bug 1255153 - (re)move redundant xpcshell name constraint tests to gtests r=Cykesiopka,jcj
authorDavid Keeler <dkeeler@mozilla.com>
Wed, 09 Mar 2016 14:33:31 -0800
changeset 288647 e6092e439db9d332d8f62d0cfcf10b6e13379ad4
parent 288646 9ccaec771922f823a5e006ccaff6fc177dd2ee4f
child 288648 7b559b11d4d1a07ba987fe5a2ec7b036a73185ef
push id18174
push usercbook@mozilla.com
push dateTue, 15 Mar 2016 09:44:58 +0000
treeherderfx-team@dd0baa33759d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersCykesiopka, jcj
bugs1255153
milestone48.0a1
bug 1255153 - (re)move redundant xpcshell name constraint tests to gtests r=Cykesiopka,jcj MozReview-Commit-ID: 8eFSIhB1RId
security/manager/ssl/tests/unit/test_name_constraints.js
security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/generate.py
security/manager/ssl/tests/unit/test_name_constraints/int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-ca-nc-perm-foo.com.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-excl-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com_a.us.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-c-uk-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-foo.com-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
security/manager/ssl/tests/unit/test_name_constraints/moz.build
security/pkix/test/gtest/pkixnames_tests.cpp
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -1,270 +1,63 @@
 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 "use strict";
 
+// This test tests two specific items:
+// 1. Are name constraints properly enforced across the entire constructed
+// certificate chain? This makes use of a certificate hierarchy like so:
+//  - (trusted) root CA with permitted subtree dNSName example.com
+//  - intermediate CA with permitted subtree dNSName example.org
+//    a. end-entity with dNSNames example.com and example.org
+//       (the first entry is allowed by the root but not by the intermediate,
+//        and the second entry is allowed by the intermediate but not by the
+//        root)
+//    b. end-entity with dNSName example.com (not allowed by the intermediate)
+//    c. end-entity with dNSName examle.org (not allowed by the root)
+//    d. end-entity with dNSName example.test (not allowed by either)
+//  All of these cases should fail to verify with the error that the
+//  end-entity is not in the name space permitted by the hierarchy.
+//
+// 2. Are externally-imposed name constraints properly enforced? This makes use
+// of a certificate hierarchy rooted by a certificate with the same DN as an
+// existing hierarchy that has externally-imposed name constraints (DCISS).
+
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function certFromFile(name) {
   return constructCertFromFile(`test_name_constraints/${name}.pem`);
 }
 
-function load_cert(cert_name, trust_string) {
-  addCertFromFile(certdb, `test_name_constraints/${cert_name}.pem`, trust_string);
-  return certFromFile(cert_name);
-}
-
-function check_cert_err(cert, expected_error) {
-  checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
+function loadCertWithTrust(certName, trustString) {
+  addCertFromFile(certdb, `test_name_constraints/${certName}.pem`,
+                  trustString);
 }
 
-function check_ok(x) {
-  return check_cert_err(x, PRErrorCodeSuccess);
-}
-
-function check_ok_ca (x) {
-  checkCertErrorGeneric(certdb, x, PRErrorCodeSuccess, certificateUsageSSLCA);
+function checkCertNotInNameSpace(cert) {
+  checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
+                        certificateUsageSSLServer);
 }
 
-function check_fail(x) {
-  return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
-}
-
-function check_fail_ca(x) {
-  checkCertErrorGeneric(certdb, x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
-                        certificateUsageSSLCA);
+function checkCertInNameSpace(cert) {
+  checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
+                        certificateUsageSSLServer);
 }
 
 function run_test() {
-  load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
-  load_cert("ca-nc", "CTu,CTu,CTu");
-
-  // Note that CN is only looked at when there is NO subjectAltName!
-
-  // Testing with a unconstrained root, and intermediate constrained to PERMIT
-  // foo.com. All failures on this section are doe to the cert DNS names
-  // not being under foo.com.
-  check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
-  // no dirName
-  check_ok(certFromFile('cn-www.foo.com-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
-  // multiple subjectAltnames
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc'));
-  // C=US O=bar
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc'));
-  // multiple subjectAltnames
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc'));
-
-  // Testing with an unconstrained root and intermediate constrained to
-  // EXCLUDE DNS:example.com. All failures on this section are due to the cert
-  // DNS names containing example.com. The dirname does not affect evaluation.
-  check_ok_ca(load_cert('int-nc-excl-foo.com-ca-nc', ',,'));
-  // no dirName
-  check_fail(certFromFile('cn-www.foo.com-int-nc-excl-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org-int-nc-excl-foo.com-ca-nc'));
-  // notice that since the name constrains apply to the dns name the cn is not
-  // evaluated in the case where a subjectAltName exists. Thus the next case is
-  // correctly passing.
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
-  // multiple subjectAltnames
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc'));
-  // C=US O=bar
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc'));
-
-  // Testing with an unconstrained root, and intermediate constrained to
-  // permitting dirName:C=US. All failures on this section are due to cert
-  // name not being C=US.
-  check_ok_ca(load_cert('int-nc-c-us-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc'));
-
-  // Testing with an unconstrained root, and intermediate constrained to
-  // permitting dirNAME:C=US that issues an intermediate name constrained to
-  // permitting DNS:foo.com. Checks for inheritance and intersection of
-  // different name constraints.
-  check_ok_ca(load_cert('int-nc-foo.com-int-nc-c-us-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc'));
-
-  // Testing on a non constrainted root an intermediate name contrainted to
-  // permited dirNAME:C=US and  permited DNS:foo.com
-  // checks for compostability of different name constraints with same cert
-  check_ok_ca(load_cert('int-nc-perm-foo.com_c-us-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
-  // next check is ok as there is an altname and thus the name constraints do
-  // not apply to the common name
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc'));
+  // Test that name constraints from the entire certificate chain are enforced.
+  loadCertWithTrust("ca-example-com-permitted", "CTu,,");
+  loadCertWithTrust("int-example-org-permitted", ",,");
+  checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
+  checkCertNotInNameSpace(certFromFile("ee-example-com"));
+  checkCertNotInNameSpace(certFromFile("ee-example-org"));
+  checkCertNotInNameSpace(certFromFile("ee-example-test"));
 
-  // Testing on an unconstrained root and an intermediate name constrained to
-  // permitted dirNAME: C=UK all but the intermeduate should fail because they
-  // dont have C=UK (missing or C=US)
-  check_ok_ca(load_cert('int-nc-perm-c-uk-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc'));
-
-  // Testing on an unconstrained root and an intermediate name constrained to
-  // permitted dirNAME: C=UK and an unconstrained intermediate that contains
-  // dirNAME C=US. EE and and Intermediates should fail
-  check_fail_ca(load_cert('int-c-us-int-nc-perm-c-uk-ca-nc', ',,'));
-  check_fail(certFromFile('cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc'));
-
-  // Testing on an unconstrained root and an intermediate name constrained to
-  // permitted DNS: foo.com and permitted: DNS: a.us
-  check_ok_ca(load_cert('int-nc-foo.com_a.us', ',,'));
-  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us'));
-
-  // Testing on an unconstrained root and an intermediate name constrained to
-  // permitted DNS: foo.com and permitted: DNS:a.us that issues an intermediate
-  // permitted DNS: foo.com .
-  // Goal is to ensure that the stricter (inner) name constraint is enforced.
-  // The multi-subject alt should fail and is the difference from the sets of
-  // tests above.
-  check_ok_ca(load_cert('int-nc-foo.com-int-nc-foo.com_a.us', ',,'));
-  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us'));
-
-  // Testing on a root name constrainted to DNS:foo.com and an unconstrained
-  // intermediate.
-  // Checks that root constraints are enforced.
-  check_ok_ca(load_cert('int-ca-nc-perm-foo.com', ',,'));
-  check_ok(certFromFile('cn-www.foo.com-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.org-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com'));
-  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com'));
-  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com'));
-  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com'));
-  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com'));
-  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com'));
-
-  // We don't enforce dNSName name constraints on CN unless we're validating
-  // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
-  // NSS get it right.
-  {
-    let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc');
-    checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
-                          certificateUsageSSLServer);
-    checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
-                          certificateUsageSSLClient);
-  }
-
-  // DCISS tests
-  // The certs used here were generated by the NSS test suite and are
-  // originally located as security/nss/tests/libpkix/cert/
-  load_cert("dciss", "C,C,C");
-  check_ok(certFromFile('NameConstraints.dcissallowed'));
-  check_fail(certFromFile('NameConstraints.dcissblocked'));
+  // Test that externally-imposed name constraints are enforced (DCISS tests).
+  loadCertWithTrust("dciss", "CTu,,");
+  checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
+  checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
 }
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-example-com-permitted
+subject:ca-example-com-permitted
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:example.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:ca-nc-perm-foo.com
-subject:ca-nc-perm-foo.com
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
-extension:nameConstraints:permitted:foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/ca-nc.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:ca-nc
-subject:ca-nc
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
-extension:subjectAlternativeName:*.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-ca-nc-perm-foo.com
-subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-excl-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-foo.com-int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,2 +0,0 @@
-issuer:int-nc-perm-foo.com_c-us-ca-nc
-subject:/C=US/O=bar/CN=www.foo.org
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-com-and-org
+extension:subjectAlternativeName:example.com,example.org
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-com
+extension:subjectAlternativeName:example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-org
+extension:subjectAlternativeName:example.org
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-test
+extension:subjectAlternativeName:example.test
deleted file mode 100755
--- a/security/manager/ssl/tests/unit/test_name_constraints/generate.py
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/usr/bin/env python
-
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-def writeSpecification(subject, issuer, extensions, fileBase):
-    with open('%s.pem.certspec' % fileBase, 'w+') as f:
-        f.write('issuer:%s\n' % issuer)
-        f.write('subject:%s\n' % subject)
-        if extensions:
-            f.write('%s\n' % extensions)
-
-def generateCommonEndEntityCertificates(issuer, issuerFileBase):
-    writeSpecification('www.foo.com', issuer, None, 'cn-www.foo.com-%s' % issuerFileBase)
-    writeSpecification('www.foo.org', issuer, None, 'cn-www.foo.org-%s' % issuerFileBase)
-    writeSpecification('www.foo.com', issuer, 'extension:subjectAlternativeName:*.foo.org',
-        'cn-www.foo.com-alt-foo.org-%s' % issuerFileBase)
-    writeSpecification('www.foo.org', issuer, 'extension:subjectAlternativeName:*.foo.com',
-        'cn-www.foo.org-alt-foo.com-%s' % issuerFileBase)
-    writeSpecification('www.foo.com', issuer, 'extension:subjectAlternativeName:*.foo.com',
-        'cn-www.foo.com-alt-foo.com-%s' % issuerFileBase)
-    writeSpecification('www.foo.org', issuer, 'extension:subjectAlternativeName:*.foo.org',
-        'cn-www.foo.org-alt-foo.org-%s' % issuerFileBase)
-    writeSpecification('www.foo.com', issuer,
-        'extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us',
-        'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-%s' % issuerFileBase)
-    writeSpecification('/C=US/O=bar/CN=www.foo.com', issuer, None,
-        'cn-www.foo.com_o-bar_c-us-%s' % issuerFileBase)
-    writeSpecification('/C=US/O=bar/CN=www.foo.org', issuer, None,
-        'cn-www.foo.org_o-bar_c-us-%s' % issuerFileBase)
-    writeSpecification('/C=US/O=bar/CN=www.foo.com', issuer,
-        'extension:subjectAlternativeName:*.foo.org',
-        'cn-www.foo.com_o-bar_c-us-alt-foo.org-%s' % issuerFileBase)
-    writeSpecification('/C=US/O=bar/CN=www.foo.org', issuer,
-        'extension:subjectAlternativeName:*.foo.com',
-        'cn-www.foo.org_o-bar_c-us-alt-foo.com-%s' % issuerFileBase)
-    writeSpecification('/C=US/O=bar/CN=www.foo.com', issuer,
-        'extension:subjectAlternativeName:*.foo.com',
-        'cn-www.foo.com_o-bar_c-us-alt-foo.com-%s' % issuerFileBase)
-    writeSpecification('/C=US/O=bar/CN=www.foo.org', issuer,
-        'extension:subjectAlternativeName:*.foo.org',
-        'cn-www.foo.org_o-bar_c-us-alt-foo.org-%s' % issuerFileBase)
-    writeSpecification('/C=US/O=bar/CN=www.foo.com', issuer,
-        'extension:subjectAlternativeName:*.foo.com,*.a.a.us,*.b.a.us',
-        'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-%s' % issuerFileBase)
-
-def generateCerts():
-    # Unconstrainted root certificate to issue most intermediates
-    caExtensions = 'extension:basicConstraints:cA,\nextension:keyUsage:cRLSign,keyCertSign'
-    writeSpecification('ca-nc', 'ca-nc', caExtensions, 'ca-nc')
-
-    # Intermediate with permitted subtree: dNSName:foo.com
-    writeSpecification('int-nc-perm-foo.com-ca-nc', 'ca-nc',
-        caExtensions + '\nextension:nameConstraints:permitted:foo.com',
-        'int-nc-perm-foo.com-ca-nc')
-    generateCommonEndEntityCertificates('int-nc-perm-foo.com-ca-nc', 'int-nc-perm-foo.com-ca-nc')
-
-    # Intermediate with excluded subtree: dNSName:foo.com
-    writeSpecification('int-nc-excl-foo.com-ca-nc', 'ca-nc',
-        caExtensions + '\nextension:nameConstraints:excluded:foo.com',
-        'int-nc-excl-foo.com-ca-nc')
-    generateCommonEndEntityCertificates('int-nc-excl-foo.com-ca-nc', 'int-nc-excl-foo.com-ca-nc')
-
-    # Intermediate with permitted subtree: directoryName:/C=US
-    writeSpecification('int-nc-c-us-ca-nc', 'ca-nc',
-        caExtensions + '\nextension:nameConstraints:permitted:/C=US', 'int-nc-c-us-ca-nc')
-    generateCommonEndEntityCertificates('int-nc-c-us-ca-nc', 'int-nc-c-us-ca-nc')
-
-    # Intermediate issued by previous intermediate with permitted subtree: dnsName:foo.com
-    writeSpecification('/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc', 'int-nc-c-us-ca-nc',
-        caExtensions + '\nextension:nameConstraints:permitted:foo.com',
-        'int-nc-foo.com-int-nc-c-us-ca-nc')
-    generateCommonEndEntityCertificates('/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc',
-        'int-nc-foo.com-int-nc-c-us-ca-nc')
-
-    # Intermediate with permitted subtree: dNSName:foo.com, directoryName:/C=US
-    writeSpecification('int-nc-perm-foo.com_c-us-ca-nc', 'ca-nc',
-        caExtensions + '\nextension:nameConstraints:permitted:foo.com,/C=US',
-        'int-nc-perm-foo.com_c-us-ca-nc')
-    generateCommonEndEntityCertificates('int-nc-perm-foo.com_c-us-ca-nc',
-        'int-nc-perm-foo.com_c-us-ca-nc')
-
-    # Intermediate with permitted subtree: directoryName:/C=UK
-    writeSpecification('int-nc-perm-c-uk-ca-nc', 'ca-nc',
-        caExtensions + '\nextension:nameConstraints:permitted:/C=UK', 'int-nc-perm-c-uk-ca-nc')
-    generateCommonEndEntityCertificates('int-nc-perm-c-uk-ca-nc', 'int-nc-perm-c-uk-ca-nc')
-
-    # Intermediate issued by previous intermediate in a different directoryName tree
-    writeSpecification('/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc', 'int-nc-perm-c-uk-ca-nc',
-        caExtensions, 'int-c-us-int-nc-perm-c-uk-ca-nc')
-    generateCommonEndEntityCertificates('/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc',
-        'int-c-us-int-nc-perm-c-uk-ca-nc')
-
-    # Intermediate with permitted subtree: dNSName:foo.com, dNSName:a.us
-    writeSpecification('int-nc-foo.com_a.us', 'ca-nc',
-        caExtensions + '\nextension:nameConstraints:permitted:foo.com,a.us',
-        'int-nc-foo.com_a.us')
-    generateCommonEndEntityCertificates('int-nc-foo.com_a.us', 'int-nc-foo.com_a.us')
-
-    # Intermediate issued by previous intermediate with permitted subtree: dNSName:foo.com
-    writeSpecification('int-nc-foo.com-int-nc-foo.com_a.us', 'int-nc-foo.com_a.us',
-        caExtensions + '\nextension:nameConstraints:permitted:foo.com',
-        'int-nc-foo.com-int-nc-foo.com_a.us')
-    generateCommonEndEntityCertificates('int-nc-foo.com-int-nc-foo.com_a.us',
-        'int-nc-foo.com-int-nc-foo.com_a.us')
-
-    # Root certificate with permitted subtree: dNSName:foo.com
-    writeSpecification('ca-nc-perm-foo.com', 'ca-nc-perm-foo.com',
-        caExtensions + '\nextension:nameConstraints:permitted:foo.com', 'ca-nc-perm-foo.com')
-
-    # Intermediate without name constraints issued by constrained root
-    writeSpecification('int-ca-nc-perm-foo.com', 'ca-nc-perm-foo.com', caExtensions,
-        'int-ca-nc-perm-foo.com')
-    generateCommonEndEntityCertificates('int-ca-nc-perm-foo.com', 'int-ca-nc-perm-foo.com')
-
-generateCerts()
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/int-c-us-int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:int-nc-perm-c-uk-ca-nc
-subject:/C=US/CN=int-c-us-int-nc-perm-c-uk-ca-nc
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/int-ca-nc-perm-foo.com.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:ca-nc-perm-foo.com
-subject:int-ca-nc-perm-foo.com
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-example-com-permitted
+subject:int-example-org-permitted
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:example.org
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:ca-nc
-subject:int-nc-c-us-ca-nc
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
-extension:nameConstraints:permitted:/C=US
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/int-nc-excl-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:ca-nc
-subject:int-nc-excl-foo.com-ca-nc
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
-extension:nameConstraints:excluded:foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com-int-nc-c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:int-nc-c-us-ca-nc
-subject:/C=US/CN=int-nc-foo.com-int-nc-c-us-ca-nc
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
-extension:nameConstraints:permitted:foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com-int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:int-nc-foo.com_a.us
-subject:int-nc-foo.com-int-nc-foo.com_a.us
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
-extension:nameConstraints:permitted:foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/int-nc-foo.com_a.us.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:ca-nc
-subject:int-nc-foo.com_a.us
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
-extension:nameConstraints:permitted:foo.com,a.us
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-c-uk-ca-nc.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:ca-nc
-subject:int-nc-perm-c-uk-ca-nc
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
-extension:nameConstraints:permitted:/C=UK
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-foo.com-ca-nc.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:ca-nc
-subject:int-nc-perm-foo.com-ca-nc
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
-extension:nameConstraints:permitted:foo.com
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_name_constraints/int-nc-perm-foo.com_c-us-ca-nc.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:ca-nc
-subject:int-nc-perm-foo.com_c-us-ca-nc
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
-extension:nameConstraints:permitted:foo.com,/C=US
--- a/security/manager/ssl/tests/unit/test_name_constraints/moz.build
+++ b/security/manager/ssl/tests/unit/test_name_constraints/moz.build
@@ -2,165 +2,19 @@
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 test_certificates = (
     'NameConstraints.dcissallowed.pem',
     'NameConstraints.dcissblocked.pem',
-    'ca-nc-perm-foo.com.pem',
-    'ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.org-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.pem',
-    'cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.pem',
-    'cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.pem',
-    'cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.pem',
+    'ca-example-com-permitted.pem',
+    'int-example-org-permitted.pem',
+    'ee-example-com-and-org.pem',
+    'ee-example-com.pem',
+    'ee-example-org.pem',
+    'ee-example-test.pem',
     'dciss.pem',
-    'int-c-us-int-nc-perm-c-uk-ca-nc.pem',
-    'int-ca-nc-perm-foo.com.pem',
-    'int-nc-c-us-ca-nc.pem',
-    'int-nc-excl-foo.com-ca-nc.pem',
-    'int-nc-foo.com-int-nc-c-us-ca-nc.pem',
-    'int-nc-foo.com-int-nc-foo.com_a.us.pem',
-    'int-nc-foo.com_a.us.pem',
-    'int-nc-perm-c-uk-ca-nc.pem',
-    'int-nc-perm-foo.com-ca-nc.pem',
-    'int-nc-perm-foo.com_c-us-ca-nc.pem',
 )
 
 for test_certificate in test_certificates:
     GeneratedTestCertificate(test_certificate)
--- a/security/pkix/test/gtest/pkixnames_tests.cpp
+++ b/security/pkix/test/gtest/pkixnames_tests.cpp
@@ -1527,29 +1527,41 @@ static const CheckCertHostnameParams CHE
            TLV((2 << 6) | (1 << 5) | 0, ByteString()) + DNSName("example.com"),
            Success),
   WITH_SAN("example.com", ByteString(),
            TLV((2 << 6) | (1 << 5) | 0, ByteString()),
            Result::ERROR_BAD_CERT_DOMAIN),
 };
 
 ByteString
-CreateCert(const ByteString& subject, const ByteString& subjectAltName)
+CreateCert(const ByteString& subject, const ByteString& subjectAltName,
+           EndEntityOrCA endEntityOrCA = EndEntityOrCA::MustBeEndEntity)
 {
   ByteString serialNumber(CreateEncodedSerialNumber(1));
   EXPECT_FALSE(ENCODING_FAILED(serialNumber));
 
   ByteString issuerDER(Name(RDN(CN("issuer"))));
   EXPECT_FALSE(ENCODING_FAILED(issuerDER));
 
   ByteString extensions[2];
   if (subjectAltName != NO_SAN) {
     extensions[0] = CreateEncodedSubjectAltName(subjectAltName);
     EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
   }
+  if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    // Currently, these tests assume that if we're creating a CA certificate, it
+    // will not have a subjectAlternativeName extension. If that assumption
+    // changes, this code will have to be updated. Ideally this would be
+    // ASSERT_EQ, but that inserts a 'return;', which doesn't match this
+    // function's return type.
+    EXPECT_EQ(subjectAltName, NO_SAN);
+    extensions[0] = CreateEncodedBasicConstraints(true, nullptr,
+                                                  Critical::Yes);
+    EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+  }
 
   ScopedTestKeyPair keyPair(CloneReusedKeyPair());
   return CreateEncodedCertificate(
                     v3, sha256WithRSAEncryption(), serialNumber, issuerDER,
                     oneDayBeforeNow, oneDayAfterNow, Name(subject), *keyPair,
                     extensions, *keyPair, sha256WithRSAEncryption());
 }
 
@@ -2499,29 +2511,79 @@ static const NameConstraintParams NAME_C
   },
   { // Only UTF8String and PrintableString are considered equivalent.
     RDN(OU("Example Organization", der::PrintableString)) + RDN(CN("example.com")),
     NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
                                                      der::TeletexString)) +
                                               RDN(CN("example.com"))))),
     Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
   },
+  // Some additional tests for completeness:
+  // Ensure that wildcards are handled:
+  { RDN(CN("*.example.com")), NO_SAN, GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("*.example.com"),
+    GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("www.example.com"),
+    GeneralSubtree(DNSName("*.example.com")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  // Handle multiple name constraint entries:
+  { RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DNSName("example.org")) +
+      GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("example.com"),
+    GeneralSubtree(DNSName("example.org")) +
+      GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Handle multiple names in subject alternative name extension:
+  { ByteString(), DNSName("example.com") + DNSName("example.org"),
+    GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Handle a mix of DNSName and DirectoryName:
+  { RDN(OU("Example Organization")), DNSName("example.com"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+      GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { RDN(OU("Other Example Organization")), DNSName("example.com"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+      GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { RDN(OU("Example Organization")), DNSName("example.org"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+      GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Handle a certificate with no DirectoryName:
+  { ByteString(), DNSName("example.com"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
 };
 
 class pkixnames_CheckNameConstraints
   : public ::testing::Test
   , public ::testing::WithParamInterface<NameConstraintParams>
 {
 };
 
 TEST_P(pkixnames_CheckNameConstraints,
        NameConstraintsEnforcedForDirectlyIssuedEndEntity)
 {
   // Test that name constraints are enforced on a certificate directly issued by
-  // this certificate.
+  // a certificate with the given name constraints.
 
   const NameConstraintParams& param(GetParam());
 
   ByteString certDER(CreateCert(param.subject, param.subjectAltName));
   ASSERT_FALSE(ENCODING_FAILED(certDER));
   Input certInput;
   ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
   BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
@@ -2564,8 +2626,161 @@ TEST_P(pkixnames_CheckNameConstraints,
               CheckNameConstraints(nameConstraints, cert,
                                    KeyPurposeId::id_kp_serverAuth));
   }
 }
 
 INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraints,
                         pkixnames_CheckNameConstraints,
                         testing::ValuesIn(NAME_CONSTRAINT_PARAMS));
+
+// The |subjectAltName| param is not used for these test cases (hence the use of
+// "NO_SAN").
+static const NameConstraintParams NO_FALLBACK_NAME_CONSTRAINT_PARAMS[] =
+{
+  // The only difference between end-entities being verified for serverAuth and
+  // intermediates or end-entities being verified for other uses is that for
+  // the latter cases, there is no fallback matching of DNSName entries to the
+  // subject common name.
+  { RDN(CN("Not a DNSName")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { RDN(CN("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { RDN(CN("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  // Sanity-check that name constraints are in fact enforced in these cases.
+  { RDN(CN("Example Name")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(CN("Example Name"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // (In this implementation, if a DirectoryName is in excludedSubtrees, nothing
+  // is considered to be in the name space.)
+  { RDN(CN("Other Example Name")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(CN("Example Name"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+};
+
+class pkixnames_CheckNameConstraintsOnIntermediate
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<NameConstraintParams>
+{
+};
+
+TEST_P(pkixnames_CheckNameConstraintsOnIntermediate,
+       NameConstraintsEnforcedOnIntermediate)
+{
+  // Test that name constraints are enforced on an intermediate certificate
+  // directly issued by a certificate with the given name constraints.
+
+  const NameConstraintParams& param(GetParam());
+
+  ByteString certDER(CreateCert(param.subject, NO_SAN,
+                                EndEntityOrCA::MustBeCA));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+  BackCert cert(certInput, EndEntityOrCA::MustBeCA, nullptr);
+  ASSERT_EQ(Success, cert.Init());
+
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedPermittedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees) +
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraintsOnIntermediate,
+                        pkixnames_CheckNameConstraintsOnIntermediate,
+                        testing::ValuesIn(NO_FALLBACK_NAME_CONSTRAINT_PARAMS));
+
+class pkixnames_CheckNameConstraintsForNonServerAuthUsage
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<NameConstraintParams>
+{
+};
+
+TEST_P(pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+       NameConstraintsEnforcedForNonServerAuthUsage)
+{
+  // Test that for key purposes other than serverAuth, fallback to the subject
+  // common name does not occur.
+
+  const NameConstraintParams& param(GetParam());
+
+  ByteString certDER(CreateCert(param.subject, NO_SAN));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+  BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
+  ASSERT_EQ(Success, cert.Init());
+
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedPermittedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_clientAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_clientAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees) +
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_clientAuth));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+                        pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+                        testing::ValuesIn(NO_FALLBACK_NAME_CONSTRAINT_PARAMS));