bug 1194013 - convert test_name_constraints.js to generate certificates at build time r=Cykesiopka,mgoodwin
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 11 Aug 2015 16:40:38 -0700
changeset 259083 7ca1f23e9685df0910b5bfbe878bfdeecd397b7d
parent 259082 f39b4a4435f56d019bbbd84edff7764677a135f7
child 259084 cf01526b97cee41c9fdb03b0d4e98da4dc7bed9b
push id17144
push userryanvm@gmail.com
push dateTue, 25 Aug 2015 01:00:31 +0000
treeherderb2g-inbound@f30a43492433 [default view] [failures only]
reviewersCykesiopka, mgoodwin
bugs1194013
milestone43.0a1
bug 1194013 - convert test_name_constraints.js to generate certificates at build time r=Cykesiopka,mgoodwin
security/manager/ssl/tests/unit/moz.build
security/manager/ssl/tests/unit/pycert.py
security/manager/ssl/tests/unit/test_name_constraints.js
security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.cert
security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.cert
security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/dcisscopy.der
security/manager/ssl/tests/unit/test_name_constraints/generate.py
security/manager/ssl/tests/unit/test_name_constraints/int-c-us-int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-ca-nc-perm-foo.com.der
security/manager/ssl/tests/unit/test_name_constraints/int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-excl-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com-int-nc-c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com-int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com_a.us.der
security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-c-uk-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-foo.com-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-foo.com_c-us-ca-nc.der
security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/moz.build
--- a/security/manager/ssl/tests/unit/moz.build
+++ b/security/manager/ssl/tests/unit/moz.build
@@ -10,16 +10,17 @@ TEST_DIRS += [
     'test_cert_embedded_null',
     'test_cert_keyUsage',
     'test_cert_trust',
     'test_cert_version',
     'test_ev_certs',
     'test_intermediate_basic_usage_constraints',
     'test_keysize',
     'test_keysize_ev',
-    'test_pinning_dynamic',
+    'test_name_constraints',
     'test_ocsp_fetch_method',
     'test_ocsp_url',
+    'test_pinning_dynamic',
     'test_validity',
 ]
 
 if not CONFIG['MOZ_NO_SMART_CARDS']:
     DIRS += ['pkcs11testmodule']
--- a/security/manager/ssl/tests/unit/pycert.py
+++ b/security/manager/ssl/tests/unit/pycert.py
@@ -5,18 +5,18 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 """
 Reads a certificate specification from stdin or a file and outputs a
 signed x509 certificate with the desired properties.
 
 The input format is as follows:
 
-issuer:<string to use as the issuer common name>
-subject:<string to use as the subject common name>
+issuer:<issuer distinguished name specification>
+subject:<subject distinguished name specification>
 [version:{1,2,3,4}]
 [validity:<YYYYMMDD-YYYYMMDD|duration in days>]
 [issuerKey:<key specification>]
 [subjectKey:<key specification>]
 [signature:{sha256WithRSAEncryption,ecdsaWithSHA256}]
 [extension:<extension name:<extension-specific data>>]
 [...]
 
@@ -25,16 +25,17 @@ basicConstraints:[cA],[pathLenConstraint
 keyUsage:[digitalSignature,nonRepudiation,keyEncipherment,
           dataEncipherment,keyAgreement,keyCertSign,cRLSign]
 extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection
              nsSGC, # Netscape Server Gated Crypto
              OCSPSigning,timeStamping]
 subjectAlternativeName:[<dNSName>,...]
 authorityInformationAccess:<OCSP URI>
 certificatePolicies:<policy OID>
+nameConstraints:{permitted,excluded}:[<dNSName|directoryName>,...]
 
 Where:
   [] indicates an optional field or component of a field
   <> indicates a required component of a field
   {} indicates a choice of exactly one value among a set of values
   [a,b,c] indicates a list of potential values, of which zero or more
           may be used
 
@@ -48,30 +49,65 @@ fields. Using "issuerKey:<key specificat
 signing or as the subject public key information field, respectively.
 See pykey.py for the list of available specifications.
 The signature algorithm is sha256WithRSAEncryption by default.
 
 The validity period may be specified as either concrete notBefore and
 notAfter values or as a validity period centered around 'now'. For the
 latter, this will result in a notBefore of 'now' - duration/2 and a
 notAfter of 'now' + duration/2.
+
+Issuer and subject distinguished name specifications are of the form
+'[stringEncoding]/C=XX/O=Example/CN=example.com'. C (country name), ST
+(state or province name), L (locality name), O (organization name), OU
+(organizational unit name), CN (common name) and emailAddress (email
+address) are currently supported. The optional stringEncoding field may
+be 'utf8String' or 'printableString'. If the given string does not
+contain a '/', it is assumed to represent a common name.
+DirectoryNames also use this format. When specifying a directoryName in
+a nameConstraints extension, the implicit form may not be used.
 """
 
 from pyasn1.codec.der import decoder
 from pyasn1.codec.der import encoder
-from pyasn1.type import constraint, tag, univ, useful
+from pyasn1.type import constraint, namedtype, tag, univ, useful
 from pyasn1_modules import rfc2459
 import base64
 import datetime
 import hashlib
 import re
 import sys
 
 import pykey
 
+# The GeneralSubtree definition in pyasn1_modules.rfc2459 is incorrect.
+# Where this definition uses a DefaultedNamedType, pyasn1_modules uses
+# a NamedType, which results in the default value being explicitly
+# encoded, which is incorrect for DER.
+class GeneralSubtree(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('base', rfc2459.GeneralName()),
+        namedtype.DefaultedNamedType('minimum', rfc2459.BaseDistance(0).subtype(
+            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))),
+        namedtype.OptionalNamedType('maximum', rfc2459.BaseDistance().subtype(
+            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1)))
+    )
+
+
+# The NameConstraints definition in pyasn1_modules.rfc2459 is incorrect.
+# excludedSubtrees has a tag value of 1, not 0.
+class NameConstraints(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.OptionalNamedType('permittedSubtrees', rfc2459.GeneralSubtrees().subtype(
+            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))),
+        namedtype.OptionalNamedType('excludedSubtrees', rfc2459.GeneralSubtrees().subtype(
+            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1)))
+    )
+
+
 class UnknownBaseError(Exception):
     """Base class for handling unexpected input in this module."""
     def __init__(self, value):
         self.value = value
         self.category = 'input'
 
     def __str__(self):
         return 'Unknown %s type "%s"' % (self.category, repr(self.value))
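Review bot: In the replacement `GeneralSubtree`, the `minimum` and `maximum` components get context tags built with `tag.tagFormatConstructed`, but `BaseDistance` is an INTEGER, a primitive type, so an implicitly tagged value is primitive in DER. pyasn1 may carry the format over from the underlying type when tagging implicitly, in which case the output is unaffected, and `addNameConstraints` never sets either field. Still, a definition whose comment says it corrects the library should spell the tag as `tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)` (and `1` for `maximum`). `tagFormatConstructed` is appropriate for the two `GeneralSubtrees` fields of `NameConstraints`, which are SEQUENCE OF.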
@@ -120,16 +156,33 @@ class UnknownKeyTargetError(UnknownBaseE
 class UnknownVersionError(UnknownBaseError):
     """Helper exception type to handle unknown specified versions."""
 
     def __init__(self, value):
         UnknownBaseError.__init__(self, value)
         self.category = 'version'
 
 
+class UnknownNameConstraintsSpecificationError(UnknownBaseError):
+    """Helper exception type to handle unknown specified
+    nameConstraints."""
+
+    def __init__(self, value):
+        UnknownBaseError.__init__(self, value)
+        self.category = 'nameConstraints specification'
+
+
+class UnknownDNTypeError(UnknownBaseError):
+    """Helper exception type to handle unknown DN types."""
+
+    def __init__(self, value):
+        UnknownBaseError.__init__(self, value)
+        self.category = 'DN'
+
+
 def getASN1Tag(asn1Type):
     """Helper function for returning the base tag value of a given
     type from the pyasn1 package"""
     return asn1Type.baseTagSet.getBaseTag().asTuple()[2]
 
 def stringToAccessDescription(string):
     """Helper function that takes a string representing a URI
     presumably identifying an OCSP authority information access
@@ -137,51 +190,89 @@ def stringToAccessDescription(string):
     accessMethod = rfc2459.id_ad_ocsp
     accessLocation = rfc2459.GeneralName()
     accessLocation.setComponentByName('uniformResourceIdentifier', string)
     sequence = univ.Sequence()
     sequence.setComponentByPosition(0, accessMethod)
     sequence.setComponentByPosition(1, accessLocation)
     return sequence
 
+def stringToDN(string, tag=None):
+    """Takes a string representing a distinguished name or directory
+    name and returns a Name for use by pyasn1. See the documentation
+    for the issuer and subject fields for more details. Takes an
+    optional implicit tag in cases where the Name needs to be tagged
+    differently."""
+    if '/' not in string:
+        string = '/CN=%s' % string
+    rdns = rfc2459.RDNSequence()
+    pos = 0
+    pattern = '/(C|ST|L|O|OU|CN|emailAddress)='
+    split = re.split(pattern, string)
+    # split should now be [[encoding], <type>, <value>, <type>, <value>, ...]
+    if split[0]:
+        encoding = split[0]
+    else:
+        encoding = 'utf8String'
+    for (nameType, value) in zip(split[1::2], split[2::2]):
+        ava = rfc2459.AttributeTypeAndValue()
+        if nameType == 'C':
+            ava.setComponentByName('type', rfc2459.id_at_countryName)
+            nameComponent = rfc2459.X520countryName(value)
+        elif nameType == 'ST':
+            ava.setComponentByName('type', rfc2459.id_at_stateOrProvinceName)
+            nameComponent = rfc2459.X520StateOrProvinceName()
+        elif nameType == 'L':
+            ava.setComponentByName('type', rfc2459.id_at_localityName)
+            nameComponent = rfc2459.X520LocalityName()
+        elif nameType == 'O':
+            ava.setComponentByName('type', rfc2459.id_at_organizationName)
+            nameComponent = rfc2459.X520OrganizationName()
+        elif nameType == 'OU':
+            ava.setComponentByName('type', rfc2459.id_at_organizationalUnitName)
+            nameComponent = rfc2459.X520OrganizationalUnitName()
+        elif nameType == 'CN':
+            ava.setComponentByName('type', rfc2459.id_at_commonName)
+            nameComponent = rfc2459.X520CommonName()
+        elif nameType == 'emailAddress':
+            ava.setComponentByName('type', rfc2459.emailAddress)
+            nameComponent = rfc2459.Pkcs9email(value)
+        else:
+            raise UnknownDNTypeError(nameType)
+        if not nameType == 'C' and not nameType == 'emailAddress':
+            # The value may have things like '\0' (i.e. a slash followed by
+            # the number zero) that have to be decoded into the resulting
+            # '\x00' (i.e. a byte with value zero).
+            nameComponent.setComponentByName(encoding, value.decode(encoding='string_escape'))
+        ava.setComponentByName('value', nameComponent)
+        rdn = rfc2459.RelativeDistinguishedName()
+        rdn.setComponentByPosition(0, ava)
+        rdns.setComponentByPosition(pos, rdn)
+        pos = pos + 1
+    if tag:
+        name = rfc2459.Name().subtype(implicitTag=tag)
+    else:
+        name = rfc2459.Name()
+    name.setComponentByPosition(0, rdns)
+    return name
+
 def stringToAlgorithmIdentifier(string):
     """Helper function that converts a description of an algorithm
     to a representation usable by the pyasn1 package"""
     algorithmIdentifier = rfc2459.AlgorithmIdentifier()
     algorithm = None
     if string == 'sha256WithRSAEncryption':
         algorithm = univ.ObjectIdentifier('1.2.840.113549.1.1.11')
     elif string == 'ecdsaWithSHA256':
         algorithm = univ.ObjectIdentifier('1.2.840.10045.4.3.2')
     else:
         raise UnknownAlgorithmTypeError(string)
     algorithmIdentifier.setComponentByName('algorithm', algorithm)
     return algorithmIdentifier
 
-def stringToCommonName(string):
-    """Helper function for taking a string and building an x520 name
-    representation usable by the pyasn1 package. Currently returns one
-    RDN with one AVA consisting of a Common Name encoded as a
-    UTF8String."""
-    commonName = rfc2459.X520CommonName()
-    # The string may have things like '\0' (i.e. a slash followed by
-    # the number zero) that have to be decoded into the resulting
-    # '\x00' (i.e. a byte with value zero).
-    commonName.setComponentByName('utf8String', string.decode(encoding='string_escape'))
-    ava = rfc2459.AttributeTypeAndValue()
-    ava.setComponentByName('type', rfc2459.id_at_commonName)
-    ava.setComponentByName('value', commonName)
-    rdn = rfc2459.RelativeDistinguishedName()
-    rdn.setComponentByPosition(0, ava)
-    rdns = rfc2459.RDNSequence()
-    rdns.setComponentByPosition(0, rdn)
-    name = rfc2459.Name()
-    name.setComponentByPosition(0, rdns)
-    return name
-
 def datetimeToTime(dt):
     """Takes a datetime object and returns an rfc2459.Time object with
     that time as its value as a GeneralizedTime"""
     time = rfc2459.Time()
     time.setComponentByName('generalTime', useful.GeneralizedTime(dt.strftime('%Y%m%d%H%M%SZ')))
     return time
 
 class Certificate:
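Review bot: The `else: raise UnknownDNTypeError(nameType)` branch in `stringToDN` cannot be reached, because `re.split` only captures the seven attribute types listed in `pattern`. An unsupported or misspelled type such as `/X=...` is therefore not reported: it is absorbed into the preceding value, or into `encoding` when it comes first, and the generated test certificate carries a different name from the one the certspec author meant. One option is to split on a generic key, `pattern = '/([A-Za-z]+)='`, which routes unknown types to the existing error branch. The `tag` parameter also shadows the imported `pyasn1.type.tag` module inside this function; a name such as `implicitTag`, tested with `is not None`, would avoid that.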
@@ -290,16 +381,18 @@ class Certificate:
         elif extensionType == 'extKeyUsage':
             self.addExtKeyUsage(value)
         elif extensionType == 'subjectAlternativeName':
             self.addSubjectAlternativeName(value)
         elif extensionType == 'authorityInformationAccess':
             self.addAuthorityInformationAccess(value)
         elif extensionType == 'certificatePolicies':
             self.addCertificatePolicies(value)
+        elif extensionType == 'nameConstraints':
+            self.addNameConstraints(value)
         else:
             raise UnknownExtensionTypeError(extensionType)
 
     def setupKey(self, subjectOrIssuer, value):
         if subjectOrIssuer == 'subject':
             self.subjectKey = pykey.keyFromSpecification(value)
         elif subjectOrIssuer == 'issuer':
             self.issuerKey = pykey.keyFromSpecification(value)
@@ -383,43 +476,70 @@ class Certificate:
         policy = rfc2459.PolicyInformation()
         if policyOID == 'any':
             policyOID = '2.5.29.32.0'
         policyIdentifier = rfc2459.CertPolicyId(policyOID)
         policy.setComponentByName('policyIdentifier', policyIdentifier)
         policies.setComponentByPosition(0, policy)
         self.addExtension(rfc2459.id_ce_certificatePolicies, policies)
 
+    def addNameConstraints(self, constraints):
+        nameConstraints = NameConstraints()
+        if constraints.startswith('permitted:'):
+            (subtreesType, subtreesTag) = ('permittedSubtrees', 0)
+        elif constraints.startswith('excluded:'):
+            (subtreesType, subtreesTag) = ('excludedSubtrees', 1)
+        else:
+            raise UnknownNameConstraintsSpecificationError(constraints)
+        generalSubtrees = rfc2459.GeneralSubtrees().subtype(
+            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, subtreesTag))
+        subtrees = constraints[(constraints.find(':') + 1):]
+        pos = 0
+        for name in subtrees.split(','):
+            generalName = rfc2459.GeneralName()
+            if '/' in name:
+                directoryName = stringToDN(name,
+                  tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))
+                generalName.setComponentByName('directoryName', directoryName)
+            else:
+                generalName.setComponentByName('dNSName', name)
+            generalSubtree = GeneralSubtree()
+            generalSubtree.setComponentByName('base', generalName)
+            generalSubtrees.setComponentByPosition(pos, generalSubtree)
+            pos = pos + 1
+        nameConstraints.setComponentByName(subtreesType, generalSubtrees)
+        self.addExtension(rfc2459.id_ce_nameConstraints, nameConstraints)
+
     def getVersion(self):
         return rfc2459.Version(self.versionValue).subtype(
             explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
 
     def getSerialNumber(self):
         return decoder.decode(self.serialNumber)[0]
 
     def getSignature(self):
         return stringToAlgorithmIdentifier(self.signature)
 
     def getIssuer(self):
-        return stringToCommonName(self.issuer)
+        return stringToDN(self.issuer)
 
     def getValidity(self):
         validity = rfc2459.Validity()
         validity.setComponentByName('notBefore', self.getNotBefore())
         validity.setComponentByName('notAfter', self.getNotAfter())
         return validity
 
     def getNotBefore(self):
         return datetimeToTime(self.notBefore)
 
     def getNotAfter(self):
         return datetimeToTime(self.notAfter)
 
     def getSubject(self):
-        return stringToCommonName(self.subject)
+        return stringToDN(self.subject)
 
     def toDER(self):
         signatureOID = self.getSignature()
         tbsCertificate = rfc2459.TBSCertificate()
         tbsCertificate.setComponentByName('version', self.getVersion())
         tbsCertificate.setComponentByName('serialNumber', self.getSerialNumber())
         tbsCertificate.setComponentByName('signature', signatureOID)
         tbsCertificate.setComponentByName('issuer', self.getIssuer())
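Review bot: `addNameConstraints` accepts empty entries: for `permitted:` with nothing after the colon, or a trailing comma, `subtrees.split(',')` yields `''` and the loop encodes a `dNSName` base holding an empty string. Validators commonly treat an empty dNSName constraint as matching every DNS name, so a typo in a certspec would change what a test certificate permits or excludes without any error. A guard at the top of the loop, `if not name: raise UnknownNameConstraintsSpecificationError(constraints)`, would reject it. Each call builds its own extension with a single subtree type, so a short docstring saying that permitted and excluded subtrees cannot be combined in one specification line would also help. The method is complete in this hunk; the rest of `Certificate` is not.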
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -4,25 +4,23 @@
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 "use strict";
 
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
-function certFromFile(filename) {
-  let der = readFile(do_get_file("test_name_constraints/" + filename, false));
-  return certdb.constructX509(der, der.length);
+function certFromFile(name) {
+  return constructCertFromFile(`test_name_constraints/${name}.pem`);
 }
 
 function load_cert(cert_name, trust_string) {
-  var cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_name_constraints/" + cert_filename, trust_string);
-  return certFromFile(cert_filename);
+  addCertFromFile(certdb, `test_name_constraints/${cert_name}.pem`, trust_string);
+  return certFromFile(cert_name);
 }
 
 function check_cert_err(cert, expected_error) {
   checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
 }
 
 function check_ok(x) {
   return check_cert_err(x, PRErrorCodeSuccess);
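Review bot: `certFromFile` and `load_cert` now take a certificate base name and append `.pem` themselves, which the parameter names alone do not convey; a caller that still passes `'foo.der'` would ask for `foo.der.pem`. A one-line comment above `certFromFile`, for example `// |name| is the certificate's base name without extension; "<name>.pem" is loaded from test_name_constraints/.`, would document the new contract. `constructCertFromFile` and `addCertFromFile` are defined outside this hunk, so how they report a missing file is not visible here.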
@@ -47,226 +45,226 @@ function run_test() {
 
   // Note that CN is only looked at when there is NO subjectAltName!
 
   // Testing with a unconstrained root, and intermediate constrained to PERMIT
   // foo.com. All failures on this section are doe to the cert DNS names
   // not being under foo.com.
   check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
   // no dirName
-  check_ok(certFromFile('cn-www.foo.com-int-nc-perm-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com-int-nc-perm-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
   // multiple subjectAltnames
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc'));
   // C=US O=bar
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
   // multiple subjectAltnames
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc'));
 
   // Testing with an unconstrained root and intermediate constrained to
   // EXCLUDE DNS:example.com. All failures on this section are due to the cert
   // DNS names containing example.com. The dirname does not affect evaluation.
   check_ok_ca(load_cert('int-nc-excl-foo.com-ca-nc', ',,'));
   // no dirName
-  check_fail(certFromFile('cn-www.foo.com-int-nc-excl-foo.com-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.org-int-nc-excl-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-int-nc-excl-foo.com-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.org-int-nc-excl-foo.com-ca-nc'));
   // notice that since the name constrains apply to the dns name the cn is not
   // evaluated in the case where a subjectAltName exists. Thus the next case is
   // correctly passing.
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
   // multiple subjectAltnames
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc'));
   // C=US O=bar
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc'));
 
   // Testing with an unconstrained root, and intermediate constrained to
   // permitting dirName:C=US. All failures on this section are due to cert
   // name not being C=US.
   check_ok_ca(load_cert('int-nc-c-us-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc'));
 
   // Testing with an unconstrained root, and intermediate constrained to
   // permitting dirNAME:C=US that issues an intermediate name constrained to
   // permitting DNS:foo.com. Checks for inheritance and intersection of
   // different name constraints.
   check_ok_ca(load_cert('int-nc-foo.com-int-nc-c-us-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc'));
 
   // Testing on a non constrainted root an intermediate name contrainted to
   // permited dirNAME:C=US and  permited DNS:foo.com
   // checks for compostability of different name constraints with same cert
   check_ok_ca(load_cert('int-nc-perm-foo.com_c-us-ca-nc' , ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
   // next check is ok as there is an altname and thus the name constraints do
   // not apply to the common name
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc'));
 
   // Testing on an unconstrained root and an intermediate name constrained to
   // permitted dirNAME: C=UK all but the intermeduate should fail because they
   // dont have C=UK (missing or C=US)
   check_ok_ca(load_cert('int-nc-perm-c-uk-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc'));
 
   // Testing on an unconstrained root and an intermediate name constrained to
   // permitted dirNAME: C=UK and an unconstrained intermediate that contains
   // dirNAME C=US. EE and and Intermediates should fail
   check_fail_ca(load_cert('int-c-us-int-nc-perm-c-uk-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc'));
 
   // Testing on an unconstrained root and an intermediate name constrained to
   // permitted DNS: foo.com and permitted: DNS: a.us
   check_ok_ca(load_cert('int-nc-foo.com_a.us', ',,'));
-  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us'));
 
   // Testing on an unconstrained root and an intermediate name constrained to
   // permitted DNS: foo.com and permitted: DNS:a.us that issues an intermediate
   // permitted DNS: foo.com .
-  // Goal is to ensure that the stricter (inner) name constraint ins enforced.
+  // Goal is to ensure that the stricter (inner) name constraint is enforced.
   // The multi-subject alt should fail and is the difference from the sets of
   // tests above.
   check_ok_ca(load_cert('int-nc-foo.com-int-nc-foo.com_a.us', ',,'));
-  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us'));
 
   // Testing on a root name constrainted to DNS:foo.com and an unconstrained
   // intermediate.
   // Checks that root constraints are enforced.
   check_ok_ca(load_cert('int-ca-nc-perm-foo.com', ',,'));
-  check_ok(certFromFile('cn-www.foo.com-int-ca-nc-perm-foo.com.der'));
-  check_fail(certFromFile('cn-www.foo.org-int-ca-nc-perm-foo.com.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.der'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.der'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.der'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.der'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
+  check_ok(certFromFile('cn-www.foo.com-int-ca-nc-perm-foo.com'));
+  check_fail(certFromFile('cn-www.foo.org-int-ca-nc-perm-foo.com'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com'));
+  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com'));
 
   // We don't enforce dNSName name constraints on CN unless we're validating
   // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
   // NSS get it right.
   {
-    let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
+    let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc');
     checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
                           certificateUsageSSLServer);
     checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
                           certificateUsageSSLClient);
   }
 
   // DCISS tests
   // The certs used here were generated by the NSS test suite and are
   // originally located as security/nss/tests/libpkix/cert/
-  load_cert("dcisscopy", "C,C,C");
-  check_ok(certFromFile('NameConstraints.dcissallowed.cert'));
-  check_fail(certFromFile('NameConstraints.dcissblocked.cert'));
+  load_cert("dciss", "C,C,C");
+  check_ok(certFromFile('NameConstraints.dcissallowed'));
+  check_fail(certFromFile('NameConstraints.dcissblocked'));
 }
deleted file mode 100644
index 539adcfee927bdd583c848eea16281217f5b958a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec
@@ -0,0 +1,2 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:/C=US/ST=CA/O=Foo/CN=foo.example.fr
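Review bot: The issuer value carries `/` inside attribute values (`O=PM/SGDN`, `CN=IGC/A`) while `/` also separates the attributes, so this line only means what it should if the certspec parser splits solely in front of a recognised `TYPE=`. The same line is repeated in NameConstraints.dcissblocked.pem.certspec. The allowed/blocked outcome presumably depends on this name, including the `printableString` encoding, staying identical to the subject of the `dciss` CA that the test loads, and nothing visible records that. The context comment over the DCISS block in test_name_constraints.js still reads "The certs used here were generated by the NSS test suite", which no longer describes these two end-entity certs. I would update it to something like `// the dcissallowed/dcissblocked certs are generated from certspecs; their issuer must match the dciss CA's subject exactly`.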
deleted file mode 100644
index 28f84919de2e82c0e0334e9da9c35b1c5482311b..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec
@@ -0,0 +1,2 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:/C=US/ST=CA/O=Foo/CN=foo.example.com
deleted file mode 100644
index 4ab247cc45d4591af1ca3224600d533e296483de..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-nc-perm-foo.com
+subject:ca-nc-perm-foo.com
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:foo.com
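Review bot: The `nameConstraints:permitted:foo.com` line does not show whether the generated extension is marked critical, and RFC 5280 section 4.2.1.10 requires conforming CAs to mark name constraints critical. This commit deletes the matching .der file, so the spec becomes the only readable record of what this root contains, and the criticality should be visible to a reader. If pycert.py decides it on its own, a comment beside the root-constraint checks in test_name_constraints.js would be enough, for example `// ca-nc-perm-foo.com: nameConstraints criticality is fixed by pycert.py (<critical|non-critical>, to be filled in)`.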
deleted file mode 100644
index 08ad4d381cdebcef67a468e71e1ed161ba3c4410..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-nc.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-nc
+subject:ca-nc
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
deleted file mode 100644
index 0160d3925c5475eea49e58b2d011b2f3576452e4..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
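Review bot: The file name advertises `alt-foo.com-a.a.us-b.a.us`, but the SAN line holds wildcard names (`*.foo.com,*.a.a.us,*.b.a.us`), so these cases check name constraints against wildcard entries only. If that mirrors the .der files being replaced, the conversion is faithful, but the naming convention is not written down anywhere visible. A line in the test's header such as `// "alt-X" in a cert name means a subjectAlternativeName entry of *.X` would keep a later certspec from quietly using a bare host name and changing what is tested. The same applies to the other `-alt-` certspecs added in this commit.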
deleted file mode 100644
index 21dc62154c060e46a84efef65c3813d12b0bfbed..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-ca-nc-perm-foo.com
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 018790fac9dd13a91491455999a9ef6906e923c0..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-c-us-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 7f63752e5d47470ec11dfd0290ffadb14a9ae98a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index d5da78b6482ee21ed20a137cb2caa6a18de6bfd7..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index eb003603a8c3481b8e48fa41bf2daff1d8d8a848..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 2d8698264f5228d73670f235869b75644bd9e92b..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com_a.us
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index cc39f027941d63d3ad4c38038d460e3c8d44f12d..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 5095ce1e5760232b35e3aa05fe51371be93e0392..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 2261438111881e340dbdd5bca44823687105db6b..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 366f80b8b9d6ec385cc2f545958b0e42ba61f9d3..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 74dd301385ced0b7d81c11e0fca8625fc97a1df8..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-ca-nc-perm-foo.com
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 256889e924b202c17dacf4ec4b6c365a73ec8dac..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-c-us-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 8603649b6a284639dd86d459ca5b278d96bec9d8..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index ba2195cb43fd1b47a82f940d3db0ee27a9ff3766..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index af4d98888f1f546063716ac1ab0ef057c3f1ee5d..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index f92a84f41b6629380f6da5004dabd61172858bf7..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com_a.us
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 52b65883fa4e31afcae0ee27cc1cb216e8ca6581..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 38893867e983e723c0b29fb93a13bbf45583ee06..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 8819dba08207e8389901d3cfd0a5a470a0db2838..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 51f538afa9e29bc845d7df4382072234e7a6d25e..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 382ee42869489df5d71cff55f4a3bc7acbae9b7c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-ca-nc-perm-foo.com
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 9a2a904a557e5d61ed951732e2019d4d0f8f729c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-c-us-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 0c5e593d9fca12f2b65f275fc586e2ff2000127e..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 8a6d2ce263afe9cc94024b3ca0f7210a82490879..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 164dd8270a145e464898cd2bf99732f310af5776..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 7745d82e1370407a36711c0d29be9f22a38b9aed..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com_a.us
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index a886782848c29b1a56042723e345e68d1f8995a8..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 9bca21b809ab5aab8ce18074401e8908b9ddb6b9..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 66a52718e0d462e8fccc04aa8490fd989723b6b0..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index bf68a9b3497b2d4d9019be13e5187bb6733bd7f9..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:www.foo.com
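Review bot: This spec has no `extension:subjectAlternativeName` line, so `www.foo.com` appears only in the subject CN, and nothing records that the omission is deliberate. For a name-constraints test this is presumably the case where dNSName constraints must still be applied to the common-name fallback. A later edit that adds a SAN for consistency with the neighbouring specs would silently remove that coverage. I would state the intent at the load site in test_name_constraints.js, e.g. `// no SAN on purpose: dNSName constraints must apply to the subject CN`. This also covers the other two-line `cn-www.foo.com-int-*` and `cn-www.foo.com_o-bar_c-us-int-*` specs in this commit.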
deleted file mode 100644
index 8b8a75d8c696ba5c9c7560445d8ece65e8f9180c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-ca-nc-perm-foo.com
+subject:www.foo.com
deleted file mode 100644
index fb2a618b3b48f09a45e600391a7856fcc66c2f6c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-c-us-ca-nc
+subject:www.foo.com
deleted file mode 100644
index 758942cd7f5fb1e0b1557728a646b40456a14ec6..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:www.foo.com
deleted file mode 100644
index d580b5b40cf4ad380329b1713a030395eda98745..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:www.foo.com
deleted file mode 100644
index 4eac49699a72358ab587d6454c5bdf4ac5fab571..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:www.foo.com
deleted file mode 100644
index ff7f826bf692d78e5a16a6be88f804a0bed7e45a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-foo.com_a.us
+subject:www.foo.com
deleted file mode 100644
index c0c8c346bdb533f4e04c1e5cc308e6738cd65652..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:www.foo.com
deleted file mode 100644
index 1bf74571ce74f4630af01f39157df7cd666248af..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:www.foo.com
deleted file mode 100644
index 1d1e156cf9258d85ac8d169912f31f0557a9b647..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:www.foo.com
deleted file mode 100644
index 8dbcc7dedbdf19a09b288c7a6aa0991bfda54bca..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index bd6841f172f48c017b5d1e19271d9b1cde30c40c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-ca-nc-perm-foo.com
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 7370690f5fd1757561aed839ae3a19a8748ca96d..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index b425d8576f29bbadde5df22ee37161489808cbf0..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 8920d29b9503619ca3535d60675f80c6d17431a9..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 9ab870294ce16c2139c2de662fface6410e540f8..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index daacee80eb3f582c4513b41982d214b64705b2a8..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index e376a02de9ced7abd68076af0b002f2e117db8ad..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 3daa8f6eca56c95e789e26d1d3ed1e2fb9672145..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 905ef19a5a39f29c3827e156a02683f9263d432b..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
index 7d88bd522079c79d771e42e9d9b129d75a97eac5..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 4f544228fc7f3282c351ee37c8ad43818229fc08..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-ca-nc-perm-foo.com
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 6f2b1fffb89e186e8aa4ba784bbe5dab42a214ca..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index fa9dd1a773927684aa95e4593007b4583a0097ae..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index d0774f72526cce5e370970a0def1da8e26a7b006..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 220cd9e26e5709a3902495b7b934927aa3a5f333..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 6972877c1d06edce363ccb44c0898a2369a0edb5..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 4226514cb9e9b00f661b35951b09e124120ed11a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 8e1e8ba955ff8aa3c9004da250383c3b382c1e79..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 74b52f5d682e949ed70e948e8a6fbd4ae699d207..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index a009183bd538fbcee0a7ee2248ba945092e47fdb..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 2609a435fe4da953fad45196bc5628e45050fae3..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-ca-nc-perm-foo.com
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index e694493e5713ae311f21816d997b71860bb8bc50..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 708661f5b12844eb1f6656eeaa61a5c54071f0da..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 3962eafae0b33b38734da0da29f29f916fc10b86..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 84b7359406bb504abbf521203b52a569d12b3b9b..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 2e72ad7e7db0318b9716efcf1dc2be694d06b053..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index c5936133569d0b37bb766c33459b311f5a939eba..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index b4b0d76952c13f70f75f8c2d0f8a408495d49948..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 427b87d806be7b5c9dac45e85a3556c8c8034728..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index a9146da2e2196b2983258f1e77071d5988aec085..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
index 05eb36142801d73754c1f0098a54e0d6b15c5c97..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-ca-nc-perm-foo.com
+subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
index 244c1195bb52b2b54de397337bae22906e16eb6b..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
index 8b0576f6ef05ac647e997ed32d97061e30ff9a0e..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
index c92228005ef0b6537d845ce2f534e71997c96285..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
index 87e4d3e127365ec9da39679e4f92eb90966da3c2..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
index 6525003840aa7371781e6a554d3bd81a2673bd03..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
index eb9defd0d61435ae01caa57693741cc9c6802001..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
index fbf7bcc42e29eebb3f1df48c0edad99d6ba76095..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
index 62a4e8ea7f6fe2dc8ed259aeb9ad0471e3c0faad..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
index 51945da31108def1b5b2b902dccacbfaf7955560..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index ab10102d0d128db7881a27677cabaa5b7bf45556..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-ca-nc-perm-foo.com
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index bc400d9d205614613d4b424f075b0cd7c4cebee2..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-c-us-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index a00e59a66aca37269488a154d29a9bf31befa688..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 301982154e45dcfc9d16a1d1ef3f25f76bdfc261..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 07fec6d14f6867c7691c6f746c99c277ab655a0c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 05e15c5c9b2423fa0445babbcae6c36148cd30fb..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com_a.us
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 3db5640a85b9135414c03cfe9aa6c836eb6ab2c1..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 647eef39e6b4bf7e2c6e9a6ccc4907a1e01e591e..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index ae3d47fdf467fde8b1d4ba4920bda9f5f533307e..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 32778e95bc5cff72cbc9dc27f3d48a345bdbe29d..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index d3ebdc92049cc45125e2c8db5d41bf36e0860302..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-ca-nc-perm-foo.com
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 35cddfb5390ed7466043a293e41e3fd4e427219a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-c-us-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 27f8aed4fedfec7ca4af87194421d75e6715378b..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 2b4512cfe362cce535108fb055a746ab67f13988..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index ccd0da0e2f6b20ca084993b51c2982545ef5dd4a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 4943cdd0dfeba24fbc48dd96a243ee64e3b1548b..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com_a.us
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 1935c5d5d46db58be009d65b1c6839f416949799..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index ba81d27b1e1220e37e3cd9a1e5ef37aa8c397e02..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 06f25329ef807c701d1067a305aef717fd79c97c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 7de0aebfd3a95d53fcad38eed28506126502a6d9..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:www.foo.org
deleted file mode 100644
index 40e41042f7eb960a6ff72e7f87bf318ca25f4f90..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-ca-nc-perm-foo.com
+subject:www.foo.org
deleted file mode 100644
index 8732ecfd4c4f92956d413b9352d81fec4f6ad67e..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-c-us-ca-nc
+subject:www.foo.org
deleted file mode 100644
index b15097c61064b1fd4da9737ccb1b1181fa355c72..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:www.foo.org
deleted file mode 100644
index 4da42fb61fed0464831b185952c05e5799c93638..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:www.foo.org
deleted file mode 100644
index 0d2bd9fa7493034bedf9d35628234eeee4f52cd7..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:www.foo.org
deleted file mode 100644
index d7a33c805d0b07df188b860a423dc85bac0be21e..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-foo.com_a.us
+subject:www.foo.org
deleted file mode 100644
index 39c0187113d2514d5841957c899076dc0dcbd37d..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:www.foo.org
deleted file mode 100644
index c78703b9c0f985c47b0bfb40a4c29efff6de408c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:www.foo.org
deleted file mode 100644
index 064fd35a547e8768ae080ec999d82512fb9abe29..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:www.foo.org
deleted file mode 100644
index 2018edb8f09f8ca81bc89406f93652b3291941f6..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 84d6a48b4cb4243d8467c9b964fdae9b1070d4d6..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-ca-nc-perm-foo.com
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index c0759af0476b6db79a78d098baad44ea28422e3f..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 739d08a3540438c00364a3f2f9a734e5181d84d6..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 02d856e21e90b1d816f895b5a10eb38b97326c11..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 614feaa2ccc468ccb764238919465fe0f0759225..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 91a6953875f80078eb513034ab68155ae4d76e2e..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index ca320c899239cbb817a0e8a8d60d9abe1e5abf32..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 0145924f1db37dc5dbb266391669e015c5aa364d..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 29659b5635438d23ae2fa93b28eb98432dd4f181..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
index 8806bbfbd45bdd9d0e886bd6aaefc034e1a48954..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 6fa1fbaa5a3db26db90ca7ac9ead51c88a80e7d9..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-ca-nc-perm-foo.com
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index c85d85008d392a487e30ba87ccd5595eb9829ba0..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 99169a7e5e3cf014197e150e51a6f1592a2fb3a0..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index a8717205b4fb2f6251027913d832077da46730bb..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 5adf36017179b56980e0afa10085ded16ac3e261..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index d7f275ec71f2b808682c4765bba6bba5fa8a3152..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 36de02024d07ed91308674f40e81bdc60b53139d..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index d257615fbd7e1990bdf140eecc487cd7c773ead3..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 2677c909b76a664d4956e50515cfe815bf383631..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
+extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
index 16b8ffcc6fca927a3cf476497311ed25abbdd20d..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
index f123439d9aa08f9ced39262bd3f9a6ea290e683c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-ca-nc-perm-foo.com
+subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
index 42d8eddc7c2c3420e079e55c444659271fc01ccc..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
index 309ee4a1339ef593bb1d55f57aa556478db6e78a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-excl-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
index 31915ebf85bf65c8f58f0ae2a540e26267280d2a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
index 410707ce0a42d669e8876deb478f14ce61e5ccdf..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-foo.com-int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
index 914fe952b7f6383ec624dd7119bc9ded9a9866ab..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-foo.com_a.us
+subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
index 3b804292588dfd8766e384c0820906446e742434..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
index 0231f888f6058173c6d81019f42516135f3b1d2a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-foo.com-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
index cb6afea4428e637a2bd9aa450663e07b6a88a07f..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-nc-perm-foo.com_c-us-ca-nc
+subject:/C=US/O=bar/CN=www.foo.org
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
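Review bot: The `issuer:` and `subject:` lines of dciss.pem.certspec carry a real-world DN with an explicit `printableString` prefix and an `emailAddress` value containing `@`, which is outside the PrintableString alphabet, and nothing records why this exact form is needed. Judging by the dcissallowed/dcissblocked fixtures beside it, this root presumably has to match a DN that the verifier constrains by name, so the encoding of each attribute decides whether the constraint path is exercised at all. It is not clear from this hunk whether the certspec format accepts comments, so I would document it next to the dciss cases in test_name_constraints.js, e.g. `// dciss.pem.certspec must encode the DCSSI DN exactly as the verifier expects; confirm emailAddress is not emitted as PrintableString`.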
deleted file mode 100644
index a3fbd91f3fd4521875fafd981592dd6ea263e2b1..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
--- a/security/manager/ssl/tests/unit/test_name_constraints/generate.py
+++ b/security/manager/ssl/tests/unit/test_name_constraints/generate.py
@@ -1,363 +1,117 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-import tempfile, os, sys
-import random
-import pexpect
-import subprocess
-import shutil
-
-libpath = os.path.abspath('../psm_common_py')
-
-sys.path.append(libpath)
-
-import CertUtils
-
-srcdir = os.getcwd()
-db = tempfile.mkdtemp()
-
-CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
-EE_basic_constraints = "basicConstraints = CA:FALSE\n"
-
-CA_full_ku = ("keyUsage = keyCertSign, cRLSign\n")
-
-authority_key_ident = "authorityKeyIdentifier = keyid, issuer\n"
-subject_key_ident = "subjectKeyIdentifier = hash\n"
+def writeSpecification(subject, issuer, extensions, fileBase):
+    with open('%s.pem.certspec' % fileBase, 'w+') as f:
+        f.write('issuer:%s\n' % issuer)
+        f.write('subject:%s\n' % subject)
+        if extensions:
+            f.write('%s\n' % extensions)
 
-def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name):
-    key_type = 'rsa'
-    ee_ext_base = EE_basic_constraints + authority_key_ident;
-    #cn =foo.com
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    10,
-                                    key_type,
-                                    'cn-www.foo.com-'+ base_name,
-                                    ee_ext_base,
-                                    ca_key,
-                                    ca_cert,
-                                    '/CN=www.foo.com')
-    #cn = foo.org
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    11,
-                                    key_type,
-                                    'cn-www.foo.org-'+ base_name,
-                                    ee_ext_base,
-                                    ca_key,
-                                    ca_cert,
-                                    '/CN=www.foo.org')
-    #cn = foo.com, alt= foo.org
-    alt_name_ext = 'subjectAltName =DNS:*.foo.org'
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    12,
-                                    key_type,
-                                    'cn-www.foo.com-alt-foo.org-'+ base_name,
-                                    ee_ext_base + alt_name_ext,
-                                    ca_key,
-                                    ca_cert,
-                                    '/CN=www.foo.com')
-    #cn = foo.org, alt= foo.com
-    alt_name_ext = 'subjectAltName =DNS:*.foo.com'
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    13,
-                                    key_type,
-                                    'cn-www.foo.org-alt-foo.com-'+ base_name,
-                                    ee_ext_base + alt_name_ext,
-                                    ca_key,
-                                    ca_cert,
-                                    '/CN=www.foo.org')
-    #cn = foo.com, alt=foo.com
-    alt_name_ext = 'subjectAltName =DNS:*.foo.com'
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    14,
-                                    key_type,
-                                    'cn-www.foo.com-alt-foo.com-'+ base_name,
-                                    ee_ext_base + alt_name_ext,
-                                    ca_key,
-                                    ca_cert,
-                                    '/CN=www.foo.com')
-    #cn = foo.org, alt=foo.org
-    alt_name_ext = 'subjectAltName =DNS:*.foo.org'
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    15,
-                                    key_type,
-                                    'cn-www.foo.org-alt-foo.org-'+ base_name,
-                                    ee_ext_base + alt_name_ext,
-                                    ca_key,
-                                    ca_cert,
-                                    '/CN=www.foo.org')
+def generateCommonEndEntityCertificates(issuer, issuerFileBase):
+    writeSpecification('www.foo.com', issuer, None, 'cn-www.foo.com-%s' % issuerFileBase)
+    writeSpecification('www.foo.org', issuer, None, 'cn-www.foo.org-%s' % issuerFileBase)
+    writeSpecification('www.foo.com', issuer, 'extension:subjectAlternativeName:*.foo.org',
+        'cn-www.foo.com-alt-foo.org-%s' % issuerFileBase)
+    writeSpecification('www.foo.org', issuer, 'extension:subjectAlternativeName:*.foo.com',
+        'cn-www.foo.org-alt-foo.com-%s' % issuerFileBase)
+    writeSpecification('www.foo.com', issuer, 'extension:subjectAlternativeName:*.foo.com',
+        'cn-www.foo.com-alt-foo.com-%s' % issuerFileBase)
+    writeSpecification('www.foo.org', issuer, 'extension:subjectAlternativeName:*.foo.org',
+        'cn-www.foo.org-alt-foo.org-%s' % issuerFileBase)
+    writeSpecification('www.foo.com', issuer,
+        'extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us',
+        'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-%s' % issuerFileBase)
+    writeSpecification('/C=US/O=bar/CN=www.foo.com', issuer, None,
+        'cn-www.foo.com_o-bar_c-us-%s' % issuerFileBase)
+    writeSpecification('/C=US/O=bar/CN=www.foo.org', issuer, None,
+        'cn-www.foo.org_o-bar_c-us-%s' % issuerFileBase)
+    writeSpecification('/C=US/O=bar/CN=www.foo.com', issuer,
+        'extension:subjectAlternativeName:*.foo.org',
+        'cn-www.foo.com_o-bar_c-us-alt-foo.org-%s' % issuerFileBase)
+    writeSpecification('/C=US/O=bar/CN=www.foo.org', issuer,
+        'extension:subjectAlternativeName:*.foo.com',
+        'cn-www.foo.org_o-bar_c-us-alt-foo.com-%s' % issuerFileBase)
+    writeSpecification('/C=US/O=bar/CN=www.foo.com', issuer,
+        'extension:subjectAlternativeName:*.foo.com',
+        'cn-www.foo.com_o-bar_c-us-alt-foo.com-%s' % issuerFileBase)
+    writeSpecification('/C=US/O=bar/CN=www.foo.org', issuer,
+        'extension:subjectAlternativeName:*.foo.org',
+        'cn-www.foo.org_o-bar_c-us-alt-foo.org-%s' % issuerFileBase)
+    writeSpecification('/C=US/O=bar/CN=www.foo.com', issuer,
+        'extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us',
+        'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-%s' % issuerFileBase)
 
-    #cn = foo.com, alt=foo.com,a.a.us,b.a.us
-    alt_name_ext = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us'
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    16,
-                                    key_type,
-                                    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-'+ base_name,
-                                    ee_ext_base + alt_name_ext,
-                                    ca_key,
-                                    ca_cert,
-                                    '/CN=www.foo.com')
-
-
-
-    #cn =foo.com O=bar C=US
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    17,
-                                    key_type,
-                                    'cn-www.foo.com_o-bar_c-us-'+ base_name,
-                                    ee_ext_base,
-                                    ca_key,
-                                    ca_cert,
-                                    '/C=US/O=bar/CN=www.foo.com')
+def generateCerts():
+    # Unconstrainted root certificate to issue most intermediates
+    caExtensions = 'extension:basicConstraints:cA,\nextension:keyUsage:cRLSign,keyCertSign'
+    writeSpecification('ca-nc', 'ca-nc', caExtensions, 'ca-nc')
 
-    #cn = foo.org O=bar C=US
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    18,
-                                    key_type,
-                                    'cn-www.foo.org_o-bar_c-us-'+ base_name,
-                                    ee_ext_base,
-                                    ca_key,
-                                    ca_cert,
-                                    '/C=US/O=bar/CN=www.foo.org')
-    #cn = foo.com, alt= foo.org
-    alt_name_ext = 'subjectAltName =DNS:*.foo.org'
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    19,
-                                    key_type,
-                                    'cn-www.foo.com_o-bar_c-us-alt-foo.org-'+ base_name,
-                                    ee_ext_base + alt_name_ext,
-                                    ca_key,
-                                    ca_cert,
-                                    '/C=US/O=bar/CN=www.foo.com')
-    #cn = foo.org, alt= foo.com
-    alt_name_ext = 'subjectAltName =DNS:*.foo.com'
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    20,
-                                    key_type,
-                                    'cn-www.foo.org_o-bar_c-us-alt-foo.com-'+ base_name,
-                                    ee_ext_base + alt_name_ext,
-                                    ca_key,
-                                    ca_cert,
-                                    '/C=US/O=bar/CN=www.foo.org')
-    #cn = foo.com, alt=foo.com
-    alt_name_ext = 'subjectAltName =DNS:*.foo.com'
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    21,
-                                    key_type,
-                                    'cn-www.foo.com_o-bar_c-us-alt-foo.com-'+ base_name,
-                                    ee_ext_base + alt_name_ext,
-                                    ca_key,
-                                    ca_cert,
-                                    '/C=US/O=bar/CN=www.foo.com')
-    #cn = foo.org, alt=foo.org
-    alt_name_ext = 'subjectAltName =DNS:*.foo.org'
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    22,
-                                    key_type,
-                                    'cn-www.foo.org_o-bar_c-us-alt-foo.org-'+ base_name,
-                                    ee_ext_base + alt_name_ext,
-                                    ca_key,
-                                    ca_cert,
-                                    '/C=US/O=bar/CN=www.foo.org')
+    # Intermediate with permitted subtree: dNSName:foo.com
+    writeSpecification('int-nc-perm-foo.com-ca-nc', 'ca-nc',
+        caExtensions + '\nextension:nameConstraints:permitted:foo.com',
+        'int-nc-perm-foo.com-ca-nc')
+    generateCommonEndEntityCertificates('int-nc-perm-foo.com-ca-nc', 'int-nc-perm-foo.com-ca-nc')
 
-    #cn = foo.com, alt=foo.com,a.a.us.com,b.a.us
-    alt_name_ext = 'subjectAltName =DNS:*.foo.com,DNS:*.a.a.us,DNS:*.b.a.us'
-    CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    23,
-                                    key_type,
-                                    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-'+ base_name,
-                                    ee_ext_base + alt_name_ext,
-                                    ca_key,
-                                    ca_cert,
-                                    '/C=US/O=bar/CN=www.foo.com')
-
-
-
+    # Intermediate with excluded subtree: dNSName:foo.com
+    writeSpecification('int-nc-excl-foo.com-ca-nc', 'ca-nc',
+        caExtensions + '\nextension:nameConstraints:excluded:foo.com',
+        'int-nc-excl-foo.com-ca-nc')
+    generateCommonEndEntityCertificates('int-nc-excl-foo.com-ca-nc', 'int-nc-excl-foo.com-ca-nc')
 
-def self_sign_csr(db_dir, dst_dir, csr_name, key_file, serial_num, ext_text,
-                  out_prefix):
-    extensions_filename = db_dir + "/openssl-exts"
-    f = open(extensions_filename, 'w')
-    f.write(ext_text)
-    f.close()
-    cert_name = dst_dir + "/" + out_prefix + ".der"
-    os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
-               " -signkey " + key_file +
-               " -set_serial " + str(serial_num) +
-               " -extfile " + extensions_filename +
-               " -outform DER -out " + cert_name)
-
-
+    # Intermediate with permitted subtree: directoryName:/C=US
+    writeSpecification('int-nc-c-us-ca-nc', 'ca-nc',
+        caExtensions + '\nextension:nameConstraints:permitted:/C=US', 'int-nc-c-us-ca-nc')
+    generateCommonEndEntityCertificates('int-nc-c-us-ca-nc', 'int-nc-c-us-ca-nc')
 
-def generate_certs():
-    key_type = 'rsa'
-    ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident;
-    ee_ext_text = (EE_basic_constraints + authority_key_ident)
-    [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
-                                                        srcdir,
-                                                        1,
-                                                        key_type,
-                                                        'ca-nc',
-                                                         ca_ext)
-    #now the constrained via perm
-    name = 'int-nc-perm-foo.com-ca-nc'
-    name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
-    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    101,
-                                    key_type,
-                                    name,
-                                    ca_ext + authority_key_ident + name_constraints,
-                                    ca_key,
-                                    ca_cert)
-    generate_family(db, srcdir, int_key, int_cert, name)
+    # Intermediate issued by previous intermediate with permitted subtree: dnsName:foo.com
+    writeSpecification('/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc', 'int-nc-c-us-ca-nc',
+        caExtensions + '\nextension:nameConstraints:permitted:foo.com',
+        'int-nc-foo.com-int-nc-c-us-ca-nc')
+    generateCommonEndEntityCertificates('/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc',
+        'int-nc-foo.com-int-nc-c-us-ca-nc')
 
-    #now the constrained via excl
-    name = 'int-nc-excl-foo.com-ca-nc'
-    name_constraints = "nameConstraints = excluded;DNS:foo.com\n"
-    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    102,
-                                    key_type,
-                                    name,
-                                    ca_ext + name_constraints + authority_key_ident,
-                                    ca_key,
-                                    ca_cert)
-    generate_family(db, srcdir, int_key, int_cert, name)
+    # Intermediate with permitted subtree: dNSName:foo.com, directoryName:/C=US
+    writeSpecification('int-nc-perm-foo.com_c-us-ca-nc', 'ca-nc',
+        caExtensions + '\nextension:nameConstraints:permitted:foo.com,/C=US',
+        'int-nc-perm-foo.com_c-us-ca-nc')
+    generateCommonEndEntityCertificates('int-nc-perm-foo.com_c-us-ca-nc',
+        'int-nc-perm-foo.com_c-us-ca-nc')
 
-    #now constrained to permitted: O=bar C=US
-    name = 'int-nc-c-us-ca-nc'
-    name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
-    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    103,
-                                    key_type,
-                                    name,
-                                    ca_ext + authority_key_ident + name_constraints,
-                                    ca_key,
-                                    ca_cert)
-    generate_family(db, srcdir, int_key, int_cert, name)
-
-    #now make a subCA that is also constrainted to foo.com (combine constraints) 
-    name = 'int-nc-foo.com-int-nc-c-us-ca-nc'
-    name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n"
-    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    104,
-                                    key_type,
-                                    name,
-                                    ca_ext + name_constraints + authority_key_ident,
-                                    int_key,
-                                    int_cert,
-                                    '/C=US/CN='+ name)
-    generate_family(db, srcdir, int_key, int_cert, name)
+    # Intermediate with permitted subtree: directoryName:/C=UK
+    writeSpecification('int-nc-perm-c-uk-ca-nc', 'ca-nc',
+        caExtensions + '\nextension:nameConstraints:permitted:/C=UK', 'int-nc-perm-c-uk-ca-nc')
+    generateCommonEndEntityCertificates('int-nc-perm-c-uk-ca-nc', 'int-nc-perm-c-uk-ca-nc')
 
-
-    #now single intermediate constrainted to  permitted O=bar C=US & DNS foo.com
-    name = 'int-nc-perm-foo.com_c-us-ca-nc'
-    name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;dirName:dir_sect\n[dir_sect]\nC=US\n\n\n"
-    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    105,
-                                    key_type,
-                                    name,
-                                    ca_ext + authority_key_ident + name_constraints,
-                                    ca_key,
-                                    ca_cert)
-    generate_family(db, srcdir, int_key, int_cert, name)
+    # Intermediate issued by previous intermediate in a different directoryName tree
+    writeSpecification('/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc', 'int-nc-perm-c-uk-ca-nc',
+        caExtensions, 'int-c-us-int-nc-perm-c-uk-ca-nc')
+    generateCommonEndEntityCertificates('/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc',
+        'int-c-us-int-nc-perm-c-uk-ca-nc')
 
-    #now constrainted to permitted C=UK (all ee must fail)
-    name = 'int-nc-perm-c-uk-ca-nc'
-    name_constraints = "nameConstraints = permitted;dirName:dir_sect\n[dir_sect]\nC=UK\n\n\n"
-    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    106,
-                                    key_type,
-                                    name,
-                                    ca_ext + authority_key_ident + name_constraints,
-                                    ca_key,
-                                    ca_cert)
-    generate_family(db, srcdir, int_key, int_cert, name)
-
-    #now an unconstrained sub intermediate from the UK cert (all ee must fail) not in the same name space
-    name = 'int-c-us-int-nc-perm-c-uk-ca-nc'
-    #name_constraints = "nameConstraints = permitted;DNS:foo.com\n\n\n"
-    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    108,
-                                    key_type,
-                                    name,
-                                    ca_ext + authority_key_ident,
-                                    int_key,
-                                    int_cert,
-                                    '/C=US/CN='+ name)
-    generate_family(db, srcdir, int_key, int_cert, name)
+    # Intermediate with permitted subtree: dNSName:foo.com, dNSName:a.us
+    writeSpecification('int-nc-foo.com_a.us', 'ca-nc',
+        caExtensions + '\nextension:nameConstraints:permitted:foo.com,a.us',
+        'int-nc-foo.com_a.us')
+    generateCommonEndEntityCertificates('int-nc-foo.com_a.us', 'int-nc-foo.com_a.us')
 
-    #now we generate permitted to foo.com and example2.com
-    name = 'int-nc-foo.com_a.us'
-    name_constraints = "nameConstraints = permitted;DNS:foo.com,permitted;DNS:a.us\n"
-    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    109,
-                                    key_type,
-                                    name,
-                                    ca_ext + authority_key_ident + name_constraints,
-                                    ca_key,
-                                    ca_cert)
-    generate_family(db, srcdir, int_key, int_cert, name)
-
-    #A sub ca contrained to foo.com with signer constrained to foo.com and example2.com
-    name = 'int-nc-foo.com-int-nc-foo.com_a.us'
-    name_constraints = "nameConstraints = permitted;DNS:foo.com\n"
-    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    110,
-                                    key_type,
-                                    name,
-                                    ca_ext + authority_key_ident + name_constraints,
-                                    ca_key,
-                                    ca_cert)
-    generate_family(db, srcdir, int_key, int_cert, name)
+    # Intermediate issued by previous intermediate with permitted subtree: dNSName:foo.com
+    writeSpecification('int-nc-foo.com-int-nc-foo.com_a.us', 'int-nc-foo.com_a.us',
+        caExtensions + '\nextension:nameConstraints:permitted:foo.com',
+        'int-nc-foo.com-int-nc-foo.com_a.us')
+    generateCommonEndEntityCertificates('int-nc-foo.com-int-nc-foo.com_a.us',
+        'int-nc-foo.com-int-nc-foo.com_a.us')
 
-
-
-    #now we generate a root that is name constrained
-    name_constraints = "nameConstraints = permitted;DNS:foo.com\n "
-    [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
-                                                        srcdir,
-                                                        1,
-                                                        key_type,
-                                                        'ca-nc-perm-foo.com',
-                                                        ca_ext + name_constraints)
+    # Root certificate with permitted subtree: dNSName:foo.com
+    writeSpecification('ca-nc-perm-foo.com', 'ca-nc-perm-foo.com',
+        caExtensions + '\nextension:nameConstraints:permitted:foo.com', 'ca-nc-perm-foo.com')
 
-    #and an unconstrained int
-    name = 'int-ca-nc-perm-foo.com'
-    name_constraints = "\n"
-    [int_key, int_cert] = CertUtils.generate_cert_generic(db,
-                                    srcdir,
-                                    111,
-                                    key_type,
-                                    name,
-                                    ca_ext + name_constraints + authority_key_ident,
-                                    ca_key,
-                                    ca_cert)
-    generate_family(db, srcdir, int_key, int_cert, name) 
+    # Intermediate without name constraints issued by constrained root
+    writeSpecification('int-ca-nc-perm-foo.com', 'ca-nc-perm-foo.com', caExtensions,
+        'int-ca-nc-perm-foo.com')
+    generateCommonEndEntityCertificates('int-ca-nc-perm-foo.com', 'int-ca-nc-perm-foo.com')
 
-
-generate_certs()
+generateCerts()
deleted file mode 100644
index 8e78c7729a33c5e945631ecc93d472a342290017..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-nc-perm-c-uk-ca-nc
+subject:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
deleted file mode 100644
index c209e24fa4ff6d09aa288b17bfeccec488b62e2c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-ca-nc-perm-foo.com.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-nc-perm-foo.com
+subject:int-ca-nc-perm-foo.com
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
deleted file mode 100644
index e6e09cd7ce2b0c68967752cf9a9effb0f73b28ce..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-nc
+subject:int-nc-c-us-ca-nc
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:/C=US
deleted file mode 100644
index 4b47b9981422a78b274bb2c3781331217c90f8e9..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-nc-excl-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-nc
+subject:int-nc-excl-foo.com-ca-nc
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:excluded:foo.com
deleted file mode 100644
index a0301066c26f8a15f466bc8eca20174641351f1c..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-nc-c-us-ca-nc
+subject:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:foo.com
deleted file mode 100644
index aaf473d5ab3c366034d5fb3c77d44be7a20ce0a8..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-nc-foo.com_a.us
+subject:int-nc-foo.com-int-nc-foo.com_a.us
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:foo.com
deleted file mode 100644
index 32fbc8817b3cfbc383bd1564582cbf2b55150d31..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com_a.us.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-nc
+subject:int-nc-foo.com_a.us
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:foo.com,a.us
deleted file mode 100644
index a14a36c007d08f3e42db0881e47352835be880c0..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-c-uk-ca-nc.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-nc
+subject:int-nc-perm-c-uk-ca-nc
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:/C=UK
deleted file mode 100644
index eee054a8e279921f8b53e3a39d47c904e9a865d7..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-foo.com-ca-nc.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-nc
+subject:int-nc-perm-foo.com-ca-nc
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:foo.com
deleted file mode 100644
index 0c4959f74b021134bb6a8643e8c9c004309b40f0..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-nc
+subject:int-nc-perm-foo.com_c-us-ca-nc
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:foo.com,/C=US
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/moz.build
@@ -0,0 +1,171 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+test_certificates = (
+    'NameConstraints.dcissallowed.pem',
+    'NameConstraints.dcissblocked.pem',
+    'ca-nc-perm-foo.com.pem',
+    'ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.org-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.pem',
+    'cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.pem',
+    'cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem',
+    'cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'dciss.pem',
+    'int-c-us-int-nc-perm-c-uk-ca-nc.pem',
+    'int-ca-nc-perm-foo.com.pem',
+    'int-nc-c-us-ca-nc.pem',
+    'int-nc-excl-foo.com-ca-nc.pem',
+    'int-nc-foo.com-int-nc-c-us-ca-nc.pem',
+    'int-nc-foo.com-int-nc-foo.com_a.us.pem',
+    'int-nc-foo.com_a.us.pem',
+    'int-nc-perm-c-uk-ca-nc.pem',
+    'int-nc-perm-foo.com-ca-nc.pem',
+    'int-nc-perm-foo.com_c-us-ca-nc.pem',
+)
+
+for test_certificate in test_certificates:
+    input_file = test_certificate + '.certspec'
+    GENERATED_FILES += [test_certificate]
+    props = GENERATED_FILES[test_certificate]
+    props.script = '../pycert.py'
+    props.inputs = [input_file]
+    TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_name_constraints += ['!%s' % test_certificate]
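Review bot: The `test_certificates` tuple in this new moz.build lists by hand every certificate that has a `.certspec` input, and nothing visible in the hunk ties the list to the specifications that generate.py writes. If the two drift, a name-constraints case would presumably either break the build on a missing input or be left out of the harness files, so the dependency is worth stating above the tuple: `# Keep in sync with generate.py: one entry per <name>.certspec it writes.` The loop's last line would also benefit from a short comment such as `# '!' marks an objdir path: the .pem is produced by pycert.py at build time, not checked in.`, because the prefix is easy to misread as negation. The relative `'../pycert.py'` script path could likewise note that it resolves against this directory.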