bug 1290613 - test_ev_certs.js cleanup r=Cykesiopka,mgoodwin
authorDavid Keeler <dkeeler@mozilla.com>
Mon, 01 Aug 2016 17:01:27 -0700
changeset 312058 fabfb2ff761eace61d0433e4d6e3d74e0cba193e
parent 312057 d465e3e3b6f27c6ac6296150b68d0b951f1d2e61
child 312059 23162c502edcdf9aff8a48aa28822815719b1a0e
push id31891
push userdkeeler@mozilla.com
push dateWed, 31 Aug 2016 16:22:47 +0000
treeherderautoland@fabfb2ff761e [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersCykesiopka, mgoodwin
bugs1290613
milestone51.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1290613 - test_ev_certs.js cleanup r=Cykesiopka,mgoodwin MozReview-Commit-ID: KcCV161J3qV
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/tests/unit/head_psm.js
security/manager/ssl/tests/unit/test_ev_certs.js
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem
security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem
security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key.keyspec
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem
security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/moz.build
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -1518,17 +1518,16 @@ VerifyCertAtTime(nsIX509Cert* aCert,
   NS_ENSURE_TRUE(nssCertList, NS_ERROR_FAILURE);
 
   if (srv == SECSuccess) {
     if (evOidPolicy != SEC_OID_UNKNOWN) {
       *aHasEVPolicy = true;
     }
     *_retval = 0;
   } else {
-    NS_ENSURE_TRUE(evOidPolicy == SEC_OID_UNKNOWN, NS_ERROR_FAILURE);
     NS_ENSURE_TRUE(error != 0, NS_ERROR_FAILURE);
     *_retval = error;
   }
   nssCertList.forget(aVerifiedChain);
 
   return NS_OK;
 }
 
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -558,16 +558,20 @@ function getFailingHttpServer(serverPort
 //
 // serverPort is the port of the http OCSP responder
 // identity is the http hostname that will answer the OCSP requests
 // nssDBLocation is the location of the NSS database from where the OCSP
 //   responses will be generated (assumes appropiate keys are present)
 // expectedCertNames is an array of nicks of the certs to be responsed
 // expectedBasePaths is an optional array that is used to indicate
 //   what is the expected base path of the OCSP request.
+// expectedMethods is an optional array of methods ("GET" or "POST") indicating
+//   by which HTTP method the server is expected to be queried.
+// expectedResponseTypes is an optional array of OCSP response types to use (see
+//   GenerateOCSPResponse.cpp).
 function startOCSPResponder(serverPort, identity, nssDBLocation,
                             expectedCertNames, expectedBasePaths,
                             expectedMethods, expectedResponseTypes) {
   let ocspResponseGenerationArgs = expectedCertNames.map(
     function(expectedNick) {
       let responseType = "good";
       if (expectedResponseTypes && expectedResponseTypes.length >= 1) {
         responseType = expectedResponseTypes.shift();
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -1,338 +1,338 @@
 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 "use strict";
 
+// Tests that end-entity certificates that should successfully verify as EV
+// (Extended Validation) do so and that end-entity certificates that should not
+// successfully verify as EV do not. Also tests related situations (e.g. that
+// failure to fetch an OCSP response results in no EV treatment).
+//
+// A quick note about the certificates in these tests: generally, an EV
+// certificate chain will have an end-entity with a specific policy OID followed
+// by an intermediate with the anyPolicy OID chaining to a root with no policy
+// OID (since it's a trust anchor, it can be omitted). In these tests, the
+// specific policy OID is 1.3.6.1.4.1.13769.666.666.666.1.500.9.1 and is
+// referred to as the test OID. In order to reflect what will commonly be
+// encountered, the end-entity of any given test path will have the test OID
+// unless otherwise specified in the name of the test path. Similarly, the
+// intermediate will have the anyPolicy OID, again unless otherwise specified.
+// For example, for the path where the end-entity does not have an OCSP URI
+// (referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID
+// whereas the intermediate has the anyPolicy OID.
+// For another example, for the test OID path ("test-oid-path-{ee,int}"), both
+// the end-entity and the intermediate have the test OID.
+
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
-const evrootnick = "evroot";
+do_register_cleanup(() => {
+  Services.prefs.clearUserPref("network.dns.localDomains");
+  Services.prefs.clearUserPref("security.OCSP.enabled");
+});
 
-// This is the list of certificates needed for the test
-// The certificates prefixed by 'int-' are intermediates
-var certList = [
-  // Test for successful EV validation
-  'int-ev-valid',
-  'ev-valid',
-  'ev-valid-anypolicy-int',
-  'int-ev-valid-anypolicy-int',
-  'no-ocsp-url-cert', // a cert signed by the EV auth that has no OCSP url
-                      // but that contains a valid CRLDP.
-
-  // Testing a root that looks like EV but is not EV enabled
-  'int-non-ev-root',
-  'non-ev-root',
-];
-
-function load_ca(ca_name) {
-  addCertFromFile(certdb, `test_ev_certs/${ca_name}.pem`, "CTu,CTu,CTu");
-}
+Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,");
 
 const SERVER_PORT = 8888;
 
 function failingOCSPResponder() {
   return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
 }
 
-function start_ocsp_responder(expectedCertNames) {
-  let expectedPaths = expectedCertNames.slice();
-  return startOCSPResponder(SERVER_PORT, "www.example.com", "test_ev_certs",
-                            expectedCertNames, expectedPaths);
+class EVCertVerificationResult {
+  constructor(testcase, expectedPRErrorCode, expectedEV, resolve,
+              ocspResponder) {
+    this.testcase = testcase;
+    this.expectedPRErrorCode = expectedPRErrorCode;
+    this.expectedEV = expectedEV;
+    this.resolve = resolve;
+    this.ocspResponder = ocspResponder;
+  }
+
+  verifyCertFinished(prErrorCode, verifiedChain, hasEVPolicy) {
+    equal(prErrorCode, this.expectedPRErrorCode,
+          `${this.testcase} should have expected error code`);
+    equal(hasEVPolicy, this.expectedEV,
+          `${this.testcase} should result in expected EV status`);
+    this.ocspResponder.stop(this.resolve);
+  }
+}
+
+function asyncTestEV(cert, expectedPRErrorCode, expectedEV,
+                     expectedOCSPRequestPaths, ocspResponseTypes = undefined)
+{
+  let now = Date.now() / 1000;
+  return new Promise((resolve, reject) => {
+    let ocspResponder = expectedOCSPRequestPaths.length > 0
+                      ? startOCSPResponder(SERVER_PORT, "www.example.com",
+                                           "test_ev_certs",
+                                           expectedOCSPRequestPaths,
+                                           expectedOCSPRequestPaths.slice(),
+                                           null, ocspResponseTypes)
+                      : failingOCSPResponder();
+    let result = new EVCertVerificationResult(cert.subjectName,
+                                              expectedPRErrorCode, expectedEV,
+                                              resolve, ocspResponder);
+    certdb.asyncVerifyCertAtTime(cert, certificateUsageSSLServer, 0,
+                                 "ev-test.example.com", now, result);
+  });
+}
+
+function ensureVerifiesAsEV(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let expectedOCSPRequestPaths = gEVExpected
+                               ? [ `${testcase}-int`, `${testcase}-ee` ]
+                               : [ `${testcase}-ee` ];
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected,
+                     expectedOCSPRequestPaths);
+}
+
+function ensureVerifiesAsEVWithNoOCSPRequests(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected, []);
+}
+
+function ensureVerifiesAsDV(testcase, expectedOCSPRequestPaths = undefined) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, PRErrorCodeSuccess, false,
+                     expectedOCSPRequestPaths ? expectedOCSPRequestPaths
+                                              : [ `${testcase}-ee` ]);
 }
 
-function check_cert_err(cert_name, expected_error) {
-  let cert = certdb.findCertByNickname(cert_name);
-  checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
+function ensureVerificationFails(testcase, expectedPRErrorCode) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, expectedPRErrorCode, false, []);
+}
+
+function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let now = Date.now() / 1000;
+  let expectedErrorCode = SEC_ERROR_POLICY_VALIDATION_FAILED;
+  if (expectSuccess && gEVExpected) {
+    expectedErrorCode = PRErrorCodeSuccess;
+  }
+  return new Promise((resolve, reject) => {
+    let ocspResponder = failingOCSPResponder();
+    let result = new EVCertVerificationResult(
+      cert.subjectName, expectedErrorCode, expectSuccess && gEVExpected,
+      resolve, ocspResponder);
+    let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
+                Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
+    certdb.asyncVerifyCertAtTime(cert, certificateUsageSSLServer, flags,
+                                 "ev-test.example.com", now, result);
+  });
+}
+
+function ensureNoOCSPMeansNoEV(testcase) {
+  return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, false);
 }
 
+function ensureVerifiesAsEVWithFLAG_LOCAL_ONLY(testcase) {
+  return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, true);
+}
 
-function check_ee_for_ev(cert_name, expected_ev) {
-  let cert = certdb.findCertByNickname(cert_name);
-  checkEVStatus(certdb, cert, certificateUsageSSLServer, expected_ev);
+function ensureOneCRLSkipsOCSPForIntermediates(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected,
+                     [ `${testcase}-ee` ]);
+}
+
+function verifyWithDifferentOCSPResponseTypes(testcase, responses, expectEV) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let expectedOCSPRequestPaths = gEVExpected
+                               ? [ `${testcase}-int`, `${testcase}-ee` ]
+                               : [ `${testcase}-ee` ];
+  let ocspResponseTypes = gEVExpected ? responses : responses.slice(1);
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected && expectEV,
+                     expectedOCSPRequestPaths, ocspResponseTypes);
+}
+
+function ensureVerifiesAsEVWithOldIntermediateOCSPResponse(testcase) {
+  return verifyWithDifferentOCSPResponseTypes(
+    testcase, [ "longvalidityalmostold", "good" ], true);
+}
+
+function ensureVerifiesAsDVWithOldEndEntityOCSPResponse(testcase) {
+  return verifyWithDifferentOCSPResponseTypes(
+    testcase, [ "good", "longvalidityalmostold" ], false);
+}
+
+function ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(testcase) {
+  return verifyWithDifferentOCSPResponseTypes(
+    testcase, [ "good", "ancientstillvalid" ], false);
 }
 
-function run_test() {
-  for (let i = 0 ; i < certList.length; i++) {
-    let cert_filename = certList[i] + ".pem";
-    addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
-  }
-  load_ca("evroot");
-  load_ca("non-evroot-ca");
-
-  // setup and start ocsp responder
-  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
-  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+// These should all verify as EV.
+add_task(function* plainExpectSuccessEVTests() {
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
+});
 
-  add_test(function () {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function () {
-    clearOCSPCache();
+// These fail for various reasons to verify as EV, but fallback to DV should
+// succeed.
+add_task(function* expectDVFallbackTests() {
+  yield ensureVerifiesAsDV("anyPolicy-ee-path");
+  yield ensureVerifiesAsDV("non-ev-root-path");
+  yield ensureVerifiesAsDV("no-ocsp-ee-path",
+                           gEVExpected ? [ "no-ocsp-ee-path-int" ] : []);
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+});
 
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid-anypolicy-int", "ev-valid-anypolicy-int"]
-                                      : ["ev-valid-anypolicy-int"]);
-    check_ee_for_ev("ev-valid-anypolicy-int", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(["non-ev-root"]);
-    check_ee_for_ev("non-ev-root", false);
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = gEVExpected ? start_ocsp_responder(["int-ev-valid"])
-                                    : failingOCSPResponder();
-    check_ee_for_ev("no-ocsp-url-cert", false);
-    ocspResponder.stop(run_next_test);
-  });
-
-  // bug 917380: Check that explicitly removing trust from an EV root actually
-  // causes the root to be untrusted.
-  const nsIX509Cert = Ci.nsIX509Cert;
-  add_test(function() {
-    let evRootCA = certdb.findCertByNickname(evrootnick);
-    certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
-
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("ev-valid", SEC_ERROR_UNKNOWN_ISSUER);
-    ocspResponder.stop(run_next_test);
-  });
+// Test that removing the trust bits from an EV root causes verifications
+// relying on that root to fail (and then test that adding back the trust bits
+// causes the verifications to succeed again).
+add_task(function* evRootTrustTests() {
+  clearOCSPCache();
+  let evroot = certdb.findCertByNickname("evroot");
+  do_print("untrusting evroot");
+  certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
+                      Ci.nsIX509CertDB.UNTRUSTED);
+  yield ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER);
+  do_print("re-trusting evroot");
+  certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
+                      Ci.nsIX509CertDB.TRUSTED_SSL);
+  yield ensureVerifiesAsEV("test-oid-path");
+});
 
-  // bug 917380: Check that a trusted EV root is trusted after disabling and
-  // re-enabling trust.
-  add_test(function() {
-    let evRootCA = certdb.findCertByNickname(evrootnick);
-    certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
-                        Ci.nsIX509CertDB.TRUSTED_SSL |
-                        Ci.nsIX509CertDB.TRUSTED_EMAIL |
-                        Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
+// Test that if FLAG_LOCAL_ONLY and FLAG_MUST_BE_EV are specified, that no OCSP
+// requests are made (this also means that nothing will verify as EV).
+add_task(function* localOnlyMustBeEVTests() {
+  clearOCSPCache();
+  yield ensureNoOCSPMeansNoEV("anyPolicy-ee-path");
+  yield ensureNoOCSPMeansNoEV("anyPolicy-int-path");
+  yield ensureNoOCSPMeansNoEV("non-ev-root-path");
+  yield ensureNoOCSPMeansNoEV("no-ocsp-ee-path");
+  yield ensureNoOCSPMeansNoEV("no-ocsp-int-path");
+  yield ensureNoOCSPMeansNoEV("test-oid-path");
+});
 
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
 
-  add_test(function () {
-    check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED);
-  });
-
-  add_test(function () {
-    check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
-  });
-
-  add_test(function () {
-    check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
-  });
+// Under certain conditions, OneCRL allows us to skip OCSP requests for
+// intermediates.
+add_task(function* oneCRLTests() {
+  clearOCSPCache();
 
-  // Check OneCRL OCSP request skipping works correctly
-  add_test(function () {
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-    // set the blocklist-background-update-timer value to the recent past
-    Services.prefs.setIntPref("services.blocklist.onecrl.checked",
-                              Math.floor(Date.now() / 1000) - 1);
-    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
-                              Math.floor(Date.now() / 1000) - 1);
-    clearOCSPCache();
-    // the intermediate should not have an associated OCSP request
-    let ocspResponder = start_ocsp_responder(["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
-    ocspResponder.stop(run_next_test);
-  });
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // set the blocklist-background-update-timer value to the recent past
+  Services.prefs.setIntPref("services.blocklist.onecrl.checked",
+                            Math.floor(Date.now() / 1000) - 1);
+  Services.prefs.setIntPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer",
+    Math.floor(Date.now() / 1000) - 1);
 
-  add_test(function () {
-    // disable OneCRL OCSP Skipping (no staleness allowed)
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
-    ocspResponder.stop(run_next_test);
-  });
+  yield ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
 
-  add_test(function () {
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-    // set the blocklist-background-update-timer value to the more distant past
-    Services.prefs.setIntPref("services.blocklist.onecrl.checked",
-                              Math.floor(Date.now() / 1000) - 108080);
-    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
-                              Math.floor(Date.now() / 1000) - 108080);
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  // disable OneCRL OCSP Skipping (no staleness allowed)
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  // Because the intermediate in this case is missing an OCSP URI, it will not
+  // validate as EV, but it should fall back to DV.
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
 
-  add_test(function () {
-    // test that setting "security.onecrl.via.amo" results in the correct
-    // OCSP behavior when services.blocklist.onecrl.checked is in the distant past
-    // and blacklist-background-update-timer is recent
-    Services.prefs.setBoolPref("security.onecrl.via.amo", false);
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-    // set the blocklist-background-update-timer value to the recent past
-    // (services.blocklist.onecrl.checked defaults to 0)
-    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
-                              Math.floor(Date.now() / 1000) - 1);
-    clearOCSPCache();
-    // the intermediate should have an associated OCSP request
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function () {
-    // test that setting "security.onecrl.via.amo" results in the correct
-    // OCSP behavior when services.blocklist.onecrl.checked is recent
-    Services.prefs.setBoolPref("security.onecrl.via.amo", false);
-
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-
-    // now set services.blocklist.onecrl.checked to a recent value
-    Services.prefs.setIntPref("services.blocklist.onecrl.checked",
-                              Math.floor(Date.now() / 1000) - 1);
+  clearOCSPCache();
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // set the blocklist-background-update-timer value to the more distant past
+  Services.prefs.setIntPref("services.blocklist.onecrl.checked",
+                            Math.floor(Date.now() / 1000) - 108080);
+  Services.prefs.setIntPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer",
+    Math.floor(Date.now() / 1000) - 108080);
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
 
-    clearOCSPCache();
-    // the intermediate should not have an associated OCSP request
-    let ocspResponder = start_ocsp_responder(["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    // The tests following this assume no OCSP bypass
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
-    Services.prefs.clearUserPref("security.onecrl.via.amo");
-    Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  // test that setting "security.onecrl.via.amo" results in the correct
+  // OCSP behavior when services.blocklist.onecrl.checked is in the distant past
+  // and blacklist-background-update-timer is recent
+  Services.prefs.setBoolPref("security.onecrl.via.amo", false);
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // set the blocklist-background-update-timer value to the recent past
+  // (services.blocklist.onecrl.checked defaults to 0)
+  Services.prefs.setIntPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer",
+    Math.floor(Date.now() / 1000) - 1);
 
-  // Test the EV continues to work with flags after successful EV verification
-  add_test(function () {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(function () {
-      // without net it must be able to EV verify
-      let failingOcspResponder = failingOCSPResponder();
-      let cert = certdb.findCertByNickname("ev-valid");
-      let hasEVPolicy = {};
-      let verifiedChain = {};
-      let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
-                  Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
-
-      let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags,
-                                       null, verifiedChain, hasEVPolicy);
-      equal(hasEVPolicy.value, gEVExpected,
-            "Actual and expected EV status should match for local only EV");
-      equal(error,
-            gEVExpected ? PRErrorCodeSuccess : SEC_ERROR_POLICY_VALIDATION_FAILED,
-            "Actual and expected error code should match for local only EV");
-      failingOcspResponder.stop(run_next_test);
-    });
-  });
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
 
-  // Bug 991815 old but valid intermediates are OK
-  add_test(function () {
-    clearOCSPCache();
-    let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
-                          "test_ev_certs",
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"],
-                          [], [],
-                          gEVExpected ? ["longvalidityalmostold", "good"]
-                                      : ["good"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  // test that setting "security.onecrl.via.amo" results in the correct
+  // OCSP behavior when services.blocklist.onecrl.checked is recent
+  Services.prefs.setBoolPref("security.onecrl.via.amo", false);
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // now set services.blocklist.onecrl.checked to a recent value
+  Services.prefs.setIntPref("services.blocklist.onecrl.checked",
+                            Math.floor(Date.now() / 1000) - 1);
+  yield ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
 
-  // Bug 991815 old but valid end-entities are NOT OK for EV
-  // Unfortunately because of soft-fail we consider these OK for DV.
-  add_test(function () {
-    clearOCSPCache();
-    // Since Mozilla::pkix does not consider the old almost invalid OCSP
-    // response valid, it does not cache the old response and thus
-    // makes a separate request for DV
-    let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
-    let debugResponseArray = ["good", "longvalidityalmostold",
-                              "longvalidityalmostold"];
-    let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
-                          "test_ev_certs",
-                          gEVExpected ? debugCertNickArray : ["ev-valid"],
-                          [], [],
-                          gEVExpected ? debugResponseArray
-                                      : ["longvalidityalmostold"]);
-    check_ee_for_ev("ev-valid", false);
-    ocspResponder.stop(run_next_test);
-  });
+  Services.prefs.clearUserPref("security.onecrl.via.amo");
+  Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
+  Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
+  Services.prefs.clearUserPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer");
+});
+
+// Prime the OCSP cache and then ensure that we can validate certificates as EV
+// without hitting the network. There's two cases here: one where we simply
+// validate like normal and then check that the network was never accessed and
+// another where we use flags to mandate that the network not be used.
+add_task(function* ocspCachingTests() {
+  clearOCSPCache();
 
-  // Bug 991815 Valid but Ancient (almost two year old) responses are Not OK for
-  // EV (still OK for soft fail DV)
-  add_test(function () {
-    clearOCSPCache();
-    let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
-    let debugResponseArray = ["good", "ancientstillvalid",
-                              "ancientstillvalid"];
-    let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
-                          "test_ev_certs",
-                          gEVExpected ? debugCertNickArray : ["ev-valid"],
-                          [], [],
-                          gEVExpected ? debugResponseArray
-                                      : ["ancientstillvalid"]);
-    check_ee_for_ev("ev-valid", false);
-    ocspResponder.stop(run_next_test);
-  });
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
 
-  run_next_test();
-}
+  yield ensureVerifiesAsEVWithNoOCSPRequests("anyPolicy-int-path");
+  yield ensureVerifiesAsEVWithNoOCSPRequests("test-oid-path");
+
+  yield ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("anyPolicy-int-path");
+  yield ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("test-oid-path");
+});
 
-// bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
-// to prevent spurious OCSP requests that race with OCSP stapling.
-// This has the side-effect of saying an EV certificate is not EV if
-// it hasn't already been verified (e.g. on the verification thread when
-// connecting to a site).
-// This flag is mostly a hack that should be removed once FLAG_LOCAL_ONLY
-// works as intended.
-function check_no_ocsp_requests(cert_name, expected_error) {
+// Old-but-still-valid OCSP responses are accepted for intermediates but not
+// end-entity certificates (because of OCSP soft-fail this results in DV
+// fallback).
+add_task(function* oldOCSPResponseTests() {
   clearOCSPCache();
-  let ocspResponder = failingOCSPResponder();
-  let cert = certdb.findCertByNickname(cert_name);
-  let hasEVPolicy = {};
-  let verifiedChain = {};
-  let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
-              Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
-  let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags,
-                                   null, verifiedChain, hasEVPolicy);
-  // Since we're not doing OCSP requests, no certificate will be EV.
-  equal(hasEVPolicy.value, false,
-        "EV status should be false when not doing OCSP requests");
-  equal(error, expected_error,
-        "Actual and expected error should match when not doing OCSP requests");
-  ocspResponder.stop(run_next_test);
-}
+
+  yield ensureVerifiesAsEVWithOldIntermediateOCSPResponse("anyPolicy-int-path");
+  yield ensureVerifiesAsEVWithOldIntermediateOCSPResponse("test-oid-path");
+
+  clearOCSPCache();
+  yield ensureVerifiesAsDVWithOldEndEntityOCSPResponse("anyPolicy-int-path");
+  yield ensureVerifiesAsDVWithOldEndEntityOCSPResponse("test-oid-path");
+
+  clearOCSPCache();
+  yield ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(
+    "anyPolicy-int-path");
+  yield ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse("test-oid-path");
+});
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUzCCAj2gAwIBAgIUE20vV8zM9OXxDcXIQL8GFm0SKrgwCwYJKoZIhvcNAQEL
+MCAxHjAcBgNVBAMMFWFueVBvbGljeS1lZS1wYXRoLWludDAiGA8yMDE0MTEyNzAw
+MDAwMFoYDzIwMTcwMjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRhbnlQb2xpY3ktZWUt
+cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBhTCBgjBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGG
+MWh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQb2xpY3ktZWUtcGF0aC1l
+ZS8wEQYDVR0gBAowCDAGBgRVHSAAMB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhhbXBs
+ZS5jb20wCwYJKoZIhvcNAQELA4IBAQAiyZHRImgu1XH/X6KY6duEjEP8hPvIc+Vw
+Vyej3Aaa9NjWpDrO0eCm+08msuiOOYdnTvfudbyDorWY6D8jbTy3re6MLaY+GFY7
+9E18zdDk4t4Ssg1O1ous7MGfKKygNQ0eTB4aJH83jWjfpmNTvXggkA7Zp1SfOVv+
+2OMv066Vwewafrr1pgKl8IuSdTjCpaqCMzZDZf4cwL9tdadF1k9NqjInrinlUI+9
+nbb0WLL3fttvFGsee370t9Q+GRNd1S8nGuxpcXq4Yo51MDRk+HwjPPSBowfg+Tki
+Pk6RSND8FSjn22A+JUNT8u6MnNUOj4wh0N8RzEEQEW6GADH5hZdS
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:anyPolicy-ee-path-int
+subject:anyPolicy-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-ee/
+extension:certificatePolicies:any
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiqgAwIBAgIUI2XRNlfIQthAhAOq8dL98Ifp8wMwCwYJKoZIhvcNAQEL
+MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
+MDAwMDAwWjAgMR4wHAYDVQQDDBVhbnlQb2xpY3ktZWUtcGF0aC1pbnQwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+gYAwfjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBOBggrBgEFBQcBAQRCMEAw
+PgYIKwYBBQUHMAGGMmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQb2xp
+Y3ktZWUtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADALBgkqhkiG9w0BAQsD
+ggEBAG8A4LEmQDAvr6U+NShqPkyxi9d+kMGSHaKV75bJJgbtAkb5ZWG0LQdi4IxV
+MR/IE73jWJSUCEaIUsYjXVsQE+7CJLLUVCt7w3zRf7EoQV2hDp2+WCME6/q0L0HK
+EdK9DAe7UegvxLLSKS12rq/LhNB+XUYTFqQFfmSYSbNqNqzyDgqipPcicBs1RPlO
+HlKISVlKH4uV5FXaGb9FVZAP9J80YI5iHH7fCkJloMKEghnnqA79/Np0eDXt3JzJ
+O+x+I/DiUveAMlz5q72ou3pIOATsgOXRBs7neYgTR9hQ8q3jexidTIWwOuUjzDpt
+BhxQXS5JZ/owc3H0NJ33helcoXE=
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:anyPolicy-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-int/
+extension:certificatePolicies:any
rename from security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
@@ -1,20 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDSDCCAjKgAwIBAgIUby+kueFNWXyfsUNUp9JXQ4u/CgYwCwYJKoZIhvcNAQEL
-MCUxIzAhBgNVBAMMGmludC1ldi12YWxpZC1hbnlwb2xpY3ktaW50MCIYDzIwMTQx
-MTI3MDAwMDAwWhgPMjAxNzAyMDQwMDAwMDBaMCExHzAdBgNVBAMMFmV2LXZhbGlk
-LWFueXBvbGljeS1pbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
-iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
-4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
-8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
-Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
-77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
-I/pyUcQx1QOs2hgKNe2NAgMBAAGjdDByME8GCCsGAQUFBwEBBEMwQTA/BggrBgEF
-BQcwAYYzaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2V2LXZhbGlkLWFueXBv
-bGljeS1pbnQvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMAsGCSqG
-SIb3DQEBCwOCAQEAV2WSrBkRIiml/Nc0WyZwX7MnHLwQe4V4z9mCXdBRwwgZv8Cd
-ALzlKgj3Uz18CVYh3ZH4XCIxxJRvLy4eBbGsWRuS5c4ZaAPoeIur8WVURscEGu2k
-FT2cM7eA38Z7f0WYnuGbTBZ+sN7Hsm7HpV1dpBuI7RaJ9hwAlcvmKvgHBLsJZbyd
-yW7Vpu7KJ0S2djFhBPqjZ7xsIHIfbHuaYBhuO3xlmmx0YbgCS9HGkmuA6RXsSqd1
-15Iu8mT0mpq/SqxLRXi79f+HWpPAP9ERkNF+Ea0zIkIsK8d5PSnQqIKj5QugXSBE
-44He3YH8teY36VHQqApV3VGZ5mtMwVLAjMF8rg==
+MIIDZDCCAk6gAwIBAgIURy0a2jqjnawhuv+eW/eeWdMx8MkwCwYJKoZIhvcNAQEL
+MCExHzAdBgNVBAMMFmFueVBvbGljeS1pbnQtcGF0aC1pbnQwIhgPMjAxNDExMjcw
+MDAwMDBaGA8yMDE3MDIwNDAwMDAwMFowIDEeMBwGA1UEAwwVYW55UG9saWN5LWlu
+dC1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo4GUMIGRME4GCCsGAQUFBwEBBEIwQDA+BggrBgEFBQcw
+AYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBvbGljeS1pbnQtcGF0
+aC1lZS8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcw
+FYITZXYtdGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAGhjgde0w84T
+oegn3iGIIOB3q27pqH5nzwv4o5yThG0CmDRvTjBnK8yqlPdNvqx3YmnNh4aWlh94
+Z7XeFA5bPMQq2bCDdBD94g0j3hvBiNqy00Ou34uKm9tNFcQH6kecIjgrInpoxK84
+v2RJ9fjd79503cIuvSw9y3X63DnJn8+ml1Yjt5uO+URpZVDEjJB1mliG1NHdAZ3D
+qDM13f7pphIYggo+ZBlcOVEbh+uDu81gc/Y1JN1ZUOoKBWMx3TVFctYQ6f+uJcem
+xbYsnCK3FuCYTgf1zPye1gILCxvRfRiVw5ojnZ5daxPpfq9Ugv+T9DROuzZgHin1
+WYeP+oiXygI=
 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
@@ -1,4 +1,5 @@
-issuer:int-ev-valid-anypolicy-int
-subject:ev-valid-anypolicy-int
-extension:authorityInformationAccess:http://www.example.com:8888/ev-valid-anypolicy-int/
+issuer:anyPolicy-int-path-int
+subject:anyPolicy-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-ee/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDSzCCAjWgAwIBAgIUaYYtOBr1wZWTYvHqYsRinupYgT4wCwYJKoZIhvcNAQEL
+MIIDQjCCAiygAwIBAgIUI4h7bIgXBroqPq3r8qcqzWTPiTwwCwYJKoZIhvcNAQEL
 MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
-MDAwMDAwWjAlMSMwIQYDVQQDDBppbnQtZXYtdmFsaWQtYW55cG9saWN5LWludDCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
-PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
-HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
-Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
-EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
-lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
-AwEAAaOBhjCBgzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBTBggrBgEFBQcB
-AQRHMEUwQwYIKwYBBQUHMAGGN2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9p
-bnQtZXYtdmFsaWQtYW55cG9saWN5LWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsG
-CSqGSIb3DQEBCwOCAQEAqnqfTrqYSYeWWRX6GfGKkCVfmksgIA3OnvRD8gE895qU
-JS5Ke/3d/4+3beSlfNueL+JSriA+BqqlK6wrxI7xo7H4xjbUV/DrEXEfhUg052O1
-gC1oqObWsZenegoQBZ0mQUT0uqshj7IHWzED2GQZmjEt7F6Il5bjvy49OQ5A++/O
-m+YUr579TZ8r02WU0/+TNln6PnM+6uhoizF2bgh/fCcMlFqLUcJ4FNVi5CgT/oiR
-Wxv8FO2N3ijfQ1Qwnt2Ti0lGby//rrbdnE9tHJb22COxu8QuOi+z/meh4TL+UG3r
-HeCP5545zGOyBOzCrHNioeGVE13svKQFM4T+eguckQ==
+MDAwMDAwWjAhMR8wHQYDVQQDDBZhbnlQb2xpY3ktaW50LXBhdGgtaW50MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+o4GBMH8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEEQzBB
+MD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9s
+aWN5LWludC1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsGCSqGSIb3DQEB
+CwOCAQEAaar6+lvsKAL6fuKS9b8HOSI1Q6c+7/PDAo+YPVsDyzg4OYpFHfrJqveK
+vmwWSnUngX/V702znW4woDu1ZjXLWpTG4xx87FU7b0BIrL7r1N1twAohOYFUMnjl
+TW7RMjTgMGIgxybQc3N0snwf2SJedUu78xekdLW1/jTiMuIEys/+44tqGzVsFu9j
+XrFxPxNBHVzR8UFGICREeE2nFeOnqj3uQPh1JJszKUlfXbYtjgPFKfbbsPzzGLJ3
+tLmzPZLSeEed/AYvegq00CybA5f6UDY1uMnECekHAWFzv/yhZZsL+hMSGXTctE7+
+C+WTNlFX41Gi6uvck6N8T3ABNVTk8A==
 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
@@ -1,7 +1,7 @@
 issuer:evroot
-subject:int-ev-valid-anypolicy-int
+subject:anyPolicy-int-path-int
 issuerKey:ev
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid-anypolicy-int/
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/
 extension:certificatePolicies:any
--- a/security/manager/ssl/tests/unit/test_ev_certs/moz.build
+++ b/security/manager/ssl/tests/unit/test_ev_certs/moz.build
@@ -1,29 +1,34 @@
 # -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 # Temporarily disabled. See bug 1256495.
 #test_certificates = (
-#    'ev-valid-anypolicy-int.pem',
-#    'ev-valid.pem',
+#    'anyPolicy-ee-path-ee.pem',
+#    'anyPolicy-ee-path-int.pem',
+#    'anyPolicy-int-path-ee.pem',
+#    'anyPolicy-int-path-int.pem',
 #    'evroot.pem',
-#    'int-ev-valid-anypolicy-int.pem',
-#    'int-ev-valid.pem',
-#    'int-non-ev-root.pem',
-#    'no-ocsp-url-cert.pem',
-#    'non-ev-root.pem',
+#    'no-ocsp-ee-path-ee.pem',
+#    'no-ocsp-ee-path-int.pem',
+#    'no-ocsp-int-path-ee.pem',
+#    'no-ocsp-int-path-int.pem',
+#    'non-ev-root-path-ee.pem',
+#    'non-ev-root-path-int.pem',
 #    'non-evroot-ca.pem',
+#    'test-oid-path-ee.pem',
+#    'test-oid-path-int.pem',
 #)
 #
 #for test_certificate in test_certificates:
 #    GeneratedTestCertificate(test_certificate)
 #
 #test_keys = (
 #    'evroot.key',
-#    'int-ev-valid.key',
+#    'test-oid-path-int.key',
 #)
 #
 #for test_key in test_keys:
 #    GeneratedTestKey(test_key)
rename from security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
@@ -1,18 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIC4zCCAc2gAwIBAgIUd5B8Tu9tyK8u9ciEb+vs5wAhPjcwCwYJKoZIhvcNAQEL
-MBcxFTATBgNVBAMMDGludC1ldi12YWxpZDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIw
-MTcwMjA0MDAwMDAwWjAbMRkwFwYDVQQDDBBuby1vY3NwLXVybC1jZXJ0MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
-5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
-An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
-ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
-zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
-JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
-oyMwITAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATALBgkqhkiG9w0B
-AQsDggEBAGD4KgUYaMaVoU2ioXkVXR99IrOz65d6DsI8JZHlI1/5fykVbzPq7gpI
-fHB2iIp5RzP/eDDZPyriJ7L2LEUIGC/yr68C96d5FqlpeTL9hgkWQaM2Z9hisgoe
-vk1uBsvZ6KmCQhG9TTCcEAQks7Qe9qDo3j3zk35795Q57w4xYYJZKiBtKFgMTtF2
-nkpoSTHQ8wmPgok0T7H4c3WxXwRz9Pxa+X63q5Whd8tDeHHp2o+Fm3HzW7aGTb1t
-F1UJQsF4hCEsnqhfbx2pEPUkYHjtLi2WXFT/AYDbYsqzly4PZhMOdNldJu/S3TS0
-wSsKiflXOecc1Voy2BHO3igasqYZ6Tk=
+MIIDDDCCAfagAwIBAgIUN1tZuouNywOlI92yfPVp0g1KyqswCwYJKoZIhvcNAQEL
+MB4xHDAaBgNVBAMME25vLW9jc3AtZWUtcGF0aC1pbnQwIhgPMjAxNDExMjcwMDAw
+MDBaGA8yMDE3MDIwNDAwMDAwMFowHTEbMBkGA1UEAwwSbm8tb2NzcC1lZS1wYXRo
+LWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABo0MwQTAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAe
+BgNVHREEFzAVghNldi10ZXN0LmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOCAQEA
+PIRn3vteO/sx0OrU73mnICPuA8sVwv+bC8LbVAV8hgboad6ypC6/i/l3KComDtgK
+NsbANmhq8gF3XpvHzxvlBqnjO9qaZnmV4ETJMlSISm8NaK6xFJvHxLrbpH82g7WH
+5eLUxDNvkXBDClcs5iwa5cDnRykdXFttmxN5riw+dAT7rCsrNQODnYvF6C5J9e/S
+I7wyDkbfAdEsioDBHC2xAjuxdKLJr7+YKAaxN54q0U5EZ8dIThuAGLxQK2hSAw8O
+e34OwOPK11tH3tsrbxXAlaykuFgEeJnBfurq3Ff2OO8WirQ8pFiqYxl93sLIPFd6
+nMpuKlS/wpXkZV+NwwwJaQ==
 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
@@ -1,3 +1,4 @@
-issuer:int-ev-valid
-subject:no-ocsp-url-cert
+issuer:no-ocsp-ee-path-int
+subject:no-ocsp-ee-path-ee
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOzCCAiWgAwIBAgIUY7txKTVVTBc2roj9KXXVlQxF20YwCwYJKoZIhvcNAQEL
+MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
+MDAwMDAwWjAeMRwwGgYDVQQDDBNuby1vY3NwLWVlLXBhdGgtaW50MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo34w
+fDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBMBggrBgEFBQcBAQRAMD4wPAYI
+KwYBBQUHMAGGMGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9uby1vY3NwLWVl
+LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwCwYJKoZIhvcNAQELA4IBAQCE
+tGJOFahnFAubE9prxtKV5wEHxGhHWlwXC3lCFFeNMjZ0jOaMeI7JpeX18Nnzvy9u
+qNZfsvzUZk0fu22MDjwOSjJmZk3OI2B9Sc01gXU/IEQH7Jw3uy8NwVOGZctHjMyn
+MDIIaFcNDaAIQgjTRCLMyjrD0A86qSG795TQj6xjRuPy5NByLuT3We8cml3AJqy0
+F0dhLoeFbL5f4HN2xJFsb6UcTMb0bMAAtsvkIu3TTI01mu4ffiI6JVhWfraLLTig
+X30yMU8oJjeYGfcOyxrnvD/Y6MzIWQat97U8mRnuyfuISxilWvLeTJCasnpmnNWH
+wrWzbB62tJ1DJw3ngTGj
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:no-ocsp-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-ee-path-int/
+extension:certificatePolicies:any
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXjCCAkigAwIBAgIUNQic6jgct61lYPUlwpd2hHK2YJMwCwYJKoZIhvcNAQEL
+MB8xHTAbBgNVBAMMFG5vLW9jc3AtaW50LXBhdGgtaW50MCIYDzIwMTQxMTI3MDAw
+MDAwWhgPMjAxNzAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME25vLW9jc3AtaW50LXBh
+dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjgZIwgY8wTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzABhjBo
+dHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvbm8tb2NzcC1pbnQtcGF0aC1lZS8w
+HwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYt
+dGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAH5n55Iw3ulJPDVG7pjY
+SZHl1wfxcr0mhJ8wSJtv+QwPJDc6dDEAyttdiwZPlTZ/zPAws7xChsYaSsPlHnUG
+QSMDpssbEa4HNz4z+dAMp8lcMO4mwJi8z/hoB+G4J/yW6zWJpIqENrgyZmS2w/zR
+4ztwIEgEOPH5wsglxhrSzwihYr6lk0LMaOPU+EQ9a+ohbAJeFF9mPyc8VtWOhsYY
+5o2eHCl9BgIJQ5zuqpul2Liv6lLQQLmu9Y40TPp30lWtUX4I1KechDaRySZDeScx
+dFvF87rn3X09R+KBDUxcQMxAuJG9lzgAegxSwsCwQduE03+Ba3zJCXoFUTo1CVuc
+zLc=
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:no-ocsp-int-path-int
+subject:no-ocsp-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7jCCAdigAwIBAgIUdXjljKCreZHFVnBN7VXrPJiBz8AwCwYJKoZIhvcNAQEL
+MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
+MDAwMDAwWjAfMR0wGwYDVQQDDBRuby1vY3NwLWludC1wYXRoLWludDCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMw
+MC4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
+MAsGCSqGSIb3DQEBCwOCAQEAkCLoPzlhyoE0haiNXg2V767zsoTJMxA4XDKh2Ndb
+oaMfxJdqit/4yQregeCMh+zbgOt5i7gs5OQ0JR3Mo3fZ6HYxNLukCmxKD7OjYRAp
+ZsUbXQAeuNN+0q49rB1Sf7/Huk0WLbS8fG/oAK7HUwpJBxfzgCPbLRYt0ZeXooD+
+glh+2nUmlMmmjWgzc3xbQ1K1shqWatDT49BPcBel/GHsfpyDuJzzAvop8itJY+I0
+rUfrA+kJzojBJOykoucNx2cYx/0NxT+Rv3jWL4Qp0YdjCa9huJzdAFv0q0Rk6IlJ
+ef+7wWlvP6YoDUgwT4H8JPq/vSfCsB5yXKz/Hu0Ykc+3hQ==
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec
@@ -0,0 +1,6 @@
+issuer:evroot
+subject:no-ocsp-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:certificatePolicies:any
rename from security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
@@ -1,19 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDJzCCAhGgAwIBAgIULwMSM80UKgeh7YdspJB7dG8Yn3owCwYJKoZIhvcNAQEL
-MBoxGDAWBgNVBAMMD2ludC1ub24tZXYtcm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoY
-DzIwMTcwMjA0MDAwMDAwWjAWMRQwEgYDVQQDDAtub24tZXYtcm9vdDCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
-SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
-zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
-K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
-bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
-JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNp
-MGcwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vd3d3LmV4YW1w
-bGUuY29tOjg4ODgvbm9uLWV2LXJvb3QvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUa
-hRqFGgGDdAkBMAsGCSqGSIb3DQEBCwOCAQEAAtXIU+ufmDNCqfjUZiJ+9nHcE14I
-t158M0bTBeAsmwtenY9WsBz2Svd3JJ4k8/0OjIfS44o9XPnGvAT/KmHKcTjmTkHR
-vixUvEa3923AsJzoGzxQcF2BtyQufGWBW8/Oq5d6G5ISB/C4VA3Ez8j7o+OE+6bp
-ID60osGbUJsQ/mknXxj0MsZoeuz3upbdTDe49jNYPkyyJqKnctOacq3PIs1Ai10A
-iMgKtn0e5wEEUCouKwuKXxK1kFIrxDiiKLWEhgBKTPxDf8E+ZuJbp+nZo3TDfI1j
-rQDQsbH6cao5EzrVe/weHRYDQMJ1tk17RXrW+PPsgWYia8Mi11qbI9w+1Q==
+MIIDXjCCAkigAwIBAgIUPx1bQ/YwNzxyiIIEYEoQjqZUmHUwCwYJKoZIhvcNAQEL
+MB8xHTAbBgNVBAMMFG5vbi1ldi1yb290LXBhdGgtaW50MCIYDzIwMTQxMTI3MDAw
+MDAwWhgPMjAxNzAyMDQwMDAwMDBaMB4xHDAaBgNVBAMME25vbi1ldi1yb290LXBh
+dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjgZIwgY8wTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzABhjBo
+dHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvbm9uLWV2LXJvb3QtcGF0aC1lZS8w
+HwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYt
+dGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAIkYTJJR3JK3wbcNaBKL
+5R2qbPJLSJSP2ZbwyBF28HnzrOncI6elJFi9LxVwTDLKIchJolUqQmxLTbmuO/Y5
+hH9VXBKmct1PbWuDuH2ASFXVTvf3FREg+qHH9/s+GGnIxTSleS0lj2RsHdrC9Q8O
+ChtSg1Fcuz6ZDMEQgpc52tGaTmB2Q/ZHFV6dIdcZtwxH0AqSy1aX432MAjyaEg6G
+dFX4ObU/JWOPk8qz+Mw/q0d8b4U6OP7uP2buURYR60KFJx1Iqfcwu2bWl0VdaHrQ
+1xU1SGViOHaCZMTXrV8l3cvAGbpnFXTp6MAdiTMc8+44M9/SOQVmqWVwULpCtNNv
+e5M=
 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
@@ -1,4 +1,5 @@
-issuer:int-non-ev-root
-subject:non-ev-root
-extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root/
+issuer:non-ev-root-path-int
+subject:non-ev-root-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-ee/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
rename from security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDSjCCAjSgAwIBAgIUD22BRPEQk1ohdq0TWpDiC9DX0QgwCwYJKoZIhvcNAQEL
+MIIDRDCCAi6gAwIBAgIUe8flRD9fpbyM3B5myFA50T3jScUwCwYJKoZIhvcNAQEL
 MBgxFjAUBgNVBAMMDW5vbi1ldnJvb3QtY2EwIhgPMjAxNDExMjcwMDAwMDBaGA8y
-MDE3MDIwNDAwMDAwMFowGjEYMBYGA1UEAwwPaW50LW5vbi1ldi1yb290MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
-5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
-An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
-ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
-zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
-JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
-o4GJMIGGMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEgGCCsGAQUFBwEBBDww
-OjA4BggrBgEFBQcwAYYsaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2ludC1u
-b24tZXYtcm9vdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCwYJ
-KoZIhvcNAQELA4IBAQCNfizDGiKBxkquDAvy/RDTwOiYDliOvReGjlZOZrQBkf52
-xvfHAkl/m/GluDeCjHSSlGU/8cloXnyN6PRzRfxf46Lx+RuiStgDPS1OfqGw961l
-dV2xEa2g5SHkHS1aTnadO83GxkagYes6OEZbe7fexrOnPIhNx4Da9wfFyQBOi8/t
-4Y69eBk+cC5AaSBwHpf12TDc4NKvW2/Qtl1G8idn24OhPlucxBd/dPOxduztde5a
-bmvQW4m66HHjF5aIXaJn7I5+drY2vSIJz3Nry05pgrJapf7rOi0iKNrv5vKoAyi9
-IYeIPTOD377JbUBdSOt0yGV2yx5bkvWfMUET51i3
+MDE3MDIwNDAwMDAwMFowHzEdMBsGA1UEAwwUbm9uLWV2LXJvb3QtcGF0aC1pbnQw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjfzB9MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME0GCCsGAQUFBwEB
+BEEwPzA9BggrBgEFBQcwAYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L25v
+bi1ldi1yb290LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwCwYJKoZIhvcN
+AQELA4IBAQCw1nYDX13O3uLXnQBJ5aM8/x6IM1tzVd6UWqgtbLDiTDqmQIRw52jz
+n+Fl/feTEjYn2/GF++LgKS031wXSjbAs2EIe3QtKQZfpMo+XtJzYtOmkQ6dzM5PV
+GsV5PJG/JvUgC4X/FpSFNbh+5jNEuU8nZatrhqlVShTVmFCHC8bpcQhZlyt3uwY2
+Vd7x2qSem5XCPP+7Hmvt6jlP0ZO1oTyqfMf1K7Q1m+r97pmHj3xkhYQKTBkiwRMJ
++pwIkbvYJONIR30V2tg3bZuJwzwt9R4f4dl2J03UQkg1ge2eJUF9d3odaWmLma7N
+nuwrO2Y0DpQv3HqvZZOOYX8chPO8IIVe
 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
@@ -1,6 +1,6 @@
 issuer:non-evroot-ca
-subject:int-non-ev-root
+subject:non-ev-root-path-int
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/int-non-ev-root/
-extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-int/
+extension:certificatePolicies:any
rename from security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
@@ -1,19 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDHjCCAgigAwIBAgIUIWjgvey0rx7/CM8k0zC+FVdlHG0wCwYJKoZIhvcNAQEL
-MBcxFTATBgNVBAMMDGludC1ldi12YWxpZDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIw
-MTcwMjA0MDAwMDAwWjATMREwDwYDVQQDDAhldi12YWxpZDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
-bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
-OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
-uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
-t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
-NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNmMGQwQQYI
-KwYBBQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vd3d3LmV4YW1wbGUuY29t
-Ojg4ODgvZXYtdmFsaWQvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB
-MAsGCSqGSIb3DQEBCwOCAQEAAZ49c1ZNqOYEz0x2EzYaInvPcK2Fxbc8CjX71xIj
-ahLnIZ1cb/VIe88wvidZdQYQdRn0aTfc8Z7+P62XnPqM3nlF85b7g4H2yxJRq7or
-V1skztvKxm+YC/iY4ogsR8x24gdEn/IdwAdjtfZnI471A69CN3t0V6tmt26SNGix
-jNnabOus9JGfhii+qL8svIYR6T+Gmr2fDuQBEJtTpcHjLbrPAV4pOlFu3WmOsVsF
-9yaUy72WFBXg0kas+Tz1QvKWgi4XZ9640HoBVdmHGBnAiBjx62d4pxf4ttbrvh9r
-G26w6vWsfTKWDsoJKi1gYtf9hTcG04jrHg2EAx06+A0yFw==
+MIIDVTCCAj+gAwIBAgIULwfe1XYxIxI1GOvu3ZnTqxvVOYYwCwYJKoZIhvcNAQEL
+MBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MCIYDzIwMTQxMTI3MDAwMDAw
+WhgPMjAxNzAyMDQwMDAwMDBaMBsxGTAXBgNVBAMMEHRlc3Qtb2lkLXBhdGgtZWUw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjgY8wgYwwSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzABhi1odHRwOi8v
+d3d3LmV4YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtcGF0aC1lZS8wHwYDVR0gBBgw
+FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt
+cGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAGBM93ylo+yXjVAr7GHY2/Suvddfd47X
+i+0qQc5Aif2f5okWm7k8BaLdhQYMcLo/D/AZzKcPvO5wUFdiInHPF069ebu8s6qL
+qZ7ybJK7AR/UfkS4Yn+gTdvPUxasFCtorT3tx8aws3Y9NBK0YV2IImgC+wS2Qe37
+XBUF+526UjJ/ooInFnW6Ukf8rdhxMpSOAXzblJCfHMnnkg36m5zSWNH83oTWEGwe
+tWolqulTICNpRA4rqwO7i2BRHkgQrq9lhQS3/rCyGYgeqware7QPSj5S4WXBLM3p
+a7je/NteBTOUVsfngQSz5ETVu3Bj7mgJYmtkCC5ZRVfQmjWsfPyqslE=
 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
@@ -1,4 +1,5 @@
-issuer:int-ev-valid
-subject:ev-valid
-extension:authorityInformationAccess:http://www.example.com:8888/ev-valid/
+issuer:test-oid-path-int
+subject:test-oid-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key.keyspec
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDPTCCAiegAwIBAgIUJ6ZiwLEBBmRIxjG+KN4K/KQ+NKkwCwYJKoZIhvcNAQEL
+MIIDRzCCAjGgAwIBAgIUXX3/aud0LGpAvxl0RGcu8j7gbsAwCwYJKoZIhvcNAQEL
 MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
-MDAwMDAwWjAXMRUwEwYDVQQDDAxpbnQtZXYtdmFsaWQwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
-e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
-KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
-YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
-lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
-HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgYYwgYMwDAYD
-VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUF
-BzABhilodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvaW50LWV2LXZhbGlkLzAf
-BgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATALBgkqhkiG9w0BAQsDggEB
-AHuI7ZqTAYzCj2QtErvEKbo16WctTXslepQmnD9hrAFNkhrT9ParJ+EViwaq8wXL
-RpBs4QNtH5j1lrlIIY3SEeGRvNv7pIC1vQoBa15ieg6IJOxs0Zq/TszAEcdIQSpr
-p1fcl/51kAoXoV74VBOer6dIqenuK043aa2aai58Jz/cMaWd7E55Ak+aU9pb+Mdc
-x6k9vV8sSfkpSR2Jmx5GEq5Sat8eJ7lib9/+wHGGCObUzxXnMJN50ZsR6R77DP/E
-+cafdtTxYgFTsPdA1OTBxUEbk2hx3c08T1kmPL+nmg3WoSu8fXuaZWzCBegDMFMI
-wgiVIyUZPm9H356bgW+nVeo=
+MDAwMDAwWjAcMRowGAYDVQQDDBF0ZXN0LW9pZC1wYXRoLWludDCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBizCB
+iDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBKBggrBgEFBQcBAQQ+MDwwOgYI
+KwYBBQUHMAGGLmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LW9pZC1w
+YXRoLWludC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCwYJKoZI
+hvcNAQELA4IBAQBonq8E1t3lQQAdEimupSIEFehQNe5wE69Hj9O941yTTIYZazR/
+kgKiFb4daLhvmeay1WxKq2D4SabCyvQpkU2acUunOolNcUUYwzqjeOr3OB369vvy
+13vshQs6PL9y5sTNEFCt8xYeBgiMoUKrelLe9iql4h/jyqOBYAuk8hQzztaW986p
+q8mF0V59hT3EZNEGdHf2LcPBlR24i7mdA45mWHQ+v5zySVptxJG9xi5bv2PoT3i3
+HUcBfOERE+6d14OZmMsDcmv3G6JRtbAow0ZKbi7UXemrHk0Xszb570gEvii2PKyD
+mQbrJ3k0g8SGTK+mWEYtpowoPVWMa3Do/KpO
 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
@@ -1,7 +1,7 @@
 issuer:evroot
-subject:int-ev-valid
+subject:test-oid-path-int
 issuerKey:ev
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid/
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-int/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
--- a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
@@ -36,26 +36,26 @@ function testOff() {
     do_print("Setting security.OCSP.enabled to 0");
     run_next_test();
   });
 
   // EV chains should verify successfully but never get EV status.
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = getFailingOCSPResponder();
-    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                   false);
     ocspResponder.stop(run_next_test);
   });
 
   // A DV chain should verify successfully.
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = getFailingOCSPResponder();
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                           PRErrorCodeSuccess, certificateUsageSSLServer);
     ocspResponder.stop(run_next_test);
   });
 }
 
 // Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
 function testOn() {
   add_test(() => {
@@ -64,29 +64,29 @@ function testOn() {
     run_next_test();
   });
 
   // If a successful OCSP response is fetched, then an EV chain should verify
   // successfully and get EV status as well.
   add_test(() => {
     clearOCSPCache();
     let ocspResponder =
-      getOCSPResponder(gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                   : ["ev-valid"]);
-    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+      getOCSPResponder(gEVExpected ? ["test-oid-path-int", "test-oid-path-ee"]
+                                   : ["test-oid-path-ee"]);
+    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                   gEVExpected);
     ocspResponder.stop(run_next_test);
   });
 
   // If a successful OCSP response is fetched, then a DV chain should verify
   // successfully.
   add_test(() => {
     clearOCSPCache();
-    let ocspResponder = getOCSPResponder(["non-ev-root"]);
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+    let ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                           PRErrorCodeSuccess, certificateUsageSSLServer);
     ocspResponder.stop(run_next_test);
   });
 }
 
 // Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
 function testEVOnly() {
   add_test(() => {
@@ -95,28 +95,28 @@ function testEVOnly() {
     run_next_test();
   });
 
   // If a successful OCSP response is fetched, then an EV chain should verify
   // successfully and get EV status as well.
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = gEVExpected
-                      ? getOCSPResponder(["int-ev-valid", "ev-valid"])
+                      ? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])
                       : getFailingOCSPResponder();
-    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                   gEVExpected);
     ocspResponder.stop(run_next_test);
   });
 
   // A DV chain should verify successfully even without doing OCSP fetches.
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = getFailingOCSPResponder();
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                           PRErrorCodeSuccess, certificateUsageSSLServer);
     ocspResponder.stop(run_next_test);
   });
 }
 
 function run_test() {
   do_register_cleanup(() => {
     Services.prefs.clearUserPref("network.dns.localDomains");
@@ -124,18 +124,18 @@ function run_test() {
     Services.prefs.clearUserPref("security.OCSP.require");
   });
   Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
   // Enable hard fail to ensure chains that should only succeed because they get
   // a good OCSP response do not succeed due to soft fail leniency.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   loadCert("evroot", "CTu,,");
-  loadCert("int-ev-valid", ",,");
+  loadCert("test-oid-path-int", ",,");
   loadCert("non-evroot-ca", "CTu,,");
-  loadCert("int-non-ev-root", ",,");
+  loadCert("non-ev-root-path-int", ",,");
 
   testOff();
   testOn();
   testEVOnly();
 
   run_next_test();
 }