зеркало из https://github.com/mozilla/gecko-dev.git
bug 1290613 - test_ev_certs.js cleanup r=Cykesiopka,mgoodwin
MozReview-Commit-ID: KcCV161J3qV --HG-- rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec rename : security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem => security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem rename : security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec rename : security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem rename : security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec rename : security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem rename : security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec rename : 
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key.keyspec => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec extra : rebase_source : 4a84a44616a396ae484550fcfcaf0df5e533dd51
Родитель
dcd144713e
Коммит
abc60241f8
|
@ -1523,7 +1523,6 @@ VerifyCertAtTime(nsIX509Cert* aCert,
|
|||
}
|
||||
*_retval = 0;
|
||||
} else {
|
||||
NS_ENSURE_TRUE(evOidPolicy == SEC_OID_UNKNOWN, NS_ERROR_FAILURE);
|
||||
NS_ENSURE_TRUE(error != 0, NS_ERROR_FAILURE);
|
||||
*_retval = error;
|
||||
}
|
||||
|
|
|
@ -563,6 +563,10 @@ function getFailingHttpServer(serverPort, serverIdentities) {
|
|||
// expectedCertNames is an array of nicks of the certs to be responsed
|
||||
// expectedBasePaths is an optional array that is used to indicate
|
||||
// what is the expected base path of the OCSP request.
|
||||
// expectedMethods is an optional array of methods ("GET" or "POST") indicating
|
||||
// by which HTTP method the server is expected to be queried.
|
||||
// expectedResponseTypes is an optional array of OCSP response types to use (see
|
||||
// GenerateOCSPResponse.cpp).
|
||||
function startOCSPResponder(serverPort, identity, nssDBLocation,
|
||||
expectedCertNames, expectedBasePaths,
|
||||
expectedMethods, expectedResponseTypes) {
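Review bot: The added comment for `expectedResponseTypes` does not say how its entries line up with `expectedCertNames`, nor what the responder sends when the argument is omitted. Callers elsewhere in this commit depend on both: `asyncTestEV` passes `undefined` by default, and `verifyWithDifferentOCSPResponseTypes` drops the first entry with `responses.slice(1)` when no intermediate request is expected. I would add a line such as `// Entries are matched by index with expectedCertNames; if omitted, the default response type is used.` The body of startOCSPResponder lies outside this hunk, so that wording should be checked against it before landing.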
|
||||
|
|
|
@ -5,31 +5,39 @@
|
|||
|
||||
"use strict";
|
||||
|
||||
// Tests that end-entity certificates that should successfully verify as EV
|
||||
// (Extended Validation) do so and that end-entity certificates that should not
|
||||
// successfully verify as EV do not. Also tests related situations (e.g. that
|
||||
// failure to fetch an OCSP response results in no EV treatment).
|
||||
//
|
||||
// A quick note about the certificates in these tests: generally, an EV
|
||||
// certificate chain will have an end-entity with a specific policy OID followed
|
||||
// by an intermediate with the anyPolicy OID chaining to a root with no policy
|
||||
// OID (since it's a trust anchor, it can be omitted). In these tests, the
|
||||
// specific policy OID is 1.3.6.1.4.1.13769.666.666.666.1.500.9.1 and is
|
||||
// referred to as the test OID. In order to reflect what will commonly be
|
||||
// encountered, the end-entity of any given test path will have the test OID
|
||||
// unless otherwise specified in the name of the test path. Similarly, the
|
||||
// intermediate will have the anyPolicy OID, again unless otherwise specified.
|
||||
// For example, for the path where the end-entity does not have an OCSP URI
|
||||
// (referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID
|
||||
// whereas the intermediate has the anyPolicy OID.
|
||||
// For another example, for the test OID path ("test-oid-path-{ee,int}"), both
|
||||
// the end-entity and the intermediate have the test OID.
|
||||
|
||||
do_get_profile(); // must be called before getting nsIX509CertDB
|
||||
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
|
||||
.getService(Ci.nsIX509CertDB);
|
||||
|
||||
const evrootnick = "evroot";
|
||||
do_register_cleanup(() => {
|
||||
Services.prefs.clearUserPref("network.dns.localDomains");
|
||||
Services.prefs.clearUserPref("security.OCSP.enabled");
|
||||
});
|
||||
|
||||
// This is the list of certificates needed for the test
|
||||
// The certificates prefixed by 'int-' are intermediates
|
||||
var certList = [
|
||||
// Test for successful EV validation
|
||||
'int-ev-valid',
|
||||
'ev-valid',
|
||||
'ev-valid-anypolicy-int',
|
||||
'int-ev-valid-anypolicy-int',
|
||||
'no-ocsp-url-cert', // a cert signed by the EV auth that has no OCSP url
|
||||
// but that contains a valid CRLDP.
|
||||
|
||||
// Testing a root that looks like EV but is not EV enabled
|
||||
'int-non-ev-root',
|
||||
'non-ev-root',
|
||||
];
|
||||
|
||||
function load_ca(ca_name) {
|
||||
addCertFromFile(certdb, `test_ev_certs/${ca_name}.pem`, "CTu,CTu,CTu");
|
||||
}
|
||||
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
|
||||
Services.prefs.setIntPref("security.OCSP.enabled", 1);
|
||||
addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,");
|
||||
addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,");
|
||||
|
||||
const SERVER_PORT = 8888;
|
||||
|
||||
|
@ -37,302 +45,294 @@ function failingOCSPResponder() {
|
|||
return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
|
||||
}
|
||||
|
||||
function start_ocsp_responder(expectedCertNames) {
|
||||
let expectedPaths = expectedCertNames.slice();
|
||||
return startOCSPResponder(SERVER_PORT, "www.example.com", "test_ev_certs",
|
||||
expectedCertNames, expectedPaths);
|
||||
}
|
||||
|
||||
function check_cert_err(cert_name, expected_error) {
|
||||
let cert = certdb.findCertByNickname(cert_name);
|
||||
checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
|
||||
}
|
||||
|
||||
|
||||
function check_ee_for_ev(cert_name, expected_ev) {
|
||||
let cert = certdb.findCertByNickname(cert_name);
|
||||
checkEVStatus(certdb, cert, certificateUsageSSLServer, expected_ev);
|
||||
}
|
||||
|
||||
function run_test() {
|
||||
for (let i = 0 ; i < certList.length; i++) {
|
||||
let cert_filename = certList[i] + ".pem";
|
||||
addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
|
||||
class EVCertVerificationResult {
|
||||
constructor(testcase, expectedPRErrorCode, expectedEV, resolve,
|
||||
ocspResponder) {
|
||||
this.testcase = testcase;
|
||||
this.expectedPRErrorCode = expectedPRErrorCode;
|
||||
this.expectedEV = expectedEV;
|
||||
this.resolve = resolve;
|
||||
this.ocspResponder = ocspResponder;
|
||||
}
|
||||
load_ca("evroot");
|
||||
load_ca("non-evroot-ca");
|
||||
|
||||
// setup and start ocsp responder
|
||||
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
|
||||
Services.prefs.setIntPref("security.OCSP.enabled", 1);
|
||||
verifyCertFinished(prErrorCode, verifiedChain, hasEVPolicy) {
|
||||
equal(prErrorCode, this.expectedPRErrorCode,
|
||||
`${this.testcase} should have expected error code`);
|
||||
equal(hasEVPolicy, this.expectedEV,
|
||||
`${this.testcase} should result in expected EV status`);
|
||||
this.ocspResponder.stop(this.resolve);
|
||||
}
|
||||
}
|
||||
|
||||
add_test(function () {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = start_ocsp_responder(
|
||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
||||
: ["ev-valid"]);
|
||||
check_ee_for_ev("ev-valid", gEVExpected);
|
||||
ocspResponder.stop(run_next_test);
|
||||
function asyncTestEV(cert, expectedPRErrorCode, expectedEV,
|
||||
expectedOCSPRequestPaths, ocspResponseTypes = undefined)
|
||||
{
|
||||
let now = Date.now() / 1000;
|
||||
return new Promise((resolve, reject) => {
|
||||
let ocspResponder = expectedOCSPRequestPaths.length > 0
|
||||
? startOCSPResponder(SERVER_PORT, "www.example.com",
|
||||
"test_ev_certs",
|
||||
expectedOCSPRequestPaths,
|
||||
expectedOCSPRequestPaths.slice(),
|
||||
null, ocspResponseTypes)
|
||||
: failingOCSPResponder();
|
||||
let result = new EVCertVerificationResult(cert.subjectName,
|
||||
expectedPRErrorCode, expectedEV,
|
||||
resolve, ocspResponder);
|
||||
certdb.asyncVerifyCertAtTime(cert, certificateUsageSSLServer, 0,
|
||||
"ev-test.example.com", now, result);
|
||||
});
|
||||
}
|
||||
|
||||
add_test(function () {
|
||||
clearOCSPCache();
|
||||
function ensureVerifiesAsEV(testcase) {
|
||||
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||
let expectedOCSPRequestPaths = gEVExpected
|
||||
? [ `${testcase}-int`, `${testcase}-ee` ]
|
||||
: [ `${testcase}-ee` ];
|
||||
return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected,
|
||||
expectedOCSPRequestPaths);
|
||||
}
|
||||
|
||||
let ocspResponder = start_ocsp_responder(
|
||||
gEVExpected ? ["int-ev-valid-anypolicy-int", "ev-valid-anypolicy-int"]
|
||||
: ["ev-valid-anypolicy-int"]);
|
||||
check_ee_for_ev("ev-valid-anypolicy-int", gEVExpected);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
function ensureVerifiesAsEVWithNoOCSPRequests(testcase) {
|
||||
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||
return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected, []);
|
||||
}
|
||||
|
||||
add_test(function() {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = start_ocsp_responder(["non-ev-root"]);
|
||||
check_ee_for_ev("non-ev-root", false);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
function ensureVerifiesAsDV(testcase, expectedOCSPRequestPaths = undefined) {
|
||||
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||
return asyncTestEV(cert, PRErrorCodeSuccess, false,
|
||||
expectedOCSPRequestPaths ? expectedOCSPRequestPaths
|
||||
: [ `${testcase}-ee` ]);
|
||||
}
|
||||
|
||||
add_test(function() {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = gEVExpected ? start_ocsp_responder(["int-ev-valid"])
|
||||
: failingOCSPResponder();
|
||||
check_ee_for_ev("no-ocsp-url-cert", false);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
function ensureVerificationFails(testcase, expectedPRErrorCode) {
|
||||
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||
return asyncTestEV(cert, expectedPRErrorCode, false, []);
|
||||
}
|
||||
|
||||
// bug 917380: Check that explicitly removing trust from an EV root actually
|
||||
// causes the root to be untrusted.
|
||||
const nsIX509Cert = Ci.nsIX509Cert;
|
||||
add_test(function() {
|
||||
let evRootCA = certdb.findCertByNickname(evrootnick);
|
||||
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
|
||||
|
||||
clearOCSPCache();
|
||||
function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) {
|
||||
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||
let now = Date.now() / 1000;
|
||||
let expectedErrorCode = SEC_ERROR_POLICY_VALIDATION_FAILED;
|
||||
if (expectSuccess && gEVExpected) {
|
||||
expectedErrorCode = PRErrorCodeSuccess;
|
||||
}
|
||||
return new Promise((resolve, reject) => {
|
||||
let ocspResponder = failingOCSPResponder();
|
||||
check_cert_err("ev-valid", SEC_ERROR_UNKNOWN_ISSUER);
|
||||
ocspResponder.stop(run_next_test);
|
||||
let result = new EVCertVerificationResult(
|
||||
cert.subjectName, expectedErrorCode, expectSuccess && gEVExpected,
|
||||
resolve, ocspResponder);
|
||||
let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
|
||||
Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
|
||||
certdb.asyncVerifyCertAtTime(cert, certificateUsageSSLServer, flags,
|
||||
"ev-test.example.com", now, result);
|
||||
});
|
||||
|
||||
// bug 917380: Check that a trusted EV root is trusted after disabling and
|
||||
// re-enabling trust.
|
||||
add_test(function() {
|
||||
let evRootCA = certdb.findCertByNickname(evrootnick);
|
||||
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_SSL |
|
||||
Ci.nsIX509CertDB.TRUSTED_EMAIL |
|
||||
Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
|
||||
|
||||
clearOCSPCache();
|
||||
let ocspResponder = start_ocsp_responder(
|
||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
||||
: ["ev-valid"]);
|
||||
check_ee_for_ev("ev-valid", gEVExpected);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
add_test(function () {
|
||||
check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED);
|
||||
});
|
||||
|
||||
add_test(function () {
|
||||
check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
|
||||
});
|
||||
|
||||
add_test(function () {
|
||||
check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
|
||||
});
|
||||
|
||||
// Check OneCRL OCSP request skipping works correctly
|
||||
add_test(function () {
|
||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
|
||||
// set the blocklist-background-update-timer value to the recent past
|
||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
clearOCSPCache();
|
||||
// the intermediate should not have an associated OCSP request
|
||||
let ocspResponder = start_ocsp_responder(["ev-valid"]);
|
||||
check_ee_for_ev("ev-valid", gEVExpected);
|
||||
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
add_test(function () {
|
||||
// disable OneCRL OCSP Skipping (no staleness allowed)
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
|
||||
clearOCSPCache();
|
||||
let ocspResponder = start_ocsp_responder(
|
||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
||||
: ["ev-valid"]);
|
||||
check_ee_for_ev("ev-valid", gEVExpected);
|
||||
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
add_test(function () {
|
||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
|
||||
// set the blocklist-background-update-timer value to the more distant past
|
||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||
Math.floor(Date.now() / 1000) - 108080);
|
||||
Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||
Math.floor(Date.now() / 1000) - 108080);
|
||||
clearOCSPCache();
|
||||
let ocspResponder = start_ocsp_responder(
|
||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
||||
: ["ev-valid"]);
|
||||
check_ee_for_ev("ev-valid", gEVExpected);
|
||||
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
add_test(function () {
|
||||
// test that setting "security.onecrl.via.amo" results in the correct
|
||||
// OCSP behavior when services.blocklist.onecrl.checked is in the distant past
|
||||
// and blacklist-background-update-timer is recent
|
||||
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
|
||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
|
||||
// set the blocklist-background-update-timer value to the recent past
|
||||
// (services.blocklist.onecrl.checked defaults to 0)
|
||||
Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
clearOCSPCache();
|
||||
// the intermediate should have an associated OCSP request
|
||||
let ocspResponder = start_ocsp_responder(
|
||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
||||
: ["ev-valid"]);
|
||||
check_ee_for_ev("ev-valid", gEVExpected);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
add_test(function () {
|
||||
// test that setting "security.onecrl.via.amo" results in the correct
|
||||
// OCSP behavior when services.blocklist.onecrl.checked is recent
|
||||
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
|
||||
|
||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
|
||||
|
||||
// now set services.blocklist.onecrl.checked to a recent value
|
||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
|
||||
clearOCSPCache();
|
||||
// the intermediate should not have an associated OCSP request
|
||||
let ocspResponder = start_ocsp_responder(["ev-valid"]);
|
||||
check_ee_for_ev("ev-valid", gEVExpected);
|
||||
// The tests following this assume no OCSP bypass
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
|
||||
Services.prefs.clearUserPref("security.onecrl.via.amo");
|
||||
Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
// Test the EV continues to work with flags after successful EV verification
|
||||
add_test(function () {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = start_ocsp_responder(
|
||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
||||
: ["ev-valid"]);
|
||||
check_ee_for_ev("ev-valid", gEVExpected);
|
||||
ocspResponder.stop(function () {
|
||||
// without net it must be able to EV verify
|
||||
let failingOcspResponder = failingOCSPResponder();
|
||||
let cert = certdb.findCertByNickname("ev-valid");
|
||||
let hasEVPolicy = {};
|
||||
let verifiedChain = {};
|
||||
let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
|
||||
Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
|
||||
|
||||
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags,
|
||||
null, verifiedChain, hasEVPolicy);
|
||||
equal(hasEVPolicy.value, gEVExpected,
|
||||
"Actual and expected EV status should match for local only EV");
|
||||
equal(error,
|
||||
gEVExpected ? PRErrorCodeSuccess : SEC_ERROR_POLICY_VALIDATION_FAILED,
|
||||
"Actual and expected error code should match for local only EV");
|
||||
failingOcspResponder.stop(run_next_test);
|
||||
});
|
||||
});
|
||||
|
||||
// Bug 991815 old but valid intermediates are OK
|
||||
add_test(function () {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
|
||||
"test_ev_certs",
|
||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
||||
: ["ev-valid"],
|
||||
[], [],
|
||||
gEVExpected ? ["longvalidityalmostold", "good"]
|
||||
: ["good"]);
|
||||
check_ee_for_ev("ev-valid", gEVExpected);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
// Bug 991815 old but valid end-entities are NOT OK for EV
|
||||
// Unfortunately because of soft-fail we consider these OK for DV.
|
||||
add_test(function () {
|
||||
clearOCSPCache();
|
||||
// Since Mozilla::pkix does not consider the old almost invalid OCSP
|
||||
// response valid, it does not cache the old response and thus
|
||||
// makes a separate request for DV
|
||||
let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
|
||||
let debugResponseArray = ["good", "longvalidityalmostold",
|
||||
"longvalidityalmostold"];
|
||||
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
|
||||
"test_ev_certs",
|
||||
gEVExpected ? debugCertNickArray : ["ev-valid"],
|
||||
[], [],
|
||||
gEVExpected ? debugResponseArray
|
||||
: ["longvalidityalmostold"]);
|
||||
check_ee_for_ev("ev-valid", false);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
// Bug 991815 Valid but Ancient (almost two year old) responses are Not OK for
|
||||
// EV (still OK for soft fail DV)
|
||||
add_test(function () {
|
||||
clearOCSPCache();
|
||||
let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
|
||||
let debugResponseArray = ["good", "ancientstillvalid",
|
||||
"ancientstillvalid"];
|
||||
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
|
||||
"test_ev_certs",
|
||||
gEVExpected ? debugCertNickArray : ["ev-valid"],
|
||||
[], [],
|
||||
gEVExpected ? debugResponseArray
|
||||
: ["ancientstillvalid"]);
|
||||
check_ee_for_ev("ev-valid", false);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
run_next_test();
|
||||
}
|
||||
|
||||
// bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
|
||||
// to prevent spurious OCSP requests that race with OCSP stapling.
|
||||
// This has the side-effect of saying an EV certificate is not EV if
|
||||
// it hasn't already been verified (e.g. on the verification thread when
|
||||
// connecting to a site).
|
||||
// This flag is mostly a hack that should be removed once FLAG_LOCAL_ONLY
|
||||
// works as intended.
|
||||
function check_no_ocsp_requests(cert_name, expected_error) {
|
||||
function ensureNoOCSPMeansNoEV(testcase) {
|
||||
return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, false);
|
||||
}
|
||||
|
||||
function ensureVerifiesAsEVWithFLAG_LOCAL_ONLY(testcase) {
|
||||
return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, true);
|
||||
}
|
||||
|
||||
function ensureOneCRLSkipsOCSPForIntermediates(testcase) {
|
||||
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||
return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected,
|
||||
[ `${testcase}-ee` ]);
|
||||
}
|
||||
|
||||
function verifyWithDifferentOCSPResponseTypes(testcase, responses, expectEV) {
|
||||
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||
let expectedOCSPRequestPaths = gEVExpected
|
||||
? [ `${testcase}-int`, `${testcase}-ee` ]
|
||||
: [ `${testcase}-ee` ];
|
||||
let ocspResponseTypes = gEVExpected ? responses : responses.slice(1);
|
||||
return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected && expectEV,
|
||||
expectedOCSPRequestPaths, ocspResponseTypes);
|
||||
}
|
||||
|
||||
function ensureVerifiesAsEVWithOldIntermediateOCSPResponse(testcase) {
|
||||
return verifyWithDifferentOCSPResponseTypes(
|
||||
testcase, [ "longvalidityalmostold", "good" ], true);
|
||||
}
|
||||
|
||||
function ensureVerifiesAsDVWithOldEndEntityOCSPResponse(testcase) {
|
||||
return verifyWithDifferentOCSPResponseTypes(
|
||||
testcase, [ "good", "longvalidityalmostold" ], false);
|
||||
}
|
||||
|
||||
function ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(testcase) {
|
||||
return verifyWithDifferentOCSPResponseTypes(
|
||||
testcase, [ "good", "ancientstillvalid" ], false);
|
||||
}
|
||||
|
||||
// These should all verify as EV.
|
||||
add_task(function* plainExpectSuccessEVTests() {
|
||||
yield ensureVerifiesAsEV("anyPolicy-int-path");
|
||||
yield ensureVerifiesAsEV("test-oid-path");
|
||||
});
|
||||
|
||||
// These fail for various reasons to verify as EV, but fallback to DV should
|
||||
// succeed.
|
||||
add_task(function* expectDVFallbackTests() {
|
||||
yield ensureVerifiesAsDV("anyPolicy-ee-path");
|
||||
yield ensureVerifiesAsDV("non-ev-root-path");
|
||||
yield ensureVerifiesAsDV("no-ocsp-ee-path",
|
||||
gEVExpected ? [ "no-ocsp-ee-path-int" ] : []);
|
||||
yield ensureVerifiesAsDV("no-ocsp-int-path");
|
||||
});
|
||||
|
||||
// Test that removing the trust bits from an EV root causes verifications
|
||||
// relying on that root to fail (and then test that adding back the trust bits
|
||||
// causes the verifications to succeed again).
|
||||
add_task(function* evRootTrustTests() {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = failingOCSPResponder();
|
||||
let cert = certdb.findCertByNickname(cert_name);
|
||||
let hasEVPolicy = {};
|
||||
let verifiedChain = {};
|
||||
let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
|
||||
Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
|
||||
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags,
|
||||
null, verifiedChain, hasEVPolicy);
|
||||
// Since we're not doing OCSP requests, no certificate will be EV.
|
||||
equal(hasEVPolicy.value, false,
|
||||
"EV status should be false when not doing OCSP requests");
|
||||
equal(error, expected_error,
|
||||
"Actual and expected error should match when not doing OCSP requests");
|
||||
ocspResponder.stop(run_next_test);
|
||||
}
|
||||
let evroot = certdb.findCertByNickname("evroot");
|
||||
do_print("untrusting evroot");
|
||||
certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.UNTRUSTED);
|
||||
yield ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER);
|
||||
do_print("re-trusting evroot");
|
||||
certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_SSL);
|
||||
yield ensureVerifiesAsEV("test-oid-path");
|
||||
});
|
||||
|
||||
// Test that if FLAG_LOCAL_ONLY and FLAG_MUST_BE_EV are specified, that no OCSP
|
||||
// requests are made (this also means that nothing will verify as EV).
|
||||
add_task(function* localOnlyMustBeEVTests() {
|
||||
clearOCSPCache();
|
||||
yield ensureNoOCSPMeansNoEV("anyPolicy-ee-path");
|
||||
yield ensureNoOCSPMeansNoEV("anyPolicy-int-path");
|
||||
yield ensureNoOCSPMeansNoEV("non-ev-root-path");
|
||||
yield ensureNoOCSPMeansNoEV("no-ocsp-ee-path");
|
||||
yield ensureNoOCSPMeansNoEV("no-ocsp-int-path");
|
||||
yield ensureNoOCSPMeansNoEV("test-oid-path");
|
||||
});
|
||||
|
||||
|
||||
// Under certain conditions, OneCRL allows us to skip OCSP requests for
|
||||
// intermediates.
|
||||
add_task(function* oneCRLTests() {
|
||||
clearOCSPCache();
|
||||
|
||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||
108000);
|
||||
// set the blocklist-background-update-timer value to the recent past
|
||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
Services.prefs.setIntPref(
|
||||
"app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
|
||||
yield ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
|
||||
yield ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
|
||||
yield ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
|
||||
|
||||
clearOCSPCache();
|
||||
// disable OneCRL OCSP Skipping (no staleness allowed)
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
|
||||
yield ensureVerifiesAsEV("anyPolicy-int-path");
|
||||
// Because the intermediate in this case is missing an OCSP URI, it will not
|
||||
// validate as EV, but it should fall back to DV.
|
||||
yield ensureVerifiesAsDV("no-ocsp-int-path");
|
||||
yield ensureVerifiesAsEV("test-oid-path");
|
||||
|
||||
clearOCSPCache();
|
||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||
108000);
|
||||
// set the blocklist-background-update-timer value to the more distant past
|
||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||
Math.floor(Date.now() / 1000) - 108080);
|
||||
Services.prefs.setIntPref(
|
||||
"app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||
Math.floor(Date.now() / 1000) - 108080);
|
||||
yield ensureVerifiesAsEV("anyPolicy-int-path");
|
||||
yield ensureVerifiesAsDV("no-ocsp-int-path");
|
||||
yield ensureVerifiesAsEV("test-oid-path");
|
||||
|
||||
clearOCSPCache();
|
||||
// test that setting "security.onecrl.via.amo" results in the correct
|
||||
// OCSP behavior when services.blocklist.onecrl.checked is in the distant past
|
||||
// and blacklist-background-update-timer is recent
|
||||
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
|
||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||
108000);
|
||||
// set the blocklist-background-update-timer value to the recent past
|
||||
// (services.blocklist.onecrl.checked defaults to 0)
|
||||
Services.prefs.setIntPref(
|
||||
"app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
|
||||
yield ensureVerifiesAsEV("anyPolicy-int-path");
|
||||
yield ensureVerifiesAsDV("no-ocsp-int-path");
|
||||
yield ensureVerifiesAsEV("test-oid-path");
|
||||
|
||||
clearOCSPCache();
|
||||
// test that setting "security.onecrl.via.amo" results in the correct
|
||||
// OCSP behavior when services.blocklist.onecrl.checked is recent
|
||||
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
|
||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||
108000);
|
||||
// now set services.blocklist.onecrl.checked to a recent value
|
||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
yield ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
|
||||
yield ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
|
||||
yield ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
|
||||
|
||||
Services.prefs.clearUserPref("security.onecrl.via.amo");
|
||||
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
|
||||
Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
|
||||
Services.prefs.clearUserPref(
|
||||
"app.update.lastUpdateTime.blocklist-background-update-timer");
|
||||
});
|
||||
|
||||
// Prime the OCSP cache and then ensure that we can validate certificates as EV
|
||||
// without hitting the network. There's two cases here: one where we simply
|
||||
// validate like normal and then check that the network was never accessed and
|
||||
// another where we use flags to mandate that the network not be used.
|
||||
add_task(function* ocspCachingTests() {
|
||||
clearOCSPCache();
|
||||
|
||||
yield ensureVerifiesAsEV("anyPolicy-int-path");
|
||||
yield ensureVerifiesAsEV("test-oid-path");
|
||||
|
||||
yield ensureVerifiesAsEVWithNoOCSPRequests("anyPolicy-int-path");
|
||||
yield ensureVerifiesAsEVWithNoOCSPRequests("test-oid-path");
|
||||
|
||||
yield ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("anyPolicy-int-path");
|
||||
yield ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("test-oid-path");
|
||||
});
|
||||
|
||||
// Old-but-still-valid OCSP responses are accepted for intermediates but not
|
||||
// end-entity certificates (because of OCSP soft-fail this results in DV
|
||||
// fallback).
|
||||
add_task(function* oldOCSPResponseTests() {
|
||||
clearOCSPCache();
|
||||
|
||||
yield ensureVerifiesAsEVWithOldIntermediateOCSPResponse("anyPolicy-int-path");
|
||||
yield ensureVerifiesAsEVWithOldIntermediateOCSPResponse("test-oid-path");
|
||||
|
||||
clearOCSPCache();
|
||||
yield ensureVerifiesAsDVWithOldEndEntityOCSPResponse("anyPolicy-int-path");
|
||||
yield ensureVerifiesAsDVWithOldEndEntityOCSPResponse("test-oid-path");
|
||||
|
||||
clearOCSPCache();
|
||||
yield ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(
|
||||
"anyPolicy-int-path");
|
||||
yield ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse("test-oid-path");
|
||||
});
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDUzCCAj2gAwIBAgIUE20vV8zM9OXxDcXIQL8GFm0SKrgwCwYJKoZIhvcNAQEL
|
||||
MCAxHjAcBgNVBAMMFWFueVBvbGljeS1lZS1wYXRoLWludDAiGA8yMDE0MTEyNzAw
|
||||
MDAwMFoYDzIwMTcwMjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRhbnlQb2xpY3ktZWUt
|
||||
cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
|
||||
Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
|
||||
cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
|
||||
AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
|
||||
ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
|
||||
s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
|
||||
A6zaGAo17Y0CAwEAAaOBhTCBgjBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGG
|
||||
MWh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQb2xpY3ktZWUtcGF0aC1l
|
||||
ZS8wEQYDVR0gBAowCDAGBgRVHSAAMB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhhbXBs
|
||||
ZS5jb20wCwYJKoZIhvcNAQELA4IBAQAiyZHRImgu1XH/X6KY6duEjEP8hPvIc+Vw
|
||||
Vyej3Aaa9NjWpDrO0eCm+08msuiOOYdnTvfudbyDorWY6D8jbTy3re6MLaY+GFY7
|
||||
9E18zdDk4t4Ssg1O1ous7MGfKKygNQ0eTB4aJH83jWjfpmNTvXggkA7Zp1SfOVv+
|
||||
2OMv066Vwewafrr1pgKl8IuSdTjCpaqCMzZDZf4cwL9tdadF1k9NqjInrinlUI+9
|
||||
nbb0WLL3fttvFGsee370t9Q+GRNd1S8nGuxpcXq4Yo51MDRk+HwjPPSBowfg+Tki
|
||||
Pk6RSND8FSjn22A+JUNT8u6MnNUOj4wh0N8RzEEQEW6GADH5hZdS
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
|||
issuer:anyPolicy-ee-path-int
|
||||
subject:anyPolicy-ee-path-ee
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-ee/
|
||||
extension:certificatePolicies:any
|
||||
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,20 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDQDCCAiqgAwIBAgIUI2XRNlfIQthAhAOq8dL98Ifp8wMwCwYJKoZIhvcNAQEL
|
||||
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||
MDAwMDAwWjAgMR4wHAYDVQQDDBVhbnlQb2xpY3ktZWUtcGF0aC1pbnQwggEiMA0G
|
||||
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
|
||||
NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
|
||||
fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
|
||||
CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
|
||||
HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
|
||||
1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
|
||||
gYAwfjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBOBggrBgEFBQcBAQRCMEAw
|
||||
PgYIKwYBBQUHMAGGMmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQb2xp
|
||||
Y3ktZWUtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADALBgkqhkiG9w0BAQsD
|
||||
ggEBAG8A4LEmQDAvr6U+NShqPkyxi9d+kMGSHaKV75bJJgbtAkb5ZWG0LQdi4IxV
|
||||
MR/IE73jWJSUCEaIUsYjXVsQE+7CJLLUVCt7w3zRf7EoQV2hDp2+WCME6/q0L0HK
|
||||
EdK9DAe7UegvxLLSKS12rq/LhNB+XUYTFqQFfmSYSbNqNqzyDgqipPcicBs1RPlO
|
||||
HlKISVlKH4uV5FXaGb9FVZAP9J80YI5iHH7fCkJloMKEghnnqA79/Np0eDXt3JzJ
|
||||
O+x+I/DiUveAMlz5q72ou3pIOATsgOXRBs7neYgTR9hQ8q3jexidTIWwOuUjzDpt
|
||||
BhxQXS5JZ/owc3H0NJ33helcoXE=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,7 +1,7 @@
|
|||
issuer:evroot
|
||||
subject:int-ev-valid-anypolicy-int
|
||||
subject:anyPolicy-ee-path-int
|
||||
issuerKey:ev
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid-anypolicy-int/
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-int/
|
||||
extension:certificatePolicies:any
|
|
@ -0,0 +1,21 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDZDCCAk6gAwIBAgIURy0a2jqjnawhuv+eW/eeWdMx8MkwCwYJKoZIhvcNAQEL
|
||||
MCExHzAdBgNVBAMMFmFueVBvbGljeS1pbnQtcGF0aC1pbnQwIhgPMjAxNDExMjcw
|
||||
MDAwMDBaGA8yMDE3MDIwNDAwMDAwMFowIDEeMBwGA1UEAwwVYW55UG9saWN5LWlu
|
||||
dC1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
|
||||
FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
|
||||
amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
|
||||
sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
|
||||
VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
|
||||
aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
|
||||
MdUDrNoYCjXtjQIDAQABo4GUMIGRME4GCCsGAQUFBwEBBEIwQDA+BggrBgEFBQcw
|
||||
AYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBvbGljeS1pbnQtcGF0
|
||||
aC1lZS8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcw
|
||||
FYITZXYtdGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAGhjgde0w84T
|
||||
oegn3iGIIOB3q27pqH5nzwv4o5yThG0CmDRvTjBnK8yqlPdNvqx3YmnNh4aWlh94
|
||||
Z7XeFA5bPMQq2bCDdBD94g0j3hvBiNqy00Ou34uKm9tNFcQH6kecIjgrInpoxK84
|
||||
v2RJ9fjd79503cIuvSw9y3X63DnJn8+ml1Yjt5uO+URpZVDEjJB1mliG1NHdAZ3D
|
||||
qDM13f7pphIYggo+ZBlcOVEbh+uDu81gc/Y1JN1ZUOoKBWMx3TVFctYQ6f+uJcem
|
||||
xbYsnCK3FuCYTgf1zPye1gILCxvRfRiVw5ojnZ5daxPpfq9Ugv+T9DROuzZgHin1
|
||||
WYeP+oiXygI=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
|||
issuer:anyPolicy-int-path-int
|
||||
subject:anyPolicy-int-path-ee
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-ee/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,20 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDQjCCAiygAwIBAgIUI4h7bIgXBroqPq3r8qcqzWTPiTwwCwYJKoZIhvcNAQEL
|
||||
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||
MDAwMDAwWjAhMR8wHQYDVQQDDBZhbnlQb2xpY3ktaW50LXBhdGgtaW50MIIBIjAN
|
||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
|
||||
5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
|
||||
An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
|
||||
ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
|
||||
zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
|
||||
JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
|
||||
o4GBMH8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEEQzBB
|
||||
MD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9s
|
||||
aWN5LWludC1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsGCSqGSIb3DQEB
|
||||
CwOCAQEAaar6+lvsKAL6fuKS9b8HOSI1Q6c+7/PDAo+YPVsDyzg4OYpFHfrJqveK
|
||||
vmwWSnUngX/V702znW4woDu1ZjXLWpTG4xx87FU7b0BIrL7r1N1twAohOYFUMnjl
|
||||
TW7RMjTgMGIgxybQc3N0snwf2SJedUu78xekdLW1/jTiMuIEys/+44tqGzVsFu9j
|
||||
XrFxPxNBHVzR8UFGICREeE2nFeOnqj3uQPh1JJszKUlfXbYtjgPFKfbbsPzzGLJ3
|
||||
tLmzPZLSeEed/AYvegq00CybA5f6UDY1uMnECekHAWFzv/yhZZsL+hMSGXTctE7+
|
||||
C+WTNlFX41Gi6uvck6N8T3ABNVTk8A==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,7 @@
|
|||
issuer:evroot
|
||||
subject:anyPolicy-int-path-int
|
||||
issuerKey:ev
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/
|
||||
extension:certificatePolicies:any
|
|
@ -1,20 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDSDCCAjKgAwIBAgIUby+kueFNWXyfsUNUp9JXQ4u/CgYwCwYJKoZIhvcNAQEL
|
||||
MCUxIzAhBgNVBAMMGmludC1ldi12YWxpZC1hbnlwb2xpY3ktaW50MCIYDzIwMTQx
|
||||
MTI3MDAwMDAwWhgPMjAxNzAyMDQwMDAwMDBaMCExHzAdBgNVBAMMFmV2LXZhbGlk
|
||||
LWFueXBvbGljeS1pbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
|
||||
iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
|
||||
4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
|
||||
8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
|
||||
Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
|
||||
77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
|
||||
I/pyUcQx1QOs2hgKNe2NAgMBAAGjdDByME8GCCsGAQUFBwEBBEMwQTA/BggrBgEF
|
||||
BQcwAYYzaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2V2LXZhbGlkLWFueXBv
|
||||
bGljeS1pbnQvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMAsGCSqG
|
||||
SIb3DQEBCwOCAQEAV2WSrBkRIiml/Nc0WyZwX7MnHLwQe4V4z9mCXdBRwwgZv8Cd
|
||||
ALzlKgj3Uz18CVYh3ZH4XCIxxJRvLy4eBbGsWRuS5c4ZaAPoeIur8WVURscEGu2k
|
||||
FT2cM7eA38Z7f0WYnuGbTBZ+sN7Hsm7HpV1dpBuI7RaJ9hwAlcvmKvgHBLsJZbyd
|
||||
yW7Vpu7KJ0S2djFhBPqjZ7xsIHIfbHuaYBhuO3xlmmx0YbgCS9HGkmuA6RXsSqd1
|
||||
15Iu8mT0mpq/SqxLRXi79f+HWpPAP9ERkNF+Ea0zIkIsK8d5PSnQqIKj5QugXSBE
|
||||
44He3YH8teY36VHQqApV3VGZ5mtMwVLAjMF8rg==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDHjCCAgigAwIBAgIUIWjgvey0rx7/CM8k0zC+FVdlHG0wCwYJKoZIhvcNAQEL
|
||||
MBcxFTATBgNVBAMMDGludC1ldi12YWxpZDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIw
|
||||
MTcwMjA0MDAwMDAwWjATMREwDwYDVQQDDAhldi12YWxpZDCCASIwDQYJKoZIhvcN
|
||||
AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
|
||||
bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
|
||||
OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
|
||||
uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
|
||||
t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
|
||||
NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNmMGQwQQYI
|
||||
KwYBBQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vd3d3LmV4YW1wbGUuY29t
|
||||
Ojg4ODgvZXYtdmFsaWQvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB
|
||||
MAsGCSqGSIb3DQEBCwOCAQEAAZ49c1ZNqOYEz0x2EzYaInvPcK2Fxbc8CjX71xIj
|
||||
ahLnIZ1cb/VIe88wvidZdQYQdRn0aTfc8Z7+P62XnPqM3nlF85b7g4H2yxJRq7or
|
||||
V1skztvKxm+YC/iY4ogsR8x24gdEn/IdwAdjtfZnI471A69CN3t0V6tmt26SNGix
|
||||
jNnabOus9JGfhii+qL8svIYR6T+Gmr2fDuQBEJtTpcHjLbrPAV4pOlFu3WmOsVsF
|
||||
9yaUy72WFBXg0kas+Tz1QvKWgi4XZ9640HoBVdmHGBnAiBjx62d4pxf4ttbrvh9r
|
||||
G26w6vWsfTKWDsoJKi1gYtf9hTcG04jrHg2EAx06+A0yFw==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,20 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDSzCCAjWgAwIBAgIUaYYtOBr1wZWTYvHqYsRinupYgT4wCwYJKoZIhvcNAQEL
|
||||
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||
MDAwMDAwWjAlMSMwIQYDVQQDDBppbnQtZXYtdmFsaWQtYW55cG9saWN5LWludDCC
|
||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
|
||||
PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
|
||||
HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
|
||||
Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
|
||||
EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
|
||||
lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
|
||||
AwEAAaOBhjCBgzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBTBggrBgEFBQcB
|
||||
AQRHMEUwQwYIKwYBBQUHMAGGN2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9p
|
||||
bnQtZXYtdmFsaWQtYW55cG9saWN5LWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsG
|
||||
CSqGSIb3DQEBCwOCAQEAqnqfTrqYSYeWWRX6GfGKkCVfmksgIA3OnvRD8gE895qU
|
||||
JS5Ke/3d/4+3beSlfNueL+JSriA+BqqlK6wrxI7xo7H4xjbUV/DrEXEfhUg052O1
|
||||
gC1oqObWsZenegoQBZ0mQUT0uqshj7IHWzED2GQZmjEt7F6Il5bjvy49OQ5A++/O
|
||||
m+YUr579TZ8r02WU0/+TNln6PnM+6uhoizF2bgh/fCcMlFqLUcJ4FNVi5CgT/oiR
|
||||
Wxv8FO2N3ijfQ1Qwnt2Ti0lGby//rrbdnE9tHJb22COxu8QuOi+z/meh4TL+UG3r
|
||||
HeCP5545zGOyBOzCrHNioeGVE13svKQFM4T+eguckQ==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,20 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDPTCCAiegAwIBAgIUJ6ZiwLEBBmRIxjG+KN4K/KQ+NKkwCwYJKoZIhvcNAQEL
|
||||
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||
MDAwMDAwWjAXMRUwEwYDVQQDDAxpbnQtZXYtdmFsaWQwggEiMA0GCSqGSIb3DQEB
|
||||
AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
|
||||
e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
|
||||
KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
|
||||
YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
|
||||
lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
|
||||
HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgYYwgYMwDAYD
|
||||
VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUF
|
||||
BzABhilodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvaW50LWV2LXZhbGlkLzAf
|
||||
BgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATALBgkqhkiG9w0BAQsDggEB
|
||||
AHuI7ZqTAYzCj2QtErvEKbo16WctTXslepQmnD9hrAFNkhrT9ParJ+EViwaq8wXL
|
||||
RpBs4QNtH5j1lrlIIY3SEeGRvNv7pIC1vQoBa15ieg6IJOxs0Zq/TszAEcdIQSpr
|
||||
p1fcl/51kAoXoV74VBOer6dIqenuK043aa2aai58Jz/cMaWd7E55Ak+aU9pb+Mdc
|
||||
x6k9vV8sSfkpSR2Jmx5GEq5Sat8eJ7lib9/+wHGGCObUzxXnMJN50ZsR6R77DP/E
|
||||
+cafdtTxYgFTsPdA1OTBxUEbk2hx3c08T1kmPL+nmg3WoSu8fXuaZWzCBegDMFMI
|
||||
wgiVIyUZPm9H356bgW+nVeo=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,20 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDSjCCAjSgAwIBAgIUD22BRPEQk1ohdq0TWpDiC9DX0QgwCwYJKoZIhvcNAQEL
|
||||
MBgxFjAUBgNVBAMMDW5vbi1ldnJvb3QtY2EwIhgPMjAxNDExMjcwMDAwMDBaGA8y
|
||||
MDE3MDIwNDAwMDAwMFowGjEYMBYGA1UEAwwPaW50LW5vbi1ldi1yb290MIIBIjAN
|
||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
|
||||
5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
|
||||
An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
|
||||
ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
|
||||
zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
|
||||
JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
|
||||
o4GJMIGGMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEgGCCsGAQUFBwEBBDww
|
||||
OjA4BggrBgEFBQcwAYYsaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2ludC1u
|
||||
b24tZXYtcm9vdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCwYJ
|
||||
KoZIhvcNAQELA4IBAQCNfizDGiKBxkquDAvy/RDTwOiYDliOvReGjlZOZrQBkf52
|
||||
xvfHAkl/m/GluDeCjHSSlGU/8cloXnyN6PRzRfxf46Lx+RuiStgDPS1OfqGw961l
|
||||
dV2xEa2g5SHkHS1aTnadO83GxkagYes6OEZbe7fexrOnPIhNx4Da9wfFyQBOi8/t
|
||||
4Y69eBk+cC5AaSBwHpf12TDc4NKvW2/Qtl1G8idn24OhPlucxBd/dPOxduztde5a
|
||||
bmvQW4m66HHjF5aIXaJn7I5+drY2vSIJz3Nry05pgrJapf7rOi0iKNrv5vKoAyi9
|
||||
IYeIPTOD377JbUBdSOt0yGV2yx5bkvWfMUET51i3
|
||||
-----END CERTIFICATE-----
|
|
@ -6,15 +6,20 @@
|
|||
|
||||
# Temporarily disabled. See bug 1256495.
|
||||
#test_certificates = (
|
||||
# 'ev-valid-anypolicy-int.pem',
|
||||
# 'ev-valid.pem',
|
||||
# 'anyPolicy-ee-path-ee.pem',
|
||||
# 'anyPolicy-ee-path-int.pem',
|
||||
# 'anyPolicy-int-path-ee.pem',
|
||||
# 'anyPolicy-int-path-int.pem',
|
||||
# 'evroot.pem',
|
||||
# 'int-ev-valid-anypolicy-int.pem',
|
||||
# 'int-ev-valid.pem',
|
||||
# 'int-non-ev-root.pem',
|
||||
# 'no-ocsp-url-cert.pem',
|
||||
# 'non-ev-root.pem',
|
||||
# 'no-ocsp-ee-path-ee.pem',
|
||||
# 'no-ocsp-ee-path-int.pem',
|
||||
# 'no-ocsp-int-path-ee.pem',
|
||||
# 'no-ocsp-int-path-int.pem',
|
||||
# 'non-ev-root-path-ee.pem',
|
||||
# 'non-ev-root-path-int.pem',
|
||||
# 'non-evroot-ca.pem',
|
||||
# 'test-oid-path-ee.pem',
|
||||
# 'test-oid-path-int.pem',
|
||||
#)
|
||||
#
|
||||
#for test_certificate in test_certificates:
|
||||
|
@ -22,7 +27,7 @@
|
|||
#
|
||||
#test_keys = (
|
||||
# 'evroot.key',
|
||||
# 'int-ev-valid.key',
|
||||
# 'test-oid-path-int.key',
|
||||
#)
|
||||
#
|
||||
#for test_key in test_keys:
|
||||
|
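Review bot: Nothing regenerates or checks the renamed fixtures while the `test_certificates` and `test_keys` loops stay commented out under "Temporarily disabled. See bug 1256495.", so the `.pem` files added by this commit are static copies that can drift from their `.certspec` files. The PEM bodies added on this page encode a fixed validity window (notBefore 2014-11-27, notAfter 2017-02-04, as far as the base64 decodes), so verification in these tests would presumably start failing after that date unless someone regenerates them by hand. I would extend the existing comment to say so, for example `# While disabled, regenerate the checked-in .pem files by hand whenever a .certspec changes or the certificates approach expiry.` The loop bodies continue outside both hunks.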
|
|
@ -0,0 +1,19 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDDDCCAfagAwIBAgIUN1tZuouNywOlI92yfPVp0g1KyqswCwYJKoZIhvcNAQEL
|
||||
MB4xHDAaBgNVBAMME25vLW9jc3AtZWUtcGF0aC1pbnQwIhgPMjAxNDExMjcwMDAw
|
||||
MDBaGA8yMDE3MDIwNDAwMDAwMFowHTEbMBkGA1UEAwwSbm8tb2NzcC1lZS1wYXRo
|
||||
LWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
|
||||
iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
|
||||
WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
|
||||
Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
|
||||
ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
|
||||
b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
|
||||
CjXtjQIDAQABo0MwQTAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAe
|
||||
BgNVHREEFzAVghNldi10ZXN0LmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOCAQEA
|
||||
PIRn3vteO/sx0OrU73mnICPuA8sVwv+bC8LbVAV8hgboad6ypC6/i/l3KComDtgK
|
||||
NsbANmhq8gF3XpvHzxvlBqnjO9qaZnmV4ETJMlSISm8NaK6xFJvHxLrbpH82g7WH
|
||||
5eLUxDNvkXBDClcs5iwa5cDnRykdXFttmxN5riw+dAT7rCsrNQODnYvF6C5J9e/S
|
||||
I7wyDkbfAdEsioDBHC2xAjuxdKLJr7+YKAaxN54q0U5EZ8dIThuAGLxQK2hSAw8O
|
||||
e34OwOPK11tH3tsrbxXAlaykuFgEeJnBfurq3Ff2OO8WirQ8pFiqYxl93sLIPFd6
|
||||
nMpuKlS/wpXkZV+NwwwJaQ==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,4 @@
|
|||
issuer:no-ocsp-ee-path-int
|
||||
subject:no-ocsp-ee-path-ee
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,20 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDOzCCAiWgAwIBAgIUY7txKTVVTBc2roj9KXXVlQxF20YwCwYJKoZIhvcNAQEL
|
||||
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||
MDAwMDAwWjAeMRwwGgYDVQQDDBNuby1vY3NwLWVlLXBhdGgtaW50MIIBIjANBgkq
|
||||
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
|
||||
tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
|
||||
Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
|
||||
sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
|
||||
l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
|
||||
nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo34w
|
||||
fDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBMBggrBgEFBQcBAQRAMD4wPAYI
|
||||
KwYBBQUHMAGGMGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9uby1vY3NwLWVl
|
||||
LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwCwYJKoZIhvcNAQELA4IBAQCE
|
||||
tGJOFahnFAubE9prxtKV5wEHxGhHWlwXC3lCFFeNMjZ0jOaMeI7JpeX18Nnzvy9u
|
||||
qNZfsvzUZk0fu22MDjwOSjJmZk3OI2B9Sc01gXU/IEQH7Jw3uy8NwVOGZctHjMyn
|
||||
MDIIaFcNDaAIQgjTRCLMyjrD0A86qSG795TQj6xjRuPy5NByLuT3We8cml3AJqy0
|
||||
F0dhLoeFbL5f4HN2xJFsb6UcTMb0bMAAtsvkIu3TTI01mu4ffiI6JVhWfraLLTig
|
||||
X30yMU8oJjeYGfcOyxrnvD/Y6MzIWQat97U8mRnuyfuISxilWvLeTJCasnpmnNWH
|
||||
wrWzbB62tJ1DJw3ngTGj
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,7 @@
|
|||
issuer:evroot
|
||||
subject:no-ocsp-ee-path-int
|
||||
issuerKey:ev
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-ee-path-int/
|
||||
extension:certificatePolicies:any
|
|
@ -0,0 +1,21 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDXjCCAkigAwIBAgIUNQic6jgct61lYPUlwpd2hHK2YJMwCwYJKoZIhvcNAQEL
|
||||
MB8xHTAbBgNVBAMMFG5vLW9jc3AtaW50LXBhdGgtaW50MCIYDzIwMTQxMTI3MDAw
|
||||
MDAwWhgPMjAxNzAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME25vLW9jc3AtaW50LXBh
|
||||
dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
|
||||
braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
|
||||
eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
|
||||
iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
|
||||
qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
|
||||
LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
|
||||
2hgKNe2NAgMBAAGjgZIwgY8wTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzABhjBo
|
||||
dHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvbm8tb2NzcC1pbnQtcGF0aC1lZS8w
|
||||
HwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYt
|
||||
dGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAH5n55Iw3ulJPDVG7pjY
|
||||
SZHl1wfxcr0mhJ8wSJtv+QwPJDc6dDEAyttdiwZPlTZ/zPAws7xChsYaSsPlHnUG
|
||||
QSMDpssbEa4HNz4z+dAMp8lcMO4mwJi8z/hoB+G4J/yW6zWJpIqENrgyZmS2w/zR
|
||||
4ztwIEgEOPH5wsglxhrSzwihYr6lk0LMaOPU+EQ9a+ohbAJeFF9mPyc8VtWOhsYY
|
||||
5o2eHCl9BgIJQ5zuqpul2Liv6lLQQLmu9Y40TPp30lWtUX4I1KechDaRySZDeScx
|
||||
dFvF87rn3X09R+KBDUxcQMxAuJG9lzgAegxSwsCwQduE03+Ba3zJCXoFUTo1CVuc
|
||||
zLc=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,4 +1,5 @@
|
|||
issuer:int-ev-valid-anypolicy-int
|
||||
subject:ev-valid-anypolicy-int
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev-valid-anypolicy-int/
|
||||
issuer:no-ocsp-int-path-int
|
||||
subject:no-ocsp-int-path-ee
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-int-path-ee/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,18 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIC7jCCAdigAwIBAgIUdXjljKCreZHFVnBN7VXrPJiBz8AwCwYJKoZIhvcNAQEL
|
||||
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||
MDAwMDAwWjAfMR0wGwYDVQQDDBRuby1vY3NwLWludC1wYXRoLWludDCCASIwDQYJ
|
||||
KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
|
||||
SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
|
||||
zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
|
||||
K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
|
||||
bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
|
||||
JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMw
|
||||
MC4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
|
||||
MAsGCSqGSIb3DQEBCwOCAQEAkCLoPzlhyoE0haiNXg2V767zsoTJMxA4XDKh2Ndb
|
||||
oaMfxJdqit/4yQregeCMh+zbgOt5i7gs5OQ0JR3Mo3fZ6HYxNLukCmxKD7OjYRAp
|
||||
ZsUbXQAeuNN+0q49rB1Sf7/Huk0WLbS8fG/oAK7HUwpJBxfzgCPbLRYt0ZeXooD+
|
||||
glh+2nUmlMmmjWgzc3xbQ1K1shqWatDT49BPcBel/GHsfpyDuJzzAvop8itJY+I0
|
||||
rUfrA+kJzojBJOykoucNx2cYx/0NxT+Rv3jWL4Qp0YdjCa9huJzdAFv0q0Rk6IlJ
|
||||
ef+7wWlvP6YoDUgwT4H8JPq/vSfCsB5yXKz/Hu0Ykc+3hQ==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,6 @@
|
|||
issuer:evroot
|
||||
subject:no-ocsp-int-path-int
|
||||
issuerKey:ev
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:certificatePolicies:any
|
|
@ -1,18 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIC4zCCAc2gAwIBAgIUd5B8Tu9tyK8u9ciEb+vs5wAhPjcwCwYJKoZIhvcNAQEL
|
||||
MBcxFTATBgNVBAMMDGludC1ldi12YWxpZDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIw
|
||||
MTcwMjA0MDAwMDAwWjAbMRkwFwYDVQQDDBBuby1vY3NwLXVybC1jZXJ0MIIBIjAN
|
||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
|
||||
5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
|
||||
An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
|
||||
ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
|
||||
zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
|
||||
JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
|
||||
oyMwITAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATALBgkqhkiG9w0B
|
||||
AQsDggEBAGD4KgUYaMaVoU2ioXkVXR99IrOz65d6DsI8JZHlI1/5fykVbzPq7gpI
|
||||
fHB2iIp5RzP/eDDZPyriJ7L2LEUIGC/yr68C96d5FqlpeTL9hgkWQaM2Z9hisgoe
|
||||
vk1uBsvZ6KmCQhG9TTCcEAQks7Qe9qDo3j3zk35795Q57w4xYYJZKiBtKFgMTtF2
|
||||
nkpoSTHQ8wmPgok0T7H4c3WxXwRz9Pxa+X63q5Whd8tDeHHp2o+Fm3HzW7aGTb1t
|
||||
F1UJQsF4hCEsnqhfbx2pEPUkYHjtLi2WXFT/AYDbYsqzly4PZhMOdNldJu/S3TS0
|
||||
wSsKiflXOecc1Voy2BHO3igasqYZ6Tk=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,3 +0,0 @@
|
|||
issuer:int-ev-valid
|
||||
subject:no-ocsp-url-cert
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
|
@ -0,0 +1,21 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDXjCCAkigAwIBAgIUPx1bQ/YwNzxyiIIEYEoQjqZUmHUwCwYJKoZIhvcNAQEL
|
||||
MB8xHTAbBgNVBAMMFG5vbi1ldi1yb290LXBhdGgtaW50MCIYDzIwMTQxMTI3MDAw
|
||||
MDAwWhgPMjAxNzAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME25vbi1ldi1yb290LXBh
|
||||
dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
|
||||
braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
|
||||
eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
|
||||
iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
|
||||
qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
|
||||
LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
|
||||
2hgKNe2NAgMBAAGjgZIwgY8wTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzABhjBo
|
||||
dHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvbm9uLWV2LXJvb3QtcGF0aC1lZS8w
|
||||
HwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYt
|
||||
dGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAIkYTJJR3JK3wbcNaBKL
|
||||
5R2qbPJLSJSP2ZbwyBF28HnzrOncI6elJFi9LxVwTDLKIchJolUqQmxLTbmuO/Y5
|
||||
hH9VXBKmct1PbWuDuH2ASFXVTvf3FREg+qHH9/s+GGnIxTSleS0lj2RsHdrC9Q8O
|
||||
ChtSg1Fcuz6ZDMEQgpc52tGaTmB2Q/ZHFV6dIdcZtwxH0AqSy1aX432MAjyaEg6G
|
||||
dFX4ObU/JWOPk8qz+Mw/q0d8b4U6OP7uP2buURYR60KFJx1Iqfcwu2bWl0VdaHrQ
|
||||
1xU1SGViOHaCZMTXrV8l3cvAGbpnFXTp6MAdiTMc8+44M9/SOQVmqWVwULpCtNNv
|
||||
e5M=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,4 +1,5 @@
|
|||
issuer:int-ev-valid
|
||||
subject:ev-valid
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/ev-valid/
|
||||
issuer:non-ev-root-path-int
|
||||
subject:non-ev-root-path-ee
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-ee/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,20 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDRDCCAi6gAwIBAgIUe8flRD9fpbyM3B5myFA50T3jScUwCwYJKoZIhvcNAQEL
|
||||
MBgxFjAUBgNVBAMMDW5vbi1ldnJvb3QtY2EwIhgPMjAxNDExMjcwMDAwMDBaGA8y
|
||||
MDE3MDIwNDAwMDAwMFowHzEdMBsGA1UEAwwUbm9uLWV2LXJvb3QtcGF0aC1pbnQw
|
||||
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
|
||||
PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
|
||||
9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
|
||||
4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
|
||||
exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
|
||||
ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
|
||||
AgMBAAGjfzB9MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME0GCCsGAQUFBwEB
|
||||
BEEwPzA9BggrBgEFBQcwAYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L25v
|
||||
bi1ldi1yb290LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwCwYJKoZIhvcN
|
||||
AQELA4IBAQCw1nYDX13O3uLXnQBJ5aM8/x6IM1tzVd6UWqgtbLDiTDqmQIRw52jz
|
||||
n+Fl/feTEjYn2/GF++LgKS031wXSjbAs2EIe3QtKQZfpMo+XtJzYtOmkQ6dzM5PV
|
||||
GsV5PJG/JvUgC4X/FpSFNbh+5jNEuU8nZatrhqlVShTVmFCHC8bpcQhZlyt3uwY2
|
||||
Vd7x2qSem5XCPP+7Hmvt6jlP0ZO1oTyqfMf1K7Q1m+r97pmHj3xkhYQKTBkiwRMJ
|
||||
+pwIkbvYJONIR30V2tg3bZuJwzwt9R4f4dl2J03UQkg1ge2eJUF9d3odaWmLma7N
|
||||
nuwrO2Y0DpQv3HqvZZOOYX8chPO8IIVe
|
||||
-----END CERTIFICATE-----
|
|
@ -1,6 +1,6 @@
|
|||
issuer:non-evroot-ca
|
||||
subject:int-non-ev-root
|
||||
subject:non-ev-root-path-int
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/int-non-ev-root/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-int/
|
||||
extension:certificatePolicies:any
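Review bot: The changed lines here do more than rename: the intermediate's `certificatePolicies` goes from the test EV OID `1.3.6.1.4.1.13769.666.666.666.1.500.9.1` to `any`, which a commit titled "cleanup" does not mention. As far as this spec shows, the path should still be refused EV only because of its root, but a policy change folded into a rename is easy to miss when auditing what each fixture is meant to prove. I would add a line to the commit description such as `non-ev-root-path-int now asserts anyPolicy instead of the test EV OID`, and state there whether the root is intended to be the only non-EV element of that path.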
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDJzCCAhGgAwIBAgIULwMSM80UKgeh7YdspJB7dG8Yn3owCwYJKoZIhvcNAQEL
|
||||
MBoxGDAWBgNVBAMMD2ludC1ub24tZXYtcm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoY
|
||||
DzIwMTcwMjA0MDAwMDAwWjAWMRQwEgYDVQQDDAtub24tZXYtcm9vdDCCASIwDQYJ
|
||||
KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
|
||||
SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
|
||||
zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
|
||||
K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
|
||||
bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
|
||||
JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNp
|
||||
MGcwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vd3d3LmV4YW1w
|
||||
bGUuY29tOjg4ODgvbm9uLWV2LXJvb3QvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUa
|
||||
hRqFGgGDdAkBMAsGCSqGSIb3DQEBCwOCAQEAAtXIU+ufmDNCqfjUZiJ+9nHcE14I
|
||||
t158M0bTBeAsmwtenY9WsBz2Svd3JJ4k8/0OjIfS44o9XPnGvAT/KmHKcTjmTkHR
|
||||
vixUvEa3923AsJzoGzxQcF2BtyQufGWBW8/Oq5d6G5ISB/C4VA3Ez8j7o+OE+6bp
|
||||
ID60osGbUJsQ/mknXxj0MsZoeuz3upbdTDe49jNYPkyyJqKnctOacq3PIs1Ai10A
|
||||
iMgKtn0e5wEEUCouKwuKXxK1kFIrxDiiKLWEhgBKTPxDf8E+ZuJbp+nZo3TDfI1j
|
||||
rQDQsbH6cao5EzrVe/weHRYDQMJ1tk17RXrW+PPsgWYia8Mi11qbI9w+1Q==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,20 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDVTCCAj+gAwIBAgIULwfe1XYxIxI1GOvu3ZnTqxvVOYYwCwYJKoZIhvcNAQEL
|
||||
MBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MCIYDzIwMTQxMTI3MDAwMDAw
|
||||
WhgPMjAxNzAyMDQwMDAwMDBaMBsxGTAXBgNVBAMMEHRlc3Qtb2lkLXBhdGgtZWUw
|
||||
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
|
||||
PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
|
||||
9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
|
||||
4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
|
||||
exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
|
||||
ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
|
||||
AgMBAAGjgY8wgYwwSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzABhi1odHRwOi8v
|
||||
d3d3LmV4YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtcGF0aC1lZS8wHwYDVR0gBBgw
|
||||
FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt
|
||||
cGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAGBM93ylo+yXjVAr7GHY2/Suvddfd47X
|
||||
i+0qQc5Aif2f5okWm7k8BaLdhQYMcLo/D/AZzKcPvO5wUFdiInHPF069ebu8s6qL
|
||||
qZ7ybJK7AR/UfkS4Yn+gTdvPUxasFCtorT3tx8aws3Y9NBK0YV2IImgC+wS2Qe37
|
||||
XBUF+526UjJ/ooInFnW6Ukf8rdhxMpSOAXzblJCfHMnnkg36m5zSWNH83oTWEGwe
|
||||
tWolqulTICNpRA4rqwO7i2BRHkgQrq9lhQS3/rCyGYgeqware7QPSj5S4WXBLM3p
|
||||
a7je/NteBTOUVsfngQSz5ETVu3Bj7mgJYmtkCC5ZRVfQmjWsfPyqslE=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,4 +1,5 @@
|
|||
issuer:int-non-ev-root
|
||||
subject:non-ev-root
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root/
|
||||
issuer:test-oid-path-int
|
||||
subject:test-oid-path-ee
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,20 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDRzCCAjGgAwIBAgIUXX3/aud0LGpAvxl0RGcu8j7gbsAwCwYJKoZIhvcNAQEL
|
||||
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||
MDAwMDAwWjAcMRowGAYDVQQDDBF0ZXN0LW9pZC1wYXRoLWludDCCASIwDQYJKoZI
|
||||
hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
|
||||
9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
|
||||
HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
|
||||
kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
|
||||
lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
|
||||
kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBizCB
|
||||
iDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBKBggrBgEFBQcBAQQ+MDwwOgYI
|
||||
KwYBBQUHMAGGLmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LW9pZC1w
|
||||
YXRoLWludC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCwYJKoZI
|
||||
hvcNAQELA4IBAQBonq8E1t3lQQAdEimupSIEFehQNe5wE69Hj9O941yTTIYZazR/
|
||||
kgKiFb4daLhvmeay1WxKq2D4SabCyvQpkU2acUunOolNcUUYwzqjeOr3OB369vvy
|
||||
13vshQs6PL9y5sTNEFCt8xYeBgiMoUKrelLe9iql4h/jyqOBYAuk8hQzztaW986p
|
||||
q8mF0V59hT3EZNEGdHf2LcPBlR24i7mdA45mWHQ+v5zySVptxJG9xi5bv2PoT3i3
|
||||
HUcBfOERE+6d14OZmMsDcmv3G6JRtbAow0ZKbi7UXemrHk0Xszb570gEvii2PKyD
|
||||
mQbrJ3k0g8SGTK+mWEYtpowoPVWMa3Do/KpO
|
||||
-----END CERTIFICATE-----
|
|
@ -1,7 +1,7 @@
|
|||
issuer:evroot
|
||||
subject:int-ev-valid
|
||||
subject:test-oid-path-int
|
||||
issuerKey:ev
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid/
|
||||
extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-int/
|
||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
|
@ -41,7 +41,7 @@ function testOff() {
|
|||
add_test(() => {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = getFailingOCSPResponder();
|
||||
checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
|
||||
checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
|
||||
false);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
@ -50,7 +50,7 @@ function testOff() {
|
|||
add_test(() => {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = getFailingOCSPResponder();
|
||||
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
|
||||
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
|
||||
PRErrorCodeSuccess, certificateUsageSSLServer);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
@ -69,9 +69,9 @@ function testOn() {
|
|||
add_test(() => {
|
||||
clearOCSPCache();
|
||||
let ocspResponder =
|
||||
getOCSPResponder(gEVExpected ? ["int-ev-valid", "ev-valid"]
|
||||
: ["ev-valid"]);
|
||||
checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
|
||||
getOCSPResponder(gEVExpected ? ["test-oid-path-int", "test-oid-path-ee"]
|
||||
: ["test-oid-path-ee"]);
|
||||
checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
|
||||
gEVExpected);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
@ -80,8 +80,8 @@ function testOn() {
|
|||
// successfully.
|
||||
add_test(() => {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = getOCSPResponder(["non-ev-root"]);
|
||||
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
|
||||
let ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
|
||||
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
|
||||
PRErrorCodeSuccess, certificateUsageSSLServer);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
@ -100,9 +100,9 @@ function testEVOnly() {
|
|||
add_test(() => {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = gEVExpected
|
||||
? getOCSPResponder(["int-ev-valid", "ev-valid"])
|
||||
? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])
|
||||
: getFailingOCSPResponder();
|
||||
checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
|
||||
checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
|
||||
gEVExpected);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
@ -111,7 +111,7 @@ function testEVOnly() {
|
|||
add_test(() => {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = getFailingOCSPResponder();
|
||||
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
|
||||
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
|
||||
PRErrorCodeSuccess, certificateUsageSSLServer);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
@ -129,9 +129,9 @@ function run_test() {
|
|||
Services.prefs.setBoolPref("security.OCSP.require", true);
|
||||
|
||||
loadCert("evroot", "CTu,,");
|
||||
loadCert("int-ev-valid", ",,");
|
||||
loadCert("test-oid-path-int", ",,");
|
||||
loadCert("non-evroot-ca", "CTu,,");
|
||||
loadCert("int-non-ev-root", ",,");
|
||||
loadCert("non-ev-root-path-int", ",,");
|
||||
|
||||
testOff();
|
||||
testOn();
|
||||
|
|
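Review bot: The three `checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"), PRErrorCodeSuccess, certificateUsageSSLServer)` calls (in the testOff, testOn and testEVOnly hunks) assert only that the chain verifies. Nothing visible in these hunks asserts that a chain ending in the non-EV root is not reported as EV. The definition of `checkEVStatus` is not on this page, so whether it also requires a successful verification needs confirming. If it does, `checkEVStatus(gCertDB, certFromFile("non-ev-root-path-ee"), certificateUsageSSLServer, false);` would pin both properties, and a regression that granted EV treatment under a non-EV root would fail here. The enclosing functions start and end outside the hunks.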