Backed out changeset f5fa8ea86d3b (bug 622859)
authorCarsten "Tomcat" Book <cbook@mozilla.com>
Fri, 17 Oct 2014 13:13:01 +0200
changeset 211020 a7e637d5287d642af2c48bf8ed9961c80960ee57
parent 211019 ce11ac061a1bdd1071615a878bce8cc0300dd178
child 211021 209ec35a59c13bfccd4b5a787268cb4e1eaf1bb3
push id27667
push usercbook@mozilla.com
push dateMon, 20 Oct 2014 12:40:56 +0000
treeherderautoland@cc2d8bdbccb8 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs622859
milestone36.0a1
backs outf5fa8ea86d3b7645835b35b4fe6ff35860eea18c
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out changeset f5fa8ea86d3b (bug 622859)
security/certverifier/ExtendedValidation.cpp
security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
security/manager/ssl/tests/unit/test_keysize/cert9.db
security/manager/ssl/tests/unit/test_keysize/dsa-caBad.der
security/manager/ssl/tests/unit/test_keysize/dsa-caOK.der
security/manager/ssl/tests/unit/test_keysize/dsa-eeBad-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/dsa-eeOK-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/dsa-eeOK-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/dsa-eeOK-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/dsa-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/dsa-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/dsa-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-caBad.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-eeBad-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-eeOK-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-eeOK-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-eeOK-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/generate.py
security/manager/ssl/tests/unit/test_keysize/key4.db
security/manager/ssl/tests/unit/test_keysize/pkcs11.txt
security/manager/ssl/tests/unit/test_keysize/rsa-caBad.der
security/manager/ssl/tests/unit/test_keysize/rsa-caOK.der
security/manager/ssl/tests/unit/test_keysize/rsa-eeBad-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/rsa-eeOK-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/rsa-eeOK-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/rsa-eeOK-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/rsa-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/rsa-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/rsa-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize_ev.js
security/manager/ssl/tests/unit/xpcshell.ini
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -85,58 +85,44 @@ struct nsMyTrustedEVInfo
 //
 // If you are able to connect to the site without certificate errors,
 // but you don't see the EV status indicator, then most likely the CA
 // has a problem in their infrastructure. The most common problems are
 // related to the CA's OCSP infrastructure, either they use an incorrect
 // OCSP signing certificate, or OCSP for the intermediate certificates
 // isn't working, or OCSP isn't working at all.
 
-static const size_t NUM_TEST_EV_ROOTS = 2;
 static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
   // IMPORTANT! When extending this list,
   // pairs of dotted_oid and oid_name should always be unique pairs.
   // In other words, if you add another list, that uses the same dotted_oid
   // as an existing entry, then please use the same oid_name.
 #ifdef DEBUG
   // Debug EV certificates should all use the OID (repeating EV OID is OK):
   // 1.3.6.1.4.1.13769.666.666.666.1.500.9.1.
-  // If you add or remove debug EV certs you must also modify NUM_TEST_EV_ROOTS
-  // so that the correct number of certs are skipped as these debug EV certs are
-  // NOT part of the default trust store.
+  // If you add or remove debug EV certs you must also modify IdentityInfoInit
+  // (there is another #ifdef DEBUG section there) so that the correct number of
+  // certs are skipped as these debug EV certs are NOT part of the default trust
+  // store.
   {
     // This is the testing EV signature (xpcshell) (RSA)
     // CN=XPCShell EV Testing (untrustworthy) CA,OU=Security Engineering,O=Mozilla - EV debug test CA,L=Mountain View,ST=CA,C=US"
     "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
     "DEBUGtesting EV OID",
     SEC_OID_UNKNOWN,
     { 0x2D, 0x94, 0x52, 0x70, 0xAA, 0x92, 0x13, 0x0B, 0x1F, 0xB1, 0x24,
       0x0B, 0x24, 0xB1, 0xEE, 0x4E, 0xFB, 0x7C, 0x43, 0x45, 0x45, 0x7F,
       0x97, 0x6C, 0x90, 0xBF, 0xD4, 0x8A, 0x04, 0x79, 0xE4, 0x68 },
     "MIGnMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWlu"
     "IFZpZXcxIzAhBgNVBAoMGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0wGwYD"
     "VQQLDBRTZWN1cml0eSBFbmdpbmVlcmluZzEvMC0GA1UEAwwmWFBDU2hlbGwgRVYg"
     "VGVzdGluZyAodW50cnVzdHdvcnRoeSkgQ0E=",
     "At+3zdo=",
     nullptr
   },
-  {
-    // The RSA root with an inadequate key size used for EV key size checking
-    // O=ev-rsa-caBad,CN=XPCShell Key Size Testing rsa 2040-bit (EV)
-    "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
-    "DEBUGtesting EV OID",
-    SEC_OID_UNKNOWN,
-    { 0x0E, 0xE2, 0x7A, 0x44, 0xD3, 0xAB, 0x66, 0x1A, 0x31, 0xBF, 0x0C,
-      0x1C, 0xFC, 0xAA, 0xD9, 0xD6, 0x27, 0x75, 0xC2, 0xDB, 0xC5, 0x69,
-      0xD7, 0x1C, 0xDE, 0x9C, 0x7E, 0xD5, 0x86, 0x88, 0x6C, 0xB7 },
-    "ME0xNDAyBgNVBAMMK1hQQ1NoZWxsIEtleSBTaXplIFRlc3RpbmcgcnNhIDIwNDAt"
-    "Yml0IChFVikxFTATBgNVBAoMDGV2LXJzYS1jYUJhZA==",
-    "PCQ3",
-    nullptr
-  },
 #endif
   {
     // OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
     "1.2.392.200091.100.721.1",
     "SECOM EV OID",
     SEC_OID_UNKNOWN,
     { 0xA2, 0x2D, 0xBA, 0x68, 0x1E, 0x97, 0x37, 0x6E, 0x2D, 0x39, 0x7D,
       0x72, 0x8A, 0xAE, 0x3A, 0x9B, 0x62, 0x96, 0xB9, 0xFD, 0xBA, 0x60,
@@ -1091,19 +1077,18 @@ IdentityInfoInit()
     SECITEM_FreeItem(&ias.serialNumber, false);
 
     // If an entry is missing in the NSS root database, it may be because the
     // root database is out of sync with what we expect (e.g. a different
     // version of system NSS is installed). We will just silently avoid
     // treating that root cert as EV.
     if (!entry.cert) {
 #ifdef DEBUG
-      // The debug CA structs are at positions 0 to NUM_TEST_EV_ROOTS - 1, and
-      // are NOT in the NSS root DB.
-      if (iEV < NUM_TEST_EV_ROOTS) {
+      // The debug CA info is at position 0, and is NOT on the NSS root db
+      if (iEV == 0) {
         continue;
       }
 #endif
       PR_NOT_REACHED("Could not find EV root in NSS storage");
       continue;
     }
 
     unsigned char certFingerprint[SHA256_LENGTH];
--- a/security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
+++ b/security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
@@ -178,43 +178,16 @@ def generate_pkcs12(db_dir, dest_dir, de
                           pk12_filename)
     child.expect('Enter Export Password:')
     child.sendline('')
     child.expect('Verifying - Enter Export Password:')
     child.sendline('')
     child.expect(pexpect.EOF)
     return pk12_filename
 
-def import_cert_and_pkcs12(db_dir, cert_filename, pkcs12_filename, nickname,
-                           trust_flags):
-    """
-    Imports a given certificate file and PKCS12 file into the SQL NSS DB.
-
-    Arguments:
-      db_dir -- the location of the database and password file
-      cert_filename -- the filename of the cert in DER format
-      pkcs12_filename -- the filename of the private key of the cert in PEM
-                         format
-      nickname -- the nickname to assign to the cert
-      trust_flags -- the trust flags the cert should have
-    """
-    os.system('certutil -A -d sql:' + db_dir + ' -n ' + nickname + ' -i ' +
-              cert_filename + ' -t "' + trust_flags + '"')
-    os.system('pk12util -i ' + pkcs12_filename + ' -d sql:' + db_dir +
-              ' -w ' + db_dir + '/pwfile')
-
-def print_cert_info_for_ev(cert_filename):
-    """
-    Prints out the information required to enable EV for the given cert.
-
-    Arguments:
-      cert_filename -- the filename of the cert in DER format
-    """
-    os.system('pp -t certificate-identity -i ' + cert_filename)
-
 def init_nss_db(db_dir):
     """
     Remove the current nss database in the specified directory and create a new
     nss database with the sql format.
     Arguments
       db_dir -- the desired location of the new database
     output
      noise_file -- the path to a noise file suitable to generate TEST
deleted file mode 100644
index fc7e8d3ec2d9a9958b9806b875a0bc1cc30b79bb..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
index c947b11aee4d6c182a4db36fe6e821b9add6fd1f..b7ea48d517058bcbc65a5930e2e522252218d515
GIT binary patch
literal 605
zc$_n6Vv00qViH@x%*4pV#4PGiYrxIMnb79Jn99t;%w!;9C}beO#vIDR%)^;doT!_e
z=#-dZAScdiXkuV)Xl!U|Vqs(+CC+OE;u=7?ICM2J&H`ddHg>Hxk8>6*j6e<#QzgTk
z<AD?OFP+-@YuUZv#+0&B!3UFNV)*a;>7KgPY~tHx*57NpEHgrH-+rmJxMP}YWmI8E
zz-x8hi+tB-+KD?)_kN(Nd#Z5*^ZtzvvkjxP_Sk;i!><2B*Urr?%w+l@v4ave5AHbX
z39EU0vG|ncs=-+EBPr48v24@4VkS|B-gV)LPEnpwr{Z&sPVlc2KN*&InyDiE&a~Eq
zbAPU;)fDbmv=qB!5tHB>zG<iDBsKmi3sX#+ik>~~3+5IQo^<Bzk6-#d!qVR!?XCT|
zEq6=E;j&Us>Au6^dJ3;+-8(E|7c+P9j=o6!j86>--gAvI*1nb#Vv2h(d#b(ErmMVq
zhc0~b)w~!beCUDBQgJ(LHs)#uri#qu#k0jSO*F2Gi->Djdnxo^+TyWvlFILPP0LG%
zg?C5nRSfHSA~0+9kMy3-2kB*-cw=AWE-&mkC$!uy$nS5+uBE^DMLA#YkWadItIsYp
zk2fJ+RHAd?Op}S*kCX;U-QT~+;#kR1rzcf4<v%NRSI=nfV={d_cg=g|#li-H2K>M{
zlNDxU{LjK_zzn2N(gL#qgMluSNbKi(CSGfP2S3U9sq2svx6YLN<Og6-wwP2atDVd%
Sn6UEgGmXZ=q*W1TcK`s|^y|R@
index 0d23ff16acd40ab6df8cdb1bf7389cc2fad1b557..c57957fc455ca242a26c80cfaeb17468e7961cf3
GIT binary patch
literal 633
zc$_n6Vk$LgVlrO9%*4pV#KM@?J=uVpjWeOmgE5tvg_+4f*ig`bpN%<`g_(yVr8rSH
zInm$SKu(<3(8R#p(Adz_#KOotN}SgS#5I6&v1@8#+yTToZ0uTX9_K7r7=avlrp88w
z`!P=Q_y3E{yL0Bb;}WY-e{QY=Efbn^<X-4TmtJI;W3y<&g8N!G%j5s6p4OWG|I40s
z*{?I_Z_|xop7DWa_Q8P0HS?+>UY3_$ZrgKXgI0CT`c5rxyMT24xw|&3TxX;t^I;cn
zT+4T^G*;f?z??4CPVN;^Nv^t{8A7a6udhCsm6FXQ%Fw<$**#h0@osg=cg%-8#q-}k
z+R6xW+Pvk($A5UKKb-Q4U-#al-#q=_ZYbTIZF<1lev<RlMeG-B{;*bCZoGXuH2q<_
z_W2v1+&IG`9(A&)CSR#KCTr5H<FtB9eZ|%AHZ|7hy;a$sg$K)i-(j9``-u^kMBR1A
z>bi!5Hi7>aoLQ;3)o4}whQ|i25BCY!$G8~m-nYi1a^vS<=EhbAkUQ=fK9sg`^mu$h
z>*L&Dm5=u<GtbC<eyMS9{_A5tQzCw^t@yjLtED4Y_kX;>@wrE%)UN+r#=CX<)&=&7
zt@nfs6)(-Hx%SpPdBeT!cCot~8jXxN*oBXtWZrKv#p}QS*6@<0Q=NY1>E(zUTOAIs
zkTBoktPyY_H0{;;5BE$CO7Rs&^eq-PfJCUQFeBrC7FGjhAcc}nnDrS9beKd84WBJo
sy2JAUzoX{+Prl|n-f=3QnM5RJu=d^Y{2b2F+5c$Crq_o8PZeDS092^~W&i*H
index a7947ec96f63b99c0a3f0333dafccdea62a04075..07629f06038e7b03599ef159c6e983c8e65d7cf8
GIT binary patch
literal 600
zc$_n6VhS;6ViH=w%*4pV#KLIb*ki!W#+lIO!I;X-!pvkKX((<W%ElbZ!py^$Qk<xp
znOEZPt(%<a?`<F_&TD95U~Xt^Xli0%WF95XYXssNK)D9;hO!3I5UnC0t*NO_i7Chi
zG%?NsVo5f3tu~Ky7A%ZF4i8f$!<^%R6Z9{g+WKqRz2L@_vQohZlVxJ~@BHbWy47sr
z+hx|@Yr8BnLT}%GskOLcnrmfLVMxGhb>547*Js*^J5Tq1psIVSaRc-IjSjO7qqO$e
ze%-^a|3lZ#%`MDi`XRA{5;hO+IO++jd3>?>l;*0zSo0$((dn^l)4XCPQHI`i;fYRB
zo>8abbB#{$uM<BRmUx<}BK*#@)`W9^uBO!#?pL%FyJQiQ;2XYar{^R!{wWJnOq+_H
zJ?#tT780Ix=IxJP`aQzZ-yZF){kSc6OUU7}Qcvl=!{K@guV>vmEMgZkckzzCNd1gY
z4GG?JjWX80mJ?!%doX*dz0{_wyn2T&eDc-27$tn@fzDEKJ8L%PY6hkX+jz5H9<gOF
zlowY>gk?BMCklorZL<FU=+-2E1D$)j_Oo2fv<Wsnt2Q-pOSb&o(+q+iZrV$Ka1QX}
zDA{7RN}ge(*CFli2dkof_#~*`wm->lYW%Wu@$H$tSznblHBGS;>0!L4z_j#1yUu$H
z)!=)*{}lK({J8aa%SDuAz^u<;pu;30*vrnE5i7CXDE<A-A5)XI2no&aWD+qbfB!%1
UP{f12NUwXB_xDx0RmaW-0DD^NAOHXW
index c01e16e6dfa83d4783f5997bb79e2ac6a9a86df7..9b5cf38bf6f09a71c3ef86b2f51ad9605ec6005f
GIT binary patch
literal 630
zc$_n6Vk$CdVlr63%*4pV#B43L(14qbGoj6cF_oExnaM!PP{KfrjX9KsnTJ26I8iq<
zuf!=aMK?Lo-`hY=oY&CAz}(Q-(A31j$UI7%*9gQlfN~Aw4P_0aA$mnXdQ(&Vy-^Hk
zV%!15I&AD(Z64<=SQvpEd8WojhWjy2^Y{OY&AW5vx#JS6P=9W&11%GpbL3v=Mweb>
zm}9eO!h-u+H_PMytDe@H|NqOLcG<5p=Wo-EVV?1UXZFE>#x?V*B3_o4UT)iSV}n+8
z&H7F)Z@YkW{kgj~tXyZLB=cbxZ(PfFt~6HO;=r6P)lTjeQAw`4o*6={Q?IW+n3a;v
zB+AgfJJ~&1<neBG$#=|$JjL_hKibL&a@xG*#m9emsXv_ZieLBMqu)IJ-)<<~oo#x+
z+kTSs)J5zUZ2quTTW-94IyC)ZyY~4TpWHaZA|7?Js3u>jIwot<tmCwLOMS)F@HREp
z=)G0ho`na?e&1o9aQlf7mqgul$LhL<gEoQx7o1tCxYcM?`-aB`tq=DJ*vGgS?B2J=
zqjKZtVCKeF29P`M31)m1%VE9Da^CrC?j?h&Pvwo$Li-ymRO_c(=0pY+x>$JZd3K^{
zsf{*^B7@VlgRJj)0%GoX+Uyp{xg?geQ#DB{&h2tcL*B;qZ7V(YvER9KGx_1Ccanau
z17zPOKAirrS6#nxb+D}X6Q2mb$Z6jim~-c;F1LD>B^^2Ceo2V?5|mWJtj}Pe!z5zI
v^+i^H@3qv);!0i<Z1tzuUHM<mBx3OHk&)5=i@7XE<+oVP3*4buU;6+6hi3f9
index 063df6a78dc81ea90fee3314c3bcb9bc90ee0403..b3b083d686e299d3bb358ac9ca88dad5d9cb50d1
GIT binary patch
literal 630
zc$_n6Vk$CdVlr63%*4pV#KLfj_q_o(8)rhB2V*KT3p0~}l%a%y7#nja3o{RYN^zoY
zW?qTEw{CKxQ(}sNoH(zciGjJHv7xDng^_ubIIj_iYXIdM$Q#NUNJI3Bfb^!O0<|I=
z(8RbMh;`W5wc0$+S+FnyIr2=6jSTl=oaXQU7n^tI%yY*jR-yjfTnAbvH0Q{@(2Xv=
z$S}ud(S!x}wQiQj|5rV&HUIyYJ?*kzXU^ZI8^b)~1JCS(0gY?sRYklkFTLEh=f(!D
z>YDYPTHba6>H2ebZCJU^NJ-|yF5bA7?_6oDyv2bzU8<ejE25HIbv-kLSf^fJeK0E}
zn@N<ReRr~ZvdH7z>XPr64|$5`zkjrq5#+Ra%Zrcy@KS#`<rTl~y+^-!`oG;!x;xwS
zfVcf5=c$X>FWCHHt+w2F`*djf!*=cSH$J&>hDAK;WKm7NQguw$q*=#l^_KdItKn^G
ztkHX`vONnAmi@lNJmK~eBQA-$>yFiR4F_!k|1UVRQgN%%s`d?!4O$=W6R?kQG1$Ft
zjYs9i&%w-%EeuSJ4UxhRIr`=<dGXNTrkzq*!v3!tZte8G7h0UQ*`{*KhqE8rGS1~^
zZ1}K#W!na~`^Wl&mBdmL{cSQb8ftqC(|a%UoVoiynmP2$s)Ji2xA0u?Jo;^Nu9F!X
zBcE7=?cqO9r&&G{{<*3w@VaLGm&QAPeItJP=}$3xZM^tz`cW%q#bA$CltjX;&tRa#
yBvNvzvFTLp;+?Mgb<f`%E1z*n(^7;<MAYtyNnY*3fA4kg@cG{O+k9}={T%?l!U*O7
index c391cca156216925c7ecfaf633da74fd41c3645f..97ad32b1e9e1b0ab4784fb70b39ed5b225640245
GIT binary patch
literal 628
zc$_n6Vk$6bV$xf{%*4pV#KQP)&3OZEHqL}L55`nx7G@>`Nkef1Q8wmK7G@s4l;T9)
z%)AnRZ{6fXe{Tahab80c19L-TLsJtABl9S6ULz3K0LnFxGn6rqf@l>6X-!Q9>O|7t
z#JC-Zb=cUo+C0u#urLBS@=T454EJN4=I{R(n|J5TbH^oCq5j-l2U;dH=g7U#jV`^&
zFvn)mga!AtZkEUYS3RvY|Noag?Xq8I&flgR!#v{y&+LN%jcevrMZ7F8z1+6v#s;nG
zn)RJp-gW`$`g3<}Sh>zfN#?^Y-nf?UTxqPl#eq3ps-4^`qLN&7Ju`$@r(R!uFe@dS
zNtB^|cd~o3$m8AWlJA%gd5Y)1f3%em<g|Iqi;w^CQhzw*6~FGiN56Uczui!}JKOYt
zxBVpNsf*Yz*!*Fww%mC8bZGj+cJ1>wKDlv*MLg<cQBA&5bxhWzS;uMhmimgT;caTH
z(R-`1Jqr(({l3FI;r0_FE{VG9j@5My2W<lXFF3POajVg)_6?5>S|9Ecu#a&u*u8I!
zN9D%P!OV><3`~s;>8eu>Uaz_REAC|}@7F-#8iwr!*6-^6<!mrY*?2(C^~2<Sn@&{C
zX%*lssGZ(%?Cjb-7b31OAKlUV@9g?gw~XE+qE#!q3vXu$IxT;jF~#MTg7XoUgBlX6
zPd_aTGxzR!*y_F3SFP0H1B*Wk*R>62?tahTI$?Y1%)@>^3}?>mF9`BMNg~Yp3<f$(
xA|CU#oLQAhr&_LPd*Z4xFU6kYW+Ib_X6Cl?kNJ;#PV^aM*eED?u2DPo766qf1H}LU
index ad2a39bcefb5d9b521f9d9a5b5707a912c9ffd6b..79795850171c81c728430ece330b041a35e3aa57
GIT binary patch
literal 610
zc$_n6Vu~|pVv<?F%*4pV#KO2JN7aCvjWeOmgE5tvg_+4f*ig`bpN%<`g_(yVr8rSH
zInm$SKu(<3(8R#p(Adz_#KOotN}SgS#5I6&4WtYu48$Os_(7U7^Gci&Qy_Yq7-s>o
zBpbU{o5wi|7Dgb4hpCcb&hfwr`j<{^{k7~~aAQhYso;ajGBNyj{&Y{>YBurhGVAZP
zU6vW4w{O4HTHG<swKA$OB;d6=??t}rGwsBkr+Yt8)jid?fqDN%huMZvT6=82?qS#e
zp=;;n7G^U2kk~;9n+JCs^@P<tzF2%pbJbw1`H__9^jNlOUNMs>L+`rqM5idvs8jK|
zMkn~!iJuHhJk3-QerH;1!nr?J(`pL$D_V+OvWQ9W4d1lWbCMeWl!Ym#O-0Y1_62hb
z2~Rrn_Qx;%9%1QkkM`Dn+?Kl~<ZxN3r*z-pa6N_Bv+f-hv5T3zct>BPe#WPU1n;><
z8Eaq52{FYzm_5~AYSUF-y+ap1`D$K_5<c`mXQ{ZIH5+p^15<_XiqA*gzDihD|N5Y9
zqOz%mQ?sl*yzBBhrbXTHXZ?=}?md#G7rZIinajH8?7@w<9;`U<uKb5USi*~-z{qxw
z+8rY4AAT;{qiNIfrC1_m*}nz6Up8BO=dhdB{!K7x`_zAooY6PtSG=wimC&(_yq{8H
z#jw2D{1Bt+t;NCykm!~bW@P-&!fL<_q)-wBvp$1?4wDGy=V!}Pidydm86UQ>-1Lj_
f`HDhWCJ~0?tE)2D`tQgrSy6b7>DDxP)wzxUbIt9~
index 035ac42e0c72c98716487764adf9a7970cf1db85..09476591dc20b5b84e48f170c679cdc4d39ac768
GIT binary patch
literal 640
zc$_n6VyZD{VzOGm%*4pV#KJhm^@ssC8)rhB2V*KT3p0~}h@p^y02^~C3o{RAN^zoY
za-vgWih-Osuc3*7xuLP4sfmS=d6YP>5r}I5<r+vCN*IVibn%09W#*Omdqed$F>VK9
z9X58YHji@_EQ~;oJX2#M!~Gbi`TPIH=G{5-+;NFjs6RK?ftCr)IdU&_qf0L`%&}QC
zVZnW^o8|HURZnZp|NmuAyX@DQ^S9~7FwgkFGy7mb<C=L@5iiS2FSqTvu|cc4W__oY
zw_QNG{@h&~R<1KrlKHTUH?HM7R~jpCabQlDYA5%Ks3cci&kP~fsn=H@%u2~-5@l%L
zo$Q`0@_4tp<U8g=p5poMA8lm>Ic?tZ;^RNO)E`cH#jkts(QlsqZ#R_g&Ne;ZZ9mC*
z>LT_FHh);FEjQji9h&~IUHklvPi~xH5sx}qRFkh%9g{U_)^S?BrM}{7c$*q)^xmp$
z&%%Rczwa<lxc$V4OQP<&V|87_L7Tw;3(l-m+-kI{eZyme)`$B9>|<OEcJEu`QMvJR
zFmq!I15;yz<FY8f$wIgI?C<L@Kd19n>%WJ=p2&%kQ88iCj`rso<+yG8xK<iO$97Hn
zxxRMMJ;$&~54c15gEZb-dst4hl0V(fc&BgT{`p=$o)K3Ce+4{{^?3Hh{?^yL#M2gm
zE9<ncz4d>dqG9@hyZyxFGafMxy%%5iJTrIC+OXxFLAZ=5N9<x@13?3RV6@5#Gcx{X
zVKra|QYguVS)ai`he@Q&wYla~%>VDHjtbVVzn(2w_GZ%>CXtwx+mg=j5AbS^VSi=o
LocU&7bfPc-BM1Qc
index 4a1a9a91fb2e17e13d99a05115e825702b95bbfd..c12bf8851064c59d9abe94e33878c1e6766d0ae8
GIT binary patch
literal 639
zc$_n6VyZT1VzOMo%*4pV#KLH*zrui<jWeOmgE5tvg_+4f*ig`bpN%<`g_(yVr8rSH
zInm$SKu(<3(8R#p(Adz_#KOotN}SgS#5I6&4I~Z44MZWD_&}O6^Gf`^AzGUlcL1>t
z8@pDU$2kiYMj%I?sj-paevH%n{r_U~?won<xWp>dpPTDI%Y^0}xfi<8r573I*esf`
z;J(()^7#L%r?uw)|FWlD_Up{~+jL`?XMEt9eK4SL&Ah6Jm*u6G+xFbppjBP7zEjKF
zE+Ach?ye0h*BL3veAvYs*Yce!jg_}JFsDnklY2!}lB=#~h7jx2>#GlDrDQXSGPLhb
zc25?0yjxxJ9rGbi@%;CXwlad8Hg9?H@gH9552w81*S+`XH&6e!8%lR)n;!7CpX5As
z5&H$3KdjZ38*iTuO@G*~eg4KLH_ot#N1ZIH$ych5$(l6lIIZ4NUvV|OO^r2rZ&kKu
z;lZ-scbF&KeqzKWQFq<3x~}1%P2m3pXI3h1HCola;juyM!+iqwF)jwX_pR}$-1s?|
zxv`Z2<c{fU70zFM#kHaL<7$<~I~eQ^i!CZx{3zl0*$CBNRXaGFBWITfENER`e8B&v
z?D~l4vvE}|8yk7oEuFW?_VVka`wp)D`k-rDX88Vo_r7bZY!+Vo(WR-+%<%Basjr(S
zgvjjvr}e?9<kc3An6jT@3;%95xH2Q+>Q^@nd%?8qrKf#LubV9vHh`oBSz$)T|17Kq
z%s>hywJ_^580avG$U9szdb#dumfSg$QscR2|30`Bsm3ItXVtLTK}oy1LE>fSGG2zA
Ji<%8@004}x2Ic?&
deleted file mode 100644
index eabede0ac26ab3d3eabc6e175c14ffc35b0d66ec..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index c2f4fdf85865e54b4eee235bca2bdffe94b7f0b2..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 3be15bfe7840fd23cf980260e9e9d9a2f7d6147a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index f04231307a4fd4d41beb058e5bfd75261cc4c5b0..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 0d7a0fe87b6e83f66f2a06a7dfd0d2fe9cee5543..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 50d382c3117549d5f764a8a57cff1760e175f17e..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 3147b266c44938b472deebeae887c6d8c923f900..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 660da8e45d9aeb8a0857c4f6f6acdafa260b6dcc..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
--- a/security/manager/ssl/tests/unit/test_keysize/generate.py
+++ b/security/manager/ssl/tests/unit/test_keysize/generate.py
@@ -13,227 +13,126 @@ sys.path.append(libpath)
 
 import CertUtils
 
 srcdir = os.getcwd()
 db_dir = tempfile.mkdtemp()
 dsaBad_param_filename = 'dsaBad_param.pem'
 dsaOK_param_filename = 'dsaOK_param.pem'
 
-ca_ext_text = ('basicConstraints = critical, CA:TRUE\n' +
-               'keyUsage = keyCertSign, cRLSign\n')
+ca_ext_text = 'basicConstraints = critical, CA:TRUE\n'
 ee_ext_text = ''
 
-aia_prefix = 'authorityInfoAccess = OCSP;URI:http://www.example.com:8888/'
-aia_suffix = '/\n'
-
-mozilla_testing_ev_policy = ('certificatePolicies = @v3_ca_ev_cp\n\n' +
-                             '[ v3_ca_ev_cp ]\n' +
-                             'policyIdentifier = ' +
-                             '1.3.6.1.4.1.13769.666.666.666.1.500.9.1\n\n' +
-                             'CPS.1 = "http://mytestdomain.local/cps"')
-
-generated_ev_root_filenames = []
-
-def generate_and_maybe_import_cert(key_type, cert_name_suffix, base_ext_text,
-                                   signer_key_filename, signer_cert_filename,
-                                   dsa_param_filename, key_size, generate_ev):
-    """
-    Generates a certificate and imports it into the NSS DB if appropriate.
-
-    Arguments:
-      key_type -- the type of key generated: potential values: 'rsa', 'dsa',
-                  or any of the curves found by 'openssl ecparam -list_curves'
-      cert_name_suffix -- suffix of the generated cert name
-      base_ext_text -- the base text for the x509 extensions to be added to the
-                       certificate (extra extensions will be added if generating
-                       an EV cert)
-      signer_key_filename -- the filename of the key from which the cert will
-                             be signed. If an empty string is passed in the cert
-                             will be self signed (think CA roots).
-      signer_cert_filename -- the filename of the signer cert that will sign the
-                              certificate being generated. Ignored if an empty
-                              string is passed in for signer_key_filename.
-                              Must be in DER format.
-      dsa_param_filename -- the filename for the DSA param file
-      key_size -- public key size for RSA certs
-      generate_ev -- whether an EV cert should be generated
-
-    Output:
-      key_filename -- the filename of the key file (PEM format)
-      cert_filename -- the filename of the certificate (DER format)
-    """
-    cert_name = key_type + cert_name_suffix
-    ev_ext_text = ''
-    subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' %
-                      (key_type, key_size))
-    if generate_ev:
-        cert_name = 'ev-' + cert_name
-        ev_ext_text = (aia_prefix + cert_name + aia_suffix +
-                       mozilla_testing_ev_policy)
-        subject_string += ' (EV)'
-
-    # Use the organization field to store the cert nickname for easier debugging
-    subject_string += '/O=' + cert_name
-
-    [key_filename, cert_filename] = CertUtils.generate_cert_generic(
-        db_dir,
-        srcdir,
-        random.randint(100, 40000000),
-        key_type,
-        cert_name,
-        base_ext_text + ev_ext_text,
-        signer_key_filename,
-        signer_cert_filename,
-        subject_string,
-        dsa_param_filename,
-        key_size)
-
-    if generate_ev:
-        # The dest_dir argument of generate_pkcs12() is also set to db_dir as
-        # the .p12 files do not need to be kept once they have been imported.
-        pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir,
-                                                    cert_filename, key_filename,
-                                                    cert_name)
-        CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename,
-                                         cert_name, ',,')
-
-        if not signer_key_filename:
-            generated_ev_root_filenames.append(cert_filename)
-
-    return [key_filename, cert_filename]
-
-def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
-    """
-    Generates the various certificates used by the key size tests.
-
-    Arguments:
-      key_type -- the type of key generated: potential values: 'rsa', 'dsa',
-                  or any of the curves found by 'openssl ecparam -list_curves'
-      bad_key_size -- the public key size bad certs should have
-      ok_key_size -- the public key size OK certs should have
-      generate_ev -- whether an EV cert should be generated
-    """
+def generate_certs(key_type, bad_key_size, ok_key_size):
     if key_type == 'dsa':
         CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size)
         CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size)
 
     # OK Chain
-    if generate_ev and key_type == 'rsa':
-        # Reuse the existing RSA EV root
-        caOK_cert_name = 'evroot'
-        caOK_key = '../test_ev_certs/evroot.key'
-        caOK_cert = '../test_ev_certs/evroot.der'
-        caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
-        CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename,
-                                         caOK_cert_name, ',,')
-    else:
-        [caOK_key, caOK_cert] = generate_and_maybe_import_cert(
-            key_type,
-            '-caOK',
-            ca_ext_text,
-            '',
-            '',
-            dsaOK_param_filename,
-            ok_key_size,
-            generate_ev)
+    [caOK_key, caOK_cert] = CertUtils.generate_cert_generic(
+                                db_dir,
+                                srcdir,
+                                random.randint(100, 40000000),
+                                key_type,
+                                key_type + '-caOK',
+                                ca_ext_text,
+                                dsa_param_filename = dsaOK_param_filename,
+                                key_size = ok_key_size)
 
-    [intOK_key, intOK_cert] = generate_and_maybe_import_cert(
-        key_type,
-        '-intOK-caOK',
-        ca_ext_text,
-        caOK_key,
-        caOK_cert,
-        dsaOK_param_filename,
-        ok_key_size,
-        generate_ev)
+    [intOK_key, intOK_cert] = CertUtils.generate_cert_generic(
+                                  db_dir,
+                                  srcdir,
+                                  random.randint(100, 40000000),
+                                  key_type,
+                                  key_type + '-intOK-caOK',
+                                  ca_ext_text,
+                                  caOK_key,
+                                  caOK_cert,
+                                  dsa_param_filename = dsaOK_param_filename,
+                                  key_size = ok_key_size)
 
-    generate_and_maybe_import_cert(
-        key_type,
-        '-eeOK-intOK-caOK',
-        ee_ext_text,
-        intOK_key,
-        intOK_cert,
-        dsaOK_param_filename,
-        ok_key_size,
-        generate_ev)
+    CertUtils.generate_cert_generic(db_dir,
+                                    srcdir,
+                                    random.randint(100, 40000000),
+                                    key_type,
+                                    key_type + '-eeOK-intOK-caOK',
+                                    ee_ext_text,
+                                    intOK_key,
+                                    intOK_cert,
+                                    dsa_param_filename = dsaOK_param_filename,
+                                    key_size = ok_key_size)
 
     # Bad CA
-    [caBad_key, caBad_cert] = generate_and_maybe_import_cert(
-        key_type,
-        '-caBad',
-        ca_ext_text,
-        '',
-        '',
-        dsaBad_param_filename,
-        bad_key_size,
-        generate_ev)
+    [caBad_key, caBad_cert] = CertUtils.generate_cert_generic(
+                                  db_dir,
+                                  srcdir,
+                                  random.randint(100, 40000000),
+                                  key_type,
+                                  key_type + '-caBad',
+                                  ca_ext_text,
+                                  dsa_param_filename = dsaBad_param_filename,
+                                  key_size = bad_key_size)
 
-    [int_key, int_cert] = generate_and_maybe_import_cert(
-        key_type,
-        '-intOK-caBad',
-        ca_ext_text,
-        caBad_key,
-        caBad_cert,
-        dsaOK_param_filename,
-        ok_key_size,
-        generate_ev)
+    [int_key, int_cert] = CertUtils.generate_cert_generic(
+                              db_dir,
+                              srcdir,
+                              random.randint(100, 40000000),
+                              key_type,
+                              key_type + '-intOK-caBad',
+                              ca_ext_text,
+                              caBad_key,
+                              caBad_cert,
+                              dsa_param_filename = dsaOK_param_filename,
+                              key_size = ok_key_size)
 
-    generate_and_maybe_import_cert(
-        key_type,
-        '-eeOK-intOK-caBad',
-        ee_ext_text,
-        int_key,
-        int_cert,
-        dsaOK_param_filename,
-        ok_key_size,
-        generate_ev)
+    CertUtils.generate_cert_generic(db_dir,
+                                    srcdir,
+                                    random.randint(100, 40000000),
+                                    key_type,
+                                    key_type + '-eeOK-intOK-caBad',
+                                    ee_ext_text,
+                                    int_key,
+                                    int_cert,
+                                    dsa_param_filename = dsaOK_param_filename,
+                                    key_size = ok_key_size)
 
     # Bad Intermediate
-    [intBad_key, intBad_cert] = generate_and_maybe_import_cert(
-        key_type,
-        '-intBad-caOK',
-        ca_ext_text,
-        caOK_key,
-        caOK_cert,
-        dsaBad_param_filename,
-        bad_key_size,
-        generate_ev)
+    [intBad_key, intBad_cert] = CertUtils.generate_cert_generic(
+                                    db_dir,
+                                    srcdir,
+                                    random.randint(100, 40000000),
+                                    key_type,
+                                    key_type + '-intBad-caOK',
+                                    ca_ext_text,
+                                    caOK_key,
+                                    caOK_cert,
+                                    dsa_param_filename = dsaBad_param_filename,
+                                    key_size = bad_key_size)
 
-    generate_and_maybe_import_cert(
-        key_type,
-        '-eeOK-intBad-caOK',
-        ee_ext_text,
-        intBad_key,
-        intBad_cert,
-        dsaOK_param_filename,
-        ok_key_size,
-        generate_ev)
+    CertUtils.generate_cert_generic(db_dir,
+                                    srcdir,
+                                    random.randint(100, 40000000),
+                                    key_type,
+                                    key_type + '-eeOK-intBad-caOK',
+                                    ee_ext_text,
+                                    intBad_key,
+                                    intBad_cert,
+                                    dsa_param_filename = dsaOK_param_filename,
+                                    key_size = ok_key_size)
 
     # Bad End Entity
-    generate_and_maybe_import_cert(
-        key_type,
-        '-eeBad-intOK-caOK',
-        ee_ext_text,
-        intOK_key,
-        intOK_cert,
-        dsaBad_param_filename,
-        bad_key_size,
-        generate_ev)
-
-# Create a NSS DB for use by the OCSP responder.
-CertUtils.init_nss_db(srcdir)
+    CertUtils.generate_cert_generic(db_dir,
+                                    srcdir,
+                                    random.randint(100, 40000000),
+                                    key_type,
+                                    key_type + '-eeBad-intOK-caOK',
+                                    ee_ext_text,
+                                    intOK_key,
+                                    intOK_cert,
+                                    dsa_param_filename = dsaBad_param_filename,
+                                    key_size = bad_key_size)
 
-# TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of
-# bits to the next multiple of 8 - therefore the highest key size less than 1024
-# that can be tested is 1016, less than 2048 is 2040 and so on.
-generate_certs('rsa', '1016', '1024', False)
-generate_certs('rsa', '2040', '2048', True)
-
-generate_certs('dsa', '960', '1024', False)
+# SECKEY_PublicKeyStrengthInBits() rounds up the number of bits to the next
+# multiple of 8 - therefore the highest key size less than 1024 that can be
+# tested at the moment is 1016
+generate_certs('rsa', '1016', '1024')
 
-# Print a blank line and the information needed to enable EV for any roots
-# generated by this script.
-print
-for cert_filename in generated_ev_root_filenames:
-    CertUtils.print_cert_info_for_ev(cert_filename)
-print ('You now MUST update the compiled test EV root information to match ' +
-       'the EV root information printed above.')
+generate_certs('dsa', '960', '1024')
deleted file mode 100644
index dba491b555c9bb73295e2308200897bb07a907c4..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_keysize/pkcs11.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-library=
-name=NSS Internal PKCS #11 Module
-parameters=configdir='sql:/home/m-c_drive/mozilla-inbound/security/manager/ssl/tests/unit/test_keysize' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
-
index b7ff2c94e03e8e855ec42946ed5cfae2e4351837..f7079a333a18af457a124c02931266d2f500c1b2
GIT binary patch
literal 438
zc$_n6V%%iV#3-|XnTe5!iG|^`td9XN8>d#AN85K^Mn-N{1_Kd8Ap-$6=1>-99?qiT
zMBU^>r^FNkIdNV?69aQYV?$FD3nTL=ab6=3*8s}Jp{sEovgwSh49tx^3<ixIOpOf;
z2SnDmc|EB7<ojyw>K+Mkxf5m2H19_9x84&EXAfBXTQlc`SH_jocN!bls|zWoX<QcL
z_@*kHH`_|;P3Kc>ZSmzkJKoFa9caq(`?UE(n$(nE`sc(#LLdLlbv}1~Wpd%dNg5VB
zo6bgGx$)lGe*4<UZOYBl60EPr^IV=+xvI8iVI~tZBLm}NVFN(}exS2ug&7(Dv#=U4
z11YosVFtR@qW5#J-~W5YQ+`VQ^3GkBapJ}NOK1NdvYa5dCidkiu46l=6)xgF^KV<p
zYE73VpDySxXAwL0-f>C7HWfd=FR$WR7iN4)PhXJD*41EFTgi2D$?Ll-Gdmv0{au&U
rowK+^<gtX>Zr;Y~>YT4H6~0JZt)FCFv*5GI?i&@8ULI=t*H{DqJV&WS
index ab42878ab1455ea8ac473caf0498abe468d222e1..0016f5152ca9fcb536e6cf63c605826391f8da32
GIT binary patch
literal 438
zc$_n6V%%iV#3;RhnTe5!iG^XuI}Zb1HcqWJkGAi;jEvl@3<ko6f(HC-%%LpIJRC*E
ziMq*&{@w<1;=G0?2IhvwhNdPKMrKjsyhb3d0hEhfQ{#MOvl&?#m>YW;3>rI`8XFm2
zRA=8RI#nIGrpDekFjM|#m#fGVE#5bCD)LV-3bYu@it90OGKnwx^5FUu@s+oC%~N=>
z>MZj^fzLjfIlZFJ&nh&QZ7M3Qwb9pHo*{4ghdc7${q)TaJKhS+h+x_`&!aEGF)vCa
zXitw_hg?kM+xw-LW;dxQOg5~!zGA9wSyjXAtxU{}42+9~4Is{z6=r1o&%$cJ45ZM)
zgBj@9ODlh-=Bn0OEGfD>rE8JAq|i@!eVzKR4AJ*zEsnc(ZQHE{t>Q%~VpE?<CH#FF
z&$~46y1}DOyF*ncuK9YS%cxdyXW8$6Ei>Nfe@NBVdV8!@c=!J{-xEb^_I}<xNo&s!
oCmyc#DW1DC=gw`vdtK7(x4r;(VCsZ|nz>@7GHaL2eNeLr08zZ70RR91
index 2ec11beb7a00d95f163c485082461ccfbd7c4c44..7397577653cc496ac8f07e8b7351fe4af172cb1b
GIT binary patch
literal 434
zc$_n6Vq9m?#3;UinTe5!iG|^w;#vb<HcqWJkGAi;jEvl@3<i>h;s&B@%%LpIJbXpP
ziMpA2CH~&J$%+2n26E!Oh9(B)hQ@}bCKg8KQR2KtAg%$FYankZYak8LDgx4)n(CC8
zf^0zJJY?G#Ss9ocdl(EFJD3_97%slbUFPybPiM>Njw(J@t4J4?J_~(y_xkA{OPv)f
z-|bkj`ecmW<27<;PU?M34LJDy-~uVL4flk$l{lR;@&0sUlEsGdWtJIhKh0CKFAe&a
zB(^fbeaVk4jk_H#Eq7`xk@+_3?A=)}nKZg>B#);o*#BAnpZRgNsO7J7o?i14RJdx%
z#LURRh!z&ijg1Uy1}nD(${qT?;It;kLg6Imh^NcGT=*xO#HS^7#3u5?rzf+&$1OMF
zRP5g^xc^nokAH=Y$11Cqf1CKO_wF;(^a{O4h2Q0B3@oEsBGx=zZq&${;Ogo4W`$6X
u)szUe%g#QAv!9zLu&=Xu+!1;zhD&43%ZCQ>89Keb(-r>hy6inEO%4EWv!>nv
index bd23f70d7506a3dcb8c84f5c65a8299fe5de1ade..f8d60726e084558f2f7dc76e0c589b359b21182a
GIT binary patch
literal 435
zc$_n6Vq9;~#3;FdnTe5!iG|Va2D<?-8>d#AN85K^Mn-N{1_LQW2?H@U=1>-99{!@@
zMBU815~suz-Q+}nZv#1TUPBWDb3<c8Qxgj#^C)p%BM{dB$~BNTlr@ls=oJC!O-=Rp
zMlqmqKC*R;tPISJy$lA8olK3543G8RTv+LH_v_E~TSW`5XIgcKs@(FM|3u-2_Sf1!
z{XZ|)G@X!Ek6JFjX7a71j)^>BF+c5B*Y9&>yPETKPUqG>B{y}?tIwvK^<VnykUHCu
zl&QW!tejVwAO1S?Qt|x6cXKEHon<F-X?}FajH4=Vqw_i3a^#i^AGiGy&ipurWtO;A
zEfX^%10z~!FgG?Z@E>lx5hIaU@vUL+qN`<AS$a#DZ_7OXxvyF=<Ia`6zuzaRq>21~
z68JHOy<YQa2zz>_-TJ_<1&*Is8_!K&xGgm~L%QWUo8ZJ7S0^aHvRU4DI?_P8c2Cv0
vsz)L&4oS;=*K9vN_muCVC;O(RZQi~-jWs__T%qLB|N1p1HG3O-R_Or%=;Er3
index 8ad88d3f551804afa4cbd6739cec647cfe3735d8..5ec9faf69dfe2fb5754b3066887b16bba2090b32
GIT binary patch
literal 436
zc$_n6V%%WR#3;FdnTe5!iG|@y)m8&uHcqWJkGAi;jEvl@3<gq$5(Z*y%%LpIJp4t)
ziMpA2CH~&J$%#&hDF$-lyoM$Q=7z?GrY06f=27CjMj);MlxrYwC~F`M(JKPdo0<yL
ziflmRd}QkwSs9ocdl?KGJDD0A8EzEG&em_5@l>s{_T<x-l|K$hbbLBn<6a)@dt@(T
z^j*o?kIRyhTGe~cyxnECFS)b+!divC<xe+OUrfn)d48gil;#yT#Yc>dY<x??-?ird
zF3>ntymo`oQ7(};D<%iXIr)8m%lkL}Oy4x=H%^KlY{NtBXPHeA?(dHMe_B9CW?^h2
z6Eh<NBU)%M1KlOHzvEK=>Z2l+>o?kpe*L^Q@64|kicy<qp6+?E(^~cV*|M(%0^1`p
z&wkL`n)*j!-;0RJ#ph2{&iwe$X#Ms8HO&{#A2>2jI-Is%u-?S3U~8mFK<S}GE@4aS
uwX+?A)0g^s&6e_bdAqx*>u!4G#=U#$=jrfhos?Z>a6-k8zuYR8Hx>YGI;jBw
index be843f5263e288faad1ee2be7e75fa46da6f3708..94dfef87e0e90302740d7280c42f1bbd7599b625
GIT binary patch
literal 434
zc$_n6Vq9m?#3;UinTe5!iG}h0=kEr*Y@Awc9&O)w85y}*84M&1#SKK+m_u2ZdH9No
z6LmB5O8mWblN0^D4dldm4NVNp4UG*=O)QMeqQrTPKwJYT*Fert#y|?9RT!i-H5I56
zNq^&fWXl*?8JHV;84MabnHn1zuB^HEMl4f2HL!L2wC_{SvR`$s+NYaip*Nw-bKb{z
z8;;BGj(mNW&8-nyoV9)O)ToPM0nAcMk2qC6_PcOp+LrF5bFUB1*}M4uvZG2`85#4w
z-#@+P%1MDoAM~HbUHri&@kMIRyg$8~U(^cRK0P{n_3KW<?Pq&M44M?#?iX%9xaI1h
zlT6Hv42)=D!3=bl-Gejpo@f90@$z}Y@;-<8ag3|JA9WE-%*(2e59aS$vx-0ai+9Bh
zv#>{B$`ZG2X1qQ<^+n&ku8ro&cO;KaGd<@wq33Bu^VaJ>{kJNFM7nQcbI@~G9l!p+
vRi1vgvFF)C^Y71CEA8=3<MynTE2b>ARfrLaZ`~2hHaE+Wqs{ZTe>*b(M76Lp
index 58b688db61cf13ec39a953cf2167b3600d4d9a25..707d0004daf4ea55bd44da53451e5ce96065e5f3
GIT binary patch
literal 444
zc$_n6V%%ZS#HhG{nTe5!iG@k}ZK(k-8>d#AN85K^Mn-N{1_NP3K?8m^=1>-99*&~o
zMBU^>e{Tahab80c19L-TLsJtABl9S6ULz3K0LnFxGL$e7gJ|LhY0AtiaY{^q=xv;b
zYy~4L19M{!gF#~lQ)2_exy)Ji(+~Y$QTQ`)0rRQp3?6*fwdT%9eZDF0^`eLVM_+L7
z{nV_lKP4~w^r20L+CCTa-UW3C^PS|<nLaI2`Py;;)ws7>+V!e$C#s8_b-yVh#_@84
zw0dPj<iqRMcFXRuA9mY&tv<*pg*oK%fA*t2-2P3g@1ESeYVzWe5~r1apT1;bW@KPo
zENlSrv8*s7<9`-b17;wF7Ank*jSPJL5BZkmRtTlN(X2mrBYDc6O}9El%DcES?tc1h
z&$rw&dg`TZOP(EPes<O+VYclD6XDR`<t)wS^MvzzWxlFTY2na%U-8<}EA3u<sUX{i
zwd-4J8}hsNGR(T|dLZb|!J0)^g|7Vj_ULSq{$uMs&x}m2q`K+^DCEoZwcnrpQfuX;
F2mlV*r?db7
index 26f46a1bbc47f0d42c3b2ca49b0a2515a9505714..b7391c49ab365f162407d3e272a5e35fddf2c038
GIT binary patch
literal 445
zc$_n6V%%xa#HhT0nTe5!iG`v2S+4;v8>d#AN85K^Mn-N{1_Kd8Ap-$6=1>-99?qiT
zMBU^>r^FNkIdNV?69aQYV?$FD3nTL=ab6=3*8s{jkTR4o5QFIA2kFYpEAjV+>TR5l
zYzHGN19M|9gF#~_Q)45;b}t9!&f0|^IG^nmlDzHqApF2f?YjE%MS8)P^c?GNu6h4s
z)5nZpov;&!4Nn({H#C(rFMK0w_3*m;%e{{;YzyA9v~P*UJWeO?d-rQ&eYjdqeD1#`
z?k}G_-#g*&W{cp{yWOMnA7_1S><fQf5mTc4u=Ga5A%8KRS+^_~d^_0a&}YlU%*epF
zSlB?&fFJ03Sz$)T|17Kq%s>h)T$mdh7(xX9I^Fsuz31&B=gSu^3*K)myXt)|_K}v(
z?@gs?O+CyDw?De3*Z5j^J7Z2??sbMmVS>UUeXHx7A1(LJ{M@+hNrFeM*<$<a8kM#>
z-;%NvV-vTxtm@mZxb(|iamkl+6MBW!GHi{Xt+w<1YQ(j!{*=e>`OIG`z4k4ON&B&)
Hz9|X-mm#Y<
index 74c7eddfcac8594e6ad1d78d40ccb43e1caeeb8c..d41c1cb05c90f8e10e0453581b3aee6e0c63ad00
GIT binary patch
literal 444
zc$_n6V%%ZS#HhG{nTe5!iG@+@VXgr$8>d#AN85K^Mn-N{1_NP3K?8m^=1>-99*&~o
zMBU^>e{Tahab80c19L-TLsJtABeN)RULz3K0LnFxG!!=wg=pdfY0Ati@%M&kZJdv6
z10yQ~b7L=qL1QOVV<W?cuO1<f`C1=+eEd_KXXc0P70aT&%ru*+_|UpgRb}s`ZI4$a
zbI-ZCY1XrJ*B)*oRyKRZQ$iDd``2;rN?bFeY|HGhZw`XRxwc7v9n&{hb%bo5b6@ZM
znfZIy&Esy#{#bPFL)@!w|9kVa)>_Cs);~7EZuVk>+AMkNC0D*ZVw$~us+v6$Gb01z
zVqpV_k7b1!8UM4e8ZZMXv`}FNI(Ao0z$xaru9w(8_=Zkj$GxQVkJGG~y5edwhpt@V
z<Ko<vvC~w%o#*S3(>7Jo*ZwqJPB^kLHgp2#*|Ue%nb<Ku_ndu8R52me_~sN#^;sqY
z5#5u_Bo$4xZP}z}9@(|WZu9Yvx71zgl@u@AFKKG(dX|0Zzv}MPJ5v3dugmYUaCQsm
F1OS9!qyhi{
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ /dev/null
@@ -1,154 +0,0 @@
-// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
-// Any copyright is dedicated to the Public Domain.
-// http://creativecommons.org/publicdomain/zero/1.0/
-"use strict";
-
-// Checks that RSA certs with key sizes below 2048 bits when verifying for EV
-// are rejected.
-
-do_get_profile(); // Must be called before getting nsIX509CertDB
-const certDB = Cc["@mozilla.org/security/x509certdb;1"]
-                 .getService(Ci.nsIX509CertDB);
-
-const SERVER_PORT = 8888;
-
-function getOCSPResponder(expectedCertNames) {
-  let expectedPaths = expectedCertNames.slice();
-  return startOCSPResponder(SERVER_PORT, "www.example.com", [],
-                            "test_keysize", expectedCertNames, expectedPaths);
-}
-
-function certFromFile(filename) {
-  let der = readFile(do_get_file("test_keysize/" + filename, false));
-  return certDB.constructX509(der, der.length);
-}
-
-function loadCert(certName, trustString) {
-  let certFilename = certName + ".der";
-  addCertFromFile(certDB, "test_keysize/" + certFilename, trustString);
-  return certFromFile(certFilename);
-}
-
-function checkEVStatus(cert, usage, isEVExpected) {
-  do_print("cert cn=" + cert.commonName);
-  do_print("cert o=" + cert.organization);
-  do_print("cert issuer cn=" + cert.issuerCommonName);
-  do_print("cert issuer o=" + cert.issuerOrganization);
-  let hasEVPolicy = {};
-  let verifiedChain = {};
-  let error = certDB.verifyCertNow(cert, usage, NO_FLAGS, verifiedChain,
-                                   hasEVPolicy);
-  equal(hasEVPolicy.value, isEVExpected);
-  equal(0, error);
-}
-
-/**
- * Adds a single EV key size test.
- *
- * @param {Array} expectedNamesForOCSP
- *        An array of nicknames of the certs to be responded to. The cert name
- *        prefix is not added to the nicknames in this array.
- * @param {String} certNamePrefix
- *        The prefix to prepend to the passed in cert names.
- * @param {String} rootCACertFileName
- *        The file name of the root CA cert. Can begin with ".." to reference
- *        certs in folders other than "test_keysize/".
- * @param {Array} subCACertFileNames
- *        An array of file names of any sub CA certificates.
- * @param {String} endEntityCertFileName
- *        The file name of the end entity cert.
- * @param {Boolean} expectedResult
- *        Whether the chain is expected to validate as EV.
- */
-function addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
-                             rootCACertFileName, subCACertFileNames,
-                             endEntityCertFileName, expectedResult)
-{
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
-
-    // Don't prepend the cert name prefix if rootCACertFileName starts with ".."
-    // to support reusing certs in other directories.
-    let rootCertNamePrefix = rootCACertFileName.startsWith("..")
-                           ? ""
-                           : certNamePrefix;
-    loadCert(rootCertNamePrefix + rootCACertFileName, "CTu,CTu,CTu");
-    for (let subCACertFileName of subCACertFileNames) {
-      loadCert(certNamePrefix + subCACertFileName, ",,");
-    }
-    checkEVStatus(certFromFile(certNamePrefix + endEntityCertFileName + ".der"),
-                  certificateUsageSSLServer, expectedResult);
-
-    ocspResponder.stop(run_next_test);
-  });
-}
-
-/**
- * For debug builds which have the test EV roots compiled in, checks for the
- * given key type that good chains validate as EV, while bad chains fail EV and
- * validate as DV.
- * For opt builds which don't have the test EV roots compiled in, checks that
- * none of the chains validate as EV.
- *
- * Note: This function assumes that the key size requirements for EV are greater
- * than or equal to the requirements for DV.
- *
- * @param {String} keyType
- *        The key type to check (e.g. "rsa").
- */
-function checkForKeyType(keyType) {
-  let certNamePrefix = "ev-" + keyType;
-
-  // Reuse the existing test RSA EV root
-  let rootCAOKCertFileName = keyType == "rsa" ? "../test_ev_certs/evroot"
-                                              : "-caOK";
-
-  // OK CA -> OK INT -> OK EE
-  // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
-  // will not be done for the "-intOK-caOK" intermediate in such a build.
-  let expectedNamesForOCSP = isDebugBuild
-                           ? [ certNamePrefix + "-intOK-caOK",
-                               certNamePrefix + "-eeOK-intOK-caOK" ]
-                           : [ certNamePrefix + "-eeOK-intOK-caOK" ];
-  addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
-                      rootCAOKCertFileName,
-                      ["-intOK-caOK"],
-                      "-eeOK-intOK-caOK",
-                      isDebugBuild);
-
-  // Bad CA -> OK INT -> OK EE
-  expectedNamesForOCSP = [ certNamePrefix + "-eeOK-intOK-caBad" ];
-  addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
-                      "-caBad",
-                      ["-intOK-caBad"],
-                      "-eeOK-intOK-caBad",
-                      false);
-
-  // OK CA -> Bad INT -> OK EE
-  expectedNamesForOCSP = isDebugBuild
-                       ? [ certNamePrefix + "-intBad-caOK" ]
-                       : [ certNamePrefix + "-eeOK-intBad-caOK" ];
-  addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
-                      rootCAOKCertFileName,
-                      ["-intBad-caOK"],
-                      "-eeOK-intBad-caOK",
-                      false);
-
-  // OK CA -> OK INT -> Bad EE
-  expectedNamesForOCSP = [ certNamePrefix + "-eeBad-intOK-caOK" ];
-  addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
-                      rootCAOKCertFileName,
-                      ["-intOK-caOK"],
-                      "-eeBad-intOK-caOK",
-                      false);
-}
-
-function run_test() {
-  // Setup OCSP responder
-  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
-
-  checkForKeyType("rsa");
-
-  run_next_test();
-}
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -101,21 +101,16 @@ run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"
 [test_ocsp_no_hsts_upgrade.js]
 run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"
 [test_add_preexisting_cert.js]
 [test_keysize.js]
-[test_keysize_ev.js]
-run-sequentially = hardcoded ports
-# Bug 1009158: this test times out on Android
-# Bug 1008316: B2G doesn't have EV enabled
-skip-if = os == "android" || buildapp == "b2g"
 [test_cert_chains.js]
 run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"
 [test_client_cert.js]
 run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"