backout 0097b4ffaf33 (bug 1058812 3/3) for mochitest orange on a CLOSED TREE
authorDavid Keeler <dkeeler@mozilla.com>
Wed, 08 Oct 2014 12:09:26 -0700
changeset 209384 2c12f4eb260763dde41867ad0255ff5fff72f7e5
parent 209383 02b1fce67dad201b5f3b7fb52e21f80fb708c9e8
child 209385 b6e4bdd2c1657dfc9607f876f676f47e6ad71ef5
push id50169
push userdkeeler@mozilla.com
push dateWed, 08 Oct 2014 19:11:02 +0000
treeherdermozilla-inbound@7fd338bf0e12 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1058812
milestone35.0a1
backs out0097b4ffaf33572285516ae3f01a76c22b7c6b34
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
backout 0097b4ffaf33 (bug 1058812 3/3) for mochitest orange on a CLOSED TREE
security/pkix/test/gtest/moz.build
security/pkix/test/gtest/pkixcert_signature_algorithm_tests.cpp
security/pkix/test/gtest/pkixder_pki_types_tests.cpp
security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
security/pkix/test/lib/pkixtestnss.cpp
security/pkix/test/lib/pkixtestutil.cpp
security/pkix/test/lib/pkixtestutil.h
--- a/security/pkix/test/gtest/moz.build
+++ b/security/pkix/test/gtest/moz.build
@@ -2,17 +2,16 @@
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 SOURCES += [
     'pkixbuild_tests.cpp',
     'pkixcert_extension_tests.cpp',
-    'pkixcert_signature_algorithm_tests.cpp',
     'pkixcheck_CheckKeyUsage_tests.cpp',
     'pkixcheck_CheckValidity_tests.cpp',
 
     # The naming conventions are described in ./README.txt.
 
     'pkixder_input_tests.cpp',
     'pkixder_pki_types_tests.cpp',
     'pkixder_universal_types_tests.cpp',
deleted file mode 100644
--- a/security/pkix/test/gtest/pkixcert_signature_algorithm_tests.cpp
+++ /dev/null
@@ -1,266 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-#include "pkix/pkix.h"
-#include "pkix/pkixnss.h"
-#include "pkixgtest.h"
-#include "pkixtestutil.h"
-
-using namespace mozilla::pkix;
-using namespace mozilla::pkix::test;
-
-static ByteString
-CreateCert(const char* issuerCN,
-           const char* subjectCN,
-           EndEntityOrCA endEntityOrCA,
-           const ByteString& signatureAlgorithm,
-           /*optional*/ TestKeyPair* issuerKey,
-           /*out*/ ScopedTestKeyPair& subjectKey,
-           /*out*/ ByteString& subjectDER)
-{
-  static long serialNumberValue = 0;
-  ++serialNumberValue;
-  ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
-  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
-
-  ByteString issuerDER(CNToDERName(issuerCN));
-  EXPECT_FALSE(ENCODING_FAILED(issuerDER));
-  subjectDER = CNToDERName(subjectCN);
-  EXPECT_FALSE(ENCODING_FAILED(subjectDER));
-
-  ByteString extensions[2];
-  if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
-    extensions[0] =
-      CreateEncodedBasicConstraints(true, nullptr,
-                                    ExtensionCriticality::Critical);
-    EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
-  }
-
-  ByteString certDER(CreateEncodedCertificate(v3, signatureAlgorithm,
-                                              serialNumber,
-                                              issuerDER, oneDayBeforeNow,
-                                              oneDayAfterNow, subjectDER,
-                                              extensions, issuerKey,
-                                              signatureAlgorithm, subjectKey));
-  EXPECT_FALSE(ENCODING_FAILED(certDER));
-  return certDER;
-}
-
-class AlgorithmTestsTrustDomain : public TrustDomain
-{
-public:
-  AlgorithmTestsTrustDomain(const ByteString& rootDER,
-                            const ByteString& rootSubjectDER,
-               /*optional*/ const ByteString& intDER,
-               /*optional*/ const ByteString& intSubjectDER)
-    : rootDER(rootDER)
-    , rootSubjectDER(rootSubjectDER)
-    , intDER(intDER)
-    , intSubjectDER(intSubjectDER)
-  {
-  }
-
-private:
-  virtual Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
-                              Input candidateCert,
-                              /*out*/ TrustLevel& trustLevel)
-  {
-    if (InputEqualsByteString(candidateCert, rootDER)) {
-      trustLevel = TrustLevel::TrustAnchor;
-    } else {
-      trustLevel = TrustLevel::InheritsTrust;
-    }
-    return Success;
-  }
-
-  virtual Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker,
-                            Time)
-  {
-    ByteString* issuerDER = nullptr;
-    if (InputEqualsByteString(encodedIssuerName, rootSubjectDER)) {
-      issuerDER = &rootDER;
-    } else if (InputEqualsByteString(encodedIssuerName, intSubjectDER)) {
-      issuerDER = &intDER;
-    } else {
-      // FindIssuer just returns success if it can't find a potential issuer.
-      return Success;
-    }
-    Input issuerCert;
-    Result rv = issuerCert.Init(issuerDER->data(), issuerDER->length());
-    if (rv != Success) {
-      return rv;
-    }
-    bool keepGoing;
-    return checker.Check(issuerCert, nullptr, keepGoing);
-  }
-
-  virtual Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
-                                 const Input*, const Input*)
-  {
-    return Success;
-  }
-
-  virtual Result IsChainValid(const DERArray&, Time)
-  {
-    return Success;
-  }
-
-  virtual Result VerifySignedData(const SignedDataWithSignature& signedData,
-                                  Input subjectPublicKeyInfo)
-  {
-    EXPECT_NE(SignatureAlgorithm::unsupported_algorithm, signedData.algorithm);
-    return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
-                                             nullptr);
-  }
-
-  virtual Result DigestBuf(Input, uint8_t*, size_t)
-  {
-    ADD_FAILURE();
-    return Result::FATAL_ERROR_LIBRARY_FAILURE;
-  }
-
-  virtual Result CheckPublicKey(Input subjectPublicKeyInfo)
-  {
-    return TestCheckPublicKey(subjectPublicKeyInfo);
-  }
-
-  ByteString rootDER;
-  ByteString rootSubjectDER;
-  ByteString intDER;
-  ByteString intSubjectDER;
-};
-
-static const ByteString NO_INTERMEDIATE; // empty
-
-struct ChainValidity
-{
-  // In general, a certificate is generated for each of these.  However, if
-  // optionalIntermediateSignatureAlgorithm is NO_INTERMEDIATE, then only 2
-  // certificates are generated.
-  // The certificate generated for the given rootSignatureAlgorithm is the
-  // trust anchor.
-  ByteString endEntitySignatureAlgorithm;
-  ByteString optionalIntermediateSignatureAlgorithm;
-  ByteString rootSignatureAlgorithm;
-  bool isValid;
-};
-
-static const ChainValidity CHAIN_VALIDITY[] =
-{
-  // The trust anchor may have a signature with an unsupported signature
-  // algorithm.
-  { sha256WithRSAEncryption,
-    NO_INTERMEDIATE,
-    md5WithRSAEncryption,
-    true
-  },
-  { sha256WithRSAEncryption,
-    NO_INTERMEDIATE,
-    md2WithRSAEncryption,
-    true
-  },
-
-  // Certificates that are not trust anchors must not have a signature with an
-  // unsupported signature algorithm.
-  { md5WithRSAEncryption,
-    NO_INTERMEDIATE,
-    sha256WithRSAEncryption,
-    false
-  },
-  { md2WithRSAEncryption,
-    NO_INTERMEDIATE,
-    sha256WithRSAEncryption,
-    false
-  },
-  { md2WithRSAEncryption,
-    NO_INTERMEDIATE,
-    md5WithRSAEncryption,
-    false
-  },
-  { sha256WithRSAEncryption,
-    md5WithRSAEncryption,
-    sha256WithRSAEncryption,
-    false
-  },
-  { sha256WithRSAEncryption,
-    md2WithRSAEncryption,
-    sha256WithRSAEncryption,
-    false
-  },
-  { sha256WithRSAEncryption,
-    md2WithRSAEncryption,
-    md5WithRSAEncryption,
-    false
-  },
-};
-
-class pkixcert_IsValidChainForAlgorithm
-  : public ::testing::Test
-  , public ::testing::WithParamInterface<ChainValidity>
-{
-};
-
-TEST_P(pkixcert_IsValidChainForAlgorithm, IsValidChainForAlgorithm)
-{
-  const ChainValidity& chainValidity(GetParam());
-  const char* rootCN = "CN=Root";
-  ScopedTestKeyPair rootKey;
-  ByteString rootSubjectDER;
-  ByteString rootEncoded(
-    CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
-               chainValidity.rootSignatureAlgorithm,
-               nullptr, rootKey, rootSubjectDER));
-  EXPECT_FALSE(ENCODING_FAILED(rootEncoded));
-  EXPECT_FALSE(ENCODING_FAILED(rootSubjectDER));
-
-  const char* issuerCN = rootCN;
-  TestKeyPair* issuerKey = rootKey.get();
-
-  const char* intermediateCN = "CN=Intermediate";
-  ScopedTestKeyPair intermediateKey;
-  ByteString intermediateSubjectDER;
-  ByteString intermediateEncoded;
-  if (chainValidity.optionalIntermediateSignatureAlgorithm != NO_INTERMEDIATE) {
-    intermediateEncoded =
-      CreateCert(rootCN, intermediateCN, EndEntityOrCA::MustBeCA,
-                 chainValidity.optionalIntermediateSignatureAlgorithm,
-                 rootKey.get(), intermediateKey, intermediateSubjectDER);
-    EXPECT_FALSE(ENCODING_FAILED(intermediateEncoded));
-    EXPECT_FALSE(ENCODING_FAILED(intermediateSubjectDER));
-    issuerCN = intermediateCN;
-    issuerKey = intermediateKey.get();
-  }
-
-  AlgorithmTestsTrustDomain trustDomain(rootEncoded, rootSubjectDER,
-                                        intermediateEncoded,
-                                        intermediateSubjectDER);
-
-  const char* endEntityCN = "CN=End Entity";
-  ScopedTestKeyPair endEntityKey;
-  ByteString endEntitySubjectDER;
-  ByteString endEntityEncoded(
-    CreateCert(issuerCN, endEntityCN, EndEntityOrCA::MustBeEndEntity,
-               chainValidity.endEntitySignatureAlgorithm,
-               issuerKey, endEntityKey, endEntitySubjectDER));
-  EXPECT_FALSE(ENCODING_FAILED(endEntityEncoded));
-  EXPECT_FALSE(ENCODING_FAILED(endEntitySubjectDER));
-
-  Input endEntity;
-  ASSERT_EQ(Success, endEntity.Init(endEntityEncoded.data(),
-                                    endEntityEncoded.length()));
-  Result expectedResult = chainValidity.isValid
-                        ? Success
-                        : Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
-  ASSERT_EQ(expectedResult,
-            BuildCertChain(trustDomain, endEntity, Now(),
-                           EndEntityOrCA::MustBeEndEntity,
-                           KeyUsage::noParticularKeyUsageRequired,
-                           KeyPurposeId::id_kp_serverAuth,
-                           CertPolicyId::anyPolicy, nullptr));
-}
-
-INSTANTIATE_TEST_CASE_P(pkixcert_IsValidChainForAlgorithm,
-                        pkixcert_IsValidChainForAlgorithm,
-                        testing::ValuesIn(CHAIN_VALIDITY));
--- a/security/pkix/test/gtest/pkixder_pki_types_tests.cpp
+++ b/security/pkix/test/gtest/pkixder_pki_types_tests.cpp
@@ -411,29 +411,29 @@ TEST_F(pkixder_SignatureAlgorithmIdentif
   static const uint8_t DER[] = {
     0x30, 0x0b, 0x06, 0x09,
     0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04
   };
   Input input(DER);
   Reader reader(input);
 
   SignatureAlgorithm alg;
-  ASSERT_EQ(Success, SignatureAlgorithmIdentifier(reader, alg));
-  ASSERT_EQ(SignatureAlgorithm::unsupported_algorithm, alg);
+  ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
+            SignatureAlgorithmIdentifier(reader, alg));
 }
 
 TEST_F(pkixder_SignatureAlgorithmIdentifier, Invalid_SignatureAlgorithm_SHA256)
 {
   // The OID identifies id-sha256 (2.16.840.1.101.3.4.2.1). It is invalid
   // because SHA-256 is not a signature algorithm.
   static const uint8_t DER[] = {
     0x30, 0x0b, 0x06, 0x09,
     0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
   };
   Input input(DER);
   Reader reader(input);
 
   SignatureAlgorithm alg;
-  ASSERT_EQ(Success, SignatureAlgorithmIdentifier(reader, alg));
-  ASSERT_EQ(SignatureAlgorithm::unsupported_algorithm, alg);
+  ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
+            SignatureAlgorithmIdentifier(reader, alg));
 }
 
 } // unnamed namespace
--- a/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
+++ b/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -234,33 +234,31 @@ public:
   static void SetUpTestCase()
   {
     pkixocsp_VerifyEncodedResponse::SetUpTestCase();
   }
 
   ByteString CreateEncodedOCSPSuccessfulResponse(
                     OCSPResponseContext::CertStatus certStatus,
                     const CertID& certID,
-       /*optional*/ const char* signerName,
+                    /*optional*/ const char* signerName,
                     const TestKeyPair& signerKeyPair,
                     time_t producedAt, time_t thisUpdate,
-       /*optional*/ const time_t* nextUpdate,
-                    const ByteString& signatureAlgorithm,
-       /*optional*/ const ByteString* certs = nullptr)
+                    /*optional*/ const time_t* nextUpdate,
+                    /*optional*/ const ByteString* certs = nullptr)
   {
     OCSPResponseContext context(certID, producedAt);
     if (signerName) {
       context.signerNameDER = CNToDERName(signerName);
       EXPECT_FALSE(ENCODING_FAILED(context.signerNameDER));
     }
     context.signerKeyPair = signerKeyPair.Clone();
     EXPECT_TRUE(context.signerKeyPair);
     context.responseStatus = OCSPResponseContext::successful;
     context.producedAt = producedAt;
-    context.signatureAlgorithm = signatureAlgorithm;
     context.certs = certs;
 
     context.certStatus = certStatus;
     context.thisUpdate = thisUpdate;
     context.nextUpdate = nextUpdate ? *nextUpdate : 0;
     context.includeNextUpdate = nextUpdate != nullptr;
 
     return CreateEncodedOCSPResponse(context);
@@ -268,18 +266,17 @@ public:
 };
 
 TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey)
 {
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID, byKey,
                          *rootKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, &oneDayAfterNow,
-                         sha256WithRSAEncryption));
+                         oneDayBeforeNow, &oneDayAfterNow));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Success,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
                                       Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -287,18 +284,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_su
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byName)
 {
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID, rootName,
                          *rootKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, &oneDayAfterNow,
-                         sha256WithRSAEncryption));
+                         oneDayBeforeNow, &oneDayAfterNow));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Success,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -306,18 +302,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_su
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey_without_nextUpdate)
 {
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID, byKey,
                          *rootKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, nullptr,
-                         sha256WithRSAEncryption));
+                         oneDayBeforeNow, nullptr));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Success,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -325,18 +320,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_su
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_successful, revoked)
 {
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::revoked, *endEntityCertID, byKey,
                          *rootKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, &oneDayAfterNow,
-                         sha256WithRSAEncryption));
+                         oneDayBeforeNow, &oneDayAfterNow));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -344,49 +338,28 @@ TEST_F(pkixocsp_VerifyEncodedResponse_su
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_successful, unknown)
 {
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::unknown, *endEntityCertID, byKey,
                          *rootKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, &oneDayAfterNow,
-                         sha256WithRSAEncryption));
+                         oneDayBeforeNow, &oneDayAfterNow));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_UNKNOWN_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
-TEST_F(pkixocsp_VerifyEncodedResponse_successful,
-       good_unsupportedSignatureAlgorithm)
-{
-  ByteString responseString(
-               CreateEncodedOCSPSuccessfulResponse(
-                         OCSPResponseContext::good, *endEntityCertID, byKey,
-                         *rootKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, &oneDayAfterNow,
-                         md5WithRSAEncryption));
-  Input response;
-  ASSERT_EQ(Success,
-            response.Init(responseString.data(), responseString.length()));
-  bool expired;
-  ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
-            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
-                                      Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
-                                      response, expired));
-  ASSERT_FALSE(expired);
-}
-
 ///////////////////////////////////////////////////////////////////////////////
 // indirect responses (signed by a delegated OCSP responder cert)
 
 class pkixocsp_VerifyEncodedResponse_DelegatedResponder
   : public pkixocsp_VerifyEncodedResponse_successful
 {
 protected:
   // certSubjectName should be unique for each call. This way, we avoid any
@@ -394,45 +367,40 @@ protected:
   // we generate a new keypair on each call. Either one of these should be
   // sufficient to avoid issues with the NSS cache, but we do both to be
   // cautious.
   //
   // signerName should be byKey to use the byKey ResponderID construction, or
   // another value (usually equal to certSubjectName) to use the byName
   // ResponderID construction.
   //
-  // certSignatureAlgorithm specifies the signature algorithm that the
-  // certificate will be signed with, not the OCSP response.
-  //
   // If signerEKU is omitted, then the certificate will have the
   // id-kp-OCSPSigning EKU. If signerEKU is SEC_OID_UNKNOWN then it will not
   // have any EKU extension. Otherwise, the certificate will have the given
   // EKU.
   ByteString CreateEncodedIndirectOCSPSuccessfulResponse(
                const char* certSubjectName,
                OCSPResponseContext::CertStatus certStatus,
                const char* signerName,
-               const ByteString& certSignatureAlgorithm,
                /*optional*/ const Input* signerEKUDER = &OCSPSigningEKUDER,
                /*optional, out*/ ByteString* signerDEROut = nullptr)
   {
     assert(certSubjectName);
 
     const ByteString extensions[] = {
       signerEKUDER
         ? CreateEncodedEKUExtension(*signerEKUDER,
                                     ExtensionCriticality::NotCritical)
         : ByteString(),
       ByteString()
     };
     ScopedTestKeyPair signerKeyPair;
     ByteString signerDER(CreateEncodedCertificate(
                            ++rootIssuedCount, rootName,
                            oneDayBeforeNow, oneDayAfterNow, certSubjectName,
-                           certSignatureAlgorithm,
                            signerEKUDER ? extensions : nullptr,
                            rootKeyPair.get(), signerKeyPair));
     EXPECT_FALSE(ENCODING_FAILED(signerDER));
     if (signerDEROut) {
       *signerDEROut = signerDER;
     }
 
     ByteString signerNameDER;
@@ -440,27 +408,24 @@ protected:
       signerNameDER = CNToDERName(signerName);
       EXPECT_FALSE(ENCODING_FAILED(signerNameDER));
     }
     ByteString certs[] = { signerDER, ByteString() };
     return CreateEncodedOCSPSuccessfulResponse(certStatus, *endEntityCertID,
                                                signerName, *signerKeyPair,
                                                oneDayBeforeNow,
                                                oneDayBeforeNow,
-                                               &oneDayAfterNow,
-                                               sha256WithRSAEncryption,
-                                               certs);
+                                               &oneDayAfterNow, certs);
   }
 
   static ByteString CreateEncodedCertificate(uint32_t serialNumber,
                                              const char* issuer,
                                              time_t notBefore,
                                              time_t notAfter,
                                              const char* subject,
-                                             const ByteString& signatureAlg,
                                 /*optional*/ const ByteString* extensions,
                                 /*optional*/ TestKeyPair* signerKeyPair,
                                      /*out*/ ScopedTestKeyPair& keyPair)
   {
     ByteString serialNumberDER(CreateEncodedSerialNumber(serialNumber));
     if (ENCODING_FAILED(serialNumberDER)) {
       return ByteString();
     }
@@ -469,53 +434,53 @@ protected:
       return ByteString();
     }
     ByteString subjectDER(CNToDERName(subject));
     if (ENCODING_FAILED(subjectDER)) {
       return ByteString();
     }
     return ::mozilla::pkix::test::CreateEncodedCertificate(
                                     v3,
-                                    signatureAlg,
+                                    sha256WithRSAEncryption,
                                     serialNumberDER, issuerDER, notBefore,
                                     notAfter, subjectDER, extensions,
                                     signerKeyPair,
-                                    signatureAlg,
+                                    sha256WithRSAEncryption,
                                     keyPair);
   }
 
   static const Input OCSPSigningEKUDER;
 };
 
 /*static*/ const Input pkixocsp_VerifyEncodedResponse_DelegatedResponder::
   OCSPSigningEKUDER(tlv_id_kp_OCSPSigning);
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byKey)
 {
   ByteString responseString(
                CreateEncodedIndirectOCSPSuccessfulResponse(
                          "good_indirect_byKey", OCSPResponseContext::good,
-                         byKey, sha256WithRSAEncryption));
+                         byKey));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Success,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byName)
 {
   ByteString responseString(
                CreateEncodedIndirectOCSPSuccessfulResponse(
                          "good_indirect_byName", OCSPResponseContext::good,
-                         "good_indirect_byName", sha256WithRSAEncryption));
+                         "good_indirect_byName"));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Success,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -527,18 +492,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 {
   ScopedTestKeyPair missingSignerKeyPair(GenerateKeyPair());
   ASSERT_TRUE(missingSignerKeyPair);
 
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID, byKey,
                          *missingSignerKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, nullptr,
-                         sha256WithRSAEncryption));
+                         oneDayBeforeNow, nullptr));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -549,18 +513,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
        good_byName_missing_signer)
 {
   ScopedTestKeyPair missingSignerKeyPair(GenerateKeyPair());
   ASSERT_TRUE(missingSignerKeyPair);
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          "missing", *missingSignerKeyPair,
-                         oneDayBeforeNow, oneDayBeforeNow, nullptr,
-                         sha256WithRSAEncryption));
+                         oneDayBeforeNow, oneDayBeforeNow, nullptr));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -577,27 +540,26 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
     ByteString()
   };
 
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                           ++rootIssuedCount, rootName,
                           now - (10 * Time::ONE_DAY_IN_SECONDS),
                           now - (2 * Time::ONE_DAY_IN_SECONDS),
-                          signerName, sha256WithRSAEncryption, extensions,
-                          rootKeyPair.get(), signerKeyPair));
+                          signerName, extensions, rootKeyPair.get(),
+                          signerKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   ByteString certs[] = { signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, &oneDayAfterNow,
-                         sha256WithRSAEncryption, certs));
+                         oneDayBeforeNow, &oneDayAfterNow, certs));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -613,45 +575,43 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
     ByteString()
   };
 
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          ++rootIssuedCount, rootName,
                          now + (2 * Time::ONE_DAY_IN_SECONDS),
                          now + (10 * Time::ONE_DAY_IN_SECONDS),
-                         signerName, sha256WithRSAEncryption, extensions,
-                         rootKeyPair.get(), signerKeyPair));
+                         signerName, extensions, rootKeyPair.get(),
+                         signerKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   ByteString certs[] = { signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, &oneDayAfterNow,
-                         sha256WithRSAEncryption, certs));
+                         oneDayBeforeNow, &oneDayAfterNow, certs));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_no_eku)
 {
   ByteString responseString(
                CreateEncodedIndirectOCSPSuccessfulResponse(
                          "good_indirect_wrong_eku",
-                         OCSPResponseContext::good, byKey,
-                         sha256WithRSAEncryption, nullptr));
+                         OCSPResponseContext::good, byKey, nullptr));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -661,18 +621,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 static const Input serverAuthEKUDER(tlv_id_kp_serverAuth);
 
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
        good_indirect_wrong_eku)
 {
   ByteString responseString(
                CreateEncodedIndirectOCSPSuccessfulResponse(
                         "good_indirect_wrong_eku",
-                        OCSPResponseContext::good, byKey,
-                        sha256WithRSAEncryption, &serverAuthEKUDER));
+                        OCSPResponseContext::good, byKey, &serverAuthEKUDER));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -680,18 +639,17 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 }
 
 // Test that signature of OCSP response signer cert is verified
 TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_tampered_eku)
 {
   ByteString tamperedResponse(
                CreateEncodedIndirectOCSPSuccessfulResponse(
                          "good_indirect_tampered_eku",
-                         OCSPResponseContext::good, byKey,
-                         sha256WithRSAEncryption, &serverAuthEKUDER));
+                         OCSPResponseContext::good, byKey, &serverAuthEKUDER));
   ASSERT_EQ(Success,
             TamperOnce(tamperedResponse,
                        ByteString(tlv_id_kp_serverAuth,
                                   sizeof(tlv_id_kp_serverAuth)),
                        ByteString(tlv_id_kp_OCSPSigning,
                                   sizeof(tlv_id_kp_OCSPSigning))));
   Input tamperedResponseInput;
   ASSERT_EQ(Success, tamperedResponseInput.Init(tamperedResponse.data(),
@@ -717,28 +675,27 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
   const ByteString extensions[] = {
     CreateEncodedEKUExtension(OCSPSigningEKUDER,
                               ExtensionCriticality::NotCritical),
     ByteString()
   };
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          1, subCAName, oneDayBeforeNow, oneDayAfterNow,
-                         signerName, sha256WithRSAEncryption, extensions,
-                         unknownKeyPair.get(), signerKeyPair));
+                         signerName, extensions, unknownKeyPair.get(),
+                         signerKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   // OCSP response signed by that delegated responder
   ByteString certs[] = { signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, &oneDayAfterNow,
-                         sha256WithRSAEncryption, certs));
+                         oneDayBeforeNow, &oneDayAfterNow, certs));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -758,42 +715,41 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
   const ByteString subCAExtensions[] = {
     CreateEncodedBasicConstraints(true, 0, ExtensionCriticality::NotCritical),
     ByteString()
   };
   ScopedTestKeyPair subCAKeyPair;
   ByteString subCADER(CreateEncodedCertificate(
                         ++rootIssuedCount, rootName,
                         oneDayBeforeNow, oneDayAfterNow,
-                        subCAName, sha256WithRSAEncryption,
-                        subCAExtensions, rootKeyPair.get(), subCAKeyPair));
+                        subCAName, subCAExtensions, rootKeyPair.get(),
+                        subCAKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(subCADER));
 
   // Delegated responder cert signed by that sub-CA
   const ByteString extensions[] = {
     CreateEncodedEKUExtension(OCSPSigningEKUDER,
                               ExtensionCriticality::NotCritical),
     ByteString(),
   };
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          1, subCAName, oneDayBeforeNow, oneDayAfterNow,
-                         signerName, sha256WithRSAEncryption, extensions,
-                         subCAKeyPair.get(), signerKeyPair));
+                         signerName, extensions, subCAKeyPair.get(),
+                         signerKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   // OCSP response signed by the delegated responder issued by the sub-CA
   // that is trying to impersonate the root.
   ByteString certs[] = { subCADER, signerDER, ByteString() };
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, &oneDayAfterNow,
-                         sha256WithRSAEncryption, certs));
+                         oneDayBeforeNow, &oneDayAfterNow, certs));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
@@ -812,89 +768,64 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
   // sub-CA of root (root is the direct issuer of endEntity)
   const ByteString subCAExtensions[] = {
     CreateEncodedBasicConstraints(true, 0, ExtensionCriticality::NotCritical),
     ByteString()
   };
   ScopedTestKeyPair subCAKeyPair;
   ByteString subCADER(CreateEncodedCertificate(++rootIssuedCount, rootName,
                                                oneDayBeforeNow, oneDayAfterNow,
-                                               subCAName,
-                                               sha256WithRSAEncryption,
-                                               subCAExtensions,
+                                               subCAName, subCAExtensions,
                                                rootKeyPair.get(),
                                                subCAKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(subCADER));
 
   // Delegated responder cert signed by that sub-CA
   const ByteString extensions[] = {
     CreateEncodedEKUExtension(OCSPSigningEKUDER,
                               ExtensionCriticality::NotCritical),
     ByteString()
   };
   ScopedTestKeyPair signerKeyPair;
   ByteString signerDER(CreateEncodedCertificate(
                          1, subCAName, oneDayBeforeNow, oneDayAfterNow,
-                         signerName, sha256WithRSAEncryption, extensions,
-                         subCAKeyPair.get(), signerKeyPair));
+                         signerName, extensions, subCAKeyPair.get(),
+                         signerKeyPair));
   ASSERT_FALSE(ENCODING_FAILED(signerDER));
 
   // OCSP response signed by the delegated responder issued by the sub-CA
   // that is trying to impersonate the root.
   ByteString certs[] = { signerDER, subCADER, ByteString() };
   ByteString responseString(
                  CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID,
                          signerName, *signerKeyPair, oneDayBeforeNow,
-                         oneDayBeforeNow, &oneDayAfterNow,
-                         sha256WithRSAEncryption, certs));
+                         oneDayBeforeNow, &oneDayAfterNow, certs));
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
                                       END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                       response, expired));
   ASSERT_FALSE(expired);
 }
 
-TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
-       good_unsupportedSignatureAlgorithmOnResponder)
-{
-  // Note that the algorithm ID (md5WithRSAEncryption) identifies the signature
-  // algorithm that will be used to sign the certificate that issues the OCSP
-  // responses, not the responses themselves.
-  ByteString responseString(
-               CreateEncodedIndirectOCSPSuccessfulResponse(
-                         "good_indirect_unsupportedSignatureAlgorithm",
-                         OCSPResponseContext::good, byKey,
-                         md5WithRSAEncryption));
-  Input response;
-  ASSERT_EQ(Success,
-            response.Init(responseString.data(), responseString.length()));
-  bool expired;
-  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
-            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
-                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
-                                      response, expired));
-}
-
 class pkixocsp_VerifyEncodedResponse_GetCertTrust
   : public pkixocsp_VerifyEncodedResponse_DelegatedResponder {
 public:
   void SetUp()
   {
     pkixocsp_VerifyEncodedResponse_DelegatedResponder::SetUp();
 
     responseString =
         CreateEncodedIndirectOCSPSuccessfulResponse(
           "OCSPGetCertTrustTest Signer", OCSPResponseContext::good,
-          byKey, sha256WithRSAEncryption, &OCSPSigningEKUDER,
-          &signerCertDER);
+          byKey, &OCSPSigningEKUDER, &signerCertDER);
     if (ENCODING_FAILED(responseString)) {
       abort();
     }
     if (response.Init(responseString.data(), responseString.length())
           != Success) {
       abort();
     }
     if (signerCertDER.length() == 0) {
--- a/security/pkix/test/lib/pkixtestnss.cpp
+++ b/security/pkix/test/lib/pkixtestnss.cpp
@@ -26,17 +26,16 @@
 
 #include <limits>
 
 #include "cryptohi.h"
 #include "keyhi.h"
 #include "nss.h"
 #include "pk11pub.h"
 #include "pkix/pkixnss.h"
-#include "pkixder.h"
 #include "secerr.h"
 #include "secitem.h"
 
 namespace mozilla { namespace pkix { namespace test {
 
 namespace {
 
 typedef ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey>
@@ -72,38 +71,20 @@ public:
     , privateKey(privateKey)
   {
   }
 
   virtual Result SignData(const ByteString& tbs,
                           const ByteString& signatureAlgorithm,
                           /*out*/ ByteString& signature) const
   {
-    // signatureAlgorithm is of the form SEQUENCE { OID { <OID bytes> } },
-    // whereas SECOID_GetAlgorithmTag wants just the OID bytes, so we have to
-    // unwrap it here. As long as signatureAlgorithm is short enough, we don't
-    // have to do full DER decoding here.
-    // Also, this is just for testing purposes - there shouldn't be any
-    // untrusted input given to this function. If we make a mistake, we only
-    // have ourselves to blame.
-    if (signatureAlgorithm.length() > 127 ||
-        signatureAlgorithm.length() < 4 ||
-        signatureAlgorithm.data()[0] != der::SEQUENCE ||
-        signatureAlgorithm.data()[2] != der::OIDTag) {
-      return Result::FATAL_ERROR_INVALID_ARGS;
-    }
-    SECAlgorithmID signatureAlgorithmID;
-    signatureAlgorithmID.algorithm.data =
-      const_cast<unsigned char*>(signatureAlgorithm.data() + 4);
-    signatureAlgorithmID.algorithm.len = signatureAlgorithm.length() - 4;
-    signatureAlgorithmID.parameters.data = nullptr;
-    signatureAlgorithmID.parameters.len = 0;
-    SECOidTag signatureAlgorithmOidTag =
-      SECOID_GetAlgorithmTag(&signatureAlgorithmID);
-    if (signatureAlgorithmOidTag == SEC_OID_UNKNOWN) {
+    SECOidTag signatureAlgorithmOidTag;
+    if (signatureAlgorithm == sha256WithRSAEncryption) {
+      signatureAlgorithmOidTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+    } else {
       return Result::FATAL_ERROR_INVALID_ARGS;
     }
 
     SECItem signatureItem;
     if (SEC_SignData(&signatureItem, tbs.data(), tbs.length(),
                      privateKey.get(), signatureAlgorithmOidTag)
           != SECSuccess) {
       return MapPRErrorCodeToResult(PR_GetError());
--- a/security/pkix/test/lib/pkixtestutil.cpp
+++ b/security/pkix/test/lib/pkixtestutil.cpp
@@ -32,16 +32,23 @@
 
 #include "pkixder.h"
 #include "pkixutil.h"
 
 using namespace std;
 
 namespace mozilla { namespace pkix { namespace test {
 
+// python DottedOIDToCode.py --alg sha256WithRSAEncryption 1.2.840.113549.1.1.11
+static const uint8_t alg_sha256WithRSAEncryption[] = {
+  0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
+};
+const ByteString sha256WithRSAEncryption(alg_sha256WithRSAEncryption,
+  MOZILLA_PKIX_ARRAY_LENGTH(alg_sha256WithRSAEncryption));
+
 namespace {
 
 inline void
 fclose_void(FILE* file) {
   (void) fclose(file);
 }
 
 typedef mozilla::pkix::ScopedPtr<FILE, fclose_void> ScopedFILE;
@@ -65,29 +72,16 @@ OpenFile(const string& dir, const string
 #else
   file = fopen(path.c_str(), mode.c_str());
 #endif
   return file.release();
 }
 
 } // unnamed namespace
 
-bool
-InputEqualsByteString(Input input, const ByteString& bs)
-{
-  Input bsInput;
-  if (bsInput.Init(bs.data(), bs.length()) != Success) {
-    // Init can only fail if it is given a bad pointer or if the input is too
-    // long, which won't ever happen. Plus, if it does, it is ok to call abort
-    // since this is only test code.
-    abort();
-  }
-  return InputsAreEqual(input, bsInput);
-}
-
 Result
 TamperOnce(/*in/out*/ ByteString& item, const ByteString& from,
            const ByteString& to)
 {
   if (from.length() < 8) {
     return Result::FATAL_ERROR_INVALID_ARGS;
   }
   if (from.length() != to.length()) {
@@ -131,17 +125,16 @@ TLV(uint8_t tag, const ByteString& value
 
 OCSPResponseContext::OCSPResponseContext(const CertID& certID, time_t time)
   : certID(certID)
   , responseStatus(successful)
   , skipResponseBytes(false)
   , producedAt(time)
   , extensions(nullptr)
   , includeEmptyExtensions(false)
-  , signatureAlgorithm(sha256WithRSAEncryption)
   , badSignature(false)
   , certs(nullptr)
 
   , certStatus(good)
   , revocationTime(0)
   , thisUpdate(time)
   , nextUpdate(time + 10)
   , includeNextUpdate(true)
@@ -760,17 +753,17 @@ BasicOCSPResponse(OCSPResponseContext& c
 {
   ByteString tbsResponseData(ResponseData(context));
   if (ENCODING_FAILED(tbsResponseData)) {
     return ByteString();
   }
 
   // TODO(bug 980538): certs
   return SignedData(tbsResponseData, context.signerKeyPair.get(),
-                    context.signatureAlgorithm,
+                    sha256WithRSAEncryption,
                     context.badSignature, context.certs);
 }
 
 // Extension ::= SEQUENCE {
 //   id               OBJECT IDENTIFIER,
 //   critical         BOOLEAN DEFAULT FALSE
 //   value            OCTET STRING
 // }
--- a/security/pkix/test/lib/pkixtestutil.h
+++ b/security/pkix/test/lib/pkixtestutil.h
@@ -69,46 +69,23 @@ static const uint8_t tlv_id_kp_OCSPSigni
   0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09
 };
 
 // python DottedOIDToCode.py --tlv id-kp-serverAuth 1.3.6.1.5.5.7.3.1
 static const uint8_t tlv_id_kp_serverAuth[] = {
   0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01
 };
 
-// python DottedOIDToCode.py --alg sha256WithRSAEncryption 1.2.840.113549.1.1.11
-const uint8_t alg_sha256WithRSAEncryption[] = {
-  0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
-};
-
-const ByteString sha256WithRSAEncryption(alg_sha256WithRSAEncryption,
-  MOZILLA_PKIX_ARRAY_LENGTH(alg_sha256WithRSAEncryption));
-
-// python DottedOIDToCode.py --alg md5WithRSAEncryption 1.2.840.113549.1.1.4
-const uint8_t alg_md5WithRSAEncryption[] = {
-  0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04
-};
-
-const ByteString md5WithRSAEncryption(alg_md5WithRSAEncryption,
-  MOZILLA_PKIX_ARRAY_LENGTH(alg_md5WithRSAEncryption));
-
-// python DottedOIDToCode.py --alg md2WithRSAEncryption 1.2.840.113549.1.1.2
-const uint8_t alg_md2WithRSAEncryption[] = {
-  0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x02
-};
-
-const ByteString md2WithRSAEncryption(alg_md2WithRSAEncryption,
-  MOZILLA_PKIX_ARRAY_LENGTH(alg_md2WithRSAEncryption));
+extern const ByteString sha256WithRSAEncryption;
 
 // e.g. YMDHMS(2016, 12, 31, 1, 23, 45) => 2016-12-31:01:23:45 (GMT)
 mozilla::pkix::Time YMDHMS(int16_t year, int16_t month, int16_t day,
                            int16_t hour, int16_t minutes, int16_t seconds);
 
 ByteString CNToDERName(const char* cn);
-bool InputEqualsByteString(Input input, const ByteString& bs);
 
 class TestKeyPair
 {
 public:
   virtual ~TestKeyPair() { }
 
   // The DER encoding of the entire SubjectPublicKeyInfo structure. This is
   // what is encoded in certificates.
@@ -239,17 +216,16 @@ public:
 
   std::time_t producedAt;
 
   OCSPResponseExtension* extensions;
   bool includeEmptyExtensions; // If true, include the extension wrapper
                                // regardless of if there are any actual
                                // extensions.
   ScopedTestKeyPair signerKeyPair;
-  ByteString signatureAlgorithm; // DER encoding of signature algorithm to use.
   bool badSignature; // If true, alter the signature to fail verification
   const ByteString* certs; // optional; array terminated by an empty string
 
   // The following fields are on a per-SingleResponse basis. In the future we
   // may support including multiple SingleResponses per response.
   enum CertStatus {
     good = 0,
     revoked = 1,