зеркало из https://github.com/mozilla/gecko-dev.git
bug 1290613 - test_ev_certs.js cleanup r=Cykesiopka,mgoodwin
MozReview-Commit-ID: KcCV161J3qV --HG-- rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec rename : security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem => security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem rename : security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec rename : security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem rename : security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec rename : security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem rename : security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem rename : security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec rename : 
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key.keyspec => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem rename : security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem.certspec => security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec extra : rebase_source : 4a84a44616a396ae484550fcfcaf0df5e533dd51
Родитель
dcd144713e
Коммит
abc60241f8
|
@ -1523,7 +1523,6 @@ VerifyCertAtTime(nsIX509Cert* aCert,
|
||||||
}
|
}
|
||||||
*_retval = 0;
|
*_retval = 0;
|
||||||
} else {
|
} else {
|
||||||
NS_ENSURE_TRUE(evOidPolicy == SEC_OID_UNKNOWN, NS_ERROR_FAILURE);
|
|
||||||
NS_ENSURE_TRUE(error != 0, NS_ERROR_FAILURE);
|
NS_ENSURE_TRUE(error != 0, NS_ERROR_FAILURE);
|
||||||
*_retval = error;
|
*_retval = error;
|
||||||
}
|
}
|
||||||
|
|
|
@ -563,6 +563,10 @@ function getFailingHttpServer(serverPort, serverIdentities) {
|
||||||
// expectedCertNames is an array of nicks of the certs to be responsed
|
// expectedCertNames is an array of nicks of the certs to be responsed
|
||||||
// expectedBasePaths is an optional array that is used to indicate
|
// expectedBasePaths is an optional array that is used to indicate
|
||||||
// what is the expected base path of the OCSP request.
|
// what is the expected base path of the OCSP request.
|
||||||
|
// expectedMethods is an optional array of methods ("GET" or "POST") indicating
|
||||||
|
// by which HTTP method the server is expected to be queried.
|
||||||
|
// expectedResponseTypes is an optional array of OCSP response types to use (see
|
||||||
|
// GenerateOCSPResponse.cpp).
|
||||||
function startOCSPResponder(serverPort, identity, nssDBLocation,
|
function startOCSPResponder(serverPort, identity, nssDBLocation,
|
||||||
expectedCertNames, expectedBasePaths,
|
expectedCertNames, expectedBasePaths,
|
||||||
expectedMethods, expectedResponseTypes) {
|
expectedMethods, expectedResponseTypes) {
|
||||||
|
|
|
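Review bot: The two added comment blocks above `startOCSPResponder` say that `expectedMethods` and `expectedResponseTypes` are optional arrays, but not how their entries line up with `expectedCertNames` or what the responder does when one is omitted. The test changes further down this page pass `null` for the methods and a response-type array that is sliced to match the request list, so callers depend on both behaviours. I would add a line such as `// Entries in the optional arrays correspond by index to expectedCertNames.` and one sentence naming the method and response type used when an array is null or undefined. The function body is outside this hunk, so the defaults need to be confirmed there before they are written down. While the comment is being touched, "responsed" in the first context line could become "responded to".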
@ -5,31 +5,39 @@
|
||||||
|
|
||||||
"use strict";
|
"use strict";
|
||||||
|
|
||||||
|
// Tests that end-entity certificates that should successfully verify as EV
|
||||||
|
// (Extended Validation) do so and that end-entity certificates that should not
|
||||||
|
// successfully verify as EV do not. Also tests related situations (e.g. that
|
||||||
|
// failure to fetch an OCSP response results in no EV treatment).
|
||||||
|
//
|
||||||
|
// A quick note about the certificates in these tests: generally, an EV
|
||||||
|
// certificate chain will have an end-entity with a specific policy OID followed
|
||||||
|
// by an intermediate with the anyPolicy OID chaining to a root with no policy
|
||||||
|
// OID (since it's a trust anchor, it can be omitted). In these tests, the
|
||||||
|
// specific policy OID is 1.3.6.1.4.1.13769.666.666.666.1.500.9.1 and is
|
||||||
|
// referred to as the test OID. In order to reflect what will commonly be
|
||||||
|
// encountered, the end-entity of any given test path will have the test OID
|
||||||
|
// unless otherwise specified in the name of the test path. Similarly, the
|
||||||
|
// intermediate will have the anyPolicy OID, again unless otherwise specified.
|
||||||
|
// For example, for the path where the end-entity does not have an OCSP URI
|
||||||
|
// (referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID
|
||||||
|
// whereas the intermediate has the anyPolicy OID.
|
||||||
|
// For another example, for the test OID path ("test-oid-path-{ee,int}"), both
|
||||||
|
// the end-entity and the intermediate have the test OID.
|
||||||
|
|
||||||
do_get_profile(); // must be called before getting nsIX509CertDB
|
do_get_profile(); // must be called before getting nsIX509CertDB
|
||||||
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
|
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
|
||||||
.getService(Ci.nsIX509CertDB);
|
.getService(Ci.nsIX509CertDB);
|
||||||
|
|
||||||
const evrootnick = "evroot";
|
do_register_cleanup(() => {
|
||||||
|
Services.prefs.clearUserPref("network.dns.localDomains");
|
||||||
|
Services.prefs.clearUserPref("security.OCSP.enabled");
|
||||||
|
});
|
||||||
|
|
||||||
// This is the list of certificates needed for the test
|
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
|
||||||
// The certificates prefixed by 'int-' are intermediates
|
Services.prefs.setIntPref("security.OCSP.enabled", 1);
|
||||||
var certList = [
|
addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,");
|
||||||
// Test for successful EV validation
|
addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,");
|
||||||
'int-ev-valid',
|
|
||||||
'ev-valid',
|
|
||||||
'ev-valid-anypolicy-int',
|
|
||||||
'int-ev-valid-anypolicy-int',
|
|
||||||
'no-ocsp-url-cert', // a cert signed by the EV auth that has no OCSP url
|
|
||||||
// but that contains a valid CRLDP.
|
|
||||||
|
|
||||||
// Testing a root that looks like EV but is not EV enabled
|
|
||||||
'int-non-ev-root',
|
|
||||||
'non-ev-root',
|
|
||||||
];
|
|
||||||
|
|
||||||
function load_ca(ca_name) {
|
|
||||||
addCertFromFile(certdb, `test_ev_certs/${ca_name}.pem`, "CTu,CTu,CTu");
|
|
||||||
}
|
|
||||||
|
|
||||||
const SERVER_PORT = 8888;
|
const SERVER_PORT = 8888;
|
||||||
|
|
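Review bot: The new header comment leaves a parenthesis open in `(referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID`; it should read `(referred to as "no-ocsp-ee-path-{ee,int}"), the end-entity has the test OID`. The comment explains only two path names, while the tasks added later in this file also use `anyPolicy-ee-path`, `non-ev-root-path` and `no-ocsp-int-path`, so one sentence giving the general naming rule (which certificate in the path deviates, and how) would cover them all. Separately, the `do_register_cleanup` callback resets only the two prefs set in this hunk, whereas the OneCRL prefs set further down are cleared inline at the end of their task. A task that stops early would leave those set, so listing them in the cleanup callback as well would be more robust. The file's changes continue past the end of this view, so the last point should be checked against the full file.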
||||||
|
@ -37,302 +45,294 @@ function failingOCSPResponder() {
|
||||||
return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
|
return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
|
||||||
}
|
}
|
||||||
|
|
||||||
function start_ocsp_responder(expectedCertNames) {
|
class EVCertVerificationResult {
|
||||||
let expectedPaths = expectedCertNames.slice();
|
constructor(testcase, expectedPRErrorCode, expectedEV, resolve,
|
||||||
return startOCSPResponder(SERVER_PORT, "www.example.com", "test_ev_certs",
|
ocspResponder) {
|
||||||
expectedCertNames, expectedPaths);
|
this.testcase = testcase;
|
||||||
}
|
this.expectedPRErrorCode = expectedPRErrorCode;
|
||||||
|
this.expectedEV = expectedEV;
|
||||||
function check_cert_err(cert_name, expected_error) {
|
this.resolve = resolve;
|
||||||
let cert = certdb.findCertByNickname(cert_name);
|
this.ocspResponder = ocspResponder;
|
||||||
checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function check_ee_for_ev(cert_name, expected_ev) {
|
|
||||||
let cert = certdb.findCertByNickname(cert_name);
|
|
||||||
checkEVStatus(certdb, cert, certificateUsageSSLServer, expected_ev);
|
|
||||||
}
|
|
||||||
|
|
||||||
function run_test() {
|
|
||||||
for (let i = 0 ; i < certList.length; i++) {
|
|
||||||
let cert_filename = certList[i] + ".pem";
|
|
||||||
addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
|
|
||||||
}
|
}
|
||||||
load_ca("evroot");
|
|
||||||
load_ca("non-evroot-ca");
|
|
||||||
|
|
||||||
// setup and start ocsp responder
|
verifyCertFinished(prErrorCode, verifiedChain, hasEVPolicy) {
|
||||||
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
|
equal(prErrorCode, this.expectedPRErrorCode,
|
||||||
Services.prefs.setIntPref("security.OCSP.enabled", 1);
|
`${this.testcase} should have expected error code`);
|
||||||
|
equal(hasEVPolicy, this.expectedEV,
|
||||||
|
`${this.testcase} should result in expected EV status`);
|
||||||
|
this.ocspResponder.stop(this.resolve);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
add_test(function () {
|
function asyncTestEV(cert, expectedPRErrorCode, expectedEV,
|
||||||
clearOCSPCache();
|
expectedOCSPRequestPaths, ocspResponseTypes = undefined)
|
||||||
let ocspResponder = start_ocsp_responder(
|
{
|
||||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
let now = Date.now() / 1000;
|
||||||
: ["ev-valid"]);
|
return new Promise((resolve, reject) => {
|
||||||
check_ee_for_ev("ev-valid", gEVExpected);
|
let ocspResponder = expectedOCSPRequestPaths.length > 0
|
||||||
ocspResponder.stop(run_next_test);
|
? startOCSPResponder(SERVER_PORT, "www.example.com",
|
||||||
|
"test_ev_certs",
|
||||||
|
expectedOCSPRequestPaths,
|
||||||
|
expectedOCSPRequestPaths.slice(),
|
||||||
|
null, ocspResponseTypes)
|
||||||
|
: failingOCSPResponder();
|
||||||
|
let result = new EVCertVerificationResult(cert.subjectName,
|
||||||
|
expectedPRErrorCode, expectedEV,
|
||||||
|
resolve, ocspResponder);
|
||||||
|
certdb.asyncVerifyCertAtTime(cert, certificateUsageSSLServer, 0,
|
||||||
|
"ev-test.example.com", now, result);
|
||||||
});
|
});
|
||||||
|
}
|
||||||
|
|
||||||
add_test(function () {
|
function ensureVerifiesAsEV(testcase) {
|
||||||
clearOCSPCache();
|
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||||
|
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||||
|
let expectedOCSPRequestPaths = gEVExpected
|
||||||
|
? [ `${testcase}-int`, `${testcase}-ee` ]
|
||||||
|
: [ `${testcase}-ee` ];
|
||||||
|
return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected,
|
||||||
|
expectedOCSPRequestPaths);
|
||||||
|
}
|
||||||
|
|
||||||
let ocspResponder = start_ocsp_responder(
|
function ensureVerifiesAsEVWithNoOCSPRequests(testcase) {
|
||||||
gEVExpected ? ["int-ev-valid-anypolicy-int", "ev-valid-anypolicy-int"]
|
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||||
: ["ev-valid-anypolicy-int"]);
|
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||||
check_ee_for_ev("ev-valid-anypolicy-int", gEVExpected);
|
return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected, []);
|
||||||
ocspResponder.stop(run_next_test);
|
}
|
||||||
});
|
|
||||||
|
|
||||||
add_test(function() {
|
function ensureVerifiesAsDV(testcase, expectedOCSPRequestPaths = undefined) {
|
||||||
clearOCSPCache();
|
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||||
let ocspResponder = start_ocsp_responder(["non-ev-root"]);
|
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||||
check_ee_for_ev("non-ev-root", false);
|
return asyncTestEV(cert, PRErrorCodeSuccess, false,
|
||||||
ocspResponder.stop(run_next_test);
|
expectedOCSPRequestPaths ? expectedOCSPRequestPaths
|
||||||
});
|
: [ `${testcase}-ee` ]);
|
||||||
|
}
|
||||||
|
|
||||||
add_test(function() {
|
function ensureVerificationFails(testcase, expectedPRErrorCode) {
|
||||||
clearOCSPCache();
|
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||||
let ocspResponder = gEVExpected ? start_ocsp_responder(["int-ev-valid"])
|
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||||
: failingOCSPResponder();
|
return asyncTestEV(cert, expectedPRErrorCode, false, []);
|
||||||
check_ee_for_ev("no-ocsp-url-cert", false);
|
}
|
||||||
ocspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
|
|
||||||
// bug 917380: Check that explicitly removing trust from an EV root actually
|
function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) {
|
||||||
// causes the root to be untrusted.
|
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||||
const nsIX509Cert = Ci.nsIX509Cert;
|
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||||
add_test(function() {
|
let now = Date.now() / 1000;
|
||||||
let evRootCA = certdb.findCertByNickname(evrootnick);
|
let expectedErrorCode = SEC_ERROR_POLICY_VALIDATION_FAILED;
|
||||||
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
|
if (expectSuccess && gEVExpected) {
|
||||||
|
expectedErrorCode = PRErrorCodeSuccess;
|
||||||
clearOCSPCache();
|
}
|
||||||
|
return new Promise((resolve, reject) => {
|
||||||
let ocspResponder = failingOCSPResponder();
|
let ocspResponder = failingOCSPResponder();
|
||||||
check_cert_err("ev-valid", SEC_ERROR_UNKNOWN_ISSUER);
|
let result = new EVCertVerificationResult(
|
||||||
ocspResponder.stop(run_next_test);
|
cert.subjectName, expectedErrorCode, expectSuccess && gEVExpected,
|
||||||
|
resolve, ocspResponder);
|
||||||
|
let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
|
||||||
|
Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
|
||||||
|
certdb.asyncVerifyCertAtTime(cert, certificateUsageSSLServer, flags,
|
||||||
|
"ev-test.example.com", now, result);
|
||||||
});
|
});
|
||||||
|
|
||||||
// bug 917380: Check that a trusted EV root is trusted after disabling and
|
|
||||||
// re-enabling trust.
|
|
||||||
add_test(function() {
|
|
||||||
let evRootCA = certdb.findCertByNickname(evrootnick);
|
|
||||||
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
|
|
||||||
Ci.nsIX509CertDB.TRUSTED_SSL |
|
|
||||||
Ci.nsIX509CertDB.TRUSTED_EMAIL |
|
|
||||||
Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
|
|
||||||
|
|
||||||
clearOCSPCache();
|
|
||||||
let ocspResponder = start_ocsp_responder(
|
|
||||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
|
||||||
: ["ev-valid"]);
|
|
||||||
check_ee_for_ev("ev-valid", gEVExpected);
|
|
||||||
ocspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
|
|
||||||
add_test(function () {
|
|
||||||
check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED);
|
|
||||||
});
|
|
||||||
|
|
||||||
add_test(function () {
|
|
||||||
check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
|
|
||||||
});
|
|
||||||
|
|
||||||
add_test(function () {
|
|
||||||
check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
|
|
||||||
});
|
|
||||||
|
|
||||||
// Check OneCRL OCSP request skipping works correctly
|
|
||||||
add_test(function () {
|
|
||||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
|
||||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
|
|
||||||
// set the blocklist-background-update-timer value to the recent past
|
|
||||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
|
||||||
Math.floor(Date.now() / 1000) - 1);
|
|
||||||
Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
|
|
||||||
Math.floor(Date.now() / 1000) - 1);
|
|
||||||
clearOCSPCache();
|
|
||||||
// the intermediate should not have an associated OCSP request
|
|
||||||
let ocspResponder = start_ocsp_responder(["ev-valid"]);
|
|
||||||
check_ee_for_ev("ev-valid", gEVExpected);
|
|
||||||
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
|
|
||||||
ocspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
|
|
||||||
add_test(function () {
|
|
||||||
// disable OneCRL OCSP Skipping (no staleness allowed)
|
|
||||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
|
|
||||||
clearOCSPCache();
|
|
||||||
let ocspResponder = start_ocsp_responder(
|
|
||||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
|
||||||
: ["ev-valid"]);
|
|
||||||
check_ee_for_ev("ev-valid", gEVExpected);
|
|
||||||
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
|
|
||||||
ocspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
|
|
||||||
add_test(function () {
|
|
||||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
|
||||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
|
|
||||||
// set the blocklist-background-update-timer value to the more distant past
|
|
||||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
|
||||||
Math.floor(Date.now() / 1000) - 108080);
|
|
||||||
Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
|
|
||||||
Math.floor(Date.now() / 1000) - 108080);
|
|
||||||
clearOCSPCache();
|
|
||||||
let ocspResponder = start_ocsp_responder(
|
|
||||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
|
||||||
: ["ev-valid"]);
|
|
||||||
check_ee_for_ev("ev-valid", gEVExpected);
|
|
||||||
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
|
|
||||||
ocspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
|
|
||||||
add_test(function () {
|
|
||||||
// test that setting "security.onecrl.via.amo" results in the correct
|
|
||||||
// OCSP behavior when services.blocklist.onecrl.checked is in the distant past
|
|
||||||
// and blacklist-background-update-timer is recent
|
|
||||||
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
|
|
||||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
|
||||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
|
|
||||||
// set the blocklist-background-update-timer value to the recent past
|
|
||||||
// (services.blocklist.onecrl.checked defaults to 0)
|
|
||||||
Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
|
|
||||||
Math.floor(Date.now() / 1000) - 1);
|
|
||||||
clearOCSPCache();
|
|
||||||
// the intermediate should have an associated OCSP request
|
|
||||||
let ocspResponder = start_ocsp_responder(
|
|
||||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
|
||||||
: ["ev-valid"]);
|
|
||||||
check_ee_for_ev("ev-valid", gEVExpected);
|
|
||||||
ocspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
|
|
||||||
add_test(function () {
|
|
||||||
// test that setting "security.onecrl.via.amo" results in the correct
|
|
||||||
// OCSP behavior when services.blocklist.onecrl.checked is recent
|
|
||||||
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
|
|
||||||
|
|
||||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
|
||||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
|
|
||||||
|
|
||||||
// now set services.blocklist.onecrl.checked to a recent value
|
|
||||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
|
||||||
Math.floor(Date.now() / 1000) - 1);
|
|
||||||
|
|
||||||
clearOCSPCache();
|
|
||||||
// the intermediate should not have an associated OCSP request
|
|
||||||
let ocspResponder = start_ocsp_responder(["ev-valid"]);
|
|
||||||
check_ee_for_ev("ev-valid", gEVExpected);
|
|
||||||
// The tests following this assume no OCSP bypass
|
|
||||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
|
|
||||||
Services.prefs.clearUserPref("security.onecrl.via.amo");
|
|
||||||
Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
|
|
||||||
ocspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
|
|
||||||
// Test the EV continues to work with flags after successful EV verification
|
|
||||||
add_test(function () {
|
|
||||||
clearOCSPCache();
|
|
||||||
let ocspResponder = start_ocsp_responder(
|
|
||||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
|
||||||
: ["ev-valid"]);
|
|
||||||
check_ee_for_ev("ev-valid", gEVExpected);
|
|
||||||
ocspResponder.stop(function () {
|
|
||||||
// without net it must be able to EV verify
|
|
||||||
let failingOcspResponder = failingOCSPResponder();
|
|
||||||
let cert = certdb.findCertByNickname("ev-valid");
|
|
||||||
let hasEVPolicy = {};
|
|
||||||
let verifiedChain = {};
|
|
||||||
let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
|
|
||||||
Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
|
|
||||||
|
|
||||||
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags,
|
|
||||||
null, verifiedChain, hasEVPolicy);
|
|
||||||
equal(hasEVPolicy.value, gEVExpected,
|
|
||||||
"Actual and expected EV status should match for local only EV");
|
|
||||||
equal(error,
|
|
||||||
gEVExpected ? PRErrorCodeSuccess : SEC_ERROR_POLICY_VALIDATION_FAILED,
|
|
||||||
"Actual and expected error code should match for local only EV");
|
|
||||||
failingOcspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
// Bug 991815 old but valid intermediates are OK
|
|
||||||
add_test(function () {
|
|
||||||
clearOCSPCache();
|
|
||||||
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
|
|
||||||
"test_ev_certs",
|
|
||||||
gEVExpected ? ["int-ev-valid", "ev-valid"]
|
|
||||||
: ["ev-valid"],
|
|
||||||
[], [],
|
|
||||||
gEVExpected ? ["longvalidityalmostold", "good"]
|
|
||||||
: ["good"]);
|
|
||||||
check_ee_for_ev("ev-valid", gEVExpected);
|
|
||||||
ocspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
|
|
||||||
// Bug 991815 old but valid end-entities are NOT OK for EV
|
|
||||||
// Unfortunately because of soft-fail we consider these OK for DV.
|
|
||||||
add_test(function () {
|
|
||||||
clearOCSPCache();
|
|
||||||
// Since Mozilla::pkix does not consider the old almost invalid OCSP
|
|
||||||
// response valid, it does not cache the old response and thus
|
|
||||||
// makes a separate request for DV
|
|
||||||
let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
|
|
||||||
let debugResponseArray = ["good", "longvalidityalmostold",
|
|
||||||
"longvalidityalmostold"];
|
|
||||||
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
|
|
||||||
"test_ev_certs",
|
|
||||||
gEVExpected ? debugCertNickArray : ["ev-valid"],
|
|
||||||
[], [],
|
|
||||||
gEVExpected ? debugResponseArray
|
|
||||||
: ["longvalidityalmostold"]);
|
|
||||||
check_ee_for_ev("ev-valid", false);
|
|
||||||
ocspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
|
|
||||||
// Bug 991815 Valid but Ancient (almost two year old) responses are Not OK for
|
|
||||||
// EV (still OK for soft fail DV)
|
|
||||||
add_test(function () {
|
|
||||||
clearOCSPCache();
|
|
||||||
let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
|
|
||||||
let debugResponseArray = ["good", "ancientstillvalid",
|
|
||||||
"ancientstillvalid"];
|
|
||||||
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
|
|
||||||
"test_ev_certs",
|
|
||||||
gEVExpected ? debugCertNickArray : ["ev-valid"],
|
|
||||||
[], [],
|
|
||||||
gEVExpected ? debugResponseArray
|
|
||||||
: ["ancientstillvalid"]);
|
|
||||||
check_ee_for_ev("ev-valid", false);
|
|
||||||
ocspResponder.stop(run_next_test);
|
|
||||||
});
|
|
||||||
|
|
||||||
run_next_test();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
|
function ensureNoOCSPMeansNoEV(testcase) {
|
||||||
// to prevent spurious OCSP requests that race with OCSP stapling.
|
return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, false);
|
||||||
// This has the side-effect of saying an EV certificate is not EV if
|
}
|
||||||
// it hasn't already been verified (e.g. on the verification thread when
|
|
||||||
// connecting to a site).
|
function ensureVerifiesAsEVWithFLAG_LOCAL_ONLY(testcase) {
|
||||||
// This flag is mostly a hack that should be removed once FLAG_LOCAL_ONLY
|
return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, true);
|
||||||
// works as intended.
|
}
|
||||||
function check_no_ocsp_requests(cert_name, expected_error) {
|
|
||||||
|
function ensureOneCRLSkipsOCSPForIntermediates(testcase) {
|
||||||
|
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||||
|
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||||
|
return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected,
|
||||||
|
[ `${testcase}-ee` ]);
|
||||||
|
}
|
||||||
|
|
||||||
|
function verifyWithDifferentOCSPResponseTypes(testcase, responses, expectEV) {
|
||||||
|
let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
|
||||||
|
addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
|
||||||
|
let expectedOCSPRequestPaths = gEVExpected
|
||||||
|
? [ `${testcase}-int`, `${testcase}-ee` ]
|
||||||
|
: [ `${testcase}-ee` ];
|
||||||
|
let ocspResponseTypes = gEVExpected ? responses : responses.slice(1);
|
||||||
|
return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected && expectEV,
|
||||||
|
expectedOCSPRequestPaths, ocspResponseTypes);
|
||||||
|
}
|
||||||
|
|
||||||
|
function ensureVerifiesAsEVWithOldIntermediateOCSPResponse(testcase) {
|
||||||
|
return verifyWithDifferentOCSPResponseTypes(
|
||||||
|
testcase, [ "longvalidityalmostold", "good" ], true);
|
||||||
|
}
|
||||||
|
|
||||||
|
function ensureVerifiesAsDVWithOldEndEntityOCSPResponse(testcase) {
|
||||||
|
return verifyWithDifferentOCSPResponseTypes(
|
||||||
|
testcase, [ "good", "longvalidityalmostold" ], false);
|
||||||
|
}
|
||||||
|
|
||||||
|
function ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(testcase) {
|
||||||
|
return verifyWithDifferentOCSPResponseTypes(
|
||||||
|
testcase, [ "good", "ancientstillvalid" ], false);
|
||||||
|
}
|
||||||
|
|
||||||
|
// These should all verify as EV.
|
||||||
|
add_task(function* plainExpectSuccessEVTests() {
|
||||||
|
yield ensureVerifiesAsEV("anyPolicy-int-path");
|
||||||
|
yield ensureVerifiesAsEV("test-oid-path");
|
||||||
|
});
|
||||||
|
|
||||||
|
// These fail for various reasons to verify as EV, but fallback to DV should
|
||||||
|
// succeed.
|
||||||
|
add_task(function* expectDVFallbackTests() {
|
||||||
|
yield ensureVerifiesAsDV("anyPolicy-ee-path");
|
||||||
|
yield ensureVerifiesAsDV("non-ev-root-path");
|
||||||
|
yield ensureVerifiesAsDV("no-ocsp-ee-path",
|
||||||
|
gEVExpected ? [ "no-ocsp-ee-path-int" ] : []);
|
||||||
|
yield ensureVerifiesAsDV("no-ocsp-int-path");
|
||||||
|
});
|
||||||
|
|
||||||
|
// Test that removing the trust bits from an EV root causes verifications
|
||||||
|
// relying on that root to fail (and then test that adding back the trust bits
|
||||||
|
// causes the verifications to succeed again).
|
||||||
|
add_task(function* evRootTrustTests() {
|
||||||
clearOCSPCache();
|
clearOCSPCache();
|
||||||
let ocspResponder = failingOCSPResponder();
|
let evroot = certdb.findCertByNickname("evroot");
|
||||||
let cert = certdb.findCertByNickname(cert_name);
|
do_print("untrusting evroot");
|
||||||
let hasEVPolicy = {};
|
certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
|
||||||
let verifiedChain = {};
|
Ci.nsIX509CertDB.UNTRUSTED);
|
||||||
let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
|
yield ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER);
|
||||||
Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
|
do_print("re-trusting evroot");
|
||||||
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags,
|
certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
|
||||||
null, verifiedChain, hasEVPolicy);
|
Ci.nsIX509CertDB.TRUSTED_SSL);
|
||||||
// Since we're not doing OCSP requests, no certificate will be EV.
|
yield ensureVerifiesAsEV("test-oid-path");
|
||||||
equal(hasEVPolicy.value, false,
|
});
|
||||||
"EV status should be false when not doing OCSP requests");
|
|
||||||
equal(error, expected_error,
|
// Test that if FLAG_LOCAL_ONLY and FLAG_MUST_BE_EV are specified, that no OCSP
|
||||||
"Actual and expected error should match when not doing OCSP requests");
|
// requests are made (this also means that nothing will verify as EV).
|
||||||
ocspResponder.stop(run_next_test);
|
add_task(function* localOnlyMustBeEVTests() {
|
||||||
}
|
clearOCSPCache();
|
||||||
|
yield ensureNoOCSPMeansNoEV("anyPolicy-ee-path");
|
||||||
|
yield ensureNoOCSPMeansNoEV("anyPolicy-int-path");
|
||||||
|
yield ensureNoOCSPMeansNoEV("non-ev-root-path");
|
||||||
|
yield ensureNoOCSPMeansNoEV("no-ocsp-ee-path");
|
||||||
|
yield ensureNoOCSPMeansNoEV("no-ocsp-int-path");
|
||||||
|
yield ensureNoOCSPMeansNoEV("test-oid-path");
|
||||||
|
});
|
||||||
|
|
||||||
|
|
||||||
|
// Under certain conditions, OneCRL allows us to skip OCSP requests for
|
||||||
|
// intermediates.
|
||||||
|
add_task(function* oneCRLTests() {
|
||||||
|
clearOCSPCache();
|
||||||
|
|
||||||
|
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||||
|
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||||
|
108000);
|
||||||
|
// set the blocklist-background-update-timer value to the recent past
|
||||||
|
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||||
|
Math.floor(Date.now() / 1000) - 1);
|
||||||
|
Services.prefs.setIntPref(
|
||||||
|
"app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||||
|
Math.floor(Date.now() / 1000) - 1);
|
||||||
|
|
||||||
|
yield ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
|
||||||
|
yield ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
|
||||||
|
yield ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
|
||||||
|
|
||||||
|
clearOCSPCache();
|
||||||
|
// disable OneCRL OCSP Skipping (no staleness allowed)
|
||||||
|
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
|
||||||
|
yield ensureVerifiesAsEV("anyPolicy-int-path");
|
||||||
|
// Because the intermediate in this case is missing an OCSP URI, it will not
|
||||||
|
// validate as EV, but it should fall back to DV.
|
||||||
|
yield ensureVerifiesAsDV("no-ocsp-int-path");
|
||||||
|
yield ensureVerifiesAsEV("test-oid-path");
|
||||||
|
|
||||||
|
clearOCSPCache();
|
||||||
|
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||||
|
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||||
|
108000);
|
||||||
|
// set the blocklist-background-update-timer value to the more distant past
|
||||||
|
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||||
|
Math.floor(Date.now() / 1000) - 108080);
|
||||||
|
Services.prefs.setIntPref(
|
||||||
|
"app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||||
|
Math.floor(Date.now() / 1000) - 108080);
|
||||||
|
yield ensureVerifiesAsEV("anyPolicy-int-path");
|
||||||
|
yield ensureVerifiesAsDV("no-ocsp-int-path");
|
||||||
|
yield ensureVerifiesAsEV("test-oid-path");
|
||||||
|
|
||||||
|
clearOCSPCache();
|
||||||
|
// test that setting "security.onecrl.via.amo" results in the correct
|
||||||
|
// OCSP behavior when services.blocklist.onecrl.checked is in the distant past
|
||||||
|
// and blacklist-background-update-timer is recent
|
||||||
|
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
|
||||||
|
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||||
|
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||||
|
108000);
|
||||||
|
// set the blocklist-background-update-timer value to the recent past
|
||||||
|
// (services.blocklist.onecrl.checked defaults to 0)
|
||||||
|
Services.prefs.setIntPref(
|
||||||
|
"app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||||
|
Math.floor(Date.now() / 1000) - 1);
|
||||||
|
|
||||||
|
yield ensureVerifiesAsEV("anyPolicy-int-path");
|
||||||
|
yield ensureVerifiesAsDV("no-ocsp-int-path");
|
||||||
|
yield ensureVerifiesAsEV("test-oid-path");
|
||||||
|
|
||||||
|
clearOCSPCache();
|
||||||
|
// test that setting "security.onecrl.via.amo" results in the correct
|
||||||
|
// OCSP behavior when services.blocklist.onecrl.checked is recent
|
||||||
|
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
|
||||||
|
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||||
|
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||||
|
108000);
|
||||||
|
// now set services.blocklist.onecrl.checked to a recent value
|
||||||
|
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||||
|
Math.floor(Date.now() / 1000) - 1);
|
||||||
|
yield ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
|
||||||
|
yield ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
|
||||||
|
yield ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
|
||||||
|
|
||||||
|
Services.prefs.clearUserPref("security.onecrl.via.amo");
|
||||||
|
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
|
||||||
|
Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
|
||||||
|
Services.prefs.clearUserPref(
|
||||||
|
"app.update.lastUpdateTime.blocklist-background-update-timer");
|
||||||
|
});
|
||||||
|
|
||||||
|
// Prime the OCSP cache and then ensure that we can validate certificates as EV
|
||||||
|
// without hitting the network. There's two cases here: one where we simply
|
||||||
|
// validate like normal and then check that the network was never accessed and
|
||||||
|
// another where we use flags to mandate that the network not be used.
|
||||||
|
add_task(function* ocspCachingTests() {
|
||||||
|
clearOCSPCache();
|
||||||
|
|
||||||
|
yield ensureVerifiesAsEV("anyPolicy-int-path");
|
||||||
|
yield ensureVerifiesAsEV("test-oid-path");
|
||||||
|
|
||||||
|
yield ensureVerifiesAsEVWithNoOCSPRequests("anyPolicy-int-path");
|
||||||
|
yield ensureVerifiesAsEVWithNoOCSPRequests("test-oid-path");
|
||||||
|
|
||||||
|
yield ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("anyPolicy-int-path");
|
||||||
|
yield ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("test-oid-path");
|
||||||
|
});
|
||||||
|
|
||||||
|
// Old-but-still-valid OCSP responses are accepted for intermediates but not
|
||||||
|
// end-entity certificates (because of OCSP soft-fail this results in DV
|
||||||
|
// fallback).
|
||||||
|
add_task(function* oldOCSPResponseTests() {
|
||||||
|
clearOCSPCache();
|
||||||
|
|
||||||
|
yield ensureVerifiesAsEVWithOldIntermediateOCSPResponse("anyPolicy-int-path");
|
||||||
|
yield ensureVerifiesAsEVWithOldIntermediateOCSPResponse("test-oid-path");
|
||||||
|
|
||||||
|
clearOCSPCache();
|
||||||
|
yield ensureVerifiesAsDVWithOldEndEntityOCSPResponse("anyPolicy-int-path");
|
||||||
|
yield ensureVerifiesAsDVWithOldEndEntityOCSPResponse("test-oid-path");
|
||||||
|
|
||||||
|
clearOCSPCache();
|
||||||
|
yield ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(
|
||||||
|
"anyPolicy-int-path");
|
||||||
|
yield ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse("test-oid-path");
|
||||||
|
});
|
||||||
|
|
|
@ -0,0 +1,20 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDUzCCAj2gAwIBAgIUE20vV8zM9OXxDcXIQL8GFm0SKrgwCwYJKoZIhvcNAQEL
|
||||||
|
MCAxHjAcBgNVBAMMFWFueVBvbGljeS1lZS1wYXRoLWludDAiGA8yMDE0MTEyNzAw
|
||||||
|
MDAwMFoYDzIwMTcwMjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRhbnlQb2xpY3ktZWUt
|
||||||
|
cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
|
||||||
|
Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
|
||||||
|
cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
|
||||||
|
AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
|
||||||
|
ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
|
||||||
|
s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
|
||||||
|
A6zaGAo17Y0CAwEAAaOBhTCBgjBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGG
|
||||||
|
MWh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQb2xpY3ktZWUtcGF0aC1l
|
||||||
|
ZS8wEQYDVR0gBAowCDAGBgRVHSAAMB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhhbXBs
|
||||||
|
ZS5jb20wCwYJKoZIhvcNAQELA4IBAQAiyZHRImgu1XH/X6KY6duEjEP8hPvIc+Vw
|
||||||
|
Vyej3Aaa9NjWpDrO0eCm+08msuiOOYdnTvfudbyDorWY6D8jbTy3re6MLaY+GFY7
|
||||||
|
9E18zdDk4t4Ssg1O1ous7MGfKKygNQ0eTB4aJH83jWjfpmNTvXggkA7Zp1SfOVv+
|
||||||
|
2OMv066Vwewafrr1pgKl8IuSdTjCpaqCMzZDZf4cwL9tdadF1k9NqjInrinlUI+9
|
||||||
|
nbb0WLL3fttvFGsee370t9Q+GRNd1S8nGuxpcXq4Yo51MDRk+HwjPPSBowfg+Tki
|
||||||
|
Pk6RSND8FSjn22A+JUNT8u6MnNUOj4wh0N8RzEEQEW6GADH5hZdS
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
||||||
|
issuer:anyPolicy-ee-path-int
|
||||||
|
subject:anyPolicy-ee-path-ee
|
||||||
|
extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-ee/
|
||||||
|
extension:certificatePolicies:any
|
||||||
|
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,20 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDQDCCAiqgAwIBAgIUI2XRNlfIQthAhAOq8dL98Ifp8wMwCwYJKoZIhvcNAQEL
|
||||||
|
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||||
|
MDAwMDAwWjAgMR4wHAYDVQQDDBVhbnlQb2xpY3ktZWUtcGF0aC1pbnQwggEiMA0G
|
||||||
|
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
|
||||||
|
NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
|
||||||
|
fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
|
||||||
|
CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
|
||||||
|
HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
|
||||||
|
1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
|
||||||
|
gYAwfjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBOBggrBgEFBQcBAQRCMEAw
|
||||||
|
PgYIKwYBBQUHMAGGMmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQb2xp
|
||||||
|
Y3ktZWUtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADALBgkqhkiG9w0BAQsD
|
||||||
|
ggEBAG8A4LEmQDAvr6U+NShqPkyxi9d+kMGSHaKV75bJJgbtAkb5ZWG0LQdi4IxV
|
||||||
|
MR/IE73jWJSUCEaIUsYjXVsQE+7CJLLUVCt7w3zRf7EoQV2hDp2+WCME6/q0L0HK
|
||||||
|
EdK9DAe7UegvxLLSKS12rq/LhNB+XUYTFqQFfmSYSbNqNqzyDgqipPcicBs1RPlO
|
||||||
|
HlKISVlKH4uV5FXaGb9FVZAP9J80YI5iHH7fCkJloMKEghnnqA79/Np0eDXt3JzJ
|
||||||
|
O+x+I/DiUveAMlz5q72ou3pIOATsgOXRBs7neYgTR9hQ8q3jexidTIWwOuUjzDpt
|
||||||
|
BhxQXS5JZ/owc3H0NJ33helcoXE=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,7 +1,7 @@
|
||||||
issuer:evroot
|
issuer:evroot
|
||||||
subject:int-ev-valid-anypolicy-int
|
subject:anyPolicy-ee-path-int
|
||||||
issuerKey:ev
|
issuerKey:ev
|
||||||
extension:basicConstraints:cA,
|
extension:basicConstraints:cA,
|
||||||
extension:keyUsage:cRLSign,keyCertSign
|
extension:keyUsage:cRLSign,keyCertSign
|
||||||
extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid-anypolicy-int/
|
extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-int/
|
||||||
extension:certificatePolicies:any
|
extension:certificatePolicies:any
|
|
@ -0,0 +1,21 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDZDCCAk6gAwIBAgIURy0a2jqjnawhuv+eW/eeWdMx8MkwCwYJKoZIhvcNAQEL
|
||||||
|
MCExHzAdBgNVBAMMFmFueVBvbGljeS1pbnQtcGF0aC1pbnQwIhgPMjAxNDExMjcw
|
||||||
|
MDAwMDBaGA8yMDE3MDIwNDAwMDAwMFowIDEeMBwGA1UEAwwVYW55UG9saWN5LWlu
|
||||||
|
dC1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
|
||||||
|
FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
|
||||||
|
amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
|
||||||
|
sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
|
||||||
|
VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
|
||||||
|
aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
|
||||||
|
MdUDrNoYCjXtjQIDAQABo4GUMIGRME4GCCsGAQUFBwEBBEIwQDA+BggrBgEFBQcw
|
||||||
|
AYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBvbGljeS1pbnQtcGF0
|
||||||
|
aC1lZS8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcw
|
||||||
|
FYITZXYtdGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAGhjgde0w84T
|
||||||
|
oegn3iGIIOB3q27pqH5nzwv4o5yThG0CmDRvTjBnK8yqlPdNvqx3YmnNh4aWlh94
|
||||||
|
Z7XeFA5bPMQq2bCDdBD94g0j3hvBiNqy00Ou34uKm9tNFcQH6kecIjgrInpoxK84
|
||||||
|
v2RJ9fjd79503cIuvSw9y3X63DnJn8+ml1Yjt5uO+URpZVDEjJB1mliG1NHdAZ3D
|
||||||
|
qDM13f7pphIYggo+ZBlcOVEbh+uDu81gc/Y1JN1ZUOoKBWMx3TVFctYQ6f+uJcem
|
||||||
|
xbYsnCK3FuCYTgf1zPye1gILCxvRfRiVw5ojnZ5daxPpfq9Ugv+T9DROuzZgHin1
|
||||||
|
WYeP+oiXygI=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
||||||
|
issuer:anyPolicy-int-path-int
|
||||||
|
subject:anyPolicy-int-path-ee
|
||||||
|
extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-ee/
|
||||||
|
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||||
|
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,20 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDQjCCAiygAwIBAgIUI4h7bIgXBroqPq3r8qcqzWTPiTwwCwYJKoZIhvcNAQEL
|
||||||
|
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||||
|
MDAwMDAwWjAhMR8wHQYDVQQDDBZhbnlQb2xpY3ktaW50LXBhdGgtaW50MIIBIjAN
|
||||||
|
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
|
||||||
|
5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
|
||||||
|
An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
|
||||||
|
ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
|
||||||
|
zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
|
||||||
|
JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
|
||||||
|
o4GBMH8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEEQzBB
|
||||||
|
MD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9s
|
||||||
|
aWN5LWludC1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsGCSqGSIb3DQEB
|
||||||
|
CwOCAQEAaar6+lvsKAL6fuKS9b8HOSI1Q6c+7/PDAo+YPVsDyzg4OYpFHfrJqveK
|
||||||
|
vmwWSnUngX/V702znW4woDu1ZjXLWpTG4xx87FU7b0BIrL7r1N1twAohOYFUMnjl
|
||||||
|
TW7RMjTgMGIgxybQc3N0snwf2SJedUu78xekdLW1/jTiMuIEys/+44tqGzVsFu9j
|
||||||
|
XrFxPxNBHVzR8UFGICREeE2nFeOnqj3uQPh1JJszKUlfXbYtjgPFKfbbsPzzGLJ3
|
||||||
|
tLmzPZLSeEed/AYvegq00CybA5f6UDY1uMnECekHAWFzv/yhZZsL+hMSGXTctE7+
|
||||||
|
C+WTNlFX41Gi6uvck6N8T3ABNVTk8A==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,7 @@
|
||||||
|
issuer:evroot
|
||||||
|
subject:anyPolicy-int-path-int
|
||||||
|
issuerKey:ev
|
||||||
|
extension:basicConstraints:cA,
|
||||||
|
extension:keyUsage:cRLSign,keyCertSign
|
||||||
|
extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/
|
||||||
|
extension:certificatePolicies:any
|
|
@ -1,20 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDSDCCAjKgAwIBAgIUby+kueFNWXyfsUNUp9JXQ4u/CgYwCwYJKoZIhvcNAQEL
|
|
||||||
MCUxIzAhBgNVBAMMGmludC1ldi12YWxpZC1hbnlwb2xpY3ktaW50MCIYDzIwMTQx
|
|
||||||
MTI3MDAwMDAwWhgPMjAxNzAyMDQwMDAwMDBaMCExHzAdBgNVBAMMFmV2LXZhbGlk
|
|
||||||
LWFueXBvbGljeS1pbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
|
|
||||||
iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
|
|
||||||
4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
|
|
||||||
8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
|
|
||||||
Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
|
|
||||||
77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
|
|
||||||
I/pyUcQx1QOs2hgKNe2NAgMBAAGjdDByME8GCCsGAQUFBwEBBEMwQTA/BggrBgEF
|
|
||||||
BQcwAYYzaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2V2LXZhbGlkLWFueXBv
|
|
||||||
bGljeS1pbnQvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMAsGCSqG
|
|
||||||
SIb3DQEBCwOCAQEAV2WSrBkRIiml/Nc0WyZwX7MnHLwQe4V4z9mCXdBRwwgZv8Cd
|
|
||||||
ALzlKgj3Uz18CVYh3ZH4XCIxxJRvLy4eBbGsWRuS5c4ZaAPoeIur8WVURscEGu2k
|
|
||||||
FT2cM7eA38Z7f0WYnuGbTBZ+sN7Hsm7HpV1dpBuI7RaJ9hwAlcvmKvgHBLsJZbyd
|
|
||||||
yW7Vpu7KJ0S2djFhBPqjZ7xsIHIfbHuaYBhuO3xlmmx0YbgCS9HGkmuA6RXsSqd1
|
|
||||||
15Iu8mT0mpq/SqxLRXi79f+HWpPAP9ERkNF+Ea0zIkIsK8d5PSnQqIKj5QugXSBE
|
|
||||||
44He3YH8teY36VHQqApV3VGZ5mtMwVLAjMF8rg==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,19 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDHjCCAgigAwIBAgIUIWjgvey0rx7/CM8k0zC+FVdlHG0wCwYJKoZIhvcNAQEL
|
|
||||||
MBcxFTATBgNVBAMMDGludC1ldi12YWxpZDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIw
|
|
||||||
MTcwMjA0MDAwMDAwWjATMREwDwYDVQQDDAhldi12YWxpZDCCASIwDQYJKoZIhvcN
|
|
||||||
AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
|
|
||||||
bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
|
|
||||||
OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
|
|
||||||
uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
|
|
||||||
t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
|
|
||||||
NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNmMGQwQQYI
|
|
||||||
KwYBBQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vd3d3LmV4YW1wbGUuY29t
|
|
||||||
Ojg4ODgvZXYtdmFsaWQvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB
|
|
||||||
MAsGCSqGSIb3DQEBCwOCAQEAAZ49c1ZNqOYEz0x2EzYaInvPcK2Fxbc8CjX71xIj
|
|
||||||
ahLnIZ1cb/VIe88wvidZdQYQdRn0aTfc8Z7+P62XnPqM3nlF85b7g4H2yxJRq7or
|
|
||||||
V1skztvKxm+YC/iY4ogsR8x24gdEn/IdwAdjtfZnI471A69CN3t0V6tmt26SNGix
|
|
||||||
jNnabOus9JGfhii+qL8svIYR6T+Gmr2fDuQBEJtTpcHjLbrPAV4pOlFu3WmOsVsF
|
|
||||||
9yaUy72WFBXg0kas+Tz1QvKWgi4XZ9640HoBVdmHGBnAiBjx62d4pxf4ttbrvh9r
|
|
||||||
G26w6vWsfTKWDsoJKi1gYtf9hTcG04jrHg2EAx06+A0yFw==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,20 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDSzCCAjWgAwIBAgIUaYYtOBr1wZWTYvHqYsRinupYgT4wCwYJKoZIhvcNAQEL
|
|
||||||
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
|
||||||
MDAwMDAwWjAlMSMwIQYDVQQDDBppbnQtZXYtdmFsaWQtYW55cG9saWN5LWludDCC
|
|
||||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
|
|
||||||
PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
|
|
||||||
HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
|
|
||||||
Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
|
|
||||||
EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
|
|
||||||
lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
|
|
||||||
AwEAAaOBhjCBgzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBTBggrBgEFBQcB
|
|
||||||
AQRHMEUwQwYIKwYBBQUHMAGGN2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9p
|
|
||||||
bnQtZXYtdmFsaWQtYW55cG9saWN5LWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsG
|
|
||||||
CSqGSIb3DQEBCwOCAQEAqnqfTrqYSYeWWRX6GfGKkCVfmksgIA3OnvRD8gE895qU
|
|
||||||
JS5Ke/3d/4+3beSlfNueL+JSriA+BqqlK6wrxI7xo7H4xjbUV/DrEXEfhUg052O1
|
|
||||||
gC1oqObWsZenegoQBZ0mQUT0uqshj7IHWzED2GQZmjEt7F6Il5bjvy49OQ5A++/O
|
|
||||||
m+YUr579TZ8r02WU0/+TNln6PnM+6uhoizF2bgh/fCcMlFqLUcJ4FNVi5CgT/oiR
|
|
||||||
Wxv8FO2N3ijfQ1Qwnt2Ti0lGby//rrbdnE9tHJb22COxu8QuOi+z/meh4TL+UG3r
|
|
||||||
HeCP5545zGOyBOzCrHNioeGVE13svKQFM4T+eguckQ==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,20 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDPTCCAiegAwIBAgIUJ6ZiwLEBBmRIxjG+KN4K/KQ+NKkwCwYJKoZIhvcNAQEL
|
|
||||||
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
|
||||||
MDAwMDAwWjAXMRUwEwYDVQQDDAxpbnQtZXYtdmFsaWQwggEiMA0GCSqGSIb3DQEB
|
|
||||||
AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
|
|
||||||
e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
|
|
||||||
KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
|
|
||||||
YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
|
|
||||||
lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
|
|
||||||
HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgYYwgYMwDAYD
|
|
||||||
VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUF
|
|
||||||
BzABhilodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvaW50LWV2LXZhbGlkLzAf
|
|
||||||
BgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATALBgkqhkiG9w0BAQsDggEB
|
|
||||||
AHuI7ZqTAYzCj2QtErvEKbo16WctTXslepQmnD9hrAFNkhrT9ParJ+EViwaq8wXL
|
|
||||||
RpBs4QNtH5j1lrlIIY3SEeGRvNv7pIC1vQoBa15ieg6IJOxs0Zq/TszAEcdIQSpr
|
|
||||||
p1fcl/51kAoXoV74VBOer6dIqenuK043aa2aai58Jz/cMaWd7E55Ak+aU9pb+Mdc
|
|
||||||
x6k9vV8sSfkpSR2Jmx5GEq5Sat8eJ7lib9/+wHGGCObUzxXnMJN50ZsR6R77DP/E
|
|
||||||
+cafdtTxYgFTsPdA1OTBxUEbk2hx3c08T1kmPL+nmg3WoSu8fXuaZWzCBegDMFMI
|
|
||||||
wgiVIyUZPm9H356bgW+nVeo=
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,20 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDSjCCAjSgAwIBAgIUD22BRPEQk1ohdq0TWpDiC9DX0QgwCwYJKoZIhvcNAQEL
|
|
||||||
MBgxFjAUBgNVBAMMDW5vbi1ldnJvb3QtY2EwIhgPMjAxNDExMjcwMDAwMDBaGA8y
|
|
||||||
MDE3MDIwNDAwMDAwMFowGjEYMBYGA1UEAwwPaW50LW5vbi1ldi1yb290MIIBIjAN
|
|
||||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
|
|
||||||
5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
|
|
||||||
An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
|
|
||||||
ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
|
|
||||||
zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
|
|
||||||
JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
|
|
||||||
o4GJMIGGMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEgGCCsGAQUFBwEBBDww
|
|
||||||
OjA4BggrBgEFBQcwAYYsaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2ludC1u
|
|
||||||
b24tZXYtcm9vdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCwYJ
|
|
||||||
KoZIhvcNAQELA4IBAQCNfizDGiKBxkquDAvy/RDTwOiYDliOvReGjlZOZrQBkf52
|
|
||||||
xvfHAkl/m/GluDeCjHSSlGU/8cloXnyN6PRzRfxf46Lx+RuiStgDPS1OfqGw961l
|
|
||||||
dV2xEa2g5SHkHS1aTnadO83GxkagYes6OEZbe7fexrOnPIhNx4Da9wfFyQBOi8/t
|
|
||||||
4Y69eBk+cC5AaSBwHpf12TDc4NKvW2/Qtl1G8idn24OhPlucxBd/dPOxduztde5a
|
|
||||||
bmvQW4m66HHjF5aIXaJn7I5+drY2vSIJz3Nry05pgrJapf7rOi0iKNrv5vKoAyi9
|
|
||||||
IYeIPTOD377JbUBdSOt0yGV2yx5bkvWfMUET51i3
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -6,15 +6,20 @@
|
||||||
|
|
||||||
# Temporarily disabled. See bug 1256495.
|
# Temporarily disabled. See bug 1256495.
|
||||||
#test_certificates = (
|
#test_certificates = (
|
||||||
# 'ev-valid-anypolicy-int.pem',
|
# 'anyPolicy-ee-path-ee.pem',
|
||||||
# 'ev-valid.pem',
|
# 'anyPolicy-ee-path-int.pem',
|
||||||
|
# 'anyPolicy-int-path-ee.pem',
|
||||||
|
# 'anyPolicy-int-path-int.pem',
|
||||||
# 'evroot.pem',
|
# 'evroot.pem',
|
||||||
# 'int-ev-valid-anypolicy-int.pem',
|
# 'no-ocsp-ee-path-ee.pem',
|
||||||
# 'int-ev-valid.pem',
|
# 'no-ocsp-ee-path-int.pem',
|
||||||
# 'int-non-ev-root.pem',
|
# 'no-ocsp-int-path-ee.pem',
|
||||||
# 'no-ocsp-url-cert.pem',
|
# 'no-ocsp-int-path-int.pem',
|
||||||
# 'non-ev-root.pem',
|
# 'non-ev-root-path-ee.pem',
|
||||||
|
# 'non-ev-root-path-int.pem',
|
||||||
# 'non-evroot-ca.pem',
|
# 'non-evroot-ca.pem',
|
||||||
|
# 'test-oid-path-ee.pem',
|
||||||
|
# 'test-oid-path-int.pem',
|
||||||
#)
|
#)
|
||||||
#
|
#
|
||||||
#for test_certificate in test_certificates:
|
#for test_certificate in test_certificates:
|
||||||
|
@ -22,7 +27,7 @@
|
||||||
#
|
#
|
||||||
#test_keys = (
|
#test_keys = (
|
||||||
# 'evroot.key',
|
# 'evroot.key',
|
||||||
# 'int-ev-valid.key',
|
# 'test-oid-path-int.key',
|
||||||
#)
|
#)
|
||||||
#
|
#
|
||||||
#for test_key in test_keys:
|
#for test_key in test_keys:
|
||||||
|
|
|
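Review bot: The generation loop under `#test_certificates = (` stays commented out, so the `.pem` files added in this commit are loaded by the test as checked in, with a frozen validity window. The base64 in the new PEMs appears to decode to notBefore `20141127000000Z` and notAfter `20170204000000Z`. Unless the test pins its verification time (not visible in this part of the page), the EV and DV expectations would start failing after that date for a reason unrelated to policy or OCSP handling. I would add a line under the existing bug reference, such as `# Checked-in .pem files carry a fixed notAfter; refresh them from the .certspec files before it passes.`, so the deadline is visible where the list is maintained.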
@ -0,0 +1,19 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDDDCCAfagAwIBAgIUN1tZuouNywOlI92yfPVp0g1KyqswCwYJKoZIhvcNAQEL
|
||||||
|
MB4xHDAaBgNVBAMME25vLW9jc3AtZWUtcGF0aC1pbnQwIhgPMjAxNDExMjcwMDAw
|
||||||
|
MDBaGA8yMDE3MDIwNDAwMDAwMFowHTEbMBkGA1UEAwwSbm8tb2NzcC1lZS1wYXRo
|
||||||
|
LWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
|
||||||
|
iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
|
||||||
|
WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
|
||||||
|
Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
|
||||||
|
ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
|
||||||
|
b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
|
||||||
|
CjXtjQIDAQABo0MwQTAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAe
|
||||||
|
BgNVHREEFzAVghNldi10ZXN0LmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOCAQEA
|
||||||
|
PIRn3vteO/sx0OrU73mnICPuA8sVwv+bC8LbVAV8hgboad6ypC6/i/l3KComDtgK
|
||||||
|
NsbANmhq8gF3XpvHzxvlBqnjO9qaZnmV4ETJMlSISm8NaK6xFJvHxLrbpH82g7WH
|
||||||
|
5eLUxDNvkXBDClcs5iwa5cDnRykdXFttmxN5riw+dAT7rCsrNQODnYvF6C5J9e/S
|
||||||
|
I7wyDkbfAdEsioDBHC2xAjuxdKLJr7+YKAaxN54q0U5EZ8dIThuAGLxQK2hSAw8O
|
||||||
|
e34OwOPK11tH3tsrbxXAlaykuFgEeJnBfurq3Ff2OO8WirQ8pFiqYxl93sLIPFd6
|
||||||
|
nMpuKlS/wpXkZV+NwwwJaQ==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,4 @@
|
||||||
|
issuer:no-ocsp-ee-path-int
|
||||||
|
subject:no-ocsp-ee-path-ee
|
||||||
|
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||||
|
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,20 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDOzCCAiWgAwIBAgIUY7txKTVVTBc2roj9KXXVlQxF20YwCwYJKoZIhvcNAQEL
|
||||||
|
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||||
|
MDAwMDAwWjAeMRwwGgYDVQQDDBNuby1vY3NwLWVlLXBhdGgtaW50MIIBIjANBgkq
|
||||||
|
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
|
||||||
|
tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
|
||||||
|
Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
|
||||||
|
sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
|
||||||
|
l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
|
||||||
|
nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo34w
|
||||||
|
fDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBMBggrBgEFBQcBAQRAMD4wPAYI
|
||||||
|
KwYBBQUHMAGGMGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9uby1vY3NwLWVl
|
||||||
|
LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwCwYJKoZIhvcNAQELA4IBAQCE
|
||||||
|
tGJOFahnFAubE9prxtKV5wEHxGhHWlwXC3lCFFeNMjZ0jOaMeI7JpeX18Nnzvy9u
|
||||||
|
qNZfsvzUZk0fu22MDjwOSjJmZk3OI2B9Sc01gXU/IEQH7Jw3uy8NwVOGZctHjMyn
|
||||||
|
MDIIaFcNDaAIQgjTRCLMyjrD0A86qSG795TQj6xjRuPy5NByLuT3We8cml3AJqy0
|
||||||
|
F0dhLoeFbL5f4HN2xJFsb6UcTMb0bMAAtsvkIu3TTI01mu4ffiI6JVhWfraLLTig
|
||||||
|
X30yMU8oJjeYGfcOyxrnvD/Y6MzIWQat97U8mRnuyfuISxilWvLeTJCasnpmnNWH
|
||||||
|
wrWzbB62tJ1DJw3ngTGj
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,7 @@
|
||||||
|
issuer:evroot
|
||||||
|
subject:no-ocsp-ee-path-int
|
||||||
|
issuerKey:ev
|
||||||
|
extension:basicConstraints:cA,
|
||||||
|
extension:keyUsage:cRLSign,keyCertSign
|
||||||
|
extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-ee-path-int/
|
||||||
|
extension:certificatePolicies:any
|
|
@ -0,0 +1,21 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDXjCCAkigAwIBAgIUNQic6jgct61lYPUlwpd2hHK2YJMwCwYJKoZIhvcNAQEL
|
||||||
|
MB8xHTAbBgNVBAMMFG5vLW9jc3AtaW50LXBhdGgtaW50MCIYDzIwMTQxMTI3MDAw
|
||||||
|
MDAwWhgPMjAxNzAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME25vLW9jc3AtaW50LXBh
|
||||||
|
dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
|
||||||
|
braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
|
||||||
|
eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
|
||||||
|
iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
|
||||||
|
qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
|
||||||
|
LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
|
||||||
|
2hgKNe2NAgMBAAGjgZIwgY8wTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzABhjBo
|
||||||
|
dHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvbm8tb2NzcC1pbnQtcGF0aC1lZS8w
|
||||||
|
HwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYt
|
||||||
|
dGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAH5n55Iw3ulJPDVG7pjY
|
||||||
|
SZHl1wfxcr0mhJ8wSJtv+QwPJDc6dDEAyttdiwZPlTZ/zPAws7xChsYaSsPlHnUG
|
||||||
|
QSMDpssbEa4HNz4z+dAMp8lcMO4mwJi8z/hoB+G4J/yW6zWJpIqENrgyZmS2w/zR
|
||||||
|
4ztwIEgEOPH5wsglxhrSzwihYr6lk0LMaOPU+EQ9a+ohbAJeFF9mPyc8VtWOhsYY
|
||||||
|
5o2eHCl9BgIJQ5zuqpul2Liv6lLQQLmu9Y40TPp30lWtUX4I1KechDaRySZDeScx
|
||||||
|
dFvF87rn3X09R+KBDUxcQMxAuJG9lzgAegxSwsCwQduE03+Ba3zJCXoFUTo1CVuc
|
||||||
|
zLc=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,4 +1,5 @@
|
||||||
issuer:int-ev-valid-anypolicy-int
|
issuer:no-ocsp-int-path-int
|
||||||
subject:ev-valid-anypolicy-int
|
subject:no-ocsp-int-path-ee
|
||||||
extension:authorityInformationAccess:http://www.example.com:8888/ev-valid-anypolicy-int/
|
extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-int-path-ee/
|
||||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||||
|
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,18 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIC7jCCAdigAwIBAgIUdXjljKCreZHFVnBN7VXrPJiBz8AwCwYJKoZIhvcNAQEL
|
||||||
|
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||||
|
MDAwMDAwWjAfMR0wGwYDVQQDDBRuby1vY3NwLWludC1wYXRoLWludDCCASIwDQYJ
|
||||||
|
KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
|
||||||
|
SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
|
||||||
|
zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
|
||||||
|
K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
|
||||||
|
bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
|
||||||
|
JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMw
|
||||||
|
MC4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
|
||||||
|
MAsGCSqGSIb3DQEBCwOCAQEAkCLoPzlhyoE0haiNXg2V767zsoTJMxA4XDKh2Ndb
|
||||||
|
oaMfxJdqit/4yQregeCMh+zbgOt5i7gs5OQ0JR3Mo3fZ6HYxNLukCmxKD7OjYRAp
|
||||||
|
ZsUbXQAeuNN+0q49rB1Sf7/Huk0WLbS8fG/oAK7HUwpJBxfzgCPbLRYt0ZeXooD+
|
||||||
|
glh+2nUmlMmmjWgzc3xbQ1K1shqWatDT49BPcBel/GHsfpyDuJzzAvop8itJY+I0
|
||||||
|
rUfrA+kJzojBJOykoucNx2cYx/0NxT+Rv3jWL4Qp0YdjCa9huJzdAFv0q0Rk6IlJ
|
||||||
|
ef+7wWlvP6YoDUgwT4H8JPq/vSfCsB5yXKz/Hu0Ykc+3hQ==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,6 @@
|
||||||
|
issuer:evroot
|
||||||
|
subject:no-ocsp-int-path-int
|
||||||
|
issuerKey:ev
|
||||||
|
extension:basicConstraints:cA,
|
||||||
|
extension:keyUsage:cRLSign,keyCertSign
|
||||||
|
extension:certificatePolicies:any
|
|
@ -1,18 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIC4zCCAc2gAwIBAgIUd5B8Tu9tyK8u9ciEb+vs5wAhPjcwCwYJKoZIhvcNAQEL
|
|
||||||
MBcxFTATBgNVBAMMDGludC1ldi12YWxpZDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIw
|
|
||||||
MTcwMjA0MDAwMDAwWjAbMRkwFwYDVQQDDBBuby1vY3NwLXVybC1jZXJ0MIIBIjAN
|
|
||||||
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
|
|
||||||
5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
|
|
||||||
An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
|
|
||||||
ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
|
|
||||||
zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
|
|
||||||
JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
|
|
||||||
oyMwITAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATALBgkqhkiG9w0B
|
|
||||||
AQsDggEBAGD4KgUYaMaVoU2ioXkVXR99IrOz65d6DsI8JZHlI1/5fykVbzPq7gpI
|
|
||||||
fHB2iIp5RzP/eDDZPyriJ7L2LEUIGC/yr68C96d5FqlpeTL9hgkWQaM2Z9hisgoe
|
|
||||||
vk1uBsvZ6KmCQhG9TTCcEAQks7Qe9qDo3j3zk35795Q57w4xYYJZKiBtKFgMTtF2
|
|
||||||
nkpoSTHQ8wmPgok0T7H4c3WxXwRz9Pxa+X63q5Whd8tDeHHp2o+Fm3HzW7aGTb1t
|
|
||||||
F1UJQsF4hCEsnqhfbx2pEPUkYHjtLi2WXFT/AYDbYsqzly4PZhMOdNldJu/S3TS0
|
|
||||||
wSsKiflXOecc1Voy2BHO3igasqYZ6Tk=
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,3 +0,0 @@
|
||||||
issuer:int-ev-valid
|
|
||||||
subject:no-ocsp-url-cert
|
|
||||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDXjCCAkigAwIBAgIUPx1bQ/YwNzxyiIIEYEoQjqZUmHUwCwYJKoZIhvcNAQEL
|
||||||
|
MB8xHTAbBgNVBAMMFG5vbi1ldi1yb290LXBhdGgtaW50MCIYDzIwMTQxMTI3MDAw
|
||||||
|
MDAwWhgPMjAxNzAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME25vbi1ldi1yb290LXBh
|
||||||
|
dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
|
||||||
|
braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
|
||||||
|
eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
|
||||||
|
iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
|
||||||
|
qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
|
||||||
|
LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
|
||||||
|
2hgKNe2NAgMBAAGjgZIwgY8wTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzABhjBo
|
||||||
|
dHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvbm9uLWV2LXJvb3QtcGF0aC1lZS8w
|
||||||
|
HwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYt
|
||||||
|
dGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAIkYTJJR3JK3wbcNaBKL
|
||||||
|
5R2qbPJLSJSP2ZbwyBF28HnzrOncI6elJFi9LxVwTDLKIchJolUqQmxLTbmuO/Y5
|
||||||
|
hH9VXBKmct1PbWuDuH2ASFXVTvf3FREg+qHH9/s+GGnIxTSleS0lj2RsHdrC9Q8O
|
||||||
|
ChtSg1Fcuz6ZDMEQgpc52tGaTmB2Q/ZHFV6dIdcZtwxH0AqSy1aX432MAjyaEg6G
|
||||||
|
dFX4ObU/JWOPk8qz+Mw/q0d8b4U6OP7uP2buURYR60KFJx1Iqfcwu2bWl0VdaHrQ
|
||||||
|
1xU1SGViOHaCZMTXrV8l3cvAGbpnFXTp6MAdiTMc8+44M9/SOQVmqWVwULpCtNNv
|
||||||
|
e5M=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,4 +1,5 @@
|
||||||
issuer:int-ev-valid
|
issuer:non-ev-root-path-int
|
||||||
subject:ev-valid
|
subject:non-ev-root-path-ee
|
||||||
extension:authorityInformationAccess:http://www.example.com:8888/ev-valid/
|
extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-ee/
|
||||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||||
|
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,20 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDRDCCAi6gAwIBAgIUe8flRD9fpbyM3B5myFA50T3jScUwCwYJKoZIhvcNAQEL
|
||||||
|
MBgxFjAUBgNVBAMMDW5vbi1ldnJvb3QtY2EwIhgPMjAxNDExMjcwMDAwMDBaGA8y
|
||||||
|
MDE3MDIwNDAwMDAwMFowHzEdMBsGA1UEAwwUbm9uLWV2LXJvb3QtcGF0aC1pbnQw
|
||||||
|
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
|
||||||
|
PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
|
||||||
|
9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
|
||||||
|
4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
|
||||||
|
exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
|
||||||
|
ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
|
||||||
|
AgMBAAGjfzB9MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME0GCCsGAQUFBwEB
|
||||||
|
BEEwPzA9BggrBgEFBQcwAYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L25v
|
||||||
|
bi1ldi1yb290LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwCwYJKoZIhvcN
|
||||||
|
AQELA4IBAQCw1nYDX13O3uLXnQBJ5aM8/x6IM1tzVd6UWqgtbLDiTDqmQIRw52jz
|
||||||
|
n+Fl/feTEjYn2/GF++LgKS031wXSjbAs2EIe3QtKQZfpMo+XtJzYtOmkQ6dzM5PV
|
||||||
|
GsV5PJG/JvUgC4X/FpSFNbh+5jNEuU8nZatrhqlVShTVmFCHC8bpcQhZlyt3uwY2
|
||||||
|
Vd7x2qSem5XCPP+7Hmvt6jlP0ZO1oTyqfMf1K7Q1m+r97pmHj3xkhYQKTBkiwRMJ
|
||||||
|
+pwIkbvYJONIR30V2tg3bZuJwzwt9R4f4dl2J03UQkg1ge2eJUF9d3odaWmLma7N
|
||||||
|
nuwrO2Y0DpQv3HqvZZOOYX8chPO8IIVe
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,6 +1,6 @@
|
||||||
issuer:non-evroot-ca
|
issuer:non-evroot-ca
|
||||||
subject:int-non-ev-root
|
subject:non-ev-root-path-int
|
||||||
extension:basicConstraints:cA,
|
extension:basicConstraints:cA,
|
||||||
extension:keyUsage:cRLSign,keyCertSign
|
extension:keyUsage:cRLSign,keyCertSign
|
||||||
extension:authorityInformationAccess:http://www.example.com:8888/int-non-ev-root/
|
extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-int/
|
||||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
extension:certificatePolicies:any
|
|
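Review bot: On the new side the last line changes `extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1` to `extension:certificatePolicies:any`, which alters the fixture's contents and is not part of the rename from `int-non-ev-root` to `non-ev-root-path-int`. The other intermediate specs visible in this commit also assert `any`, so this looks deliberate, but the non-EV-root chain then no longer includes an intermediate that names the test EV OID explicitly. It is worth confirming that the expected result for `non-ev-root-path` depends only on the root not being EV-enabled. The policy change should also be recorded in the commit description so this file is not read as a pure rename.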
@ -1,19 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDJzCCAhGgAwIBAgIULwMSM80UKgeh7YdspJB7dG8Yn3owCwYJKoZIhvcNAQEL
|
|
||||||
MBoxGDAWBgNVBAMMD2ludC1ub24tZXYtcm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoY
|
|
||||||
DzIwMTcwMjA0MDAwMDAwWjAWMRQwEgYDVQQDDAtub24tZXYtcm9vdDCCASIwDQYJ
|
|
||||||
KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
|
|
||||||
SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
|
|
||||||
zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
|
|
||||||
K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
|
|
||||||
bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
|
|
||||||
JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNp
|
|
||||||
MGcwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vd3d3LmV4YW1w
|
|
||||||
bGUuY29tOjg4ODgvbm9uLWV2LXJvb3QvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUa
|
|
||||||
hRqFGgGDdAkBMAsGCSqGSIb3DQEBCwOCAQEAAtXIU+ufmDNCqfjUZiJ+9nHcE14I
|
|
||||||
t158M0bTBeAsmwtenY9WsBz2Svd3JJ4k8/0OjIfS44o9XPnGvAT/KmHKcTjmTkHR
|
|
||||||
vixUvEa3923AsJzoGzxQcF2BtyQufGWBW8/Oq5d6G5ISB/C4VA3Ez8j7o+OE+6bp
|
|
||||||
ID60osGbUJsQ/mknXxj0MsZoeuz3upbdTDe49jNYPkyyJqKnctOacq3PIs1Ai10A
|
|
||||||
iMgKtn0e5wEEUCouKwuKXxK1kFIrxDiiKLWEhgBKTPxDf8E+ZuJbp+nZo3TDfI1j
|
|
||||||
rQDQsbH6cao5EzrVe/weHRYDQMJ1tk17RXrW+PPsgWYia8Mi11qbI9w+1Q==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -0,0 +1,20 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDVTCCAj+gAwIBAgIULwfe1XYxIxI1GOvu3ZnTqxvVOYYwCwYJKoZIhvcNAQEL
|
||||||
|
MBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MCIYDzIwMTQxMTI3MDAwMDAw
|
||||||
|
WhgPMjAxNzAyMDQwMDAwMDBaMBsxGTAXBgNVBAMMEHRlc3Qtb2lkLXBhdGgtZWUw
|
||||||
|
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
|
||||||
|
PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
|
||||||
|
9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
|
||||||
|
4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
|
||||||
|
exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
|
||||||
|
ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
|
||||||
|
AgMBAAGjgY8wgYwwSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzABhi1odHRwOi8v
|
||||||
|
d3d3LmV4YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtcGF0aC1lZS8wHwYDVR0gBBgw
|
||||||
|
FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt
|
||||||
|
cGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAGBM93ylo+yXjVAr7GHY2/Suvddfd47X
|
||||||
|
i+0qQc5Aif2f5okWm7k8BaLdhQYMcLo/D/AZzKcPvO5wUFdiInHPF069ebu8s6qL
|
||||||
|
qZ7ybJK7AR/UfkS4Yn+gTdvPUxasFCtorT3tx8aws3Y9NBK0YV2IImgC+wS2Qe37
|
||||||
|
XBUF+526UjJ/ooInFnW6Ukf8rdhxMpSOAXzblJCfHMnnkg36m5zSWNH83oTWEGwe
|
||||||
|
tWolqulTICNpRA4rqwO7i2BRHkgQrq9lhQS3/rCyGYgeqware7QPSj5S4WXBLM3p
|
||||||
|
a7je/NteBTOUVsfngQSz5ETVu3Bj7mgJYmtkCC5ZRVfQmjWsfPyqslE=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,4 +1,5 @@
|
||||||
issuer:int-non-ev-root
|
issuer:test-oid-path-int
|
||||||
subject:non-ev-root
|
subject:test-oid-path-ee
|
||||||
extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root/
|
extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/
|
||||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
||||||
|
extension:subjectAlternativeName:ev-test.example.com
|
|
@ -0,0 +1,20 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDRzCCAjGgAwIBAgIUXX3/aud0LGpAvxl0RGcu8j7gbsAwCwYJKoZIhvcNAQEL
|
||||||
|
MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
|
||||||
|
MDAwMDAwWjAcMRowGAYDVQQDDBF0ZXN0LW9pZC1wYXRoLWludDCCASIwDQYJKoZI
|
||||||
|
hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
|
||||||
|
9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
|
||||||
|
HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
|
||||||
|
kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
|
||||||
|
lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
|
||||||
|
kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBizCB
|
||||||
|
iDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBKBggrBgEFBQcBAQQ+MDwwOgYI
|
||||||
|
KwYBBQUHMAGGLmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LW9pZC1w
|
||||||
|
YXRoLWludC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCwYJKoZI
|
||||||
|
hvcNAQELA4IBAQBonq8E1t3lQQAdEimupSIEFehQNe5wE69Hj9O941yTTIYZazR/
|
||||||
|
kgKiFb4daLhvmeay1WxKq2D4SabCyvQpkU2acUunOolNcUUYwzqjeOr3OB369vvy
|
||||||
|
13vshQs6PL9y5sTNEFCt8xYeBgiMoUKrelLe9iql4h/jyqOBYAuk8hQzztaW986p
|
||||||
|
q8mF0V59hT3EZNEGdHf2LcPBlR24i7mdA45mWHQ+v5zySVptxJG9xi5bv2PoT3i3
|
||||||
|
HUcBfOERE+6d14OZmMsDcmv3G6JRtbAow0ZKbi7UXemrHk0Xszb570gEvii2PKyD
|
||||||
|
mQbrJ3k0g8SGTK+mWEYtpowoPVWMa3Do/KpO
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -1,7 +1,7 @@
|
||||||
issuer:evroot
|
issuer:evroot
|
||||||
subject:int-ev-valid
|
subject:test-oid-path-int
|
||||||
issuerKey:ev
|
issuerKey:ev
|
||||||
extension:basicConstraints:cA,
|
extension:basicConstraints:cA,
|
||||||
extension:keyUsage:cRLSign,keyCertSign
|
extension:keyUsage:cRLSign,keyCertSign
|
||||||
extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid/
|
extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-int/
|
||||||
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
|
|
@ -41,7 +41,7 @@ function testOff() {
|
||||||
add_test(() => {
|
add_test(() => {
|
||||||
clearOCSPCache();
|
clearOCSPCache();
|
||||||
let ocspResponder = getFailingOCSPResponder();
|
let ocspResponder = getFailingOCSPResponder();
|
||||||
checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
|
checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
|
||||||
false);
|
false);
|
||||||
ocspResponder.stop(run_next_test);
|
ocspResponder.stop(run_next_test);
|
||||||
});
|
});
|
||||||
|
@ -50,7 +50,7 @@ function testOff() {
|
||||||
add_test(() => {
|
add_test(() => {
|
||||||
clearOCSPCache();
|
clearOCSPCache();
|
||||||
let ocspResponder = getFailingOCSPResponder();
|
let ocspResponder = getFailingOCSPResponder();
|
||||||
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
|
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
|
||||||
PRErrorCodeSuccess, certificateUsageSSLServer);
|
PRErrorCodeSuccess, certificateUsageSSLServer);
|
||||||
ocspResponder.stop(run_next_test);
|
ocspResponder.stop(run_next_test);
|
||||||
});
|
});
|
||||||
|
@ -69,9 +69,9 @@ function testOn() {
|
||||||
add_test(() => {
|
add_test(() => {
|
||||||
clearOCSPCache();
|
clearOCSPCache();
|
||||||
let ocspResponder =
|
let ocspResponder =
|
||||||
getOCSPResponder(gEVExpected ? ["int-ev-valid", "ev-valid"]
|
getOCSPResponder(gEVExpected ? ["test-oid-path-int", "test-oid-path-ee"]
|
||||||
: ["ev-valid"]);
|
: ["test-oid-path-ee"]);
|
||||||
checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
|
checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
|
||||||
gEVExpected);
|
gEVExpected);
|
||||||
ocspResponder.stop(run_next_test);
|
ocspResponder.stop(run_next_test);
|
||||||
});
|
});
|
||||||
|
@ -80,8 +80,8 @@ function testOn() {
|
||||||
// successfully.
|
// successfully.
|
||||||
add_test(() => {
|
add_test(() => {
|
||||||
clearOCSPCache();
|
clearOCSPCache();
|
||||||
let ocspResponder = getOCSPResponder(["non-ev-root"]);
|
let ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
|
||||||
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
|
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
|
||||||
PRErrorCodeSuccess, certificateUsageSSLServer);
|
PRErrorCodeSuccess, certificateUsageSSLServer);
|
||||||
ocspResponder.stop(run_next_test);
|
ocspResponder.stop(run_next_test);
|
||||||
});
|
});
|
||||||
|
@ -100,9 +100,9 @@ function testEVOnly() {
|
||||||
add_test(() => {
|
add_test(() => {
|
||||||
clearOCSPCache();
|
clearOCSPCache();
|
||||||
let ocspResponder = gEVExpected
|
let ocspResponder = gEVExpected
|
||||||
? getOCSPResponder(["int-ev-valid", "ev-valid"])
|
? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])
|
||||||
: getFailingOCSPResponder();
|
: getFailingOCSPResponder();
|
||||||
checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
|
checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
|
||||||
gEVExpected);
|
gEVExpected);
|
||||||
ocspResponder.stop(run_next_test);
|
ocspResponder.stop(run_next_test);
|
||||||
});
|
});
|
||||||
|
@ -111,7 +111,7 @@ function testEVOnly() {
|
||||||
add_test(() => {
|
add_test(() => {
|
||||||
clearOCSPCache();
|
clearOCSPCache();
|
||||||
let ocspResponder = getFailingOCSPResponder();
|
let ocspResponder = getFailingOCSPResponder();
|
||||||
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
|
checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
|
||||||
PRErrorCodeSuccess, certificateUsageSSLServer);
|
PRErrorCodeSuccess, certificateUsageSSLServer);
|
||||||
ocspResponder.stop(run_next_test);
|
ocspResponder.stop(run_next_test);
|
||||||
});
|
});
|
||||||
|
@ -129,9 +129,9 @@ function run_test() {
|
||||||
Services.prefs.setBoolPref("security.OCSP.require", true);
|
Services.prefs.setBoolPref("security.OCSP.require", true);
|
||||||
|
|
||||||
loadCert("evroot", "CTu,,");
|
loadCert("evroot", "CTu,,");
|
||||||
loadCert("int-ev-valid", ",,");
|
loadCert("test-oid-path-int", ",,");
|
||||||
loadCert("non-evroot-ca", "CTu,,");
|
loadCert("non-evroot-ca", "CTu,,");
|
||||||
loadCert("int-non-ev-root", ",,");
|
loadCert("non-ev-root-path-int", ",,");
|
||||||
|
|
||||||
testOff();
|
testOff();
|
||||||
testOn();
|
testOn();
|
||||||
|
|
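Review bot: The renamed call `checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,` in the testOff hunk is 83 characters before indentation, where the old `"ev-valid"` form was 75. The same line recurs in the testOn and testEVOnly hunks. If this file keeps to an 80-column limit (the lint configuration is not visible on this page), wrap after the certificate argument: `checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"),` followed by `certificateUsageSSLServer, false);`, with `gEVExpected` in place of `false` in the other two hunks. The enclosing functions start outside the hunks, so the exact indentation has to be taken from the file.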