bug 1290613 - test_ev_certs.js cleanup r=Cykesiopka,mgoodwin

MozReview-Commit-ID: KcCV161J3qV

--HG--
rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
rename : security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem => security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
rename : security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
rename : security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
rename : security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
rename : security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
rename : security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key.keyspec => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
extra : rebase_source : 4a84a44616a396ae484550fcfcaf0df5e533dd51

security/manager/ssl/nsNSSCertificateDB.cpp

@@ -1523,7 +1523,6 @@ VerifyCertAtTime(nsIX509Cert* aCert,
     }
     *_retval = 0;
   } else {
-    NS_ENSURE_TRUE(evOidPolicy == SEC_OID_UNKNOWN, NS_ERROR_FAILURE);
     NS_ENSURE_TRUE(error != 0, NS_ERROR_FAILURE);
     *_retval = error;
   }

security/manager/ssl/tests/unit/head_psm.js

@@ -563,6 +563,10 @@ function getFailingHttpServer(serverPort, serverIdentities) {
 // expectedCertNames is an array of nicks of the certs to be responsed
 // expectedBasePaths is an optional array that is used to indicate
 //   what is the expected base path of the OCSP request.
+// expectedMethods is an optional array of methods ("GET" or "POST") indicating
+//   by which HTTP method the server is expected to be queried.
+// expectedResponseTypes is an optional array of OCSP response types to use (see
+//   GenerateOCSPResponse.cpp).
 function startOCSPResponder(serverPort, identity, nssDBLocation,
                             expectedCertNames, expectedBasePaths,
                             expectedMethods, expectedResponseTypes) {

security/manager/ssl/tests/unit/test_ev_certs.js

@@ -5,31 +5,39 @@
 
 "use strict";
 
+// Tests that end-entity certificates that should successfully verify as EV
+// (Extended Validation) do so and that end-entity certificates that should not
+// successfully verify as EV do not. Also tests related situations (e.g. that
+// failure to fetch an OCSP response results in no EV treatment).
+//
+// A quick note about the certificates in these tests: generally, an EV
+// certificate chain will have an end-entity with a specific policy OID followed
+// by an intermediate with the anyPolicy OID chaining to a root with no policy
+// OID (since it's a trust anchor, it can be omitted). In these tests, the
+// specific policy OID is 1.3.6.1.4.1.13769.666.666.666.1.500.9.1 and is
+// referred to as the test OID. In order to reflect what will commonly be
+// encountered, the end-entity of any given test path will have the test OID
+// unless otherwise specified in the name of the test path. Similarly, the
+// intermediate will have the anyPolicy OID, again unless otherwise specified.
+// For example, for the path where the end-entity does not have an OCSP URI
+// (referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID
+// whereas the intermediate has the anyPolicy OID.
+// For another example, for the test OID path ("test-oid-path-{ee,int}"), both
+// the end-entity and the intermediate have the test OID.
+
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
-const evrootnick = "evroot";
+do_register_cleanup(() => {
+  Services.prefs.clearUserPref("network.dns.localDomains");
+  Services.prefs.clearUserPref("security.OCSP.enabled");
+});
 
-// This is the list of certificates needed for the test
-// The certificates prefixed by 'int-' are intermediates
-var certList = [
-  // Test for successful EV validation
-  'int-ev-valid',
-  'ev-valid',
-  'ev-valid-anypolicy-int',
-  'int-ev-valid-anypolicy-int',
-  'no-ocsp-url-cert', // a cert signed by the EV auth that has no OCSP url
-                      // but that contains a valid CRLDP.
-
-  // Testing a root that looks like EV but is not EV enabled
-  'int-non-ev-root',
-  'non-ev-root',
-];
-
-function load_ca(ca_name) {
-  addCertFromFile(certdb, `test_ev_certs/${ca_name}.pem`, "CTu,CTu,CTu");
-}
+Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,");
 
 const SERVER_PORT = 8888;
 
@@ -37,302 +45,294 @@ function failingOCSPResponder() {
   return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
 }
 
-function start_ocsp_responder(expectedCertNames) {
-  let expectedPaths = expectedCertNames.slice();
-  return startOCSPResponder(SERVER_PORT, "www.example.com", "test_ev_certs",
-                            expectedCertNames, expectedPaths);
-}
-
-function check_cert_err(cert_name, expected_error) {
-  let cert = certdb.findCertByNickname(cert_name);
-  checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
-}
-
-
-function check_ee_for_ev(cert_name, expected_ev) {
-  let cert = certdb.findCertByNickname(cert_name);
-  checkEVStatus(certdb, cert, certificateUsageSSLServer, expected_ev);
-}
-
-function run_test() {
-  for (let i = 0 ; i < certList.length; i++) {
-    let cert_filename = certList[i] + ".pem";
-    addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
+class EVCertVerificationResult {
+  constructor(testcase, expectedPRErrorCode, expectedEV, resolve,
+              ocspResponder) {
+    this.testcase = testcase;
+    this.expectedPRErrorCode = expectedPRErrorCode;
+    this.expectedEV = expectedEV;
+    this.resolve = resolve;
+    this.ocspResponder = ocspResponder;
   }
-  load_ca("evroot");
-  load_ca("non-evroot-ca");
 
-  // setup and start ocsp responder
-  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
-  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  verifyCertFinished(prErrorCode, verifiedChain, hasEVPolicy) {
+    equal(prErrorCode, this.expectedPRErrorCode,
+          `${this.testcase} should have expected error code`);
+    equal(hasEVPolicy, this.expectedEV,
+          `${this.testcase} should result in expected EV status`);
+    this.ocspResponder.stop(this.resolve);
+  }
+}
 
-  add_test(function () {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
+function asyncTestEV(cert, expectedPRErrorCode, expectedEV,
+                     expectedOCSPRequestPaths, ocspResponseTypes = undefined)
+{
+  let now = Date.now() / 1000;
+  return new Promise((resolve, reject) => {
+    let ocspResponder = expectedOCSPRequestPaths.length > 0
+                      ? startOCSPResponder(SERVER_PORT, "www.example.com",
+                                           "test_ev_certs",
+                                           expectedOCSPRequestPaths,
+                                           expectedOCSPRequestPaths.slice(),
+                                           null, ocspResponseTypes)
+                      : failingOCSPResponder();
+    let result = new EVCertVerificationResult(cert.subjectName,
+                                              expectedPRErrorCode, expectedEV,
+                                              resolve, ocspResponder);
+    certdb.asyncVerifyCertAtTime(cert, certificateUsageSSLServer, 0,
+                                 "ev-test.example.com", now, result);
   });
+}
 
-  add_test(function () {
-    clearOCSPCache();
+function ensureVerifiesAsEV(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let expectedOCSPRequestPaths = gEVExpected
+                               ? [ `${testcase}-int`, `${testcase}-ee` ]
+                               : [ `${testcase}-ee` ];
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected,
+                     expectedOCSPRequestPaths);
+}
 
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid-anypolicy-int", "ev-valid-anypolicy-int"]
-                                      : ["ev-valid-anypolicy-int"]);
-    check_ee_for_ev("ev-valid-anypolicy-int", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
+function ensureVerifiesAsEVWithNoOCSPRequests(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected, []);
+}
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(["non-ev-root"]);
-    check_ee_for_ev("non-ev-root", false);
-    ocspResponder.stop(run_next_test);
-  });
+function ensureVerifiesAsDV(testcase, expectedOCSPRequestPaths = undefined) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, PRErrorCodeSuccess, false,
+                     expectedOCSPRequestPaths ? expectedOCSPRequestPaths
+                                              : [ `${testcase}-ee` ]);
+}
 
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = gEVExpected ? start_ocsp_responder(["int-ev-valid"])
-                                    : failingOCSPResponder();
-    check_ee_for_ev("no-ocsp-url-cert", false);
-    ocspResponder.stop(run_next_test);
-  });
+function ensureVerificationFails(testcase, expectedPRErrorCode) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, expectedPRErrorCode, false, []);
+}
 
-  // bug 917380: Check that explicitly removing trust from an EV root actually
-  // causes the root to be untrusted.
-  const nsIX509Cert = Ci.nsIX509Cert;
-  add_test(function() {
-    let evRootCA = certdb.findCertByNickname(evrootnick);
-    certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
-
-    clearOCSPCache();
+function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let now = Date.now() / 1000;
+  let expectedErrorCode = SEC_ERROR_POLICY_VALIDATION_FAILED;
+  if (expectSuccess && gEVExpected) {
+    expectedErrorCode = PRErrorCodeSuccess;
+  }
+  return new Promise((resolve, reject) => {
     let ocspResponder = failingOCSPResponder();
-    check_cert_err("ev-valid", SEC_ERROR_UNKNOWN_ISSUER);
-    ocspResponder.stop(run_next_test);
+    let result = new EVCertVerificationResult(
+      cert.subjectName, expectedErrorCode, expectSuccess && gEVExpected,
+      resolve, ocspResponder);
+    let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
+                Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
+    certdb.asyncVerifyCertAtTime(cert, certificateUsageSSLServer, flags,
+                                 "ev-test.example.com", now, result);
   });
-
-  // bug 917380: Check that a trusted EV root is trusted after disabling and
-  // re-enabling trust.
-  add_test(function() {
-    let evRootCA = certdb.findCertByNickname(evrootnick);
-    certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
-                        Ci.nsIX509CertDB.TRUSTED_SSL |
-                        Ci.nsIX509CertDB.TRUSTED_EMAIL |
-                        Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
-
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function () {
-    check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED);
-  });
-
-  add_test(function () {
-    check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
-  });
-
-  add_test(function () {
-    check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
-  });
-
-  // Check OneCRL OCSP request skipping works correctly
-  add_test(function () {
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-    // set the blocklist-background-update-timer value to the recent past
-    Services.prefs.setIntPref("services.blocklist.onecrl.checked",
-                              Math.floor(Date.now() / 1000) - 1);
-    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
-                              Math.floor(Date.now() / 1000) - 1);
-    clearOCSPCache();
-    // the intermediate should not have an associated OCSP request
-    let ocspResponder = start_ocsp_responder(["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function () {
-    // disable OneCRL OCSP Skipping (no staleness allowed)
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function () {
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-    // set the blocklist-background-update-timer value to the more distant past
-    Services.prefs.setIntPref("services.blocklist.onecrl.checked",
-                              Math.floor(Date.now() / 1000) - 108080);
-    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
-                              Math.floor(Date.now() / 1000) - 108080);
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function () {
-    // test that setting "security.onecrl.via.amo" results in the correct
-    // OCSP behavior when services.blocklist.onecrl.checked is in the distant past
-    // and blacklist-background-update-timer is recent
-    Services.prefs.setBoolPref("security.onecrl.via.amo", false);
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-    // set the blocklist-background-update-timer value to the recent past
-    // (services.blocklist.onecrl.checked defaults to 0)
-    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
-                              Math.floor(Date.now() / 1000) - 1);
-    clearOCSPCache();
-    // the intermediate should have an associated OCSP request
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function () {
-    // test that setting "security.onecrl.via.amo" results in the correct
-    // OCSP behavior when services.blocklist.onecrl.checked is recent
-    Services.prefs.setBoolPref("security.onecrl.via.amo", false);
-
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-
-    // now set services.blocklist.onecrl.checked to a recent value
-    Services.prefs.setIntPref("services.blocklist.onecrl.checked",
-                              Math.floor(Date.now() / 1000) - 1);
-
-    clearOCSPCache();
-    // the intermediate should not have an associated OCSP request
-    let ocspResponder = start_ocsp_responder(["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    // The tests following this assume no OCSP bypass
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
-    Services.prefs.clearUserPref("security.onecrl.via.amo");
-    Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
-    ocspResponder.stop(run_next_test);
-  });
-
-  // Test the EV continues to work with flags after successful EV verification
-  add_test(function () {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(function () {
-      // without net it must be able to EV verify
-      let failingOcspResponder = failingOCSPResponder();
-      let cert = certdb.findCertByNickname("ev-valid");
-      let hasEVPolicy = {};
-      let verifiedChain = {};
-      let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
-                  Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
-
-      let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags,
-                                       null, verifiedChain, hasEVPolicy);
-      equal(hasEVPolicy.value, gEVExpected,
-            "Actual and expected EV status should match for local only EV");
-      equal(error,
-            gEVExpected ? PRErrorCodeSuccess : SEC_ERROR_POLICY_VALIDATION_FAILED,
-            "Actual and expected error code should match for local only EV");
-      failingOcspResponder.stop(run_next_test);
-    });
-  });
-
-  // Bug 991815 old but valid intermediates are OK
-  add_test(function () {
-    clearOCSPCache();
-    let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
-                          "test_ev_certs",
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"],
-                          [], [],
-                          gEVExpected ? ["longvalidityalmostold", "good"]
-                                      : ["good"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
-
-  // Bug 991815 old but valid end-entities are NOT OK for EV
-  // Unfortunately because of soft-fail we consider these OK for DV.
-  add_test(function () {
-    clearOCSPCache();
-    // Since Mozilla::pkix does not consider the old almost invalid OCSP
-    // response valid, it does not cache the old response and thus
-    // makes a separate request for DV
-    let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
-    let debugResponseArray = ["good", "longvalidityalmostold",
-                              "longvalidityalmostold"];
-    let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
-                          "test_ev_certs",
-                          gEVExpected ? debugCertNickArray : ["ev-valid"],
-                          [], [],
-                          gEVExpected ? debugResponseArray
-                                      : ["longvalidityalmostold"]);
-    check_ee_for_ev("ev-valid", false);
-    ocspResponder.stop(run_next_test);
-  });
-
-  // Bug 991815 Valid but Ancient (almost two year old) responses are Not OK for
-  // EV (still OK for soft fail DV)
-  add_test(function () {
-    clearOCSPCache();
-    let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
-    let debugResponseArray = ["good", "ancientstillvalid",
-                              "ancientstillvalid"];
-    let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
-                          "test_ev_certs",
-                          gEVExpected ? debugCertNickArray : ["ev-valid"],
-                          [], [],
-                          gEVExpected ? debugResponseArray
-                                      : ["ancientstillvalid"]);
-    check_ee_for_ev("ev-valid", false);
-    ocspResponder.stop(run_next_test);
-  });
-
-  run_next_test();
 }
 
-// bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
-// to prevent spurious OCSP requests that race with OCSP stapling.
-// This has the side-effect of saying an EV certificate is not EV if
-// it hasn't already been verified (e.g. on the verification thread when
-// connecting to a site).
-// This flag is mostly a hack that should be removed once FLAG_LOCAL_ONLY
-// works as intended.
-function check_no_ocsp_requests(cert_name, expected_error) {
+function ensureNoOCSPMeansNoEV(testcase) {
+  return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, false);
+}
+
+function ensureVerifiesAsEVWithFLAG_LOCAL_ONLY(testcase) {
+  return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, true);
+}
+
+function ensureOneCRLSkipsOCSPForIntermediates(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected,
+                     [ `${testcase}-ee` ]);
+}
+
+function verifyWithDifferentOCSPResponseTypes(testcase, responses, expectEV) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let expectedOCSPRequestPaths = gEVExpected
+                               ? [ `${testcase}-int`, `${testcase}-ee` ]
+                               : [ `${testcase}-ee` ];
+  let ocspResponseTypes = gEVExpected ? responses : responses.slice(1);
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected && expectEV,
+                     expectedOCSPRequestPaths, ocspResponseTypes);
+}
+
+function ensureVerifiesAsEVWithOldIntermediateOCSPResponse(testcase) {
+  return verifyWithDifferentOCSPResponseTypes(
+    testcase, [ "longvalidityalmostold", "good" ], true);
+}
+
+function ensureVerifiesAsDVWithOldEndEntityOCSPResponse(testcase) {
+  return verifyWithDifferentOCSPResponseTypes(
+    testcase, [ "good", "longvalidityalmostold" ], false);
+}
+
+function ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(testcase) {
+  return verifyWithDifferentOCSPResponseTypes(
+    testcase, [ "good", "ancientstillvalid" ], false);
+}
+
+// These should all verify as EV.
+add_task(function* plainExpectSuccessEVTests() {
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
+});
+
+// These fail for various reasons to verify as EV, but fallback to DV should
+// succeed.
+add_task(function* expectDVFallbackTests() {
+  yield ensureVerifiesAsDV("anyPolicy-ee-path");
+  yield ensureVerifiesAsDV("non-ev-root-path");
+  yield ensureVerifiesAsDV("no-ocsp-ee-path",
+                           gEVExpected ? [ "no-ocsp-ee-path-int" ] : []);
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+});
+
+// Test that removing the trust bits from an EV root causes verifications
+// relying on that root to fail (and then test that adding back the trust bits
+// causes the verifications to succeed again).
+add_task(function* evRootTrustTests() {
   clearOCSPCache();
-  let ocspResponder = failingOCSPResponder();
-  let cert = certdb.findCertByNickname(cert_name);
-  let hasEVPolicy = {};
-  let verifiedChain = {};
-  let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
-              Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
-  let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags,
-                                   null, verifiedChain, hasEVPolicy);
-  // Since we're not doing OCSP requests, no certificate will be EV.
-  equal(hasEVPolicy.value, false,
-        "EV status should be false when not doing OCSP requests");
-  equal(error, expected_error,
-        "Actual and expected error should match when not doing OCSP requests");
-  ocspResponder.stop(run_next_test);
-}
+  let evroot = certdb.findCertByNickname("evroot");
+  do_print("untrusting evroot");
+  certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
+                      Ci.nsIX509CertDB.UNTRUSTED);
+  yield ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER);
+  do_print("re-trusting evroot");
+  certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
+                      Ci.nsIX509CertDB.TRUSTED_SSL);
+  yield ensureVerifiesAsEV("test-oid-path");
+});
+
+// Test that if FLAG_LOCAL_ONLY and FLAG_MUST_BE_EV are specified, that no OCSP
+// requests are made (this also means that nothing will verify as EV).
+add_task(function* localOnlyMustBeEVTests() {
+  clearOCSPCache();
+  yield ensureNoOCSPMeansNoEV("anyPolicy-ee-path");
+  yield ensureNoOCSPMeansNoEV("anyPolicy-int-path");
+  yield ensureNoOCSPMeansNoEV("non-ev-root-path");
+  yield ensureNoOCSPMeansNoEV("no-ocsp-ee-path");
+  yield ensureNoOCSPMeansNoEV("no-ocsp-int-path");
+  yield ensureNoOCSPMeansNoEV("test-oid-path");
+});
+
+
+// Under certain conditions, OneCRL allows us to skip OCSP requests for
+// intermediates.
+add_task(function* oneCRLTests() {
+  clearOCSPCache();
+
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // set the blocklist-background-update-timer value to the recent past
+  Services.prefs.setIntPref("services.blocklist.onecrl.checked",
+                            Math.floor(Date.now() / 1000) - 1);
+  Services.prefs.setIntPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer",
+    Math.floor(Date.now() / 1000) - 1);
+
+  yield ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
+
+  clearOCSPCache();
+  // disable OneCRL OCSP Skipping (no staleness allowed)
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  // Because the intermediate in this case is missing an OCSP URI, it will not
+  // validate as EV, but it should fall back to DV.
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
+
+  clearOCSPCache();
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // set the blocklist-background-update-timer value to the more distant past
+  Services.prefs.setIntPref("services.blocklist.onecrl.checked",
+                            Math.floor(Date.now() / 1000) - 108080);
+  Services.prefs.setIntPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer",
+    Math.floor(Date.now() / 1000) - 108080);
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
+
+  clearOCSPCache();
+  // test that setting "security.onecrl.via.amo" results in the correct
+  // OCSP behavior when services.blocklist.onecrl.checked is in the distant past
+  // and blacklist-background-update-timer is recent
+  Services.prefs.setBoolPref("security.onecrl.via.amo", false);
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // set the blocklist-background-update-timer value to the recent past
+  // (services.blocklist.onecrl.checked defaults to 0)
+  Services.prefs.setIntPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer",
+    Math.floor(Date.now() / 1000) - 1);
+
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
+
+  clearOCSPCache();
+  // test that setting "security.onecrl.via.amo" results in the correct
+  // OCSP behavior when services.blocklist.onecrl.checked is recent
+  Services.prefs.setBoolPref("security.onecrl.via.amo", false);
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // now set services.blocklist.onecrl.checked to a recent value
+  Services.prefs.setIntPref("services.blocklist.onecrl.checked",
+                            Math.floor(Date.now() / 1000) - 1);
+  yield ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
+
+  Services.prefs.clearUserPref("security.onecrl.via.amo");
+  Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
+  Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
+  Services.prefs.clearUserPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer");
+});
+
+// Prime the OCSP cache and then ensure that we can validate certificates as EV
+// without hitting the network. There's two cases here: one where we simply
+// validate like normal and then check that the network was never accessed and
+// another where we use flags to mandate that the network not be used.
+add_task(function* ocspCachingTests() {
+  clearOCSPCache();
+
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
+
+  yield ensureVerifiesAsEVWithNoOCSPRequests("anyPolicy-int-path");
+  yield ensureVerifiesAsEVWithNoOCSPRequests("test-oid-path");
+
+  yield ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("anyPolicy-int-path");
+  yield ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("test-oid-path");
+});
+
+// Old-but-still-valid OCSP responses are accepted for intermediates but not
+// end-entity certificates (because of OCSP soft-fail this results in DV
+// fallback).
+add_task(function* oldOCSPResponseTests() {
+  clearOCSPCache();
+
+  yield ensureVerifiesAsEVWithOldIntermediateOCSPResponse("anyPolicy-int-path");
+  yield ensureVerifiesAsEVWithOldIntermediateOCSPResponse("test-oid-path");
+
+  clearOCSPCache();
+  yield ensureVerifiesAsDVWithOldEndEntityOCSPResponse("anyPolicy-int-path");
+  yield ensureVerifiesAsDVWithOldEndEntityOCSPResponse("test-oid-path");
+
+  clearOCSPCache();
+  yield ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(
+    "anyPolicy-int-path");
+  yield ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse("test-oid-path");
+});

security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUzCCAj2gAwIBAgIUE20vV8zM9OXxDcXIQL8GFm0SKrgwCwYJKoZIhvcNAQEL
+MCAxHjAcBgNVBAMMFWFueVBvbGljeS1lZS1wYXRoLWludDAiGA8yMDE0MTEyNzAw
+MDAwMFoYDzIwMTcwMjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRhbnlQb2xpY3ktZWUt
+cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBhTCBgjBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGG
+MWh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQb2xpY3ktZWUtcGF0aC1l
+ZS8wEQYDVR0gBAowCDAGBgRVHSAAMB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhhbXBs
+ZS5jb20wCwYJKoZIhvcNAQELA4IBAQAiyZHRImgu1XH/X6KY6duEjEP8hPvIc+Vw
+Vyej3Aaa9NjWpDrO0eCm+08msuiOOYdnTvfudbyDorWY6D8jbTy3re6MLaY+GFY7
+9E18zdDk4t4Ssg1O1ous7MGfKKygNQ0eTB4aJH83jWjfpmNTvXggkA7Zp1SfOVv+
+2OMv066Vwewafrr1pgKl8IuSdTjCpaqCMzZDZf4cwL9tdadF1k9NqjInrinlUI+9
+nbb0WLL3fttvFGsee370t9Q+GRNd1S8nGuxpcXq4Yo51MDRk+HwjPPSBowfg+Tki
+Pk6RSND8FSjn22A+JUNT8u6MnNUOj4wh0N8RzEEQEW6GADH5hZdS
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec

@@ -0,0 +1,5 @@
+issuer:anyPolicy-ee-path-int
+subject:anyPolicy-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-ee/
+extension:certificatePolicies:any
+extension:subjectAlternativeName:ev-test.example.com

security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiqgAwIBAgIUI2XRNlfIQthAhAOq8dL98Ifp8wMwCwYJKoZIhvcNAQEL
+MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
+MDAwMDAwWjAgMR4wHAYDVQQDDBVhbnlQb2xpY3ktZWUtcGF0aC1pbnQwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+gYAwfjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBOBggrBgEFBQcBAQRCMEAw
+PgYIKwYBBQUHMAGGMmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQb2xp
+Y3ktZWUtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADALBgkqhkiG9w0BAQsD
+ggEBAG8A4LEmQDAvr6U+NShqPkyxi9d+kMGSHaKV75bJJgbtAkb5ZWG0LQdi4IxV
+MR/IE73jWJSUCEaIUsYjXVsQE+7CJLLUVCt7w3zRf7EoQV2hDp2+WCME6/q0L0HK
+EdK9DAe7UegvxLLSKS12rq/LhNB+XUYTFqQFfmSYSbNqNqzyDgqipPcicBs1RPlO
+HlKISVlKH4uV5FXaGb9FVZAP9J80YI5iHH7fCkJloMKEghnnqA79/Np0eDXt3JzJ
+O+x+I/DiUveAMlz5q72ou3pIOATsgOXRBs7neYgTR9hQ8q3jexidTIWwOuUjzDpt
+BhxQXS5JZ/owc3H0NJ33helcoXE=
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec

@@ -1,7 +1,7 @@
 issuer:evroot
-subject:int-ev-valid-anypolicy-int
+subject:anyPolicy-ee-path-int
 issuerKey:ev
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid-anypolicy-int/
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-int/
 extension:certificatePolicies:any

security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZDCCAk6gAwIBAgIURy0a2jqjnawhuv+eW/eeWdMx8MkwCwYJKoZIhvcNAQEL
+MCExHzAdBgNVBAMMFmFueVBvbGljeS1pbnQtcGF0aC1pbnQwIhgPMjAxNDExMjcw
+MDAwMDBaGA8yMDE3MDIwNDAwMDAwMFowIDEeMBwGA1UEAwwVYW55UG9saWN5LWlu
+dC1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo4GUMIGRME4GCCsGAQUFBwEBBEIwQDA+BggrBgEFBQcw
+AYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBvbGljeS1pbnQtcGF0
+aC1lZS8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcw
+FYITZXYtdGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAGhjgde0w84T
+oegn3iGIIOB3q27pqH5nzwv4o5yThG0CmDRvTjBnK8yqlPdNvqx3YmnNh4aWlh94
+Z7XeFA5bPMQq2bCDdBD94g0j3hvBiNqy00Ou34uKm9tNFcQH6kecIjgrInpoxK84
+v2RJ9fjd79503cIuvSw9y3X63DnJn8+ml1Yjt5uO+URpZVDEjJB1mliG1NHdAZ3D
+qDM13f7pphIYggo+ZBlcOVEbh+uDu81gc/Y1JN1ZUOoKBWMx3TVFctYQ6f+uJcem
+xbYsnCK3FuCYTgf1zPye1gILCxvRfRiVw5ojnZ5daxPpfq9Ugv+T9DROuzZgHin1
+WYeP+oiXygI=
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec

@@ -0,0 +1,5 @@
+issuer:anyPolicy-int-path-int
+subject:anyPolicy-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com

security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQjCCAiygAwIBAgIUI4h7bIgXBroqPq3r8qcqzWTPiTwwCwYJKoZIhvcNAQEL
+MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
+MDAwMDAwWjAhMR8wHQYDVQQDDBZhbnlQb2xpY3ktaW50LXBhdGgtaW50MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+o4GBMH8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEEQzBB
+MD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9s
+aWN5LWludC1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsGCSqGSIb3DQEB
+CwOCAQEAaar6+lvsKAL6fuKS9b8HOSI1Q6c+7/PDAo+YPVsDyzg4OYpFHfrJqveK
+vmwWSnUngX/V702znW4woDu1ZjXLWpTG4xx87FU7b0BIrL7r1N1twAohOYFUMnjl
+TW7RMjTgMGIgxybQc3N0snwf2SJedUu78xekdLW1/jTiMuIEys/+44tqGzVsFu9j
+XrFxPxNBHVzR8UFGICREeE2nFeOnqj3uQPh1JJszKUlfXbYtjgPFKfbbsPzzGLJ3
+tLmzPZLSeEed/AYvegq00CybA5f6UDY1uMnECekHAWFzv/yhZZsL+hMSGXTctE7+
+C+WTNlFX41Gi6uvck6N8T3ABNVTk8A==
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec

@@ -0,0 +1,7 @@
+issuer:evroot
+subject:anyPolicy-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/
+extension:certificatePolicies:any

security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSDCCAjKgAwIBAgIUby+kueFNWXyfsUNUp9JXQ4u/CgYwCwYJKoZIhvcNAQEL
-MCUxIzAhBgNVBAMMGmludC1ldi12YWxpZC1hbnlwb2xpY3ktaW50MCIYDzIwMTQx
-MTI3MDAwMDAwWhgPMjAxNzAyMDQwMDAwMDBaMCExHzAdBgNVBAMMFmV2LXZhbGlk
-LWFueXBvbGljeS1pbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
-iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
-4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
-8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
-Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
-77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
-I/pyUcQx1QOs2hgKNe2NAgMBAAGjdDByME8GCCsGAQUFBwEBBEMwQTA/BggrBgEF
-BQcwAYYzaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2V2LXZhbGlkLWFueXBv
-bGljeS1pbnQvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMAsGCSqG
-SIb3DQEBCwOCAQEAV2WSrBkRIiml/Nc0WyZwX7MnHLwQe4V4z9mCXdBRwwgZv8Cd
-ALzlKgj3Uz18CVYh3ZH4XCIxxJRvLy4eBbGsWRuS5c4ZaAPoeIur8WVURscEGu2k
-FT2cM7eA38Z7f0WYnuGbTBZ+sN7Hsm7HpV1dpBuI7RaJ9hwAlcvmKvgHBLsJZbyd
-yW7Vpu7KJ0S2djFhBPqjZ7xsIHIfbHuaYBhuO3xlmmx0YbgCS9HGkmuA6RXsSqd1
-15Iu8mT0mpq/SqxLRXi79f+HWpPAP9ERkNF+Ea0zIkIsK8d5PSnQqIKj5QugXSBE
-44He3YH8teY36VHQqApV3VGZ5mtMwVLAjMF8rg==
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDHjCCAgigAwIBAgIUIWjgvey0rx7/CM8k0zC+FVdlHG0wCwYJKoZIhvcNAQEL
-MBcxFTATBgNVBAMMDGludC1ldi12YWxpZDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIw
-MTcwMjA0MDAwMDAwWjATMREwDwYDVQQDDAhldi12YWxpZDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
-bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
-OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
-uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
-t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
-NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNmMGQwQQYI
-KwYBBQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vd3d3LmV4YW1wbGUuY29t
-Ojg4ODgvZXYtdmFsaWQvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB
-MAsGCSqGSIb3DQEBCwOCAQEAAZ49c1ZNqOYEz0x2EzYaInvPcK2Fxbc8CjX71xIj
-ahLnIZ1cb/VIe88wvidZdQYQdRn0aTfc8Z7+P62XnPqM3nlF85b7g4H2yxJRq7or
-V1skztvKxm+YC/iY4ogsR8x24gdEn/IdwAdjtfZnI471A69CN3t0V6tmt26SNGix
-jNnabOus9JGfhii+qL8svIYR6T+Gmr2fDuQBEJtTpcHjLbrPAV4pOlFu3WmOsVsF
-9yaUy72WFBXg0kas+Tz1QvKWgi4XZ9640HoBVdmHGBnAiBjx62d4pxf4ttbrvh9r
-G26w6vWsfTKWDsoJKi1gYtf9hTcG04jrHg2EAx06+A0yFw==
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSzCCAjWgAwIBAgIUaYYtOBr1wZWTYvHqYsRinupYgT4wCwYJKoZIhvcNAQEL
-MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
-MDAwMDAwWjAlMSMwIQYDVQQDDBppbnQtZXYtdmFsaWQtYW55cG9saWN5LWludDCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
-PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
-HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
-Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
-EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
-lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
-AwEAAaOBhjCBgzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBTBggrBgEFBQcB
-AQRHMEUwQwYIKwYBBQUHMAGGN2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9p
-bnQtZXYtdmFsaWQtYW55cG9saWN5LWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsG
-CSqGSIb3DQEBCwOCAQEAqnqfTrqYSYeWWRX6GfGKkCVfmksgIA3OnvRD8gE895qU
-JS5Ke/3d/4+3beSlfNueL+JSriA+BqqlK6wrxI7xo7H4xjbUV/DrEXEfhUg052O1
-gC1oqObWsZenegoQBZ0mQUT0uqshj7IHWzED2GQZmjEt7F6Il5bjvy49OQ5A++/O
-m+YUr579TZ8r02WU0/+TNln6PnM+6uhoizF2bgh/fCcMlFqLUcJ4FNVi5CgT/oiR
-Wxv8FO2N3ijfQ1Qwnt2Ti0lGby//rrbdnE9tHJb22COxu8QuOi+z/meh4TL+UG3r
-HeCP5545zGOyBOzCrHNioeGVE13svKQFM4T+eguckQ==
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPTCCAiegAwIBAgIUJ6ZiwLEBBmRIxjG+KN4K/KQ+NKkwCwYJKoZIhvcNAQEL
-MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
-MDAwMDAwWjAXMRUwEwYDVQQDDAxpbnQtZXYtdmFsaWQwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
-e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
-KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
-YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
-lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
-HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgYYwgYMwDAYD
-VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUF
-BzABhilodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvaW50LWV2LXZhbGlkLzAf
-BgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATALBgkqhkiG9w0BAQsDggEB
-AHuI7ZqTAYzCj2QtErvEKbo16WctTXslepQmnD9hrAFNkhrT9ParJ+EViwaq8wXL
-RpBs4QNtH5j1lrlIIY3SEeGRvNv7pIC1vQoBa15ieg6IJOxs0Zq/TszAEcdIQSpr
-p1fcl/51kAoXoV74VBOer6dIqenuK043aa2aai58Jz/cMaWd7E55Ak+aU9pb+Mdc
-x6k9vV8sSfkpSR2Jmx5GEq5Sat8eJ7lib9/+wHGGCObUzxXnMJN50ZsR6R77DP/E
-+cafdtTxYgFTsPdA1OTBxUEbk2hx3c08T1kmPL+nmg3WoSu8fXuaZWzCBegDMFMI
-wgiVIyUZPm9H356bgW+nVeo=
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSjCCAjSgAwIBAgIUD22BRPEQk1ohdq0TWpDiC9DX0QgwCwYJKoZIhvcNAQEL
-MBgxFjAUBgNVBAMMDW5vbi1ldnJvb3QtY2EwIhgPMjAxNDExMjcwMDAwMDBaGA8y
-MDE3MDIwNDAwMDAwMFowGjEYMBYGA1UEAwwPaW50LW5vbi1ldi1yb290MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
-5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
-An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
-ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
-zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
-JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
-o4GJMIGGMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEgGCCsGAQUFBwEBBDww
-OjA4BggrBgEFBQcwAYYsaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2ludC1u
-b24tZXYtcm9vdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCwYJ
-KoZIhvcNAQELA4IBAQCNfizDGiKBxkquDAvy/RDTwOiYDliOvReGjlZOZrQBkf52
-xvfHAkl/m/GluDeCjHSSlGU/8cloXnyN6PRzRfxf46Lx+RuiStgDPS1OfqGw961l
-dV2xEa2g5SHkHS1aTnadO83GxkagYes6OEZbe7fexrOnPIhNx4Da9wfFyQBOi8/t
-4Y69eBk+cC5AaSBwHpf12TDc4NKvW2/Qtl1G8idn24OhPlucxBd/dPOxduztde5a
-bmvQW4m66HHjF5aIXaJn7I5+drY2vSIJz3Nry05pgrJapf7rOi0iKNrv5vKoAyi9
-IYeIPTOD377JbUBdSOt0yGV2yx5bkvWfMUET51i3
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/moz.build

@@ -6,15 +6,20 @@
 
 # Temporarily disabled. See bug 1256495.
 #test_certificates = (
-#    'ev-valid-anypolicy-int.pem',
-#    'ev-valid.pem',
+#    'anyPolicy-ee-path-ee.pem',
+#    'anyPolicy-ee-path-int.pem',
+#    'anyPolicy-int-path-ee.pem',
+#    'anyPolicy-int-path-int.pem',
 #    'evroot.pem',
-#    'int-ev-valid-anypolicy-int.pem',
-#    'int-ev-valid.pem',
-#    'int-non-ev-root.pem',
-#    'no-ocsp-url-cert.pem',
-#    'non-ev-root.pem',
+#    'no-ocsp-ee-path-ee.pem',
+#    'no-ocsp-ee-path-int.pem',
+#    'no-ocsp-int-path-ee.pem',
+#    'no-ocsp-int-path-int.pem',
+#    'non-ev-root-path-ee.pem',
+#    'non-ev-root-path-int.pem',
 #    'non-evroot-ca.pem',
+#    'test-oid-path-ee.pem',
+#    'test-oid-path-int.pem',
 #)
 #
 #for test_certificate in test_certificates:
@@ -22,7 +27,7 @@
 #
 #test_keys = (
 #    'evroot.key',
-#    'int-ev-valid.key',
+#    'test-oid-path-int.key',
 #)
 #
 #for test_key in test_keys:

security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDDCCAfagAwIBAgIUN1tZuouNywOlI92yfPVp0g1KyqswCwYJKoZIhvcNAQEL
+MB4xHDAaBgNVBAMME25vLW9jc3AtZWUtcGF0aC1pbnQwIhgPMjAxNDExMjcwMDAw
+MDBaGA8yMDE3MDIwNDAwMDAwMFowHTEbMBkGA1UEAwwSbm8tb2NzcC1lZS1wYXRo
+LWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABo0MwQTAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAe
+BgNVHREEFzAVghNldi10ZXN0LmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOCAQEA
+PIRn3vteO/sx0OrU73mnICPuA8sVwv+bC8LbVAV8hgboad6ypC6/i/l3KComDtgK
+NsbANmhq8gF3XpvHzxvlBqnjO9qaZnmV4ETJMlSISm8NaK6xFJvHxLrbpH82g7WH
+5eLUxDNvkXBDClcs5iwa5cDnRykdXFttmxN5riw+dAT7rCsrNQODnYvF6C5J9e/S
+I7wyDkbfAdEsioDBHC2xAjuxdKLJr7+YKAaxN54q0U5EZ8dIThuAGLxQK2hSAw8O
+e34OwOPK11tH3tsrbxXAlaykuFgEeJnBfurq3Ff2OO8WirQ8pFiqYxl93sLIPFd6
+nMpuKlS/wpXkZV+NwwwJaQ==
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec

@@ -0,0 +1,4 @@
+issuer:no-ocsp-ee-path-int
+subject:no-ocsp-ee-path-ee
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com

security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOzCCAiWgAwIBAgIUY7txKTVVTBc2roj9KXXVlQxF20YwCwYJKoZIhvcNAQEL
+MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
+MDAwMDAwWjAeMRwwGgYDVQQDDBNuby1vY3NwLWVlLXBhdGgtaW50MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo34w
+fDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBMBggrBgEFBQcBAQRAMD4wPAYI
+KwYBBQUHMAGGMGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9uby1vY3NwLWVl
+LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwCwYJKoZIhvcNAQELA4IBAQCE
+tGJOFahnFAubE9prxtKV5wEHxGhHWlwXC3lCFFeNMjZ0jOaMeI7JpeX18Nnzvy9u
+qNZfsvzUZk0fu22MDjwOSjJmZk3OI2B9Sc01gXU/IEQH7Jw3uy8NwVOGZctHjMyn
+MDIIaFcNDaAIQgjTRCLMyjrD0A86qSG795TQj6xjRuPy5NByLuT3We8cml3AJqy0
+F0dhLoeFbL5f4HN2xJFsb6UcTMb0bMAAtsvkIu3TTI01mu4ffiI6JVhWfraLLTig
+X30yMU8oJjeYGfcOyxrnvD/Y6MzIWQat97U8mRnuyfuISxilWvLeTJCasnpmnNWH
+wrWzbB62tJ1DJw3ngTGj
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec

@@ -0,0 +1,7 @@
+issuer:evroot
+subject:no-ocsp-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-ee-path-int/
+extension:certificatePolicies:any

security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXjCCAkigAwIBAgIUNQic6jgct61lYPUlwpd2hHK2YJMwCwYJKoZIhvcNAQEL
+MB8xHTAbBgNVBAMMFG5vLW9jc3AtaW50LXBhdGgtaW50MCIYDzIwMTQxMTI3MDAw
+MDAwWhgPMjAxNzAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME25vLW9jc3AtaW50LXBh
+dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjgZIwgY8wTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzABhjBo
+dHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvbm8tb2NzcC1pbnQtcGF0aC1lZS8w
+HwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYt
+dGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAH5n55Iw3ulJPDVG7pjY
+SZHl1wfxcr0mhJ8wSJtv+QwPJDc6dDEAyttdiwZPlTZ/zPAws7xChsYaSsPlHnUG
+QSMDpssbEa4HNz4z+dAMp8lcMO4mwJi8z/hoB+G4J/yW6zWJpIqENrgyZmS2w/zR
+4ztwIEgEOPH5wsglxhrSzwihYr6lk0LMaOPU+EQ9a+ohbAJeFF9mPyc8VtWOhsYY
+5o2eHCl9BgIJQ5zuqpul2Liv6lLQQLmu9Y40TPp30lWtUX4I1KechDaRySZDeScx
+dFvF87rn3X09R+KBDUxcQMxAuJG9lzgAegxSwsCwQduE03+Ba3zJCXoFUTo1CVuc
+zLc=
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec

@@ -1,4 +1,5 @@
-issuer:int-ev-valid-anypolicy-int
-subject:ev-valid-anypolicy-int
-extension:authorityInformationAccess:http://www.example.com:8888/ev-valid-anypolicy-int/
+issuer:no-ocsp-int-path-int
+subject:no-ocsp-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-int-path-ee/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com

security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7jCCAdigAwIBAgIUdXjljKCreZHFVnBN7VXrPJiBz8AwCwYJKoZIhvcNAQEL
+MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
+MDAwMDAwWjAfMR0wGwYDVQQDDBRuby1vY3NwLWludC1wYXRoLWludDCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMw
+MC4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
+MAsGCSqGSIb3DQEBCwOCAQEAkCLoPzlhyoE0haiNXg2V767zsoTJMxA4XDKh2Ndb
+oaMfxJdqit/4yQregeCMh+zbgOt5i7gs5OQ0JR3Mo3fZ6HYxNLukCmxKD7OjYRAp
+ZsUbXQAeuNN+0q49rB1Sf7/Huk0WLbS8fG/oAK7HUwpJBxfzgCPbLRYt0ZeXooD+
+glh+2nUmlMmmjWgzc3xbQ1K1shqWatDT49BPcBel/GHsfpyDuJzzAvop8itJY+I0
+rUfrA+kJzojBJOykoucNx2cYx/0NxT+Rv3jWL4Qp0YdjCa9huJzdAFv0q0Rk6IlJ
+ef+7wWlvP6YoDUgwT4H8JPq/vSfCsB5yXKz/Hu0Ykc+3hQ==
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec

@@ -0,0 +1,6 @@
+issuer:evroot
+subject:no-ocsp-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:certificatePolicies:any

security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC4zCCAc2gAwIBAgIUd5B8Tu9tyK8u9ciEb+vs5wAhPjcwCwYJKoZIhvcNAQEL
-MBcxFTATBgNVBAMMDGludC1ldi12YWxpZDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIw
-MTcwMjA0MDAwMDAwWjAbMRkwFwYDVQQDDBBuby1vY3NwLXVybC1jZXJ0MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
-5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
-An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
-ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
-zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
-JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
-oyMwITAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATALBgkqhkiG9w0B
-AQsDggEBAGD4KgUYaMaVoU2ioXkVXR99IrOz65d6DsI8JZHlI1/5fykVbzPq7gpI
-fHB2iIp5RzP/eDDZPyriJ7L2LEUIGC/yr68C96d5FqlpeTL9hgkWQaM2Z9hisgoe
-vk1uBsvZ6KmCQhG9TTCcEAQks7Qe9qDo3j3zk35795Q57w4xYYJZKiBtKFgMTtF2
-nkpoSTHQ8wmPgok0T7H4c3WxXwRz9Pxa+X63q5Whd8tDeHHp2o+Fm3HzW7aGTb1t
-F1UJQsF4hCEsnqhfbx2pEPUkYHjtLi2WXFT/AYDbYsqzly4PZhMOdNldJu/S3TS0
-wSsKiflXOecc1Voy2BHO3igasqYZ6Tk=
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem.certspec

@@ -1,3 +0,0 @@
-issuer:int-ev-valid
-subject:no-ocsp-url-cert
-extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1

security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXjCCAkigAwIBAgIUPx1bQ/YwNzxyiIIEYEoQjqZUmHUwCwYJKoZIhvcNAQEL
+MB8xHTAbBgNVBAMMFG5vbi1ldi1yb290LXBhdGgtaW50MCIYDzIwMTQxMTI3MDAw
+MDAwWhgPMjAxNzAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME25vbi1ldi1yb290LXBh
+dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjgZIwgY8wTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzABhjBo
+dHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvbm9uLWV2LXJvb3QtcGF0aC1lZS8w
+HwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYt
+dGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAIkYTJJR3JK3wbcNaBKL
+5R2qbPJLSJSP2ZbwyBF28HnzrOncI6elJFi9LxVwTDLKIchJolUqQmxLTbmuO/Y5
+hH9VXBKmct1PbWuDuH2ASFXVTvf3FREg+qHH9/s+GGnIxTSleS0lj2RsHdrC9Q8O
+ChtSg1Fcuz6ZDMEQgpc52tGaTmB2Q/ZHFV6dIdcZtwxH0AqSy1aX432MAjyaEg6G
+dFX4ObU/JWOPk8qz+Mw/q0d8b4U6OP7uP2buURYR60KFJx1Iqfcwu2bWl0VdaHrQ
+1xU1SGViOHaCZMTXrV8l3cvAGbpnFXTp6MAdiTMc8+44M9/SOQVmqWVwULpCtNNv
+e5M=
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec

@@ -1,4 +1,5 @@
-issuer:int-ev-valid
-subject:ev-valid
-extension:authorityInformationAccess:http://www.example.com:8888/ev-valid/
+issuer:non-ev-root-path-int
+subject:non-ev-root-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-ee/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com

security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRDCCAi6gAwIBAgIUe8flRD9fpbyM3B5myFA50T3jScUwCwYJKoZIhvcNAQEL
+MBgxFjAUBgNVBAMMDW5vbi1ldnJvb3QtY2EwIhgPMjAxNDExMjcwMDAwMDBaGA8y
+MDE3MDIwNDAwMDAwMFowHzEdMBsGA1UEAwwUbm9uLWV2LXJvb3QtcGF0aC1pbnQw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjfzB9MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME0GCCsGAQUFBwEB
+BEEwPzA9BggrBgEFBQcwAYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L25v
+bi1ldi1yb290LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwCwYJKoZIhvcN
+AQELA4IBAQCw1nYDX13O3uLXnQBJ5aM8/x6IM1tzVd6UWqgtbLDiTDqmQIRw52jz
+n+Fl/feTEjYn2/GF++LgKS031wXSjbAs2EIe3QtKQZfpMo+XtJzYtOmkQ6dzM5PV
+GsV5PJG/JvUgC4X/FpSFNbh+5jNEuU8nZatrhqlVShTVmFCHC8bpcQhZlyt3uwY2
+Vd7x2qSem5XCPP+7Hmvt6jlP0ZO1oTyqfMf1K7Q1m+r97pmHj3xkhYQKTBkiwRMJ
++pwIkbvYJONIR30V2tg3bZuJwzwt9R4f4dl2J03UQkg1ge2eJUF9d3odaWmLma7N
+nuwrO2Y0DpQv3HqvZZOOYX8chPO8IIVe
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec

@@ -1,6 +1,6 @@
 issuer:non-evroot-ca
-subject:int-non-ev-root
+subject:non-ev-root-path-int
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/int-non-ev-root/
-extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-int/
+extension:certificatePolicies:any

security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDJzCCAhGgAwIBAgIULwMSM80UKgeh7YdspJB7dG8Yn3owCwYJKoZIhvcNAQEL
-MBoxGDAWBgNVBAMMD2ludC1ub24tZXYtcm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoY
-DzIwMTcwMjA0MDAwMDAwWjAWMRQwEgYDVQQDDAtub24tZXYtcm9vdDCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
-SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
-zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
-K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
-bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
-JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNp
-MGcwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vd3d3LmV4YW1w
-bGUuY29tOjg4ODgvbm9uLWV2LXJvb3QvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUa
-hRqFGgGDdAkBMAsGCSqGSIb3DQEBCwOCAQEAAtXIU+ufmDNCqfjUZiJ+9nHcE14I
-t158M0bTBeAsmwtenY9WsBz2Svd3JJ4k8/0OjIfS44o9XPnGvAT/KmHKcTjmTkHR
-vixUvEa3923AsJzoGzxQcF2BtyQufGWBW8/Oq5d6G5ISB/C4VA3Ez8j7o+OE+6bp
-ID60osGbUJsQ/mknXxj0MsZoeuz3upbdTDe49jNYPkyyJqKnctOacq3PIs1Ai10A
-iMgKtn0e5wEEUCouKwuKXxK1kFIrxDiiKLWEhgBKTPxDf8E+ZuJbp+nZo3TDfI1j
-rQDQsbH6cao5EzrVe/weHRYDQMJ1tk17RXrW+PPsgWYia8Mi11qbI9w+1Q==
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVTCCAj+gAwIBAgIULwfe1XYxIxI1GOvu3ZnTqxvVOYYwCwYJKoZIhvcNAQEL
+MBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MCIYDzIwMTQxMTI3MDAwMDAw
+WhgPMjAxNzAyMDQwMDAwMDBaMBsxGTAXBgNVBAMMEHRlc3Qtb2lkLXBhdGgtZWUw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjgY8wgYwwSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzABhi1odHRwOi8v
+d3d3LmV4YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtcGF0aC1lZS8wHwYDVR0gBBgw
+FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt
+cGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAGBM93ylo+yXjVAr7GHY2/Suvddfd47X
+i+0qQc5Aif2f5okWm7k8BaLdhQYMcLo/D/AZzKcPvO5wUFdiInHPF069ebu8s6qL
+qZ7ybJK7AR/UfkS4Yn+gTdvPUxasFCtorT3tx8aws3Y9NBK0YV2IImgC+wS2Qe37
+XBUF+526UjJ/ooInFnW6Ukf8rdhxMpSOAXzblJCfHMnnkg36m5zSWNH83oTWEGwe
+tWolqulTICNpRA4rqwO7i2BRHkgQrq9lhQS3/rCyGYgeqware7QPSj5S4WXBLM3p
+a7je/NteBTOUVsfngQSz5ETVu3Bj7mgJYmtkCC5ZRVfQmjWsfPyqslE=
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec

@@ -1,4 +1,5 @@
-issuer:int-non-ev-root
-subject:non-ev-root
-extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root/
+issuer:test-oid-path-int
+subject:test-oid-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com

security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRzCCAjGgAwIBAgIUXX3/aud0LGpAvxl0RGcu8j7gbsAwCwYJKoZIhvcNAQEL
+MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
+MDAwMDAwWjAcMRowGAYDVQQDDBF0ZXN0LW9pZC1wYXRoLWludDCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBizCB
+iDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBKBggrBgEFBQcBAQQ+MDwwOgYI
+KwYBBQUHMAGGLmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LW9pZC1w
+YXRoLWludC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCwYJKoZI
+hvcNAQELA4IBAQBonq8E1t3lQQAdEimupSIEFehQNe5wE69Hj9O941yTTIYZazR/
+kgKiFb4daLhvmeay1WxKq2D4SabCyvQpkU2acUunOolNcUUYwzqjeOr3OB369vvy
+13vshQs6PL9y5sTNEFCt8xYeBgiMoUKrelLe9iql4h/jyqOBYAuk8hQzztaW986p
+q8mF0V59hT3EZNEGdHf2LcPBlR24i7mdA45mWHQ+v5zySVptxJG9xi5bv2PoT3i3
+HUcBfOERE+6d14OZmMsDcmv3G6JRtbAow0ZKbi7UXemrHk0Xszb570gEvii2PKyD
+mQbrJ3k0g8SGTK+mWEYtpowoPVWMa3Do/KpO
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec

@@ -1,7 +1,7 @@
 issuer:evroot
-subject:int-ev-valid
+subject:test-oid-path-int
 issuerKey:ev
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid/
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-int/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1

security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js

@@ -41,7 +41,7 @@ function testOff() {
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = getFailingOCSPResponder();
-    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                   false);
     ocspResponder.stop(run_next_test);
   });
@@ -50,7 +50,7 @@ function testOff() {
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = getFailingOCSPResponder();
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                           PRErrorCodeSuccess, certificateUsageSSLServer);
     ocspResponder.stop(run_next_test);
   });
@@ -69,9 +69,9 @@ function testOn() {
   add_test(() => {
     clearOCSPCache();
     let ocspResponder =
-      getOCSPResponder(gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                   : ["ev-valid"]);
-    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+      getOCSPResponder(gEVExpected ? ["test-oid-path-int", "test-oid-path-ee"]
+                                   : ["test-oid-path-ee"]);
+    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                   gEVExpected);
     ocspResponder.stop(run_next_test);
   });
@@ -80,8 +80,8 @@ function testOn() {
   // successfully.
   add_test(() => {
     clearOCSPCache();
-    let ocspResponder = getOCSPResponder(["non-ev-root"]);
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+    let ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                           PRErrorCodeSuccess, certificateUsageSSLServer);
     ocspResponder.stop(run_next_test);
   });
@@ -100,9 +100,9 @@ function testEVOnly() {
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = gEVExpected
-                      ? getOCSPResponder(["int-ev-valid", "ev-valid"])
+                      ? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])
                       : getFailingOCSPResponder();
-    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                   gEVExpected);
     ocspResponder.stop(run_next_test);
   });
@@ -111,7 +111,7 @@ function testEVOnly() {
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = getFailingOCSPResponder();
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                           PRErrorCodeSuccess, certificateUsageSSLServer);
     ocspResponder.stop(run_next_test);
   });
@@ -129,9 +129,9 @@ function run_test() {
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   loadCert("evroot", "CTu,,");
-  loadCert("int-ev-valid", ",,");
+  loadCert("test-oid-path-int", ",,");
   loadCert("non-evroot-ca", "CTu,,");
-  loadCert("int-non-ev-root", ",,");
+  loadCert("non-ev-root-path-int", ",,");
 
   testOff();
   testOn();