bug 1255153 - (re)move redundant xpcshell name constraint tests to gtests r=Cykesiopka,jcj

MozReview-Commit-ID: 8eFSIhB1RId --HG-- extra : rebase_source : 63b147b8bdc9f2961b2f56723ac5baa0e2564684
2016-03-09 14:33:31 -08:00 · 2016-03-09 14:33:31 -08:00 · 61a9a234f8
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@ -5,6 +5,25 @@

 "use strict";

+// This test tests two specific items:
+// 1. Are name constraints properly enforced across the entire constructed
+// certificate chain? This makes use of a certificate hierarchy like so:
+//  - (trusted) root CA with permitted subtree dNSName example.com
+//  - intermediate CA with permitted subtree dNSName example.org
+//    a. end-entity with dNSNames example.com and example.org
+//       (the first entry is allowed by the root but not by the intermediate,
+//        and the second entry is allowed by the intermediate but not by the
+//        root)
+//    b. end-entity with dNSName example.com (not allowed by the intermediate)
+//    c. end-entity with dNSName examle.org (not allowed by the root)
+//    d. end-entity with dNSName example.test (not allowed by either)
+//  All of these cases should fail to verify with the error that the
+//  end-entity is not in the name space permitted by the hierarchy.
+//
+// 2. Are externally-imposed name constraints properly enforced? This makes use
+// of a certificate hierarchy rooted by a certificate with the same DN as an
+// existing hierarchy that has externally-imposed name constraints (DCISS).
+
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                 .getService(Ci.nsIX509CertDB);
@ -13,258 +32,32 @@ function certFromFile(name) {
  return constructCertFromFile(`test_name_constraints/${name}.pem`);
 }

-function load_cert(cert_name, trust_string) {
-  addCertFromFile(certdb, `test_name_constraints/${cert_name}.pem`, trust_string);
-  return certFromFile(cert_name);
+function loadCertWithTrust(certName, trustString) {
+  addCertFromFile(certdb, `test_name_constraints/${certName}.pem`,
+                  trustString);
 }

-function check_cert_err(cert, expected_error) {
-  checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
+function checkCertNotInNameSpace(cert) {
+  checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
+                        certificateUsageSSLServer);
 }

-function check_ok(x) {
-  return check_cert_err(x, PRErrorCodeSuccess);
-}
-
-function check_ok_ca (x) {
-  checkCertErrorGeneric(certdb, x, PRErrorCodeSuccess, certificateUsageSSLCA);
-}
-
-function check_fail(x) {
-  return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
-}
-
-function check_fail_ca(x) {
-  checkCertErrorGeneric(certdb, x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
-                        certificateUsageSSLCA);
+function checkCertInNameSpace(cert) {
+  checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
+                        certificateUsageSSLServer);
 }

 function run_test() {
-  load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
-  load_cert("ca-nc", "CTu,CTu,CTu");
+  // Test that name constraints from the entire certificate chain are enforced.
+  loadCertWithTrust("ca-example-com-permitted", "CTu,,");
+  loadCertWithTrust("int-example-org-permitted", ",,");
+  checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
+  checkCertNotInNameSpace(certFromFile("ee-example-com"));
+  checkCertNotInNameSpace(certFromFile("ee-example-org"));
+  checkCertNotInNameSpace(certFromFile("ee-example-test"));

-  // Note that CN is only looked at when there is NO subjectAltName!
-
-  // Testing with a unconstrained root, and intermediate constrained to PERMIT
-  // foo.com. All failures on this section are doe to the cert DNS names
-  // not being under foo.com.
-  check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
-  // no dirName
-  check_ok(certFromFile('cn-www.foo.com-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
-  // multiple subjectAltnames
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc'));
-  // C=US O=bar
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
-  // multiple subjectAltnames
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc'));
-
-  // Testing with an unconstrained root and intermediate constrained to
-  // EXCLUDE DNS:example.com. All failures on this section are due to the cert
-  // DNS names containing example.com. The dirname does not affect evaluation.
-  check_ok_ca(load_cert('int-nc-excl-foo.com-ca-nc', ',,'));
-  // no dirName
-  check_fail(certFromFile('cn-www.foo.com-int-nc-excl-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org-int-nc-excl-foo.com-ca-nc'));
-  // notice that since the name constrains apply to the dns name the cn is not
-  // evaluated in the case where a subjectAltName exists. Thus the next case is
-  // correctly passing.
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
-  // multiple subjectAltnames
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc'));
-  // C=US O=bar
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc'));
-
-  // Testing with an unconstrained root, and intermediate constrained to
-  // permitting dirName:C=US. All failures on this section are due to cert
-  // name not being C=US.
-  check_ok_ca(load_cert('int-nc-c-us-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc'));
-
-  // Testing with an unconstrained root, and intermediate constrained to
-  // permitting dirNAME:C=US that issues an intermediate name constrained to
-  // permitting DNS:foo.com. Checks for inheritance and intersection of
-  // different name constraints.
-  check_ok_ca(load_cert('int-nc-foo.com-int-nc-c-us-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc'));
-
-  // Testing on a non constrainted root an intermediate name contrainted to
-  // permited dirNAME:C=US and  permited DNS:foo.com
-  // checks for compostability of different name constraints with same cert
-  check_ok_ca(load_cert('int-nc-perm-foo.com_c-us-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
-  // next check is ok as there is an altname and thus the name constraints do
-  // not apply to the common name
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc'));
-
-  // Testing on an unconstrained root and an intermediate name constrained to
-  // permitted dirNAME: C=UK all but the intermeduate should fail because they
-  // dont have C=UK (missing or C=US)
-  check_ok_ca(load_cert('int-nc-perm-c-uk-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc'));
-
-  // Testing on an unconstrained root and an intermediate name constrained to
-  // permitted dirNAME: C=UK and an unconstrained intermediate that contains
-  // dirNAME C=US. EE and and Intermediates should fail
-  check_fail_ca(load_cert('int-c-us-int-nc-perm-c-uk-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc'));
-
-  // Testing on an unconstrained root and an intermediate name constrained to
-  // permitted DNS: foo.com and permitted: DNS: a.us
-  check_ok_ca(load_cert('int-nc-foo.com_a.us', ',,'));
-  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us'));
-
-  // Testing on an unconstrained root and an intermediate name constrained to
-  // permitted DNS: foo.com and permitted: DNS:a.us that issues an intermediate
-  // permitted DNS: foo.com .
-  // Goal is to ensure that the stricter (inner) name constraint is enforced.
-  // The multi-subject alt should fail and is the difference from the sets of
-  // tests above.
-  check_ok_ca(load_cert('int-nc-foo.com-int-nc-foo.com_a.us', ',,'));
-  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us'));
-
-  // Testing on a root name constrainted to DNS:foo.com and an unconstrained
-  // intermediate.
-  // Checks that root constraints are enforced.
-  check_ok_ca(load_cert('int-ca-nc-perm-foo.com', ',,'));
-  check_ok(certFromFile('cn-www.foo.com-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.org-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com'));
-
-  // We don't enforce dNSName name constraints on CN unless we're validating
-  // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
-  // NSS get it right.
-  {
-    let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc');
-    checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
-                          certificateUsageSSLServer);
-    checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
-                          certificateUsageSSLClient);
-  }
-
-  // DCISS tests
-  // The certs used here were generated by the NSS test suite and are
-  // originally located as security/nss/tests/libpkix/cert/
-  load_cert("dciss", "C,C,C");
-  check_ok(certFromFile('NameConstraints.dcissallowed'));
-  check_fail(certFromFile('NameConstraints.dcissblocked'));
+  // Test that externally-imposed name constraints are enforced (DCISS tests).
+  loadCertWithTrust("dciss", "CTu,,");
+  checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
+  checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
 }
--- a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec
@ -0,0 +1,5 @@
+issuer:ca-example-com-permitted
+subject:ca-example-com-permitted
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:example.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-nc-perm-foo.com.pem.certspec
@ -1,5 +0,0 @@
-issuer:ca-nc-perm-foo.com
-subject:ca-nc-perm-foo.com
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
-extension:nameConstraints:permitted:foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-nc.pem.certspec
@ -1,4 +0,0 @@
-issuer:ca-nc
-subject:ca-nc
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-ca-nc-perm-foo.com.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
--- a/Показать больше
+++ b/Показать больше