common.build
+++ b/media/mtransport/common.build
@@ -16,6 +16,7 @@ mtransport_lcppsrcs = [
     'rlogringbuffer.cpp',
     'simpletokenbucket.cpp',
     'stun_udp_socket_filter.cpp',
+    'test_nr_socket.cpp',
     'transportflow.cpp',
     'transportlayer.cpp',
     'transportlayerdtls.cpp',
diff --git a/media/mtransport/nr_socket_prsock.cpp b/media/mtransport/nr_socket_prsock.cpp
index 93be754baefa..998d2d7dbc02 100644
--- a/media/mtransport/nr_socket_prsock.cpp
+++ b/media/mtransport/nr_socket_prsock.cpp
@@ -653,7 +653,7 @@ int NrSocket::sendto(const void *msg, size_t len,
     if (PR_GetError() == PR_WOULD_BLOCK_ERROR)
       ABORT(R_WOULDBLOCK);
 
-    r_log(LOG_GENERIC, LOG_INFO, "Error in sendto %s", to->as_string);
+    r_log(LOG_GENERIC, LOG_INFO, "Error in sendto: %s", to->as_string);
     ABORT(R_IO_ERROR);
   }
 
@@ -674,7 +674,7 @@ int NrSocket::recvfrom(void * buf, size_t maxlen,
   if (status <= 0) {
     if (PR_GetError() == PR_WOULD_BLOCK_ERROR)
       ABORT(R_WOULDBLOCK);
-    r_log(LOG_GENERIC, LOG_INFO, "Error in recvfrom");
+    r_log(LOG_GENERIC, LOG_INFO, "Error in recvfrom: %d", (int)PR_GetError());
     ABORT(R_IO_ERROR);
   }
   *len=status;
@@ -1309,7 +1309,7 @@ static nr_socket_vtbl nr_socket_local_vtbl={
   nr_socket_local_close
 };
 
-int nr_socket_local_create(nr_transport_addr *addr, nr_socket **sockp) {
+int nr_socket_local_create(void *obj, nr_transport_addr *addr, nr_socket **sockp) {
   RefPtr<NrSocketBase> sock;
 
   // create IPC bridge for content process
diff --git a/media/mtransport/nr_socket_prsock.h b/media/mtransport/nr_socket_prsock.h
index d892cd5ad7d5..1c2623ee621f 100644
--- a/media/mtransport/nr_socket_prsock.h
+++ b/media/mtransport/nr_socket_prsock.h
@@ -116,6 +116,9 @@ public:
 
   static TimeStamp short_term_violation_time();
   static TimeStamp long_term_violation_time();
+  const nr_transport_addr& my_addr() const {
+    return my_addr_;
+  }
 
 protected:
   void fire_callback(int how);
@@ -163,7 +166,7 @@ public:
   virtual int write(const void *msg, size_t len, size_t *written) override;
   virtual int read(void* buf, size_t maxlen, size_t *len) override;
 
-private:
+protected:
   virtual ~NrSocket() {
     if (fd_)
       PR_Close(fd_);
diff --git a/media/mtransport/test/ice_unittest.cpp b/media/mtransport/test/ice_unittest.cpp
index c7124229186c..54602be1bc1d 100644
--- a/media/mtransport/test/ice_unittest.cpp
+++ b/media/mtransport/test/ice_unittest.cpp
@@ -35,6 +35,9 @@
 #include "rlogringbuffer.h"
 #include "runnable_utils.h"
 #include "stunserver.h"
+#include "nr_socket_prsock.h"
+#include "test_nr_socket.h"
+#include "ice_ctx.h"
 // TODO(bcampen@mozilla.com): Big fat hack since the build system doesn't give
 // us a clean way to add object files to a single executable.
 #include "stunserver.cpp"
@@ -250,13 +253,21 @@ class IceTestPeer : public sigslot::has_slots<> {
       expected_remote_type_(NrIceCandidate::ICE_HOST),
       trickle_mode_(TRICKLE_NONE),
       trickled_(0),
-      simulate_ice_lite_(false) {
+      simulate_ice_lite_(false),
+      nat_(new TestNat) {
     ice_ctx_->SignalGatheringStateChange.connect(
         this,
         &IceTestPeer::GatheringStateChange);
     ice_ctx_->SignalConnectionStateChange.connect(
         this,
         &IceTestPeer::ConnectionStateChange);
+
+    nr_socket_factory *fac;
+    int r = nat_->create_socket_factory(&fac);
+    MOZ_ASSERT(!r);
+    if (!r) {
+      nr_ice_ctx_set_socket_factory(ice_ctx_->ctx(), fac);
+    }
   }
 
   ~IceTestPeer() {
@@ -317,6 +328,11 @@ class IceTestPeer : public sigslot::has_slots<> {
     ASSERT_TRUE(NS_SUCCEEDED(ice_ctx_->SetStunServers(stun_servers)));
   }
 
+  void UseTestStunServer() {
+    SetStunServer(TestStunServer::GetInstance()->addr(),
+                  TestStunServer::GetInstance()->port());
+  }
+
   void SetTurnServer(const std::string addr, uint16_t port,
                      const std::string username,
                      const std::string password,
@@ -371,6 +387,25 @@ class IceTestPeer : public sigslot::has_slots<> {
     ASSERT_TRUE(NS_SUCCEEDED(res));
   }
 
+  void UseNat() {
+    nat_->enabled_ = true;
+  }
+
+  void SetFilteringType(TestNat::NatBehavior type) {
+    MOZ_ASSERT(!nat_->has_port_mappings());
+    nat_->filtering_type_ = type;
+  }
+
+  void SetMappingType(TestNat::NatBehavior type) {
+    MOZ_ASSERT(!nat_->has_port_mappings());
+    nat_->mapping_type_ = type;
+  }
+
+  void SetBlockUdp(bool block) {
+    MOZ_ASSERT(!nat_->has_port_mappings());
+    nat_->block_udp_ = block;
+  }
+
   // Get various pieces of state
   std::vector<std::string> GetGlobalAttributes() {
     std::vector<std::string> attrs(ice_ctx_->GetGlobalAttributes());
@@ -1008,6 +1043,7 @@ class IceTestPeer : public sigslot::has_slots<> {
   TrickleMode trickle_mode_;
   int trickled_;
   bool simulate_ice_lite_;
+  nsRefPtr<mozilla::TestNat> nat_;
 };
 
 void SchedulableTrickleCandidate::Trickle() {
@@ -1065,6 +1101,12 @@ class IceGatherTest : public ::testing::Test {
                          TestStunServer::GetInstance()->port());
   }
 
+  void UseTestStunServer() {
+    TestStunServer::GetInstance()->Reset();
+    peer_->SetStunServer(TestStunServer::GetInstance()->addr(),
+                         TestStunServer::GetInstance()->port());
+  }
+
   // NB: Only does substring matching, watch out for stuff like "1.2.3.4"
   // matching "21.2.3.47". " 1.2.3.4 " should not have false positives.
   bool StreamHasMatchingCandidate(unsigned int stream,
@@ -1084,7 +1126,12 @@ class IceGatherTest : public ::testing::Test {
 
 class IceConnectTest : public ::testing::Test {
  public:
-  IceConnectTest() : initted_(false) {}
+  IceConnectTest() :
+    initted_(false),
+    use_nat_(false),
+    filtering_type_(TestNat::ENDPOINT_INDEPENDENT),
+    mapping_type_(TestNat::ENDPOINT_INDEPENDENT),
+    block_udp_(false) {}
 
   void SetUp() {
     nsresult rv;
@@ -1126,8 +1173,25 @@ class IceConnectTest : public ::testing::Test {
 
   bool Gather(unsigned int waitTime = kDefaultTimeout) {
     Init(false, false);
-    p1_->SetStunServer(g_stun_server_address, kDefaultStunServerPort);
-    p2_->SetStunServer(g_stun_server_address, kDefaultStunServerPort);
+    if (use_nat_) {
+      // If we enable nat simulation, but still use a real STUN server somewhere
+      // on the internet, we will see failures if there is a real NAT in
+      // addition to our simulated one, particularly if it disallows
+      // hairpinning.
+      UseTestStunServer();
+      p1_->UseNat();
+      p2_->UseNat();
+      p1_->SetFilteringType(filtering_type_);
+      p2_->SetFilteringType(filtering_type_);
+      p1_->SetMappingType(mapping_type_);
+      p2_->SetMappingType(mapping_type_);
+      p1_->SetBlockUdp(block_udp_);
+      p2_->SetBlockUdp(block_udp_);
+    } else {
+      p1_->SetStunServer(g_stun_server_address, kDefaultStunServerPort);
+      p2_->SetStunServer(g_stun_server_address, kDefaultStunServerPort);
+    }
+
     p1_->Gather();
     p2_->Gather();
 
@@ -1142,6 +1206,28 @@ class IceConnectTest : public ::testing::Test {
     return true;
   }
 
+  void UseNat() {
+    use_nat_ = true;
+  }
+
+  void SetFilteringType(TestNat::NatBehavior type) {
+    filtering_type_ = type;
+  }
+
+  void SetMappingType(TestNat::NatBehavior type) {
+    mapping_type_ = type;
+  }
+
+  void BlockUdp() {
+    block_udp_ = true;
+  }
+
+  void UseTestStunServer() {
+    TestStunServer::GetInstance()->Reset();
+    p1_->UseTestStunServer();
+    p2_->UseTestStunServer();
+  }
+
   void SetTurnServer(const std::string addr, uint16_t port,
                      const std::string username,
                      const std::string password,
@@ -1277,6 +1363,10 @@ class IceConnectTest : public ::testing::Test {
   nsCOMPtr<nsIEventTarget> target_;
   mozilla::ScopedDeletePtr<IceTestPeer> p1_;
   mozilla::ScopedDeletePtr<IceTestPeer> p2_;
+  bool use_nat_;
+  TestNat::NatBehavior filtering_type_;
+  TestNat::NatBehavior mapping_type_;
+  bool block_udp_;
 };
 
 class PrioritizerTest : public ::testing::Test {
@@ -1643,6 +1733,147 @@ TEST_F(IceConnectTest, TestTrickleIceLiteOfferer) {
   AssertCheckingReached();
 }
 
+TEST_F(IceConnectTest, TestGatherFullCone) {
+  AddStream("first", 1);
+  UseNat();
+  SetFilteringType(TestNat::ENDPOINT_INDEPENDENT);
+  SetMappingType(TestNat::ENDPOINT_INDEPENDENT);
+  ASSERT_TRUE(Gather());
+}
+
+TEST_F(IceConnectTest, TestGatherFullConeAutoPrioritize) {
+  Init(false, true);
+  AddStream("first", 1);
+  UseNat();
+  SetFilteringType(TestNat::ENDPOINT_INDEPENDENT);
+  SetMappingType(TestNat::ENDPOINT_INDEPENDENT);
+  ASSERT_TRUE(Gather());
+}
+
+
+TEST_F(IceConnectTest, TestConnectFullCone) {
+  AddStream("first", 1);
+  UseNat();
+  SetFilteringType(TestNat::ENDPOINT_INDEPENDENT);
+  SetMappingType(TestNat::ENDPOINT_INDEPENDENT);
+  SetExpectedTypes(NrIceCandidate::Type::ICE_SERVER_REFLEXIVE,
+                   NrIceCandidate::Type::ICE_SERVER_REFLEXIVE);
+  ASSERT_TRUE(Gather());
+  Connect();
+}
+
+TEST_F(IceConnectTest, TestGatherAddressRestrictedCone) {
+  AddStream("first", 1);
+  UseNat();
+  SetFilteringType(TestNat::ADDRESS_DEPENDENT);
+  SetMappingType(TestNat::ENDPOINT_INDEPENDENT);
+  ASSERT_TRUE(Gather());
+}
+
+TEST_F(IceConnectTest, TestConnectAddressRestrictedCone) {
+  AddStream("first", 1);
+  UseNat();
+  SetFilteringType(TestNat::ADDRESS_DEPENDENT);
+  SetMappingType(TestNat::ENDPOINT_INDEPENDENT);
+  SetExpectedTypes(NrIceCandidate::Type::ICE_SERVER_REFLEXIVE,
+                   NrIceCandidate::Type::ICE_SERVER_REFLEXIVE);
+  ASSERT_TRUE(Gather());
+  Connect();
+}
+
+TEST_F(IceConnectTest, TestGatherPortRestrictedCone) {
+  AddStream("first", 1);
+  UseNat();
+  SetFilteringType(TestNat::PORT_DEPENDENT);
+  SetMappingType(TestNat::ENDPOINT_INDEPENDENT);
+  ASSERT_TRUE(Gather());
+}
+
+TEST_F(IceConnectTest, TestConnectPortRestrictedCone) {
+  AddStream("first", 1);
+  UseNat();
+  SetFilteringType(TestNat::PORT_DEPENDENT);
+  SetMappingType(TestNat::ENDPOINT_INDEPENDENT);
+  SetExpectedTypes(NrIceCandidate::Type::ICE_SERVER_REFLEXIVE,
+                   NrIceCandidate::Type::ICE_SERVER_REFLEXIVE);
+  ASSERT_TRUE(Gather());
+  Connect();
+}
+
+TEST_F(IceConnectTest, TestGatherSymmetricNat) {
+  AddStream("first", 1);
+  UseNat();
+  SetFilteringType(TestNat::PORT_DEPENDENT);
+  SetMappingType(TestNat::PORT_DEPENDENT);
+  ASSERT_TRUE(Gather());
+}
+
+TEST_F(IceConnectTest, TestConnectSymmetricNat) {
+  if (g_turn_server.empty())
+    return;
+
+  AddStream("first", 1);
+  UseNat();
+  SetFilteringType(TestNat::PORT_DEPENDENT);
+  SetMappingType(TestNat::PORT_DEPENDENT);
+  p1_->SetExpectedTypes(NrIceCandidate::Type::ICE_RELAYED,
+                        NrIceCandidate::Type::ICE_RELAYED);
+  p2_->SetExpectedTypes(NrIceCandidate::Type::ICE_RELAYED,
+                        NrIceCandidate::Type::ICE_RELAYED);
+  SetTurnServer(g_turn_server, kDefaultStunServerPort,
+                g_turn_user, g_turn_password);
+  ASSERT_TRUE(Gather());
+  Connect();
+}
+
+TEST_F(IceConnectTest, TestGatherNatBlocksUDP) {
+  if (g_turn_server.empty())
+    return;
+
+  AddStream("first", 1);
+  UseNat();
+  BlockUdp();
+  std::vector<NrIceTurnServer> turn_servers;
+  std::vector<unsigned char> password_vec(g_turn_password.begin(),
+                                          g_turn_password.end());
+  turn_servers.push_back(
+      *NrIceTurnServer::Create(g_turn_server, kDefaultStunServerPort,
+                               g_turn_user, password_vec, kNrIceTransportTcp));
+  turn_servers.push_back(
+      *NrIceTurnServer::Create(g_turn_server, kDefaultStunServerPort,
+                               g_turn_user, password_vec, kNrIceTransportUdp));
+  SetTurnServers(turn_servers);
+  // We have to wait for the UDP-based stuff to time out.
+  ASSERT_TRUE(Gather(kDefaultTimeout * 3));
+}
+
+TEST_F(IceConnectTest, TestConnectNatBlocksUDP) {
+  if (g_turn_server.empty())
+    return;
+
+  AddStream("first", 1);
+  UseNat();
+  BlockUdp();
+  std::vector<NrIceTurnServer> turn_servers;
+  std::vector<unsigned char> password_vec(g_turn_password.begin(),
+                                          g_turn_password.end());
+  turn_servers.push_back(
+      *NrIceTurnServer::Create(g_turn_server, kDefaultStunServerPort,
+                               g_turn_user, password_vec, kNrIceTransportTcp));
+  turn_servers.push_back(
+      *NrIceTurnServer::Create(g_turn_server, kDefaultStunServerPort,
+                               g_turn_user, password_vec, kNrIceTransportUdp));
+  SetTurnServers(turn_servers);
+  p1_->SetExpectedTypes(NrIceCandidate::Type::ICE_RELAYED,
+                        NrIceCandidate::Type::ICE_RELAYED,
+                        kNrIceTransportTcp);
+  p2_->SetExpectedTypes(NrIceCandidate::Type::ICE_RELAYED,
+                        NrIceCandidate::Type::ICE_RELAYED,
+                        kNrIceTransportTcp);
+  ASSERT_TRUE(Gather(kDefaultTimeout * 3));
+  Connect();
+}
+
 TEST_F(IceConnectTest, TestConnectTwoComponents) {
   AddStream("first", 2);
   ASSERT_TRUE(Gather());
diff --git a/media/mtransport/test/moz.build b/media/mtransport/test/moz.build
index 3f74840ac1fb..71f8abf68aa6 100644
--- a/media/mtransport/test/moz.build
+++ b/media/mtransport/test/moz.build
@@ -14,6 +14,7 @@ if CONFIG['OS_TARGET'] != 'WINNT' and CONFIG['MOZ_WIDGET_TOOLKIT'] != 'gonk':
         'runnable_utils_unittest',
         'simpletokenbucket_unittest',
         'sockettransportservice_unittest',
+        'test_nr_socket_unittest',
         'TestSyncRunnable',
         'transport_unittests',
         'turn_unittest',
@@ -30,6 +31,8 @@ for var in ('MOZILLA_INTERNAL_API', 'MOZILLA_XPCOMRT_API', 'MOZILLA_EXTERNAL_LIN
     DEFINES[var] = True
 
 if CONFIG['OS_TARGET'] == 'Android':
+    DEFINES['LINUX'] = True
+    DEFINES['ANDROID'] = True
     LOCAL_INCLUDES += [
         '/media/mtransport/third_party/nrappkit/src/port/android/include',
     ]
@@ -37,6 +40,8 @@ else:
     DEFINES['INET6'] = True
 
 if CONFIG['OS_TARGET'] == 'Linux':
+    DEFINES['LINUX'] = True
+    DEFINES['USE_INTERFACE_PRIORITIZER'] = True
     LOCAL_INCLUDES += [
         '/media/mtransport/third_party/nrappkit/src/port/linux/include',
     ]
@@ -53,12 +58,20 @@ if CONFIG['OS_TARGET'] == 'Darwin':
     ]
 
 if CONFIG['OS_TARGET'] in ('DragonFly', 'FreeBSD', 'NetBSD', 'OpenBSD'):
+    if CONFIG['OS_TARGET'] == 'Darwin':
+        DEFINES['DARWIN'] = True
+    else:
+        DEFINES['BSD'] = True
     LOCAL_INCLUDES += [
         '/media/mtransport/third_party/nrappkit/src/port/darwin/include',
     ]
 
 # SCTP DEFINES
 if CONFIG['OS_TARGET'] == 'WINNT':
+    DEFINES['WIN'] = True
+    # for stun.h
+    DEFINES['WIN32'] = True
+    DEFINES['NOMINMAX'] = True
     DEFINES['__Userspace_os_Windows'] = 1
 else:
     # Works for Darwin, Linux, Android. Probably doesn't work for others.
diff --git a/media/mtransport/test/stunserver.cpp b/media/mtransport/test/stunserver.cpp
index 9f71f646a311..f0a4bb51cb6e 100644
--- a/media/mtransport/test/stunserver.cpp
+++ b/media/mtransport/test/stunserver.cpp
@@ -221,7 +221,7 @@ int TestStunServer::TryOpenListenSocket(nr_local_addr* addr, uint16_t port) {
       return R_INTERNAL;
     }
 
-    if (nr_socket_local_create(&addr->addr, &listen_sock_)) {
+    if (nr_socket_local_create(nullptr, &addr->addr, &listen_sock_)) {
       MOZ_MTLOG(ML_ERROR, "Couldn't create listen socket");
       return R_ALREADY;
     }
diff --git a/media/mtransport/test/test_nr_socket_unittest.cpp b/media/mtransport/test/test_nr_socket_unittest.cpp
new file mode 100644
index 000000000000..bbe6ff54b2a1
--- /dev/null
+++ b/media/mtransport/test/test_nr_socket_unittest.cpp
@@ -0,0 +1,660 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Original author: bcampen@mozilla.com
+
+extern "C" {
+#include "stun_msg.h" // for NR_STUN_MAX_MESSAGE_SIZE
+#include "stun_util.h"
+#include "nr_api.h"
+#include "async_wait.h"
+#include "nr_socket.h"
+#include "nr_socket_local.h"
+#include "stun_hint.h"
+#include "local_addr.h"
+#include "registry.h"
+}
+
+#include "test_nr_socket.h"
+
+#include "nsCOMPtr.h"
+#include "nsNetCID.h"
+#include "nsServiceManagerUtils.h"
+#include "nsAutoPtr.h"
+#include "runnable_utils.h"
+#include "mtransport_test_utils.h"
+
+#include <vector>
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+#include "gtest_utils.h"
+
+namespace mozilla {
+
+class TestNrSocketTest : public ::testing::Test {
+ public:
+  TestNrSocketTest() :
+    wait_done_for_main_(false),
+    sts_(),
+    public_addrs_(),
+    private_addrs_(),
+    nats_() {
+    // Get the transport service as a dispatch target
+    nsresult rv;
+    sts_ = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv);
+    EXPECT_TRUE(NS_SUCCEEDED(rv)) << "Failed to get STS: " << (int)rv;
+  }
+
+  ~TestNrSocketTest() {
+    sts_->Dispatch(WrapRunnable(this, &TestNrSocketTest::TearDown_s),
+                   NS_DISPATCH_SYNC);
+  }
+
+  void TearDown_s() {
+    public_addrs_.clear();
+    private_addrs_.clear();
+    nats_.clear();
+    sts_ = nullptr;
+  }
+
+  nsRefPtr<TestNrSocket> CreateTestNrSocket_s(const char *ip_str,
+                                              TestNat *nat) {
+    // If no nat is supplied, we create a default NAT which is disabled. This
+    // is how we simulate a non-natted socket.
+    nsRefPtr<TestNrSocket> sock(new TestNrSocket(nat ? nat : new TestNat));
+    nr_transport_addr address;
+    nr_ip4_str_port_to_transport_addr(ip_str, 0, IPPROTO_UDP, &address);
+    int r = sock->create(&address);
+    if (r) {
+      return nullptr;
+    }
+    return sock;
+  }
+
+  void CreatePublicAddrs(size_t count, const char *ip_str = "127.0.0.1") {
+    sts_->Dispatch(
+        WrapRunnable(this,
+                     &TestNrSocketTest::CreatePublicAddrs_s,
+                     count,
+                     ip_str),
+        NS_DISPATCH_SYNC);
+  }
+
+  void CreatePublicAddrs_s(size_t count, const char* ip_str) {
+    while (count--) {
+      auto sock = CreateTestNrSocket_s(ip_str, nullptr);
+      ASSERT_TRUE(sock) << "Failed to create socket";
+      public_addrs_.push_back(sock);
+    }
+  }
+
+  nsRefPtr<TestNat> CreatePrivateAddrs(size_t size,
+                                       const char* ip_str = "127.0.0.1") {
+    nsRefPtr<TestNat> result;
+    sts_->Dispatch(
+        WrapRunnableRet(this,
+                        &TestNrSocketTest::CreatePrivateAddrs_s,
+                        size,
+                        ip_str,
+                        &result),
+        NS_DISPATCH_SYNC);
+    return result;
+  }
+
+  nsRefPtr<TestNat> CreatePrivateAddrs_s(size_t count, const char* ip_str) {
+    nsRefPtr<TestNat> nat(new TestNat);
+    while (count--) {
+      auto sock = CreateTestNrSocket_s(ip_str, nat);
+      if (!sock) {
+        EXPECT_TRUE(false) << "Failed to create socket";
+        break;
+      }
+      private_addrs_.push_back(sock);
+    }
+    nat->enabled_ = true;
+    nats_.push_back(nat);
+    return nat;
+  }
+
+  bool CheckConnectivityVia(
+      TestNrSocket *from,
+      TestNrSocket *to,
+      const nr_transport_addr &via,
+      nr_transport_addr *sender_external_address = nullptr) {
+    MOZ_ASSERT(from);
+
+    if (!WaitForWriteable(from)) {
+      return false;
+    }
+
+    int result = 0;
+    sts_->Dispatch(WrapRunnableRet(this,
+                                   &TestNrSocketTest::SendData_s,
+                                   from,
+                                   via,
+                                   &result),
+                   NS_DISPATCH_SYNC);
+    if (result) {
+      return false;
+    }
+
+    if (!WaitForReadable(to)) {
+      return false;
+    }
+
+    nr_transport_addr dummy_outparam;
+    if (!sender_external_address) {
+      sender_external_address = &dummy_outparam;
+    }
+
+    MOZ_ASSERT(to);
+    sts_->Dispatch(WrapRunnableRet(this,
+                                   &TestNrSocketTest::RecvData_s,
+                                   to,
+                                   sender_external_address,
+                                   &result),
+                   NS_DISPATCH_SYNC);
+
+    return !result;
+  }
+
+  bool CheckConnectivity(
+      TestNrSocket *from,
+      TestNrSocket *to,
+      nr_transport_addr *sender_external_address = nullptr) {
+    nr_transport_addr destination_address;
+    int r = GetAddress(to, &destination_address);
+    if (r) {
+      return false;
+    }
+
+    return CheckConnectivityVia(from,
+                                to,
+                                destination_address,
+                                sender_external_address);
+  }
+
+  int GetAddress(TestNrSocket *sock, nr_transport_addr_ *address) {
+    MOZ_ASSERT(sock);
+    MOZ_ASSERT(address);
+    int r;
+    sts_->Dispatch(WrapRunnableRet(this,
+                                   &TestNrSocketTest::GetAddress_s,
+                                   sock,
+                                   address,
+                                   &r),
+                   NS_DISPATCH_SYNC);
+    return r;
+  }
+
+  int GetAddress_s(TestNrSocket *sock, nr_transport_addr *address) {
+    return sock->getaddr(address);
+  }
+
+  int SendData_s(TestNrSocket *from, const nr_transport_addr &to) {
+    // It is up to caller to ensure that |from| is writeable.
+    const char buf[] = "foobajooba";
+    return from->sendto(buf, sizeof(buf), 0,
+        // TODO(bug 1170299): Remove const_cast when no longer necessary
+        const_cast<nr_transport_addr*>(&to));
+  }
+
+  int RecvData_s(TestNrSocket *to, nr_transport_addr *from) {
+    // It is up to caller to ensure that |to| is readable
+    const size_t bufSize = 1024;
+    char buf[bufSize];
+    size_t len;
+    // Maybe check that data matches?
+    int r = to->recvfrom(buf, sizeof(buf), &len, 0, from);
+    if (!r && (len == 0)) {
+      r = R_INTERNAL;
+    }
+    return r;
+  }
+
+  bool WaitForSocketState(TestNrSocket *sock, int state) {
+    MOZ_ASSERT(sock);
+    sts_->Dispatch(WrapRunnable(this,
+                                &TestNrSocketTest::WaitForSocketState_s,
+                                sock,
+                                state),
+                   NS_DISPATCH_SYNC);
+
+    bool res;
+    WAIT_(wait_done_for_main_, 100, res);
+    wait_done_for_main_ = false;
+
+    if (!res) {
+      sts_->Dispatch(WrapRunnable(this,
+                                  &TestNrSocketTest::CancelWait_s,
+                                  sock,
+                                  state),
+                     NS_DISPATCH_SYNC);
+    }
+
+    return res;
+  }
+
+  void WaitForSocketState_s(TestNrSocket *sock, int state) {
+     NR_ASYNC_WAIT(sock, state, &WaitDone, this);
+  }
+
+  void CancelWait_s(TestNrSocket *sock, int state) {
+     sock->cancel(state);
+  }
+
+  bool WaitForReadable(TestNrSocket *sock) {
+    return WaitForSocketState(sock, NR_ASYNC_WAIT_READ);
+  }
+
+  bool WaitForWriteable(TestNrSocket *sock) {
+    return WaitForSocketState(sock, NR_ASYNC_WAIT_WRITE);
+  }
+
+  static void WaitDone(void *sock, int how, void *test_fixture) {
+    TestNrSocketTest *test = static_cast<TestNrSocketTest*>(test_fixture);
+    test->wait_done_for_main_ = true;
+  }
+
+  // Simple busywait boolean for the test cases to spin on.
+  Atomic<bool> wait_done_for_main_;
+
+  nsCOMPtr<nsIEventTarget> sts_;
+  std::vector<nsRefPtr<TestNrSocket>> public_addrs_;
+  std::vector<nsRefPtr<TestNrSocket>> private_addrs_;
+  std::vector<nsRefPtr<TestNat>> nats_;
+};
+
+} // namespace mozilla
+
+using mozilla::TestNrSocketTest;
+using mozilla::TestNat;
+
+TEST_F(TestNrSocketTest, PublicConnectivity) {
+  CreatePublicAddrs(2);
+
+  ASSERT_TRUE(CheckConnectivity(public_addrs_[0], public_addrs_[1]));
+  ASSERT_TRUE(CheckConnectivity(public_addrs_[1], public_addrs_[0]));
+  ASSERT_TRUE(CheckConnectivity(public_addrs_[0], public_addrs_[0]));
+  ASSERT_TRUE(CheckConnectivity(public_addrs_[1], public_addrs_[1]));
+}
+
+TEST_F(TestNrSocketTest, PrivateConnectivity) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(2));
+  nat->filtering_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0], private_addrs_[1]));
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[1], private_addrs_[0]));
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0], private_addrs_[0]));
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[1], private_addrs_[1]));
+}
+
+TEST_F(TestNrSocketTest, NoConnectivityWithoutPinhole) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(1));
+  nat->filtering_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  CreatePublicAddrs(1);
+
+  ASSERT_FALSE(CheckConnectivity(public_addrs_[0], private_addrs_[0]));
+}
+
+TEST_F(TestNrSocketTest, NoConnectivityBetweenSubnets) {
+  nsRefPtr<TestNat> nat1(CreatePrivateAddrs(1));
+  nat1->filtering_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat1->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nsRefPtr<TestNat> nat2(CreatePrivateAddrs(1));
+  nat2->filtering_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat2->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+
+  ASSERT_FALSE(CheckConnectivity(private_addrs_[0], private_addrs_[1]));
+  ASSERT_FALSE(CheckConnectivity(private_addrs_[1], private_addrs_[0]));
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0], private_addrs_[0]));
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[1], private_addrs_[1]));
+}
+
+TEST_F(TestNrSocketTest, FullConeAcceptIngress) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(1));
+  nat->filtering_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  CreatePublicAddrs(2);
+
+  nr_transport_addr sender_external_address;
+  // Open pinhole to public IP 0
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[0],
+                                &sender_external_address));
+
+  // Verify that return traffic works
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[0],
+                                   private_addrs_[0],
+                                   sender_external_address));
+
+  // Verify that other public IP can use the pinhole
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[1],
+                                   private_addrs_[0],
+                                   sender_external_address));
+}
+
+TEST_F(TestNrSocketTest, FullConeOnePinhole) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(1));
+  nat->filtering_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  CreatePublicAddrs(2);
+
+  nr_transport_addr sender_external_address;
+  // Open pinhole to public IP 0
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[0],
+                                &sender_external_address));
+
+  // Verify that return traffic works
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[0],
+                                   private_addrs_[0],
+                                   sender_external_address));
+
+  // Send traffic to other public IP, verify that it uses the same pinhole
+  nr_transport_addr sender_external_address2;
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[1],
+                                &sender_external_address2));
+  ASSERT_FALSE(nr_transport_addr_cmp(&sender_external_address,
+                                     &sender_external_address2,
+                                     NR_TRANSPORT_ADDR_CMP_MODE_ALL))
+    << "addr1: " << sender_external_address.as_string << " addr2: "
+    << sender_external_address2.as_string;
+}
+
+// OS 10.6 doesn't seem to allow us to open ports on 127.0.0.2, and while linux
+// does allow this, it has other behavior (see below) that prevents this test
+// from working.
+TEST_F(TestNrSocketTest, DISABLED_AddressRestrictedCone) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(1));
+  nat->filtering_type_ = TestNat::ADDRESS_DEPENDENT;
+  nat->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  CreatePublicAddrs(2, "127.0.0.1");
+  CreatePublicAddrs(1, "127.0.0.2");
+
+  nr_transport_addr sender_external_address;
+  // Open pinhole to public IP 0
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[0],
+                                &sender_external_address));
+
+  // Verify that return traffic works
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[0],
+                                   private_addrs_[0],
+                                   sender_external_address));
+
+  // Verify that another address on the same host can use the pinhole
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[1],
+                                   private_addrs_[0],
+                                   sender_external_address));
+
+  // Linux has a tendency to monkey around with source addresses, doing
+  // stuff like substituting 127.0.0.1 for packets sent by 127.0.0.2, and even
+  // going as far as substituting localhost for a packet sent from a real IP
+  // address when the destination is localhost. The only way to make this test
+  // work on linux is to have two real IP addresses.
+#ifndef __linux__
+  // Verify that an address on a different host can't use the pinhole
+  ASSERT_FALSE(CheckConnectivityVia(public_addrs_[2],
+                                   private_addrs_[0],
+                                   sender_external_address));
+#endif
+
+  // Send traffic to other public IP, verify that it uses the same pinhole
+  nr_transport_addr sender_external_address2;
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[1],
+                                &sender_external_address2));
+  ASSERT_FALSE(nr_transport_addr_cmp(&sender_external_address,
+                                     &sender_external_address2,
+                                     NR_TRANSPORT_ADDR_CMP_MODE_ALL))
+    << "addr1: " << sender_external_address.as_string << " addr2: "
+    << sender_external_address2.as_string;
+
+  // Verify that the other public IP can now use the pinhole
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[1],
+                                   private_addrs_[0],
+                                   sender_external_address2));
+
+  // Send traffic to other public IP, verify that it uses the same pinhole
+  nr_transport_addr sender_external_address3;
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[2],
+                                &sender_external_address3));
+  ASSERT_FALSE(nr_transport_addr_cmp(&sender_external_address,
+                                     &sender_external_address3,
+                                     NR_TRANSPORT_ADDR_CMP_MODE_ALL))
+    << "addr1: " << sender_external_address.as_string << " addr2: "
+    << sender_external_address3.as_string;
+
+  // Verify that the other public IP can now use the pinhole
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[2],
+                                   private_addrs_[0],
+                                   sender_external_address3));
+}
+
+TEST_F(TestNrSocketTest, RestrictedCone) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(1));
+  nat->filtering_type_ = TestNat::PORT_DEPENDENT;
+  nat->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  CreatePublicAddrs(2);
+
+  nr_transport_addr sender_external_address;
+  // Open pinhole to public IP 0
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[0],
+                                &sender_external_address));
+
+  // Verify that return traffic works
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[0],
+                                   private_addrs_[0],
+                                   sender_external_address));
+
+  // Verify that other public IP cannot use the pinhole
+  ASSERT_FALSE(CheckConnectivityVia(public_addrs_[1],
+                                    private_addrs_[0],
+                                    sender_external_address));
+
+  // Send traffic to other public IP, verify that it uses the same pinhole
+  nr_transport_addr sender_external_address2;
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[1],
+                                &sender_external_address2));
+  ASSERT_FALSE(nr_transport_addr_cmp(&sender_external_address,
+                                     &sender_external_address2,
+                                     NR_TRANSPORT_ADDR_CMP_MODE_ALL))
+    << "addr1: " << sender_external_address.as_string << " addr2: "
+    << sender_external_address2.as_string;
+
+  // Verify that the other public IP can now use the pinhole
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[1],
+                                   private_addrs_[0],
+                                   sender_external_address2));
+}
+
+TEST_F(TestNrSocketTest, PortDependentMappingFullCone) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(1));
+  nat->filtering_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat->mapping_type_ = TestNat::PORT_DEPENDENT;
+  CreatePublicAddrs(2);
+
+  nr_transport_addr sender_external_address0;
+  // Open pinhole to public IP 0
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[0],
+                                &sender_external_address0));
+
+  // Verify that return traffic works
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[0],
+                                   private_addrs_[0],
+                                   sender_external_address0));
+
+  // Verify that other public IP can use the pinhole
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[1],
+                                   private_addrs_[0],
+                                   sender_external_address0));
+
+  // Send traffic to other public IP, verify that it uses a different pinhole
+  nr_transport_addr sender_external_address1;
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[1],
+                                &sender_external_address1));
+  ASSERT_TRUE(nr_transport_addr_cmp(&sender_external_address0,
+                                    &sender_external_address1,
+                                    NR_TRANSPORT_ADDR_CMP_MODE_ALL))
+    << "addr1: " << sender_external_address0.as_string << " addr2: "
+    << sender_external_address1.as_string;
+
+  // Verify that return traffic works
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[1],
+                                   private_addrs_[0],
+                                   sender_external_address1));
+
+  // Verify that other public IP can use the original pinhole
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[0],
+                                   private_addrs_[0],
+                                   sender_external_address1));
+}
+
+TEST_F(TestNrSocketTest, Symmetric) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(1));
+  nat->filtering_type_ = TestNat::PORT_DEPENDENT;
+  nat->mapping_type_ = TestNat::PORT_DEPENDENT;
+  CreatePublicAddrs(2);
+
+  nr_transport_addr sender_external_address;
+  // Open pinhole to public IP 0
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[0],
+                                &sender_external_address));
+
+  // Verify that return traffic works
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[0],
+                                   private_addrs_[0],
+                                   sender_external_address));
+
+  // Verify that other public IP cannot use the pinhole
+  ASSERT_FALSE(CheckConnectivityVia(public_addrs_[1],
+                                    private_addrs_[0],
+                                    sender_external_address));
+
+  // Send traffic to other public IP, verify that it uses a new pinhole
+  nr_transport_addr sender_external_address2;
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[1],
+                                &sender_external_address2));
+  ASSERT_TRUE(nr_transport_addr_cmp(&sender_external_address,
+                                    &sender_external_address2,
+                                    NR_TRANSPORT_ADDR_CMP_MODE_ALL));
+
+  // Verify that the other public IP can use the new pinhole
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[1],
+                                   private_addrs_[0],
+                                   sender_external_address2));
+}
+
+TEST_F(TestNrSocketTest, BlockUdp) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(2));
+  nat->block_udp_ = true;
+  CreatePublicAddrs(1);
+
+  nr_transport_addr sender_external_address;
+  ASSERT_FALSE(CheckConnectivity(private_addrs_[0],
+                                 public_addrs_[0],
+                                 &sender_external_address));
+
+  // Make sure UDP behind the NAT still works
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                private_addrs_[1]));
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[1],
+                                private_addrs_[0]));
+}
+
+TEST_F(TestNrSocketTest, DenyHairpinning) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(2));
+  nat->filtering_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  CreatePublicAddrs(1);
+
+  nr_transport_addr sender_external_address;
+  // Open pinhole to public IP 0
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[0],
+                                &sender_external_address));
+
+  // Verify that hairpinning is disallowed
+  ASSERT_FALSE(CheckConnectivityVia(private_addrs_[1],
+                                    private_addrs_[0],
+                                    sender_external_address));
+}
+
+TEST_F(TestNrSocketTest, AllowHairpinning) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(2));
+  nat->filtering_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat->mapping_timeout_ = 30000;
+  nat->allow_hairpinning_ = true;
+  CreatePublicAddrs(1);
+
+  nr_transport_addr sender_external_address;
+  // Open pinhole to public IP 0, obtain external address
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[0],
+                                &sender_external_address));
+
+  // Verify that hairpinning is allowed
+  ASSERT_TRUE(CheckConnectivityVia(private_addrs_[1],
+                                   private_addrs_[0],
+                                   sender_external_address));
+}
+
+TEST_F(TestNrSocketTest, FullConeTimeout) {
+  nsRefPtr<TestNat> nat(CreatePrivateAddrs(1));
+  nat->filtering_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat->mapping_type_ = TestNat::ENDPOINT_INDEPENDENT;
+  nat->mapping_timeout_ = 200;
+  CreatePublicAddrs(2);
+
+  nr_transport_addr sender_external_address;
+  // Open pinhole to public IP 0
+  ASSERT_TRUE(CheckConnectivity(private_addrs_[0],
+                                public_addrs_[0],
+                                &sender_external_address));
+
+  // Verify that return traffic works
+  ASSERT_TRUE(CheckConnectivityVia(public_addrs_[0],
+                                   private_addrs_[0],
+                                   sender_external_address));
+
+  PR_Sleep(201);
+
+  // Verify that return traffic does not work
+  ASSERT_FALSE(CheckConnectivityVia(public_addrs_[0],
+                                    private_addrs_[0],
+                                    sender_external_address));
+}
+
+// TODO(): We need TCP tests, but first we will need ICE TCP to land (this
+// adds listen/accept support to NrSocket)
+
+int main(int argc, char **argv)
+{
+  // Inits STS and some other stuff.
+  MtransportTestUtils test_utils;
+
+  NR_reg_init(NR_REG_MODE_LOCAL);
+
+  // Start the tests
+  ::testing::InitGoogleTest(&argc, argv);
+
+  int rv = RUN_ALL_TESTS();
+
+  return rv;
+}
diff --git a/media/mtransport/test/turn_unittest.cpp b/media/mtransport/test/turn_unittest.cpp
index 898d0439d540..b1e53c7a17da 100644
--- a/media/mtransport/test/turn_unittest.cpp
+++ b/media/mtransport/test/turn_unittest.cpp
@@ -119,7 +119,7 @@ class TurnClient : public ::testing::Test {
     r = nr_ip4_port_to_transport_addr(0, 0, protocol_, &addr);
     ASSERT_EQ(0, r);
 
-    r = nr_socket_local_create(&addr, &real_socket_);
+    r = nr_socket_local_create(nullptr, &addr, &real_socket_);
     ASSERT_EQ(0, r);
 
     if (protocol_ == IPPROTO_TCP) {
diff --git a/media/mtransport/test_nr_socket.cpp b/media/mtransport/test_nr_socket.cpp
new file mode 100644
index 000000000000..1d6c8ca195dd
--- /dev/null
+++ b/media/mtransport/test_nr_socket.cpp
@@ -0,0 +1,763 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+*/
+
+/*
+Based partially on original code from nICEr and nrappkit.
+
+nICEr copyright:
+
+Copyright (c) 2007, Adobe Systems, Incorporated
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+* Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the distribution.
+
+* Neither the name of Adobe Systems, Network Resonance nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+nrappkit copyright:
+
+   Copyright (C) 2001-2003, Network Resonance, Inc.
+   Copyright (C) 2006, Network Resonance, Inc.
+   All Rights Reserved
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. Neither the name of Network Resonance, Inc. nor the name of any
+      contributors to this software may be used to endorse or promote
+      products derived from this software without specific prior written
+      permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS''
+   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+   ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+   LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+   SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+   CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+   POSSIBILITY OF SUCH DAMAGE.
+
+
+   ekr@rtfm.com  Thu Dec 20 20:14:49 2001
+*/
+
+// Original author: bcampen@mozilla.com [:bwc]
+
+extern "C" {
+#include "stun_msg.h" // for NR_STUN_MAX_MESSAGE_SIZE
+#include "nr_api.h"
+#include "async_wait.h"
+#include "nr_socket.h"
+#include "nr_socket_local.h"
+#include "stun_hint.h"
+#include "transport_addr.h"
+}
+
+#include "mozilla/RefPtr.h"
+#include "test_nr_socket.h"
+#include "runnable_utils.h"
+
+namespace mozilla {
+
+static int test_nat_socket_create(void *obj,
+                                  nr_transport_addr *addr,
+                                  nr_socket **sockp) {
+  RefPtr<NrSocketBase> sock = new TestNrSocket(static_cast<TestNat*>(obj));
+
+  int r, _status;
+
+  r = sock->create(addr);
+  if (r)
+    ABORT(r);
+
+  r = nr_socket_create_int(static_cast<void *>(sock),
+                           sock->vtbl(), sockp);
+  if (r)
+    ABORT(r);
+
+  _status = 0;
+
+  {
+    // We will release this reference in destroy(), not exactly the normal
+    // ownership model, but it is what it is.
+    NrSocketBase *dummy = sock.forget().take();
+    (void)dummy;
+  }
+
+abort:
+  return _status;
+}
+
+static int test_nat_socket_factory_destroy(void **obj) {
+  TestNat *nat = static_cast<TestNat*>(*obj);
+  *obj = nullptr;
+  nat->Release();
+  return 0;
+}
+
+static nr_socket_factory_vtbl test_nat_socket_factory_vtbl = {
+  test_nat_socket_create,
+  test_nat_socket_factory_destroy
+};
+
+bool TestNat::has_port_mappings() const {
+  for (TestNrSocket *sock : sockets_) {
+    if (sock->has_port_mappings()) {
+      return true;
+    }
+  }
+  return false;
+}
+
+bool TestNat::is_my_external_tuple(const nr_transport_addr &addr) const {
+  for (TestNrSocket *sock : sockets_) {
+    if (sock->is_my_external_tuple(addr)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+bool TestNat::is_an_internal_tuple(const nr_transport_addr &addr) const {
+  for (TestNrSocket *sock : sockets_) {
+    nr_transport_addr addr_behind_nat;
+    if (sock->getaddr(&addr_behind_nat)) {
+      MOZ_CRASH("TestNrSocket::getaddr failed!");
+    }
+
+    // TODO(bug 1170299): Remove const_cast when no longer necessary
+    if (!nr_transport_addr_cmp(const_cast<nr_transport_addr*>(&addr),
+                               &addr_behind_nat,
+                               NR_TRANSPORT_ADDR_CMP_MODE_ALL)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+int TestNat::create_socket_factory(nr_socket_factory **factorypp) {
+  int r = nr_socket_factory_create_int(this,
+                                       &test_nat_socket_factory_vtbl,
+                                       factorypp);
+  if (!r) {
+    AddRef();
+  }
+  return r;
+}
+
+TestNrSocket::TestNrSocket(TestNat *nat)
+  : nat_(nat) {
+  nat_->insert_socket(this);
+}
+
+TestNrSocket::~TestNrSocket() {
+  nat_->erase_socket(this);
+}
+
+nsRefPtr<NrSocket> TestNrSocket::create_external_socket(
+    const nr_transport_addr &dest_addr) const {
+  MOZ_ASSERT(nat_->enabled_);
+  MOZ_ASSERT(!nat_->is_an_internal_tuple(dest_addr));
+
+  int r;
+  nr_transport_addr nat_external_addr;
+
+  // Open the socket on an arbitrary port, on the same address.
+  // TODO(bug 1170299): Remove const_cast when no longer necessary
+  if ((r = nr_transport_addr_copy(&nat_external_addr,
+                                  const_cast<nr_transport_addr*>(&my_addr_)))) {
+    r_log(LOG_GENERIC,LOG_CRIT, "%s: Failure in nr_transport_addr_copy: %d",
+                                __FUNCTION__, r);
+    return nullptr;
+  }
+
+  if ((r = nr_transport_addr_set_port(&nat_external_addr, 0))) {
+    r_log(LOG_GENERIC,LOG_CRIT, "%s: Failure in nr_transport_addr_set_port: %d",
+                                __FUNCTION__, r);
+    return nullptr;
+  }
+
+  nsRefPtr<NrSocket> external_socket = new NrSocket;
+
+  if ((r = external_socket->create(&nat_external_addr))) {
+    r_log(LOG_GENERIC,LOG_CRIT, "%s: Failure in NrSocket::create: %d",
+                                __FUNCTION__, r);
+    return nullptr;
+  }
+
+  return external_socket;
+}
+
+int TestNrSocket::sendto(const void *msg, size_t len,
+                         int flags, nr_transport_addr *to) {
+  MOZ_ASSERT(my_addr_.protocol != IPPROTO_TCP);
+  ASSERT_ON_THREAD(ststhread_);
+
+  if (!nat_->enabled_ || nat_->is_an_internal_tuple(*to)) {
+    return NrSocket::sendto(msg, len, flags, to);
+  }
+
+  destroy_stale_port_mappings();
+
+  if (to->protocol == IPPROTO_UDP && nat_->block_udp_) {
+    // Silently eat the packet
+    return 0;
+  }
+
+  // Choose our port mapping based on our most selective criteria
+  PortMapping *port_mapping = get_port_mapping(*to,
+                                               std::max(nat_->filtering_type_,
+                                                        nat_->mapping_type_));
+
+  if (!port_mapping) {
+    // See if we have already made the external socket we need to use.
+    PortMapping *similar_port_mapping =
+      get_port_mapping(*to, nat_->mapping_type_);
+    nsRefPtr<NrSocket> external_socket;
+
+    if (similar_port_mapping) {
+      external_socket = similar_port_mapping->external_socket_;
+    } else {
+      external_socket = create_external_socket(*to);
+      if (!external_socket) {
+        MOZ_ASSERT(false);
+        return R_INTERNAL;
+      }
+    }
+
+    port_mapping = create_port_mapping(*to, external_socket);
+    port_mappings_.push_back(port_mapping);
+
+    if (poll_flags() & PR_POLL_READ) {
+      // Make sure the new port mapping is ready to receive traffic if the
+      // TestNrSocket is already waiting.
+      port_mapping->async_wait(NR_ASYNC_WAIT_READ,
+                              port_mapping_readable_callback,
+                              this,
+                              (char*)__FUNCTION__,
+                              __LINE__);
+    }
+  }
+
+  // We probably don't want to propagate the flags, since this is a simulated
+  // external IP address.
+  return port_mapping->sendto(msg, len, *to);
+}
+
+int TestNrSocket::recvfrom(void *buf, size_t maxlen,
+                           size_t *len, int flags,
+                           nr_transport_addr *from) {
+  MOZ_ASSERT(my_addr_.protocol != IPPROTO_TCP);
+  ASSERT_ON_THREAD(ststhread_);
+
+  int r;
+  bool ingress_allowed = false;
+
+  if (readable_socket_) {
+    // If any of the external sockets got data, see if it will be passed through
+    r = readable_socket_->recvfrom(buf, maxlen, len, 0, from);
+    readable_socket_ = nullptr;
+    if (!r) {
+      PortMapping *port_mapping_used;
+      ingress_allowed = allow_ingress(*from, &port_mapping_used);
+      if (ingress_allowed && nat_->refresh_on_ingress_ && port_mapping_used) {
+        port_mapping_used->last_used_ = PR_IntervalNow();
+      }
+    }
+  } else {
+    // If no external socket has data, see if there's any data that was sent
+    // directly to the TestNrSocket, and eat it if it isn't supposed to get
+    // through.
+    r = NrSocket::recvfrom(buf, maxlen, len, flags, from);
+    if (!r) {
+      // We do not use allow_ingress() here because that only handles traffic
+      // landing on an external port.
+      ingress_allowed = (!nat_->enabled_ ||
+                         nat_->is_an_internal_tuple(*from));
+      if (!ingress_allowed) {
+        r_log(LOG_GENERIC, LOG_INFO, "TestNrSocket %s denying ingress from %s: "
+                                     "Not behind the same NAT",
+                                     my_addr_.as_string,
+                                     from->as_string);
+      }
+    }
+  }
+
+  // Kinda lame that we are forced to give the app a readable callback and then
+  // say "Oh, never mind...", but the alternative is to totally decouple the
+  // callbacks from STS and the callbacks the app sets. On the bright side, this
+  // speeds up unit tests where we are verifying that ingress is forbidden,
+  // since they'll get a readable callback and then an error, instead of having
+  // to wait for a timeout.
+  if (!ingress_allowed) {
+    *len = 0;
+    r = R_WOULDBLOCK;
+  }
+
+  return r;
+}
+
+bool TestNrSocket::allow_ingress(const nr_transport_addr &from,
+                                 PortMapping **port_mapping_used) const {
+  *port_mapping_used = nullptr;
+  if (!nat_->enabled_)
+    return true;
+
+  if (nat_->is_an_internal_tuple(from))
+    return true;
+
+  *port_mapping_used = get_port_mapping(from, nat_->filtering_type_);
+  if (!(*port_mapping_used)) {
+    r_log(LOG_GENERIC, LOG_INFO, "TestNrSocket %s denying ingress from %s: "
+                                 "Filtered",
+                                 my_addr_.as_string,
+                                 from.as_string);
+    return false;
+  }
+
+  if (is_port_mapping_stale(**port_mapping_used)) {
+    r_log(LOG_GENERIC, LOG_INFO, "TestNrSocket %s denying ingress from %s: "
+                                 "Stale port mapping",
+                                 my_addr_.as_string,
+                                 from.as_string);
+    return false;
+  }
+
+  if (!nat_->allow_hairpinning_ && nat_->is_my_external_tuple(from)) {
+    r_log(LOG_GENERIC, LOG_INFO, "TestNrSocket %s denying ingress from %s: "
+                                 "Hairpinning disallowed",
+                                 my_addr_.as_string,
+                                 from.as_string);
+    return false;
+  }
+
+  return true;
+}
+
+int TestNrSocket::connect(nr_transport_addr *addr) {
+  ASSERT_ON_THREAD(ststhread_);
+
+  if (connect_invoked_ || !port_mappings_.empty()) {
+    MOZ_CRASH("TestNrSocket::connect() called more than once!");
+    return R_INTERNAL;
+  }
+
+  if (!nat_->enabled_ || nat_->is_an_internal_tuple(*addr)) {
+    // This will set connect_invoked_
+    return NrSocket::connect(addr);
+  }
+
+  nsRefPtr<NrSocket> external_socket(create_external_socket(*addr));
+  if (!external_socket) {
+    return R_INTERNAL;
+  }
+
+  PortMapping *port_mapping = create_port_mapping(*addr, external_socket);
+  port_mappings_.push_back(port_mapping);
+  port_mapping->external_socket_->connect(addr);
+  port_mapping->last_used_ = PR_IntervalNow();
+
+  if (poll_flags() & PR_POLL_READ) {
+    port_mapping->async_wait(NR_ASYNC_WAIT_READ,
+                             port_mapping_tcp_passthrough_callback,
+                             this,
+                             (char*)__FUNCTION__,
+                             __LINE__);
+  }
+
+  return 0;
+}
+
+int TestNrSocket::write(const void *msg, size_t len, size_t *written) {
+  ASSERT_ON_THREAD(ststhread_);
+
+  if (port_mappings_.empty()) {
+    // The no-nat case, just pass call through.
+    r_log(LOG_GENERIC, LOG_INFO, "TestNrSocket %s writing",
+          my_addr().as_string);
+
+    return NrSocket::write(msg, len, written);
+  } else {
+    // This is TCP only
+    MOZ_ASSERT(port_mappings_.size() == 1);
+    r_log(LOG_GENERIC, LOG_INFO,
+          "PortMapping %s -> %s writing",
+          port_mappings_.front()->external_socket_->my_addr().as_string,
+          port_mappings_.front()->remote_address_.as_string);
+
+    return port_mappings_.front()->external_socket_->write(msg, len, written);
+  }
+}
+
+int TestNrSocket::read(void *buf, size_t maxlen, size_t *len) {
+  ASSERT_ON_THREAD(ststhread_);
+
+  if (port_mappings_.empty()) {
+    return NrSocket::read(buf, maxlen, len);
+  } else {
+    MOZ_ASSERT(port_mappings_.size() == 1);
+    return port_mappings_.front()->external_socket_->read(buf, maxlen, len);
+  }
+}
+
+int TestNrSocket::async_wait(int how, NR_async_cb cb, void *cb_arg,
+                             char *function, int line) {
+  ASSERT_ON_THREAD(ststhread_);
+
+  // Make sure we're waiting on the socket for the internal address
+  int r = NrSocket::async_wait(how, cb, cb_arg, function, line);
+
+  if (r) {
+    return r;
+  }
+
+  r_log(LOG_GENERIC, LOG_DEBUG, "TestNrSocket %s waiting for %s",
+                                my_addr_.as_string,
+                                how == NR_ASYNC_WAIT_READ ? "read" : "write");
+
+  if (is_tcp_connection_behind_nat()) {
+    // Bypass all port-mapping related logic
+    return 0;
+  }
+
+  if (my_addr_.protocol == IPPROTO_TCP) {
+    // For a TCP connection through a simulated NAT, these signals are
+    // just passed through.
+    MOZ_ASSERT(port_mappings_.size() == 1);
+
+    return port_mappings_.front()->async_wait(
+        how,
+        port_mapping_tcp_passthrough_callback,
+        this,
+        function,
+        line);
+  } else if (how == NR_ASYNC_WAIT_READ) {
+    // For UDP port mappings, we decouple the writeable callbacks
+    for (PortMapping *port_mapping : port_mappings_) {
+      // Be ready to receive traffic on our port mappings
+      r = port_mapping->async_wait(how,
+                                   port_mapping_readable_callback,
+                                   this,
+                                   function,
+                                   line);
+      if (r) {
+        return r;
+      }
+    }
+  }
+
+  return 0;
+}
+
+void TestNrSocket::cancel_port_mapping_async_wait(int how) {
+  for (PortMapping *port_mapping : port_mappings_) {
+    port_mapping->cancel(how);
+  }
+}
+
+int TestNrSocket::cancel(int how) {
+  ASSERT_ON_THREAD(ststhread_);
+
+  r_log(LOG_GENERIC, LOG_DEBUG, "TestNrSocket %s stop waiting for %s",
+        my_addr_.as_string,
+        how == NR_ASYNC_WAIT_READ ? "read" : "write");
+
+  // Writable callbacks are decoupled except for the TCP case
+  if (how == NR_ASYNC_WAIT_READ || my_addr_.protocol == IPPROTO_TCP) {
+    cancel_port_mapping_async_wait(how);
+  }
+
+  return NrSocket::cancel(how);
+}
+
+bool TestNrSocket::has_port_mappings() const {
+  return !port_mappings_.empty();
+}
+
+bool TestNrSocket::is_my_external_tuple(const nr_transport_addr &addr) const {
+  for (PortMapping *port_mapping : port_mappings_) {
+    nr_transport_addr port_mapping_addr;
+    if (port_mapping->external_socket_->getaddr(&port_mapping_addr)) {
+      MOZ_CRASH("NrSocket::getaddr failed!");
+    }
+
+    // TODO(bug 1170299): Remove const_cast when no longer necessary
+    if (!nr_transport_addr_cmp(const_cast<nr_transport_addr*>(&addr),
+                               &port_mapping_addr,
+                               NR_TRANSPORT_ADDR_CMP_MODE_ALL)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+bool TestNrSocket::is_port_mapping_stale(
+    const PortMapping &port_mapping) const {
+  PRIntervalTime now = PR_IntervalNow();
+  PRIntervalTime elapsed_ticks = now - port_mapping.last_used_;
+  uint32_t idle_duration = PR_IntervalToMilliseconds(elapsed_ticks);
+  return idle_duration > nat_->mapping_timeout_;
+}
+
+void TestNrSocket::destroy_stale_port_mappings() {
+  for (auto i = port_mappings_.begin(); i != port_mappings_.end();) {
+    auto temp = i;
+    ++i;
+    if (is_port_mapping_stale(**temp)) {
+      r_log(LOG_GENERIC, LOG_INFO,
+            "TestNrSocket %s destroying port mapping %s -> %s",
+            my_addr_.as_string,
+            (*temp)->external_socket_->my_addr().as_string,
+            (*temp)->remote_address_.as_string);
+
+      port_mappings_.erase(temp);
+    }
+  }
+}
+
+void TestNrSocket::port_mapping_readable_callback(void *ext_sock_v,
+                                                  int how,
+                                                  void *test_sock_v) {
+  TestNrSocket *test_socket = static_cast<TestNrSocket*>(test_sock_v);
+  NrSocket *external_socket = static_cast<NrSocket*>(ext_sock_v);
+
+  test_socket->on_port_mapping_readable(external_socket);
+}
+
+void TestNrSocket::on_port_mapping_readable(NrSocket *external_socket) {
+  if (!readable_socket_) {
+    readable_socket_ = external_socket;
+  }
+
+  // None of our port mappings should be waiting for readable callbacks
+  // if nobody is waiting for readable callbacks from us.
+  MOZ_ASSERT(poll_flags() & PR_POLL_READ);
+
+  fire_readable_callback();
+}
+
+void TestNrSocket::fire_readable_callback() {
+  MOZ_ASSERT(poll_flags() & PR_POLL_READ);
+  // Stop listening on all mapped sockets; we will start listening again
+  // if the app starts listening to us again.
+  cancel_port_mapping_async_wait(NR_ASYNC_WAIT_READ);
+  r_log(LOG_GENERIC, LOG_DEBUG, "TestNrSocket %s ready for read",
+        my_addr_.as_string);
+  fire_callback(NR_ASYNC_WAIT_READ);
+}
+
+void TestNrSocket::port_mapping_writeable_callback(void *ext_sock_v,
+                                                   int how,
+                                                   void *test_sock_v) {
+  TestNrSocket *test_socket = static_cast<TestNrSocket*>(test_sock_v);
+  NrSocket *external_socket = static_cast<NrSocket*>(ext_sock_v);
+
+  test_socket->write_to_port_mapping(external_socket);
+}
+
+void TestNrSocket::write_to_port_mapping(NrSocket *external_socket) {
+  MOZ_ASSERT(my_addr_.protocol != IPPROTO_TCP);
+
+  int r = 0;
+  for (PortMapping *port_mapping : port_mappings_) {
+    if (port_mapping->external_socket_ == external_socket) {
+      // If the send succeeds, or if there was nothing to send, we keep going
+      r = port_mapping->send_from_queue();
+      if (r) {
+        break;
+      }
+    }
+  }
+
+  if (r == R_WOULDBLOCK) {
+    // Re-register for writeable callbacks, since we still have stuff to send
+    NR_ASYNC_WAIT(external_socket,
+                  NR_ASYNC_WAIT_WRITE,
+                  &TestNrSocket::port_mapping_writeable_callback,
+                  this);
+  }
+}
+
+void TestNrSocket::port_mapping_tcp_passthrough_callback(void *ext_sock_v,
+                                                         int how,
+                                                         void *test_sock_v) {
+  TestNrSocket *test_socket = static_cast<TestNrSocket*>(test_sock_v);
+  r_log(LOG_GENERIC, LOG_INFO,
+        "TestNrSocket %s firing %s callback",
+        test_socket->my_addr().as_string,
+        how == NR_ASYNC_WAIT_READ ? "readable" : "writeable");
+
+
+  test_socket->fire_callback(how);
+}
+
+bool TestNrSocket::is_tcp_connection_behind_nat() const {
+  return my_addr_.protocol == IPPROTO_TCP && port_mappings_.empty();
+}
+
+TestNrSocket::PortMapping* TestNrSocket::get_port_mapping(
+    const nr_transport_addr &remote_address,
+    TestNat::NatBehavior filter) const {
+  int compare_flags;
+  switch (filter) {
+    case TestNat::ENDPOINT_INDEPENDENT:
+      compare_flags = NR_TRANSPORT_ADDR_CMP_MODE_PROTOCOL;
+      break;
+    case TestNat::ADDRESS_DEPENDENT:
+      compare_flags = NR_TRANSPORT_ADDR_CMP_MODE_ADDR;
+      break;
+    case TestNat::PORT_DEPENDENT:
+      compare_flags = NR_TRANSPORT_ADDR_CMP_MODE_ALL;
+      break;
+  }
+
+  for (PortMapping *port_mapping : port_mappings_) {
+    // TODO(bug 1170299): Remove const_cast when no longer necessary
+    if (!nr_transport_addr_cmp(const_cast<nr_transport_addr*>(&remote_address),
+                               &port_mapping->remote_address_,
+                               compare_flags))
+      return port_mapping;
+  }
+  return nullptr;
+}
+
+TestNrSocket::PortMapping* TestNrSocket::create_port_mapping(
+    const nr_transport_addr &remote_address,
+    const nsRefPtr<NrSocket> &external_socket) const {
+  r_log(LOG_GENERIC, LOG_INFO, "TestNrSocket %s creating port mapping %s -> %s",
+        my_addr_.as_string,
+        external_socket->my_addr().as_string,
+        remote_address.as_string);
+
+  return new PortMapping(remote_address, external_socket);
+}
+
+TestNrSocket::PortMapping::PortMapping(
+    const nr_transport_addr &remote_address,
+    const nsRefPtr<NrSocket> &external_socket) :
+  external_socket_(external_socket) {
+  // TODO(bug 1170299): Remove const_cast when no longer necessary
+  nr_transport_addr_copy(&remote_address_,
+                         const_cast<nr_transport_addr*>(&remote_address));
+}
+
+int TestNrSocket::PortMapping::send_from_queue() {
+  MOZ_ASSERT(remote_address_.protocol != IPPROTO_TCP);
+  int r = 0;
+
+  while (!send_queue_.empty()) {
+    UdpPacket &packet = *send_queue_.front();
+    r_log(LOG_GENERIC, LOG_INFO,
+          "PortMapping %s -> %s sending from queue to %s",
+          external_socket_->my_addr().as_string,
+          remote_address_.as_string,
+          packet.remote_address_.as_string);
+
+    r = external_socket_->sendto(packet.buffer_->data(),
+                                 packet.buffer_->len(),
+                                 0,
+                                 &packet.remote_address_);
+
+    if (r) {
+      if (r != R_WOULDBLOCK) {
+        r_log(LOG_GENERIC, LOG_ERR, "%s: Fatal error %d, stop trying",
+              __FUNCTION__, r);
+        send_queue_.clear();
+      } else {
+        r_log(LOG_GENERIC, LOG_INFO, "Would block, will retry later");
+      }
+      break;
+    }
+
+    send_queue_.pop_front();
+  }
+
+  return r;
+}
+
+int TestNrSocket::PortMapping::sendto(const void *msg,
+                                      size_t len,
+                                      const nr_transport_addr &to) {
+  MOZ_ASSERT(remote_address_.protocol != IPPROTO_TCP);
+  r_log(LOG_GENERIC, LOG_INFO,
+        "PortMapping %s -> %s sending to %s",
+        external_socket_->my_addr().as_string,
+        remote_address_.as_string,
+        to.as_string);
+
+  last_used_ = PR_IntervalNow();
+  int r = external_socket_->sendto(msg, len, 0,
+      // TODO(bug 1170299): Remove const_cast when no longer necessary
+      const_cast<nr_transport_addr*>(&to));
+
+  if (r == R_WOULDBLOCK) {
+    r_log(LOG_GENERIC, LOG_INFO, "Enqueueing UDP packet to %s", to.as_string);
+    send_queue_.push_back(nsRefPtr<UdpPacket>(new UdpPacket(msg, len, to)));
+    return 0;
+  } else if (r) {
+    r_log(LOG_GENERIC,LOG_ERR, "Error: %d", r);
+  }
+
+  return r;
+}
+
+int TestNrSocket::PortMapping::async_wait(int how, NR_async_cb cb, void *cb_arg,
+                                          char *function, int line) {
+  r_log(LOG_GENERIC, LOG_DEBUG,
+        "PortMapping %s -> %s waiting for %s",
+        external_socket_->my_addr().as_string,
+        remote_address_.as_string,
+        how == NR_ASYNC_WAIT_READ ? "read" : "write");
+
+  return external_socket_->async_wait(how, cb, cb_arg, function, line);
+}
+
+int TestNrSocket::PortMapping::cancel(int how) {
+  r_log(LOG_GENERIC, LOG_DEBUG,
+        "PortMapping %s -> %s stop waiting for %s",
+        external_socket_->my_addr().as_string,
+        remote_address_.as_string,
+        how == NR_ASYNC_WAIT_READ ? "read" : "write");
+
+  return external_socket_->cancel(how);
+}
+} // namespace mozilla
+
diff --git a/media/mtransport/test_nr_socket.h b/media/mtransport/test_nr_socket.h
new file mode 100644
index 000000000000..8fd2f148aa07
--- /dev/null
+++ b/media/mtransport/test_nr_socket.h
@@ -0,0 +1,283 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+*/
+
+/*
+Based partially on original code from nICEr and nrappkit.
+
+nICEr copyright:
+
+Copyright (c) 2007, Adobe Systems, Incorporated
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+* Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the distribution.
+
+* Neither the name of Adobe Systems, Network Resonance nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+nrappkit copyright:
+
+   Copyright (C) 2001-2003, Network Resonance, Inc.
+   Copyright (C) 2006, Network Resonance, Inc.
+   All Rights Reserved
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. Neither the name of Network Resonance, Inc. nor the name of any
+      contributors to this software may be used to endorse or promote
+      products derived from this software without specific prior written
+      permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS''
+   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+   ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+   LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+   SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+   CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+   POSSIBILITY OF SUCH DAMAGE.
+
+
+   ekr@rtfm.com  Thu Dec 20 20:14:49 2001
+*/
+
+// Original author: bcampen@mozilla.com [:bwc]
+
+#ifndef test_nr_socket__
+#define test_nr_socket__
+
+#include "nr_socket_prsock.h"
+
+extern "C" {
+#include "nr_socket.h"
+}
+
+#include <set>
+#include <vector>
+#include <map>
+#include <list>
+
+#include "mozilla/UniquePtr.h"
+#include "prinrval.h"
+
+namespace mozilla {
+
+class TestNrSocket;
+
+/**
+ * A group of TestNrSockets that behave as if they were behind the same NAT.
+ * @note We deliberately avoid addref/release of TestNrSocket here to avoid
+ *       masking lifetime errors elsewhere.
+*/
+class TestNat {
+  public:
+    typedef enum {
+      /** For mapping, one port is used for all destinations.
+       *  For filtering, allow any external address/port. */
+      ENDPOINT_INDEPENDENT,
+
+      /** For mapping, one port for each destination address (for any port).
+       *  For filtering, allow incoming traffic from addresses that outgoing
+       *  traffic has been sent to. */
+      ADDRESS_DEPENDENT,
+
+      /** For mapping, one port for each destination address/port.
+       *  For filtering, allow incoming traffic only from addresses/ports that
+       *  outgoing traffic has been sent to. */
+      PORT_DEPENDENT,
+    } NatBehavior;
+
+    TestNat() :
+      enabled_(false),
+      filtering_type_(ENDPOINT_INDEPENDENT),
+      mapping_type_(ENDPOINT_INDEPENDENT),
+      mapping_timeout_(30000),
+      allow_hairpinning_(false),
+      refresh_on_ingress_(false),
+      block_udp_(false),
+      sockets_() {}
+
+    bool has_port_mappings() const;
+
+    // Helps determine whether we're hairpinning
+    bool is_my_external_tuple(const nr_transport_addr &addr) const;
+    bool is_an_internal_tuple(const nr_transport_addr &addr) const;
+
+    int create_socket_factory(nr_socket_factory **factorypp);
+
+    void insert_socket(TestNrSocket *socket) {
+      sockets_.insert(socket);
+    }
+
+    void erase_socket(TestNrSocket *socket) {
+      sockets_.erase(socket);
+    }
+
+    NS_INLINE_DECL_THREADSAFE_REFCOUNTING(TestNat);
+
+    bool enabled_;
+    TestNat::NatBehavior filtering_type_;
+    TestNat::NatBehavior mapping_type_;
+    uint32_t mapping_timeout_;
+    bool allow_hairpinning_;
+    bool refresh_on_ingress_;
+    bool block_udp_;
+
+  private:
+    std::set<TestNrSocket*> sockets_;
+
+    ~TestNat(){}
+};
+
+/**
+ * Subclass of NrSocket that can simulate things like being behind a NAT, packet
+ * loss, latency, packet rewriting, etc. Also exposes some stuff that assists in
+ * diagnostics.
+ */
+class TestNrSocket : public NrSocket {
+  public:
+    explicit TestNrSocket(TestNat *nat);
+
+    virtual ~TestNrSocket();
+
+    bool has_port_mappings() const;
+    bool is_my_external_tuple(const nr_transport_addr &addr) const;
+
+    // Overrides of NrSocket
+    int sendto(const void *msg, size_t len,
+               int flags, nr_transport_addr *to) override;
+    int recvfrom(void * buf, size_t maxlen,
+                 size_t *len, int flags,
+                 nr_transport_addr *from) override;
+    int connect(nr_transport_addr *addr) override;
+    int write(const void *msg, size_t len, size_t *written) override;
+    int read(void *buf, size_t maxlen, size_t *len) override;
+
+    int async_wait(int how, NR_async_cb cb, void *cb_arg,
+                   char *function, int line) override;
+    int cancel(int how) override;
+
+  private:
+    class UdpPacket {
+      public:
+        UdpPacket(const void *msg, size_t len, const nr_transport_addr &addr) :
+          buffer_(new DataBuffer(static_cast<const uint8_t*>(msg), len)) {
+          // TODO(bug 1170299): Remove const_cast when no longer necessary
+          nr_transport_addr_copy(&remote_address_,
+                                 const_cast<nr_transport_addr*>(&addr));
+        }
+
+        nr_transport_addr remote_address_;
+        UniquePtr<DataBuffer> buffer_;
+
+        NS_INLINE_DECL_THREADSAFE_REFCOUNTING(UdpPacket);
+      private:
+        ~UdpPacket(){}
+    };
+
+    class PortMapping {
+      public:
+        PortMapping(const nr_transport_addr &remote_address,
+                    const nsRefPtr<NrSocket> &external_socket);
+
+        int sendto(const void *msg, size_t len, const nr_transport_addr &to);
+        int async_wait(int how, NR_async_cb cb, void *cb_arg,
+                       char *function, int line);
+        int cancel(int how);
+        int send_from_queue();
+        NS_INLINE_DECL_THREADSAFE_REFCOUNTING(PortMapping);
+
+        PRIntervalTime last_used_;
+        nsRefPtr<NrSocket> external_socket_;
+        // For non-symmetric, most of the data here doesn't matter
+        nr_transport_addr remote_address_;
+
+      private:
+        ~PortMapping(){}
+
+        // If external_socket_ returns E_WOULDBLOCK, we don't want to propagate
+        // that to the code using the TestNrSocket. We can also perhaps use this
+        // to help simulate things like latency.
+        std::list<nsRefPtr<UdpPacket>> send_queue_;
+    };
+
+    bool is_port_mapping_stale(const PortMapping &port_mapping) const;
+    bool allow_ingress(const nr_transport_addr &from,
+                       PortMapping **port_mapping_used) const;
+    void destroy_stale_port_mappings();
+
+    static void port_mapping_readable_callback(void *ext_sock_v,
+                                               int how,
+                                               void *test_sock_v);
+    void on_port_mapping_readable(NrSocket *external_socket);
+    void fire_readable_callback();
+
+    static void port_mapping_tcp_passthrough_callback(void *ext_sock_v,
+                                                      int how,
+                                                      void *test_sock_v);
+    void cancel_port_mapping_async_wait(int how);
+
+    static void port_mapping_writeable_callback(void *ext_sock_v,
+                                                int how,
+                                                void *test_sock_v);
+    void write_to_port_mapping(NrSocket *external_socket);
+    bool is_tcp_connection_behind_nat() const;
+
+    PortMapping* get_port_mapping(const nr_transport_addr &remote_addr,
+                                  TestNat::NatBehavior filter) const;
+    PortMapping* create_port_mapping(
+        const nr_transport_addr &remote_addr,
+        const nsRefPtr<NrSocket> &external_socket) const;
+    nsRefPtr<NrSocket> create_external_socket(
+        const nr_transport_addr &remote_addr) const;
+
+    nsRefPtr<NrSocket> readable_socket_;
+    nsRefPtr<TestNat> nat_;
+    // Since our comparison logic is different depending on what kind of NAT
+    // we simulate, and the STL does not make it very easy to switch out the
+    // comparison function at runtime, and these lists are going to be very
+    // small anyway, we just brute-force it.
+    std::list<nsRefPtr<PortMapping>> port_mappings_;
+};
+
+} // namespace mozilla
+
+#endif // test_nr_socket__
+
diff --git a/media/mtransport/third_party/nICEr/src/ice/ice_component.c b/media/mtransport/third_party/nICEr/src/ice/ice_component.c
index e144793f4439..62a6ab33cc0c 100644
--- a/media/mtransport/third_party/nICEr/src/ice/ice_component.c
+++ b/media/mtransport/third_party/nICEr/src/ice/ice_component.c
@@ -196,7 +196,7 @@ static int nr_ice_component_initialize_udp(struct nr_ice_ctx_ *ctx,nr_ice_compon
           continue;
       }
       r_log(LOG_ICE,LOG_DEBUG,"ICE(%s): host address %s",ctx->label,addrs[i].addr.as_string);
-      if(r=nr_socket_local_create(&addrs[i].addr,&sock)){
+      if((r=nr_socket_factory_create_socket(ctx->socket_factory,&addrs[i].addr,&sock))){
         r_log(LOG_ICE,LOG_WARNING,"ICE(%s): couldn't create socket for address %s",ctx->label,addrs[i].addr.as_string);
         continue;
       }
@@ -323,7 +323,7 @@ static int nr_ice_component_initialize_tcp(struct nr_ice_ctx_ *ctx,nr_ice_compon
         addr.protocol = IPPROTO_TCP;
         if ((r=nr_transport_addr_fmt_addr_string(&addr)))
           ABORT(r);
-        if((r=nr_socket_local_create(&addr, &sock))){
+        if((r=nr_socket_factory_create_socket(ctx->socket_factory,&addr,&sock))){
           r_log(LOG_ICE,LOG_DEBUG,"ICE(%s): couldn't create socket for address %s",ctx->label,addr.as_string);
           continue;
         }
diff --git a/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c b/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c
index 8eb7da6f814a..d866fb1231f9 100644
--- a/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c
+++ b/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c
@@ -54,6 +54,7 @@ static char *RCSSTRING __UNUSED__="$Id: ice_ctx.c,v 1.2 2008/04/28 17:59:01 ekr
 #include "nr_crypto.h"
 #include "async_timer.h"
 #include "util.h"
+#include "nr_socket_local.h"
 
 
 int LOG_ICE = 0;
@@ -65,6 +66,14 @@ static int nr_ice_fetch_turn_servers(int ct, nr_ice_turn_server **out);
 #endif /* USE_TURN */
 static void nr_ice_ctx_destroy_cb(NR_SOCKET s, int how, void *cb_arg);
 static int nr_ice_ctx_pair_new_trickle_candidates(nr_ice_ctx *ctx, nr_ice_candidate *cand);
+static int no_op(void **obj) {
+  return 0;
+}
+
+static nr_socket_factory_vtbl default_socket_factory_vtbl = {
+  nr_socket_local_create,
+  no_op
+};
 
 int nr_ice_fetch_stun_servers(int ct, nr_ice_stun_server **out)
   {
@@ -229,6 +238,12 @@ int nr_ice_ctx_set_turn_tcp_socket_wrapper(nr_ice_ctx *ctx, nr_socket_wrapper_fa
     return(_status);
   }
 
+void nr_ice_ctx_set_socket_factory(nr_ice_ctx *ctx, nr_socket_factory *factory)
+  {
+    nr_socket_factory_destroy(&ctx->socket_factory);
+    ctx->socket_factory = factory;
+  }
+
 #ifdef USE_TURN
 int nr_ice_fetch_turn_servers(int ct, nr_ice_turn_server **out)
   {
@@ -381,6 +396,9 @@ int nr_ice_ctx_create(char *label, UINT4 flags, nr_ice_ctx **ctxp)
 
     ctx->Ta = 20;
 
+    if (r=nr_socket_factory_create_int(NULL, &default_socket_factory_vtbl, &ctx->socket_factory))
+      ABORT(r);
+
     STAILQ_INIT(&ctx->streams);
     STAILQ_INIT(&ctx->sockets);
     STAILQ_INIT(&ctx->foundations);
@@ -439,6 +457,7 @@ static void nr_ice_ctx_destroy_cb(NR_SOCKET s, int how, void *cb_arg)
     nr_resolver_destroy(&ctx->resolver);
     nr_interface_prioritizer_destroy(&ctx->interface_prioritizer);
     nr_socket_wrapper_factory_destroy(&ctx->turn_tcp_socket_wrapper);
+    nr_socket_factory_destroy(&ctx->socket_factory);
 
     RFREE(ctx);
   }
diff --git a/media/mtransport/third_party/nICEr/src/ice/ice_ctx.h b/media/mtransport/third_party/nICEr/src/ice/ice_ctx.h
index d5cbf2623705..2ef2d653f06b 100644
--- a/media/mtransport/third_party/nICEr/src/ice/ice_ctx.h
+++ b/media/mtransport/third_party/nICEr/src/ice/ice_ctx.h
@@ -130,6 +130,7 @@ struct nr_ice_ctx_ {
   nr_resolver *resolver;                      /* The resolver to use */
   nr_interface_prioritizer *interface_prioritizer;  /* Priority decision logic */
   nr_socket_wrapper_factory *turn_tcp_socket_wrapper; /* The TURN TCP socket wrapper to use */
+  nr_socket_factory *socket_factory;
 
   nr_ice_foundation_head foundations;
 
@@ -173,6 +174,7 @@ int nr_ice_ctx_set_turn_servers(nr_ice_ctx *ctx,nr_ice_turn_server *servers, int
 int nr_ice_ctx_set_resolver(nr_ice_ctx *ctx, nr_resolver *resolver);
 int nr_ice_ctx_set_interface_prioritizer(nr_ice_ctx *ctx, nr_interface_prioritizer *prioritizer);
 int nr_ice_ctx_set_turn_tcp_socket_wrapper(nr_ice_ctx *ctx, nr_socket_wrapper_factory *wrapper);
+void nr_ice_ctx_set_socket_factory(nr_ice_ctx *ctx, nr_socket_factory *factory);
 int nr_ice_ctx_set_trickle_cb(nr_ice_ctx *ctx, nr_ice_trickle_candidate_cb cb, void *cb_arg);
 
 #define NR_ICE_MAX_ATTRIBUTE_SIZE 256
diff --git a/media/mtransport/third_party/nICEr/src/net/nr_socket.c b/media/mtransport/third_party/nICEr/src/net/nr_socket.c
index 9c91a4df1909..e158e46e7945 100644
--- a/media/mtransport/third_party/nICEr/src/net/nr_socket.c
+++ b/media/mtransport/third_party/nICEr/src/net/nr_socket.c
@@ -135,3 +135,43 @@ int nr_socket_read(nr_socket *sock,void * restrict buf, size_t maxlen,
     CHECK_DEFINED(sread);
     return sock->vtbl->sread(sock->obj, buf, maxlen, len);
   }
+
+
+int nr_socket_factory_create_int(void *obj,
+  nr_socket_factory_vtbl *vtbl, nr_socket_factory **factorypp)
+  {
+    int _status;
+    nr_socket_factory *factoryp=0;
+
+    if(!(factoryp=RCALLOC(sizeof(nr_socket_factory))))
+      ABORT(R_NO_MEMORY);
+
+    factoryp->obj = obj;
+    factoryp->vtbl = vtbl;
+
+    *factorypp = factoryp;
+
+    _status=0;
+  abort:
+    return(_status);
+  }
+
+int nr_socket_factory_destroy(nr_socket_factory **factorypp)
+  {
+    nr_socket_factory *factoryp;
+
+    if (!factorypp || !*factorypp)
+      return (0);
+
+    factoryp = *factorypp;
+    *factorypp = NULL;
+    factoryp->vtbl->destroy(&factoryp->obj);
+    RFREE(factoryp);
+    return (0);
+  }
+
+int nr_socket_factory_create_socket(nr_socket_factory *factory, nr_transport_addr *addr, nr_socket **sockp)
+  {
+    return factory->vtbl->create_socket(factory->obj, addr, sockp);
+  }
+
diff --git a/media/mtransport/third_party/nICEr/src/net/nr_socket.h b/media/mtransport/third_party/nICEr/src/net/nr_socket.h
index ee87f60599d1..71c6c418795c 100644
--- a/media/mtransport/third_party/nICEr/src/net/nr_socket.h
+++ b/media/mtransport/third_party/nICEr/src/net/nr_socket.h
@@ -72,6 +72,15 @@ typedef struct nr_socket_ {
   nr_socket_vtbl *vtbl;
 } nr_socket;
 
+typedef struct nr_socket_factory_vtbl_ {
+  int (*create_socket)(void *obj, nr_transport_addr *addr, nr_socket **sockp);
+  int (*destroy)(void **obj);
+} nr_socket_factory_vtbl;
+
+typedef struct nr_socket_factory_ {
+  void *obj;
+  nr_socket_factory_vtbl *vtbl;
+} nr_socket_factory;
 
 /* To be called by constructors */
 int nr_socket_create_int(void *obj, nr_socket_vtbl *vtbl, nr_socket **sockp);
@@ -87,5 +96,9 @@ int nr_socket_connect(nr_socket *sock, nr_transport_addr *addr);
 int nr_socket_write(nr_socket *sock,const void *msg, size_t len, size_t *written, int flags);
 int nr_socket_read(nr_socket *sock, void * restrict buf, size_t maxlen, size_t *len, int flags);
 
+int nr_socket_factory_create_int(void *obj, nr_socket_factory_vtbl *vtbl, nr_socket_factory **factorypp);
+int nr_socket_factory_destroy(nr_socket_factory **factoryp);
+int nr_socket_factory_create_socket(nr_socket_factory *factory, nr_transport_addr *addr, nr_socket **sockp);
+
 #endif
 
diff --git a/media/mtransport/third_party/nICEr/src/net/nr_socket_local.h b/media/mtransport/third_party/nICEr/src/net/nr_socket_local.h
index b59953076796..a2f813ff668d 100644
--- a/media/mtransport/third_party/nICEr/src/net/nr_socket_local.h
+++ b/media/mtransport/third_party/nICEr/src/net/nr_socket_local.h
@@ -35,7 +35,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #ifndef _nr_socket_local_h
 #define _nr_socket_local_h
 
-int nr_socket_local_create(nr_transport_addr *addr, nr_socket **sockp);
+int nr_socket_local_create(void *obj, nr_transport_addr *addr, nr_socket **sockp);
 
 #endif
 
diff --git a/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp b/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp
index 262165f02ca5..0775931889d1 100644
--- a/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp
+++ b/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp
@@ -43,6 +43,7 @@
 #endif
 #include "mozilla/gfx/Point.h"
 #include "mozilla/gfx/Types.h"
+#include "mozilla/UniquePtr.h"
 
 #include "logging.h"
 
@@ -1157,51 +1158,68 @@ void MediaPipelineTransmit::PipelineListener::ProcessVideoChunk(
     MOZ_MTLOG(ML_DEBUG, "Sending a video frame");
     // Not much for us to do with an error
     conduit->SendVideoFrame(y, I420SIZE(width, height), width, height, mozilla::kVideoI420, 0);
-  } else if(format == ImageFormat::CAIRO_SURFACE) {
-    layers::CairoImage* rgb =
-    const_cast<layers::CairoImage *>(
-          static_cast<const layers::CairoImage *>(img));
+  } else {
+    RefPtr<gfx::SourceSurface> surf = img->GetAsSourceSurface();
+    if (!surf) {
+      MOZ_MTLOG(ML_ERROR, "Getting surface from image failed");
+      return;
+    }
 
-    gfx::IntSize size = rgb->GetSize();
+    RefPtr<gfx::DataSourceSurface> data = surf->GetDataSurface();
+    if (!data) {
+      MOZ_MTLOG(ML_ERROR, "Getting data surface from image failed");
+      return;
+    }
+
+    gfx::IntSize size = img->GetSize();
     int half_width = (size.width + 1) >> 1;
     int half_height = (size.height + 1) >> 1;
     int c_size = half_width * half_height;
     int buffer_size = YSIZE(size.width, size.height) + 2 * c_size;
-    uint8* yuv = (uint8*) malloc(buffer_size); // fallible
-    if (!yuv)
+    UniquePtr<uint8[]> yuv_scoped(new (fallible) uint8[buffer_size]);
+    if (!yuv_scoped)
       return;
+    uint8* yuv = yuv_scoped.get();
 
-    int cb_offset = YSIZE(size.width, size.height);
-    int cr_offset = cb_offset + c_size;
-    RefPtr<gfx::SourceSurface> tempSurf = rgb->GetAsSourceSurface();
-    RefPtr<gfx::DataSourceSurface> surf = tempSurf->GetDataSurface();
+    {
+      DataSourceSurface::ScopedMap map(data, DataSourceSurface::READ);
+      if (!map.IsMapped()) {
+        MOZ_MTLOG(ML_ERROR, "Reading DataSourceSurface failed");
+        return;
+      }
 
-    switch (surf->GetFormat()) {
-      case gfx::SurfaceFormat::B8G8R8A8:
-      case gfx::SurfaceFormat::B8G8R8X8:
-        libyuv::ARGBToI420(static_cast<uint8*>(surf->GetData()), surf->Stride(),
-                           yuv, size.width,
-                           yuv + cb_offset, half_width,
-                           yuv + cr_offset, half_width,
-                           size.width, size.height);
-        break;
-      case gfx::SurfaceFormat::R5G6B5:
-        libyuv::RGB565ToI420(static_cast<uint8*>(surf->GetData()), surf->Stride(),
-                             yuv, size.width,
-                             yuv + cb_offset, half_width,
-                             yuv + cr_offset, half_width,
-                             size.width, size.height);
-        break;
-      default:
-        MOZ_MTLOG(ML_ERROR, "Unsupported RGB video format");
-        MOZ_ASSERT(PR_FALSE);
+      int rv;
+      int cb_offset = YSIZE(size.width, size.height);
+      int cr_offset = cb_offset + c_size;
+      switch (surf->GetFormat()) {
+        case gfx::SurfaceFormat::B8G8R8A8:
+        case gfx::SurfaceFormat::B8G8R8X8:
+          rv = libyuv::ARGBToI420(static_cast<uint8*>(map.GetData()),
+                                  map.GetStride(),
+                                  yuv, size.width,
+                                  yuv + cb_offset, half_width,
+                                  yuv + cr_offset, half_width,
+                                  size.width, size.height);
+          break;
+        case gfx::SurfaceFormat::R5G6B5:
+          rv = libyuv::RGB565ToI420(static_cast<uint8*>(map.GetData()),
+                                    map.GetStride(),
+                                    yuv, size.width,
+                                    yuv + cb_offset, half_width,
+                                    yuv + cr_offset, half_width,
+                                    size.width, size.height);
+          break;
+        default:
+          MOZ_MTLOG(ML_ERROR, "Unsupported RGB video format");
+          MOZ_ASSERT(PR_FALSE);
+          return;
+      }
+      if (rv != 0) {
+        MOZ_MTLOG(ML_ERROR, "RGB to I420 conversion failed");
+        return;
+      }
     }
     conduit->SendVideoFrame(yuv, buffer_size, size.width, size.height, mozilla::kVideoI420, 0);
-    free(yuv);
-  } else {
-    MOZ_MTLOG(ML_ERROR, "Unsupported video format");
-    MOZ_ASSERT(PR_FALSE);
-    return;
   }
 }
 #endif
diff --git a/mobile/android/chrome/content/browser.js b/mobile/android/chrome/content/browser.js
index 108f1ebb7271..fcb7362e3edd 100644
--- a/mobile/android/chrome/content/browser.js
+++ b/mobile/android/chrome/content/browser.js
@@ -1856,7 +1856,9 @@ var BrowserApp = {
 
       case "Viewport:FixedMarginsChanged":
         gViewportMargins = JSON.parse(aData);
-        this.selectedTab.updateViewportSize(gScreenWidth);
+        if (this.selectedTab) {
+          this.selectedTab.updateViewportSize(gScreenWidth);
+        }
         break;
 
       case "nsPref:changed":
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 720a6cac1e2e..49ec7f4452f7 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1196,7 +1196,7 @@ pref("network.warnOnAboutNetworking", true);
 // pref("network.protocol-handler.expose.imap", true);
 
 // Whether IOService.connectivity and NS_IsOffline depends on connectivity status
-pref("network.manage-offline-status", false);
+pref("network.manage-offline-status", true);
 // If set to true, IOService.offline depends on IOService.connectivity
 pref("network.offline-mirrors-connectivity", true);
 
diff --git a/netwerk/base/nsLoadGroup.cpp b/netwerk/base/nsLoadGroup.cpp
index 78da469169f1..e474eb7b9a13 100644
--- a/netwerk/base/nsLoadGroup.cpp
+++ b/netwerk/base/nsLoadGroup.cpp
@@ -166,17 +166,6 @@ RescheduleRequest(nsIRequest *aRequest, int32_t delta)
         p->AdjustPriority(delta);
 }
 
-static PLDHashOperator
-RescheduleRequests(PLDHashTable *table, PLDHashEntryHdr *hdr,
-                   uint32_t number, void *arg)
-{
-    RequestMapEntry *e = static_cast<RequestMapEntry *>(hdr);
-    int32_t *delta = static_cast<int32_t *>(arg);
-
-    RescheduleRequest(e->mKey, *delta);
-    return PL_DHASH_NEXT;
-}
-
 nsLoadGroup::nsLoadGroup(nsISupports* outer)
     : mForegroundCount(0)
     , mLoadFlags(LOAD_NORMAL)
@@ -257,27 +246,29 @@ nsLoadGroup::GetStatus(nsresult *status)
     return NS_OK; 
 }
 
-// PLDHashTable enumeration callback that appends strong references to
-// all nsIRequest to an nsTArray<nsIRequest*>.
-static PLDHashOperator
-AppendRequestsToArray(PLDHashTable *table, PLDHashEntryHdr *hdr,
-                      uint32_t number, void *arg)
+static bool
+AppendRequestsToArray(PLDHashTable* aTable, nsTArray<nsIRequest*> *aArray)
 {
-    RequestMapEntry *e = static_cast<RequestMapEntry *>(hdr);
-    nsTArray<nsIRequest*> *array = static_cast<nsTArray<nsIRequest*> *>(arg);
+    PLDHashTable::Iterator iter(aTable);
+    while (iter.HasMoreEntries()) {
+        auto e = static_cast<RequestMapEntry*>(iter.NextEntry());
+        nsIRequest *request = e->mKey;
+        NS_ASSERTION(request, "What? Null key in pldhash entry?");
 
-    nsIRequest *request = e->mKey;
-    NS_ASSERTION(request, "What? Null key in pldhash entry?");
-
-    bool ok = array->AppendElement(request) != nullptr;
-
-    if (!ok) {
-        return PL_DHASH_STOP;
+        bool ok = !!aArray->AppendElement(request);
+        if (!ok) {
+           break;
+        }
+        NS_ADDREF(request);
     }
 
-    NS_ADDREF(request);
-
-    return PL_DHASH_NEXT;
+    if (aArray->Length() != aTable->EntryCount()) {
+        for (uint32_t i = 0, len = aArray->Length(); i < len; ++i) {
+            NS_RELEASE((*aArray)[i]);
+        }
+        return false;
+    }
+    return true;
 }
 
 NS_IMETHODIMP
@@ -291,14 +282,7 @@ nsLoadGroup::Cancel(nsresult status)
 
     nsAutoTArray<nsIRequest*, 8> requests;
 
-    PL_DHashTableEnumerate(&mRequests, AppendRequestsToArray,
-                           static_cast<nsTArray<nsIRequest*> *>(&requests));
-
-    if (requests.Length() != count) {
-        for (uint32_t i = 0, len = requests.Length(); i < len; ++i) {
-            NS_RELEASE(requests[i]);
-        }
-
+    if (!AppendRequestsToArray(&mRequests, &requests)) {
         return NS_ERROR_OUT_OF_MEMORY;
     }
 
@@ -370,14 +354,7 @@ nsLoadGroup::Suspend()
 
     nsAutoTArray<nsIRequest*, 8> requests;
 
-    PL_DHashTableEnumerate(&mRequests, AppendRequestsToArray,
-                           static_cast<nsTArray<nsIRequest*> *>(&requests));
-
-    if (requests.Length() != count) {
-        for (uint32_t i = 0, len = requests.Length(); i < len; ++i) {
-            NS_RELEASE(requests[i]);
-        }
-
+    if (!AppendRequestsToArray(&mRequests, &requests)) {
         return NS_ERROR_OUT_OF_MEMORY;
     }
 
@@ -422,14 +399,7 @@ nsLoadGroup::Resume()
 
     nsAutoTArray<nsIRequest*, 8> requests;
 
-    PL_DHashTableEnumerate(&mRequests, AppendRequestsToArray,
-                           static_cast<nsTArray<nsIRequest*> *>(&requests));
-
-    if (requests.Length() != count) {
-        for (uint32_t i = 0, len = requests.Length(); i < len; ++i) {
-            NS_RELEASE(requests[i]);
-        }
-
+    if (!AppendRequestsToArray(&mRequests, &requests)) {
         return NS_ERROR_OUT_OF_MEMORY;
     }
 
@@ -734,24 +704,17 @@ nsLoadGroup::RemoveRequest(nsIRequest *request, nsISupports* ctxt,
     return rv;
 }
 
-// PLDHashTable enumeration callback that appends all items in the
-// hash to an nsCOMArray
-static PLDHashOperator
-AppendRequestsToCOMArray(PLDHashTable *table, PLDHashEntryHdr *hdr,
-                         uint32_t number, void *arg)
-{
-    RequestMapEntry *e = static_cast<RequestMapEntry *>(hdr);
-    static_cast<nsCOMArray<nsIRequest>*>(arg)->AppendObject(e->mKey);
-    return PL_DHASH_NEXT;
-}
-
 NS_IMETHODIMP
 nsLoadGroup::GetRequests(nsISimpleEnumerator * *aRequests)
 {
     nsCOMArray<nsIRequest> requests;
     requests.SetCapacity(mRequests.EntryCount());
 
-    PL_DHashTableEnumerate(&mRequests, AppendRequestsToCOMArray, &requests);
+    PLDHashTable::Iterator iter(&mRequests);
+    while (iter.HasMoreEntries()) {
+      auto e = static_cast<RequestMapEntry*>(iter.NextEntry());
+      requests.AppendObject(e->mKey);
+    }
 
     return NS_NewArrayEnumerator(aRequests, requests);
 }
@@ -885,7 +848,11 @@ nsLoadGroup::AdjustPriority(int32_t aDelta)
     // Update the priority for each request that supports nsISupportsPriority
     if (aDelta != 0) {
         mPriority += aDelta;
-        PL_DHashTableEnumerate(&mRequests, RescheduleRequests, &aDelta);
+        PLDHashTable::Iterator iter(&mRequests);
+        while (iter.HasMoreEntries()) {
+          auto e = static_cast<RequestMapEntry*>(iter.NextEntry());
+          RescheduleRequest(e->mKey, aDelta);
+        }
     }
     return NS_OK;
 }
diff --git a/netwerk/base/nsUDPSocket.cpp b/netwerk/base/nsUDPSocket.cpp
index 7cea95aa75c6..44d4ed516504 100644
--- a/netwerk/base/nsUDPSocket.cpp
+++ b/netwerk/base/nsUDPSocket.cpp
@@ -1255,10 +1255,10 @@ class SendRequestRunnable: public nsRunnable {
 public:
   SendRequestRunnable(nsUDPSocket *aSocket,
                       const NetAddr &aAddr,
-                      FallibleTArray<uint8_t> &aData)
+                      FallibleTArray<uint8_t>&& aData)
     : mSocket(aSocket)
     , mAddr(aAddr)
-    , mData(aData)
+    , mData(Move(aData))
   { }
 
   NS_DECL_NSIRUNNABLE
@@ -1373,8 +1373,9 @@ nsUDPSocket::SendWithAddress(const NetAddr *aAddr, const uint8_t *aData,
       return NS_ERROR_OUT_OF_MEMORY;
     }
 
-    nsresult rv = mSts->Dispatch(new SendRequestRunnable(this, *aAddr, fallibleArray),
-                                 NS_DISPATCH_NORMAL);
+    nsresult rv = mSts->Dispatch(
+      new SendRequestRunnable(this, *aAddr, Move(fallibleArray)),
+      NS_DISPATCH_NORMAL);
     NS_ENSURE_SUCCESS(rv, rv);
     *_retval = aDataLength;
   }
diff --git a/python/mach/mach/base.py b/python/mach/mach/base.py
index b391427f11d1..d6c8472c8489 100644
--- a/python/mach/mach/base.py
+++ b/python/mach/mach/base.py
@@ -77,6 +77,9 @@ class MethodHandler(object):
         # Description of the purpose of this command.
         'description',
 
+        # Docstring associated with command.
+        'docstring',
+
         # Functions used to 'skip' commands if they don't meet the conditions
         # in a given context.
         'conditions',
@@ -99,7 +102,7 @@ class MethodHandler(object):
     )
 
     def __init__(self, cls, method, name, category=None, description=None,
-        conditions=None, parser=None, arguments=None,
+        docstring=None, conditions=None, parser=None, arguments=None,
         argument_group_names=None, pass_context=False,
         subcommand_handlers=None):
 
@@ -108,6 +111,7 @@ class MethodHandler(object):
         self.name = name
         self.category = category
         self.description = description
+        self.docstring = docstring
         self.conditions = conditions or []
         self.arguments = arguments or []
         self.argument_group_names = argument_group_names or []
diff --git a/python/mach/mach/decorators.py b/python/mach/mach/decorators.py
index c04a4564b26f..f94c8074ac0d 100644
--- a/python/mach/mach/decorators.py
+++ b/python/mach/mach/decorators.py
@@ -89,7 +89,8 @@ def CommandProvider(cls):
         argument_group_names = getattr(value, '_mach_command_arg_group_names', None)
 
         handler = MethodHandler(cls, attr, command_name, category=category,
-            description=description, conditions=conditions, parser=parser,
+            description=description, docstring=value.__doc__,
+            conditions=conditions, parser=parser,
             arguments=arguments, argument_group_names=argument_group_names,
             pass_context=pass_context)
 
@@ -121,6 +122,7 @@ def CommandProvider(cls):
         argument_group_names = getattr(value, '_mach_command_arg_group_names', None)
 
         handler = MethodHandler(cls, attr, subcommand, description=description,
+            docstring=value.__doc__,
             arguments=arguments, argument_group_names=argument_group_names,
             pass_context=pass_context)
         parent = Registrar.command_handlers[command]
diff --git a/python/mach/mach/dispatcher.py b/python/mach/mach/dispatcher.py
index 03206ea58a98..d5b9bc094589 100644
--- a/python/mach/mach/dispatcher.py
+++ b/python/mach/mach/dispatcher.py
@@ -351,13 +351,19 @@ class CommandAction(argparse.Action):
 
         self._populate_command_group(c_parser, handler, group)
 
-        # This will print the description of the command below the usage.
-        description = handler.description
-        if description:
-            parser.description = description
+        # Set the long help of the command to the docstring (if present) or
+        # the command decorator description argument (if present).
+        if handler.docstring:
+            parser.description = format_docstring(handler.docstring)
+        elif handler.description:
+            parser.description = handler.description
 
         parser.usage = '%(prog)s [global arguments] ' + command + \
             ' [command arguments]'
+
+        # This is needed to preserve line endings in the description field,
+        # which may be populated from a docstring.
+        parser.formatter_class = argparse.RawDescriptionHelpFormatter
         parser.print_help()
         print('')
         c_parser.print_help()
@@ -371,6 +377,11 @@ class CommandAction(argparse.Action):
             group.add_argument(subcommand, help=subhandler.description,
                 action='store_true')
 
+        if handler.docstring:
+            parser.description = format_docstring(handler.docstring)
+
+        parser.formatter_class = argparse.RawDescriptionHelpFormatter
+
         parser.print_help()
 
     def _handle_subcommand_help(self, parser, command, subcommand, handler):
@@ -382,10 +393,40 @@ class CommandAction(argparse.Action):
         group = c_parser.add_argument_group('Sub Command Arguments')
         self._populate_command_group(c_parser, handler, group)
 
+        if handler.docstring:
+            parser.description = format_docstring(handler.docstring)
+
+        parser.formatter_class = argparse.RawDescriptionHelpFormatter
+
         parser.print_help()
         print('')
         c_parser.print_help()
 
+
 class NoUsageFormatter(argparse.HelpFormatter):
     def _format_usage(self, *args, **kwargs):
         return ""
+
+
+def format_docstring(docstring):
+    """Format a raw docstring into something suitable for presentation.
+
+    This function is based on the example function in PEP-0257.
+    """
+    if not docstring:
+        return ''
+    lines = docstring.expandtabs().splitlines()
+    indent = sys.maxint
+    for line in lines[1:]:
+        stripped = line.lstrip()
+        if stripped:
+            indent = min(indent, len(line) - len(stripped))
+    trimmed = [lines[0].strip()]
+    if indent < sys.maxint:
+        for line in lines[1:]:
+            trimmed.append(line[indent:].rstrip())
+    while trimmed and not trimmed[-1]:
+        trimmed.pop()
+    while trimmed and not trimmed[0]:
+        trimmed.pop(0)
+    return '\n'.join(trimmed)
diff --git a/python/mozbuild/mozbuild/frontend/mach_commands.py b/python/mozbuild/mozbuild/frontend/mach_commands.py
index ff498c76c2d3..0c5131c1ef40 100644
--- a/python/mozbuild/mozbuild/frontend/mach_commands.py
+++ b/python/mozbuild/mozbuild/frontend/mach_commands.py
@@ -85,7 +85,11 @@ class MozbuildFileCommands(MachCommandBase):
     @Command('file-info', category='build-dev',
              description='Query for metadata about files.')
     def file_info(self):
-        pass
+        """Show files metadata derived from moz.build files.
+
+        moz.build files contain "Files" sub-contexts for declaring metadata
+        against file patterns. This command suite is used to query that data.
+        """
 
     @SubCommand('file-info', 'bugzilla-component',
                 'Show Bugzilla component info for files listed.')
@@ -94,6 +98,11 @@ class MozbuildFileCommands(MachCommandBase):
     @CommandArgument('paths', nargs='+',
                      help='Paths whose data to query')
     def file_info_bugzilla(self, paths, rev=None):
+        """Show Bugzilla component for a set of files.
+
+        Given a requested set of files (which can be specified using
+        wildcards), print the Bugzilla component for each file.
+        """
         components = defaultdict(set)
         try:
             for p, m in self._get_files_info(paths, rev=rev).items():
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 977c810d9a11..4625002a9465 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1016,9 +1016,11 @@ nsNSSComponent::InitializeNSS()
   }
 
   SECStatus init_rv = SECFailure;
-  if (!profileStr.IsEmpty()) {
+  bool nocertdb = Preferences::GetBool("security.nocertdb", false);
+
+  if (!nocertdb && !profileStr.IsEmpty()) {
     // First try to initialize the NSS DB in read/write mode.
-    SECStatus init_rv = ::mozilla::psm::InitializeNSS(profileStr.get(), false);
+    init_rv = ::mozilla::psm::InitializeNSS(profileStr.get(), false);
     // If that fails, attempt read-only mode.
     if (init_rv != SECSuccess) {
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("could not init NSS r/w in %s\n", profileStr.get()));
@@ -1029,9 +1031,9 @@ nsNSSComponent::InitializeNSS()
     }
   }
   // If we haven't succeeded in initializing the DB in our profile
-  // directory or we don't have a profile at all, attempt to initialize
-  // with no DB.
-  if (init_rv != SECSuccess) {
+  // directory or we don't have a profile at all, or the "security.nocertdb"
+  // pref has been set to "true", attempt to initialize with no DB.
+  if (nocertdb || init_rv != SECSuccess) {
     init_rv = NSS_NoDB_Init(nullptr);
   }
   if (init_rv != SECSuccess) {
diff --git a/security/manager/ssl/tests/unit/moz.build b/security/manager/ssl/tests/unit/moz.build
index 4f3731d12b45..002cda2861da 100644
--- a/security/manager/ssl/tests/unit/moz.build
+++ b/security/manager/ssl/tests/unit/moz.build
@@ -6,6 +6,7 @@
 
 DIRS += ['tlsserver']
 TEST_DIRS += [
+    'test_cert_eku',
     'test_cert_keyUsage',
     'test_cert_trust',
     'test_intermediate_basic_usage_constraints',
diff --git a/security/manager/ssl/tests/unit/pycert.py b/security/manager/ssl/tests/unit/pycert.py
index de114847be4a..3b89de80b4f7 100755
--- a/security/manager/ssl/tests/unit/pycert.py
+++ b/security/manager/ssl/tests/unit/pycert.py
@@ -19,7 +19,9 @@ Known extensions are:
 basicConstraints:[cA],[pathLenConstraint]
 keyUsage:[digitalSignature,nonRepudiation,keyEncipherment,
           dataEncipherment,keyAgreement,keyCertSign,cRLSign]
-extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection]
+extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection
+             nsSGC, # Netscape Server Gated Crypto
+             OCSPSigning,timeStamping]
 
 In the future it will be possible to specify other properties of the
 generated certificate (for example, its validity period, signature
@@ -283,6 +285,12 @@ class Certificate:
             return rfc2459.id_kp_codeSigning
         if keyPurpose == 'emailProtection':
             return rfc2459.id_kp_emailProtection
+        if keyPurpose == 'nsSGC':
+            return univ.ObjectIdentifier('2.16.840.1.113730.4.1')
+        if keyPurpose == 'OCSPSigning':
+            return univ.ObjectIdentifier('1.3.6.1.5.5.7.3.9')
+        if keyPurpose == 'timeStamping':
+            return rfc2459.id_kp_timeStamping
         raise UnknownKeyPurposeTypeError(keyPurpose)
 
     def addExtKeyUsage(self, extKeyUsage):
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-CA.js b/security/manager/ssl/tests/unit/test_cert_eku-CA.js
index cad9e6651349..4e87309c95cc 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-CA.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-CA.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-CA', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-CA_EP.js b/security/manager/ssl/tests/unit/test_cert_eku-CA_EP.js
index 11a6b03864c4..002e04e5ebce 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-CA_EP.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-CA_EP.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-CA_EP', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-CA_EP_NS_OS_SA_TS.js b/security/manager/ssl/tests/unit/test_cert_eku-CA_EP_NS_OS_SA_TS.js
index 71217a7db96d..31176e013248 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-CA_EP_NS_OS_SA_TS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-CA_EP_NS_OS_SA_TS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-CA_EP_NS_OS_SA_TS', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-CA_NS.js b/security/manager/ssl/tests/unit/test_cert_eku-CA_NS.js
index dfad636abbc1..077425a6ae40 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-CA_NS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-CA_NS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-CA_NS', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-CA_OS.js b/security/manager/ssl/tests/unit/test_cert_eku-CA_OS.js
index 35a45e999290..433c661ebe21 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-CA_OS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-CA_OS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-CA_OS', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-CA_SA.js b/security/manager/ssl/tests/unit/test_cert_eku-CA_SA.js
index e6e77674994e..e93002e25694 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-CA_SA.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-CA_SA.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-CA_SA', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-CA_TS.js b/security/manager/ssl/tests/unit/test_cert_eku-CA_TS.js
index b2c14cabc29a..17b85fd956ac 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-CA_TS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-CA_TS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-CA_TS', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-CA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-EP.js b/security/manager/ssl/tests/unit/test_cert_eku-EP.js
index 48cb80825028..36a27ef1a871 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-EP.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-EP.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-EP', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-EP_NS.js b/security/manager/ssl/tests/unit/test_cert_eku-EP_NS.js
index e80efb9e4581..c86febf19640 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-EP_NS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-EP_NS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-EP_NS', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-EP_OS.js b/security/manager/ssl/tests/unit/test_cert_eku-EP_OS.js
index 525a824c7d4e..239985adb24b 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-EP_OS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-EP_OS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-EP_OS', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-EP_SA.js b/security/manager/ssl/tests/unit/test_cert_eku-EP_SA.js
index 55ebb98e98d4..d226167c51cc 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-EP_SA.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-EP_SA.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-EP_SA', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-EP_TS.js b/security/manager/ssl/tests/unit/test_cert_eku-EP_TS.js
index f50e09c3b84a..8fec28b06dc9 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-EP_TS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-EP_TS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-EP_TS', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-EP_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-NONE.js b/security/manager/ssl/tests/unit/test_cert_eku-NONE.js
index 0b7ca0b1f3ec..120047c0abf7 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-NONE.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-NONE.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-NONE', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NONE'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-NS.js b/security/manager/ssl/tests/unit/test_cert_eku-NS.js
index c384b39e1c5e..4ddd3edd1d0b 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-NS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-NS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-NS', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-NS_OS.js b/security/manager/ssl/tests/unit/test_cert_eku-NS_OS.js
index c63afd9fa190..1428d81a0550 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-NS_OS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-NS_OS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-NS_OS', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-NS_SA.js b/security/manager/ssl/tests/unit/test_cert_eku-NS_SA.js
index f0281517cc33..570da4711a8e 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-NS_SA.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-NS_SA.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-NS_SA', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-NS_TS.js b/security/manager/ssl/tests/unit/test_cert_eku-NS_TS.js
index ad03ce1962fe..3f48daaedd0e 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-NS_TS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-NS_TS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-NS_TS', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-NS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-OS.js b/security/manager/ssl/tests/unit/test_cert_eku-OS.js
index c551136b80cf..83156040b0bc 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-OS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-OS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-OS', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-OS_SA.js b/security/manager/ssl/tests/unit/test_cert_eku-OS_SA.js
index b7b0512c9c1b..04e621d3fdf4 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-OS_SA.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-OS_SA.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-OS_SA', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-OS_TS.js b/security/manager/ssl/tests/unit/test_cert_eku-OS_TS.js
index 4cd9f09a16af..40919a7aee42 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-OS_TS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-OS_TS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-OS_TS', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), PRErrorCodeSuccess, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-OS_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS'), PRErrorCodeSuccess, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-OS_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-SA.js b/security/manager/ssl/tests/unit/test_cert_eku-SA.js
index aff598b5bdf9..61c0d32f10fb 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-SA.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-SA.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-SA', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-SA_TS.js b/security/manager/ssl/tests/unit/test_cert_eku-SA_TS.js
index 599301d686ec..139c583ef0bd 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-SA_TS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-SA_TS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-SA_TS', ',,'), PRErrorCodeSuccess, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS.der'), PRErrorCodeSuccess, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS'), PRErrorCodeSuccess, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-SA_TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku-TS.js b/security/manager/ssl/tests/unit/test_cert_eku-TS.js
index c7173f4fdb96..5b4e94a37f6e 100644
--- a/security/manager/ssl/tests/unit/test_cert_eku-TS.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku-TS.js
@@ -11,156 +11,154 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
   load_cert("ca", "CT,CT,CT");
 
   checkCertErrorGeneric(certdb, load_cert('int-EKU-TS', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-EP_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NONE-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-NS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-OS_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-SA_TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-TS-int-EKU-TS'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.der b/security/manager/ssl/tests/unit/test_cert_eku/ca.der
deleted file mode 100644
index 3c8fbb385465..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ca.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec
new file mode 100644
index 000000000000..eb7c4b4bee8a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA.der
deleted file mode 100644
index 543e69cde271..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..7d6688b90da8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-CA-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP.der
deleted file mode 100644
index 412786c6f42b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..dc6be4883a17
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-CA-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index b13e83bd4ed5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..66f8b6c37182
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_NS.der
deleted file mode 100644
index 00d84160666d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..13992cf24583
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-CA-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_OS.der
deleted file mode 100644
index a125997963e3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..59fbdf6b1d91
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-CA-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_SA.der
deleted file mode 100644
index 569490b8d78e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..23b417eabd69
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-CA-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_TS.der
deleted file mode 100644
index 98bb2b6def2c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..59beb877117d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-CA-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP.der
deleted file mode 100644
index 7a62c36e94e3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..5642e488804a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-CA-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_NS.der
deleted file mode 100644
index 3d7a57d1ab4d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..8cefd22badad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-CA-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_OS.der
deleted file mode 100644
index 55ed1c8b2cb2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..0d7acfe67904
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-CA-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_SA.der
deleted file mode 100644
index 9879a4093ad0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..e581999b3dbe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-CA-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_TS.der
deleted file mode 100644
index 412ab193e50b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..aa55bae5b197
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-CA-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NONE.der
deleted file mode 100644
index 0ccfff208b51..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..6cfebf4615ec
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-CA-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS.der
deleted file mode 100644
index d4a7e079411e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..8343ee2228e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-CA-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_OS.der
deleted file mode 100644
index 3b52988bf14b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..833c9affc46d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-CA-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_SA.der
deleted file mode 100644
index 0c02bd19f074..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..2360138b07c5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-CA-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_TS.der
deleted file mode 100644
index d25b6ce21a48..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..50960a89320b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-CA-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS.der
deleted file mode 100644
index 5324cf3b3a01..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..bb2356237f0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-CA-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_SA.der
deleted file mode 100644
index 318c9fdf02d6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..4bc4749d5e14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-CA-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_TS.der
deleted file mode 100644
index 4bfe5f651cb2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..e1bf5848bd6c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-CA-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA.der
deleted file mode 100644
index 460306e9953f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..3325b36c4504
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-CA-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA_TS.der
deleted file mode 100644
index 31e5aeec6922..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..c7e065915036
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-CA-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-TS.der
deleted file mode 100644
index 76f7c6f4e276..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..9af46fc13541
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-CA-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA.der
deleted file mode 100644
index 71dedabe0753..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..de437fd68430
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-CA_EP-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP.der
deleted file mode 100644
index 1d6e19cb2ce9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..db6438a8b0e1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-CA_EP-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 063773088def..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..2af0eb0d4b4e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_NS.der
deleted file mode 100644
index aa45882ea9b5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..6909ad8f8254
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-CA_EP-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_OS.der
deleted file mode 100644
index afaed132a21b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..2a4d937a6fee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-CA_EP-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_SA.der
deleted file mode 100644
index b696143fe407..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..2adba94a04b7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-CA_EP-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_TS.der
deleted file mode 100644
index 3139a377dc74..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..f466f456262b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-CA_EP-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP.der
deleted file mode 100644
index 9aa333f92f25..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..74d7237c8e32
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-CA_EP-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_NS.der
deleted file mode 100644
index 57b96331ed3a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..d76d6dcbb489
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-CA_EP-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_OS.der
deleted file mode 100644
index aa9665117973..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..b62c11686d2f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-CA_EP-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_SA.der
deleted file mode 100644
index c70d03c7d8f2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..a38a46a3c428
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-CA_EP-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_TS.der
deleted file mode 100644
index 6d2f9dbf69af..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..f24e372704b7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-CA_EP-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NONE.der
deleted file mode 100644
index c82b660e3483..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..aa95f27ea82a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-CA_EP-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS.der
deleted file mode 100644
index 13bb4405fafa..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..06ee1f588663
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-CA_EP-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_OS.der
deleted file mode 100644
index c3d79e2a1e66..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..1cf27e251428
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-CA_EP-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_SA.der
deleted file mode 100644
index ffa8adcfb1d5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..88f446050644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-CA_EP-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_TS.der
deleted file mode 100644
index 4952c043cb5f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..78329b6b7628
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-CA_EP-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS.der
deleted file mode 100644
index d7f7e938677e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..fe9935c383d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-CA_EP-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_SA.der
deleted file mode 100644
index 0497e9e7af21..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..3c1d48686784
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-CA_EP-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_TS.der
deleted file mode 100644
index b784c6866370..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..ecdc29c8a89d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-CA_EP-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA.der
deleted file mode 100644
index 44fe585c4b52..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..fd9cbd2f4124
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-CA_EP-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA_TS.der
deleted file mode 100644
index 958440221068..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..a0aa1b86bd23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-CA_EP-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-TS.der
deleted file mode 100644
index 15771cefb037..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..fc7121979468
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-CA_EP-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der
deleted file mode 100644
index 13e8478075a7..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..6ea37c22e2f3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der
deleted file mode 100644
index 943b256c69b6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..b4d50f5e899f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 07c806cac343..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..dbcab96b084c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der
deleted file mode 100644
index 36ac3f27b4d8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..407a048e82b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der
deleted file mode 100644
index ba02a840326a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..14ee5d8b76d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der
deleted file mode 100644
index 0250703039a6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..40b39de5efc8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der
deleted file mode 100644
index f783736d614f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..20af12b1801b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der
deleted file mode 100644
index 9cb9cbcdbb06..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..9c83946d5f2f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der
deleted file mode 100644
index 982f14c081c0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..f1f62b5810ab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der
deleted file mode 100644
index ecacad03fd17..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..ec233882e1f3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der
deleted file mode 100644
index 405eb97018cb..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..77103f201786
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der
deleted file mode 100644
index e903244baeae..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..a02c9143646b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der
deleted file mode 100644
index 99aed08a18e8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..c85f407d5a50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der
deleted file mode 100644
index c29cc4af113d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..9da87dac0bf8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der
deleted file mode 100644
index 82bd9c04c61c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..2916166c3c4f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der
deleted file mode 100644
index a50dde4b4e41..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..f6ba167f8359
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der
deleted file mode 100644
index beb516413111..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..9a627aa7ae32
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der
deleted file mode 100644
index d77a4f3edab8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..454347e724c6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der
deleted file mode 100644
index f380da7b3050..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..66776690cc78
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der
deleted file mode 100644
index befb083d420d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..ecb3c4e94040
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.der
deleted file mode 100644
index 26f53dc62be3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..20d8b75bc360
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.der
deleted file mode 100644
index 93cdc271e6aa..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..1544cb3065b2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.der
deleted file mode 100644
index d87d658b2bbf..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..e04570e48cd4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA.der
deleted file mode 100644
index 9f8e684d1d4e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..2beb4123c82b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-CA_NS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP.der
deleted file mode 100644
index 3424b964830c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..8ee3be492d73
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-CA_NS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index f9098fdf28e6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..2cb46537459f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_NS.der
deleted file mode 100644
index 532ec167e93d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..f304237a640a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-CA_NS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_OS.der
deleted file mode 100644
index 1a6cf91a6262..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..4d6bee2ba13a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-CA_NS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_SA.der
deleted file mode 100644
index ef98dbfec75c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..68af7895d23e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-CA_NS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_TS.der
deleted file mode 100644
index 9a442d31e1f8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..6b817ea4fc40
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-CA_NS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP.der
deleted file mode 100644
index 0b013d5068e7..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..b5529716aa6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-CA_NS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_NS.der
deleted file mode 100644
index 286d729cf8dc..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..7f8e905c1f46
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-CA_NS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_OS.der
deleted file mode 100644
index 2fbec915c547..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..15d95f0c2334
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-CA_NS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_SA.der
deleted file mode 100644
index e4c26bac116c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..df08a6e7f6a9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-CA_NS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_TS.der
deleted file mode 100644
index b04f8f22389b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..0a96cb86dce5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-CA_NS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NONE.der
deleted file mode 100644
index bb43acc74a93..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..7b757a19cb8c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-CA_NS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS.der
deleted file mode 100644
index b309f01d6105..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..753a04bfa225
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-CA_NS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_OS.der
deleted file mode 100644
index f52d80e13f35..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..d85c501c66c4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-CA_NS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_SA.der
deleted file mode 100644
index 49c65d33b173..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..36be7c143d8c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-CA_NS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_TS.der
deleted file mode 100644
index 04b861389e58..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..f8ff2b9f2c94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-CA_NS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS.der
deleted file mode 100644
index 7a92cf511d1a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..1fa6dfbbb6b0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-CA_NS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_SA.der
deleted file mode 100644
index f3f1194e3315..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..b7a7e54f5787
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-CA_NS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_TS.der
deleted file mode 100644
index d0aae6feacda..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..70b5297c88d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-CA_NS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA.der
deleted file mode 100644
index e52ed8a16957..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..7c63b600c47f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-CA_NS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA_TS.der
deleted file mode 100644
index 13e52b91a247..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..97181c449662
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-CA_NS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-TS.der
deleted file mode 100644
index 2f16f733b0d2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..81cd22b81782
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_NS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-CA_NS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA.der
deleted file mode 100644
index 8710d285661e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..54ac4e41d6ff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-CA_OS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP.der
deleted file mode 100644
index c0fd7969a53a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..be955d1ba758
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-CA_OS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 3e571be1f517..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..b84a09c2c15a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_NS.der
deleted file mode 100644
index 05b9908266f0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..b7627e2a337c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-CA_OS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_OS.der
deleted file mode 100644
index a312cb01a758..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..a8bc342e2a67
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-CA_OS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_SA.der
deleted file mode 100644
index 1ae32351ea33..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..605ae18bb9e6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-CA_OS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_TS.der
deleted file mode 100644
index 995bb2f786fc..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..978ea2b19399
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-CA_OS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP.der
deleted file mode 100644
index c49da81e3205..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..e883390a565c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-CA_OS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_NS.der
deleted file mode 100644
index 0acfb463a4f9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..a0825edaffdf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-CA_OS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_OS.der
deleted file mode 100644
index 495396c111a5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..67daa2d53b92
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-CA_OS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_SA.der
deleted file mode 100644
index a20eb9774f96..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..babf8ecc1a43
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-CA_OS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_TS.der
deleted file mode 100644
index 6b022804dfb9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..ce78c515dbe4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-CA_OS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NONE.der
deleted file mode 100644
index d178d2447028..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..b4ee8384a567
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-CA_OS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS.der
deleted file mode 100644
index f6b8a33af1a0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..91aa9c048b9c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-CA_OS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_OS.der
deleted file mode 100644
index 694cbca82f3b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..d49e9489dd4f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-CA_OS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_SA.der
deleted file mode 100644
index 54c89bfcb2f3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..727bad6bff38
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-CA_OS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_TS.der
deleted file mode 100644
index d42282b3ddf2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..40c9aa01abde
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-CA_OS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS.der
deleted file mode 100644
index 15f83ce6646e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..81ff16815fde
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-CA_OS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_SA.der
deleted file mode 100644
index 52c59566e1e6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..77e10d4f3ab3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-CA_OS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_TS.der
deleted file mode 100644
index 198f20a81682..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..2f290d4fc1ec
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-CA_OS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA.der
deleted file mode 100644
index 6c38f0cbe85f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..59cbf9a236a9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-CA_OS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA_TS.der
deleted file mode 100644
index ffe08638b9e4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..d783a565608e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-CA_OS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-TS.der
deleted file mode 100644
index 91a6704407c6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..bf19fb7b6c20
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_OS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-CA_OS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA.der
deleted file mode 100644
index f5bc9657d0e1..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..30c5370e3351
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-CA_SA-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP.der
deleted file mode 100644
index 88783e444973..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..438379b917fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-CA_SA-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index dd9168a3812e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..4d18f1df9eae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_NS.der
deleted file mode 100644
index e353079baf6f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..efe4c6b30c1c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-CA_SA-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_OS.der
deleted file mode 100644
index 1e24c586b05f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..6cddd0313af4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-CA_SA-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_SA.der
deleted file mode 100644
index 8889e0da2fa6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..59ee96cd8133
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-CA_SA-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_TS.der
deleted file mode 100644
index a815cfb5fe64..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..1c324d378db3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-CA_SA-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP.der
deleted file mode 100644
index a9d6a1a2c155..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..eaafb68a2f3e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-CA_SA-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_NS.der
deleted file mode 100644
index 5287e3dba9ef..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..130fee6245d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-CA_SA-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_OS.der
deleted file mode 100644
index b450ab87fb7c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..e953334cbaa3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-CA_SA-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_SA.der
deleted file mode 100644
index cb8ba58176b4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..9eb0794d86a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-CA_SA-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_TS.der
deleted file mode 100644
index 196311c63971..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..72958e17fbfb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-CA_SA-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NONE.der
deleted file mode 100644
index f484601df929..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..c56d1310cf68
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-CA_SA-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS.der
deleted file mode 100644
index 765066653233..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..da35bcd1214f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-CA_SA-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_OS.der
deleted file mode 100644
index 3a83de2a0f0e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..e00ed010ac99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-CA_SA-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_SA.der
deleted file mode 100644
index 5edcb1c561c8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..b393b89a6ead
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-CA_SA-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_TS.der
deleted file mode 100644
index c702c58540d8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..c6c2a7b258a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-CA_SA-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS.der
deleted file mode 100644
index 9e0ea7b40659..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..313bc6515ce1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-CA_SA-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_SA.der
deleted file mode 100644
index 20e87de82776..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..57e906b4ff0d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-CA_SA-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_TS.der
deleted file mode 100644
index 4a3eea7ea0ed..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..c9480dbd35ea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-CA_SA-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA.der
deleted file mode 100644
index 0b3d0be7db8c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..95dfa0d7dcaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-CA_SA-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA_TS.der
deleted file mode 100644
index 8bc3dda040fe..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..55bc17e776d2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-CA_SA-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-TS.der
deleted file mode 100644
index ce550ebf6a86..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..a773b1c50681
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_SA-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-CA_SA-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA.der
deleted file mode 100644
index 98a3559310c8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..782e6a284468
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-CA_TS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP.der
deleted file mode 100644
index b93a54e2693e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..1cfb4420539b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-CA_TS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 5a3438dcaf2e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..6926938f0804
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_NS.der
deleted file mode 100644
index a86309426a60..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..aed2690d71b7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-CA_TS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_OS.der
deleted file mode 100644
index bd8100d7be18..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..695f45634d0e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-CA_TS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_SA.der
deleted file mode 100644
index a7d30e35ca27..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..72adc5647a6f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-CA_TS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_TS.der
deleted file mode 100644
index fbae65e20f72..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..45e1da5fef8f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-CA_TS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP.der
deleted file mode 100644
index fed3bc8b017c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..46e71b1e8ad7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-CA_TS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_NS.der
deleted file mode 100644
index 2653cd48173e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..8d325684381f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-CA_TS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_OS.der
deleted file mode 100644
index 00e63d39c684..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..6d208655eff2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-CA_TS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_SA.der
deleted file mode 100644
index 1e9fea659ea5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..8491cc578c19
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-CA_TS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_TS.der
deleted file mode 100644
index 6635974da99e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..a04a5f2b080f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-CA_TS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NONE.der
deleted file mode 100644
index 527b02884e85..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..c9631d172d49
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-CA_TS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS.der
deleted file mode 100644
index 6b5aa8b3d82d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..bb97e8411a4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-CA_TS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_OS.der
deleted file mode 100644
index cf54c87c8bf9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..7871c187331d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-CA_TS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_SA.der
deleted file mode 100644
index 2bfa828afd75..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..a43942ade867
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-CA_TS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_TS.der
deleted file mode 100644
index 4857244d6af6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..edc9421aba44
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-CA_TS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS.der
deleted file mode 100644
index 9889ea898672..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..6523d83fe5f9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-CA_TS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_SA.der
deleted file mode 100644
index f54e2d7db6fc..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..492db9070e60
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-CA_TS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_TS.der
deleted file mode 100644
index 64f7070c9dfa..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..05518a987dd3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-CA_TS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA.der
deleted file mode 100644
index 18a0362e083c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..253a88430722
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-CA_TS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA_TS.der
deleted file mode 100644
index 3743a74c865a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..5b898b6b32ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-CA_TS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-TS.der
deleted file mode 100644
index e1520c6cb548..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..847b0dc05552
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-CA_TS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-CA_TS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA.der
deleted file mode 100644
index 4ba4cd277ca8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..07aea5e252e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-EP-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP.der
deleted file mode 100644
index 455273c224f5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..f63558abc9be
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-EP-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 71a41bcd4b50..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..22158f301c6e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_NS.der
deleted file mode 100644
index 64f7ff3ca065..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..c9a0f016c0b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-EP-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_OS.der
deleted file mode 100644
index c95758d83e0b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..85bad13f3363
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-EP-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_SA.der
deleted file mode 100644
index b7a61634b96a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..feb4c57f9575
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-EP-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_TS.der
deleted file mode 100644
index 334a43ff11fa..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..72762a8d1111
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-EP-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP.der
deleted file mode 100644
index 23884bfc04b9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..9a20174f90f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-EP-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_NS.der
deleted file mode 100644
index df0023b99721..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..8b8c422d007c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-EP-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_OS.der
deleted file mode 100644
index 7700fd1d7878..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..aa2d7df4303e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-EP-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_SA.der
deleted file mode 100644
index 0ee083c7fc9b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..75a2fe3e45ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-EP-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_TS.der
deleted file mode 100644
index 097fd88bf4c0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..327725e4fc10
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-EP-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NONE.der
deleted file mode 100644
index 5fabb9b72830..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..557d06d399a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-EP-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS.der
deleted file mode 100644
index ffeec91eae1b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..ebb7e997f25e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-EP-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_OS.der
deleted file mode 100644
index a45c88a4c229..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..38bab7c35cf4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-EP-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_SA.der
deleted file mode 100644
index f8e34e5a778e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..d441e132aa88
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-EP-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_TS.der
deleted file mode 100644
index 596687b0b4ad..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..73b95e0e279b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-EP-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS.der
deleted file mode 100644
index e167181c884e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..2c1e5e67d27d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-EP-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_SA.der
deleted file mode 100644
index 4f5a2a13069b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..feb45bdd177c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-EP-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_TS.der
deleted file mode 100644
index 639cb1306776..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..866f25d0ce74
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-EP-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA.der
deleted file mode 100644
index 03954fa4d84e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..cfe6ce909c6c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-EP-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA_TS.der
deleted file mode 100644
index 960720bc44be..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..c48a71b85fbf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-EP-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-TS.der
deleted file mode 100644
index 35023a369d2e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..b9246348f86c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-EP-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA.der
deleted file mode 100644
index 0e593e89214c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..e47e4c8a5d9f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-EP_NS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP.der
deleted file mode 100644
index bca02d2b769d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..79b01d6abcb6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-EP_NS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 5a26305c5eff..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..e34b42c3547b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_NS.der
deleted file mode 100644
index 0bb89e00d490..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..ce588ae5afcd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-EP_NS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_OS.der
deleted file mode 100644
index cde7da628fa5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..06b05c96d7c7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-EP_NS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_SA.der
deleted file mode 100644
index 369c504607d1..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..b72f54848f32
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-EP_NS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_TS.der
deleted file mode 100644
index 960807a9e6ac..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..a86b535c17cb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-EP_NS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP.der
deleted file mode 100644
index bf204ba4c1c0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..d7596c71bf9b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-EP_NS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_NS.der
deleted file mode 100644
index 65eb74dd0367..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..61e58941b22b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-EP_NS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_OS.der
deleted file mode 100644
index a85cf54fd9c4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..7a43933f533b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-EP_NS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_SA.der
deleted file mode 100644
index e46ea9254dfa..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..8d3c803614eb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-EP_NS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_TS.der
deleted file mode 100644
index cd21d53c2c7f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..e23404c6b8a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-EP_NS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NONE.der
deleted file mode 100644
index 810d57baa7c3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..b2446ca507e6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-EP_NS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS.der
deleted file mode 100644
index faf74111e812..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..15b130927ec7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-EP_NS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_OS.der
deleted file mode 100644
index 7dc1127e28a6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..fccab98d245a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-EP_NS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_SA.der
deleted file mode 100644
index f95bcf6cd371..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..daf580b714d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-EP_NS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_TS.der
deleted file mode 100644
index 8ab9c47a5f20..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..e59e2c7d1818
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-EP_NS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS.der
deleted file mode 100644
index f4de6a8d31e2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..5e9da855e4e4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-EP_NS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_SA.der
deleted file mode 100644
index a69547b4eab4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..75fdb3044c6e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-EP_NS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_TS.der
deleted file mode 100644
index be9c395c04b6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..c4fa24066d05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-EP_NS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA.der
deleted file mode 100644
index a3fef325fa7f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..d5564c90b180
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-EP_NS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA_TS.der
deleted file mode 100644
index 42abb0d3e273..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..f5d1a2fc2b17
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-EP_NS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-TS.der
deleted file mode 100644
index a544b2aef868..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..014c4d6a0ce0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_NS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-EP_NS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA.der
deleted file mode 100644
index f738d77f812f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..1de9b809bdce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-EP_OS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP.der
deleted file mode 100644
index 15a3bdbc0311..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..92670826f0bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-EP_OS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index dac77c151d73..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..0f0365ed1fa0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_NS.der
deleted file mode 100644
index 20cf9305f4d6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..2d1400c74918
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-EP_OS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_OS.der
deleted file mode 100644
index 332cfcf7dda5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..c66f0020b090
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-EP_OS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_SA.der
deleted file mode 100644
index d4672c4927ec..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..12b21d2fa27d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-EP_OS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_TS.der
deleted file mode 100644
index 9d847c30f6f7..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..0e8274c0fa6c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-EP_OS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP.der
deleted file mode 100644
index 5ae6ae60f850..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..71ba54bbf3d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-EP_OS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_NS.der
deleted file mode 100644
index 07440f7e9bed..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..32921ee6c7fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-EP_OS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_OS.der
deleted file mode 100644
index 27952c7ac499..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..7b7fc2267e8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-EP_OS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_SA.der
deleted file mode 100644
index 2760c59724b3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..918f26c84d0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-EP_OS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_TS.der
deleted file mode 100644
index cfd1dadcd9c4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..8e41b8800ca3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-EP_OS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NONE.der
deleted file mode 100644
index a0cb191a97b8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..f656d9c4f553
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-EP_OS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS.der
deleted file mode 100644
index 4373f6574cfd..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..6cdc0d76f023
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-EP_OS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_OS.der
deleted file mode 100644
index 378d3ef0c939..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..7e9ba7870901
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-EP_OS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_SA.der
deleted file mode 100644
index cd9d8f2ac339..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..6d4deade7e29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-EP_OS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_TS.der
deleted file mode 100644
index c95e1bbe07ab..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..8a00b0672f09
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-EP_OS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS.der
deleted file mode 100644
index bdab674a9153..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..b12f51bbc7e6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-EP_OS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_SA.der
deleted file mode 100644
index b9bf3e9a4081..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..d103a253699f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-EP_OS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_TS.der
deleted file mode 100644
index 1fc92e516691..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..eb37a4216720
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-EP_OS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA.der
deleted file mode 100644
index 72f910ef8dff..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..b43ab0fc6f3d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-EP_OS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA_TS.der
deleted file mode 100644
index 3c5da712da6b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..9a45dd9ae2ff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-EP_OS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-TS.der
deleted file mode 100644
index 25ff8866d7fd..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..f21c9a38c129
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_OS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-EP_OS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA.der
deleted file mode 100644
index 293a450a9c37..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..4299c02a4554
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-EP_SA-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP.der
deleted file mode 100644
index 98976b1b1d5d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..2730d56c9f7d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-EP_SA-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index b5bd09708f50..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..a0edc3a77c39
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_NS.der
deleted file mode 100644
index dcc1860095db..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..907676f8d4fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-EP_SA-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_OS.der
deleted file mode 100644
index 64df6db52116..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..0e6feadc4504
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-EP_SA-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_SA.der
deleted file mode 100644
index d4f025679499..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..34f90622043f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-EP_SA-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_TS.der
deleted file mode 100644
index 49c56ca14efe..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..29934a7a176e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-EP_SA-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP.der
deleted file mode 100644
index 9f7ed69e3d74..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..1b124b1490dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-EP_SA-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_NS.der
deleted file mode 100644
index 3a9b5462d41c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..8567f0a58045
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-EP_SA-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_OS.der
deleted file mode 100644
index 32cda4a64eef..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..4ebfbcc4f52e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-EP_SA-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_SA.der
deleted file mode 100644
index 490517ffc21f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..385b43f52c60
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-EP_SA-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_TS.der
deleted file mode 100644
index 6b479971c8ac..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..0460d6fb7b15
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-EP_SA-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NONE.der
deleted file mode 100644
index dd25ebb045c3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..220d3d537cd6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-EP_SA-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS.der
deleted file mode 100644
index b0a265397aa7..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..535de7086947
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-EP_SA-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_OS.der
deleted file mode 100644
index fc7624c92dfb..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..c1c865d0dac1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-EP_SA-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_SA.der
deleted file mode 100644
index 9d09b78c5137..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..53f581f8ca9f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-EP_SA-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_TS.der
deleted file mode 100644
index 6ea6e67b03f5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..801d98320da1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-EP_SA-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS.der
deleted file mode 100644
index 9531f2f6cd50..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..49ecc0aa35cf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-EP_SA-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_SA.der
deleted file mode 100644
index 1d54a30508b3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..8997027f6a6e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-EP_SA-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_TS.der
deleted file mode 100644
index 7a66cb2e7394..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..eb08658a355f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-EP_SA-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA.der
deleted file mode 100644
index c9b6c89df4a5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..7a3829dd885b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-EP_SA-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA_TS.der
deleted file mode 100644
index d2d29f52cc7e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..0571b6f3f74f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-EP_SA-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-TS.der
deleted file mode 100644
index 68f8e97db9d9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..0ceb84cf6716
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_SA-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-EP_SA-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA.der
deleted file mode 100644
index 7e5cc5083b0a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..4521beb45779
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-EP_TS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP.der
deleted file mode 100644
index b9258ae9e2d0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..9360753eda7d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-EP_TS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 5e1a5ab64168..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..0ab5481a75cd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_NS.der
deleted file mode 100644
index bf631379f7d4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..f9313ecd0f55
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-EP_TS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_OS.der
deleted file mode 100644
index ddf1810b8cf4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..9e6e5d447fa8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-EP_TS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_SA.der
deleted file mode 100644
index 0fc46a380132..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..486872692d19
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-EP_TS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_TS.der
deleted file mode 100644
index ddf39b5e1d59..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..6715da6008b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-EP_TS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP.der
deleted file mode 100644
index 5cfca1fc03fd..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..545822248e74
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-EP_TS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_NS.der
deleted file mode 100644
index 5f1bd284a259..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..960186a49c1c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-EP_TS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_OS.der
deleted file mode 100644
index a95026607cd3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..bcd82c9546d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-EP_TS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_SA.der
deleted file mode 100644
index 4c04a304a752..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..2d2c85eb27d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-EP_TS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_TS.der
deleted file mode 100644
index 32624bc16c09..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..d48f444dfa7b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-EP_TS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NONE.der
deleted file mode 100644
index ee5d61b046f5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..2559414ee746
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-EP_TS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS.der
deleted file mode 100644
index 8753ee874adc..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..845c8f9dd428
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-EP_TS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_OS.der
deleted file mode 100644
index caaeb4b515d6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..dba65baca6ca
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-EP_TS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_SA.der
deleted file mode 100644
index 52d5b8ec8dfd..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..898aba6cfbad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-EP_TS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_TS.der
deleted file mode 100644
index 944d13f96928..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..cdfacb6504af
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-EP_TS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS.der
deleted file mode 100644
index ab07585a1245..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..d129c1f3a467
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-EP_TS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_SA.der
deleted file mode 100644
index efd8e70fe93d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..c2dee2db574b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-EP_TS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_TS.der
deleted file mode 100644
index a836b531de3d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..31434c4585b1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-EP_TS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA.der
deleted file mode 100644
index 8b88606e9a09..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..c1ec4c930b2a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-EP_TS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA_TS.der
deleted file mode 100644
index 3c30d0ff5c62..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..51804cfd4758
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-EP_TS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-TS.der
deleted file mode 100644
index 1bf7f5b1fb06..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..ad25f7e0068d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-EP_TS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-EP_TS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA.der
deleted file mode 100644
index 89cf14593344..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..29ca65d24332
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-CA
+subject:ee-EKU-NONE-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP.der
deleted file mode 100644
index ce1035fdbdee..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..e0c5e1e022db
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-NONE-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 438134bccfc1..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..ff8ae9990162
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_NS.der
deleted file mode 100644
index 3d657a699214..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..716e5456e3c4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-NONE-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_OS.der
deleted file mode 100644
index 1bc090052bd5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..fbe881a7913f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-NONE-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_SA.der
deleted file mode 100644
index 9e6bda50c715..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..9569733d063a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-NONE-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_TS.der
deleted file mode 100644
index 6407e3a60869..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..836a310ab3bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-NONE-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP.der
deleted file mode 100644
index 634ad5b05646..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..31b7258cca5c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-EP
+subject:ee-EKU-NONE-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_NS.der
deleted file mode 100644
index eb11be31c835..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..733c813e2a42
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-NONE-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_OS.der
deleted file mode 100644
index 0ce029c4a435..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..9e25214f9992
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-NONE-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_SA.der
deleted file mode 100644
index 1159b3c04081..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..d6ab1604dff2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-NONE-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_TS.der
deleted file mode 100644
index 9bd8057f0419..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..88bcf0e455c8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-NONE-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NONE.der
deleted file mode 100644
index a45857e8a643..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..8216513d5b12
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NONE.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-NONE-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS.der
deleted file mode 100644
index 9867d898bf0e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..381f8cf103e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-NS
+subject:ee-EKU-NONE-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_OS.der
deleted file mode 100644
index 633c0b7f635c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..980a27fa7414
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-NONE-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_SA.der
deleted file mode 100644
index 68316a20a731..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..0f0cb27db932
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-NONE-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_TS.der
deleted file mode 100644
index 738d9c074d9a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..95856eaf4d18
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-NONE-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS.der
deleted file mode 100644
index b955b8332283..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..fd8d35b88ad9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-OS
+subject:ee-EKU-NONE-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_SA.der
deleted file mode 100644
index 97955e0b6a5e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..d9ba67de3487
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-NONE-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_TS.der
deleted file mode 100644
index 5f3fbbaa54eb..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..e6972800ded8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-NONE-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA.der
deleted file mode 100644
index fa8b52a87719..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..236f0b49ff8a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-SA
+subject:ee-EKU-NONE-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA_TS.der
deleted file mode 100644
index 95a627ba53a8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..ecde037700fc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-NONE-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-TS.der
deleted file mode 100644
index 6a510d01c4bb..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..a7c50ec2192b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NONE-int-EKU-TS.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-EKU-TS
+subject:ee-EKU-NONE-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA.der
deleted file mode 100644
index 0678584a44a9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..31632c6fa298
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-NS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP.der
deleted file mode 100644
index d2b294ff9904..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..ea4185892e46
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-NS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index a91f8a0c843d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..8c69ca7ec4d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_NS.der
deleted file mode 100644
index 57cece4f3c31..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..2132111babc1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-NS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_OS.der
deleted file mode 100644
index 89efb7ce729c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..021f8cff6d0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-NS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_SA.der
deleted file mode 100644
index 0facc4ba3c35..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..b12f363838ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-NS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_TS.der
deleted file mode 100644
index 1f6c554e71fb..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..db906f52f060
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-NS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP.der
deleted file mode 100644
index aad295c0d21b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..eafe5097e847
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-NS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_NS.der
deleted file mode 100644
index ab8c63e85bb3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..05f3297dbec4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-NS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_OS.der
deleted file mode 100644
index b0854eaa59d3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..518d0da3695b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-NS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_SA.der
deleted file mode 100644
index e74463981cfd..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..c3d5cea0f262
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-NS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_TS.der
deleted file mode 100644
index 13d747d07d0a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..b24a6990bbe1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-NS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NONE.der
deleted file mode 100644
index 980ed9ba93bc..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..64f2960d6466
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-NS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS.der
deleted file mode 100644
index 65934a94a608..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..1ec9059229d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-NS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_OS.der
deleted file mode 100644
index 4d290448805d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..183e13a29f81
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-NS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_SA.der
deleted file mode 100644
index bbf0a41489b8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..5eee76ee3b54
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-NS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_TS.der
deleted file mode 100644
index 57047bcc70f3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..2a7c5d895f8c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-NS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS.der
deleted file mode 100644
index 227aacad494d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..8107c3ec660b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-NS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_SA.der
deleted file mode 100644
index d5fa80887be8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..0d7a5763e0a5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-NS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_TS.der
deleted file mode 100644
index 229e7d69da00..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..7b7a6ae6c1db
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-NS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA.der
deleted file mode 100644
index 7ebca29135fb..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..659dba40885e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-NS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA_TS.der
deleted file mode 100644
index e6b85be7fd3d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..53cfd207c2e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-NS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-TS.der
deleted file mode 100644
index f5b964489ddd..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..b5b08ed9b1e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-NS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA.der
deleted file mode 100644
index 322c100f2be5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..2fc9ba1e96bd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-NS_OS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP.der
deleted file mode 100644
index fb22d2611429..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..ff77d076aa9e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-NS_OS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 2262c563e04f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..906756b7ab94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_NS.der
deleted file mode 100644
index 0aaf8e4e262c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..a04b0228df7b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-NS_OS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_OS.der
deleted file mode 100644
index ffa852aed952..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..308542d579b8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-NS_OS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_SA.der
deleted file mode 100644
index 66f370931cf2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..40292289ab03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-NS_OS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_TS.der
deleted file mode 100644
index 0c1528a5961b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..d516a1874769
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-NS_OS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP.der
deleted file mode 100644
index d0a1506dbb4f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..fc36f2f94c7f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-NS_OS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_NS.der
deleted file mode 100644
index a4ff28877450..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..df01e7cc82df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-NS_OS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_OS.der
deleted file mode 100644
index 4e4258887032..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..0a95874fe799
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-NS_OS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_SA.der
deleted file mode 100644
index 1c8976e72ed5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..7786a5d15895
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-NS_OS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_TS.der
deleted file mode 100644
index 39d38730b93b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..4aba8e13afca
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-NS_OS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NONE.der
deleted file mode 100644
index 15290cf5841d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..6b51a3bb2b1d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-NS_OS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS.der
deleted file mode 100644
index 06f0b75a7950..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..e2636cdd4c75
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-NS_OS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_OS.der
deleted file mode 100644
index 38b35404d09f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..18d8e848192a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-NS_OS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_SA.der
deleted file mode 100644
index 2e75c3b2a705..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..4f620e8ed36d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-NS_OS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_TS.der
deleted file mode 100644
index 20702de20b42..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..7ed0599c3822
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-NS_OS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS.der
deleted file mode 100644
index 11374e4d67be..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..bf468d842e36
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-NS_OS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_SA.der
deleted file mode 100644
index 2f3ac9bac0f4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..6f4f76f22ede
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-NS_OS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_TS.der
deleted file mode 100644
index 546bc68b6090..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..2c4b23408a8c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-NS_OS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA.der
deleted file mode 100644
index d2f55d73916d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..4c2cbc1f542d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-NS_OS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA_TS.der
deleted file mode 100644
index 0510b26b9ecb..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..100f3ef807dd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-NS_OS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-TS.der
deleted file mode 100644
index 07aa9657370f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..2d7b317a4a22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_OS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-NS_OS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA.der
deleted file mode 100644
index 958d6bec29ce..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..e80eede80fcc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-NS_SA-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP.der
deleted file mode 100644
index 47aa56789efe..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..68240b817fbb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-NS_SA-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index af807978d748..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..608751e2d5d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_NS.der
deleted file mode 100644
index f163aa8eb373..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..ef7a2716ff1e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-NS_SA-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_OS.der
deleted file mode 100644
index 076b167cf058..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..0e9a98127fd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-NS_SA-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_SA.der
deleted file mode 100644
index b519e60a4c16..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..0da9052c442d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-NS_SA-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_TS.der
deleted file mode 100644
index 3435c7b0087a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..3a8845a9f163
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-NS_SA-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP.der
deleted file mode 100644
index 043c47ca9941..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..cd8226ca88d2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-NS_SA-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_NS.der
deleted file mode 100644
index 56c376118f63..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..6e5a879ea176
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-NS_SA-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_OS.der
deleted file mode 100644
index 7cd11f8ff7a7..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..f894dad6d6d3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-NS_SA-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_SA.der
deleted file mode 100644
index d02e09cb96cb..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..336f8e4a2263
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-NS_SA-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_TS.der
deleted file mode 100644
index 1f8619d33675..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..459b4010f5ca
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-NS_SA-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NONE.der
deleted file mode 100644
index d819c934185d..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..f1dee5eaf51e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-NS_SA-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS.der
deleted file mode 100644
index 49014b171d03..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..c25155b7df8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-NS_SA-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_OS.der
deleted file mode 100644
index d941f0e7e801..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..8e2ee21f543e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-NS_SA-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_SA.der
deleted file mode 100644
index 29a7cb2c0ca2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..f4dd8fc496ea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-NS_SA-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_TS.der
deleted file mode 100644
index a31cb652abe6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..24074d709f05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-NS_SA-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS.der
deleted file mode 100644
index 5247a93f1df9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..b392e31393d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-NS_SA-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_SA.der
deleted file mode 100644
index f278126cbaa0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..2c88c32c709e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-NS_SA-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_TS.der
deleted file mode 100644
index 168ac5890be9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..a7b92e8aa2d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-NS_SA-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA.der
deleted file mode 100644
index 2d228bc66171..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..be8a19ffaecf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-NS_SA-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA_TS.der
deleted file mode 100644
index 2de0ecd35606..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..41c27dfd5e2a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-NS_SA-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-TS.der
deleted file mode 100644
index 857511cc9b2f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..4c8aa75cd1d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_SA-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-NS_SA-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA.der
deleted file mode 100644
index 28e3a8ca8d01..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..ce37430d634c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-NS_TS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP.der
deleted file mode 100644
index a33605e90b33..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..05d0e1c59862
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-NS_TS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index ad4ad3a389be..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..2a7ec25dbbf5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_NS.der
deleted file mode 100644
index 948d0bad5947..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..a8fa63b0b296
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-NS_TS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_OS.der
deleted file mode 100644
index 9dd9d89f039c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..9d4d6c79e027
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-NS_TS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_SA.der
deleted file mode 100644
index 2e85b9cd3f74..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..2ebad75f0f53
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-NS_TS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_TS.der
deleted file mode 100644
index 504394faa0a4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..b942268ab760
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-NS_TS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP.der
deleted file mode 100644
index 864761bccd35..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..3abbb5644459
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-NS_TS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_NS.der
deleted file mode 100644
index b9f9579ed3a3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..c921bd021187
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-NS_TS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_OS.der
deleted file mode 100644
index cbaabc895ae2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..78e7da962e0f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-NS_TS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_SA.der
deleted file mode 100644
index 30a7de0c23d3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..cac0d3231e0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-NS_TS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_TS.der
deleted file mode 100644
index 91a4b50713cd..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..5728c453b806
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-NS_TS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NONE.der
deleted file mode 100644
index fae32093c51a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..25657b0ba1c9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-NS_TS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS.der
deleted file mode 100644
index 38e595618bd7..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..55ff174768fa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-NS_TS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_OS.der
deleted file mode 100644
index 57d5553ed742..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..eb84a3124dab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-NS_TS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_SA.der
deleted file mode 100644
index 74a89d1b4b44..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..d989b1d80095
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-NS_TS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_TS.der
deleted file mode 100644
index c7ed66144109..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..c2fdd2463456
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-NS_TS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS.der
deleted file mode 100644
index b3d8a71d0a3a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..e6e7f8708cb4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-NS_TS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_SA.der
deleted file mode 100644
index 60a1c5053a9c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..10d3f2832522
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-NS_TS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_TS.der
deleted file mode 100644
index aa427768ec40..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..4f6f3fe34c1d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-NS_TS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA.der
deleted file mode 100644
index b5dd3246fd19..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..c0cd45c1df4a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-NS_TS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA_TS.der
deleted file mode 100644
index a7a53fd4006e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..93f90eed1f99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-NS_TS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-TS.der
deleted file mode 100644
index ea24c6b10eb2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..fa27d836f150
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-NS_TS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-NS_TS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA.der
deleted file mode 100644
index ca92db913b7c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..c15529690e7b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-OS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP.der
deleted file mode 100644
index 6ca3f51e84ac..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..5498724ee08b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-OS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 62d17e6cbfad..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..ee5a7c54dff5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_NS.der
deleted file mode 100644
index 3f8e70f076ce..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..ea6b577318d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-OS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_OS.der
deleted file mode 100644
index 239af50dfa78..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..7bb486adf916
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-OS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_SA.der
deleted file mode 100644
index 8ce0fbecd094..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..3a373351872e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-OS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_TS.der
deleted file mode 100644
index c034cac392da..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..54ef5394e104
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-OS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP.der
deleted file mode 100644
index 96c52bc3c9b4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..544dd8a799d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-OS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_NS.der
deleted file mode 100644
index ea9c3df11f5f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..04b908365421
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-OS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_OS.der
deleted file mode 100644
index 99c153369b3c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..1baf30036047
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-OS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_SA.der
deleted file mode 100644
index a08e5b45160b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..b3fe6e105b03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-OS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_TS.der
deleted file mode 100644
index 20381c552f8e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..f6b14b589024
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-OS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NONE.der
deleted file mode 100644
index b482cfca50c6..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..6a47e198803c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-OS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS.der
deleted file mode 100644
index 32212c768738..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..b2fa840c8bff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-OS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_OS.der
deleted file mode 100644
index 04dbe57235f2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..d96eaff0b130
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-OS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_SA.der
deleted file mode 100644
index 8a2fba16cc4c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..7215f6a1e196
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-OS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_TS.der
deleted file mode 100644
index a85f4a4a3bec..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..c138843fd072
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-OS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS.der
deleted file mode 100644
index 9f9829225a7f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..a4f2a7e3c6d2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-OS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_SA.der
deleted file mode 100644
index fb0a8c7f88f4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..895bcfcee57f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-OS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_TS.der
deleted file mode 100644
index 85084188cfaa..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..9816c8998d39
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-OS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA.der
deleted file mode 100644
index 5357440f8c2a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..e5af1e17fac6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-OS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA_TS.der
deleted file mode 100644
index f6f78d35cd71..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..709177e6c8ea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-OS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-TS.der
deleted file mode 100644
index 0a3731a7b663..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..1e91f0de6398
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-OS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA.der
deleted file mode 100644
index d826d0354781..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..972fbf0460d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-OS_SA-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP.der
deleted file mode 100644
index b63f8d5b14ab..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..0c29ec2945c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-OS_SA-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index 2486a7d2349a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..39a299e1f62e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_NS.der
deleted file mode 100644
index 164e88a786b2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..6bc4a9583562
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-OS_SA-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_OS.der
deleted file mode 100644
index ad1b05a489d8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..1f36ac2ef0ab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-OS_SA-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_SA.der
deleted file mode 100644
index dd7e5a0e9e4c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..0f47ffdf21e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-OS_SA-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_TS.der
deleted file mode 100644
index 03d0166a8584..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..f854391ad7d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-OS_SA-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP.der
deleted file mode 100644
index 4cd4562c7c9e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..1d19d78e52ff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-OS_SA-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_NS.der
deleted file mode 100644
index 1b27039a1037..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..090ffdb0b3d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-OS_SA-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_OS.der
deleted file mode 100644
index f2ce8dd518aa..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..2a3d5fdeb0e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-OS_SA-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_SA.der
deleted file mode 100644
index 1667617f18c5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..1654c2e88134
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-OS_SA-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_TS.der
deleted file mode 100644
index dc4056f30c24..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..52dfac9d205e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-OS_SA-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NONE.der
deleted file mode 100644
index 875c2f5643b2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..a08303de2616
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-OS_SA-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS.der
deleted file mode 100644
index e75c3fbe2480..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..af7edeb9b775
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-OS_SA-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_OS.der
deleted file mode 100644
index f36e4a6e2c92..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..d231a3cd7f2c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-OS_SA-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_SA.der
deleted file mode 100644
index 0ec8284471f7..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..6fda094b4e97
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-OS_SA-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_TS.der
deleted file mode 100644
index 430446c2927c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..2ddbb8d0adf6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-OS_SA-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS.der
deleted file mode 100644
index 07a43f3ede2e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..cee653dd0e58
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-OS_SA-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_SA.der
deleted file mode 100644
index 79c5263924c9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..0a2e96e24334
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-OS_SA-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_TS.der
deleted file mode 100644
index d332de0c95eb..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..3a6fdcd7efe5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-OS_SA-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA.der
deleted file mode 100644
index 074c77b65e35..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..3df2d2a52c06
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-OS_SA-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA_TS.der
deleted file mode 100644
index 86b12af87c87..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..9da0615176fc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-OS_SA-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-TS.der
deleted file mode 100644
index d5bc75de40e9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..cdbd3e79f2d7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_SA-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-OS_SA-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA.der
deleted file mode 100644
index 026a402e9042..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..6203e1a5c12b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-OS_TS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP.der
deleted file mode 100644
index e48835dbec4b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..75f25d9792b2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-OS_TS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index cd221a7645b3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..f9e172aa8c40
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_NS.der
deleted file mode 100644
index 5190ccd49677..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..57bef032d98c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-OS_TS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_OS.der
deleted file mode 100644
index cd6479b3a707..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..2a331a338f26
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-OS_TS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_SA.der
deleted file mode 100644
index 7554f0b24682..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..f79aa4efaeed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-OS_TS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_TS.der
deleted file mode 100644
index e3ebe6a5bd9b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..09eecfc94bfe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-OS_TS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP.der
deleted file mode 100644
index e5ffb7f2fc28..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..7e61ca81d5b1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-OS_TS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_NS.der
deleted file mode 100644
index 57351e7936fa..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..8f9f9becf69c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-OS_TS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_OS.der
deleted file mode 100644
index b70123d17a3e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..0abc9e1e78b8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-OS_TS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_SA.der
deleted file mode 100644
index cdc0503ddee0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..ae96d154d588
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-OS_TS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_TS.der
deleted file mode 100644
index 5cbc2e138af8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..a967698dd388
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-OS_TS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NONE.der
deleted file mode 100644
index de83423991fc..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..d0d1a4ca4307
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-OS_TS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS.der
deleted file mode 100644
index c3da95ae2a40..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..d04eb3586882
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-OS_TS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_OS.der
deleted file mode 100644
index 85facc7b4467..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..33df30df53cd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-OS_TS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_SA.der
deleted file mode 100644
index c779eff69154..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..ec2df81360f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-OS_TS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_TS.der
deleted file mode 100644
index 8f1086153637..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..61b92fe332fb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-OS_TS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS.der
deleted file mode 100644
index 16cfe348d6ee..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..151096785997
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-OS_TS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_SA.der
deleted file mode 100644
index b4acf5a191a0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..7a9b2e864fa0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-OS_TS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_TS.der
deleted file mode 100644
index 0804088dbef8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..8ab8a8877702
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-OS_TS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA.der
deleted file mode 100644
index 4b3ed9a21a5c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..6a6353fb3019
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-OS_TS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA_TS.der
deleted file mode 100644
index ccdf50ff3595..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..d80ceb4b4fa1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-OS_TS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-TS.der
deleted file mode 100644
index 0076eafb0bcf..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..cd6dac231ac5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-OS_TS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-OS_TS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA.der
deleted file mode 100644
index 8b32ba11efdd..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..b4d04b823399
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-SA-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP.der
deleted file mode 100644
index 081556cb02ca..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..83249cf43f37
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-SA-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index ea688f6f1886..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..c3e48ee5ebca
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_NS.der
deleted file mode 100644
index 26e86fc05774..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..76fec7c8b98e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-SA-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_OS.der
deleted file mode 100644
index edcaa7c3544a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..dd137afb1c61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-SA-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_SA.der
deleted file mode 100644
index a798610e764b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..e950251153e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-SA-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_TS.der
deleted file mode 100644
index c50009172cb9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..36163e015a1a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-SA-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP.der
deleted file mode 100644
index d97a14581ce0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..bbd2d9f205e4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-SA-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_NS.der
deleted file mode 100644
index cb77230ecbf4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..db7686bc5a3a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-SA-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_OS.der
deleted file mode 100644
index 3108d354bd2c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..608e685bf803
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-SA-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_SA.der
deleted file mode 100644
index 73bdcd6bd514..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..1a1370ea7c77
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-SA-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_TS.der
deleted file mode 100644
index 5e30ab6e20fd..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..efb16343431a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-SA-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NONE.der
deleted file mode 100644
index 0216a9e07a03..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..f0c98f4b54a0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-SA-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS.der
deleted file mode 100644
index a8033660d310..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..13a6fe235a67
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-SA-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_OS.der
deleted file mode 100644
index 7907f742ed12..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..59d4b5bc7fec
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-SA-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_SA.der
deleted file mode 100644
index 7d33924a7404..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..02b1780029c5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-SA-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_TS.der
deleted file mode 100644
index eb5e6d50c76b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..0d5b8e20be00
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-SA-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS.der
deleted file mode 100644
index b2bc44e11aee..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..70f46e951392
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-SA-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_SA.der
deleted file mode 100644
index 36cd63dbec6e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..011a1343c028
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-SA-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_TS.der
deleted file mode 100644
index 62070243e119..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..8e133c352846
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-SA-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA.der
deleted file mode 100644
index 1b9b8fb36ccf..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..a38fa4705df7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-SA-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA_TS.der
deleted file mode 100644
index 61fe89ee66c5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..3d1d50aefc1f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-SA-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-TS.der
deleted file mode 100644
index ff0a3fc1567b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..ed539190ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-SA-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA.der
deleted file mode 100644
index d72a5916b14a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..c1b45fca1630
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-SA_TS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP.der
deleted file mode 100644
index 94678055a4c8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..bbbb5c0b12b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-SA_TS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index b5cbba327402..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..9b73c5b2f2c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_NS.der
deleted file mode 100644
index fda39e85a278..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..3b9ef1c3e24c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-SA_TS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_OS.der
deleted file mode 100644
index ff4733135c63..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..344050a6f40c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-SA_TS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_SA.der
deleted file mode 100644
index d418c0962257..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..61d29546ee16
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-SA_TS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_TS.der
deleted file mode 100644
index 2abfcae07920..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..8d9b6c128b54
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-SA_TS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP.der
deleted file mode 100644
index 6355c1f7a61a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..b146f0995002
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-SA_TS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_NS.der
deleted file mode 100644
index 581acab30ef8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..bfaaf0a12344
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-SA_TS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_OS.der
deleted file mode 100644
index 298581087740..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..6dacaed4e87d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-SA_TS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_SA.der
deleted file mode 100644
index 3e4677271750..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..162c2cace1c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-SA_TS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_TS.der
deleted file mode 100644
index 1e0e8e50578a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..79753e09a51e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-SA_TS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NONE.der
deleted file mode 100644
index 3a7829757315..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..d7d76584dfbb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-SA_TS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS.der
deleted file mode 100644
index 5401afbaafc7..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..facfd3b0ad19
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-SA_TS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_OS.der
deleted file mode 100644
index 1380f182141e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..242bbef414e6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-SA_TS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_SA.der
deleted file mode 100644
index 7d96204eae7c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..7c780f2ea4b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-SA_TS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_TS.der
deleted file mode 100644
index e6d1a0f4537a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..05e5193591ef
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-SA_TS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS.der
deleted file mode 100644
index 5d03a0147be7..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..5d7c2d4925f2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-SA_TS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_SA.der
deleted file mode 100644
index 287de557dab2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..ab97890dfcc3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-SA_TS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_TS.der
deleted file mode 100644
index 28b2f2dee4ed..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..a6022ba7dcc0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-SA_TS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA.der
deleted file mode 100644
index d2222b41a35a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..9b982c1a8238
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-SA_TS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA_TS.der
deleted file mode 100644
index 7a3d978aecb5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..48d856183e61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-SA_TS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-TS.der
deleted file mode 100644
index 677b24f66dca..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..35adb4854d4a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-SA_TS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-SA_TS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA.der
deleted file mode 100644
index 601dff642ab5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..c2e5b8ca0653
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA
+subject:ee-EKU-TS-int-EKU-CA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP.der
deleted file mode 100644
index a96cd175addf..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..b1ea4dcbb7d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP
+subject:ee-EKU-TS-int-EKU-CA_EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index f542e25fb51e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..13c3c17ee809
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_EP_NS_OS_SA_TS
+subject:ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_NS.der
deleted file mode 100644
index 52174691b8ff..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..dbb552c644f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_NS
+subject:ee-EKU-TS-int-EKU-CA_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_OS.der
deleted file mode 100644
index e8b387f3f29e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..719fb5936bfa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_OS
+subject:ee-EKU-TS-int-EKU-CA_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_SA.der
deleted file mode 100644
index 0bad9dfcfbb9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..5682fe3c2136
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_SA
+subject:ee-EKU-TS-int-EKU-CA_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_TS.der
deleted file mode 100644
index 7c94ac3e5dc1..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..2410f7d4278a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-CA_TS
+subject:ee-EKU-TS-int-EKU-CA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP.der
deleted file mode 100644
index 3dc0138f9e5f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..75f755461a58
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP
+subject:ee-EKU-TS-int-EKU-EP
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_NS.der
deleted file mode 100644
index 69000d806844..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..bd8d27008eff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_NS
+subject:ee-EKU-TS-int-EKU-EP_NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_OS.der
deleted file mode 100644
index 3ad679891b56..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..80caf2272164
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_OS
+subject:ee-EKU-TS-int-EKU-EP_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_SA.der
deleted file mode 100644
index 4f93127b9c46..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..ef35255f3467
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_SA
+subject:ee-EKU-TS-int-EKU-EP_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_TS.der
deleted file mode 100644
index 590adfbb81b8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..0c403f1fec0f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-EP_TS
+subject:ee-EKU-TS-int-EKU-EP_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NONE.der
deleted file mode 100644
index 934340a1d8d2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..a5236476c602
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NONE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NONE
+subject:ee-EKU-TS-int-EKU-NONE
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS.der
deleted file mode 100644
index 2d0bf4c545a2..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..d57c23010911
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS
+subject:ee-EKU-TS-int-EKU-NS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_OS.der
deleted file mode 100644
index 36ff6377b837..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..88aa48943161
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_OS
+subject:ee-EKU-TS-int-EKU-NS_OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_SA.der
deleted file mode 100644
index 22ed46120155..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..783890129ab6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_SA
+subject:ee-EKU-TS-int-EKU-NS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_TS.der
deleted file mode 100644
index 1a97bad8cef0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..e894f993e00e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-NS_TS
+subject:ee-EKU-TS-int-EKU-NS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS.der
deleted file mode 100644
index de27ad2a5554..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..6ff27c82a96d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS
+subject:ee-EKU-TS-int-EKU-OS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_SA.der
deleted file mode 100644
index dcc46008c4bd..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..2c75547b345c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_SA
+subject:ee-EKU-TS-int-EKU-OS_SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_TS.der
deleted file mode 100644
index 7b6e2fc9c8ea..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..1714918c7e30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-OS_TS
+subject:ee-EKU-TS-int-EKU-OS_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA.der
deleted file mode 100644
index 314baf327c91..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..c4f60175cd67
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA
+subject:ee-EKU-TS-int-EKU-SA
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA_TS.der
deleted file mode 100644
index df6df63bcb52..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..a31d1d715a4c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-SA_TS
+subject:ee-EKU-TS-int-EKU-SA_TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-TS.der
deleted file mode 100644
index d285b2304469..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..e65002c5e658
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-EKU-TS-int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-EKU-TS
+subject:ee-EKU-TS-int-EKU-TS
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/generate.py b/security/manager/ssl/tests/unit/test_cert_eku/generate.py
index 2ad815ce69db..d3d6453c9363 100755
--- a/security/manager/ssl/tests/unit/test_cert_eku/generate.py
+++ b/security/manager/ssl/tests/unit/test_cert_eku/generate.py
@@ -1,29 +1,9 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-# requires openssl >= 1.0.0
-
-import tempfile, os, sys, random
-libpath = os.path.abspath('../psm_common_py')
-
-sys.path.append(libpath)
-
-import CertUtils
-
-srcdir = os.getcwd()
-db = tempfile.mkdtemp()
-
-CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
-EE_basic_constraints = "basicConstraints = CA:FALSE\n"
-
-CA_full_ku = "keyUsage = keyCertSign, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, cRLSign\n"
-EE_full_ku = "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement\n"
-
-key_type = 'rsa'
-
 # codesigning differs significantly between mozilla::pkix and
 # classic NSS that actual testing on it is not very useful
 eku_values = { 'SA': "serverAuth",
@@ -32,7 +12,7 @@ eku_values = { 'SA': "serverAuth",
                'EP': "emailProtection",
                'TS': "timeStamping",
                'NS': "nsSGC", # Netscape Server Gated Crypto.
-               'OS': "1.3.6.1.5.5.7.3.9"
+               'OS': "OCSPSigning"
              }
 
 cert_usages = [ "certificateUsageSSLClient",
@@ -57,14 +37,12 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function cert_from_file(filename) {
-  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
-  return certdb.constructX509(der, der.length);
+  return constructCertFromFile(`test_cert_eku/${filename}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
-  return cert_from_file(cert_filename);
+  addCertFromFile(certdb, `test_cert_eku/${cert_name}.pem`, trust_string);
+  return cert_from_file(cert_name);
 }
 
 function run_test() {
@@ -87,7 +65,7 @@ def gen_int_js_output(int_string):
 
 def single_test_output(ee_name, cert_usage, error):
     return ("  checkCertErrorGeneric(certdb, cert_from_file('" + ee_name +
-            ".der'), " + error + ", " + cert_usage + ");\n")
+            "'), " + error + ", " + cert_usage + ");\n")
 
 def usage_to_abbreviation(usage):
     if usage is "certificateUsageStatusResponder":
@@ -169,17 +147,21 @@ def generate_test_eku():
     all_values = eku_values[eku_names[0]]
     for i in range (1, len(eku_names)):
         all_names = all_names + "_" + eku_names[i]
-        all_values = all_values + ", " + eku_values[eku_names[i]]
+        all_values = all_values + "," + eku_values[eku_names[i]]
     outmap[all_names] = all_values
     return outmap
 
-def generate_certs(do_cert_generation):
-    ca_name = "ca"
-    if do_cert_generation:
-        [ca_key, ca_cert] = CertUtils.generate_cert_generic(
-                              db, srcdir, 1, key_type, ca_name,
-                              CA_basic_constraints)
-    ee_ext_text = EE_basic_constraints + EE_full_ku
+def generate_certspec_file(issuer_name, name, extensions_list):
+    filename = name + ".pem.certspec"
+    with open(filename, "w") as f:
+        f.write("issuer:%s\n" % issuer_name)
+        f.write("subject:%s\n" % name)
+        for extension in extensions_list:
+            f.write("extension:%s\n" % extension)
+
+def generate_certs():
+    generate_certspec_file("ca", "ca", ["basicConstraints:cA,"])
+    cert_list = ["ca.pem"]
 
     # now we do it again for valid basic constraints but strange eku/ku at the
     # intermediate layer
@@ -192,30 +174,32 @@ def generate_certs(do_cert_generation):
 
         # generate int
         int_name = "int-EKU-" + eku_name
-        int_serial = random.randint(100, 40000000)
-        eku_text = "extendedKeyUsage = " + eku_dict[eku_name]
-        if (eku_name == "NONE"):
-            eku_text = ""
-        int_ext_text = CA_basic_constraints + CA_full_ku + eku_text
-        if do_cert_generation:
-            [int_key, int_cert] = CertUtils.generate_cert_generic(
-                                    db, srcdir, int_serial, key_type, int_name,
-                                    int_ext_text, ca_key, ca_cert)
+        int_eku = "extKeyUsage:" + eku_dict[eku_name]
+        int_extensions_list = [
+            "basicConstraints:cA,",
+            "keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign"
+        ]
+        if eku_name != "NONE":
+            int_extensions_list.append(int_eku)
+        generate_certspec_file("ca", int_name, int_extensions_list)
+        cert_list.append(int_name + ".pem")
+
         js_outfile.write("\n")
         js_outfile.write(gen_int_js_output(int_name))
 
         for ee_eku_name in (sorted(eku_dict.keys())):
             ee_base_name = "ee-EKU-" + ee_eku_name
             ee_name = ee_base_name + "-" + int_name
-            ee_serial = random.randint(100, 40000000)
-            ee_eku = "extendedKeyUsage = critical," + eku_dict[ee_eku_name]
-            if (ee_eku_name == "NONE"):
-                ee_eku = ""
-            ee_ext_text = EE_basic_constraints + EE_full_ku + ee_eku
-            if do_cert_generation:
-                [ee_key, ee_cert] = CertUtils.generate_cert_generic(
-                                      db, srcdir, ee_serial, key_type, ee_name,
-                                      ee_ext_text, int_key, int_cert)
+            ee_eku = "extKeyUsage:" + eku_dict[ee_eku_name]
+            ee_extensions_list = [
+                "basicConstraints:,",
+                "keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement"
+            ]
+            if ee_eku_name != "NONE":
+                ee_extensions_list.append(ee_eku)
+            generate_certspec_file(int_name, ee_name, ee_extensions_list)
+            cert_list.append(ee_name + ".pem")
+
             for cert_usage in (cert_usages):
                 js_outfile.write(gen_ee_js_output(int_name, ee_base_name,
                                  cert_usage, ee_name))
@@ -223,7 +207,35 @@ def generate_certs(do_cert_generation):
         js_outfile.write(js_file_footer)
         js_outfile.close()
 
-# By default, re-generate the certificates. Anything can be passed as a
-# command-line option to prevent this.
-do_cert_generation = len(sys.argv) < 2
-generate_certs(do_cert_generation)
+    return cert_list
+
+def generate_mozbuild_file(generated_cert_filenames):
+    MOZ_BUILD_HEADER = """# AUTOGENERATED FILE, DO NOT EDIT
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+test_certificates = (
+"""
+
+    MOZ_BUILD_FOOTER = """)
+
+for test_certificate in test_certificates:
+    input_file = test_certificate + '.certspec'
+    GENERATED_FILES += [test_certificate]
+    props = GENERATED_FILES[test_certificate]
+    props.script = '../pycert.py'
+    props.inputs = [input_file, '!/config/buildid']
+    TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_cert_eku += ['!%s' % test_certificate]
+"""
+
+    with open("moz.build", "w") as f:
+        f.write(MOZ_BUILD_HEADER)
+        for cert_filename in sorted(generated_cert_filenames):
+            f.write("    '%s',\n" % cert_filename)
+        f.write(MOZ_BUILD_FOOTER)
+
+generated_cert_filenames = generate_certs()
+generate_mozbuild_file(generated_cert_filenames)
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA.der
deleted file mode 100644
index 882ed63fcb6b..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA.pem.certspec
new file mode 100644
index 000000000000..6079748a31e9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-CA
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP.der
deleted file mode 100644
index e22b267d4170..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP.pem.certspec
new file mode 100644
index 000000000000..e2742750e452
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-CA_EP
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:clientAuth,emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP_NS_OS_SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP_NS_OS_SA_TS.der
deleted file mode 100644
index f7f02d12449f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP_NS_OS_SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
new file mode 100644
index 000000000000..81acc32d79c4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_EP_NS_OS_SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-CA_EP_NS_OS_SA_TS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:clientAuth,emailProtection,nsSGC,OCSPSigning,serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_NS.der
deleted file mode 100644
index 78c3fc348c13..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_NS.pem.certspec
new file mode 100644
index 000000000000..21a1a30a6d26
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-CA_NS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:clientAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_OS.der
deleted file mode 100644
index 742e1e515553..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_OS.pem.certspec
new file mode 100644
index 000000000000..c33e47136d80
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-CA_OS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_SA.der
deleted file mode 100644
index c855df0fc883..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_SA.pem.certspec
new file mode 100644
index 000000000000..6fa6280f3b4b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-CA_SA
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:clientAuth,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_TS.der
deleted file mode 100644
index e805d9f47bfb..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_TS.pem.certspec
new file mode 100644
index 000000000000..af00ed29baa9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-CA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-CA_TS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:clientAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP.der
deleted file mode 100644
index 7785788b9b10..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP.pem.certspec
new file mode 100644
index 000000000000..21eabf3d875a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-EP
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_NS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_NS.der
deleted file mode 100644
index c0b40f0bc0a7..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_NS.pem.certspec
new file mode 100644
index 000000000000..3805cfb05ad3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-EP_NS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:emailProtection,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_OS.der
deleted file mode 100644
index 081376961d8c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_OS.pem.certspec
new file mode 100644
index 000000000000..b1c8a586bf6e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-EP_OS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:emailProtection,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_SA.der
deleted file mode 100644
index 690e6f3f1e6e..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_SA.pem.certspec
new file mode 100644
index 000000000000..478a3fa0b45a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-EP_SA
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:emailProtection,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_TS.der
deleted file mode 100644
index 13a6f4b02a73..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_TS.pem.certspec
new file mode 100644
index 000000000000..bfc08098f928
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-EP_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-EP_TS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:emailProtection,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NONE.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NONE.der
deleted file mode 100644
index 0b95d9665db0..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NONE.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NONE.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NONE.pem.certspec
new file mode 100644
index 000000000000..5ee971ce0d88
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NONE.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-EKU-NONE
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS.der
deleted file mode 100644
index 86cfae8bf497..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS.pem.certspec
new file mode 100644
index 000000000000..cff8f37ddf73
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-NS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_OS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_OS.der
deleted file mode 100644
index 6f699a0997e8..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_OS.pem.certspec
new file mode 100644
index 000000000000..25446672814e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-NS_OS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:nsSGC,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_SA.der
deleted file mode 100644
index 73802081d7c4..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_SA.pem.certspec
new file mode 100644
index 000000000000..9c7a0584cd9c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-NS_SA
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:nsSGC,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_TS.der
deleted file mode 100644
index 039ceb0a77b9..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_TS.pem.certspec
new file mode 100644
index 000000000000..9e54a7b39f3e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-NS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-NS_TS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:nsSGC,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS.der
deleted file mode 100644
index d8af76c38eae..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS.pem.certspec
new file mode 100644
index 000000000000..b0657e9e6611
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-OS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_SA.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_SA.der
deleted file mode 100644
index d5c101f9bfc5..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_SA.pem.certspec
new file mode 100644
index 000000000000..bccaa93186d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-OS_SA
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:OCSPSigning,serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_TS.der
deleted file mode 100644
index 39374b68e00a..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_TS.pem.certspec
new file mode 100644
index 000000000000..8ca4e2f42acb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-OS_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-OS_TS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:OCSPSigning,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA.der
deleted file mode 100644
index 446032ab012f..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA.pem.certspec
new file mode 100644
index 000000000000..dd11189f7809
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-SA
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA_TS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA_TS.der
deleted file mode 100644
index 06d66330f1c3..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA_TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA_TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA_TS.pem.certspec
new file mode 100644
index 000000000000..e2dd293e96fb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-SA_TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-SA_TS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:serverAuth,timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-TS.der b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-TS.der
deleted file mode 100644
index 993b5829f57c..000000000000
Binary files a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-TS.der and /dev/null differ
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-TS.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-TS.pem.certspec
new file mode 100644
index 000000000000..e190cd070913
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-EKU-TS.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-EKU-TS
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:timeStamping
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/moz.build b/security/manager/ssl/tests/unit/test_cert_eku/moz.build
new file mode 100644
index 000000000000..e15c9beddde3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/moz.build
@@ -0,0 +1,570 @@
+# AUTOGENERATED FILE, DO NOT EDIT
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+test_certificates = (
+    'ca.pem',
+    'ee-EKU-CA-int-EKU-CA.pem',
+    'ee-EKU-CA-int-EKU-CA_EP.pem',
+    'ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-CA-int-EKU-CA_NS.pem',
+    'ee-EKU-CA-int-EKU-CA_OS.pem',
+    'ee-EKU-CA-int-EKU-CA_SA.pem',
+    'ee-EKU-CA-int-EKU-CA_TS.pem',
+    'ee-EKU-CA-int-EKU-EP.pem',
+    'ee-EKU-CA-int-EKU-EP_NS.pem',
+    'ee-EKU-CA-int-EKU-EP_OS.pem',
+    'ee-EKU-CA-int-EKU-EP_SA.pem',
+    'ee-EKU-CA-int-EKU-EP_TS.pem',
+    'ee-EKU-CA-int-EKU-NONE.pem',
+    'ee-EKU-CA-int-EKU-NS.pem',
+    'ee-EKU-CA-int-EKU-NS_OS.pem',
+    'ee-EKU-CA-int-EKU-NS_SA.pem',
+    'ee-EKU-CA-int-EKU-NS_TS.pem',
+    'ee-EKU-CA-int-EKU-OS.pem',
+    'ee-EKU-CA-int-EKU-OS_SA.pem',
+    'ee-EKU-CA-int-EKU-OS_TS.pem',
+    'ee-EKU-CA-int-EKU-SA.pem',
+    'ee-EKU-CA-int-EKU-SA_TS.pem',
+    'ee-EKU-CA-int-EKU-TS.pem',
+    'ee-EKU-CA_EP-int-EKU-CA.pem',
+    'ee-EKU-CA_EP-int-EKU-CA_EP.pem',
+    'ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-CA_EP-int-EKU-CA_NS.pem',
+    'ee-EKU-CA_EP-int-EKU-CA_OS.pem',
+    'ee-EKU-CA_EP-int-EKU-CA_SA.pem',
+    'ee-EKU-CA_EP-int-EKU-CA_TS.pem',
+    'ee-EKU-CA_EP-int-EKU-EP.pem',
+    'ee-EKU-CA_EP-int-EKU-EP_NS.pem',
+    'ee-EKU-CA_EP-int-EKU-EP_OS.pem',
+    'ee-EKU-CA_EP-int-EKU-EP_SA.pem',
+    'ee-EKU-CA_EP-int-EKU-EP_TS.pem',
+    'ee-EKU-CA_EP-int-EKU-NONE.pem',
+    'ee-EKU-CA_EP-int-EKU-NS.pem',
+    'ee-EKU-CA_EP-int-EKU-NS_OS.pem',
+    'ee-EKU-CA_EP-int-EKU-NS_SA.pem',
+    'ee-EKU-CA_EP-int-EKU-NS_TS.pem',
+    'ee-EKU-CA_EP-int-EKU-OS.pem',
+    'ee-EKU-CA_EP-int-EKU-OS_SA.pem',
+    'ee-EKU-CA_EP-int-EKU-OS_TS.pem',
+    'ee-EKU-CA_EP-int-EKU-SA.pem',
+    'ee-EKU-CA_EP-int-EKU-SA_TS.pem',
+    'ee-EKU-CA_EP-int-EKU-TS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-SA_TS.pem',
+    'ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-TS.pem',
+    'ee-EKU-CA_NS-int-EKU-CA.pem',
+    'ee-EKU-CA_NS-int-EKU-CA_EP.pem',
+    'ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-CA_NS-int-EKU-CA_NS.pem',
+    'ee-EKU-CA_NS-int-EKU-CA_OS.pem',
+    'ee-EKU-CA_NS-int-EKU-CA_SA.pem',
+    'ee-EKU-CA_NS-int-EKU-CA_TS.pem',
+    'ee-EKU-CA_NS-int-EKU-EP.pem',
+    'ee-EKU-CA_NS-int-EKU-EP_NS.pem',
+    'ee-EKU-CA_NS-int-EKU-EP_OS.pem',
+    'ee-EKU-CA_NS-int-EKU-EP_SA.pem',
+    'ee-EKU-CA_NS-int-EKU-EP_TS.pem',
+    'ee-EKU-CA_NS-int-EKU-NONE.pem',
+    'ee-EKU-CA_NS-int-EKU-NS.pem',
+    'ee-EKU-CA_NS-int-EKU-NS_OS.pem',
+    'ee-EKU-CA_NS-int-EKU-NS_SA.pem',
+    'ee-EKU-CA_NS-int-EKU-NS_TS.pem',
+    'ee-EKU-CA_NS-int-EKU-OS.pem',
+    'ee-EKU-CA_NS-int-EKU-OS_SA.pem',
+    'ee-EKU-CA_NS-int-EKU-OS_TS.pem',
+    'ee-EKU-CA_NS-int-EKU-SA.pem',
+    'ee-EKU-CA_NS-int-EKU-SA_TS.pem',
+    'ee-EKU-CA_NS-int-EKU-TS.pem',
+    'ee-EKU-CA_OS-int-EKU-CA.pem',
+    'ee-EKU-CA_OS-int-EKU-CA_EP.pem',
+    'ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-CA_OS-int-EKU-CA_NS.pem',
+    'ee-EKU-CA_OS-int-EKU-CA_OS.pem',
+    'ee-EKU-CA_OS-int-EKU-CA_SA.pem',
+    'ee-EKU-CA_OS-int-EKU-CA_TS.pem',
+    'ee-EKU-CA_OS-int-EKU-EP.pem',
+    'ee-EKU-CA_OS-int-EKU-EP_NS.pem',
+    'ee-EKU-CA_OS-int-EKU-EP_OS.pem',
+    'ee-EKU-CA_OS-int-EKU-EP_SA.pem',
+    'ee-EKU-CA_OS-int-EKU-EP_TS.pem',
+    'ee-EKU-CA_OS-int-EKU-NONE.pem',
+    'ee-EKU-CA_OS-int-EKU-NS.pem',
+    'ee-EKU-CA_OS-int-EKU-NS_OS.pem',
+    'ee-EKU-CA_OS-int-EKU-NS_SA.pem',
+    'ee-EKU-CA_OS-int-EKU-NS_TS.pem',
+    'ee-EKU-CA_OS-int-EKU-OS.pem',
+    'ee-EKU-CA_OS-int-EKU-OS_SA.pem',
+    'ee-EKU-CA_OS-int-EKU-OS_TS.pem',
+    'ee-EKU-CA_OS-int-EKU-SA.pem',
+    'ee-EKU-CA_OS-int-EKU-SA_TS.pem',
+    'ee-EKU-CA_OS-int-EKU-TS.pem',
+    'ee-EKU-CA_SA-int-EKU-CA.pem',
+    'ee-EKU-CA_SA-int-EKU-CA_EP.pem',
+    'ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-CA_SA-int-EKU-CA_NS.pem',
+    'ee-EKU-CA_SA-int-EKU-CA_OS.pem',
+    'ee-EKU-CA_SA-int-EKU-CA_SA.pem',
+    'ee-EKU-CA_SA-int-EKU-CA_TS.pem',
+    'ee-EKU-CA_SA-int-EKU-EP.pem',
+    'ee-EKU-CA_SA-int-EKU-EP_NS.pem',
+    'ee-EKU-CA_SA-int-EKU-EP_OS.pem',
+    'ee-EKU-CA_SA-int-EKU-EP_SA.pem',
+    'ee-EKU-CA_SA-int-EKU-EP_TS.pem',
+    'ee-EKU-CA_SA-int-EKU-NONE.pem',
+    'ee-EKU-CA_SA-int-EKU-NS.pem',
+    'ee-EKU-CA_SA-int-EKU-NS_OS.pem',
+    'ee-EKU-CA_SA-int-EKU-NS_SA.pem',
+    'ee-EKU-CA_SA-int-EKU-NS_TS.pem',
+    'ee-EKU-CA_SA-int-EKU-OS.pem',
+    'ee-EKU-CA_SA-int-EKU-OS_SA.pem',
+    'ee-EKU-CA_SA-int-EKU-OS_TS.pem',
+    'ee-EKU-CA_SA-int-EKU-SA.pem',
+    'ee-EKU-CA_SA-int-EKU-SA_TS.pem',
+    'ee-EKU-CA_SA-int-EKU-TS.pem',
+    'ee-EKU-CA_TS-int-EKU-CA.pem',
+    'ee-EKU-CA_TS-int-EKU-CA_EP.pem',
+    'ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-CA_TS-int-EKU-CA_NS.pem',
+    'ee-EKU-CA_TS-int-EKU-CA_OS.pem',
+    'ee-EKU-CA_TS-int-EKU-CA_SA.pem',
+    'ee-EKU-CA_TS-int-EKU-CA_TS.pem',
+    'ee-EKU-CA_TS-int-EKU-EP.pem',
+    'ee-EKU-CA_TS-int-EKU-EP_NS.pem',
+    'ee-EKU-CA_TS-int-EKU-EP_OS.pem',
+    'ee-EKU-CA_TS-int-EKU-EP_SA.pem',
+    'ee-EKU-CA_TS-int-EKU-EP_TS.pem',
+    'ee-EKU-CA_TS-int-EKU-NONE.pem',
+    'ee-EKU-CA_TS-int-EKU-NS.pem',
+    'ee-EKU-CA_TS-int-EKU-NS_OS.pem',
+    'ee-EKU-CA_TS-int-EKU-NS_SA.pem',
+    'ee-EKU-CA_TS-int-EKU-NS_TS.pem',
+    'ee-EKU-CA_TS-int-EKU-OS.pem',
+    'ee-EKU-CA_TS-int-EKU-OS_SA.pem',
+    'ee-EKU-CA_TS-int-EKU-OS_TS.pem',
+    'ee-EKU-CA_TS-int-EKU-SA.pem',
+    'ee-EKU-CA_TS-int-EKU-SA_TS.pem',
+    'ee-EKU-CA_TS-int-EKU-TS.pem',
+    'ee-EKU-EP-int-EKU-CA.pem',
+    'ee-EKU-EP-int-EKU-CA_EP.pem',
+    'ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-EP-int-EKU-CA_NS.pem',
+    'ee-EKU-EP-int-EKU-CA_OS.pem',
+    'ee-EKU-EP-int-EKU-CA_SA.pem',
+    'ee-EKU-EP-int-EKU-CA_TS.pem',
+    'ee-EKU-EP-int-EKU-EP.pem',
+    'ee-EKU-EP-int-EKU-EP_NS.pem',
+    'ee-EKU-EP-int-EKU-EP_OS.pem',
+    'ee-EKU-EP-int-EKU-EP_SA.pem',
+    'ee-EKU-EP-int-EKU-EP_TS.pem',
+    'ee-EKU-EP-int-EKU-NONE.pem',
+    'ee-EKU-EP-int-EKU-NS.pem',
+    'ee-EKU-EP-int-EKU-NS_OS.pem',
+    'ee-EKU-EP-int-EKU-NS_SA.pem',
+    'ee-EKU-EP-int-EKU-NS_TS.pem',
+    'ee-EKU-EP-int-EKU-OS.pem',
+    'ee-EKU-EP-int-EKU-OS_SA.pem',
+    'ee-EKU-EP-int-EKU-OS_TS.pem',
+    'ee-EKU-EP-int-EKU-SA.pem',
+    'ee-EKU-EP-int-EKU-SA_TS.pem',
+    'ee-EKU-EP-int-EKU-TS.pem',
+    'ee-EKU-EP_NS-int-EKU-CA.pem',
+    'ee-EKU-EP_NS-int-EKU-CA_EP.pem',
+    'ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-EP_NS-int-EKU-CA_NS.pem',
+    'ee-EKU-EP_NS-int-EKU-CA_OS.pem',
+    'ee-EKU-EP_NS-int-EKU-CA_SA.pem',
+    'ee-EKU-EP_NS-int-EKU-CA_TS.pem',
+    'ee-EKU-EP_NS-int-EKU-EP.pem',
+    'ee-EKU-EP_NS-int-EKU-EP_NS.pem',
+    'ee-EKU-EP_NS-int-EKU-EP_OS.pem',
+    'ee-EKU-EP_NS-int-EKU-EP_SA.pem',
+    'ee-EKU-EP_NS-int-EKU-EP_TS.pem',
+    'ee-EKU-EP_NS-int-EKU-NONE.pem',
+    'ee-EKU-EP_NS-int-EKU-NS.pem',
+    'ee-EKU-EP_NS-int-EKU-NS_OS.pem',
+    'ee-EKU-EP_NS-int-EKU-NS_SA.pem',
+    'ee-EKU-EP_NS-int-EKU-NS_TS.pem',
+    'ee-EKU-EP_NS-int-EKU-OS.pem',
+    'ee-EKU-EP_NS-int-EKU-OS_SA.pem',
+    'ee-EKU-EP_NS-int-EKU-OS_TS.pem',
+    'ee-EKU-EP_NS-int-EKU-SA.pem',
+    'ee-EKU-EP_NS-int-EKU-SA_TS.pem',
+    'ee-EKU-EP_NS-int-EKU-TS.pem',
+    'ee-EKU-EP_OS-int-EKU-CA.pem',
+    'ee-EKU-EP_OS-int-EKU-CA_EP.pem',
+    'ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-EP_OS-int-EKU-CA_NS.pem',
+    'ee-EKU-EP_OS-int-EKU-CA_OS.pem',
+    'ee-EKU-EP_OS-int-EKU-CA_SA.pem',
+    'ee-EKU-EP_OS-int-EKU-CA_TS.pem',
+    'ee-EKU-EP_OS-int-EKU-EP.pem',
+    'ee-EKU-EP_OS-int-EKU-EP_NS.pem',
+    'ee-EKU-EP_OS-int-EKU-EP_OS.pem',
+    'ee-EKU-EP_OS-int-EKU-EP_SA.pem',
+    'ee-EKU-EP_OS-int-EKU-EP_TS.pem',
+    'ee-EKU-EP_OS-int-EKU-NONE.pem',
+    'ee-EKU-EP_OS-int-EKU-NS.pem',
+    'ee-EKU-EP_OS-int-EKU-NS_OS.pem',
+    'ee-EKU-EP_OS-int-EKU-NS_SA.pem',
+    'ee-EKU-EP_OS-int-EKU-NS_TS.pem',
+    'ee-EKU-EP_OS-int-EKU-OS.pem',
+    'ee-EKU-EP_OS-int-EKU-OS_SA.pem',
+    'ee-EKU-EP_OS-int-EKU-OS_TS.pem',
+    'ee-EKU-EP_OS-int-EKU-SA.pem',
+    'ee-EKU-EP_OS-int-EKU-SA_TS.pem',
+    'ee-EKU-EP_OS-int-EKU-TS.pem',
+    'ee-EKU-EP_SA-int-EKU-CA.pem',
+    'ee-EKU-EP_SA-int-EKU-CA_EP.pem',
+    'ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-EP_SA-int-EKU-CA_NS.pem',
+    'ee-EKU-EP_SA-int-EKU-CA_OS.pem',
+    'ee-EKU-EP_SA-int-EKU-CA_SA.pem',
+    'ee-EKU-EP_SA-int-EKU-CA_TS.pem',
+    'ee-EKU-EP_SA-int-EKU-EP.pem',
+    'ee-EKU-EP_SA-int-EKU-EP_NS.pem',
+    'ee-EKU-EP_SA-int-EKU-EP_OS.pem',
+    'ee-EKU-EP_SA-int-EKU-EP_SA.pem',
+    'ee-EKU-EP_SA-int-EKU-EP_TS.pem',
+    'ee-EKU-EP_SA-int-EKU-NONE.pem',
+    'ee-EKU-EP_SA-int-EKU-NS.pem',
+    'ee-EKU-EP_SA-int-EKU-NS_OS.pem',
+    'ee-EKU-EP_SA-int-EKU-NS_SA.pem',
+    'ee-EKU-EP_SA-int-EKU-NS_TS.pem',
+    'ee-EKU-EP_SA-int-EKU-OS.pem',
+    'ee-EKU-EP_SA-int-EKU-OS_SA.pem',
+    'ee-EKU-EP_SA-int-EKU-OS_TS.pem',
+    'ee-EKU-EP_SA-int-EKU-SA.pem',
+    'ee-EKU-EP_SA-int-EKU-SA_TS.pem',
+    'ee-EKU-EP_SA-int-EKU-TS.pem',
+    'ee-EKU-EP_TS-int-EKU-CA.pem',
+    'ee-EKU-EP_TS-int-EKU-CA_EP.pem',
+    'ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-EP_TS-int-EKU-CA_NS.pem',
+    'ee-EKU-EP_TS-int-EKU-CA_OS.pem',
+    'ee-EKU-EP_TS-int-EKU-CA_SA.pem',
+    'ee-EKU-EP_TS-int-EKU-CA_TS.pem',
+    'ee-EKU-EP_TS-int-EKU-EP.pem',
+    'ee-EKU-EP_TS-int-EKU-EP_NS.pem',
+    'ee-EKU-EP_TS-int-EKU-EP_OS.pem',
+    'ee-EKU-EP_TS-int-EKU-EP_SA.pem',
+    'ee-EKU-EP_TS-int-EKU-EP_TS.pem',
+    'ee-EKU-EP_TS-int-EKU-NONE.pem',
+    'ee-EKU-EP_TS-int-EKU-NS.pem',
+    'ee-EKU-EP_TS-int-EKU-NS_OS.pem',
+    'ee-EKU-EP_TS-int-EKU-NS_SA.pem',
+    'ee-EKU-EP_TS-int-EKU-NS_TS.pem',
+    'ee-EKU-EP_TS-int-EKU-OS.pem',
+    'ee-EKU-EP_TS-int-EKU-OS_SA.pem',
+    'ee-EKU-EP_TS-int-EKU-OS_TS.pem',
+    'ee-EKU-EP_TS-int-EKU-SA.pem',
+    'ee-EKU-EP_TS-int-EKU-SA_TS.pem',
+    'ee-EKU-EP_TS-int-EKU-TS.pem',
+    'ee-EKU-NONE-int-EKU-CA.pem',
+    'ee-EKU-NONE-int-EKU-CA_EP.pem',
+    'ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-NONE-int-EKU-CA_NS.pem',
+    'ee-EKU-NONE-int-EKU-CA_OS.pem',
+    'ee-EKU-NONE-int-EKU-CA_SA.pem',
+    'ee-EKU-NONE-int-EKU-CA_TS.pem',
+    'ee-EKU-NONE-int-EKU-EP.pem',
+    'ee-EKU-NONE-int-EKU-EP_NS.pem',
+    'ee-EKU-NONE-int-EKU-EP_OS.pem',
+    'ee-EKU-NONE-int-EKU-EP_SA.pem',
+    'ee-EKU-NONE-int-EKU-EP_TS.pem',
+    'ee-EKU-NONE-int-EKU-NONE.pem',
+    'ee-EKU-NONE-int-EKU-NS.pem',
+    'ee-EKU-NONE-int-EKU-NS_OS.pem',
+    'ee-EKU-NONE-int-EKU-NS_SA.pem',
+    'ee-EKU-NONE-int-EKU-NS_TS.pem',
+    'ee-EKU-NONE-int-EKU-OS.pem',
+    'ee-EKU-NONE-int-EKU-OS_SA.pem',
+    'ee-EKU-NONE-int-EKU-OS_TS.pem',
+    'ee-EKU-NONE-int-EKU-SA.pem',
+    'ee-EKU-NONE-int-EKU-SA_TS.pem',
+    'ee-EKU-NONE-int-EKU-TS.pem',
+    'ee-EKU-NS-int-EKU-CA.pem',
+    'ee-EKU-NS-int-EKU-CA_EP.pem',
+    'ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-NS-int-EKU-CA_NS.pem',
+    'ee-EKU-NS-int-EKU-CA_OS.pem',
+    'ee-EKU-NS-int-EKU-CA_SA.pem',
+    'ee-EKU-NS-int-EKU-CA_TS.pem',
+    'ee-EKU-NS-int-EKU-EP.pem',
+    'ee-EKU-NS-int-EKU-EP_NS.pem',
+    'ee-EKU-NS-int-EKU-EP_OS.pem',
+    'ee-EKU-NS-int-EKU-EP_SA.pem',
+    'ee-EKU-NS-int-EKU-EP_TS.pem',
+    'ee-EKU-NS-int-EKU-NONE.pem',
+    'ee-EKU-NS-int-EKU-NS.pem',
+    'ee-EKU-NS-int-EKU-NS_OS.pem',
+    'ee-EKU-NS-int-EKU-NS_SA.pem',
+    'ee-EKU-NS-int-EKU-NS_TS.pem',
+    'ee-EKU-NS-int-EKU-OS.pem',
+    'ee-EKU-NS-int-EKU-OS_SA.pem',
+    'ee-EKU-NS-int-EKU-OS_TS.pem',
+    'ee-EKU-NS-int-EKU-SA.pem',
+    'ee-EKU-NS-int-EKU-SA_TS.pem',
+    'ee-EKU-NS-int-EKU-TS.pem',
+    'ee-EKU-NS_OS-int-EKU-CA.pem',
+    'ee-EKU-NS_OS-int-EKU-CA_EP.pem',
+    'ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-NS_OS-int-EKU-CA_NS.pem',
+    'ee-EKU-NS_OS-int-EKU-CA_OS.pem',
+    'ee-EKU-NS_OS-int-EKU-CA_SA.pem',
+    'ee-EKU-NS_OS-int-EKU-CA_TS.pem',
+    'ee-EKU-NS_OS-int-EKU-EP.pem',
+    'ee-EKU-NS_OS-int-EKU-EP_NS.pem',
+    'ee-EKU-NS_OS-int-EKU-EP_OS.pem',
+    'ee-EKU-NS_OS-int-EKU-EP_SA.pem',
+    'ee-EKU-NS_OS-int-EKU-EP_TS.pem',
+    'ee-EKU-NS_OS-int-EKU-NONE.pem',
+    'ee-EKU-NS_OS-int-EKU-NS.pem',
+    'ee-EKU-NS_OS-int-EKU-NS_OS.pem',
+    'ee-EKU-NS_OS-int-EKU-NS_SA.pem',
+    'ee-EKU-NS_OS-int-EKU-NS_TS.pem',
+    'ee-EKU-NS_OS-int-EKU-OS.pem',
+    'ee-EKU-NS_OS-int-EKU-OS_SA.pem',
+    'ee-EKU-NS_OS-int-EKU-OS_TS.pem',
+    'ee-EKU-NS_OS-int-EKU-SA.pem',
+    'ee-EKU-NS_OS-int-EKU-SA_TS.pem',
+    'ee-EKU-NS_OS-int-EKU-TS.pem',
+    'ee-EKU-NS_SA-int-EKU-CA.pem',
+    'ee-EKU-NS_SA-int-EKU-CA_EP.pem',
+    'ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-NS_SA-int-EKU-CA_NS.pem',
+    'ee-EKU-NS_SA-int-EKU-CA_OS.pem',
+    'ee-EKU-NS_SA-int-EKU-CA_SA.pem',
+    'ee-EKU-NS_SA-int-EKU-CA_TS.pem',
+    'ee-EKU-NS_SA-int-EKU-EP.pem',
+    'ee-EKU-NS_SA-int-EKU-EP_NS.pem',
+    'ee-EKU-NS_SA-int-EKU-EP_OS.pem',
+    'ee-EKU-NS_SA-int-EKU-EP_SA.pem',
+    'ee-EKU-NS_SA-int-EKU-EP_TS.pem',
+    'ee-EKU-NS_SA-int-EKU-NONE.pem',
+    'ee-EKU-NS_SA-int-EKU-NS.pem',
+    'ee-EKU-NS_SA-int-EKU-NS_OS.pem',
+    'ee-EKU-NS_SA-int-EKU-NS_SA.pem',
+    'ee-EKU-NS_SA-int-EKU-NS_TS.pem',
+    'ee-EKU-NS_SA-int-EKU-OS.pem',
+    'ee-EKU-NS_SA-int-EKU-OS_SA.pem',
+    'ee-EKU-NS_SA-int-EKU-OS_TS.pem',
+    'ee-EKU-NS_SA-int-EKU-SA.pem',
+    'ee-EKU-NS_SA-int-EKU-SA_TS.pem',
+    'ee-EKU-NS_SA-int-EKU-TS.pem',
+    'ee-EKU-NS_TS-int-EKU-CA.pem',
+    'ee-EKU-NS_TS-int-EKU-CA_EP.pem',
+    'ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-NS_TS-int-EKU-CA_NS.pem',
+    'ee-EKU-NS_TS-int-EKU-CA_OS.pem',
+    'ee-EKU-NS_TS-int-EKU-CA_SA.pem',
+    'ee-EKU-NS_TS-int-EKU-CA_TS.pem',
+    'ee-EKU-NS_TS-int-EKU-EP.pem',
+    'ee-EKU-NS_TS-int-EKU-EP_NS.pem',
+    'ee-EKU-NS_TS-int-EKU-EP_OS.pem',
+    'ee-EKU-NS_TS-int-EKU-EP_SA.pem',
+    'ee-EKU-NS_TS-int-EKU-EP_TS.pem',
+    'ee-EKU-NS_TS-int-EKU-NONE.pem',
+    'ee-EKU-NS_TS-int-EKU-NS.pem',
+    'ee-EKU-NS_TS-int-EKU-NS_OS.pem',
+    'ee-EKU-NS_TS-int-EKU-NS_SA.pem',
+    'ee-EKU-NS_TS-int-EKU-NS_TS.pem',
+    'ee-EKU-NS_TS-int-EKU-OS.pem',
+    'ee-EKU-NS_TS-int-EKU-OS_SA.pem',
+    'ee-EKU-NS_TS-int-EKU-OS_TS.pem',
+    'ee-EKU-NS_TS-int-EKU-SA.pem',
+    'ee-EKU-NS_TS-int-EKU-SA_TS.pem',
+    'ee-EKU-NS_TS-int-EKU-TS.pem',
+    'ee-EKU-OS-int-EKU-CA.pem',
+    'ee-EKU-OS-int-EKU-CA_EP.pem',
+    'ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-OS-int-EKU-CA_NS.pem',
+    'ee-EKU-OS-int-EKU-CA_OS.pem',
+    'ee-EKU-OS-int-EKU-CA_SA.pem',
+    'ee-EKU-OS-int-EKU-CA_TS.pem',
+    'ee-EKU-OS-int-EKU-EP.pem',
+    'ee-EKU-OS-int-EKU-EP_NS.pem',
+    'ee-EKU-OS-int-EKU-EP_OS.pem',
+    'ee-EKU-OS-int-EKU-EP_SA.pem',
+    'ee-EKU-OS-int-EKU-EP_TS.pem',
+    'ee-EKU-OS-int-EKU-NONE.pem',
+    'ee-EKU-OS-int-EKU-NS.pem',
+    'ee-EKU-OS-int-EKU-NS_OS.pem',
+    'ee-EKU-OS-int-EKU-NS_SA.pem',
+    'ee-EKU-OS-int-EKU-NS_TS.pem',
+    'ee-EKU-OS-int-EKU-OS.pem',
+    'ee-EKU-OS-int-EKU-OS_SA.pem',
+    'ee-EKU-OS-int-EKU-OS_TS.pem',
+    'ee-EKU-OS-int-EKU-SA.pem',
+    'ee-EKU-OS-int-EKU-SA_TS.pem',
+    'ee-EKU-OS-int-EKU-TS.pem',
+    'ee-EKU-OS_SA-int-EKU-CA.pem',
+    'ee-EKU-OS_SA-int-EKU-CA_EP.pem',
+    'ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-OS_SA-int-EKU-CA_NS.pem',
+    'ee-EKU-OS_SA-int-EKU-CA_OS.pem',
+    'ee-EKU-OS_SA-int-EKU-CA_SA.pem',
+    'ee-EKU-OS_SA-int-EKU-CA_TS.pem',
+    'ee-EKU-OS_SA-int-EKU-EP.pem',
+    'ee-EKU-OS_SA-int-EKU-EP_NS.pem',
+    'ee-EKU-OS_SA-int-EKU-EP_OS.pem',
+    'ee-EKU-OS_SA-int-EKU-EP_SA.pem',
+    'ee-EKU-OS_SA-int-EKU-EP_TS.pem',
+    'ee-EKU-OS_SA-int-EKU-NONE.pem',
+    'ee-EKU-OS_SA-int-EKU-NS.pem',
+    'ee-EKU-OS_SA-int-EKU-NS_OS.pem',
+    'ee-EKU-OS_SA-int-EKU-NS_SA.pem',
+    'ee-EKU-OS_SA-int-EKU-NS_TS.pem',
+    'ee-EKU-OS_SA-int-EKU-OS.pem',
+    'ee-EKU-OS_SA-int-EKU-OS_SA.pem',
+    'ee-EKU-OS_SA-int-EKU-OS_TS.pem',
+    'ee-EKU-OS_SA-int-EKU-SA.pem',
+    'ee-EKU-OS_SA-int-EKU-SA_TS.pem',
+    'ee-EKU-OS_SA-int-EKU-TS.pem',
+    'ee-EKU-OS_TS-int-EKU-CA.pem',
+    'ee-EKU-OS_TS-int-EKU-CA_EP.pem',
+    'ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-OS_TS-int-EKU-CA_NS.pem',
+    'ee-EKU-OS_TS-int-EKU-CA_OS.pem',
+    'ee-EKU-OS_TS-int-EKU-CA_SA.pem',
+    'ee-EKU-OS_TS-int-EKU-CA_TS.pem',
+    'ee-EKU-OS_TS-int-EKU-EP.pem',
+    'ee-EKU-OS_TS-int-EKU-EP_NS.pem',
+    'ee-EKU-OS_TS-int-EKU-EP_OS.pem',
+    'ee-EKU-OS_TS-int-EKU-EP_SA.pem',
+    'ee-EKU-OS_TS-int-EKU-EP_TS.pem',
+    'ee-EKU-OS_TS-int-EKU-NONE.pem',
+    'ee-EKU-OS_TS-int-EKU-NS.pem',
+    'ee-EKU-OS_TS-int-EKU-NS_OS.pem',
+    'ee-EKU-OS_TS-int-EKU-NS_SA.pem',
+    'ee-EKU-OS_TS-int-EKU-NS_TS.pem',
+    'ee-EKU-OS_TS-int-EKU-OS.pem',
+    'ee-EKU-OS_TS-int-EKU-OS_SA.pem',
+    'ee-EKU-OS_TS-int-EKU-OS_TS.pem',
+    'ee-EKU-OS_TS-int-EKU-SA.pem',
+    'ee-EKU-OS_TS-int-EKU-SA_TS.pem',
+    'ee-EKU-OS_TS-int-EKU-TS.pem',
+    'ee-EKU-SA-int-EKU-CA.pem',
+    'ee-EKU-SA-int-EKU-CA_EP.pem',
+    'ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-SA-int-EKU-CA_NS.pem',
+    'ee-EKU-SA-int-EKU-CA_OS.pem',
+    'ee-EKU-SA-int-EKU-CA_SA.pem',
+    'ee-EKU-SA-int-EKU-CA_TS.pem',
+    'ee-EKU-SA-int-EKU-EP.pem',
+    'ee-EKU-SA-int-EKU-EP_NS.pem',
+    'ee-EKU-SA-int-EKU-EP_OS.pem',
+    'ee-EKU-SA-int-EKU-EP_SA.pem',
+    'ee-EKU-SA-int-EKU-EP_TS.pem',
+    'ee-EKU-SA-int-EKU-NONE.pem',
+    'ee-EKU-SA-int-EKU-NS.pem',
+    'ee-EKU-SA-int-EKU-NS_OS.pem',
+    'ee-EKU-SA-int-EKU-NS_SA.pem',
+    'ee-EKU-SA-int-EKU-NS_TS.pem',
+    'ee-EKU-SA-int-EKU-OS.pem',
+    'ee-EKU-SA-int-EKU-OS_SA.pem',
+    'ee-EKU-SA-int-EKU-OS_TS.pem',
+    'ee-EKU-SA-int-EKU-SA.pem',
+    'ee-EKU-SA-int-EKU-SA_TS.pem',
+    'ee-EKU-SA-int-EKU-TS.pem',
+    'ee-EKU-SA_TS-int-EKU-CA.pem',
+    'ee-EKU-SA_TS-int-EKU-CA_EP.pem',
+    'ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-SA_TS-int-EKU-CA_NS.pem',
+    'ee-EKU-SA_TS-int-EKU-CA_OS.pem',
+    'ee-EKU-SA_TS-int-EKU-CA_SA.pem',
+    'ee-EKU-SA_TS-int-EKU-CA_TS.pem',
+    'ee-EKU-SA_TS-int-EKU-EP.pem',
+    'ee-EKU-SA_TS-int-EKU-EP_NS.pem',
+    'ee-EKU-SA_TS-int-EKU-EP_OS.pem',
+    'ee-EKU-SA_TS-int-EKU-EP_SA.pem',
+    'ee-EKU-SA_TS-int-EKU-EP_TS.pem',
+    'ee-EKU-SA_TS-int-EKU-NONE.pem',
+    'ee-EKU-SA_TS-int-EKU-NS.pem',
+    'ee-EKU-SA_TS-int-EKU-NS_OS.pem',
+    'ee-EKU-SA_TS-int-EKU-NS_SA.pem',
+    'ee-EKU-SA_TS-int-EKU-NS_TS.pem',
+    'ee-EKU-SA_TS-int-EKU-OS.pem',
+    'ee-EKU-SA_TS-int-EKU-OS_SA.pem',
+    'ee-EKU-SA_TS-int-EKU-OS_TS.pem',
+    'ee-EKU-SA_TS-int-EKU-SA.pem',
+    'ee-EKU-SA_TS-int-EKU-SA_TS.pem',
+    'ee-EKU-SA_TS-int-EKU-TS.pem',
+    'ee-EKU-TS-int-EKU-CA.pem',
+    'ee-EKU-TS-int-EKU-CA_EP.pem',
+    'ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'ee-EKU-TS-int-EKU-CA_NS.pem',
+    'ee-EKU-TS-int-EKU-CA_OS.pem',
+    'ee-EKU-TS-int-EKU-CA_SA.pem',
+    'ee-EKU-TS-int-EKU-CA_TS.pem',
+    'ee-EKU-TS-int-EKU-EP.pem',
+    'ee-EKU-TS-int-EKU-EP_NS.pem',
+    'ee-EKU-TS-int-EKU-EP_OS.pem',
+    'ee-EKU-TS-int-EKU-EP_SA.pem',
+    'ee-EKU-TS-int-EKU-EP_TS.pem',
+    'ee-EKU-TS-int-EKU-NONE.pem',
+    'ee-EKU-TS-int-EKU-NS.pem',
+    'ee-EKU-TS-int-EKU-NS_OS.pem',
+    'ee-EKU-TS-int-EKU-NS_SA.pem',
+    'ee-EKU-TS-int-EKU-NS_TS.pem',
+    'ee-EKU-TS-int-EKU-OS.pem',
+    'ee-EKU-TS-int-EKU-OS_SA.pem',
+    'ee-EKU-TS-int-EKU-OS_TS.pem',
+    'ee-EKU-TS-int-EKU-SA.pem',
+    'ee-EKU-TS-int-EKU-SA_TS.pem',
+    'ee-EKU-TS-int-EKU-TS.pem',
+    'int-EKU-CA.pem',
+    'int-EKU-CA_EP.pem',
+    'int-EKU-CA_EP_NS_OS_SA_TS.pem',
+    'int-EKU-CA_NS.pem',
+    'int-EKU-CA_OS.pem',
+    'int-EKU-CA_SA.pem',
+    'int-EKU-CA_TS.pem',
+    'int-EKU-EP.pem',
+    'int-EKU-EP_NS.pem',
+    'int-EKU-EP_OS.pem',
+    'int-EKU-EP_SA.pem',
+    'int-EKU-EP_TS.pem',
+    'int-EKU-NONE.pem',
+    'int-EKU-NS.pem',
+    'int-EKU-NS_OS.pem',
+    'int-EKU-NS_SA.pem',
+    'int-EKU-NS_TS.pem',
+    'int-EKU-OS.pem',
+    'int-EKU-OS_SA.pem',
+    'int-EKU-OS_TS.pem',
+    'int-EKU-SA.pem',
+    'int-EKU-SA_TS.pem',
+    'int-EKU-TS.pem',
+)
+
+for test_certificate in test_certificates:
+    input_file = test_certificate + '.certspec'
+    GENERATED_FILES += [test_certificate]
+    props = GENERATED_FILES[test_certificate]
+    props.script = '../pycert.py'
+    props.inputs = [input_file, '!/config/buildid']
+    TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_cert_eku += ['!%s' % test_certificate]
diff --git a/testing/config/mozharness/linux_config.py b/testing/config/mozharness/linux_config.py
index ff07183f83e7..7f79e3bbc0a2 100644
--- a/testing/config/mozharness/linux_config.py
+++ b/testing/config/mozharness/linux_config.py
@@ -84,7 +84,8 @@ config = {
             "options": [
                 "--symbols-path=%(symbols_path)s",
                 "--test-plugin-path=%(test_plugin_path)s",
-                "--log-raw=%(raw_log_file)s"
+                "--log-raw=%(raw_log_file)s",
+                "--utility-path=tests/bin",
             ],
             "run_filename": "runxpcshelltests.py",
             "testsdir": "xpcshell"
diff --git a/testing/config/mozharness/mac_config.py b/testing/config/mozharness/mac_config.py
index f4b1a68a8354..8d2cd095adea 100644
--- a/testing/config/mozharness/mac_config.py
+++ b/testing/config/mozharness/mac_config.py
@@ -82,7 +82,8 @@ config = {
             "options": [
                 "--symbols-path=%(symbols_path)s",
                 "--test-plugin-path=%(test_plugin_path)s",
-                "--log-raw=%(raw_log_file)s"
+                "--log-raw=%(raw_log_file)s",
+                "--utility-path=tests/bin",
             ],
             "run_filename": "runxpcshelltests.py",
             "testsdir": "xpcshell"
diff --git a/testing/config/mozharness/windows_config.py b/testing/config/mozharness/windows_config.py
index f4b1a68a8354..8d2cd095adea 100644
--- a/testing/config/mozharness/windows_config.py
+++ b/testing/config/mozharness/windows_config.py
@@ -82,7 +82,8 @@ config = {
             "options": [
                 "--symbols-path=%(symbols_path)s",
                 "--test-plugin-path=%(test_plugin_path)s",
-                "--log-raw=%(raw_log_file)s"
+                "--log-raw=%(raw_log_file)s",
+                "--utility-path=tests/bin",
             ],
             "run_filename": "runxpcshelltests.py",
             "testsdir": "xpcshell"
diff --git a/testing/cppunittest.ini b/testing/cppunittest.ini
index ab885dc9be0b..e4aaa9987244 100644
--- a/testing/cppunittest.ini
+++ b/testing/cppunittest.ini
@@ -87,6 +87,7 @@ skip-if = os == 'b2g'  #Bug 919595
 [TestWebGLElementArrayCache]
 [buffered_stun_socket_unittest]
 [ice_unittest]
+[test_nr_socket_unittest]
 [jsapi-tests]
 skip-if = os == 'b2g'  #Bug 1068946
 [mediaconduit_unittests]
diff --git a/testing/docker/desktop-build/bin/build.sh b/testing/docker/desktop-build/bin/build.sh
index 4daab6674bb6..f5ffd8403d9c 100644
--- a/testing/docker/desktop-build/bin/build.sh
+++ b/testing/docker/desktop-build/bin/build.sh
@@ -47,6 +47,12 @@ set -x -e
 
 : WORKSPACE                     ${WORKSPACE:=/home/worker/workspace}
 
+# files to be "uploaded" (moved to ~/artifacts) from obj-firefox/dist
+: DIST_UPLOADS                  ${DIST_UPLOADS:=""}
+# files which will be be prefixed with target before being sent to artifacts
+# e.g. DIST_TARGET_UPLOADS="a.zip" runs mv v2.0.a.zip mv artifacts/target.a.zip
+: DIST_TARGET_UPLOADS           ${DIST_TARGET_UPLOADS:=""}
+
 set -v
 
 # Don't run the upload step; this is passed through mozharness to mach.  Once
@@ -87,13 +93,6 @@ fi
 # and check out mozilla-central where mozharness will use it as a cache (/builds/hg-shared)
 tc-vcs checkout $WORKSPACE/build/src $GECKO_BASE_REPOSITORY $GECKO_HEAD_REPOSITORY $GECKO_HEAD_REV $GECKO_HEAD_REF
 
-# the TC docker worker looks for artifacts to upload in $HOME/artifacts, but
-# mach wants to put them in $WORKSPACE/build/upload; symlinking lets everyone
-# win!
-rm -rf $WORKSPACE/build/upload
-mkdir -p $HOME/artifacts
-ln -s $HOME/artifacts $WORKSPACE/build/upload
-
 # run mozharness in XVfb, if necessary; this is an array to maintain the quoting in the -s argument
 if $NEED_XVFB; then
     # Some mozharness scripts set DISPLAY=:2
@@ -172,3 +171,18 @@ done
   --no-action=generate-build-stats \
   --branch=${MH_BRANCH} \
   --build-pool=${MH_BUILD_POOL}
+
+# upload auxiliary files
+cd $WORKSPACE/build/src/obj-firefox/dist
+
+for file in $DIST_UPLOADS
+do
+    mv $file $HOME/artifacts/$file
+done
+
+# Discard version numbers from packaged files, they just make it hard to write
+# the right filename in the task payload where artifacts are declared
+for file in $DIST_TARGET_UPLOADS
+do
+    mv *.$file $HOME/artifacts/target.$file
+done
diff --git a/testing/mach_commands.py b/testing/mach_commands.py
index 1a13f1a58430..3e1bf7ca9f26 100644
--- a/testing/mach_commands.py
+++ b/testing/mach_commands.py
@@ -184,6 +184,24 @@ class Test(MachCommandBase):
     @Command('test', category='testing', description='Run tests (detects the kind of test and runs it).')
     @CommandArgument('what', default=None, nargs='*', help=TEST_HELP)
     def test(self, what):
+        """Run tests from names or paths.
+
+        mach test accepts arguments specifying which tests to run. Each argument
+        can be:
+
+        * The path to a test file
+        * A directory containing tests
+        * A test suite name
+        * An alias to a test suite name (codes used on TreeHerder)
+
+        When paths or directories are given, they are first resolved to test
+        files known to the build system.
+
+        If resolved tests belong to more than one test type/flavor/harness,
+        the harness for each relevant type/flavor will be invoked. e.g. if
+        you specify a directory with xpcshell and browser chrome mochitests,
+        both harnesses will be invoked.
+        """
         from mozbuild.testing import TestResolver
 
         # Parse arguments and assemble a test "plan."
diff --git a/testing/marionette/driver.js b/testing/marionette/driver.js
index 5b847ce69c79..f49c74746a47 100644
--- a/testing/marionette/driver.js
+++ b/testing/marionette/driver.js
@@ -3170,7 +3170,8 @@ BrowserObj.prototype.register = function(uid, target) {
 BrowserObj.prototype.hasRemotenessChange = function() {
   // None of these checks are relevant on b2g or if we don't have a tab yet,
   // and may not apply on Fennec.
-  if (this.driver.appName != "Firefox" || this.tab === null) {
+  if (this.driver.appName != "Firefox" || this.tab === null ||
+      !this.browserForTab) {
     return false;
   }
 
diff --git a/testing/mochitest/runtests.py b/testing/mochitest/runtests.py
index 79b7a6fc8783..db7dcf3c45a4 100644
--- a/testing/mochitest/runtests.py
+++ b/testing/mochitest/runtests.py
@@ -1936,12 +1936,24 @@ class Mochitest(MochitestUtilsMixin):
 
                 # Add chunking filters if specified
                 if options.totalChunks:
+                    if options.chunkByRuntime:
+                        runtime_file = self.resolve_runtime_file(options, info)
+                        if not os.path.exists(runtime_file):
+                            self.log.warning("runtime file %s not found; defaulting to chunk-by-dir" %
+                                             runtime_file)
+                            options.chunkByRuntime = None
+                            flavor = self.getTestFlavor(options)
+                            if flavor in ('browser-chrome', 'devtools-chrome'):
+                                # these values match current mozharness configs
+                                options.chunkbyDir = 5
+                            else:
+                                options.chunkByDir = 4
+
                     if options.chunkByDir:
                         filters.append(chunk_by_dir(options.thisChunk,
                                                     options.totalChunks,
                                                     options.chunkByDir))
                     elif options.chunkByRuntime:
-                        runtime_file = self.resolve_runtime_file(options, info)
                         with open(runtime_file, 'r') as f:
                             runtime_data = json.loads(f.read())
                         runtimes = runtime_data['runtimes']
diff --git a/testing/mozbase/mozdevice/mozdevice/devicemanagerADB.py b/testing/mozbase/mozdevice/mozdevice/devicemanagerADB.py
index dd6fd4037eb0..f2f92676fe69 100644
--- a/testing/mozbase/mozdevice/mozdevice/devicemanagerADB.py
+++ b/testing/mozbase/mozdevice/mozdevice/devicemanagerADB.py
@@ -539,9 +539,10 @@ class DeviceManagerADB(DeviceManager):
         self.uninstallApp(appName)
         self.reboot()
 
-    def _runCmd(self, args, retryLimit=None):
+    def _runCmd(self, args, timeout=None, retryLimit=None):
         """
         Runs a command using adb
+        If timeout is specified, the process is killed after <timeout> seconds.
 
         returns: instance of ProcessHandler
         """
@@ -555,11 +556,17 @@ class DeviceManagerADB(DeviceManager):
             finalArgs.extend(['-s', self._deviceSerial])
         finalArgs.extend(args)
         self._logger.debug("_runCmd - command: %s" % ' '.join(finalArgs))
+        if not timeout:
+            timeout = self.default_timeout
+
+        def _timeout():
+            self._logger.error("Timeout exceeded for _runCmd call '%s'" % ' '.join(finalArgs))
+
         retries = 0
         while retries < retryLimit:
             proc = ProcessHandler(finalArgs, storeOutput=True,
-                    processOutputLine=self._log)
-            proc.run()
+                    processOutputLine=self._log, onTimeout=_timeout)
+            proc.run(timeout=timeout)
             proc.returncode = proc.wait()
             if proc.returncode == None:
                 proc.kill()
diff --git a/testing/mozbase/mozprofile/mozprofile/prefs.py b/testing/mozbase/mozprofile/mozprofile/prefs.py
index 3497cda0d0b4..efce9f666522 100644
--- a/testing/mozbase/mozprofile/mozprofile/prefs.py
+++ b/testing/mozbase/mozprofile/mozprofile/prefs.py
@@ -164,8 +164,6 @@ class Preferences(object):
                               to str.format to interpolate preference values.
         """
 
-        comment = re.compile('/\*([^*]|[\r\n]|(\*+([^*/]|[\r\n])))*\*+/', re.MULTILINE)
-
         marker = '##//' # magical marker
         lines = [i.strip() for i in mozfile.load(path).readlines() if i.strip()]
         _lines = []
@@ -176,7 +174,6 @@ class Preferences(object):
                 line = line.replace('//', marker)
             _lines.append(line)
         string = '\n'.join(_lines)
-        string = re.sub(comment, '', string)
 
         # skip trailing comments
         processed_tokens = []
diff --git a/testing/profiles/prefs_general.js b/testing/profiles/prefs_general.js
index 029854cc6b76..192f94748927 100644
--- a/testing/profiles/prefs_general.js
+++ b/testing/profiles/prefs_general.js
@@ -60,8 +60,6 @@ user_pref("font.size.inflation.minTwips", 0);
 
 // AddonManager tests require that the experiments provider be present.
 user_pref("experiments.supported", true);
-user_pref("experiments.logging.level", "Trace");
-user_pref("experiments.logging.dump", true);
 // Point the manifest at something local so we don't risk it hitting production
 // data and installing experiments that may vary over time.
 user_pref("experiments.manifest.uri", "http://%(server)s/experiments-dummy/manifest");
diff --git a/testing/tools/screenshot/gdk-screenshot.cpp b/testing/tools/screenshot/gdk-screenshot.cpp
index c42d9a3173e8..9cdeac577ace 100644
--- a/testing/tools/screenshot/gdk-screenshot.cpp
+++ b/testing/tools/screenshot/gdk-screenshot.cpp
@@ -60,8 +60,7 @@ int main(int argc, char** argv)
 {
   gdk_init(&argc, &argv);
 
-// TODO GTK3
-#if defined(HAVE_LIBXSS) && (MOZ_WIDGET_GTK == 2)
+#if defined(HAVE_LIBXSS) && defined(MOZ_WIDGET_GTK)
   int event_base, error_base;
   Bool have_xscreensaver =
     XScreenSaverQueryExtension(GDK_DISPLAY(), &event_base, &error_base);
@@ -127,13 +126,16 @@ int main(int argc, char** argv)
 #endif
 
   GdkPixbuf* screenshot = nullptr;
-// TODO GTK3
-#if (MOZ_WIDGET_GTK == 2)
   GdkWindow* window = gdk_get_default_root_window();
+#if (MOZ_WIDGET_GTK == 2)
   screenshot = gdk_pixbuf_get_from_drawable(nullptr, window, nullptr,
                                             0, 0, 0, 0,
                                             gdk_screen_width(),
                                             gdk_screen_height());
+#else
+  screenshot = gdk_pixbuf_get_from_window(window, 0, 0,
+                                          gdk_window_get_width(window),
+                                          gdk_window_get_height(window));
 #endif
   if (!screenshot) {
     fprintf(stderr, "%s: failed to create screenshot GdkPixbuf\n", argv[0]);
diff --git a/testing/web-platform/meta/html/dom/reflection-forms.html.ini b/testing/web-platform/meta/html/dom/reflection-forms.html.ini
index 69c83cd68fce..8c2bccfe231a 100644
--- a/testing/web-platform/meta/html/dom/reflection-forms.html.ini
+++ b/testing/web-platform/meta/html/dom/reflection-forms.html.ini
@@ -1,5 +1,6 @@
 [reflection-forms.html]
   type: testharness
+  prefs: [dom.forms.inputmode:true]
   [form.tabIndex: setAttribute() to -2147483648 followed by IDL get]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/web-animations/__dir__.ini b/testing/web-platform/meta/web-animations/__dir__.ini
new file mode 100644
index 000000000000..d8cab869f8bc
--- /dev/null
+++ b/testing/web-platform/meta/web-animations/__dir__.ini
@@ -0,0 +1 @@
+prefs: [dom.animations-api.core.enabled:true]
\ No newline at end of file
diff --git a/testing/web-platform/tests/media-source/URL-createObjectURL-revoke.html b/testing/web-platform/tests/media-source/URL-createObjectURL-revoke.html
index 5355659ec6e0..c5e18d4fd585 100644
--- a/testing/web-platform/tests/media-source/URL-createObjectURL-revoke.html
+++ b/testing/web-platform/tests/media-source/URL-createObjectURL-revoke.html
@@ -38,6 +38,22 @@ async_test(function(t) {
         video.removeEventListener('error', unexpectedErrorHandler);
     }));
 }, "Check referenced MediaSource can open after URL.revokeObjectURL(url).");
+async_test(function(t) {
+    var mediaSource = new MediaSource();
+    var url = window.URL.createObjectURL(mediaSource);
+    setTimeout(function() {
+        mediaSource.addEventListener('sourceopen',
+                                     t.unreached_func("url should not reference MediaSource."));
+        var video = document.createElement('video');
+        video.src = url;
+        video.addEventListener('error', t.step_func_done(function(e) {
+            assert_equals(e.target.error.code,
+                          MediaError.MEDIA_ERR_SRC_NOT_SUPPORTED,
+                          'Expected error code');
+            assert_equals(mediaSource.readyState, 'closed');
+        }));
+    }, 0);
+}, "Check auto-revoking behavior with URL.createObjectURL(MediaSource).");
 </script>
 </body>
 </html>
diff --git a/testing/xpcshell/mach_commands.py b/testing/xpcshell/mach_commands.py
index 1360f3a566fc..380355c556e9 100644
--- a/testing/xpcshell/mach_commands.py
+++ b/testing/xpcshell/mach_commands.py
@@ -173,6 +173,7 @@ class XPCShellRunner(MozbuildObject):
             'jsDebugger': jsDebugger,
             'jsDebuggerPort': jsDebuggerPort,
             'test_tags': test_tags,
+            'utility_path': self.bindir,
         }
 
         if test_path is not None:
diff --git a/testing/xpcshell/runxpcshelltests.py b/testing/xpcshell/runxpcshelltests.py
index 8769c76617d8..3a4a94b66d14 100755
--- a/testing/xpcshell/runxpcshelltests.py
+++ b/testing/xpcshell/runxpcshelltests.py
@@ -5,6 +5,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 import copy
+import importlib
 import json
 import math
 import mozdebug
@@ -90,6 +91,39 @@ def cleanup_encoding(s):
     # Replace all C0 and C1 control characters with \xNN escapes.
     return _cleanup_encoding_re.sub(_cleanup_encoding_repl, s)
 
+def find_stack_fixer(mozinfo, utility_dir, symbols_path):
+    # This is mostly taken from the equivalent in runreftest.py, itself similar
+    # to the mochitest version. It's not a huge amount of code, but deduping it
+    # might be nice. This version is indepenent of an enclosing harness class,
+    # so should easily be movable to a shared location.
+    if not mozinfo.info.get('debug'):
+        return None
+
+    def import_stack_fixer_module(module_name):
+        sys.path.insert(0, utility_dir)
+        module = importlib.import_module(module_name)
+        sys.path.pop(0)
+        return module
+
+    stack_fixer_function = None
+
+    if symbols_path and os.path.exists(symbols_path):
+        # Run each line through a function in fix_stack_using_bpsyms.py (uses breakpad symbol files).
+        # This method is preferred for Tinderbox builds, since native symbols may have been stripped.
+        stack_fixer_module = import_stack_fixer_module('fix_stack_using_bpsyms')
+        stack_fixer_function = lambda line: stack_fixer_module.fixSymbols(line, symbols_path)
+    elif mozinfo.isMac:
+        # Run each line through fix_macosx_stack.py (uses atos).
+        # This method is preferred for developer machines, so we don't have to run "make buildsymbols".
+        stack_fixer_module = import_stack_fixer_module('fix_macosx_stack')
+        stack_fixer_function = stack_fixer_module.fixSymbols
+    elif mozinfo.isLinux:
+        stack_fixer_module = import_stack_fixer_module('fix_linux_stack')
+        stack_fixer_function = stack_fixer_module.fixSymbols
+
+    return stack_fixer_function
+
+
 """ Control-C handling """
 gotSIGINT = False
 def markGotSIGINT(signum, stackFrame):
@@ -126,6 +160,7 @@ class XPCShellTestThread(Thread):
         self.xpcshell = kwargs.get('xpcshell')
         self.xpcsRunArgs = kwargs.get('xpcsRunArgs')
         self.failureManifest = kwargs.get('failureManifest')
+        self.stack_fixer_function = kwargs.get('stack_fixer_function')
 
         self.tests_root_dir = tests_root_dir
         self.app_dir_key = app_dir_key
@@ -490,17 +525,23 @@ class XPCShellTestThread(Thread):
         if self.saw_proc_start and not self.saw_proc_end:
             self.has_failure_output = True
 
+    def fix_text_output(self, line):
+        line = cleanup_encoding(line)
+        if self.stack_fixer_function is not None:
+            return self.stack_fixer_function(line)
+        return line
+
     def log_line(self, line):
         """Log a line of output (either a parser json object or text output from
         the test process"""
         if isinstance(line, basestring):
-            line = cleanup_encoding(line).rstrip("\r\n")
+            line = self.fix_text_output(line).rstrip('\r\n')
             self.log.process_output(self.proc_ident,
                                     line,
                                     command=self.complete_command)
         else:
             if 'message' in line:
-                line['message'] = cleanup_encoding(line['message'])
+                line['message'] = self.fix_text_output(line['message'])
             if 'xpcshell_process' in line:
                 line['thread'] =  ' '.join([current_thread().name, line['xpcshell_process']])
             else:
@@ -1022,7 +1063,7 @@ class XPCShellTests(object):
                  testsRootDir=None, testingModulesDir=None, pluginsPath=None,
                  testClass=XPCShellTestThread, failureManifest=None,
                  log=None, stream=None, jsDebugger=False, jsDebuggerPort=0,
-                 test_tags=None, **otherOptions):
+                 test_tags=None, utility_path=None, **otherOptions):
         """Run xpcshell tests.
 
         |xpcshell|, is the xpcshell executable to use to run the tests.
@@ -1153,6 +1194,12 @@ class XPCShellTests(object):
 
         mozinfo.update(self.mozInfo)
 
+        self.stack_fixer_function = None
+        if utility_path and os.path.exists(utility_path):
+            self.stack_fixer_function = find_stack_fixer(mozinfo,
+                                                         utility_path,
+                                                         self.symbolsPath)
+
         # buildEnvironment() needs mozInfo, so we call it after mozInfo is initialized.
         self.buildEnvironment()
 
@@ -1200,6 +1247,7 @@ class XPCShellTests(object):
             'xpcsRunArgs': self.xpcsRunArgs,
             'failureManifest': failureManifest,
             'harness_timeout': self.harness_timeout,
+            'stack_fixer_function': self.stack_fixer_function,
         }
 
         if self.sequential:
@@ -1486,6 +1534,11 @@ class XPCShellOptions(OptionParser):
                         help="filter out tests that don't have the given tag. Can be "
                              "used multiple times in which case the test must contain "
                              "at least one of the given tags.")
+        self.add_option("--utility-path",
+                        action="store", dest="utility_path",
+                        default=None,
+                        help="Path to a directory containing utility programs, such "
+                             "as stack fixer scripts.")
 
 def main():
     parser = XPCShellOptions()
diff --git a/testing/xpcshell/selftest.py b/testing/xpcshell/selftest.py
index f1b169496087..aa54b49fda70 100644
--- a/testing/xpcshell/selftest.py
+++ b/testing/xpcshell/selftest.py
@@ -5,7 +5,7 @@
 #
 
 from __future__ import with_statement
-import sys, os, unittest, tempfile, shutil
+import sys, os, unittest, tempfile, shutil, re, pprint
 import mozinfo
 
 from StringIO import StringIO
@@ -357,6 +357,7 @@ class XPCShellTestsTests(unittest.TestCase):
     def setUp(self):
         self.log = StringIO()
         self.tempdir = tempfile.mkdtemp()
+        self.utility_path = os.path.join(objdir, 'dist', 'bin')
         logger = structured.commandline.setup_logging("selftest%s" % id(self),
                                                       {},
                                                       {"tbpl": self.log})
@@ -409,7 +410,8 @@ tail =
                                           shuffle=shuffle,
                                           testsRootDir=self.tempdir,
                                           verbose=verbose,
-                                          sequential=True),
+                                          sequential=True,
+                                          utility_path=self.utility_path),
                           msg="""Tests should have %s, log:
 ========
 %s
@@ -466,6 +468,34 @@ tail =
         self.assertInLog(TEST_FAIL_STRING)
         self.assertNotInLog(TEST_PASS_STRING)
 
+    @unittest.skipIf(mozinfo.isWin or not mozinfo.info.get('debug'),
+                     'We don\'t have a stack fixer on hand for windows.')
+    def testAssertStack(self):
+        """
+        When an assertion is hit, we should produce a useful stack.
+        """
+        self.writeFile("test_assert.js", '''
+          add_test(function test_asserts_immediately() {
+            Components.classes["@mozilla.org/xpcom/debug;1"]
+                      .getService(Components.interfaces.nsIDebug2)
+                      .assertion("foo", "assertion failed", "test.js", 1)
+            run_next_test();
+          });
+        ''')
+
+        self.writeManifest(["test_assert.js"])
+
+        self.assertTestResult(False)
+
+        self.assertInLog("###!!! ASSERTION")
+        log_lines = self.log.getvalue().splitlines()
+        line_pat = "#\d\d:"
+        unknown_pat = "#\d\d\: \?\?\?\[.* \+0x[a-f0-9]+\]"
+        self.assertFalse(any(re.search(unknown_pat, line) for line in log_lines),
+                         "An stack frame without symbols was found in\n%s" % pprint.pformat(log_lines))
+        self.assertTrue(any(re.search(line_pat, line) for line in log_lines),
+                        "No line resembling a stack frame was found in\n%s" % pprint.pformat(log_lines))
+
     @unittest.skipIf(build_obj.defines.get('MOZ_B2G'),
                      'selftests with child processes fail on b2g desktop builds')
     def testChildPass(self):
diff --git a/toolkit/components/build/nsToolkitCompsModule.cpp b/toolkit/components/build/nsToolkitCompsModule.cpp
index b6792d3ae962..9c021e70b59b 100644
--- a/toolkit/components/build/nsToolkitCompsModule.cpp
+++ b/toolkit/components/build/nsToolkitCompsModule.cpp
@@ -120,7 +120,7 @@ NS_GENERIC_FACTORY_CONSTRUCTOR(nsBrowserStatusFilter)
 #if defined(MOZ_UPDATER) && !defined(MOZ_WIDGET_ANDROID)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsUpdateProcessor)
 #endif
-NS_GENERIC_FACTORY_CONSTRUCTOR(FinalizationWitnessService)
+NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(FinalizationWitnessService, Init)
 NS_GENERIC_FACTORY_CONSTRUCTOR(NativeOSFileInternalsService)
 NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(NativeFileWatcherService, Init)
 
diff --git a/toolkit/components/finalizationwitness/FinalizationWitnessService.cpp b/toolkit/components/finalizationwitness/FinalizationWitnessService.cpp
index 0678ceddd2f5..57010972fe11 100644
--- a/toolkit/components/finalizationwitness/FinalizationWitnessService.cpp
+++ b/toolkit/components/finalizationwitness/FinalizationWitnessService.cpp
@@ -18,6 +18,8 @@
 
 // Implementation of nsIFinalizationWitnessService
 
+static bool gShuttingDown = false;
+
 namespace mozilla {
 
 namespace {
@@ -99,8 +101,8 @@ ExtractFinalizationEvent(JSObject *objSelf)
 void Finalize(JSFreeOp *fop, JSObject *objSelf)
 {
   nsRefPtr<FinalizationEvent> event = ExtractFinalizationEvent(objSelf);
-  if (event == nullptr) {
-    // Forget() has been called
+  if (event == nullptr || gShuttingDown) {
+    // NB: event will be null if Forget() has been called
     return;
   }
 
@@ -171,7 +173,7 @@ static const JSFunctionSpec sWitnessClassFunctions[] = {
 
 }
 
-NS_IMPL_ISUPPORTS(FinalizationWitnessService, nsIFinalizationWitnessService)
+NS_IMPL_ISUPPORTS(FinalizationWitnessService, nsIFinalizationWitnessService, nsIObserver)
 
 /**
  * Create a new Finalization Witness.
@@ -209,4 +211,30 @@ FinalizationWitnessService::Make(const char* aTopic,
   return NS_OK;
 }
 
+NS_IMETHODIMP
+FinalizationWitnessService::Observe(nsISupports* aSubject,
+                                    const char* aTopic,
+                                    const char16_t* aValue)
+{
+  MOZ_ASSERT(strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0);
+  gShuttingDown = true;
+  nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService();
+  if (obs) {
+    obs->RemoveObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID);
+  }
+
+  return NS_OK;
+}
+
+nsresult
+FinalizationWitnessService::Init()
+{
+  nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService();
+  if (!obs) {
+    return NS_ERROR_FAILURE;
+  }
+
+  return obs->AddObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID, false);
+}
+
 } // namespace mozilla
diff --git a/toolkit/components/finalizationwitness/FinalizationWitnessService.h b/toolkit/components/finalizationwitness/FinalizationWitnessService.h
index 4c521397fa46..087cff2398de 100644
--- a/toolkit/components/finalizationwitness/FinalizationWitnessService.h
+++ b/toolkit/components/finalizationwitness/FinalizationWitnessService.h
@@ -6,17 +6,22 @@
 #define mozilla_finalizationwitnessservice_h__
 
 #include "nsIFinalizationWitnessService.h"
+#include "nsIObserver.h"
 
 namespace mozilla {
 
 /**
  * XPConnect initializer, for use in the main thread.
  */
-class FinalizationWitnessService final : public nsIFinalizationWitnessService
+class FinalizationWitnessService final : public nsIFinalizationWitnessService,
+                                         public nsIObserver
 {
  public:
   NS_DECL_ISUPPORTS
   NS_DECL_NSIFINALIZATIONWITNESSSERVICE
+  NS_DECL_NSIOBSERVER
+
+  nsresult Init();
  private:
   ~FinalizationWitnessService() {}
   void operator=(const FinalizationWitnessService* other) = delete;
diff --git a/toolkit/components/passwordmgr/test/chrome.ini b/toolkit/components/passwordmgr/test/chrome.ini
index a40ec1a8db6f..31754515dab0 100644
--- a/toolkit/components/passwordmgr/test/chrome.ini
+++ b/toolkit/components/passwordmgr/test/chrome.ini
@@ -7,5 +7,4 @@ support-files =
 
 [test_formless_submit.html]
 [test_privbrowsing_perwindowpb.html]
-# Too many intermittent failures (bug 919016)
-skip-if = true
+skip-if = true # Bug 1173337
diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json
index e8c81df44285..474898452ead 100644
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -275,6 +275,22 @@
     "n_buckets": 50,
     "description": "Time spent running JS GC (ms)"
   },
+  "GC_BUDGET_MS": {
+    "alert_emails": ["dev-telemetry-gc-alerts@mozilla.org"],
+    "expires_in_version": "never",
+    "kind": "linear",
+    "high": "100",
+    "n_buckets": 10,
+    "description": "Requested GC slice budget (ms)"
+  },
+  "GC_ANIMATION_MS": {
+    "alert_emails": ["dev-telemetry-gc-alerts@mozilla.org"],
+    "expires_in_version": "never",
+    "kind": "exponential",
+    "high": "10000",
+    "n_buckets": 50,
+    "description": "Time spent running JS GC when animating (ms)"
+  },
   "GC_MAX_PAUSE_MS": {
     "alert_emails": ["dev-telemetry-gc-alerts@mozilla.org"],
     "expires_in_version": "never",
diff --git a/toolkit/components/url-classifier/Entries.h b/toolkit/components/url-classifier/Entries.h
index 5e9bbdeee0e0..098c0e559f1f 100644
--- a/toolkit/components/url-classifier/Entries.h
+++ b/toolkit/components/url-classifier/Entries.h
@@ -275,19 +275,6 @@ EntrySort(nsTArray_Impl<T, Alloc>& aArray)
 template<class T, class Alloc>
 nsresult
 ReadTArray(nsIInputStream* aStream, nsTArray_Impl<T, Alloc>* aArray, uint32_t aNumElements)
-{
-  aArray->SetLength(aNumElements);
-
-  void *buffer = aArray->Elements();
-  nsresult rv = NS_ReadInputStreamToBuffer(aStream, &buffer,
-                                           (aNumElements * sizeof(T)));
-  NS_ENSURE_SUCCESS(rv, rv);
-  return NS_OK;
-}
-
-template<class T>
-nsresult
-ReadTArray(nsIInputStream* aStream, FallibleTArray<T>* aArray, uint32_t aNumElements)
 {
   if (!aArray->SetLength(aNumElements, fallible))
     return NS_ERROR_OUT_OF_MEMORY;
diff --git a/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp b/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
index cd29cec81ad9..652e45d8596b 100644
--- a/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
+++ b/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
@@ -1205,7 +1205,7 @@ nsUrlClassifierDBService::Classify(nsIPrincipal* aPrincipal,
   NS_ENSURE_ARG(aPrincipal);
   NS_ENSURE_TRUE(gDbBackgroundThread, NS_ERROR_NOT_INITIALIZED);
 
-  if (!(mCheckMalware || mCheckPhishing)) {
+  if (!(mCheckMalware || mCheckPhishing || aTrackingProtectionEnabled)) {
     *result = false;
     return NS_OK;
   }
diff --git a/toolkit/components/url-classifier/tests/mochitest/chrome.ini b/toolkit/components/url-classifier/tests/mochitest/chrome.ini
index b6863635783a..eca0beebfae8 100644
--- a/toolkit/components/url-classifier/tests/mochitest/chrome.ini
+++ b/toolkit/components/url-classifier/tests/mochitest/chrome.ini
@@ -9,3 +9,4 @@ support-files =
 [test_classified_annotations.html]
 [test_allowlisted_annotations.html]
 [test_privatebrowsing_trackingprotection.html]
+[test_trackingprotection_bug1157081.html]
diff --git a/toolkit/components/url-classifier/tests/mochitest/test_trackingprotection_bug1157081.html b/toolkit/components/url-classifier/tests/mochitest/test_trackingprotection_bug1157081.html
new file mode 100644
index 000000000000..34309629040f
--- /dev/null
+++ b/toolkit/components/url-classifier/tests/mochitest/test_trackingprotection_bug1157081.html
@@ -0,0 +1,138 @@
+<!DOCTYPE HTML>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+<html>
+<head>
+  <title>Test Tracking Protection with and without Safe Browsing (Bug #1157081)</title>
+  <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css">
+</head>
+
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<pre id="test">
+
+<script class="testbody" type="text/javascript">
+
+var Cc = SpecialPowers.Cc;
+var Ci = SpecialPowers.Ci;
+
+var mainWindow = window.QueryInterface(Ci.nsIInterfaceRequestor)
+                    .getInterface(Ci.nsIWebNavigation)
+                    .QueryInterface(Ci.nsIDocShellTreeItem)
+                    .rootTreeItem
+                    .QueryInterface(Ci.nsIInterfaceRequestor)
+                    .getInterface(Ci.nsIDOMWindow);
+var contentPage = "chrome://mochitests/content/chrome/toolkit/components/url-classifier/tests/mochitest/classifiedAnnotatedPBFrame.html"
+
+Components.utils.import("resource://gre/modules/Services.jsm");
+
+function whenDelayedStartupFinished(aWindow, aCallback) {
+  Services.obs.addObserver(function observer(aSubject, aTopic) {
+    if (aWindow == aSubject) {
+      Services.obs.removeObserver(observer, aTopic);
+      setTimeout(aCallback, 0);
+    }
+  }, "browser-delayed-startup-finished", false);
+}
+
+function testOnWindow(aCallback) {
+  var win = mainWindow.OpenBrowserWindow();
+  win.addEventListener("load", function onLoad() {
+    win.removeEventListener("load", onLoad, false);
+    whenDelayedStartupFinished(win, function() {
+      win.addEventListener("DOMContentLoaded", function onInnerLoad() {
+        if (win.content.location.href != contentPage) {
+          win.gBrowser.loadURI(contentPage);
+          return;
+        }
+        win.removeEventListener("DOMContentLoaded", onInnerLoad, true);
+
+        win.content.addEventListener('load', function innerLoad2() {
+          win.content.removeEventListener('load', innerLoad2, false);
+          SimpleTest.executeSoon(function() { aCallback(win); });
+        }, false, true);
+      }, true);
+      SimpleTest.executeSoon(function() { win.gBrowser.loadURI(contentPage); });
+    });
+  }, true);
+}
+
+// Add some URLs to the tracking database
+var testData = "tracking.example.com/";
+var testUpdate =
+  "n:1000\ni:test-track-simple\nad:1\n" +
+  "a:524:32:" + testData.length + "\n" +
+  testData;
+
+var badids = [
+  "badscript"
+];
+
+function checkLoads(aWindow, aBlocked) {
+  var win = aWindow.content;
+  is(win.document.getElementById("badscript").dataset.touched, aBlocked ? "no" : "yes", "Should not load tracking javascript");
+}
+
+var dbService = Cc["@mozilla.org/url-classifier/dbservice;1"]
+                .getService(Ci.nsIUrlClassifierDBService);
+
+function doUpdate(update) {
+  var listener = {
+    QueryInterface: function(iid)
+    {
+      if (iid.equals(Ci.nsISupports) ||
+          iid.equals(Ci.nsIUrlClassifierUpdateObserver))
+        return this;
+
+      throw Cr.NS_ERROR_NO_INTERFACE;
+    },
+    updateUrlRequested: function(url) { },
+    streamFinished: function(status) { },
+    updateError: function(errorCode) {
+      ok(false, "Couldn't update classifier.");
+      // Abort test.
+      SimpleTest.finish();
+    },
+    updateSuccess: function(requestedTimeout) {
+      // Safe Browsing turned OFF, tracking protection should work nevertheless
+      testOnWindow(function(aWindow) {
+        checkLoads(aWindow, true);
+        aWindow.close();
+
+        // Safe Browsing turned ON, tracking protection should still work
+        SpecialPowers.setBoolPref("browser.safebrowsing.enabled", true);
+        testOnWindow(function(aWindow) {
+          checkLoads(aWindow, true);
+          aWindow.close();
+          SimpleTest.finish();
+        });
+      });
+    }
+  };
+
+  dbService.beginUpdate(listener, "test-track-simple", "");
+  dbService.beginStream("", "");
+  dbService.updateStream(update);
+  dbService.finishStream();
+  dbService.finishUpdate();
+}
+
+SpecialPowers.pushPrefEnv(
+  {"set" : [["urlclassifier.trackingTable", "test-track-simple"],
+            ["privacy.trackingprotection.enabled", true],
+            ["browser.safebrowsing.malware.enabled", false],
+            ["browser.safebrowsing.enabled", false],
+            ["channelclassifier.allowlist_example", true]]},
+  function() { doUpdate(testUpdate); });
+
+SimpleTest.waitForExplicitFinish();
+
+</script>
+
+</pre>
+<iframe id="testFrame" width="100%" height="100%" onload=""></iframe>
+</body>
+</html>
diff --git a/toolkit/content/tests/chrome/chrome.ini b/toolkit/content/tests/chrome/chrome.ini
index 2a9625e4e9a0..364ddea965c0 100644
--- a/toolkit/content/tests/chrome/chrome.ini
+++ b/toolkit/content/tests/chrome/chrome.ini
@@ -68,7 +68,6 @@ skip-if = buildapp == 'mulet'
 [test_bug331215.xul]
 [test_bug360220.xul]
 [test_bug360437.xul]
-skip-if = os == "win" # Intermittent failures, bug 919016
 [test_bug365773.xul]
 [test_bug366992.xul]
 [test_bug382990.xul]
@@ -161,7 +160,6 @@ skip-if = buildapp == 'mulet'
 [test_scrollbar.xul]
 skip-if = buildapp == 'mulet'
 [test_showcaret.xul]
-skip-if = os == "win" # Bug 952350
 [test_sorttemplate.xul]
 [test_statusbar.xul]
 [test_subframe_origin.xul]
diff --git a/toolkit/crashreporter/nsExceptionHandler.cpp b/toolkit/crashreporter/nsExceptionHandler.cpp
index d44d03cb81ca..827240da46fd 100644
--- a/toolkit/crashreporter/nsExceptionHandler.cpp
+++ b/toolkit/crashreporter/nsExceptionHandler.cpp
@@ -2414,6 +2414,22 @@ GetMinidumpLimboDir(nsIFile** dir)
   }
 }
 
+void
+DeleteMinidumpFilesForID(const nsAString& id)
+{
+  nsCOMPtr<nsIFile> minidumpFile;
+  GetMinidumpForID(id, getter_AddRefs(minidumpFile));
+  bool exists = false;
+  if (minidumpFile && NS_SUCCEEDED(minidumpFile->Exists(&exists)) && exists) {
+    nsCOMPtr<nsIFile> childExtraFile;
+    GetExtraFileForMinidump(minidumpFile, getter_AddRefs(childExtraFile));
+    if (childExtraFile) {
+      childExtraFile->Remove(false);
+    }
+    minidumpFile->Remove(false);
+  }
+}
+
 bool
 GetMinidumpForID(const nsAString& id, nsIFile** minidump)
 {
@@ -2426,7 +2442,7 @@ GetMinidumpForID(const nsAString& id, nsIFile** minidump)
 bool
 GetIDFromMinidump(nsIFile* minidump, nsAString& id)
 {
-  if (NS_SUCCEEDED(minidump->GetLeafName(id))) {
+  if (minidump && NS_SUCCEEDED(minidump->GetLeafName(id))) {
     id.Replace(id.Length() - 4, 4, NS_LITERAL_STRING(""));
     return true;
   }
@@ -3077,7 +3093,7 @@ TakeMinidumpForChild(uint32_t childPid, nsIFile** dump, uint32_t* aSequence)
 
 void
 RenameAdditionalHangMinidump(nsIFile* minidump, nsIFile* childMinidump,
-                           const nsACString& name)
+                             const nsACString& name)
 {
   nsCOMPtr<nsIFile> directory;
   childMinidump->GetParent(getter_AddRefs(directory));
@@ -3090,7 +3106,9 @@ RenameAdditionalHangMinidump(nsIFile* minidump, nsIFile* childMinidump,
   // turn "<id>.dmp" into "<id>-<name>.dmp
   leafName.Insert(NS_LITERAL_CSTRING("-") + name, leafName.Length() - 4);
 
-  minidump->MoveToNative(directory, leafName);
+  if (NS_FAILED(minidump->MoveToNative(directory, leafName))) {
+    NS_WARNING("RenameAdditionalHangMinidump failed to move minidump.");
+  }
 }
 
 static bool
@@ -3199,18 +3217,50 @@ GetChildThread(ProcessHandle childPid, ThreadId childBlamedThread)
 }
 #endif
 
-bool
-CreatePairedMinidumps(ProcessHandle childPid,
-                      ThreadId childBlamedThread,
-                      nsIFile** childDump)
+bool TakeMinidump(nsIFile** aResult, bool aMoveToPending)
 {
   if (!GetEnabled())
     return false;
 
-#ifdef XP_MACOSX
-  mach_port_t childThread = GetChildThread(childPid, childBlamedThread);
+  xpstring dump_path;
+#ifndef XP_LINUX
+  dump_path = gExceptionHandler->dump_path();
 #else
-  ThreadId childThread = childBlamedThread;
+  dump_path = gExceptionHandler->minidump_descriptor().directory();
+#endif
+
+  // capture the dump
+  if (!google_breakpad::ExceptionHandler::WriteMinidump(
+         dump_path,
+#ifdef XP_MACOSX
+         true,
+#endif
+         PairedDumpCallback,
+         static_cast<void*>(aResult))) {
+    return false;
+  }
+
+  if (aMoveToPending) {
+    MoveToPending(*aResult, nullptr);
+  }
+  return true;
+}
+
+bool
+CreateMinidumpsAndPair(ProcessHandle aTargetPid,
+                       ThreadId aTargetBlamedThread,
+                       const nsACString& aIncomingPairName,
+                       nsIFile* aIncomingDumpToPair,
+                       nsIFile** aMainDumpOut)
+{
+  if (!GetEnabled()) {
+    return false;
+  }
+
+#ifdef XP_MACOSX
+  mach_port_t targetThread = GetChildThread(aTargetPid, aTargetBlamedThread);
+#else
+  ThreadId targetThread = aTargetBlamedThread;
 #endif
 
   xpstring dump_path;
@@ -3220,45 +3270,46 @@ CreatePairedMinidumps(ProcessHandle childPid,
   dump_path = gExceptionHandler->minidump_descriptor().directory();
 #endif
 
-  // dump the child
-  nsCOMPtr<nsIFile> childMinidump;
+  // dump the target
+  nsCOMPtr<nsIFile> targetMinidump;
   if (!google_breakpad::ExceptionHandler::WriteMinidumpForChild(
-         childPid,
-         childThread,
+         aTargetPid,
+         targetThread,
          dump_path,
          PairedDumpCallbackExtra,
-         static_cast<void*>(&childMinidump)))
+         static_cast<void*>(&targetMinidump)))
     return false;
 
-  nsCOMPtr<nsIFile> childExtra;
-  GetExtraFileForMinidump(childMinidump, getter_AddRefs(childExtra));
+  nsCOMPtr<nsIFile> targetExtra;
+  GetExtraFileForMinidump(targetMinidump, getter_AddRefs(targetExtra));
 
-  // dump the parent
-  nsCOMPtr<nsIFile> parentMinidump;
-  if (!google_breakpad::ExceptionHandler::WriteMinidump(
-         dump_path,
+  // If aIncomingDumpToPair isn't valid, create a dump of this process.
+  nsCOMPtr<nsIFile> incomingDump;
+  if (aIncomingDumpToPair == nullptr) {
+    if (!google_breakpad::ExceptionHandler::WriteMinidump(
+        dump_path,
 #ifdef XP_MACOSX
-         true,                  // write exception stream
+        true,
 #endif
-         PairedDumpCallback,
-         static_cast<void*>(&parentMinidump))) {
+        PairedDumpCallback,
+        static_cast<void*>(&incomingDump))) {
 
-    childMinidump->Remove(false);
-    childExtra->Remove(false);
-
-    return false;
+      targetMinidump->Remove(false);
+      targetExtra->Remove(false);
+      return false;
+    }
+  } else {
+    incomingDump = aIncomingDumpToPair;
   }
-
-  // success
-  RenameAdditionalHangMinidump(parentMinidump, childMinidump,
-                               NS_LITERAL_CSTRING("browser"));
+  
+  RenameAdditionalHangMinidump(incomingDump, targetMinidump, aIncomingPairName);
 
   if (ShouldReport()) {
-    MoveToPending(childMinidump, childExtra);
-    MoveToPending(parentMinidump, nullptr);
+    MoveToPending(targetMinidump, targetExtra);
+    MoveToPending(incomingDump, nullptr);
   }
 
-  childMinidump.forget(childDump);
+  targetMinidump.forget(aMainDumpOut);
 
   return true;
 }
diff --git a/toolkit/crashreporter/nsExceptionHandler.h b/toolkit/crashreporter/nsExceptionHandler.h
index 17bebcd17ca8..a3aee029e38a 100644
--- a/toolkit/crashreporter/nsExceptionHandler.h
+++ b/toolkit/crashreporter/nsExceptionHandler.h
@@ -87,14 +87,26 @@ nsresult UnregisterAppMemory(void* ptr);
 // Functions for working with minidumps and .extras
 typedef nsDataHashtable<nsCStringHashKey, nsCString> AnnotationTable;
 
+void DeleteMinidumpFilesForID(const nsAString& id);
 bool GetMinidumpForID(const nsAString& id, nsIFile** minidump);
 bool GetIDFromMinidump(nsIFile* minidump, nsAString& id);
 bool GetExtraFileForID(const nsAString& id, nsIFile** extraFile);
 bool GetExtraFileForMinidump(nsIFile* minidump, nsIFile** extraFile);
 bool AppendExtraData(const nsAString& id, const AnnotationTable& data);
 bool AppendExtraData(nsIFile* extraFile, const AnnotationTable& data);
-void RenameAdditionalHangMinidump(nsIFile* minidump, nsIFile* childMinidump,
-                                  const nsACString& name);
+
+/*
+ * Renames the stand alone dump file aDumpFile to:
+ *  |aOwnerDumpFile-aDumpFileProcessType.dmp|
+ * and moves it into the same directory as aOwnerDumpFile. Does not
+ * modify aOwnerDumpFile in any way.
+ *
+ * @param aDumpFile - the dump file to associate with aOwnerDumpFile.
+ * @param aOwnerDumpFile - the new owner of aDumpFile.
+ * @param aDumpFileProcessType - process name associated with aDumpFile.
+ */
+void RenameAdditionalHangMinidump(nsIFile* aDumpFile, const nsIFile* aOwnerDumpFile,
+                                  const nsACString& aDumpFileProcessType);
 
 #ifdef XP_WIN32
   nsresult WriteMinidumpForException(EXCEPTION_POINTERS* aExceptionInfo);
@@ -116,6 +128,17 @@ nsresult SetSubmitReports(bool aSubmitReport);
 // thread.
 void OOPInit();
 
+/*
+ * Takes a minidump for the current process and returns the dump file.
+ * Callers are responsible for managing the resulting file.
+ *
+ * @param aResult - file pointer that holds the resulting minidump.
+ * @param aMoveToPending - if true move the report to the report
+ *   pending directory.
+ * @returns boolean indicating success or failure.
+ */
+bool TakeMinidump(nsIFile** aResult, bool aMoveToPending = false);
+
 // Return true if a dump was found for |childPid|, and return the
 // path in |dump|.  The caller owns the last reference to |dump| if it
 // is non-nullptr. The sequence parameter will be filled with an ordinal
@@ -143,19 +166,31 @@ typedef int ThreadId;
 // hoops for us.
 ThreadId CurrentThreadId();
 
-// Create a hang report with two minidumps that are snapshots of the state
-// of this parent process and |childPid|. The "main" minidump will be the
-// child process, and this parent process will have the -browser extension.
-//
-// Returns true on success. If this function fails, it will attempt to delete
-// any files that were created.
-//
-// The .extra information created will not include an additional_minidumps
-// annotation: the caller should annotate additional_minidumps with
-// at least "browser" and perhaps other minidumps attached to this report.
-bool CreatePairedMinidumps(ProcessHandle childPid,
-                           ThreadId childBlamedThread,
-                           nsIFile** childDump);
+/*
+ * Take a minidump of the target process and pair it with an incoming minidump
+ * provided by the caller or a new minidump of the calling process and thread.
+ * The caller will own both dumps after this call. If this function fails
+ * it will attempt to delete any files that were created.
+ *
+ * The .extra information created will not include an 'additional_minidumps'
+ * annotation.
+ *
+ * @param aTargetPid The target process for the minidump.
+ * @param aTargetBlamedThread The target thread for the minidump.
+ * @param aIncomingPairName The name to apply to the paired dump the caller
+ *   passes in.
+ * @param aIncomingDumpToPair Existing dump to pair with the new dump. if this
+ *   is null, TakeMinidumpAndPair will take a new minidump of the calling
+ *   process and thread and use it in aIncomingDumpToPairs place.
+ * @param aTargetDumpOut The target minidump file paired up with
+ *   aIncomingDumpToPair.
+ * @return bool indicating success or failure
+ */
+bool CreateMinidumpsAndPair(ProcessHandle aTargetPid,
+                            ThreadId aTargetBlamedThread,
+                            const nsACString& aIncomingPairName,
+                            nsIFile* aIncomingDumpToPair,
+                            nsIFile** aTargetDumpOut);
 
 // Create an additional minidump for a child of a process which already has
 // a minidump (|parentMinidump|).
diff --git a/toolkit/devtools/server/AutoMemMap.cpp b/toolkit/devtools/server/AutoMemMap.cpp
new file mode 100644
index 000000000000..162ee5d5ede6
--- /dev/null
+++ b/toolkit/devtools/server/AutoMemMap.cpp
@@ -0,0 +1,62 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/devtools/AutoMemMap.h"
+#include "nsDebug.h"
+
+namespace mozilla {
+namespace devtools {
+
+AutoMemMap::~AutoMemMap()
+{
+  if (addr) {
+    NS_WARN_IF(PR_MemUnmap(addr, size()) != PR_SUCCESS);
+    addr = nullptr;
+  }
+
+  if (fileMap) {
+    NS_WARN_IF(PR_CloseFileMap(fileMap) != PR_SUCCESS);
+    fileMap = nullptr;
+  }
+
+  if (fd) {
+    NS_WARN_IF(PR_Close(fd) != PR_SUCCESS);
+    fd = nullptr;
+  }
+}
+
+nsresult
+AutoMemMap::init(const char* filePath, PRIntn flags, PRIntn mode, PRFileMapProtect prot)
+{
+  MOZ_ASSERT(!fd);
+  MOZ_ASSERT(!fileMap);
+  MOZ_ASSERT(!addr);
+
+  if (PR_GetFileInfo64(filePath, &fileInfo) != PR_SUCCESS)
+    return NS_ERROR_FILE_NOT_FOUND;
+
+  // Check if the file is too big to memmap.
+  if (fileInfo.size > int64_t(UINT32_MAX))
+    return NS_ERROR_INVALID_ARG;
+  auto length = uint32_t(fileInfo.size);
+
+  fd = PR_Open(filePath, flags, flags);
+  if (!fd)
+    return NS_ERROR_UNEXPECTED;
+
+  fileMap = PR_CreateFileMap(fd, fileInfo.size, prot);
+  if (!fileMap)
+    return NS_ERROR_UNEXPECTED;
+
+  addr = PR_MemMap(fileMap, 0, length);
+  if (!addr)
+    return NS_ERROR_UNEXPECTED;
+
+  return NS_OK;
+}
+
+} // namespace devtools
+} // namespace mozilla
diff --git a/toolkit/devtools/server/AutoMemMap.h b/toolkit/devtools/server/AutoMemMap.h
new file mode 100644
index 000000000000..e6943a412248
--- /dev/null
+++ b/toolkit/devtools/server/AutoMemMap.h
@@ -0,0 +1,70 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <prio.h>
+#include "mozilla/GuardObjects.h"
+
+namespace mozilla {
+namespace devtools {
+
+// # AutoMemMap
+//
+// AutoMemMap is an RAII class to manage mapping a file to memory. It is a
+// wrapper aorund managing opening and closing a file and calling PR_MemMap and
+// PR_MemUnmap.
+//
+// Example usage:
+//
+//     {
+//       AutoMemMap mm;
+//       if (NS_FAILED(mm.init("/path/to/desired/file"))) {
+//          // Handle the error however you see fit.
+//         return false;
+//       }
+//
+//       doStuffWithMappedMemory(mm.address());
+//     }
+//     // The memory is automatically unmapped when the AutoMemMap leaves scope.
+class MOZ_STACK_CLASS AutoMemMap
+{
+  MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER;
+
+  PRFileInfo64 fileInfo;
+  PRFileDesc*  fd;
+  PRFileMap*   fileMap;
+  void*        addr;
+
+  AutoMemMap(const AutoMemMap& aOther) = delete;
+  void operator=(const AutoMemMap& aOther) = delete;
+
+public:
+  explicit AutoMemMap(MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM)
+      : fd(nullptr)
+      , fileMap(nullptr)
+      , addr(nullptr)
+  {
+      MOZ_GUARD_OBJECT_NOTIFIER_INIT;
+  };
+  ~AutoMemMap();
+
+  // Initialize this AutoMemMap.
+  nsresult init(const char* filePath, PRIntn flags = PR_RDONLY, PRIntn mode = 0,
+                PRFileMapProtect prot = PR_PROT_READONLY);
+
+  // Get the size of the memory mapped file.
+  uint32_t size() const {
+      MOZ_ASSERT(fileInfo.size <= UINT32_MAX,
+                 "Should only call size() if init() succeeded.");
+      return uint32_t(fileInfo.size);
+  }
+
+  // Get the mapped memory.
+  void* address() { MOZ_ASSERT(addr); return addr; }
+  const void* address() const { MOZ_ASSERT(addr); return addr; }
+};
+
+} // namespace devtools
+} // namespace mozilla
diff --git a/toolkit/devtools/server/ChromeUtils.cpp b/toolkit/devtools/server/ChromeUtils.cpp
index 4e5968356422..658c07db3943 100644
--- a/toolkit/devtools/server/ChromeUtils.cpp
+++ b/toolkit/devtools/server/ChromeUtils.cpp
@@ -8,6 +8,7 @@
 #include <google/protobuf/io/coded_stream.h>
 #include <google/protobuf/io/gzip_stream.h>
 
+#include "mozilla/devtools/AutoMemMap.h"
 #include "mozilla/devtools/HeapSnapshot.h"
 #include "mozilla/devtools/ZeroCopyNSIOutputStream.h"
 #include "mozilla/Attributes.h"
@@ -395,37 +396,14 @@ ChromeUtils::ReadHeapSnapshot(GlobalObject& global,
     return nullptr;
   }
 
-  PRFileInfo fileInfo;
-  if (PR_GetFileInfo(path.get(), &fileInfo) != PR_SUCCESS) {
-    rv.Throw(NS_ERROR_FILE_NOT_FOUND);
+  AutoMemMap mm;
+  rv = mm.init(path.get());
+  if (rv.Failed())
     return nullptr;
-  }
 
-  uint32_t size = fileInfo.size;
-  ScopedFreePtr<uint8_t> buffer(static_cast<uint8_t*>(malloc(size)));
-  if (!buffer) {
-    rv.Throw(NS_ERROR_OUT_OF_MEMORY);
-    return nullptr;
-  }
-
-  PRFileDesc* fd = PR_Open(path.get(), PR_RDONLY, 0);
-  if (!fd) {
-    rv.Throw(NS_ERROR_UNEXPECTED);
-    return nullptr;
-  }
-
-  uint32_t bytesRead = 0;
-  while (bytesRead < size) {
-    uint32_t bytesLeft = size - bytesRead;
-    int32_t bytesReadThisTime = PR_Read(fd, buffer.get() + bytesRead, bytesLeft);
-    if (bytesReadThisTime < 1) {
-      rv.Throw(NS_ERROR_UNEXPECTED);
-      return nullptr;
-    }
-    bytesRead += bytesReadThisTime;
-  }
-
-  return HeapSnapshot::Create(cx, global, buffer.get(), size, rv);
+  return HeapSnapshot::Create(cx, global,
+                              reinterpret_cast<const uint8_t*>(mm.address()),
+                              mm.size(), rv);
 }
 
 } // namespace devtools
diff --git a/toolkit/devtools/server/DeserializedNode.cpp b/toolkit/devtools/server/DeserializedNode.cpp
index 9600be76a3e9..ac617821e9fa 100644
--- a/toolkit/devtools/server/DeserializedNode.cpp
+++ b/toolkit/devtools/server/DeserializedNode.cpp
@@ -49,55 +49,30 @@ DeserializedEdge::init(const protobuf::Edge& edge, HeapSnapshot& owner)
   return true;
 }
 
-/* static */ UniquePtr<DeserializedNode>
-DeserializedNode::Create(const protobuf::Node& node, HeapSnapshot& owner)
+DeserializedNode::DeserializedNode(DeserializedNode&& rhs)
 {
-  if (!node.has_id())
-    return nullptr;
-  NodeId id = node.id();
+  id = rhs.id;
+  rhs.id = 0;
 
-  if (!node.has_typename_())
-    return nullptr;
+  typeName = rhs.typeName;
+  rhs.typeName = nullptr;
 
-  const char16_t* duplicatedTypeName = reinterpret_cast<const char16_t*>(node.typename_().c_str());
-  const char16_t* uniqueTypeName = owner.borrowUniqueString(duplicatedTypeName,
-                                                            node.typename_().length() / sizeof(char16_t));
-  if (!uniqueTypeName)
-    return nullptr;
+  size = rhs.size;
+  rhs.size = 0;
 
-  auto edgesLength = node.edges_size();
-  EdgeVector edges;
-  if (!edges.reserve(edgesLength))
-    return nullptr;
-  for (decltype(edgesLength) i = 0; i < edgesLength; i++) {
-    DeserializedEdge edge;
-    if (!edge.init(node.edges(i), owner))
-      return nullptr;
-    edges.infallibleAppend(Move(edge));
-  }
+  edges = Move(rhs.edges);
 
-  if (!node.has_size())
-    return nullptr;
-  uint64_t size = node.size();
-
-  return MakeUnique<DeserializedNode>(id,
-                                      uniqueTypeName,
-                                      size,
-                                      Move(edges),
-                                      owner);
+  owner = rhs.owner;
+  rhs.owner = nullptr;
 }
 
-DeserializedNode::DeserializedNode(NodeId id,
-                                   const char16_t* typeName,
-                                   uint64_t size,
-                                   EdgeVector&& edges,
-                                   HeapSnapshot& owner)
-  : id(id)
-  , typeName(typeName)
-  , size(size)
-  , edges(Move(edges))
-  , owner(&owner)
-{ }
+DeserializedNode& DeserializedNode::operator=(DeserializedNode&& rhs)
+{
+  MOZ_ASSERT(&rhs != this);
+  this->~DeserializedNode();
+  new(this) DeserializedNode(Move(rhs));
+  return *this;
+}
 
 DeserializedNode::DeserializedNode(NodeId id, const char16_t* typeName, uint64_t size)
   : id(id)
@@ -107,12 +82,19 @@ DeserializedNode::DeserializedNode(NodeId id, const char16_t* typeName, uint64_t
   , owner(nullptr)
 { }
 
-DeserializedNode&
+JS::ubi::Node
 DeserializedNode::getEdgeReferent(const DeserializedEdge& edge)
 {
   auto ptr = owner->nodes.lookup(edge.referent);
   MOZ_ASSERT(ptr);
-  return *ptr->value();
+
+  // `HashSets` only provide const access to their values, because mutating a
+  // value might change its hash, rendering it unfindable in the set.
+  // Unfortunately, the `ubi::Node` constructor requires a non-const pointer to
+  // its referent.  However, the only aspect of a `DeserializedNode` we hash on
+  // is its id, which can't be changed via `ubi::Node`, so this cast can't cause
+  // the trouble `HashSet` is concerned a non-const reference would cause.
+  return JS::ubi::Node(const_cast<DeserializedNode*>(&*ptr));
 }
 
 } // namespace devtools
@@ -171,8 +153,8 @@ public:
           return false;
       }
 
-      DeserializedNode& referent = node.getEdgeReferent(*edgep);
-      edges.infallibleAppend(mozilla::Move(SimpleEdge(name, Node(&referent))));
+      auto referent = node.getEdgeReferent(*edgep);
+      edges.infallibleAppend(mozilla::Move(SimpleEdge(name, referent)));
     }
 
     settle();
diff --git a/toolkit/devtools/server/DeserializedNode.h b/toolkit/devtools/server/DeserializedNode.h
index 876dec906d2b..9efedcce15ae 100644
--- a/toolkit/devtools/server/DeserializedNode.h
+++ b/toolkit/devtools/server/DeserializedNode.h
@@ -57,29 +57,36 @@ struct DeserializedNode {
   using EdgeVector = Vector<DeserializedEdge>;
   using UniqueStringPtr = UniquePtr<char16_t[]>;
 
-  NodeId         id;
+  NodeId          id;
   // A borrowed reference to a string owned by this node's owning HeapSnapshot.
   const char16_t* typeName;
-  uint64_t       size;
-  EdgeVector     edges;
+  uint64_t        size;
+  EdgeVector      edges;
   // A weak pointer to this node's owning `HeapSnapshot`. Safe without
   // AddRef'ing because this node's lifetime is equal to that of its owner.
-  HeapSnapshot*  owner;
-
-  // Create a new `DeserializedNode` from the given `protobuf::Node` message.
-  static UniquePtr<DeserializedNode> Create(const protobuf::Node& node,
-                                            HeapSnapshot& owner);
+  HeapSnapshot*   owner;
 
   DeserializedNode(NodeId id,
                    const char16_t* typeName,
                    uint64_t size,
                    EdgeVector&& edges,
-                   HeapSnapshot& owner);
+                   HeapSnapshot& owner)
+    : id(id)
+    , typeName(typeName)
+    , size(size)
+    , edges(Move(edges))
+    , owner(&owner)
+  { }
   virtual ~DeserializedNode() { }
 
+  DeserializedNode(DeserializedNode&& rhs);
+  DeserializedNode& operator=(DeserializedNode&& rhs);
+
   // Get a borrowed reference to the given edge's referent. This method is
   // virtual to provide a hook for gmock and gtest.
-  virtual DeserializedNode& getEdgeReferent(const DeserializedEdge& edge);
+  virtual JS::ubi::Node getEdgeReferent(const DeserializedEdge& edge);
+
+  struct HashPolicy;
 
 protected:
   // This is only for use with `MockDeserializedNode` in testing.
@@ -90,6 +97,25 @@ private:
   DeserializedNode& operator=(const DeserializedNode&) = delete;
 };
 
+struct DeserializedNode::HashPolicy
+{
+  using Lookup = NodeId;
+
+  static js::HashNumber hash(const Lookup& lookup) {
+    // NodeIds are always 64 bits, but they are derived from the original
+    // referents' addresses, which could have been either 32 or 64 bits long.
+    // As such, a NodeId has little entropy in its bottom three bits, and may or
+    // may not have entropy in its upper 32 bits. This hash should manage both
+    // cases well.
+    uint64_t id = lookup >> 3;
+    return js::HashNumber((id >> 32) ^ id);
+  }
+
+  static bool match(const DeserializedNode& existing, const Lookup& lookup) {
+    return existing.id == lookup;
+  }
+};
+
 } // namespace devtools
 } // namespace mozilla
 
diff --git a/toolkit/devtools/server/HeapSnapshot.cpp b/toolkit/devtools/server/HeapSnapshot.cpp
index b4decbd036f3..f9dd6fd1cf3e 100644
--- a/toolkit/devtools/server/HeapSnapshot.cpp
+++ b/toolkit/devtools/server/HeapSnapshot.cpp
@@ -98,10 +98,38 @@ parseMessage(ZeroCopyInputStream& stream, MessageType& message)
 bool
 HeapSnapshot::saveNode(const protobuf::Node& node)
 {
-  UniquePtr<DeserializedNode> dn(DeserializedNode::Create(node, *this));
-  if (!dn)
+  if (!node.has_id())
     return false;
-  return nodes.put(dn->id, Move(dn));
+  NodeId id = node.id();
+
+  if (!node.has_typename_())
+    return false;
+
+  const auto* duplicatedTypeName = reinterpret_cast<const char16_t*>(
+    node.typename_().c_str());
+  const char16_t* typeName = borrowUniqueString(
+    duplicatedTypeName,
+    node.typename_().length() / sizeof(char16_t));
+  if (!typeName)
+    return false;
+
+  if (!node.has_size())
+    return false;
+  uint64_t size = node.size();
+
+  auto edgesLength = node.edges_size();
+  DeserializedNode::EdgeVector edges;
+  if (!edges.reserve(edgesLength))
+    return false;
+  for (decltype(edgesLength) i = 0; i < edgesLength; i++) {
+    DeserializedEdge edge;
+    if (!edge.init(node.edges(i), *this))
+      return false;
+    edges.infallibleAppend(Move(edge));
+  }
+
+  DeserializedNode dn(id, typeName, size, Move(edges), *this);
+  return nodes.putNew(id, Move(dn));
 }
 
 static inline bool
diff --git a/toolkit/devtools/server/HeapSnapshot.h b/toolkit/devtools/server/HeapSnapshot.h
index ead729a9e5b3..406c73e89bc2 100644
--- a/toolkit/devtools/server/HeapSnapshot.h
+++ b/toolkit/devtools/server/HeapSnapshot.h
@@ -52,7 +52,9 @@ struct UniqueStringHashPolicy {
 
   static bool match(const UniqueString& existing, const Lookup& lookup) {
     MOZ_ASSERT(lookup.str);
-    return NS_strncmp(existing.get(), lookup.str, lookup.length) == 0;
+    if (NS_strlen(existing.get()) != lookup.length)
+      return false;
+    return memcmp(existing.get(), lookup.str, lookup.length * sizeof(char16_t)) == 0;
   }
 };
 
@@ -87,8 +89,8 @@ class HeapSnapshot final : public nsISupports
   NodeId rootId;
 
   // The set of nodes in this deserialized heap graph, keyed by id.
-  using NodeMap = js::HashMap<NodeId, UniquePtr<DeserializedNode>>;
-  NodeMap nodes;
+  using NodeSet = js::HashSet<DeserializedNode, DeserializedNode::HashPolicy>;
+  NodeSet nodes;
 
   // Core dump files have many duplicate strings: type names are repeated for
   // each node, and although in theory edge names are highly customizable for
diff --git a/toolkit/devtools/server/moz.build b/toolkit/devtools/server/moz.build
index 5762aa57093b..1503896e66da 100644
--- a/toolkit/devtools/server/moz.build
+++ b/toolkit/devtools/server/moz.build
@@ -18,6 +18,7 @@ XPIDL_SOURCES += [
 XPIDL_MODULE = 'jsinspector'
 
 EXPORTS.mozilla.devtools += [
+    'AutoMemMap.h',
     'ChromeUtils.h',
     'CoreDump.pb.h',
     'DeserializedNode.h',
@@ -26,6 +27,7 @@ EXPORTS.mozilla.devtools += [
 ]
 
 SOURCES += [
+    'AutoMemMap.cpp',
     'ChromeUtils.cpp',
     'CoreDump.pb.cc',
     'DeserializedNode.cpp',
diff --git a/toolkit/devtools/server/tests/gtest/DeserializedNodeUbiNodes.cpp b/toolkit/devtools/server/tests/gtest/DeserializedNodeUbiNodes.cpp
index 76d7845ee7f4..743c90caa2cc 100644
--- a/toolkit/devtools/server/tests/gtest/DeserializedNodeUbiNodes.cpp
+++ b/toolkit/devtools/server/tests/gtest/DeserializedNodeUbiNodes.cpp
@@ -26,7 +26,7 @@ struct MockDeserializedNode : public DeserializedNode
     return edges.append(Move(edge));
   }
 
-  MOCK_METHOD1(getEdgeReferent, DeserializedNode&(const DeserializedEdge&));
+  MOCK_METHOD1(getEdgeReferent, JS::ubi::Node(const DeserializedEdge&));
 };
 
 size_t fakeMallocSizeOf(const void*) {
@@ -65,7 +65,7 @@ DEF_TEST(DeserializedNodeUbiNodes, {
                 getEdgeReferent(Field(&DeserializedEdge::referent,
                                       referent1->id)))
       .Times(1)
-      .WillOnce(ReturnRef(*referent1.get()));
+      .WillOnce(Return(JS::ubi::Node(referent1.get())));
 
     UniquePtr<DeserializedNode> referent2(new MockDeserializedNode(2,
                                                                    nullptr,
@@ -77,7 +77,7 @@ DEF_TEST(DeserializedNodeUbiNodes, {
                 getEdgeReferent(Field(&DeserializedEdge::referent,
                                       referent2->id)))
       .Times(1)
-      .WillOnce(ReturnRef(*referent2.get()));
+      .WillOnce(Return(JS::ubi::Node(referent2.get())));
 
     UniquePtr<DeserializedNode> referent3(new MockDeserializedNode(3,
                                                                    nullptr,
@@ -89,7 +89,7 @@ DEF_TEST(DeserializedNodeUbiNodes, {
                 getEdgeReferent(Field(&DeserializedEdge::referent,
                                       referent3->id)))
       .Times(1)
-      .WillOnce(ReturnRef(*referent3.get()));
+      .WillOnce(Return(JS::ubi::Node(referent3.get())));
 
     ubi.edges(cx);
   });
diff --git a/toolkit/devtools/server/tests/gtest/UniqueStringHashPolicy.cpp b/toolkit/devtools/server/tests/gtest/UniqueStringHashPolicy.cpp
new file mode 100644
index 000000000000..3c210d5e82f9
--- /dev/null
+++ b/toolkit/devtools/server/tests/gtest/UniqueStringHashPolicy.cpp
@@ -0,0 +1,25 @@
+/* -*-  Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2; -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Bug 1171226 - Test UniqueStringHashPolicy::match
+
+#include "DevTools.h"
+#include "mozilla/devtools/HeapSnapshot.h"
+
+using mozilla::devtools::UniqueString;
+using mozilla::devtools::UniqueStringHashPolicy;
+
+DEF_TEST(UniqueStringHashPolicy_match, {
+    //                                               1
+    //                                     01234567890123456
+    UniqueString str1(NS_strdup(MOZ_UTF16("some long string and a tail")));
+    ASSERT_TRUE(!!str1);
+
+    UniqueStringHashPolicy::Lookup lookup(MOZ_UTF16("some long string with same prefix"), 16);
+
+    // str1 is longer than Lookup.length, so they shouldn't match, even though
+    // the first 16 chars are equal!
+    ASSERT_FALSE(UniqueStringHashPolicy::match(str1, lookup));
+  });
diff --git a/toolkit/devtools/server/tests/gtest/moz.build b/toolkit/devtools/server/tests/gtest/moz.build
index eb78b6ff7ed2..9c601aded383 100644
--- a/toolkit/devtools/server/tests/gtest/moz.build
+++ b/toolkit/devtools/server/tests/gtest/moz.build
@@ -17,6 +17,7 @@ UNIFIED_SOURCES = [
     'SerializesEdgeNames.cpp',
     'SerializesEverythingInHeapGraphOnce.cpp',
     'SerializesTypeNames.cpp',
+    'UniqueStringHashPolicy.cpp',
 ]
 
 FINAL_LIBRARY = 'xul-gtest'
diff --git a/toolkit/modules/Finder.jsm b/toolkit/modules/Finder.jsm
index e1e96b525988..6d080054fd3f 100644
--- a/toolkit/modules/Finder.jsm
+++ b/toolkit/modules/Finder.jsm
@@ -1048,3 +1048,6 @@ function GetClipboardSearchString(aLoadContext) {
 
   return searchString;
 }
+
+this.Finder = Finder;
+this.GetClipboardSearchString = GetClipboardSearchString;
diff --git a/toolkit/mozapps/extensions/test/xpinstall/browser.ini b/toolkit/mozapps/extensions/test/xpinstall/browser.ini
index 9ec3d1d4f5ea..13d6c36647eb 100644
--- a/toolkit/mozapps/extensions/test/xpinstall/browser.ini
+++ b/toolkit/mozapps/extensions/test/xpinstall/browser.ini
@@ -41,10 +41,10 @@ support-files =
 [browser_bug540558.js]
 [browser_bug611242.js]
 [browser_bug638292.js]
-skip-if = e10s # Bug 1083269
+skip-if = e10s # Bug 1173330
 [browser_bug645699.js]
-# [browser_bug672485.js]
-# disabled due to a leak. See bug 682410.
+[browser_bug672485.js]
+skip-if = true # disabled due to a leak. See bug 682410.
 [browser_cancel.js]
 [browser_concurrent_installs.js]
 [browser_cookies.js]
@@ -94,4 +94,3 @@ skip-if = buildapp == "mulet"
 [browser_whitelist5.js]
 [browser_whitelist6.js]
 [browser_whitelist7.js]
-skip-if = (os == 'win' || os == 'mac') && debug # bug 986458 - leaked 1 docshell until shutdown on chunked debug bc
diff --git a/uriloader/base/nsDocLoader.cpp b/uriloader/base/nsDocLoader.cpp
index 240c817570ab..cd85b439635c 100644
--- a/uriloader/base/nsDocLoader.cpp
+++ b/uriloader/base/nsDocLoader.cpp
@@ -1343,43 +1343,23 @@ nsDocLoader::nsRequestInfo* nsDocLoader::GetRequestInfo(nsIRequest* aRequest)
                     (PL_DHashTableSearch(&mRequestInfoHash, aRequest));
 }
 
-// PLDHashTable enumeration callback that just removes every entry
-// from the hash.
-static PLDHashOperator
-RemoveInfoCallback(PLDHashTable *table, PLDHashEntryHdr *hdr, uint32_t number,
-                   void *arg)
-{
-  return PL_DHASH_REMOVE;
-}
-
 void nsDocLoader::ClearRequestInfoHash(void)
 {
-  PL_DHashTableEnumerate(&mRequestInfoHash, RemoveInfoCallback, nullptr);
-}
-
-// PLDHashTable enumeration callback that calculates the max progress.
-PLDHashOperator
-nsDocLoader::CalcMaxProgressCallback(PLDHashTable* table, PLDHashEntryHdr* hdr,
-                                     uint32_t number, void* arg)
-{
-  const nsRequestInfo* info = static_cast<const nsRequestInfo*>(hdr);
-  int64_t* max = static_cast<int64_t* >(arg);
-
-  if (info->mMaxProgress < info->mCurrentProgress) {
-    *max = int64_t(-1);
-
-    return PL_DHASH_STOP;
-  }
-
-  *max += info->mMaxProgress;
-
-  return PL_DHASH_NEXT;
+  mRequestInfoHash.Clear();
 }
 
 int64_t nsDocLoader::CalculateMaxProgress()
 {
   int64_t max = mCompletedTotalProgress;
-  PL_DHashTableEnumerate(&mRequestInfoHash, CalcMaxProgressCallback, &max);
+  PLDHashTable::Iterator iter(&mRequestInfoHash);
+  while (iter.HasMoreEntries()) {
+    auto info = static_cast<const nsRequestInfo*>(iter.NextEntry());
+
+    if (info->mMaxProgress < info->mCurrentProgress) {
+      return int64_t(-1);
+    }
+    max += info->mMaxProgress;
+  }
   return max;
 }
 
diff --git a/uriloader/base/nsDocLoader.h b/uriloader/base/nsDocLoader.h
index 087d57641df8..49521c6edbe8 100644
--- a/uriloader/base/nsDocLoader.h
+++ b/uriloader/base/nsDocLoader.h
@@ -324,9 +324,6 @@ private:
     nsRequestInfo *GetRequestInfo(nsIRequest* aRequest);
     void ClearRequestInfoHash();
     int64_t CalculateMaxProgress();
-    static PLDHashOperator CalcMaxProgressCallback(PLDHashTable* table,
-                                                   PLDHashEntryHdr* hdr,
-                                                   uint32_t number, void* arg);
 ///    void DumpChannelInfo(void);
 
     // used to clear our internal progress state between loads...
diff --git a/widget/ScreenProxy.cpp b/widget/ScreenProxy.cpp
index f1673af736fe..936841431f8e 100644
--- a/widget/ScreenProxy.cpp
+++ b/widget/ScreenProxy.cpp
@@ -171,9 +171,9 @@ ScreenProxy::InvalidateCacheOnNextTick()
 
   nsCOMPtr<nsIAppShell> appShell = do_GetService(kAppShellCID);
   if (appShell) {
-    appShell->RunInStableState(
-      NS_NewRunnableMethod(this, &ScreenProxy::InvalidateCache)
-    );
+    nsCOMPtr<nsIRunnable> r =
+      NS_NewRunnableMethod(this, &ScreenProxy::InvalidateCache);
+    appShell->RunInStableState(r.forget());
   } else {
     // It's pretty bad news if we can't get the appshell. In that case,
     // let's just invalidate the cache right away.
diff --git a/widget/TextEventDispatcher.cpp b/widget/TextEventDispatcher.cpp
index 459b40632ec5..0b5ab7e35059 100644
--- a/widget/TextEventDispatcher.cpp
+++ b/widget/TextEventDispatcher.cpp
@@ -83,6 +83,26 @@ TextEventDispatcher::BeginInputTransactionInternal(
   return NS_OK;
 }
 
+void
+TextEventDispatcher::EndInputTransaction(TextEventDispatcherListener* aListener)
+{
+  if (NS_WARN_IF(IsComposing()) || NS_WARN_IF(IsDispatchingEvent())) {
+    return;
+  }
+
+  nsCOMPtr<TextEventDispatcherListener> listener = do_QueryReferent(mListener);
+  if (NS_WARN_IF(!listener)) {
+    return;
+  }
+
+  if (NS_WARN_IF(listener != aListener)) {
+    return;
+  }
+
+  mListener = nullptr;
+  listener->OnRemovedFrom(this);
+}
+
 void
 TextEventDispatcher::OnDestroyWidget()
 {
diff --git a/widget/TextEventDispatcher.h b/widget/TextEventDispatcher.h
index f8affde8563e..f02bf3ffda06 100644
--- a/widget/TextEventDispatcher.h
+++ b/widget/TextEventDispatcher.h
@@ -59,6 +59,14 @@ public:
   nsresult BeginInputTransactionForTests(
              TextEventDispatcherListener* aListener);
 
+  /**
+   * EndInputTransaction() should be called when the listener stops using
+   * the TextEventDispatcher.
+   *
+   * @param aListener       The listener using the TextEventDispatcher instance.
+   */
+  void EndInputTransaction(TextEventDispatcherListener* aListener);
+
   /**
    * OnDestroyWidget() is called when mWidget is being destroyed.
    */
diff --git a/widget/TextEvents.h b/widget/TextEvents.h
index 44fc72379bac..2ffbee554162 100644
--- a/widget/TextEvents.h
+++ b/widget/TextEvents.h
@@ -410,6 +410,15 @@ public:
     return mRanges ? mRanges->TargetClauseOffset() : 0;
   }
 
+  uint32_t TargetClauseLength() const
+  {
+    uint32_t length = UINT32_MAX;
+    if (mRanges) {
+      length = mRanges->TargetClauseLength();
+    }
+    return length == UINT32_MAX ? mData.Length() : length;
+  }
+
   uint32_t RangeCount() const
   {
     return mRanges ? mRanges->Length() : 0;
diff --git a/widget/TextRange.h b/widget/TextRange.h
index b492ad9f0096..36abbf09dca8 100644
--- a/widget/TextRange.h
+++ b/widget/TextRange.h
@@ -195,6 +195,18 @@ class TextRangeArray final : public nsAutoTArray<TextRange, 10>
 
   NS_INLINE_DECL_REFCOUNTING(TextRangeArray)
 
+  const TextRange* GetTargetClause() const
+  {
+    for (uint32_t i = 0; i < Length(); ++i) {
+      const TextRange& range = ElementAt(i);
+      if (range.mRangeType == NS_TEXTRANGE_SELECTEDRAWTEXT ||
+          range.mRangeType == NS_TEXTRANGE_SELECTEDCONVERTEDTEXT) {
+        return &range;
+      }
+    }
+    return nullptr;
+  }
+
 public:
   bool IsComposing() const
   {
@@ -206,18 +218,20 @@ public:
     return false;
   }
 
-  // Returns target clase offset.  If there are selected clauses, this returns
+  // Returns target clause offset.  If there are selected clauses, this returns
   // the first selected clause offset.  Otherwise, 0.
   uint32_t TargetClauseOffset() const
   {
-    for (uint32_t i = 0; i < Length(); ++i) {
-      const TextRange& range = ElementAt(i);
-      if (range.mRangeType == NS_TEXTRANGE_SELECTEDRAWTEXT ||
-          range.mRangeType == NS_TEXTRANGE_SELECTEDCONVERTEDTEXT) {
-        return range.mStartOffset;
-      }
-    }
-    return 0;
+    const TextRange* range = GetTargetClause();
+    return range ? range->mStartOffset : 0;
+  }
+
+  // Returns target clause length.  If there are selected clauses, this returns
+  // the first selected clause length.  Otherwise, UINT32_MAX.
+  uint32_t TargetClauseLength() const
+  {
+    const TextRange* range = GetTargetClause();
+    return range ? range->Length() : UINT32_MAX;
   }
 
   bool Equals(const TextRangeArray& aOther) const
diff --git a/widget/cocoa/nsNativeThemeCocoa.mm b/widget/cocoa/nsNativeThemeCocoa.mm
index ad4df3659e3b..69e7a02ed080 100644
--- a/widget/cocoa/nsNativeThemeCocoa.mm
+++ b/widget/cocoa/nsNativeThemeCocoa.mm
@@ -90,6 +90,20 @@ extern "C" {
 
 @end
 
+// These two classes don't actually add any behavior over NSButtonCell. Their
+// purpose is to make it easy to distinguish NSCell objects that are used for
+// drawing radio buttons / checkboxes from other cell types.
+// The class names are made up, there are no classes with these names in AppKit.
+// The reason we need them is that calling [cell setButtonType:NSRadioButton]
+// doesn't leave an easy-to-check "marker" on the cell object - there is no
+// -[NSButtonCell buttonType] method.
+@interface RadioButtonCell : NSButtonCell
+@end;
+@implementation RadioButtonCell @end;
+@interface CheckboxCell : NSButtonCell
+@end;
+@implementation CheckboxCell @end;
+
 static void
 DrawFocusRingForCellIfNeeded(NSCell* aCell, NSRect aWithFrame, NSView* aInView)
 {
@@ -120,7 +134,7 @@ DrawFocusRingForCellIfNeeded(NSCell* aCell, NSRect aWithFrame, NSView* aInView)
 }
 
 static bool
-FocusIsDrawnByDrawWithFrame()
+FocusIsDrawnByDrawWithFrame(NSCell* aCell)
 {
 #if defined(MAC_OS_X_VERSION_10_8) && MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_8
   // When building with the 10.8 SDK or higher, focus rings don't draw as part
@@ -130,9 +144,19 @@ FocusIsDrawnByDrawWithFrame()
   // https://developer.apple.com/library/mac/releasenotes/AppKit/RN-AppKitOlderNotes/#X10_8Notes
   return false;
 #else
-  // On 10.10 and up, this is the case even when building against the 10.7 SDK
-  // or lower.
-  return !nsCocoaFeatures::OnYosemiteOrLater();
+  if (!nsCocoaFeatures::OnYosemiteOrLater()) {
+    // When building with the 10.7 SDK or lower, focus rings always draw as
+    // part of -[NSCell drawWithFrame:inView:] if the build is run on 10.9 or
+    // lower.
+    return true;
+  }
+
+  // On 10.10, whether the focus ring is drawn as part of
+  // -[NSCell drawWithFrame:inView:] depends on the cell type.
+  // Radio buttons and checkboxes draw their own focus rings, other cell
+  // types need -[NSCell drawFocusRingMaskWithFrame:inView:].
+  return [aCell isKindOfClass:[RadioButtonCell class]] ||
+         [aCell isKindOfClass:[CheckboxCell class]];
 #endif
 }
 
@@ -141,7 +165,7 @@ DrawCellIncludingFocusRing(NSCell* aCell, NSRect aWithFrame, NSView* aInView)
 {
   [aCell drawWithFrame:aWithFrame inView:aInView];
 
-  if (!FocusIsDrawnByDrawWithFrame()) {
+  if (!FocusIsDrawnByDrawWithFrame(aCell)) {
     DrawFocusRingForCellIfNeeded(aCell, aWithFrame, aInView);
   }
 }
@@ -322,7 +346,11 @@ static BOOL IsToolbarStyleContainer(nsIFrame* aFrame)
 {
   [super drawWithFrame:rect inView:controlView];
 
-  if (FocusIsDrawnByDrawWithFrame()) {
+  if (FocusIsDrawnByDrawWithFrame(self)) {
+    // For some reason, -[NSSearchFieldCell drawWithFrame:inView] doesn't draw a
+    // focus ring in 64 bit mode, no matter what SDK is used or what OS X version
+    // we're running on. But if FocusIsDrawnByDrawWithFrame(self), then our
+    // caller expects us to draw a focus ring. So we just do that here.
     DrawFocusRingForCellIfNeeded(self, rect, controlView);
   }
 }
@@ -340,11 +368,13 @@ static BOOL IsToolbarStyleContainer(nsIFrame* aFrame)
 #endif
 
 #define HITHEME_ORIENTATION kHIThemeOrientationNormal
-#define MAX_FOCUS_RING_WIDTH 4
+
+static CGFloat kMaxFocusRingWidth = 0; // initialized by the nsNativeThemeCocoa constructor
 
 // These enums are for indexing into the margin array.
 enum {
-  leopardOS = 0
+  leopardOSorlater = 0, // 10.6 - 10.9
+  yosemiteOSorlater = 1 // 10.10+
 };
 
 enum {
@@ -393,7 +423,8 @@ static void InflateControlRect(NSRect* rect, NSControlSize cocoaControlSize, con
   if (!marginSet)
     return;
 
-  static int osIndex = leopardOS;
+  static int osIndex = nsCocoaFeatures::OnYosemiteOrLater() ?
+                         yosemiteOSorlater : leopardOSorlater;
   size_t controlSize = EnumSizeForCocoaSize(cocoaControlSize);
   const float* buttonMargins = marginSet[osIndex][controlSize];
   rect->origin.x -= buttonMargins[leftMargin];
@@ -490,6 +521,8 @@ nsNativeThemeCocoa::nsNativeThemeCocoa()
 {
   NS_OBJC_BEGIN_TRY_ABORT_BLOCK;
 
+  kMaxFocusRingWidth = nsCocoaFeatures::OnYosemiteOrLater() ? 7 : 4;
+
   // provide a local autorelease pool, as this is called during startup
   // before the main event-loop pool is in place
   nsAutoreleasePool pool;
@@ -508,10 +541,10 @@ nsNativeThemeCocoa::nsNativeThemeCocoa()
   [mPushButtonCell setButtonType:NSMomentaryPushInButton];
   [mPushButtonCell setHighlightsBy:NSPushInCellMask];
 
-  mRadioButtonCell = [[NSButtonCell alloc] initTextCell:nil];
+  mRadioButtonCell = [[RadioButtonCell alloc] initTextCell:nil];
   [mRadioButtonCell setButtonType:NSRadioButton];
 
-  mCheckboxCell = [[NSButtonCell alloc] initTextCell:nil];
+  mCheckboxCell = [[CheckboxCell alloc] initTextCell:nil];
   [mCheckboxCell setButtonType:NSSwitchButton];
   [mCheckboxCell setAllowsMixedState:YES];
 
@@ -655,14 +688,14 @@ static void DrawCellWithScaling(NSCell *cell,
   else {
     float w = ceil(drawRect.size.width);
     float h = ceil(drawRect.size.height);
-    NSRect tmpRect = NSMakeRect(MAX_FOCUS_RING_WIDTH, MAX_FOCUS_RING_WIDTH, w, h);
+    NSRect tmpRect = NSMakeRect(kMaxFocusRingWidth, kMaxFocusRingWidth, w, h);
 
     // inflate to figure out the frame we need to tell NSCell to draw in, to get something that's 0,0,w,h
     InflateControlRect(&tmpRect, controlSize, marginSet);
 
-    // and then, expand by MAX_FOCUS_RING_WIDTH size to make sure we can capture any focus ring
-    w += MAX_FOCUS_RING_WIDTH * 2.0;
-    h += MAX_FOCUS_RING_WIDTH * 2.0;
+    // and then, expand by kMaxFocusRingWidth size to make sure we can capture any focus ring
+    w += kMaxFocusRingWidth * 2.0;
+    h += kMaxFocusRingWidth * 2.0;
 
     int backingScaleFactor = GetBackingScaleFactorForRendering(cgContext);
     CGColorSpaceRef rgb = CGColorSpaceCreateDeviceRGB();
@@ -700,12 +733,12 @@ static void DrawCellWithScaling(NSCell *cell,
     CGImageRef img = CGBitmapContextCreateImage(ctx);
 
     // Drop the image into the original destination rectangle, scaling to fit
-    // Only scale MAX_FOCUS_RING_WIDTH by xscale/yscale when the resulting rect
+    // Only scale kMaxFocusRingWidth by xscale/yscale when the resulting rect
     // doesn't extend beyond the overflow rect
     float xscale = destRect.size.width / drawRect.size.width;
     float yscale = destRect.size.height / drawRect.size.height;
-    float scaledFocusRingX = xscale < 1.0f ? MAX_FOCUS_RING_WIDTH * xscale : MAX_FOCUS_RING_WIDTH;
-    float scaledFocusRingY = yscale < 1.0f ? MAX_FOCUS_RING_WIDTH * yscale : MAX_FOCUS_RING_WIDTH;
+    float scaledFocusRingX = xscale < 1.0f ? kMaxFocusRingWidth * xscale : kMaxFocusRingWidth;
+    float scaledFocusRingY = yscale < 1.0f ? kMaxFocusRingWidth * yscale : kMaxFocusRingWidth;
     CGContextDrawImage(cgContext, CGRectMake(destRect.origin.x - scaledFocusRingX,
                                              destRect.origin.y - scaledFocusRingY,
                                              destRect.size.width + scaledFocusRingX * 2,
@@ -736,10 +769,10 @@ struct CellRenderSettings {
   NSSize minimumSizes[3];
 
   // A three-dimensional array,
-  // with the first dimension being the OS version (only Leopard for the moment),
+  // with the first dimension being the OS version ([0] 10.6-10.9, [1] 10.10 and above),
   // the second being the control size (mini, small, regular), and the third
   // being the 4 margin values (left, top, right, bottom).
-  float margins[1][3][4];
+  float margins[2][3][4];
 };
 
 /*
@@ -965,6 +998,11 @@ static const CellRenderSettings radioSettings = {
       {0, 0, 0, 0},     // mini
       {0, 1, 1, 1},     // small
       {0, 0, 0, 0}      // regular
+    },
+    { // Yosemite
+      {0, 0, 0, 0},     // mini
+      {1, 1, 1, 2},     // small
+      {0, 0, 0, 0}      // regular
     }
   }
 };
@@ -983,6 +1021,11 @@ static const CellRenderSettings checkboxSettings = {
       {0, 1, 0, 0},     // mini
       {0, 1, 0, 1},     // small
       {0, 1, 0, 1}      // regular
+    },
+    { // Yosemite
+      {0, 1, 0, 0},     // mini
+      {0, 1, 0, 1},     // small
+      {0, 1, 0, 1}      // regular
     }
   }
 };
@@ -1036,6 +1079,11 @@ static const CellRenderSettings searchFieldSettings = {
       {0, 0, 0, 0},     // mini
       {0, 0, 0, 0},     // small
       {0, 0, 0, 0}      // regular
+    },
+    { // Yosemite
+      {0, 0, 0, 0},     // mini
+      {0, 0, 0, 0},     // small
+      {0, 0, 0, 0}      // regular
     }
   }
 };
@@ -1146,6 +1194,11 @@ static const CellRenderSettings pushButtonSettings = {
       {0, 0, 0, 0},    // mini
       {4, 0, 4, 1},    // small
       {5, 0, 5, 2}     // regular
+    },
+    { // Yosemite
+      {0, 0, 0, 0},    // mini
+      {4, 0, 4, 1},    // small
+      {5, 0, 5, 2}     // regular
     }
   }
 };
@@ -1258,8 +1311,8 @@ RenderTransformedHIThemeControl(CGContextRef aCGContext, const HIRect& aRect,
     aFunc(aCGContext, drawRect, aData);
   } else {
     // Inflate the buffer to capture focus rings.
-    int w = ceil(drawRect.size.width) + 2 * MAX_FOCUS_RING_WIDTH;
-    int h = ceil(drawRect.size.height) + 2 * MAX_FOCUS_RING_WIDTH;
+    int w = ceil(drawRect.size.width) + 2 * kMaxFocusRingWidth;
+    int h = ceil(drawRect.size.height) + 2 * kMaxFocusRingWidth;
 
     int backingScaleFactor = GetBackingScaleFactorForRendering(aCGContext);
     CGColorSpaceRef colorSpace = CGColorSpaceCreateDeviceRGB();
@@ -1273,7 +1326,7 @@ RenderTransformedHIThemeControl(CGContextRef aCGContext, const HIRect& aRect,
     CGColorSpaceRelease(colorSpace);
 
     CGContextScaleCTM(bitmapctx, backingScaleFactor, backingScaleFactor);
-    CGContextTranslateCTM(bitmapctx, MAX_FOCUS_RING_WIDTH, MAX_FOCUS_RING_WIDTH);
+    CGContextTranslateCTM(bitmapctx, kMaxFocusRingWidth, kMaxFocusRingWidth);
 
     // Set the context's "base transform" to in order to get correctly-sized focus rings.
     CGContextSetBaseCTM(bitmapctx, CGAffineTransformMakeScale(backingScaleFactor, backingScaleFactor));
@@ -1298,7 +1351,7 @@ RenderTransformedHIThemeControl(CGContextRef aCGContext, const HIRect& aRect,
       CGContextScaleCTM(aCGContext, -1.0f, 1.0f);
     }
 
-    HIRect inflatedDrawRect = CGRectMake(-MAX_FOCUS_RING_WIDTH, -MAX_FOCUS_RING_WIDTH, w, h);
+    HIRect inflatedDrawRect = CGRectMake(-kMaxFocusRingWidth, -kMaxFocusRingWidth, w, h);
     CGContextDrawImage(aCGContext, inflatedDrawRect, bitmap);
 
     CGContextSetCTM(aCGContext, ctm);
@@ -1414,6 +1467,11 @@ static const CellRenderSettings dropdownSettings = {
       {1, 1, 2, 1},    // mini
       {3, 0, 3, 1},    // small
       {3, 0, 3, 0}     // regular
+    },
+    { // Yosemite
+      {1, 1, 2, 1},    // mini
+      {3, 0, 3, 1},    // small
+      {3, 0, 3, 0}     // regular
     }
   }
 };
@@ -1434,6 +1492,11 @@ static const CellRenderSettings editableMenulistSettings = {
       {0, 0, 2, 2},    // mini
       {0, 0, 3, 2},    // small
       {0, 1, 3, 3}     // regular
+    },
+    { // Yosemite
+      {0, 0, 2, 2},    // mini
+      {0, 0, 3, 2},    // small
+      {0, 1, 3, 3}     // regular
     }
   }
 };
@@ -1478,6 +1541,11 @@ static const CellRenderSettings spinnerSettings = {
       {0, 0, 0, 0},    // mini
       {0, 0, 0, 0},    // small
       {0, 0, 0, 0}     // regular
+    },
+    { // Yosemite
+      {0, 0, 0, 0},    // mini
+      {0, 0, 0, 0},    // small
+      {0, 0, 0, 0}     // regular
     }
   }
 };
@@ -1644,6 +1712,11 @@ static const CellRenderSettings progressSettings[2][2] = {
           {0, 0, 0, 0},     // mini
           {1, 1, 1, 1},     // small
           {1, 0, 1, 0}      // regular
+        },
+        { // Yosemite
+          {0, 0, 0, 0},     // mini
+          {1, 1, 1, 1},     // small
+          {1, 0, 1, 0}      // regular
         }
       }
     }
@@ -1665,6 +1738,11 @@ static const CellRenderSettings progressSettings[2][2] = {
           {0, 0, 0, 0},     // mini
           {1, 1, 1, 1},     // small
           {1, 1, 1, 1}      // regular
+        },
+        { // Yosemite
+          {0, 0, 0, 0},     // mini
+          {1, 1, 1, 1},     // small
+          {1, 1, 1, 1}      // regular
         }
       }
     },
@@ -1683,6 +1761,11 @@ static const CellRenderSettings progressSettings[2][2] = {
           {0, 0, 0, 0},     // mini
           {1, 1, 1, 1},     // small
           {0, 1, 0, 1}      // regular
+        },
+        { // Yosemite
+          {0, 0, 0, 0},     // mini
+          {1, 1, 1, 1},     // small
+          {0, 1, 0, 1}      // regular
         }
       }
     }
@@ -1728,6 +1811,11 @@ static const CellRenderSettings meterSetting = {
       {1, 1, 1, 1},     // mini
       {1, 1, 1, 1},     // small
       {1, 1, 1, 1}      // regular
+    },
+    { // Yosemite
+      {1, 1, 1, 1},     // mini
+      {1, 1, 1, 1},     // small
+      {1, 1, 1, 1}      // regular
     }
   }
 };
@@ -3139,10 +3227,10 @@ nsNativeThemeCocoa::GetWidgetOverflow(nsDeviceContext* aContext, nsIFrame* aFram
     {
       // We assume that the above widgets can draw a focus ring that will be less than
       // or equal to 4 pixels thick.
-      nsIntMargin extraSize = nsIntMargin(MAX_FOCUS_RING_WIDTH,
-                                          MAX_FOCUS_RING_WIDTH,
-                                          MAX_FOCUS_RING_WIDTH,
-                                          MAX_FOCUS_RING_WIDTH);
+      nsIntMargin extraSize = nsIntMargin(kMaxFocusRingWidth,
+                                          kMaxFocusRingWidth,
+                                          kMaxFocusRingWidth,
+                                          kMaxFocusRingWidth);
       nsMargin m(NSIntPixelsToAppUnits(extraSize.top, p2a),
                  NSIntPixelsToAppUnits(extraSize.right, p2a),
                  NSIntPixelsToAppUnits(extraSize.bottom, p2a),
diff --git a/widget/gonk/nsAppShell.cpp b/widget/gonk/nsAppShell.cpp
index 7e274401ccbb..19ef7f8adf51 100644
--- a/widget/gonk/nsAppShell.cpp
+++ b/widget/gonk/nsAppShell.cpp
@@ -34,6 +34,7 @@
 
 #include "base/basictypes.h"
 #include "GonkPermission.h"
+#include "libdisplay/BootAnimation.h"
 #include "nscore.h"
 #ifdef MOZ_OMX_DECODER
 #include "MediaResourceManagerService.h"
@@ -936,6 +937,10 @@ nsAppShell::Observe(nsISupports* aSubject,
             updateHeadphoneSwitch();
         }
         mEnableDraw = true;
+
+        // System is almost booting up. Stop the bootAnim now.
+        StopBootAnimation();
+
         NotifyEvent();
         return NS_OK;
     }
diff --git a/widget/gonk/nsScreenManagerGonk.cpp b/widget/gonk/nsScreenManagerGonk.cpp
index e86e1efbdf8b..7723d445450b 100644
--- a/widget/gonk/nsScreenManagerGonk.cpp
+++ b/widget/gonk/nsScreenManagerGonk.cpp
@@ -227,9 +227,6 @@ nsScreenGonk::GetSurfaceFormat()
 ANativeWindow*
 nsScreenGonk::GetNativeWindow()
 {
-    if (IsPrimaryScreen()) {
-        StopBootAnimation();
-    }
     return mNativeWindow.get();
 }
 
diff --git a/widget/gtk/nsApplicationChooser.h b/widget/gtk/nsApplicationChooser.h
index a97d094327f2..9ccdafd0b5af 100644
--- a/widget/gtk/nsApplicationChooser.h
+++ b/widget/gtk/nsApplicationChooser.h
@@ -9,7 +9,7 @@
 #include <gtk/gtk.h>
 #include "nsIApplicationChooser.h"
 
-class nsApplicationChooser : public nsIApplicationChooser
+class nsApplicationChooser final : public nsIApplicationChooser
 {
 public:
   nsApplicationChooser();
diff --git a/widget/gtk/nsGtkIMModule.cpp b/widget/gtk/nsGtkIMModule.cpp
index 827e60a5f734..b80d273ef25e 100644
--- a/widget/gtk/nsGtkIMModule.cpp
+++ b/widget/gtk/nsGtkIMModule.cpp
@@ -14,6 +14,7 @@
 #include "mozilla/MiscEvents.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/TextEvents.h"
+#include "WritingModes.h"
 
 using namespace mozilla;
 using namespace mozilla::widget;
@@ -75,8 +76,30 @@ GetEventType(GdkEventKey* aKeyEvent)
     }
 }
 
+class GetWritingModeName : public nsAutoCString
+{
+public:
+  explicit GetWritingModeName(const WritingMode& aWritingMode)
+  {
+    if (!aWritingMode.IsVertical()) {
+      AssignLiteral("Horizontal");
+      return;
+    }
+    if (aWritingMode.IsVerticalLR()) {
+      AssignLiteral("Vertical (LTR)");
+      return;
+    }
+    AssignLiteral("Vertical (RTL)");
+  }
+  virtual ~GetWritingModeName() {}
+};
+
 const static bool kUseSimpleContextDefault = MOZ_WIDGET_GTK == 2;
 
+/******************************************************************************
+ * nsGtkIMModule
+ ******************************************************************************/
+
 nsGtkIMModule* nsGtkIMModule::sLastFocusedModule = nullptr;
 bool nsGtkIMModule::sUseSimpleContext;
 
@@ -89,10 +112,10 @@ nsGtkIMModule::nsGtkIMModule(nsWindow* aOwnerWindow)
     , mComposingContext(nullptr)
     , mCompositionStart(UINT32_MAX)
     , mProcessingKeyEvent(nullptr)
-    , mCompositionTargetOffset(UINT32_MAX)
     , mCompositionState(eCompositionState_NotComposing)
     , mIsIMFocused(false)
     , mIsDeletingSurrounding(false)
+    , mLayoutChanged(false)
 {
     if (!gGtkIMLog) {
         gGtkIMLog = PR_NewLogModule("nsGtkIMModuleWidgets");
@@ -418,6 +441,7 @@ nsGtkIMModule::OnFocusChangeInGecko(bool aFocus)
 
     // We shouldn't carry over the removed string to another editor.
     mSelectedString.Truncate();
+    mSelection.Clear();
 }
 
 void
@@ -505,6 +529,17 @@ nsGtkIMModule::EndIMEComposition(nsWindow* aCaller)
     return NS_OK;
 }
 
+void
+nsGtkIMModule::OnLayoutChange()
+{
+    if (MOZ_UNLIKELY(IsDestroyed())) {
+        return;
+    }
+
+    SetCursorPosition(GetActiveContext());
+    mLayoutChanged = true;
+}
+
 void
 nsGtkIMModule::OnUpdateComposition()
 {
@@ -512,7 +547,11 @@ nsGtkIMModule::OnUpdateComposition()
         return;
     }
 
-    SetCursorPosition(GetActiveContext(), mCompositionTargetOffset);
+    // If we've already set candidate window position, we don't need to update
+    // the position with update composition notification.
+    if (!mLayoutChanged) {
+        SetCursorPosition(GetActiveContext());
+    }
 }
 
 void
@@ -714,8 +753,11 @@ nsGtkIMModule::Blur()
 }
 
 void
-nsGtkIMModule::OnSelectionChange(nsWindow* aCaller)
+nsGtkIMModule::OnSelectionChange(nsWindow* aCaller,
+                                 const IMENotification& aIMENotification)
 {
+    mSelection.Assign(aIMENotification);
+
     if (MOZ_UNLIKELY(IsDestroyed())) {
         return;
     }
@@ -739,42 +781,13 @@ nsGtkIMModule::OnSelectionChange(nsWindow* aCaller)
     // event handler.  So, we're dispatching NS_COMPOSITION_START,
     // we should ignore selection change notification.
     if (mCompositionState == eCompositionState_CompositionStartDispatched) {
-        nsCOMPtr<nsIWidget> focusedWindow(mLastFocusedWindow);
-        nsEventStatus status;
-        WidgetQueryContentEvent selection(true, NS_QUERY_SELECTED_TEXT,
-                                          focusedWindow);
-        InitEvent(selection);
-        mLastFocusedWindow->DispatchEvent(&selection, status);
-
-        bool cannotContinueComposition = false;
-        if (MOZ_UNLIKELY(IsDestroyed())) {
-            MOZ_LOG(gGtkIMLog, LogLevel::Info,
-                ("    ERROR: nsGtkIMModule instance is destroyed during "
-                 "querying selection offset"));
-            return;
-        } else if (NS_WARN_IF(!selection.mSucceeded)) {
-            cannotContinueComposition = true;
-            MOZ_LOG(gGtkIMLog, LogLevel::Info,
-                ("    ERROR: failed to retrieve new caret offset"));
-        } else if (selection.mReply.mOffset == UINT32_MAX) {
-            cannotContinueComposition = true;
+        if (NS_WARN_IF(!mSelection.IsValid())) {
             MOZ_LOG(gGtkIMLog, LogLevel::Info,
                 ("    ERROR: new offset is too large, cannot keep composing"));
-        } else if (!mLastFocusedWindow || focusedWindow != mLastFocusedWindow) {
-            cannotContinueComposition = true;
-            MOZ_LOG(gGtkIMLog, LogLevel::Info,
-                ("    ERROR: focus is changed during querying selection "
-                 "offset"));
-        } else if (focusedWindow->Destroyed()) {
-            cannotContinueComposition = true;
-            MOZ_LOG(gGtkIMLog, LogLevel::Info,
-                ("    ERROR: focused window started to be being destroyed "
-                 "during querying selection offset"));
-        }
-
-        if (!cannotContinueComposition) {
+        } else {
             // Modify the selection start offset with new offset.
-            mCompositionStart = selection.mReply.mOffset;
+            mCompositionStart = mSelection.mOffset;
+            // XXX We should modify mSelectedString? But how?
             MOZ_LOG(gGtkIMLog, LogLevel::Info,
                 ("    NOTE: mCompositionStart is updated to %u, "
                  "the selection change doesn't cause resetting IM context",
@@ -822,7 +835,8 @@ nsGtkIMModule::OnStartCompositionNative(GtkIMContext *aContext)
     if (!DispatchCompositionStart(aContext)) {
         return;
     }
-    mCompositionTargetOffset = mCompositionStart;
+    mCompositionTargetRange.mOffset = mCompositionStart;
+    mCompositionTargetRange.mLength = 0;
 }
 
 /* static */
@@ -1082,13 +1096,7 @@ nsGtkIMModule::DispatchCompositionStart(GtkIMContext* aContext)
         return false;
     }
 
-    nsEventStatus status;
-    WidgetQueryContentEvent selection(true, NS_QUERY_SELECTED_TEXT,
-                                      mLastFocusedWindow);
-    InitEvent(selection);
-    mLastFocusedWindow->DispatchEvent(&selection, status);
-
-    if (!selection.mSucceeded || selection.mReply.mOffset == UINT32_MAX) {
+    if (NS_WARN_IF(!EnsureToCacheSelection())) {
         MOZ_LOG(gGtkIMLog, LogLevel::Info,
             ("    FAILED, cannot query the selection offset"));
         return false;
@@ -1098,7 +1106,7 @@ nsGtkIMModule::DispatchCompositionStart(GtkIMContext* aContext)
     //     even though we strongly hope it doesn't happen.
     //     Every composition event should have the start offset for the result
     //     because it may high cost if we query the offset every time.
-    mCompositionStart = selection.mReply.mOffset;
+    mCompositionStart = mSelection.mOffset;
     mDispatchedCompositionString.Truncate();
 
     if (mProcessingKeyEvent && !mKeyDownEventWasSent &&
@@ -1126,6 +1134,7 @@ nsGtkIMModule::DispatchCompositionStart(GtkIMContext* aContext)
                                      mLastFocusedWindow);
     InitEvent(compEvent);
     nsCOMPtr<nsIWidget> kungFuDeathGrip = mLastFocusedWindow;
+    nsEventStatus status;
     mLastFocusedWindow->DispatchEvent(&compEvent, status);
     if (static_cast<nsWindow*>(kungFuDeathGrip.get())->IsDestroyed() ||
         kungFuDeathGrip != mLastFocusedWindow) {
@@ -1167,15 +1176,12 @@ nsGtkIMModule::DispatchCompositionChangeEvent(
     // Store the selected string which will be removed by following
     // compositionchange event.
     if (mCompositionState == eCompositionState_CompositionStartDispatched) {
-        // XXX We should assume, for now, any web applications don't change
-        //     selection at handling this compositionchange event.
-        WidgetQueryContentEvent querySelectedTextEvent(true,
-                                                       NS_QUERY_SELECTED_TEXT,
-                                                       mLastFocusedWindow);
-        mLastFocusedWindow->DispatchEvent(&querySelectedTextEvent, status);
-        if (querySelectedTextEvent.mSucceeded) {
-            mSelectedString = querySelectedTextEvent.mReply.mString;
-            mCompositionStart = querySelectedTextEvent.mReply.mOffset;
+        if (NS_WARN_IF(!EnsureToCacheSelection(&mSelectedString))) {
+            // XXX How should we behave in this case??
+        } else {
+            // XXX We should assume, for now, any web applications don't change
+            //     selection at handling this compositionchange event.
+            mCompositionStart = mSelection.mOffset;
         }
     }
 
@@ -1194,6 +1200,14 @@ nsGtkIMModule::DispatchCompositionChangeEvent(
 
     mCompositionState = eCompositionState_CompositionChangeEventDispatched;
 
+    // We cannot call SetCursorPosition for e10s-aware.
+    // DispatchEvent is async on e10s, so composition rect isn't updated now
+    // on tab parent.
+    mLayoutChanged = false;
+    mCompositionTargetRange.mOffset = targetOffset;
+    mCompositionTargetRange.mLength =
+        compositionChangeEvent.mRanges->TargetClauseLength();
+
     mLastFocusedWindow->DispatchEvent(&compositionChangeEvent, status);
     if (lastFocusedWindow->IsDestroyed() ||
         lastFocusedWindow != mLastFocusedWindow) {
@@ -1202,12 +1216,6 @@ nsGtkIMModule::DispatchCompositionChangeEvent(
              "compositionchange event"));
         return false;
     }
-
-    // We cannot call SetCursorPosition for e10s-aware.
-    // DispatchEvent is async on e10s, so composition rect isn't updated now
-    // on tab parent.
-    mCompositionTargetOffset = targetOffset;
-
     return true;
 }
 
@@ -1249,7 +1257,7 @@ nsGtkIMModule::DispatchCompositionCommitEvent(
                                        NS_COMPOSITION_COMMIT_AS_IS;
     mCompositionState = eCompositionState_NotComposing;
     mCompositionStart = UINT32_MAX;
-    mCompositionTargetOffset = UINT32_MAX;
+    mCompositionTargetRange.Clear();
     mDispatchedCompositionString.Truncate();
 
     WidgetCompositionEvent compositionCommitEvent(true, message,
@@ -1404,16 +1412,19 @@ nsGtkIMModule::CreateTextRangeArray(GtkIMContext* aContext,
 }
 
 void
-nsGtkIMModule::SetCursorPosition(GtkIMContext* aContext,
-                                 uint32_t aTargetOffset)
+nsGtkIMModule::SetCursorPosition(GtkIMContext* aContext)
 {
     MOZ_LOG(gGtkIMLog, LogLevel::Info,
-        ("GtkIMModule(%p): SetCursorPosition, aContext=%p, aTargetOffset=%u",
-         this, aContext, aTargetOffset));
+        ("GtkIMModule(%p): SetCursorPosition, aContext=%p, "
+         "mCompositionTargetRange={ mOffset=%u, mLength=%u }"
+         "mSelection.mWritingMode=%s",
+         this, aContext, mCompositionTargetRange.mOffset,
+         mCompositionTargetRange.mLength,
+         GetWritingModeName(mSelection.mWritingMode).get()));
 
-    if (aTargetOffset == UINT32_MAX) {
+    if (!mCompositionTargetRange.IsValid()) {
         MOZ_LOG(gGtkIMLog, LogLevel::Info,
-            ("    FAILED, aTargetOffset is wrong offset"));
+            ("    FAILED, mCompositionTargetRange is invalid"));
         return;
     }
 
@@ -1431,7 +1442,15 @@ nsGtkIMModule::SetCursorPosition(GtkIMContext* aContext,
 
     WidgetQueryContentEvent charRect(true, NS_QUERY_TEXT_RECT,
                                      mLastFocusedWindow);
-    charRect.InitForQueryTextRect(aTargetOffset, 1);
+    if (mSelection.mWritingMode.IsVertical()) {
+        // For preventing the candidate window to overlap the target clause,
+        // we should set fake (typically, very tall) caret rect.
+        uint32_t length = mCompositionTargetRange.mLength ?
+            mCompositionTargetRange.mLength : 1;
+        charRect.InitForQueryTextRect(mCompositionTargetRange.mOffset, length);
+    } else {
+        charRect.InitForQueryTextRect(mCompositionTargetRange.mOffset, 1);
+    }
     InitEvent(charRect);
     nsEventStatus status;
     mLastFocusedWindow->DispatchEvent(&charRect, status);
@@ -1440,6 +1459,7 @@ nsGtkIMModule::SetCursorPosition(GtkIMContext* aContext,
             ("    FAILED, NS_QUERY_TEXT_RECT was failed"));
         return;
     }
+
     nsWindow* rootWindow =
         static_cast<nsWindow*>(mLastFocusedWindow->GetTopLevelWidget());
 
@@ -1483,14 +1503,14 @@ nsGtkIMModule::GetCurrentParagraph(nsAString& aText, uint32_t& aCursorPos)
     // current selection.
     if (!EditorHasCompositionString()) {
         // Query cursor position & selection
-        WidgetQueryContentEvent querySelectedTextEvent(true,
-                                                       NS_QUERY_SELECTED_TEXT,
-                                                       mLastFocusedWindow);
-        mLastFocusedWindow->DispatchEvent(&querySelectedTextEvent, status);
-        NS_ENSURE_TRUE(querySelectedTextEvent.mSucceeded, NS_ERROR_FAILURE);
+        if (NS_WARN_IF(!EnsureToCacheSelection())) {
+            MOZ_LOG(gGtkIMLog, LogLevel::Info,
+                ("    FAILED, due to no valid selection information"));
+            return NS_ERROR_FAILURE;
+        }
 
-        selOffset = querySelectedTextEvent.mReply.mOffset;
-        selLength = querySelectedTextEvent.mReply.mString.Length();
+        selOffset = mSelection.mOffset;
+        selLength = mSelection.mLength;
     }
 
     MOZ_LOG(gGtkIMLog, LogLevel::Info,
@@ -1588,14 +1608,12 @@ nsGtkIMModule::DeleteText(GtkIMContext* aContext,
             return NS_ERROR_FAILURE;
         }
     } else {
-        // Query cursor position & selection
-        WidgetQueryContentEvent querySelectedTextEvent(true,
-                                                       NS_QUERY_SELECTED_TEXT,
-                                                       mLastFocusedWindow);
-        lastFocusedWindow->DispatchEvent(&querySelectedTextEvent, status);
-        NS_ENSURE_TRUE(querySelectedTextEvent.mSucceeded, NS_ERROR_FAILURE);
-
-        selOffset = querySelectedTextEvent.mReply.mOffset;
+        if (NS_WARN_IF(!EnsureToCacheSelection())) {
+            MOZ_LOG(gGtkIMLog, LogLevel::Info,
+                ("    FAILED, due to no valid selection information"));
+            return NS_ERROR_FAILURE;
+        }
+        selOffset = mSelection.mOffset;
     }
 
     // Get all text contents of the focused editor
@@ -1718,3 +1736,77 @@ nsGtkIMModule::InitEvent(WidgetGUIEvent& aEvent)
 {
     aEvent.time = PR_Now() / 1000;
 }
+
+bool
+nsGtkIMModule::EnsureToCacheSelection(nsAString* aSelectedString)
+{
+    if (aSelectedString) {
+        aSelectedString->Truncate();
+    }
+
+    if (mSelection.IsValid() &&
+        (!mSelection.Collapsed() || !aSelectedString)) {
+       return true;
+    }
+
+    if (NS_WARN_IF(!mLastFocusedWindow)) {
+        MOZ_LOG(gGtkIMLog, LogLevel::Error,
+                ("GtkIMModule(%p): EnsureToCacheSelection(), FAILED, due to "
+                 "no focused window", this));
+        return false;
+    }
+
+    nsEventStatus status;
+    WidgetQueryContentEvent selection(true, NS_QUERY_SELECTED_TEXT,
+                                      mLastFocusedWindow);
+    InitEvent(selection);
+    mLastFocusedWindow->DispatchEvent(&selection, status);
+    if (NS_WARN_IF(!selection.mSucceeded)) {
+        MOZ_LOG(gGtkIMLog, LogLevel::Error,
+                ("GtkIMModule(%p): EnsureToCacheSelection(), FAILED, due to "
+                 "failure of query selection event", this));
+        return false;
+    }
+
+    mSelection.Assign(selection);
+    if (!mSelection.IsValid()) {
+        MOZ_LOG(gGtkIMLog, LogLevel::Error,
+                ("GtkIMModule(%p): EnsureToCacheSelection(), FAILED, due to "
+                 "failure of query selection event (invalid result)", this));
+        return false;
+    }
+
+    if (!mSelection.Collapsed() && aSelectedString) {
+        aSelectedString->Assign(selection.mReply.mString);
+    }
+
+    MOZ_LOG(gGtkIMLog, LogLevel::Debug,
+            ("GtkIMModule(%p): EnsureToCacheSelection(), Succeeded, mSelection="
+             "{ mOffset=%u, mLength=%u, mWritingMode=%s }",
+             this, mSelection.mOffset, mSelection.mLength,
+             GetWritingModeName(mSelection.mWritingMode).get()));
+    return true;
+}
+
+/******************************************************************************
+ * nsGtkIMModule::Selection
+ ******************************************************************************/
+
+void
+nsGtkIMModule::Selection::Assign(const IMENotification& aIMENotification)
+{
+    MOZ_ASSERT(aIMENotification.mMessage == NOTIFY_IME_OF_SELECTION_CHANGE);
+    mOffset = aIMENotification.mSelectionChangeData.mOffset;
+    mLength = aIMENotification.mSelectionChangeData.mLength;
+    mWritingMode = aIMENotification.mSelectionChangeData.GetWritingMode();
+}
+
+void
+nsGtkIMModule::Selection::Assign(const WidgetQueryContentEvent& aEvent)
+{
+    MOZ_ASSERT(aEvent.message == NS_QUERY_SELECTED_TEXT);
+    MOZ_ASSERT(aEvent.mSucceeded);
+    mOffset = aEvent.mReply.mOffset;
+    mLength = aEvent.mReply.mString.Length();
+    mWritingMode = aEvent.GetWritingMode();
+}
diff --git a/widget/gtk/nsGtkIMModule.h b/widget/gtk/nsGtkIMModule.h
index edf4bd28b6d2..960c3460db2e 100644
--- a/widget/gtk/nsGtkIMModule.h
+++ b/widget/gtk/nsGtkIMModule.h
@@ -16,13 +16,16 @@
 #include "nsCOMPtr.h"
 #include "nsTArray.h"
 #include "nsIWidget.h"
+#include "mozilla/CheckedInt.h"
 #include "mozilla/EventForwards.h"
+#include "WritingModes.h"
 
 class nsWindow;
 
 class nsGtkIMModule
 {
 protected:
+    typedef mozilla::widget::IMENotification IMENotification;
     typedef mozilla::widget::InputContext InputContext;
     typedef mozilla::widget::InputContextAction InputContextAction;
 
@@ -48,7 +51,8 @@ public:
     void OnFocusChangeInGecko(bool aFocus);
     // OnSelectionChange is a notification that selection (caret) is changed
     // in the focused editor.
-    void OnSelectionChange(nsWindow* aCaller);
+    void OnSelectionChange(nsWindow* aCaller,
+                           const IMENotification& aIMENotification);
 
     // OnKeyEvent is called when aWindow gets a native key press event or a
     // native key release event.  If this returns TRUE, the key event was
@@ -65,6 +69,7 @@ public:
                          const InputContextAction* aAction);
     InputContext GetInputContext();
     void OnUpdateComposition();
+    void OnLayoutChange();
 
 protected:
     ~nsGtkIMModule();
@@ -121,8 +126,27 @@ protected:
     // event.
     GdkEventKey* mProcessingKeyEvent;
 
-    // current target offset of IME composition
-    uint32_t mCompositionTargetOffset;
+    struct Range
+    {
+        uint32_t mOffset;
+        uint32_t mLength;
+
+        Range()
+            : mOffset(UINT32_MAX)
+            , mLength(UINT32_MAX)
+        {
+        }
+
+        bool IsValid() const { return mOffset != UINT32_MAX; }
+        void Clear()
+        {
+            mOffset = UINT32_MAX;
+            mLength = UINT32_MAX;
+        }
+    };
+
+    // current target offset and length of IME composition
+    Range mCompositionTargetRange;
 
     // mCompositionState indicates current status of composition.
     enum eCompositionState {
@@ -177,6 +201,44 @@ protected:
         }
     }
 
+    struct Selection final
+    {
+        uint32_t mOffset;
+        uint32_t mLength;
+        WritingMode mWritingMode;
+
+        Selection()
+            : mOffset(UINT32_MAX)
+            , mLength(UINT32_MAX)
+        {
+        }
+
+        void Clear()
+        {
+            mOffset = UINT32_MAX;
+            mLength = UINT32_MAX;
+            mWritingMode = WritingMode();
+        }
+
+        void Assign(const IMENotification& aIMENotification);
+        void Assign(const WidgetQueryContentEvent& aSelectedTextEvent);
+
+        bool IsValid() const { return mOffset != UINT32_MAX; }
+        bool Collapsed() const { return !mLength; }
+        uint32_t EndOffset() const
+        {
+            if (NS_WARN_IF(!IsValid())) {
+                return UINT32_MAX;
+            }
+            CheckedInt<uint32_t> endOffset =
+                CheckedInt<uint32_t>(mOffset) + mLength;
+            if (NS_WARN_IF(!endOffset.isValid())) {
+                return UINT32_MAX;
+            }
+            return endOffset.value();
+        }
+    } mSelection;
+    bool EnsureToCacheSelection(nsAString* aSelectedString = nullptr);
 
     // mIsIMFocused is set to TRUE when we call gtk_im_context_focus_in(). And
     // it's set to FALSE when we call gtk_im_context_focus_out().
@@ -194,6 +256,9 @@ protected:
     // mIsDeletingSurrounding is true while OnDeleteSurroundingNative() is
     // trying to delete the surrounding text.
     bool mIsDeletingSurrounding;
+    // mLayoutChanged is true after OnLayoutChange() is called.  This is reset
+    // when NS_COMPOSITION_CHANGE is being dispatched.
+    bool mLayoutChanged;
 
     // sLastFocusedModule is a pointer to the last focused instance of this
     // class.  When a instance is destroyed and sLastFocusedModule refers it,
@@ -285,14 +350,11 @@ protected:
                              const nsAString& aLastDispatchedData);
 
     /**
-     * Sets the offset's cursor position to IME.
+     * Move the candidate window with "fake" cursor position.
      *
      * @param aContext              A GtkIMContext which is being handled.
-     * @param aTargetOffset         Offset of a character which is anchor of
-     *                              a candidate window.  This is offset in
-     *                              UTF-16 string.
      */
-    void SetCursorPosition(GtkIMContext* aContext, uint32_t aTargetOffset);
+    void SetCursorPosition(GtkIMContext* aContext);
 
     // Queries the current selection offset of the window.
     uint32_t GetSelectionOffset(nsWindow* aWindow);
diff --git a/widget/gtk/nsImageToPixbuf.cpp b/widget/gtk/nsImageToPixbuf.cpp
index ca05b3b8a49e..a83a570d3d82 100644
--- a/widget/gtk/nsImageToPixbuf.cpp
+++ b/widget/gtk/nsImageToPixbuf.cpp
@@ -75,7 +75,9 @@ nsImageToPixbuf::SourceSurfaceToPixbuf(SourceSurface* aSurface,
 
     RefPtr<DataSourceSurface> dataSurface = aSurface->GetDataSurface();
     DataSourceSurface::MappedSurface map;
-    dataSurface->Map(DataSourceSurface::MapType::READ, &map);
+    if (!dataSurface->Map(DataSourceSurface::MapType::READ, &map))
+        return nullptr;
+
     uint8_t* srcData = map.mData;
     int32_t srcStride = map.mStride;
 
diff --git a/widget/gtk/nsNativeThemeGTK.cpp b/widget/gtk/nsNativeThemeGTK.cpp
index 24d4ca0469bb..233d769ecce7 100644
--- a/widget/gtk/nsNativeThemeGTK.cpp
+++ b/widget/gtk/nsNativeThemeGTK.cpp
@@ -35,6 +35,7 @@
 #include "gfxGdkNativeRenderer.h"
 #include "mozilla/gfx/BorrowedContext.h"
 #include "mozilla/gfx/HelpersCairo.h"
+#include "mozilla/gfx/PathHelpers.h"
 
 #ifdef MOZ_X11
 #  ifdef CAIRO_HAS_XLIB_SURFACE
@@ -715,6 +716,85 @@ ThemeRenderer::DrawWithGDK(GdkDrawable * drawable, gint offsetX,
   return NS_OK;
 }
 #else
+class SystemCairoClipper : public ClipExporter {
+public:
+  SystemCairoClipper(cairo_t* aContext) : mContext(aContext)
+  {
+  }
+
+  void
+  BeginClip(const Matrix& aTransform) override
+  {
+    cairo_matrix_t mat;
+    GfxMatrixToCairoMatrix(aTransform, mat);
+    cairo_set_matrix(mContext, &mat);
+
+    cairo_new_path(mContext);
+  }
+
+  void
+  MoveTo(const Point &aPoint) override
+  {
+    cairo_move_to(mContext, aPoint.x, aPoint.y);
+    mCurrentPoint = aPoint;
+  }
+
+  void
+  LineTo(const Point &aPoint) override
+  {
+    cairo_line_to(mContext, aPoint.x, aPoint.y);
+    mCurrentPoint = aPoint;
+  }
+
+  void
+  BezierTo(const Point &aCP1, const Point &aCP2, const Point &aCP3) override
+  {
+    cairo_curve_to(mContext, aCP1.x, aCP1.y, aCP2.x, aCP2.y, aCP3.x, aCP3.y);
+    mCurrentPoint = aCP3;
+  }
+
+  void
+  QuadraticBezierTo(const Point &aCP1, const Point &aCP2) override
+  {
+    Point CP0 = CurrentPoint();
+    Point CP1 = (CP0 + aCP1 * 2.0) / 3.0;
+    Point CP2 = (aCP2 + aCP1 * 2.0) / 3.0;
+    Point CP3 = aCP2;
+    cairo_curve_to(mContext, CP1.x, CP1.y, CP2.x, CP2.y, CP3.x, CP3.y);
+    mCurrentPoint = aCP2;
+  }
+
+  void
+  Arc(const Point &aOrigin, float aRadius, float aStartAngle, float aEndAngle,
+      bool aAntiClockwise) override
+  {
+    ArcToBezier(this, aOrigin, Size(aRadius, aRadius), aStartAngle, aEndAngle,
+                aAntiClockwise);
+  }
+
+  void
+  Close() override
+  {
+    cairo_close_path(mContext);
+  }
+
+  void
+  EndClip() override
+  {
+    cairo_clip(mContext);
+  }
+
+  Point
+  CurrentPoint() const override
+  {
+    return mCurrentPoint;
+  }
+
+private:
+  cairo_t* mContext;
+  Point mCurrentPoint;
+};
+
 static void
 DrawThemeWithCairo(gfxContext* aContext, DrawTarget* aDrawTarget,
                    GtkWidgetState aState, GtkThemeWidgetType aGTKWidgetType,
@@ -722,19 +802,29 @@ DrawThemeWithCairo(gfxContext* aContext, DrawTarget* aDrawTarget,
                    bool aSnapped, const Point& aDrawOrigin, const nsIntSize& aDrawSize,
                    GdkRectangle& aGDKRect, nsITheme::Transparency aTransparency)
 {
+  Point drawOffset;
+  Matrix transform;
+  if (!aSnapped) {
+    // If we are not snapped, we depend on the DT for translation.
+    drawOffset = aDrawOrigin;
+    transform = aDrawTarget->GetTransform().PreTranslate(aDrawOrigin);
+  } else {
+    // Otherwise, we only need to take the device offset into account.
+    drawOffset = aDrawOrigin - aContext->GetDeviceOffset();
+    transform = Matrix::Translation(drawOffset);
+  }
+
+  if (aScaleFactor != 1)
+    transform.PreScale(aScaleFactor, aScaleFactor);
+
+  cairo_matrix_t mat;
+  GfxMatrixToCairoMatrix(transform, mat);
+
 #ifndef MOZ_TREE_CAIRO
   // Directly use the Cairo draw target to render the widget if using system Cairo everywhere.
   BorrowedCairoContext borrow(aDrawTarget);
   if (borrow.mCairo) {
-    if (aSnapped) {
-      cairo_identity_matrix(borrow.mCairo);
-    }
-    if (aDrawOrigin != Point(0, 0)) {
-      cairo_translate(borrow.mCairo, aDrawOrigin.x, aDrawOrigin.y);
-    }
-    if (aScaleFactor != 1) {
-      cairo_scale(borrow.mCairo, aScaleFactor, aScaleFactor);
-    }
+    cairo_set_matrix(borrow.mCairo, &mat);
 
     moz_gtk_widget_paint(aGTKWidgetType, borrow.mCairo, &aGDKRect, &aState, aFlags, aDirection);
 
@@ -744,40 +834,33 @@ DrawThemeWithCairo(gfxContext* aContext, DrawTarget* aDrawTarget,
 #endif
 
   // A direct Cairo draw target is not available, so we need to create a temporary one.
-  bool needClip = !aSnapped || aContext->HasComplexClip();
 #if defined(MOZ_X11) && defined(CAIRO_HAS_XLIB_SURFACE)
-  if (!needClip) {
-    // If using a Cairo xlib surface, then try to reuse it.
-    BorrowedXlibDrawable borrow(aDrawTarget);
-    if (borrow.GetDrawable()) {
-      nsIntSize size = aDrawTarget->GetSize();
-      cairo_surface_t* surf = nullptr;
-      // Check if the surface is using XRender.
+  // If using a Cairo xlib surface, then try to reuse it.
+  BorrowedXlibDrawable borrow(aDrawTarget);
+  if (borrow.GetDrawable()) {
+    nsIntSize size = aDrawTarget->GetSize();
+    cairo_surface_t* surf = nullptr;
+    // Check if the surface is using XRender.
 #ifdef CAIRO_HAS_XLIB_XRENDER_SURFACE
-      if (borrow.GetXRenderFormat()) {
-        surf = cairo_xlib_surface_create_with_xrender_format(
+    if (borrow.GetXRenderFormat()) {
+      surf = cairo_xlib_surface_create_with_xrender_format(
           borrow.GetDisplay(), borrow.GetDrawable(), borrow.GetScreen(),
           borrow.GetXRenderFormat(), size.width, size.height);
-      } else {
+    } else {
 #else
       if (! borrow.GetXRenderFormat()) {
 #endif
         surf = cairo_xlib_surface_create(
-          borrow.GetDisplay(), borrow.GetDrawable(), borrow.GetVisual(),
-          size.width, size.height);
+            borrow.GetDisplay(), borrow.GetDrawable(), borrow.GetVisual(),
+            size.width, size.height);
       }
       if (!NS_WARN_IF(!surf)) {
         cairo_t* cr = cairo_create(surf);
         if (!NS_WARN_IF(!cr)) {
-          cairo_new_path(cr);
-          cairo_rectangle(cr, aDrawOrigin.x, aDrawOrigin.y, aDrawSize.width, aDrawSize.height);
-          cairo_clip(cr);
-          if (aDrawOrigin != Point(0, 0)) {
-            cairo_translate(cr, aDrawOrigin.x, aDrawOrigin.y);
-          }
-          if (aScaleFactor != 1) {
-            cairo_scale(cr, aScaleFactor, aScaleFactor);
-          }
+          RefPtr<SystemCairoClipper> clipper = new SystemCairoClipper(cr);
+          aContext->ExportClip(*clipper);
+
+          cairo_set_matrix(cr, &mat);
 
           moz_gtk_widget_paint(aGTKWidgetType, cr, &aGDKRect, &aState, aFlags, aDirection);
 
@@ -788,7 +871,6 @@ DrawThemeWithCairo(gfxContext* aContext, DrawTarget* aDrawTarget,
       borrow.Finish();
       return;
     }
-  }
 #endif
 
   // Check if the widget requires complex masking that must be composited.
@@ -797,18 +879,18 @@ DrawThemeWithCairo(gfxContext* aContext, DrawTarget* aDrawTarget,
   nsIntSize size;
   int32_t stride;
   SurfaceFormat format;
-  if (!needClip && aDrawTarget->LockBits(&data, &size, &stride, &format)) {
+  if (aDrawTarget->LockBits(&data, &size, &stride, &format)) {
     // Create a Cairo image surface context the device rectangle.
     cairo_surface_t* surf =
       cairo_image_surface_create_for_data(
-        data + int32_t(aDrawOrigin.y) * stride + int32_t(aDrawOrigin.x) * BytesPerPixel(format),
-        GfxFormatToCairoFormat(format), aDrawSize.width, aDrawSize.height, stride);
+        data, GfxFormatToCairoFormat(format), size.width, size.height, stride);
     if (!NS_WARN_IF(!surf)) {
       cairo_t* cr = cairo_create(surf);
       if (!NS_WARN_IF(!cr)) {
-        if (aScaleFactor != 1) {
-          cairo_scale(cr, aScaleFactor, aScaleFactor);
-        }
+        RefPtr<SystemCairoClipper> clipper = new SystemCairoClipper(cr);
+        aContext->ExportClip(*clipper);
+
+        cairo_set_matrix(cr, &mat);
 
         moz_gtk_widget_paint(aGTKWidgetType, cr, &aGDKRect, &aState, aFlags, aDirection);
 
@@ -845,17 +927,17 @@ DrawThemeWithCairo(gfxContext* aContext, DrawTarget* aDrawTarget,
       dataSurface->Unmap();
 
       if (cr) {
-        if (needClip || aTransparency != nsITheme::eOpaque) {
+        if (!aSnapped || aTransparency != nsITheme::eOpaque) {
           // The widget either needs to be masked or has transparency, so use the slower drawing path.
           aDrawTarget->DrawSurface(dataSurface,
-                                   Rect(aSnapped ? aDrawOrigin - aDrawTarget->GetTransform().GetTranslation() : aDrawOrigin,
+                                   Rect(aSnapped ? drawOffset - aDrawTarget->GetTransform().GetTranslation() : drawOffset,
                                         Size(aDrawSize)),
                                    Rect(0, 0, aDrawSize.width, aDrawSize.height));
         } else {
           // The widget is a simple opaque rectangle, so just copy it out.
           aDrawTarget->CopySurface(dataSurface,
                                    IntRect(0, 0, aDrawSize.width, aDrawSize.height),
-                                   TruncatedToInt(aDrawOrigin));
+                                   TruncatedToInt(drawOffset));
         }
 
         cairo_destroy(cr);
diff --git a/widget/gtk/nsWindow.cpp b/widget/gtk/nsWindow.cpp
index c65271cf57bc..149bd4d0558f 100644
--- a/widget/gtk/nsWindow.cpp
+++ b/widget/gtk/nsWindow.cpp
@@ -5951,11 +5951,14 @@ nsWindow::NotifyIMEInternal(const IMENotification& aIMENotification)
         case NOTIFY_IME_OF_BLUR:
             mIMModule->OnFocusChangeInGecko(false);
             return NS_OK;
+        case NOTIFY_IME_OF_POSITION_CHANGE:
+            mIMModule->OnLayoutChange();
+            return NS_OK;
         case NOTIFY_IME_OF_COMPOSITION_UPDATE:
             mIMModule->OnUpdateComposition();
             return NS_OK;
         case NOTIFY_IME_OF_SELECTION_CHANGE:
-            mIMModule->OnSelectionChange(this);
+            mIMModule->OnSelectionChange(this, aIMENotification);
             return NS_OK;
         default:
             return NS_ERROR_NOT_IMPLEMENTED;
@@ -5994,7 +5997,8 @@ nsIMEUpdatePreference
 nsWindow::GetIMEUpdatePreference()
 {
     nsIMEUpdatePreference updatePreference(
-        nsIMEUpdatePreference::NOTIFY_SELECTION_CHANGE);
+        nsIMEUpdatePreference::NOTIFY_SELECTION_CHANGE |
+        nsIMEUpdatePreference::NOTIFY_POSITION_CHANGE);
     // We shouldn't notify IME of selection change caused by changes of
     // composition string.  Therefore, we don't need to be notified selection
     // changes which are caused by compositionchange events handled.
diff --git a/widget/nsBaseAppShell.cpp b/widget/nsBaseAppShell.cpp
index be813c6b735f..d194abdd5176 100644
--- a/widget/nsBaseAppShell.cpp
+++ b/widget/nsBaseAppShell.cpp
@@ -387,7 +387,8 @@ nsBaseAppShell::RunSyncSectionsInternal(bool aStable,
 }
 
 void
-nsBaseAppShell::ScheduleSyncSection(nsIRunnable* aRunnable, bool aStable)
+nsBaseAppShell::ScheduleSyncSection(already_AddRefed<nsIRunnable> aRunnable,
+                                    bool aStable)
 {
   NS_ASSERTION(NS_IsMainThread(), "Should be on main thread.");
 
@@ -444,16 +445,16 @@ nsBaseAppShell::Observe(nsISupports *subject, const char *topic,
   return NS_OK;
 }
 
-NS_IMETHODIMP
-nsBaseAppShell::RunInStableState(nsIRunnable* aRunnable)
+void
+nsBaseAppShell::RunInStableState(already_AddRefed<nsIRunnable> aRunnable)
 {
-  ScheduleSyncSection(aRunnable, true);
-  return NS_OK;
+  ScheduleSyncSection(mozilla::Move(aRunnable), true);
 }
 
 NS_IMETHODIMP
 nsBaseAppShell::RunBeforeNextEvent(nsIRunnable* aRunnable)
 {
-  ScheduleSyncSection(aRunnable, false);
+  nsCOMPtr<nsIRunnable> runnable = aRunnable;
+  ScheduleSyncSection(runnable.forget(), false);
   return NS_OK;
 }
diff --git a/widget/nsBaseAppShell.h b/widget/nsBaseAppShell.h
index b528e88e484a..09f8e47b71ca 100644
--- a/widget/nsBaseAppShell.h
+++ b/widget/nsBaseAppShell.h
@@ -25,6 +25,8 @@ class nsBaseAppShell : public nsIAppShell, public nsIThreadObserver,
 public:
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSIAPPSHELL
+  void RunInStableState(already_AddRefed<nsIRunnable> runnable) override;
+
   NS_DECL_NSITHREADOBSERVER
   NS_DECL_NSIOBSERVER
 
@@ -94,7 +96,7 @@ private:
     }
   }
 
-  void ScheduleSyncSection(nsIRunnable* runnable, bool stable);
+  void ScheduleSyncSection(already_AddRefed<nsIRunnable> runnable, bool stable);
 
   struct SyncSection {
     SyncSection()
diff --git a/widget/nsIAppShell.idl b/widget/nsIAppShell.idl
index 3c0af793c633..bb089d20ae86 100644
--- a/widget/nsIAppShell.idl
+++ b/widget/nsIAppShell.idl
@@ -7,12 +7,15 @@
 #include "nsISupports.idl"
 
 interface nsIRunnable;
+%{ C++
+template <class T> struct already_AddRefed;
+%}
 
 /**
  * Interface for the native event system layer.  This interface is designed
  * to be used on the main application thread only.
  */
-[uuid(2d10ca53-f143-439a-bb2e-c1fbc71f6a05)]
+[uuid(3d09973e-3975-4fd4-b103-276300cc8437)]
 interface nsIAppShell : nsISupports
 {
   /**
@@ -71,16 +74,20 @@ interface nsIAppShell : nsISupports
    */
   readonly attribute unsigned long eventloopNestingLevel;
   
+%{ C++
   /**
-   * Allows running of a "synchronous section", in the form of an nsIRunnable
-   * once the event loop has reached a "stable state". We've reached a stable
-   * state when the currently executing task/event has finished, see:
+   * Add a "synchronous section", in the form of an nsIRunnable run once the
+   * event loop has reached a "stable state". |runnable| must not cause any
+   * queued events to be processed (i.e. must not spin the event loop). We've
+   * reached a stable state when the currently executing task/event has
+   * finished, see:
    * http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#synchronous-section
    * In practice this runs aRunnable once the currently executing event
    * finishes. If called multiple times per task/event, all the runnables will
    * be executed, in the order in which runInStableState() was called.
    */
-  void runInStableState(in nsIRunnable runnable);
+  virtual void RunInStableState(already_AddRefed<nsIRunnable> runnable) = 0;
+%}
 
   /**
    * Run the given runnable before the next iteration of the event loop (this
diff --git a/widget/nsScreenManagerProxy.cpp b/widget/nsScreenManagerProxy.cpp
index e014940ade97..b768a53091ae 100644
--- a/widget/nsScreenManagerProxy.cpp
+++ b/widget/nsScreenManagerProxy.cpp
@@ -200,9 +200,9 @@ nsScreenManagerProxy::InvalidateCacheOnNextTick()
 
   nsCOMPtr<nsIAppShell> appShell = do_GetService(kAppShellCID);
   if (appShell) {
-    appShell->RunInStableState(
-      NS_NewRunnableMethod(this, &nsScreenManagerProxy::InvalidateCache)
-    );
+    nsCOMPtr<nsIRunnable> r =
+      NS_NewRunnableMethod(this, &nsScreenManagerProxy::InvalidateCache);
+    appShell->RunInStableState(r.forget());
   } else {
     // It's pretty bad news if we can't get the appshell. In that case,
     // let's just invalidate the cache right away.
diff --git a/xpcom/base/CycleCollectedJSRuntime.cpp b/xpcom/base/CycleCollectedJSRuntime.cpp
index 00ac977042fd..57aeb51b45fc 100644
--- a/xpcom/base/CycleCollectedJSRuntime.cpp
+++ b/xpcom/base/CycleCollectedJSRuntime.cpp
@@ -740,7 +740,11 @@ CycleCollectedJSRuntime::GCSliceCallback(JSRuntime* aRuntime,
   MOZ_ASSERT(self->Runtime() == aRuntime);
 
   if (aProgress == JS::GC_CYCLE_END) {
-    NS_WARN_IF(NS_FAILED(DebuggerOnGCRunnable::Enqueue(aRuntime, aDesc)));
+    JS::gcreason::Reason reason = aDesc.reason_;
+    NS_WARN_IF(NS_FAILED(DebuggerOnGCRunnable::Enqueue(aRuntime, aDesc)) &&
+               reason != JS::gcreason::SHUTDOWN_CC &&
+               reason != JS::gcreason::DESTROY_RUNTIME &&
+               reason != JS::gcreason::XPCONNECT_SHUTDOWN);
   }
 
   if (self->mPrevGCSliceCallback) {
diff --git a/xpcom/base/nsCycleCollector.cpp b/xpcom/base/nsCycleCollector.cpp
index a50ed8be4682..1919f0aaf76c 100644
--- a/xpcom/base/nsCycleCollector.cpp
+++ b/xpcom/base/nsCycleCollector.cpp
@@ -182,6 +182,7 @@
 #include <stdint.h>
 #include <stdio.h>
 
+#include "mozilla/AutoTimelineMarker.h"
 #include "mozilla/Likely.h"
 #include "mozilla/PoisonIOInterposer.h"
 #include "mozilla/Telemetry.h"
@@ -2812,6 +2813,11 @@ nsCycleCollector::ForgetSkippable(bool aRemoveChildlessNodes,
 {
   CheckThreadSafety();
 
+  mozilla::Maybe<mozilla::AutoGlobalTimelineMarker> marker;
+  if (NS_IsMainThread()) {
+    marker.emplace("nsCycleCollector::ForgetSkippable");
+  }
+
   // If we remove things from the purple buffer during graph building, we may
   // lose track of an object that was mutated during graph building.
   MOZ_ASSERT(mIncrementalPhase == IdlePhase);
@@ -3572,6 +3578,11 @@ nsCycleCollector::Collect(ccType aCCType,
 
   MOZ_ASSERT(!IsIncrementalGCInProgress());
 
+  mozilla::Maybe<mozilla::AutoGlobalTimelineMarker> marker;
+  if (NS_IsMainThread()) {
+    marker.emplace("nsCycleCollector::Collect");
+  }
+
   bool startedIdle = (mIncrementalPhase == IdlePhase);
   bool collectedAny = false;
 
diff --git a/xpcom/ds/nsAtomTable.cpp b/xpcom/ds/nsAtomTable.cpp
index 15262287da03..fee856ad5e82 100644
--- a/xpcom/ds/nsAtomTable.cpp
+++ b/xpcom/ds/nsAtomTable.cpp
@@ -299,24 +299,6 @@ static const PLDHashTableOps AtomTableOps = {
 };
 
 
-#ifdef DEBUG
-static PLDHashOperator
-DumpAtomLeaks(PLDHashTable* aTable, PLDHashEntryHdr* aEntryHdr,
-              uint32_t aIndex, void* aArg)
-{
-  AtomTableEntry* entry = static_cast<AtomTableEntry*>(aEntryHdr);
-  AtomImpl* atom = entry->mAtom;
-  if (!atom->IsPermanent()) {
-    ++*static_cast<uint32_t*>(aArg);
-    nsAutoCString str;
-    atom->ToUTF8String(str);
-    fputs(str.get(), stdout);
-    fputs("\n", stdout);
-  }
-  return PL_DHASH_NEXT;
-}
-#endif
-
 static inline
 void
 PromoteToPermanent(AtomImpl* aAtom)
@@ -345,7 +327,18 @@ NS_PurgeAtomTable()
       uint32_t leaked = 0;
       printf("*** %d atoms still exist (including permanent):\n",
              gAtomTable->EntryCount());
-      PL_DHashTableEnumerate(gAtomTable, DumpAtomLeaks, &leaked);
+      PLDHashTable::Iterator iter(gAtomTable);
+      while (iter.HasMoreEntries()) {
+        auto entry = static_cast<AtomTableEntry*>(iter.NextEntry());
+        AtomImpl* atom = entry->mAtom;
+        if (!atom->IsPermanent()) {
+          leaked++;
+          nsAutoCString str;
+          atom->ToUTF8String(str);
+          fputs(str.get(), stdout);
+          fputs("\n", stdout);
+        }
+      }
       printf("*** %u non-permanent atoms leaked\n", leaked);
     }
 #endif
diff --git a/xpcom/ds/nsPersistentProperties.cpp b/xpcom/ds/nsPersistentProperties.cpp
index 145714f6e67a..39c4e4656b95 100644
--- a/xpcom/ds/nsPersistentProperties.cpp
+++ b/xpcom/ds/nsPersistentProperties.cpp
@@ -563,25 +563,6 @@ nsPersistentProperties::GetStringProperty(const nsACString& aKey,
   return NS_OK;
 }
 
-static PLDHashOperator
-AddElemToArray(PLDHashTable* aTable, PLDHashEntryHdr* aHdr,
-               uint32_t aIndex, void* aArg)
-{
-  nsCOMArray<nsIPropertyElement>* props =
-    static_cast<nsCOMArray<nsIPropertyElement>*>(aArg);
-  PropertyTableEntry* entry =
-    static_cast<PropertyTableEntry*>(aHdr);
-
-  nsPropertyElement* element =
-    new nsPropertyElement(nsDependentCString(entry->mKey),
-                          nsDependentString(entry->mValue));
-
-  props->AppendObject(element);
-
-  return PL_DHASH_NEXT;
-}
-
-
 NS_IMETHODIMP
 nsPersistentProperties::Enumerate(nsISimpleEnumerator** aResult)
 {
@@ -591,9 +572,17 @@ nsPersistentProperties::Enumerate(nsISimpleEnumerator** aResult)
   props.SetCapacity(mTable.EntryCount());
 
   // Step through hash entries populating a transient array
-  uint32_t n = PL_DHashTableEnumerate(&mTable, AddElemToArray, (void*)&props);
-  if (n < mTable.EntryCount()) {
-    return NS_ERROR_OUT_OF_MEMORY;
+  PLDHashTable::Iterator iter(&mTable);
+  while (iter.HasMoreEntries()) {
+    auto entry = static_cast<PropertyTableEntry*>(iter.NextEntry());
+
+    nsRefPtr<nsPropertyElement> element =
+      new nsPropertyElement(nsDependentCString(entry->mKey),
+                            nsDependentString(entry->mValue));
+
+    if (!props.AppendObject(element)) {
+      return NS_ERROR_OUT_OF_MEMORY;
+    }
   }
 
   return NS_NewArrayEnumerator(aResult, props);
diff --git a/xpcom/glue/nsTArray.h b/xpcom/glue/nsTArray.h
index e45bd41ed575..1e9d0e0e5eb4 100644
--- a/xpcom/glue/nsTArray.h
+++ b/xpcom/glue/nsTArray.h
@@ -1222,6 +1222,7 @@ public:
   // @param aArrayLen The number of values to copy into this array.
   // @return          A pointer to the new elements in the array, or null if
   //                  the operation failed due to insufficient memory.
+protected:
   template<class Item, typename ActualAlloc = Alloc>
   elem_type* ReplaceElementsAt(index_type aStart, size_type aCount,
                                const Item* aArray, size_type aArrayLen)
@@ -1238,7 +1239,7 @@ public:
     AssignRange(aStart, aArrayLen, aArray);
     return Elements() + aStart;
   }
-
+public:
 
   template<class Item>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1251,6 +1252,7 @@ public:
   }
 
   // A variation on the ReplaceElementsAt method defined above.
+protected:
   template<class Item, typename ActualAlloc = Alloc>
   elem_type* ReplaceElementsAt(index_type aStart, size_type aCount,
                                const nsTArray<Item>& aArray)
@@ -1258,6 +1260,7 @@ public:
     return ReplaceElementsAt<Item, ActualAlloc>(
       aStart, aCount, aArray.Elements(), aArray.Length());
   }
+public:
 
   template<class Item>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1269,12 +1272,14 @@ public:
   }
 
   // A variation on the ReplaceElementsAt method defined above.
+protected:
   template<class Item, typename ActualAlloc = Alloc>
   elem_type* ReplaceElementsAt(index_type aStart, size_type aCount,
                                const Item& aItem)
   {
     return ReplaceElementsAt<Item, ActualAlloc>(aStart, aCount, &aItem, 1);
   }
+public:
 
   template<class Item>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1292,12 +1297,14 @@ public:
   }
 
   // A variation on the ReplaceElementsAt method defined above.
+protected:
   template<class Item, typename ActualAlloc = Alloc>
   elem_type* InsertElementsAt(index_type aIndex, const Item* aArray,
                               size_type aArrayLen)
   {
     return ReplaceElementsAt<Item, ActualAlloc>(aIndex, 0, aArray, aArrayLen);
   }
+public:
 
   template<class Item>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1308,6 +1315,7 @@ public:
   }
 
   // A variation on the ReplaceElementsAt method defined above.
+protected:
   template<class Item, class Allocator, typename ActualAlloc = Alloc>
   elem_type* InsertElementsAt(index_type aIndex,
                               const nsTArray_Impl<Item, Allocator>& aArray)
@@ -1315,6 +1323,7 @@ public:
     return ReplaceElementsAt<Item, ActualAlloc>(
       aIndex, 0, aArray.Elements(), aArray.Length());
   }
+public:
 
   template<class Item, class Allocator>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1328,6 +1337,7 @@ public:
   // Insert a new element without copy-constructing. This is useful to avoid
   // temporaries.
   // @return A pointer to the newly inserted element, or null on OOM.
+protected:
   template<typename ActualAlloc = Alloc>
   elem_type* InsertElementAt(index_type aIndex)
   {
@@ -1341,6 +1351,7 @@ public:
     elem_traits::Construct(elem);
     return elem;
   }
+public:
 
   /* MOZ_WARN_UNUSED_RESULT */
   elem_type* InsertElementAt(index_type aIndex, const mozilla::fallible_t&)
@@ -1349,6 +1360,7 @@ public:
   }
 
   // Insert a new element, move constructing if possible.
+protected:
   template<class Item, typename ActualAlloc = Alloc>
   elem_type* InsertElementAt(index_type aIndex, Item&& aItem)
   {
@@ -1362,6 +1374,7 @@ public:
     elem_traits::Construct(elem, mozilla::Forward<Item>(aItem));
     return elem;
   }
+public:
 
   template<class Item>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1410,6 +1423,7 @@ public:
   // Inserts |aItem| at such an index to guarantee that if the array
   // was previously sorted, it will remain sorted after this
   // insertion.
+protected:
   template<class Item, class Comparator, typename ActualAlloc = Alloc>
   elem_type* InsertElementSorted(Item&& aItem, const Comparator& aComp)
   {
@@ -1417,6 +1431,7 @@ public:
     return InsertElementAt<Item, ActualAlloc>(
       index, mozilla::Forward<Item>(aItem));
   }
+public:
 
   template<class Item, class Comparator>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1428,6 +1443,7 @@ public:
   }
 
   // A variation on the InsertElementSorted method defined above.
+protected:
   template<class Item, typename ActualAlloc = Alloc>
   elem_type* InsertElementSorted(Item&& aItem)
   {
@@ -1435,6 +1451,7 @@ public:
     return InsertElementSorted<Item, decltype(comp), ActualAlloc>(
       mozilla::Forward<Item>(aItem), comp);
   }
+public:
 
   template<class Item>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1449,6 +1466,7 @@ public:
   // @param aArrayLen The number of elements to append to this array.
   // @return          A pointer to the new elements in the array, or null if
   //                  the operation failed due to insufficient memory.
+protected:
   template<class Item, typename ActualAlloc = Alloc>
   elem_type* AppendElements(const Item* aArray, size_type aArrayLen)
   {
@@ -1461,6 +1479,7 @@ public:
     this->IncrementLength(aArrayLen);
     return Elements() + len;
   }
+public:
 
   template<class Item>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1471,11 +1490,13 @@ public:
   }
 
   // A variation on the AppendElements method defined above.
+protected:
   template<class Item, class Allocator, typename ActualAlloc = Alloc>
   elem_type* AppendElements(const nsTArray_Impl<Item, Allocator>& aArray)
   {
     return AppendElements<Item, ActualAlloc>(aArray.Elements(), aArray.Length());
   }
+public:
 
   template<class Item, class Allocator>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1486,6 +1507,7 @@ public:
   }
 
   // Append a new element, move constructing if possible.
+protected:
   template<class Item, typename ActualAlloc = Alloc>
   elem_type* AppendElement(Item&& aItem)
   {
@@ -1498,6 +1520,7 @@ public:
     this->IncrementLength(1);
     return elem;
   }
+public:
 
   template<class Item>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -1510,6 +1533,7 @@ public:
   // Append new elements without copy-constructing. This is useful to avoid
   // temporaries.
   // @return A pointer to the newly appended elements, or null on OOM.
+protected:
   template<typename ActualAlloc = Alloc>
   elem_type* AppendElements(size_type aCount) {
     if (!ActualAlloc::Successful(this->template EnsureCapacity<ActualAlloc>(
@@ -1524,6 +1548,7 @@ public:
     this->IncrementLength(aCount);
     return elems;
   }
+public:
 
   /* MOZ_WARN_UNUSED_RESULT */
   elem_type* AppendElements(size_type aCount,
@@ -1535,11 +1560,13 @@ public:
   // Append a new element without copy-constructing. This is useful to avoid
   // temporaries.
   // @return A pointer to the newly appended element, or null on OOM.
+protected:
   template<typename ActualAlloc = Alloc>
   elem_type* AppendElement()
   {
     return AppendElements<ActualAlloc>(1);
   }
+public:
 
   /* MOZ_WARN_UNUSED_RESULT */
   elem_type* AppendElement(const mozilla::fallible_t&)
@@ -1661,12 +1688,14 @@ public:
   // will not reduce the number of elements in this array.
   // @param aCapacity The desired capacity of this array.
   // @return True if the operation succeeded; false if we ran out of memory
+protected:
   template<typename ActualAlloc = Alloc>
   typename ActualAlloc::ResultType SetCapacity(size_type aCapacity)
   {
     return ActualAlloc::Result(this->template EnsureCapacity<ActualAlloc>(
       aCapacity, sizeof(elem_type)));
   }
+public:
 
   /* MOZ_WARN_UNUSED_RESULT */
   bool SetCapacity(size_type aCapacity, const mozilla::fallible_t&)
@@ -1682,6 +1711,7 @@ public:
   // @return True if the operation succeeded; false otherwise.
   // See also TruncateLength if the new length is guaranteed to be smaller than
   // the old.
+protected:
   template<typename ActualAlloc = Alloc>
   typename ActualAlloc::ResultType SetLength(size_type aNewLen)
   {
@@ -1694,6 +1724,7 @@ public:
     TruncateLength(aNewLen);
     return ActualAlloc::ConvertBoolToResultType(true);
   }
+public:
 
   /* MOZ_WARN_UNUSED_RESULT */
   bool SetLength(size_type aNewLen, const mozilla::fallible_t&)
@@ -1721,6 +1752,7 @@ public:
   // constructor.
   // @param aMinLen The desired minimum length of this array.
   // @return True if the operation succeeded; false otherwise.
+protected:
   template<typename ActualAlloc = Alloc>
   typename ActualAlloc::ResultType EnsureLengthAtLeast(size_type aMinLen)
   {
@@ -1731,6 +1763,7 @@ public:
     }
     return ActualAlloc::ConvertBoolToResultType(true);
   }
+public:
 
   /* MOZ_WARN_UNUSED_RESULT */
   bool EnsureLengthAtLeast(size_type aMinLen, const mozilla::fallible_t&)
@@ -1743,6 +1776,7 @@ public:
   // @param aIndex the place to insert the new elements. This must be no
   //               greater than the current length of the array.
   // @param aCount the number of elements to insert
+protected:
   template<typename ActualAlloc = Alloc>
   elem_type* InsertElementsAt(index_type aIndex, size_type aCount)
   {
@@ -1761,6 +1795,7 @@ public:
 
     return Elements() + aIndex;
   }
+public:
 
   /* MOZ_WARN_UNUSED_RESULT */
   elem_type* InsertElementsAt(index_type aIndex, size_type aCount,
@@ -1776,6 +1811,7 @@ public:
   //               greater than the current length of the array.
   // @param aCount the number of elements to insert.
   // @param aItem the value to use when constructing the new elements.
+protected:
   template<class Item, typename ActualAlloc = Alloc>
   elem_type* InsertElementsAt(index_type aIndex, size_type aCount,
                               const Item& aItem)
@@ -1795,6 +1831,7 @@ public:
 
     return Elements() + aIndex;
   }
+public:
 
   template<class Item>
   /* MOZ_WARN_UNUSED_RESULT */
@@ -2049,6 +2086,17 @@ public:
     base_type::operator=(mozilla::Move(aOther));
     return *this;
   }
+
+  using base_type::AppendElement;
+  using base_type::AppendElements;
+  using base_type::EnsureLengthAtLeast;
+  using base_type::InsertElementAt;
+  using base_type::InsertElementsAt;
+  using base_type::InsertElementSorted;
+  using base_type::MoveElementsFrom;
+  using base_type::ReplaceElementsAt;
+  using base_type::SetCapacity;
+  using base_type::SetLength;
 };
 
 //
diff --git a/xpcom/glue/nsTHashtable.cpp b/xpcom/glue/nsTHashtable.cpp
deleted file mode 100644
index e02cd7d87149..000000000000
--- a/xpcom/glue/nsTHashtable.cpp
+++ /dev/null
@@ -1,16 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsTHashtable.h"
-
-PLDHashOperator
-PL_DHashStubEnumRemove(PLDHashTable*    aTable,
-                       PLDHashEntryHdr* aEntry,
-                       uint32_t         aOrdinal,
-                       void*            aUserarg)
-{
-  return PL_DHASH_REMOVE;
-}
diff --git a/xpcom/glue/nsTHashtable.h b/xpcom/glue/nsTHashtable.h
index 52becd39501a..9d97349fb620 100644
--- a/xpcom/glue/nsTHashtable.h
+++ b/xpcom/glue/nsTHashtable.h
@@ -19,13 +19,6 @@
 
 #include <new>
 
-// helper function for nsTHashtable::Clear()
-PLDHashOperator PL_DHashStubEnumRemove(PLDHashTable* aTable,
-                                       PLDHashEntryHdr* aEntry,
-                                       uint32_t aOrdinal,
-                                       void* aUserArg);
-
-
 /**
  * a base class for templated hashtables.
  *
@@ -211,11 +204,13 @@ public:
   }
 
   /**
-   * remove all entries, return hashtable to "pristine" state ;)
+   * Remove all entries, return hashtable to "pristine" state. It's
+   * conceptually the same as calling the destructor and then re-calling the
+   * constructor.
    */
   void Clear()
   {
-    PL_DHashTableEnumerate(&mTable, PL_DHashStubEnumRemove, nullptr);
+    mTable.Clear();
   }
 
   /**
diff --git a/xpcom/glue/objs.mozbuild b/xpcom/glue/objs.mozbuild
index 0b21f405e4c0..3c4f0d21723c 100644
--- a/xpcom/glue/objs.mozbuild
+++ b/xpcom/glue/objs.mozbuild
@@ -25,7 +25,6 @@ xpcom_glue_src_lcppsrcs = [
     'nsMemory.cpp',
     'nsQuickSort.cpp',
     'nsTArray.cpp',
-    'nsTHashtable.cpp',
     'nsThreadUtils.cpp',
     'nsTObserverArray.cpp',
     'nsVersionComparator.cpp',
diff --git a/xpcom/glue/pldhash.cpp b/xpcom/glue/pldhash.cpp
index c3c30745ecad..ac3f080d79f6 100644
--- a/xpcom/glue/pldhash.cpp
+++ b/xpcom/glue/pldhash.cpp
@@ -759,7 +759,7 @@ PLDHashTable::Enumerate(PLDHashEnumerator aEtor, void* aArg)
   char* entryAddr = mEntryStore;
   uint32_t capacity = Capacity();
   uint32_t tableSize = capacity * mEntrySize;
-  char* entryLimit = entryAddr + tableSize;
+  char* entryLimit = mEntryStore + tableSize;
   uint32_t i = 0;
   bool didRemove = false;
 
@@ -768,9 +768,6 @@ PLDHashTable::Enumerate(PLDHashEnumerator aEtor, void* aArg)
     // even more chaotic to iterate in fully random order, but that's a lot
     // more work.
     entryAddr += ChaosMode::randomUint32LessThan(capacity) * mEntrySize;
-    if (entryAddr >= entryLimit) {
-      entryAddr -= tableSize;
-    }
   }
 
   for (uint32_t e = 0; e < capacity; ++e) {
@@ -912,17 +909,12 @@ PLDHashTable::Iterator::Iterator(const PLDHashTable* aTable)
   // vary over the course of the for loop) are converted into mEntryOffset and
   // mEntryAddr, respectively.
   uint32_t capacity = mTable->Capacity();
-  uint32_t tableSize = capacity * mTable->EntrySize();
-  char* entryLimit = mEntryAddr + tableSize;
 
   if (ChaosMode::isActive(ChaosMode::HashTableIteration)) {
     // Start iterating at a random point in the hashtable. It would be
     // even more chaotic to iterate in fully random order, but that's a lot
     // more work.
     mEntryAddr += ChaosMode::randomUint32LessThan(capacity) * mTable->mEntrySize;
-    if (mEntryAddr >= entryLimit) {
-      mEntryAddr -= tableSize;
-    }
   }
 }
 
@@ -962,7 +954,7 @@ PLDHashTable::Iterator::NextEntry()
   // mEntryAddr, respectively.
   uint32_t capacity = mTable->Capacity();
   uint32_t tableSize = capacity * mTable->mEntrySize;
-  char* entryLimit = mEntryAddr + tableSize;
+  char* entryLimit = mTable->mEntryStore + tableSize;
 
   // Strictly speaking, we don't need to iterate over the full capacity each
   // time. However, it is simpler to do so rather than unnecessarily track the
diff --git a/xpcom/libxpcomrt/moz.build b/xpcom/libxpcomrt/moz.build
index 4179c3238b1d..4de8bb0eb06d 100644
--- a/xpcom/libxpcomrt/moz.build
+++ b/xpcom/libxpcomrt/moz.build
@@ -77,7 +77,6 @@ xpcom_glue_src = [
     'nsProxyRelease.cpp',
     'nsQuickSort.cpp',
     'nsTArray.cpp',
-    'nsTHashtable.cpp',
     'nsTObserverArray.cpp',
     'nsThreadUtils.cpp',
     'nsWeakReference.cpp',