Merge m-i to m-c
authorPhil Ringnalda <philringnalda@gmail.com>
Sat, 29 Mar 2014 09:00:18 -0700
changeset 176043 8da3aabb044f7c957c05a2ece79d5369eb28d0b4
parent 175983 c401296f71ae1f6edbf56ccc2c4404136f82c70c (current diff)
parent 176042 110c1a3fc74c282d52f07bd52956c07ea832c5a3 (diff)
child 176073 1d2a6c43e284f80a16b54800e13c481d4fc6eefe
push id26505
push userphilringnalda@gmail.com
push dateSat, 29 Mar 2014 16:01:43 +0000
milestone31.0a1
Merge m-i to m-c
layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-1.xhtml
layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-2-ref.xhtml
layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-2.xhtml
layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-3-ref.xhtml
layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-3.xhtml
toolkit/library/Makefile.in
toolkit/library/moz.build
--- a/CLOBBER
+++ b/CLOBBER
@@ -17,9 +17,9 @@
 #
 # Modifying this file will now automatically clobber the buildbot machines \o/
 #
 
 # Are you updating CLOBBER because you think it's needed for your WebIDL
 # changes to stick? As of bug 928195, this shouldn't be necessary! Please
 # don't change CLOBBER for WebIDL changes any more.
 
-Bug 981166 - Disabling Metro was causing intermittent Windows l10n packaging issues.
+Bug 957865 - Non-clobbered ASAN builds were failing all mochitests after the clang upgrade
--- a/accessible/src/base/FocusManager.cpp
+++ b/accessible/src/base/FocusManager.cpp
@@ -235,19 +235,21 @@ FocusManager::ProcessDOMFocus(nsINode* a
 {
 #ifdef A11Y_LOG
   if (logging::IsEnabled(logging::eFocus))
     logging::FocusNotificationTarget("process DOM focus", "Target", aTarget);
 #endif
 
   DocAccessible* document =
     GetAccService()->GetDocAccessible(aTarget->OwnerDoc());
+  if (!document)
+    return;
 
   Accessible* target = document->GetAccessibleEvenIfNotInMapOrContainer(aTarget);
-  if (target && document) {
+  if (target) {
     // Check if still focused. Otherwise we can end up with storing the active
     // item for control that isn't focused anymore.
     nsINode* focusedNode = FocusedDOMNode();
     if (!focusedNode)
       return;
 
     Accessible* DOMFocus =
       document->GetAccessibleEvenIfNotInMapOrContainer(focusedNode);
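Review bot: The new `if (!document) return;` guard has no comment saying when `GetDocAccessible()` can return null for a focus target, so a reader cannot tell an expected state from a masked bug. A one-line comment above it naming that case would help. `GetAccService()` is still dereferenced unchecked in the same statement; if it can be null at this point (not visible here), the guard is incomplete. The body of ProcessDOMFocus continues past the end of the hunk.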
--- a/browser/config/tooltool-manifests/linux64/asan.manifest
+++ b/browser/config/tooltool-manifests/linux64/asan.manifest
@@ -1,17 +1,17 @@
 [
 {
-"clang_version": "r185949"
+"clang_version": "r200213"
 }, 
 {
 "size": 47, 
 "digest": "2005a41fe97a5e00997063705f39d42b6a43b1cf7ba306cbc7b1513de34cdcd050fc6326efa2107f19ba0cc67914745dbf13154fa748010a93cf072481ef4aaa", 
 "algorithm": "sha512", 
 "filename": "setup.sh"
 }, 
 {
-"size": 73050713, 
-"digest": "2c5c26a44402f974c2a4ccffb07ea1ac2d01d84dc3e4281fef6e047a62606811a16534d034477dfd9be055a07d931b17ca4e883c8edcd1f8d3a8c91b150e2288", 
+"size": 71282740, 
+"digest": "ee9edb1ef3afd9ab29e39565145545ad57e8d8d2538be4d822d7dbd64038f4529b0b287cecf48bf83def52a26ac2c6faa331686c3ad5e8b4ba4c22686ee0808f", 
 "algorithm": "sha512", 
 "filename": "clang.tar.bz2"
 }
 ]
--- a/browser/config/tooltool-manifests/macosx64/asan.manifest
+++ b/browser/config/tooltool-manifests/macosx64/asan.manifest
@@ -1,17 +1,17 @@
 [
 {
-"clang_version": "r185949"
+"clang_version": "r200213"
 }, 
 {
 "size": 47, 
 "digest": "2005a41fe97a5e00997063705f39d42b6a43b1cf7ba306cbc7b1513de34cdcd050fc6326efa2107f19ba0cc67914745dbf13154fa748010a93cf072481ef4aaa", 
 "algorithm": "sha512", 
 "filename": "setup.sh"
 }, 
 {
-"size": 61779086, 
-"digest": "b2f2861da7583e859b4fb40e1304dd284df02466c909893684341b16e2f58c4c100891504938cf62f26ac82254b9e87135ba98f8196dd26e9b58d3242f1cf811", 
+"size": 58997296, 
+"digest": "9757d142142442c881b8d1eb31c2fe80e1979a858e6133473b5574a5a3b9cdaf9abed32b2e246b715c9f0eb0969103337918215fc491feae196219e8fb03f0b1", 
 "algorithm": "sha512", 
 "filename": "clang.tar.bz2"
 }
 ]
--- a/build/mozconfig.cache
+++ b/build/mozconfig.cache
@@ -1,27 +1,39 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 # Setup for build cache
 
+read branch platform master <<EOF
+$(python2.7 -c 'import json; p = json.loads(open("'"$topsrcdir"'/../buildprops.json").read())["properties"]; print p["branch"], p["platform"], p["master"]' 2> /dev/null)
+EOF
+
 bucket=
-if test -z "$SCCACHE_DISABLE" -a -f "$topsrcdir/sccache/sccache.py"; then
-    case `hostname` in
-    try*spot*.use1.mozilla.com|try*ec2*.use1.mozilla.com)
+if test -z "$SCCACHE_DISABLE" -a -z "$no_tooltool"; then
+    case "${branch}_${master}" in
+    try_*use1.mozilla.com*)
         bucket=mozilla-releng-s3-cache-us-east-1-try
         ;;
-    try*spot*.usw2.mozilla.com|try*ec2*.usw2.mozilla.com)
+    try_*usw2.mozilla.com*)
         bucket=mozilla-releng-s3-cache-us-west-2-try
         ;;
     esac
 fi
 
 if test -z "$bucket"; then
-    ac_add_options --with-ccache
+    case "$platform" in
+    win*) : ;;
+    *)
+        ac_add_options --with-ccache
+    esac
 else
     mk_add_options "export SCCACHE_BUCKET=$bucket"
-    mk_add_options "export SCCACHE_NAMESERVER=169.254.169.253"
+    case "$master" in
+    *use1.mozilla.com*|*usw2.mozilla.com*)
+        mk_add_options "export SCCACHE_NAMESERVER=169.254.169.253"
+        ;;
+    esac
     ac_add_options "--with-compiler-wrapper=python2.7 $topsrcdir/sccache/sccache.py"
     mk_add_options MOZ_PREFLIGHT+=build/sccache.mk
     mk_add_options MOZ_POSTFLIGHT+=build/sccache.mk
 fi
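Review bot: The added `python2.7 -c` line splices `$topsrcdir` into the Python source text (`open("'"$topsrcdir"'/../buildprops.json")`), so a checkout path containing a double quote or backslash changes the program that runs rather than just the file name. Pass the path as an argument instead: `python2.7 -c 'import json, sys; p = json.load(open(sys.argv[1]))["properties"]; print p["branch"], p["platform"], p["master"]' "$topsrcdir/../buildprops.json" 2> /dev/null`. Use `read -r branch platform master` so backslashes in a property value are taken literally. Because stderr is discarded, a missing or malformed buildprops.json silently leaves all three variables empty and the script takes the fallback branch with nothing in the log; a one-line message when `$master` is empty would make the S3 bucket decision auditable.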
--- a/build/unix/build-clang/build-clang.py
+++ b/build/unix/build-clang/build-clang.py
@@ -33,17 +33,17 @@ def patch(patch, srcdir):
 
 
 def build_package(package_source_dir, package_build_dir, configure_args,
                   make_args):
     if not os.path.exists(package_build_dir):
         os.mkdir(package_build_dir)
     run_in(package_build_dir,
            ["%s/configure" % package_source_dir] + configure_args)
-    run_in(package_build_dir, ["make", "-j8"] + make_args)
+    run_in(package_build_dir, ["make", "-j4"] + make_args)
     run_in(package_build_dir, ["make", "install"])
 
 
 def with_env(env, f):
     old_env = os.environ.copy()
     os.environ.update(env)
     f()
     os.environ.clear()
@@ -54,19 +54,19 @@ def build_tar_package(tar, name, base, d
     name = os.path.realpath(name)
     run_in(base, [tar, "-cjf", name, directory])
 
 
 def svn_co(url, directory, revision):
     check_run(["svn", "co", "-r", revision, url, directory])
 
 
-def build_one_stage(env, stage_dir, llvm_source_dir):
+def build_one_stage(env, stage_dir, llvm_source_dir, gcc_toolchain_dir):
     def f():
-        build_one_stage_aux(stage_dir, llvm_source_dir)
+        build_one_stage_aux(stage_dir, llvm_source_dir, gcc_toolchain_dir)
     with_env(env, f)
 
 
 def build_tooltool_manifest(llvm_revision):
     basedir = os.path.split(os.path.realpath(sys.argv[0]))[0]
     tooltool = basedir + '/tooltool.py'
     setup = basedir + '/setup.sh'
     manifest = 'clang.manifest'
@@ -94,17 +94,17 @@ def get_platform():
     else:
         raise NotImplementedError("Not supported platform")
 
 
 def is_darwin():
     return platform.system() == "Darwin"
 
 
-def build_one_stage_aux(stage_dir, llvm_source_dir):
+def build_one_stage_aux(stage_dir, llvm_source_dir, gcc_toolchain_dir):
     os.mkdir(stage_dir)
 
     build_dir = stage_dir + "/build"
     inst_dir = stage_dir + "/clang"
 
     targets = ["x86", "x86_64"]
     # The Darwin equivalents of binutils appear to have intermittent problems
     # with objects in compiler-rt that are compiled for arm.  Since the arm
@@ -112,33 +112,36 @@ def build_one_stage_aux(stage_dir, llvm_
     # arm support on Linux.
     if not is_darwin():
         targets.append("arm")
 
     configure_opts = ["--enable-optimized",
                       "--enable-targets=" + ",".join(targets),
                       "--disable-assertions",
                       "--prefix=%s" % inst_dir,
-                      "--with-gcc-toolchain=/tools/gcc-4.7.3-0moz1"]
+                      "--with-gcc-toolchain=%s" % gcc_toolchain_dir,
+                      "--disable-compiler-version-checks"]
     build_package(llvm_source_dir, build_dir, configure_opts, [])
 
 if __name__ == "__main__":
     # The directories end up in the debug info, so the easy way of getting
     # a reproducible build is to run it in a know absolute directory.
     # We use a directory in /builds/slave because the mozilla infrastructure
     # cleans it up automatically.
     base_dir = "/builds/slave/moz-toolchain"
 
     source_dir = base_dir + "/src"
     build_dir = base_dir + "/build"
 
     llvm_source_dir = source_dir + "/llvm"
     clang_source_dir = source_dir + "/clang"
     compiler_rt_source_dir = source_dir + "/compiler-rt"
 
+    gcc_dir = "/tools/gcc-4.7.3-0moz1"
+
     if is_darwin():
         os.environ['MACOSX_DEPLOYMENT_TARGET'] = '10.7'
 
     parser = argparse.ArgumentParser()
     parser.add_argument('-c', '--config', required=True,
                         type=argparse.FileType('r'),
                         help="Clang configuration file")
 
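Review bot: `--disable-compiler-version-checks` is added to `configure_opts` without a comment, so it is unclear which host-compiler check is being bypassed or when the flag can be removed. Add a comment above it naming the check that fails with the gcc under `gcc_toolchain_dir` and the bug that tracks it. `gcc_dir` is a hard-coded absolute path that is never validated; an `os.path.isdir(gcc_dir)` test before stage 1 on non-Darwin hosts would fail early with a clear message instead of partway through configure. The `__main__` block continues outside this hunk.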
@@ -170,21 +173,26 @@ if __name__ == "__main__":
     if is_darwin():
         extra_cflags = ""
         extra_cxxflags = ""
         cc = "/usr/bin/clang"
         cxx = "/usr/bin/clang++"
     else:
         extra_cflags = "-static-libgcc"
         extra_cxxflags = "-static-libgcc -static-libstdc++"
-        cc = "/usr/bin/gcc"
-        cxx = "/usr/bin/g++"
+        cc = gcc_dir + "/bin/gcc"
+        cxx = gcc_dir + "/bin/g++"
 
-    build_one_stage({"CC": cc, "CXX": cxx}, stage1_dir, llvm_source_dir)
+    if os.environ.has_key('LD_LIBRARY_PATH'):
+        os.environ['LD_LIBRARY_PATH'] = '%s/lib64/:%s' % (gcc_dir, os.environ['LD_LIBRARY_PATH']);
+    else:
+        os.environ['LD_LIBRARY_PATH'] = '%s/lib64/' % gcc_dir
+
+    build_one_stage({"CC": cc, "CXX": cxx}, stage1_dir, llvm_source_dir, gcc_dir)
 
     stage2_dir = build_dir + '/stage2'
     build_one_stage(
         {"CC": stage1_inst_dir + "/bin/clang %s" % extra_cflags,
          "CXX": stage1_inst_dir + "/bin/clang++ %s" % extra_cxxflags},
-        stage2_dir, llvm_source_dir)
+        stage2_dir, llvm_source_dir, gcc_dir)
 
     build_tar_package("tar", "clang.tar.bz2", stage2_dir, "clang")
     build_tooltool_manifest(llvm_revision)
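Review bot: The `LD_LIBRARY_PATH` update sits after the `if is_darwin(): ... else:` block rather than inside the `else:`, so it also runs on Darwin, where `cc`/`cxx` are `/usr/bin/clang` and `gcc_dir` is not otherwise used. It also changes `os.environ` for the rest of the script, including the tar and manifest steps, instead of going through the `env` dict that `build_one_stage` applies per stage. Prepending a directory to the loader search path for every later child process is broader than the stage-1 compiler needs. While here, `os.environ.has_key('LD_LIBRARY_PATH')` reads better as `if 'LD_LIBRARY_PATH' in os.environ:`, and the trailing `;` on the assignment can go.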
--- a/build/unix/build-clang/clang-trunk.json
+++ b/build/unix/build-clang/clang-trunk.json
@@ -1,11 +1,11 @@
 {
-    "llvm_revision": "185949",
+    "llvm_revision": "200213",
     "llvm_repo": "https://llvm.org/svn/llvm-project/llvm/trunk",
     "clang_repo": "https://llvm.org/svn/llvm-project/cfe/trunk",
     "compiler_repo": "https://llvm.org/svn/llvm-project/compiler-rt/trunk",
     "patches": {
         "macosx64": ["llvm-debug-frame.patch"],
-        "linux64": ["llvm-debug-frame.patch", "no-sse-on-linux.patch"],
-        "linux32": ["llvm-debug-frame.patch", "no-sse-on-linux.patch"]
+        "linux64": ["llvm-debug-frame.patch", "no-sse-on-linux-trunk.patch"],
+        "linux32": ["llvm-debug-frame.patch", "no-sse-on-linux-trunk.patch"]
     }
 }
new file mode 100644
--- /dev/null
+++ b/build/unix/build-clang/no-sse-on-linux-trunk.patch
@@ -0,0 +1,13 @@
+Index: lib/Driver/Tools.cpp
+===================================================================
+--- a/clang/lib/Driver/Tools.cpp	(revision 199443)
++++ b/clang/lib/Driver/Tools.cpp	(working copy)
+@@ -1226,7 +1226,7 @@
+   // All x86 devices running Android have core2 as their common
+   // denominator. This makes a better choice than pentium4.
+   if (Triple.getEnvironment() == llvm::Triple::Android)
+-    return "core2";
++    return "686";
+ 
+   // Everything else goes to x86-64 in 64-bit mode.
+   if (Is64Bit)
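Review bot: The embedded patch header says it was generated against `revision 199443`, while clang-trunk.json in this changeset pins `llvm_revision` to `200213`, so the hunk may apply with an offset. As shown, the one changed line (`return "core2";` to `return "686";`) sits under the `Triple::Android` check, which does not match the file name `no-sse-on-linux`. Please confirm the hunk lands on the intended default-CPU return at the pinned revision and that `"686"` is the CPU name intended. A short header comment in the patch stating its purpose would also help, because a toolchain patch that silently edits a different branch changes the code generation of every binary built with it.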
--- a/build/valgrind/i386-redhat-linux-gnu.sup
+++ b/build/valgrind/i386-redhat-linux-gnu.sup
@@ -44,8 +44,20 @@
 }
 {
    Bug 794373
    Memcheck:Leak
    ...
    obj:/lib/libgobject-2.0.so.0.2200.5
    ...
 }
+
+###################################
+#  Leaks in short lived precesses #
+###################################
+
+{
+   Bug 984196
+   Memcheck:Leak
+   ...
+   fun:glxtest
+   ...
+}
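Review bot: The banner added here reads `Leaks in short lived precesses`; it should say `processes`, and the identical block added to x86_64-redhat-linux-gnu.sup has the same typo. The suppression has `...` on both sides of `fun:glxtest`, so it hides every Memcheck leak with that frame anywhere in the stack. If Bug 984196 concerns specific allocations, naming the allocating frame as well would keep new leaks in that process visible.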
--- a/build/valgrind/x86_64-redhat-linux-gnu.sup
+++ b/build/valgrind/x86_64-redhat-linux-gnu.sup
@@ -66,8 +66,20 @@
    fun:calloc
    fun:xcb_connect_to_fd
    fun:xcb_connect_to_display_with_auth_info
    fun:_XConnectXCB
    fun:XOpenDisplay
    fun:gdk_display_open
    ...
 }
+
+###################################
+#  Leaks in short lived precesses #
+###################################
+
+{
+   Bug 984196
+   Memcheck:Leak
+   ...
+   fun:glxtest
+   ...
+}
--- a/dom/activities/src/Activity.cpp
+++ b/dom/activities/src/Activity.cpp
@@ -62,17 +62,17 @@ Activity::Initialize(nsPIDOMWindow* aWin
 
   // Instantiate a JS proxy that will do the child <-> parent communication
   // with the JS implementation of the backend.
   nsresult rv;
   mProxy = do_CreateInstance("@mozilla.org/dom/activities/proxy;1", &rv);
   NS_ENSURE_SUCCESS(rv, rv);
 
   JS::Rooted<JS::Value> optionsValue(aCx);
-  if (!aOptions.ToObject(aCx, JS::NullPtr(), &optionsValue)) {
+  if (!aOptions.ToObject(aCx, &optionsValue)) {
     return NS_ERROR_FAILURE;
   }
 
   mProxy->StartActivity(static_cast<nsIDOMDOMRequest*>(this), optionsValue, aWindow);
   return NS_OK;
 }
 
 Activity::~Activity()
--- a/dom/base/Console.cpp
+++ b/dom/base/Console.cpp
@@ -684,17 +684,17 @@ Console::ProfileMethod(JSContext* aCx, c
   event.mArguments.Construct();
   Sequence<JS::Value>& sequence = event.mArguments.Value();
 
   for (uint32_t i = 0; i < aData.Length(); ++i) {
     sequence.AppendElement(aData[i]);
   }
 
   JS::Rooted<JS::Value> eventValue(aCx);
-  if (!event.ToObject(aCx, JS::NullPtr(), &eventValue)) {
+  if (!event.ToObject(aCx, &eventValue)) {
     aRv.Throw(NS_ERROR_FAILURE);
     return;
   }
 
   JS::Rooted<JSObject*> eventObj(aCx, &eventValue.toObject());
   MOZ_ASSERT(eventObj);
 
   if (!JS_DefineProperty(aCx, eventObj, "wrappedJSObject", eventValue,
@@ -996,17 +996,17 @@ Console::ProcessCallData(ConsoleCallData
     event.mTimer = StopTimer(cx, aData->mArguments[0], aData->mMonotonicTimer);
   }
 
   else if (aData->mMethodName == MethodCount) {
     event.mCounter = IncreaseCounter(cx, frame, aData->mArguments);
   }
 
   JS::Rooted<JS::Value> eventValue(cx);
-  if (!event.ToObject(cx, JS::NullPtr(), &eventValue)) {
+  if (!event.ToObject(cx, &eventValue)) {
     Throw(cx, NS_ERROR_FAILURE);
     return;
   }
 
   JS::Rooted<JSObject*> eventObj(cx, &eventValue.toObject());
   MOZ_ASSERT(eventObj);
 
   if (!JS_DefineProperty(cx, eventObj, "wrappedJSObject", eventValue,
@@ -1295,17 +1295,17 @@ Console::ComposeGroupName(JSContext* aCx
 JS::Value
 Console::StartTimer(JSContext* aCx, const JS::Value& aName,
                     DOMHighResTimeStamp aTimestamp)
 {
   if (mTimerRegistry.Count() >= MAX_PAGE_TIMERS) {
     RootedDictionary<ConsoleTimerError> error(aCx);
 
     JS::Rooted<JS::Value> value(aCx);
-    if (!error.ToObject(aCx, JS::NullPtr(), &value)) {
+    if (!error.ToObject(aCx, &value)) {
       return JS::UndefinedValue();
     }
 
     return value;
   }
 
   RootedDictionary<ConsoleTimerStart> timer(aCx);
 
@@ -1327,17 +1327,17 @@ Console::StartTimer(JSContext* aCx, cons
     mTimerRegistry.Put(key, aTimestamp);
   } else {
     aTimestamp = entry;
   }
 
   timer.mStarted = aTimestamp;
 
   JS::Rooted<JS::Value> value(aCx);
-  if (!timer.ToObject(aCx, JS::NullPtr(), &value)) {
+  if (!timer.ToObject(aCx, &value)) {
     return JS::UndefinedValue();
   }
 
   return value;
 }
 
 JS::Value
 Console::StopTimer(JSContext* aCx, const JS::Value& aName,
@@ -1361,17 +1361,17 @@ Console::StopTimer(JSContext* aCx, const
 
   mTimerRegistry.Remove(key);
 
   RootedDictionary<ConsoleTimerEnd> timer(aCx);
   timer.mName = key;
   timer.mDuration = aTimestamp - entry;
 
   JS::Rooted<JS::Value> value(aCx);
-  if (!timer.ToObject(aCx, JS::NullPtr(), &value)) {
+  if (!timer.ToObject(aCx, &value)) {
     return JS::UndefinedValue();
   }
 
   return value;
 }
 
 void
 Console::ArgumentsToValueList(const nsTArray<JS::Heap<JS::Value>>& aData,
@@ -1409,33 +1409,33 @@ Console::IncreaseCounter(JSContext* aCx,
   }
 
   uint32_t count = 0;
   if (!mCounterRegistry.Get(key, &count)) {
     if (mCounterRegistry.Count() >= MAX_PAGE_COUNTERS) {
       RootedDictionary<ConsoleCounterError> error(aCx);
 
       JS::Rooted<JS::Value> value(aCx);
-      if (!error.ToObject(aCx, JS::NullPtr(), &value)) {
+      if (!error.ToObject(aCx, &value)) {
         return JS::UndefinedValue();
       }
 
       return value;
     }
   }
 
   ++count;
   mCounterRegistry.Put(key, count);
 
   RootedDictionary<ConsoleCounter> data(aCx);
   data.mLabel = label;
   data.mCount = count;
 
   JS::Rooted<JS::Value> value(aCx);
-  if (!data.ToObject(aCx, JS::NullPtr(), &value)) {
+  if (!data.ToObject(aCx, &value)) {
     return JS::UndefinedValue();
   }
 
   return value;
 }
 
 void
 Console::ClearConsoleData()
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -5673,17 +5673,17 @@ nsGlobalWindow::DispatchResizeEvent(cons
   }
 
   AutoSafeJSContext cx;
   JSAutoCompartment ac(cx, mJSObject);
   DOMWindowResizeEventDetail detail;
   detail.mWidth = aSize.width;
   detail.mHeight = aSize.height;
   JS::Rooted<JS::Value> detailValue(cx);
-  if (!detail.ToObject(cx, JS::NullPtr(), &detailValue)) {
+  if (!detail.ToObject(cx, &detailValue)) {
     return false;
   }
 
   CustomEvent* customEvent = static_cast<CustomEvent*>(domEvent.get());
   customEvent->InitCustomEvent(cx,
                                NS_LITERAL_STRING("DOMWindowResize"),
                                /* bubbles = */ true,
                                /* cancelable = */ true,
--- a/dom/bindings/Codegen.py
+++ b/dom/bindings/Codegen.py
@@ -4667,17 +4667,17 @@ if (!returnArray) {
         return (setObject("*%s.Obj()" % result,
                           wrapAsType=type), False)
 
     if type.isUnion():
         return (wrapAndSetPtr("%s.ToJSVal(cx, ${obj}, ${jsvalHandle})" % result),
                 False)
 
     if type.isDictionary():
-        return (wrapAndSetPtr("%s.ToObject(cx, ${obj}, ${jsvalHandle})" % result),
+        return (wrapAndSetPtr("%s.ToObject(cx, ${jsvalHandle})" % result),
                 False)
 
     if type.isDate():
         return (wrapAndSetPtr("%s.ToDateObject(cx, ${jsvalHandle})" % result),
                 False)
 
     tag = type.tag()
 
@@ -9314,17 +9314,17 @@ if (!*reinterpret_cast<jsid**>(atomsCach
 
 """
             body += string.Template(initIdText).substitute(
               { "dictName": self.makeClassName(self.dictionary)})
 
         if self.dictionary.parent:
             body += (
                 "// Per spec, we define the parent's members first\n"
-                "if (!%s::ToObject(cx, parentObject, rval)) {\n"
+                "if (!%s::ToObject(cx, rval)) {\n"
                 "  return false;\n"
                 "}\n"
                 "JS::Rooted<JSObject*> obj(cx, &rval.toObject());\n"
                 "\n") % self.makeClassName(self.dictionary.parent)
         else:
             body += (
                 "JS::Rooted<JSObject*> obj(cx, JS_NewObject(cx, nullptr, JS::NullPtr(), JS::NullPtr()));\n"
                 "if (!obj) {\n"
@@ -9334,17 +9334,16 @@ if (!*reinterpret_cast<jsid**>(atomsCach
                 "\n")
 
         body += "\n\n".join(self.getMemberDefinition(m).define()
                             for m in self.memberInfo)
         body += "\n\nreturn true;"
 
         return ClassMethod("ToObject", "bool", [
             Argument('JSContext*', 'cx'),
-            Argument('JS::Handle<JSObject*>', 'parentObject'),
             Argument('JS::MutableHandle<JS::Value>', 'rval'),
         ], const=True, body=body)
 
     def initIdsMethod(self):
         assert self.needToInitIds
         idinit = [CGGeneric('!atomsCache->%s.init(cx, "%s")' %
                             (CGDictionary.makeIdName(m.identifier.name),
                              m.identifier.name))
@@ -9593,17 +9592,19 @@ if (""",
                 'result' : "currentValue",
                 'successCode' : ("if (!%s) {\n"
                                  "  return false;\n"
                                  "}\n"
                                  "break;" % propDef),
                 'jsvalRef': "temp",
                 'jsvalHandle': "&temp",
                 'returnsNewObject': False,
-                'obj': "parentObject",
+                # 'obj' can just be allowed to be the string "obj", since that
+                # will be our dictionary object, which is presumably itself in
+                # the right scope.
                 'typedArraysAreStructs': True
             })
         conversion = CGGeneric(innerTemplate)
         conversion = CGWrapper(conversion,
                                pre=("JS::Rooted<JS::Value> temp(cx);\n"
                                     "%s const & currentValue = %s;\n" %
                                     (declType.define(), memberData)
                                     ))
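Review bot: The comment that replaces `'obj': "parentObject"` says the dictionary object is "presumably itself in the right scope", which leaves the wrapping scope of member values resting on an unstated caller precondition. With the scope argument gone, the generated `ToObject` appears to rely on the caller having entered the intended compartment on `cx` first, as the BrowserElementParent call sites in this changeset do with `JSAutoCompartment`. State that as the contract instead, for example `# 'obj' is the dictionary object created above on cx; callers must already be in the compartment the result should live in.` The enclosing method starts and ends outside the hunk.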
--- a/dom/browser-element/BrowserElementParent.cpp
+++ b/dom/browser-element/BrowserElementParent.cpp
@@ -155,17 +155,17 @@ BrowserElementParent::DispatchOpenWindow
 
   nsIGlobalObject* sgo = aPopupFrameElement->OwnerDoc()->GetScopeObject();
   if (!sgo) {
     return BrowserElementParent::OPEN_WINDOW_IGNORED;
   }
 
   JS::Rooted<JSObject*> global(cx, sgo->GetGlobalJSObject());
   JSAutoCompartment ac(cx, global);
-  if (!detail.ToObject(cx, global, &val)) {
+  if (!detail.ToObject(cx, &val)) {
     MOZ_CRASH("Failed to convert dictionary to JS::Value due to OOM.");
     return BrowserElementParent::OPEN_WINDOW_IGNORED;
   }
 
   nsEventStatus status;
   bool dispatchSucceeded =
     DispatchCustomDOMEvent(aOpenerFrameElement,
                            NS_LITERAL_STRING("mozbrowseropenwindow"),
@@ -327,19 +327,17 @@ NS_IMETHODIMP DispatchAsyncScrollEventRu
 
   AutoSafeJSContext cx;
   JS::Rooted<JSObject*> globalJSObject(cx, globalObject->GetGlobalJSObject());
   NS_ENSURE_TRUE(globalJSObject, NS_ERROR_UNEXPECTED);
 
   JSAutoCompartment ac(cx, globalJSObject);
   JS::Rooted<JS::Value> val(cx);
 
-  // We can get away with a null global here because
-  // AsyncScrollEventDetail only contains numeric values.
-  if (!detail.ToObject(cx, JS::NullPtr(), &val)) {
+  if (!detail.ToObject(cx, &val)) {
     MOZ_CRASH("Failed to convert dictionary to JS::Value due to OOM.");
     return NS_ERROR_FAILURE;
   }
 
   nsEventStatus status = nsEventStatus_eIgnore;
   DispatchCustomDOMEvent(frameElement,
                          NS_LITERAL_STRING("mozbrowserasyncscroll"),
                          cx,
--- a/dom/camera/CameraCommon.h
+++ b/dom/camera/CameraCommon.h
@@ -56,48 +56,9 @@ enum {
 #else
 #define DOM_CAMERA_LOGR( ... )
 #endif
 #define DOM_CAMERA_LOGT( ... )      DOM_CAMERA_LOG( DOM_CAMERA_LOG_TRACE, __VA_ARGS__ )
 #define DOM_CAMERA_LOGI( ... )      DOM_CAMERA_LOG( DOM_CAMERA_LOG_INFO, __VA_ARGS__ )
 #define DOM_CAMERA_LOGW( ... )      DOM_CAMERA_LOG( DOM_CAMERA_LOG_WARNING, __VA_ARGS__ )
 #define DOM_CAMERA_LOGE( ... )      DOM_CAMERA_LOG( DOM_CAMERA_LOG_ERROR, __VA_ARGS__ )
 
-#ifdef PR_LOGGING
-
-static inline void nsLogAddRefCamera(const char *file, uint32_t line, void* p, uint32_t count, const char *clazz, uint32_t size)
-{
-  if (count == 1) {
-    DOM_CAMERA_LOGR("++++++++++++++++++++++++++++++++++++++++");
-  }
-  DOM_CAMERA_LOGR("%s:%d : CAMREF-ADD(%s): this=%p, mRefCnt=%d\n", file, line, clazz, p, count);
-}
-
-static inline void nsLogReleaseCamera(const char *file, uint32_t line, void* p, uint32_t count, const char *clazz, bool abortOnDelete)
-{
-  DOM_CAMERA_LOGR("%s:%d : CAMREF-REL(%s): this=%p, mRefCnt=%d\n", file, line, clazz, p, count);
-  if (count == 0) {
-    if (!abortOnDelete) {
-      DOM_CAMERA_LOGR("----------------------------------------");
-    } else {
-      DOM_CAMERA_LOGR("---------- ABORTING ON DELETE ----------");
-      *((uint32_t *)0xdeadbeef) = 0x266230;
-    }
-  }
-}
-
-#ifdef NS_LOG_ADDREF
-#undef NS_LOG_ADDREF
-#endif
-#ifdef NS_LOG_RELEASE
-#undef NS_LOG_RELEASE
-#endif
-
-#define NS_LOG_ADDREF( p, n, c, s ) nsLogAddRefCamera(__FILE__, __LINE__, (p), (n), (c), (s))
-#ifdef DOM_CAMERA_DEBUG_REFS_ABORT_ON_DELETE
-#define NS_LOG_RELEASE( p, n, c )   nsLogReleaseCamera(__FILE__, __LINE__, (p), (n), (c), DOM_CAMERA_DEBUG_REFS_ABORT_ON_DELETE)
-#else
-#define NS_LOG_RELEASE( p, n, c )   nsLogReleaseCamera(__FILE__, __LINE__, (p), (n), (c), false)
-#endif
-
-#endif // PR_LOGGING
-
 #endif // DOM_CAMERA_CAMERACOMMON_H
--- a/dom/contacts/tests/test_migration_chrome.js
+++ b/dom/contacts/tests/test_migration_chrome.js
@@ -9,24 +9,28 @@ const {classes: Cc, interfaces: Ci, util
 
 let imports = {};
 
 Cu.import("resource://gre/modules/ContactDB.jsm", imports);
 Cu.import("resource://gre/modules/ContactService.jsm", imports);
 Cu.import("resource://gre/modules/Promise.jsm", imports);
 Cu.importGlobalProperties(["indexedDB"]);
 
-const {
+// |const| will not work because
+// it will make the Promise object immutable before assigning.
+// Using |let| and Object.freeze() instead.
+let {
   STORE_NAME,
   SAVED_GETALL_STORE_NAME,
   REVISION_STORE,
   DB_NAME,
   ContactService,
   Promise
 } = imports;
+Object.freeze(imports);
 
 let DEBUG = false;
 function debug(str) {
   if (DEBUG){
     dump("-*- TestMigrationChromeScript: " + str + "\n");
   }
 }
 
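Review bot: The new comment presents `let` plus `Object.freeze()` as a stand-in for `const`, but `Object.freeze(imports)` freezes only the `imports` holder object. The six destructured bindings (`STORE_NAME` through `Promise`) remain reassignable under `let`. The stated reason, "it will make the Promise object immutable before assigning", is also hard to follow as written. Suggest rewording to say what actually failed with `const` and that the bindings are not protected, e.g. `// |let| because |const| destructuring failed here (bug <bug number>); freezing |imports| does not make these bindings read-only.`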
--- a/dom/datastore/DataStoreService.js
+++ b/dom/datastore/DataStoreService.js
@@ -373,39 +373,58 @@ DataStoreService.prototype = {
         !(aAppId in this.accessStores[aName])) {
       return null;
     }
 
     return this.accessStores[aName][aAppId];
   },
 
   observe: function observe(aSubject, aTopic, aData) {
-    debug('getDataStores - aTopic: ' + aTopic);
+    debug('observe - aTopic: ' + aTopic);
     if (aTopic != 'webapps-clear-data') {
       return;
     }
 
     let params =
       aSubject.QueryInterface(Ci.mozIApplicationClearPrivateDataParams);
 
     // DataStore is explosed to apps, not browser content.
     if (params.browserOnly) {
       return;
     }
 
+    function isEmpty(aMap) {
+      for (var key in aMap) {
+        if (aMap.hasOwnProperty(key)) {
+          return false;
+        }
+      }
+      return true;
+    }
+
     for (let key in this.stores) {
       if (params.appId in this.stores[key]) {
         this.deleteDatabase(key, this.stores[key][params.appId].owner);
         delete this.stores[key][params.appId];
       }
 
-      if (!this.stores[key].length) {
+      if (isEmpty(this.stores[key])) {
         delete this.stores[key];
       }
     }
+
+    for (let key in this.accessStores) {
+      if (params.appId in this.accessStores[key]) {
+        delete this.accessStores[key][params.appId];
+      }
+
+      if (isEmpty(this.accessStores[key])) {
+        delete this.accessStores[key];
+      }
+    }
   },
 
   deleteDatabase: function(aName, aOwner) {
     debug("delete database: " + aName);
 
     let db = new DataStoreDB();
     db.init(aOwner, aName);
     db.delete();
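Review bot: `isEmpty` calls `aMap.hasOwnProperty(key)` on the map itself, which misbehaves if a key named `hasOwnProperty` is ever stored in it. `Object.keys(aMap).length === 0` or `Object.prototype.hasOwnProperty.call(aMap, key)` avoids that. The new `accessStores` loop removes only the entries keyed by the cleared app's id. From this hunk it is not visible whether other apps' access entries to a store owned by the cleared app should also be dropped. That is worth confirming, since a stale entry would still be returned by the `this.accessStores[aName][aAppId]` lookup above.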
new file mode 100644
--- /dev/null
+++ b/dom/datastore/tests/file_bug986056.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for DataStore - bug 986056 app</title>
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+  <script type="application/javascript;version=1.7">
+
+  function cbError() {
+    alert('KO error');
+  }
+
+  navigator.getDataStores('foo').then(function(stores) {
+    alert("OK " + stores.length);
+  }, cbError);
+  </script>
+</pre>
+</body>
+</html>
+
copy from dom/datastore/tests/file_bug976311.template.webapp
copy to dom/datastore/tests/file_bug986056.template.webapp
--- a/dom/datastore/tests/mochitest.ini
+++ b/dom/datastore/tests/mochitest.ini
@@ -12,16 +12,18 @@ support-files =
   file_arrays.html
   file_sync.html
   file_bug924104.html
   file_certifiedApp.html
   file_keys.html
   file_duplicate.html
   file_bug976311.html
   file_bug976311.template.webapp
+  file_bug986056.html
+  file_bug986056.template.webapp
   file_event_maker.html
   file_event_receiver.html
 
 [test_app_install.html]
 [test_readonly.html]
 skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) # b2g-debug(debug-only failure; time out) b2g-desktop(Bug 931116, b2g desktop specific, initial triage)
 [test_basic.html]
 [test_changes.html]
@@ -33,9 +35,10 @@ skip-if = (buildapp == 'b2g' && (toolkit
 [test_sync.html]
 skip-if = (buildapp == 'b2g' && (toolkit != 'gonk' || debug)) # b2g-debug(debug-only failure; time out) b2g-desktop(Bug 931116, b2g desktop specific, initial triage)
 [test_bug924104.html]
 [test_certifiedApp.html]
 skip-if = (toolkit == 'gonk' && debug) #debug-only failure; time out
 [test_keys.html]
 [test_duplicate.html]
 [test_bug976311.html]
+[test_bug986056.html]
 [test_oop_events.html]
new file mode 100644
--- /dev/null
+++ b/dom/datastore/tests/test_bug986056.html
@@ -0,0 +1,146 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for DataStore - bug 986056</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+  <script type="application/javascript;version=1.7">
+
+  var gHostedManifestURL = 'http://test/tests/dom/datastore/tests/file_app.sjs?testToken=file_bug986056.html&template=file_bug986056.template.webapp';
+  var gHostedManifestURL2 = 'http://example.com/tests/dom/datastore/tests/file_app.sjs?testToken=file_bug986056.html&template=file_bug986056.template.webapp';
+  var gApps = [];
+
+  function cbError() {
+    ok(false, "Error callback invoked");
+    finish();
+  }
+
+  function installApp(aApp) {
+    var request = navigator.mozApps.install(aApp);
+    request.onerror = cbError;
+    request.onsuccess = function() {
+      gApps.push(request.result);
+      runTest();
+    }
+  }
+
+  function uninstallApp(aApp) {
+    var request = navigator.mozApps.mgmt.uninstall(aApp);
+    request.onerror = cbError;
+    request.onsuccess = runTest;
+  }
+
+  function testApp(aCount) {
+    var ifr = document.createElement('iframe');
+    ifr.setAttribute('mozbrowser', 'true');
+    ifr.setAttribute('mozapp', gApps[0].manifestURL);
+    ifr.setAttribute('src', gApps[0].manifest.launch_path);
+    var domParent = document.getElementById('content');
+
+    // Set us up to listen for messages from the app.
+    var listener = function(e) {
+      var message = e.detail.message;
+      if (/KO/.exec(message)) {
+        ok(false, "Message from app: " + message);
+      } else if (/^OK/.exec(message)) {
+        is(message, "OK " + aCount, "Number of dataStore matches");
+        ifr.removeEventListener('mozbrowsershowmodalprompt', listener);
+        domParent.removeChild(ifr);
+        runTest();
+      }
+    }
+
+    // This event is triggered when the app calls "alert".
+    ifr.addEventListener('mozbrowsershowmodalprompt', listener, false);
+    domParent.appendChild(ifr);
+  }
+
+  var tests = [
+    // Permissions
+    function() {
+      SpecialPowers.pushPermissions(
+        [{ "type": "browser", "allow": 1, "context": document },
+         { "type": "embed-apps", "allow": 1, "context": document },
+         { "type": "webapps-manage", "allow": 1, "context": document }], runTest);
+    },
+
+    // Preferences
+    function() {
+      SpecialPowers.pushPrefEnv({"set": [["dom.datastore.enabled", true],
+                                         ["dom.testing.ignore_ipc_principal", true],
+                                         ["dom.testing.datastore_enabled_for_hosted_apps", true]]}, runTest);
+    },
+
+    // Enabling mozBrowser
+    function() {
+      SpecialPowers.setAllAppsLaunchable(true);
+      SpecialPowers.pushPrefEnv({"set": [["dom.mozBrowserFramesEnabled", true]]}, runTest);
+    },
+
+    // No confirmation needed when an app is installed
+    function() {
+      SpecialPowers.autoConfirmAppInstall(runTest);
+    },
+
+    // Installing the app1
+    function() { installApp(gHostedManifestURL); },
+
+    // Installing the app2
+    function() { installApp(gHostedManifestURL2); },
+
+    // Run tests in app. 2 apps are installed so we want to have 2 'foo'
+    // dataStore.
+    function() { testApp(2); },
+
+    // Uninstall the first app
+    function() { uninstallApp(gApps.shift()); },
+
+    // Run tests in app. 1 single apps is installed so we want to have 1 'foo'
+    // dataStore.
+    function() { testApp(1); },
+
+    // Installing the app1
+    function() { installApp(gHostedManifestURL); },
+
+    // Run tests in app. Back to 2 apps, 2 datastores.
+    function() { testApp(2); },
+
+    // Uninstall the first app
+    function() { uninstallApp(gApps.shift()); },
+
+    // Uninstall the second app
+    function() { uninstallApp(gApps.shift()); }
+  ];
+
+  function runTest() {
+    if (!tests.length) {
+      finish();
+      return;
+    }
+
+    var test = tests.shift();
+    test();
+  }
+
+  function finish() {
+    SimpleTest.finish();
+  }
+
+  if (SpecialPowers.isMainProcess()) {
+    SpecialPowers.Cu.import("resource://gre/modules/DataStoreChangeNotifier.jsm");
+  }
+
+  SimpleTest.waitForExplicitFinish();
+  runTest();
+  </script>
+</pre>
+</body>
+</html>
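Review bot: The `KO` branch of `listener` in `testApp` records a failure but never calls `runTest()` or `finish()`, so when the app reports an error the test can only end by harness timeout, with the iframe and its listener still attached. Ending the run in that branch, for example `ok(false, "Message from app: " + message); finish();`, would surface the failure immediately. Separately, `cbError` calls `finish()` without uninstalling anything already pushed to `gApps`, which looks like it could leave hosted apps installed for later tests; worth confirming whether the harness cleans those up.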
--- a/dom/events/test/mochitest.ini
+++ b/dom/events/test/mochitest.ini
@@ -120,17 +120,17 @@ skip-if = toolkit == 'android'
 [test_bug812744.html]
 [test_bug847597.html]
 [test_bug855741.html]
 [test_bug864040.html]
 skip-if = buildapp == 'b2g' # b2g(failing when the test gets moved around, and on debug) b2g-debug(failing when the test gets moved around, and on debug) b2g-desktop(failing when the test gets moved around, and on debug)
 [test_bug930374-content.html]
 [test_bug944847.html]
 [test_bug967796.html]
-skip-if = toolkit == "gonk"
+skip-if = toolkit == "gonk" || e10s
 [test_bug944011.html]
 [test_bug946632.html]
 [test_clickevent_on_input.html]
 skip-if = toolkit == 'android' #CRASH_DUMP, RANDOM
 [test_continuous_wheel_events.html]
 skip-if = buildapp == 'b2g' || e10s # b2g(5535 passed, 108 failed - more tests running than desktop) b2g-debug(5535 passed, 108 failed - more tests running than desktop) b2g-desktop(5535 passed, 108 failed - more tests running than desktop)
 [test_dblclick_explicit_original_target.html]
 [test_dom_keyboard_event.html]
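Review bot: The new `|| e10s` condition on `[test_bug967796.html]` carries no comment or bug number, so nothing records why the test is disabled under e10s or when it can be turned back on. A trailing annotation such as `# e10s(Bug NNNNNN - reason)` (placeholder; the page does not give the bug) would match the annotated entries nearby. The same applies to `test_document.getElementsByName-newelements.html` in dom/imptests/html/mochitest.ini, where the existing `#b2g-debug(debug-only failure)` comment now describes only half of the condition, and to `test_pointerlock-api.html` in dom/tests/mochitest/pointerlock/mochitest.ini.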
--- a/dom/events/test/test_bug432698.html
+++ b/dom/events/test/test_bug432698.html
@@ -126,16 +126,17 @@ function runTests() {
   synthesizeMouse(iframe.contentDocument.body, r.width / 2, r.height - (r.height / 4), {type: "mousemove"},
                   iframe.contentWindow);
   is(mouseentercount, 7, "Unexpected mouseenter event count!");
   expectedRelatedEnter = iframe;
   expectedRelatedLeave = outside;
   sendMouseEvent("mousemove", outside);
   is(mouseleavecount, 7, "Unexpected mouseleave event count!");
 
+  checkRelatedTarget = false;
   SimpleTest.finish();
 }
 
 function menter(evt) {
   ++mouseentercount;
   evt.stopPropagation();
   if (expectedMouseEnterTargets.length) {
     var t = expectedMouseEnterTargets.shift();
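Review bot: The added `checkRelatedTarget = false;` just before `SimpleTest.finish()` has no comment saying why the flag is cleared at the end of `runTests`. Presumably it stops the enter/leave handlers from asserting on mouse events that arrive after the test has finished; if that is the reason, a line such as `// Late mouse events may still fire after finish(); stop checking relatedTarget.` would save the next reader from guessing. The handlers that read the flag are outside this hunk.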
--- a/dom/imptests/html/mochitest.ini
+++ b/dom/imptests/html/mochitest.ini
@@ -293,17 +293,17 @@ skip-if = (toolkit == 'gonk' && debug) #
 skip-if = (toolkit == 'gonk' && debug) #b2g-debug(debug-only failure)
 [html/dom/documents/dta/doc.gEBN/test_document.getElementsByName-id.xhtml]
 skip-if = (toolkit == 'gonk' && debug) #b2g-debug(debug-only failure)
 [html/dom/documents/dta/doc.gEBN/test_document.getElementsByName-namespace.html]
 skip-if = (toolkit == 'gonk' && debug) #b2g-debug(debug-only failure)
 [html/dom/documents/dta/doc.gEBN/test_document.getElementsByName-namespace.xhtml]
 skip-if = (toolkit == 'gonk' && debug) #b2g-debug(debug-only failure)
 [html/dom/documents/dta/doc.gEBN/test_document.getElementsByName-newelements.html]
-skip-if = (toolkit == 'gonk' && debug) #b2g-debug(debug-only failure)
+skip-if = (toolkit == 'gonk' && debug) || (e10s && debug) #b2g-debug(debug-only failure)
 [html/dom/documents/dta/doc.gEBN/test_document.getElementsByName-newelements.xhtml]
 skip-if = (toolkit == 'gonk' && debug) #b2g-debug(debug-only failure)
 [html/dom/documents/dta/doc.gEBN/test_document.getElementsByName-null-undef.html]
 skip-if = (toolkit == 'gonk' && debug) #b2g-debug(debug-only failure)
 [html/dom/documents/dta/doc.gEBN/test_document.getElementsByName-null-undef.xhtml]
 skip-if = (toolkit == 'gonk' && debug) #b2g-debug(debug-only failure)
 [html/dom/documents/dta/doc.gEBN/test_document.getElementsByName-param.html]
 skip-if = (toolkit == 'gonk' && debug) #b2g-debug(debug-only failure)
--- a/dom/media/MediaManager.cpp
+++ b/dom/media/MediaManager.cpp
@@ -85,17 +85,17 @@ using dom::Sequence;
 
 static nsresult CompareDictionaries(JSContext* aCx, JSObject *aA,
                                     const MediaTrackConstraintSet &aB,
                                     nsString *aDifference)
 {
   JS::Rooted<JSObject*> a(aCx, aA);
   JSAutoCompartment ac(aCx, aA);
   JS::Rooted<JS::Value> bval(aCx);
-  aB.ToObject(aCx, JS::NullPtr(), &bval);
+  aB.ToObject(aCx, &bval);
   JS::Rooted<JSObject*> b(aCx, &bval.toObject());
 
   // Iterate over each property in A, and check if it is in B
 
   JS::AutoIdArray props(aCx, JS_Enumerate(aCx, a));
 
   for (size_t i = 0; i < props.length(); i++) {
     JS::Rooted<JS::Value> bprop(aCx);
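Review bot: The return value of `aB.ToObject(aCx, &bval)` in `CompareDictionaries` is ignored, and the next line calls `bval.toObject()` unconditionally; if the conversion fails (for example under memory pressure) `bval` never holds an object and that call is invalid. Every other call site updated in this changeset checks the result, so this one should too: `if (!aB.ToObject(aCx, &bval)) { return NS_ERROR_FAILURE; }`. The rest of the function body is outside the hunk.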
--- a/dom/src/notification/DesktopNotification.cpp
+++ b/dom/src/notification/DesktopNotification.cpp
@@ -96,17 +96,17 @@ DesktopNotification::PostDesktopNotifica
       nsString manifestUrl = EmptyString();
       appsService->GetManifestURLByLocalId(appId, manifestUrl);
       mozilla::AutoSafeJSContext cx;
       JS::Rooted<JS::Value> val(cx);
       AppNotificationServiceOptions ops;
       ops.mTextClickable = true;
       ops.mManifestURL = manifestUrl;
 
-      if (!ops.ToObject(cx, JS::NullPtr(), &val)) {
+      if (!ops.ToObject(cx, &val)) {
         return NS_ERROR_FAILURE;
       }
 
       return appNotifier->ShowAppNotification(mIconURL, mTitle, mDescription,
                                               mObserver, val);
     }
   }
 #endif
--- a/dom/src/notification/Notification.cpp
+++ b/dom/src/notification/Notification.cpp
@@ -578,17 +578,17 @@ Notification::ShowInternal()
         AppNotificationServiceOptions ops;
         ops.mTextClickable = true;
         ops.mManifestURL = manifestUrl;
         ops.mId = alertName;
         ops.mDir = DirectionToString(mDir);
         ops.mLang = mLang;
         ops.mTag = mTag;
 
-        if (!ops.ToObject(cx, JS::NullPtr(), &val)) {
+        if (!ops.ToObject(cx, &val)) {
           NS_WARNING("Converting dict to object failed!");
           return;
         }
 
         appNotifier->ShowAppNotification(mIconUrl, mTitle, mBody,
                                          observer, val);
         return;
       }
--- a/dom/system/gonk/NetworkWorker.cpp
+++ b/dom/system/gonk/NetworkWorker.cpp
@@ -203,17 +203,17 @@ NetworkWorker::PostMessage(JS::Handle<JS
 void
 NetworkWorker::DispatchNetworkResult(const NetworkResultOptions& aOptions)
 {
   MOZ_ASSERT(NS_IsMainThread());
 
   mozilla::AutoSafeJSContext cx;
   JS::RootedValue val(cx);
 
-  if (!aOptions.ToObject(cx, JS::NullPtr(), &val)) {
+  if (!aOptions.ToObject(cx, &val)) {
     return;
   }
 
   // Call the listener with a JS value.
   if (mListener) {
     mListener->OnEvent(val);
   }
 }
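Review bot: When `aOptions.ToObject(cx, &val)` fails, `DispatchNetworkResult` returns without any diagnostic, so the network result is dropped silently; `WifiProxyService::DispatchWifiResult` later in this changeset does the same. `Notification::ShowInternal` logs the identical failure, and adding `NS_WARNING("Converting dict to object failed!");` before the `return` in both places would make a lost result visible in debug builds.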
--- a/dom/tests/mochitest/pointerlock/mochitest.ini
+++ b/dom/tests/mochitest/pointerlock/mochitest.ini
@@ -20,9 +20,9 @@ support-files =
   file_targetOutOfFocus.html
   file_screenClientXYConst.html
   file_suppressSomeMouseEvents.html
   file_locksvgelement.html
   file_allowPointerLockSandboxFlag.html
   iframe_differentDOM.html
 
 [test_pointerlock-api.html]
-skip-if = buildapp == 'b2g' || toolkit == 'android' #TIMED_OUT # b2g(window.open focus issues (using fullscreen)) b2g-debug(window.open focus issues (using fullscreen)) b2g-desktop(window.open focus issues (using fullscreen))
+skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s #TIMED_OUT # b2g(window.open focus issues (using fullscreen)) b2g-debug(window.open focus issues (using fullscreen)) b2g-desktop(window.open focus issues (using fullscreen))
--- a/dom/wifi/WifiProxyService.cpp
+++ b/dom/wifi/WifiProxyService.cpp
@@ -276,17 +276,17 @@ WifiProxyService::WaitForEvent(const nsA
 void
 WifiProxyService::DispatchWifiResult(const WifiResultOptions& aOptions, const nsACString& aInterface)
 {
   MOZ_ASSERT(NS_IsMainThread());
 
   mozilla::AutoSafeJSContext cx;
   JS::Rooted<JS::Value> val(cx);
 
-  if (!aOptions.ToObject(cx, JS::NullPtr(), &val)) {
+  if (!aOptions.ToObject(cx, &val)) {
     return;
   }
 
   // Call the listener with a JS value.
   mListener->OnCommand(val, aInterface);
 }
 
 void
--- a/gfx/layers/basic/BasicCompositor.cpp
+++ b/gfx/layers/basic/BasicCompositor.cpp
@@ -558,16 +558,19 @@ BasicCompositor::BeginFrame(const nsIntR
   // manager styling. We want to ignore that.
   intRect.MoveTo(0, 0);
   Rect rect = Rect(0, 0, intRect.width, intRect.height);
 
   // Sometimes the invalid region is larger than we want to draw.
   nsIntRegion invalidRegionSafe;
   invalidRegionSafe.And(aInvalidRegion, intRect);
 
+  // FIXME: Redraw the whole screen in every frame to work around bug 972728.
+  invalidRegionSafe = intRect;
+
   nsIntRect invalidRect = invalidRegionSafe.GetBounds();
   mInvalidRect = IntRect(invalidRect.x, invalidRect.y, invalidRect.width, invalidRect.height);
   mInvalidRegion = invalidRegionSafe;
 
   if (aRenderBoundsOut) {
     *aRenderBoundsOut = Rect();
   }
 
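Review bot: The unconditional `invalidRegionSafe = intRect;` turns the `invalidRegionSafe.And(aInvalidRegion, intRect)` two lines above into a dead computation and leaves the "Sometimes the invalid region is larger than we want to draw" comment describing code that no longer has any effect. Because this forces a full redraw on every frame, the FIXME should state the cost and the removal condition, e.g. `// FIXME(bug 972728): full redraw every frame as a workaround; remove once that bug is fixed.` `BeginFrame` starts and ends outside the hunk.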
--- a/gfx/tests/gtest/TestAsyncPanZoomController.cpp
+++ b/gfx/tests/gtest/TestAsyncPanZoomController.cpp
@@ -856,16 +856,17 @@ TEST_F(AsyncPanZoomControllerTester, Lon
 
   time += 1000;
 
   MultiTouchInput mti = MultiTouchInput(MultiTouchInput::MULTITOUCH_MOVE, time, 0);
   mti.mTouches.AppendElement(SingleTouchData(0, ScreenIntPoint(touchX, touchEndY), ScreenSize(0, 0), 0, 0));
   status = apzc->ReceiveInputEvent(mti);
   EXPECT_EQ(status, nsEventStatus_eIgnore);
 
+  EXPECT_CALL(*mcc, HandleLongTapUp(CSSPoint(touchX, touchEndY), 0, apzc->GetGuid())).Times(1);
   status = ApzcUp(apzc, touchX, touchEndY, time);
   EXPECT_EQ(nsEventStatus_eIgnore, status);
 
   // Flush the event queue. Once the "contextmenu" event is handled, any touch
   // events that come from the same series of start->n*move->end events should
   // be discarded, even if only the "contextmenu" event is preventDefaulted.
   apzc->ContentReceivedTouch(false);
 
--- a/ipc/chromium/src/base/message_pump_default.cc
+++ b/ipc/chromium/src/base/message_pump_default.cc
@@ -49,23 +49,29 @@ void MessagePumpDefault::Run(Delegate* d
       break;
 
     if (did_work)
       continue;
 
     if (delayed_work_time_.is_null()) {
       hangMonitor.NotifyWait();
       PROFILER_LABEL("MessagePump", "Wait");
-      event_.Wait();
+      {
+        GeckoProfilerSleepRAII profiler_sleep;
+        event_.Wait();
+      }
     } else {
       TimeDelta delay = delayed_work_time_ - TimeTicks::Now();
       if (delay > TimeDelta()) {
         hangMonitor.NotifyWait();
         PROFILER_LABEL("MessagePump", "Wait");
-        event_.TimedWait(delay);
+        {
+          GeckoProfilerSleepRAII profiler_sleep;
+          event_.TimedWait(delay);
+        }
       } else {
         // It looks like delayed_work_time_ indicates a time in the past, so we
         // need to call DoDelayedWork now.
         delayed_work_time_ = TimeTicks();
       }
     }
     // Since event_ is auto-reset, we don't need to do anything special here
     // other than service each delegate method.
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/asm.js/testBug989166.js
@@ -0,0 +1,8 @@
+(function(stdlib) {
+    "use asm";
+    var pow = stdlib.Math.pow
+    function f() {
+        return +pow(.0, .0)
+    }
+    return f
+})(this, {}, ArrayBuffer)()
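Review bot: This regression test discards the value returned by `f()`, so it passes as long as nothing crashes and would not catch a wrong result from the `pow(.0, .0)` path. Wrapping the call in `assertEq(..., 1)` pins the expected `Math.pow(0, 0)` result as well. A one-line comment naming what bug 989166 was about would also help, since the file name is the only reference.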
--- a/js/src/jit-test/tests/auto-regress/bug782083.js
+++ b/js/src/jit-test/tests/auto-regress/bug782083.js
@@ -6,11 +6,11 @@ gcPreserveCode();
 function r() {}
 gczeal(2);
 evaluate("");
 evaluate("\
 function randomFloat () {\
     if (r < 0.25)\
         fac = 10000000;\
 }\
-for (var i = 0; i < 100000; i++)\
+for (var i = 0; i < 2000; i++)\
     randomFloat();\
 ");
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Memory-01.js
@@ -0,0 +1,6 @@
+assertEq(typeof Debugger.Memory, "function");
+let dbg = new Debugger;
+assertEq(dbg.memory instanceof Debugger.Memory, true);
+
+load(libdir + "asserts.js");
+assertThrowsInstanceOf(() => new Debugger.Memory, TypeError);
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug958432.js
@@ -0,0 +1,27 @@
+function h(i, i) {
+    i = ([Infinity([])])(1 ? l : arguments)
+}
+for (var j = 0; j < 2; ++j) {
+    try {
+        h(-Number, -Number)
+    } catch (e) {}
+}
+
+function f() {
+    function f(i0, i1) {
+        i0 = i0 | 0;
+        i = i1 | 0;
+        switch (1) {
+            case -3:
+                switch (f) {}
+        } {
+            return 0
+        }(arguments)
+    }
+    return f
+};
+for (var j = 0; j < 5; ++j) {
+    (function(x) {
+        f()(f()(x, f()()))
+    })()
+}
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -3913,18 +3913,20 @@ IonBuilder::inlineScriptedCall(CallInfo 
 
     // Improve type information of |this| when not set.
     if (callInfo.constructing() &&
         !callInfo.thisArg()->resultTypeSet() &&
         calleeScript->types)
     {
         types::StackTypeSet *types = types::TypeScript::ThisTypes(calleeScript);
         if (!types->unknown()) {
-            MTypeBarrier *barrier =
-                MTypeBarrier::New(alloc(), callInfo.thisArg(), types->clone(alloc_->lifoAlloc()));
+            types::TemporaryTypeSet *clonedTypes = types->clone(alloc_->lifoAlloc());
+            if (!clonedTypes)
+                return oom();
+            MTypeBarrier *barrier = MTypeBarrier::New(alloc(), callInfo.thisArg(), clonedTypes);
             current->add(barrier);
             callInfo.setThis(barrier);
         }
     }
 
     // Start inlining.
     LifoAlloc *lifoAlloc = alloc_->lifoAlloc();
     CompileInfo *info = lifoAlloc->new_<CompileInfo>(calleeScript, target,
--- a/js/src/jit/IonBuilder.h
+++ b/js/src/jit/IonBuilder.h
@@ -839,16 +839,21 @@ class IonBuilder : public MIRGenerator
 
     /* Information used for inline-call builders. */
     MResumePoint *callerResumePoint_;
     jsbytecode *callerPC() {
         return callerResumePoint_ ? callerResumePoint_->pc() : nullptr;
     }
     IonBuilder *callerBuilder_;
 
+    bool oom() {
+        abortReason_ = AbortReason_Alloc;
+        return false;
+    }
+
     struct LoopHeader {
         jsbytecode *pc;
         MBasicBlock *header;
 
         LoopHeader(jsbytecode *pc, MBasicBlock *header)
           : pc(pc), header(header)
         {}
     };
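Review bot: The new `oom()` helper has no comment, and its `false` return only makes sense once the reader sees the `return oom();` call in IonBuilder.cpp. A short note above it, e.g. `// Record an allocation failure as the abort reason. Returns false so that callers can write |return oom();|.`, would document the intended use. The enclosing `IonBuilder` class starts and ends outside the hunk.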
--- a/js/src/jit/IonTypes.h
+++ b/js/src/jit/IonTypes.h
@@ -44,19 +44,16 @@ enum BailoutKind
 
     // A shape guard based on TI information failed.
     Bailout_ShapeGuard,
 
     // A bailout caused by invalid assumptions based on Baseline code.
     Bailout_BaselineInfo
 };
 
-static const uint32_t BAILOUT_KIND_BITS = 3;
-static const uint32_t BAILOUT_RESUME_BITS = 1;
-
 inline const char *
 BailoutKindString(BailoutKind kind)
 {
     switch (kind) {
       case Bailout_Normal:
         return "Bailout_Normal";
       case Bailout_ArgumentCheck:
         return "Bailout_ArgumentCheck";
--- a/js/src/jit/LIR-Common.h
+++ b/js/src/jit/LIR-Common.h
@@ -865,17 +865,16 @@ class LTypeOfV : public LInstructionHelp
         return mir_->toTypeOf();
     }
 };
 
 class LToIdV : public LInstructionHelper<BOX_PIECES, 2 * BOX_PIECES, 1>
 {
   public:
     LIR_HEADER(ToIdV)
-    BOX_OUTPUT_ACCESSORS()
 
     LToIdV(const LDefinition &temp)
     {
         setTemp(0, temp);
     }
 
     static const size_t Object = 0;
     static const size_t Index = BOX_PIECES;
@@ -2803,17 +2802,16 @@ class LModD : public LBinaryMath<1>
 
 // Call a VM function to perform a binary operation.
 class LBinaryV : public LCallInstructionHelper<BOX_PIECES, 2 * BOX_PIECES, 0>
 {
     JSOp jsop_;
 
   public:
     LIR_HEADER(BinaryV)
-    BOX_OUTPUT_ACCESSORS()
 
     LBinaryV(JSOp jsop)
       : jsop_(jsop)
     { }
 
     JSOp jsop() const {
         return jsop_;
     }
@@ -3505,17 +3503,16 @@ class LLambdaPar : public LInstructionHe
     }
 };
 
 // Determines the implicit |this| value for function calls.
 class LImplicitThis : public LInstructionHelper<BOX_PIECES, 1, 0>
 {
   public:
     LIR_HEADER(ImplicitThis)
-    BOX_OUTPUT_ACCESSORS()
 
     LImplicitThis(const LAllocation &callee) {
         setOperand(0, callee);
     }
 
     const MImplicitThis *mir() const {
         return mir_->toImplicitThis();
     }
@@ -3795,17 +3792,16 @@ class LBoundsCheckLower : public LInstru
     }
 };
 
 // Load a value from a dense array's elements vector. Bail out if it's the hole value.
 class LLoadElementV : public LInstructionHelper<BOX_PIECES, 2, 0>
 {
   public:
     LIR_HEADER(LoadElementV)
-    BOX_OUTPUT_ACCESSORS()
 
     LLoadElementV(const LAllocation &elements, const LAllocation &index) {
         setOperand(0, elements);
         setOperand(1, index);
     }
 
     const char *extraName() const {
         return mir()->needsHoleCheck() ? "HoleCheck" : nullptr;
@@ -3853,17 +3849,16 @@ class LInArray : public LInstructionHelp
 };
 
 
 // Load a value from a dense array's elements vector. Bail out if it's the hole value.
 class LLoadElementHole : public LInstructionHelper<BOX_PIECES, 3, 0>
 {
   public:
     LIR_HEADER(LoadElementHole)
-    BOX_OUTPUT_ACCESSORS()
 
     LLoadElementHole(const LAllocation &elements, const LAllocation &index, const LAllocation &initLength) {
         setOperand(0, elements);
         setOperand(1, index);
         setOperand(2, initLength);
     }
 
     const char *extraName() const {
@@ -4195,17 +4190,16 @@ class LLoadTypedArrayElement : public LI
         return getTemp(0);
     }
 };
 
 class LLoadTypedArrayElementHole : public LInstructionHelper<BOX_PIECES, 2, 0>
 {
   public:
     LIR_HEADER(LoadTypedArrayElementHole)
-    BOX_OUTPUT_ACCESSORS()
 
     LLoadTypedArrayElementHole(const LAllocation &object, const LAllocation &index) {
         setOperand(0, object);
         setOperand(1, index);
     }
     const MLoadTypedArrayElementHole *mir() const {
         return mir_->toLoadTypedArrayElementHole();
     }
@@ -4368,17 +4362,16 @@ class LClampVToUint8 : public LInstructi
     }
 };
 
 // Load a boxed value from an object's fixed slot.
 class LLoadFixedSlotV : public LInstructionHelper<BOX_PIECES, 1, 0>
 {
   public:
     LIR_HEADER(LoadFixedSlotV)
-    BOX_OUTPUT_ACCESSORS()
 
     LLoadFixedSlotV(const LAllocation &object) {
         setOperand(0, object);
     }
     const MLoadFixedSlot *mir() const {
         return mir_->toLoadFixedSlot();
     }
 };
@@ -4439,34 +4432,32 @@ class LStoreFixedSlotT : public LInstruc
     }
 };
 
 // Note, Name ICs always return a Value. There are no V/T variants.
 class LGetNameCache : public LInstructionHelper<BOX_PIECES, 1, 0>
 {
   public:
     LIR_HEADER(GetNameCache)
-    BOX_OUTPUT_ACCESSORS()
 
     LGetNameCache(const LAllocation &scopeObj) {
         setOperand(0, scopeObj);
     }
     const LAllocation *scopeObj() {
         return getOperand(0);
     }
     const MGetNameCache *mir() const {
         return mir_->toGetNameCache();
     }
 };
 
 class LCallGetIntrinsicValue : public LCallInstructionHelper<BOX_PIECES, 0, 0>
 {
   public:
     LIR_HEADER(CallGetIntrinsicValue)
-    BOX_OUTPUT_ACCESSORS()
 
     const MCallGetIntrinsicValue *mir() const {
         return mir_->toCallGetIntrinsicValue();
     }
 };
 
 class LCallsiteCloneCache : public LInstructionHelper<1, 1, 0>
 {
@@ -4485,17 +4476,16 @@ class LCallsiteCloneCache : public LInst
 };
 
 // Patchable jump to stubs generated for a GetProperty cache, which loads a
 // boxed value.
 class LGetPropertyCacheV : public LInstructionHelper<BOX_PIECES, 1, 0>
 {
   public:
     LIR_HEADER(GetPropertyCacheV)
-    BOX_OUTPUT_ACCESSORS()
 
     LGetPropertyCacheV(const LAllocation &object) {
         setOperand(0, object);
     }
     const MGetPropertyCache *mir() const {
         return mir_->toGetPropertyCache();
     }
 };
@@ -4520,17 +4510,16 @@ class LGetPropertyCacheT : public LInstr
 };
 
 // Emit code to load a boxed value from an object's slots if its shape matches
 // one of the shapes observed by the baseline IC, else bails out.
 class LGetPropertyPolymorphicV : public LInstructionHelper<BOX_PIECES, 1, 0>
 {
   public:
     LIR_HEADER(GetPropertyPolymorphicV)
-    BOX_OUTPUT_ACCESSORS()
 
     LGetPropertyPolymorphicV(const LAllocation &obj) {
         setOperand(0, obj);
     }
     const LAllocation *obj() {
         return getOperand(0);
     }
     const MGetPropertyPolymorphic *mir() const {
@@ -4622,17 +4611,16 @@ class LSetPropertyPolymorphicT : public 
         return StringFromMIRType(valueType_);
     }
 };
 
 class LGetElementCacheV : public LInstructionHelper<BOX_PIECES, 1 + BOX_PIECES, 0>
 {
   public:
     LIR_HEADER(GetElementCacheV)
-    BOX_OUTPUT_ACCESSORS()
 
     static const size_t Index = 1;
 
     LGetElementCacheV(const LAllocation &object) {
         setOperand(0, object);
     }
     const LAllocation *object() {
         return getOperand(0);
@@ -4686,17 +4674,16 @@ class LBindNameCache : public LInstructi
     }
 };
 
 // Load a value from an object's dslots or a slots vector.
 class LLoadSlotV : public LInstructionHelper<BOX_PIECES, 1, 0>
 {
   public:
     LIR_HEADER(LoadSlotV)
-    BOX_OUTPUT_ACCESSORS()
 
     LLoadSlotV(const LAllocation &in) {
         setOperand(0, in);
     }
     const MLoadSlot *mir() const {
         return mir_->toLoadSlot();
     }
 };
@@ -4910,32 +4897,30 @@ class LCallGetProperty : public LCallIns
     }
 };
 
 // Call js::GetElement.
 class LCallGetElement : public LCallInstructionHelper<BOX_PIECES, 2 * BOX_PIECES, 0>
 {
   public:
     LIR_HEADER(CallGetElement)
-    BOX_OUTPUT_ACCESSORS()
 
     static const size_t LhsInput = 0;
     static const size_t RhsInput = BOX_PIECES;
 
     MCallGetElement *mir() const {
         return mir_->toCallGetElement();
     }
 };
 
 // Call js::SetElement.
 class LCallSetElement : public LCallInstructionHelper<0, 1 + 2 * BOX_PIECES, 0>
 {
   public:
     LIR_HEADER(CallSetElement)
-    BOX_OUTPUT_ACCESSORS()
 
     static const size_t Index = 1;
     static const size_t Value = 1 + BOX_PIECES;
 };
 
 // Call js::InitElementArray.
 class LCallInitElementArray : public LCallInstructionHelper<0, 1 + BOX_PIECES, 0>
 {
@@ -5166,17 +5151,16 @@ class LIteratorStart : public LInstructi
         return mir_->toIteratorStart();
     }
 };
 
 class LIteratorNext : public LInstructionHelper<BOX_PIECES, 1, 1>
 {
   public:
     LIR_HEADER(IteratorNext)
-    BOX_OUTPUT_ACCESSORS()
 
     LIteratorNext(const LAllocation &iterator, const LDefinition &temp) {
         setOperand(0, iterator);
         setTemp(0, temp);
     }
     const LAllocation *object() {
         return getOperand(0);
     }
@@ -5244,17 +5228,16 @@ class LArgumentsLength : public LInstruc
     LIR_HEADER(ArgumentsLength)
 };
 
 // Load a value from the actual arguments.
 class LGetFrameArgument : public LInstructionHelper<BOX_PIECES, 1, 0>
 {
   public:
     LIR_HEADER(GetFrameArgument)
-    BOX_OUTPUT_ACCESSORS()
 
     LGetFrameArgument(const LAllocation &index) {
         setOperand(0, index);
     }
     const LAllocation *index() {
         return getOperand(0);
     }
 };
@@ -5295,17 +5278,16 @@ class LSetFrameArgumentC : public LInstr
     }
 };
 
 // Load a value from the actual arguments.
 class LSetFrameArgumentV : public LInstructionHelper<0, BOX_PIECES, 0>
 {
   public:
     LIR_HEADER(SetFrameArgumentV)
-    BOX_OUTPUT_ACCESSORS()
 
     LSetFrameArgumentV() {}
 
     static const size_t Input = 0;
 
     MSetFrameArgument *mir() const {
         return mir_->toSetFrameArgument();
     }
--- a/js/src/jit/LIR.h
+++ b/js/src/jit/LIR.h
@@ -1534,31 +1534,16 @@ LAllocation::toRegister() const
     Opcode op() const {                                                     \
         return LInstruction::LOp_##opcode;                                  \
     }                                                                       \
     bool accept(LInstructionVisitor *visitor) {                             \
         visitor->setInstruction(this);                                      \
         return visitor->visit##opcode(this);                                \
     }
 
-#if defined(JS_NUNBOX32)
-# define BOX_OUTPUT_ACCESSORS()                                             \
-    const LDefinition *outputType() {                                       \
-        return getDef(TYPE_INDEX);                                          \
-    }                                                                       \
-    const LDefinition *outputPayload() {                                    \
-        return getDef(PAYLOAD_INDEX);                                       \
-    }
-#elif defined(JS_PUNBOX64)
-# define BOX_OUTPUT_ACCESSORS()                                             \
-    const LDefinition *outputValue() {                                      \
-        return getDef(0);                                                   \
-    }
-#endif
-
 #include "jit/LIR-Common.h"
 #if defined(JS_CODEGEN_X86) || defined(JS_CODEGEN_X64)
 # if defined(JS_CODEGEN_X86)
 #  include "jit/x86/LIR-x86.h"
 # elif defined(JS_CODEGEN_X64)
 #  include "jit/x64/LIR-x64.h"
 # endif
 # include "jit/shared/LIR-x86-shared.h"
--- a/js/src/jit/Snapshots.cpp
+++ b/js/src/jit/Snapshots.cpp
@@ -15,18 +15,19 @@
 # include "jit/MIR.h"
 #endif
 
 using namespace js;
 using namespace js::jit;
 
 // Snapshot header:
 //
-//   [vwu] bits (n-31]: frame count
-//         bits [0,n):  bailout kind (n = BAILOUT_KIND_BITS)
+//   [vwu] bits ((n+1)-31]: frame count
+//         bit n+1: resume after
+//         bits [0,n): bailout kind (n = SNAPSHOT_BAILOUTKIND_BITS)
 //
 // Snapshot body, repeated "frame count" times, from oldest frame to newest frame.
 // Note that the first frame doesn't have the "parent PC" field.
 //
 //   [ptr] Debug only: JSScript *
 //   [vwu] pc offset
 //   [vwu] # of RVA's indexes, including nargs
 //  [vwu*] List of indexes to R(ecover)ValueAllocation table. Contains
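Review bot: The rewritten header comment is off by one against the constants added further down in this file. With bailout kind in bits `[0,n)`, `SNAPSHOT_RESUMEAFTER_SHIFT` equals `n`, so resume-after is bit `n`, not `n+1`, and the frame count starts at bit `n+1`. Suggested wording: `//   [vwu] bits [n+1,31]: frame count` and `//         bit n: resume after`.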
@@ -458,30 +459,42 @@ SnapshotReader::SnapshotReader(const uin
     allocRead_(0)
 {
     if (!snapshots)
         return;
     IonSpew(IonSpew_Snapshots, "Creating snapshot reader");
     readSnapshotHeader();
 }
 
-static const uint32_t BAILOUT_KIND_SHIFT = 0;
-static const uint32_t BAILOUT_KIND_MASK = (1 << BAILOUT_KIND_BITS) - 1;
-static const uint32_t BAILOUT_RESUME_SHIFT = BAILOUT_KIND_SHIFT + BAILOUT_KIND_BITS;
-static const uint32_t BAILOUT_FRAMECOUNT_SHIFT = BAILOUT_KIND_BITS + BAILOUT_RESUME_BITS;
-static const uint32_t BAILOUT_FRAMECOUNT_BITS = (8 * sizeof(uint32_t)) - BAILOUT_FRAMECOUNT_SHIFT;
+#define COMPUTE_SHIFT_AFTER_(name) (name ## _BITS + name ##_SHIFT)
+#define COMPUTE_MASK_(name) (((1 << name ## _BITS) - 1) << name ##_SHIFT)
+
+static const uint32_t SNAPSHOT_BAILOUTKIND_SHIFT = 0;
+static const uint32_t SNAPSHOT_BAILOUTKIND_BITS = 3;
+static const uint32_t SNAPSHOT_BAILOUTKIND_MASK = COMPUTE_MASK_(SNAPSHOT_BAILOUTKIND);
+
+static const uint32_t SNAPSHOT_RESUMEAFTER_SHIFT = COMPUTE_SHIFT_AFTER_(SNAPSHOT_BAILOUTKIND);
+static const uint32_t SNAPSHOT_RESUMEAFTER_BITS = 1;
+static const uint32_t SNAPSHOT_RESUMEAFTER_MASK = COMPUTE_MASK_(SNAPSHOT_RESUMEAFTER);
+
+static const uint32_t SNAPSHOT_FRAMECOUNT_SHIFT = COMPUTE_SHIFT_AFTER_(SNAPSHOT_RESUMEAFTER);
+static const uint32_t SNAPSHOT_FRAMECOUNT_BITS = 32 - 4;
+static const uint32_t SNAPSHOT_FRAMECOUNT_MASK = COMPUTE_MASK_(SNAPSHOT_FRAMECOUNT);
+
+#undef COMPUTE_MASK_
+#undef COMPUTE_SHIFT_AFTER_
 
 void
 SnapshotReader::readSnapshotHeader()
 {
     uint32_t bits = reader_.readUnsigned();
-    frameCount_ = bits >> BAILOUT_FRAMECOUNT_SHIFT;
+    frameCount_ = bits >> SNAPSHOT_FRAMECOUNT_SHIFT;
     JS_ASSERT(frameCount_ > 0);
-    bailoutKind_ = BailoutKind((bits >> BAILOUT_KIND_SHIFT) & BAILOUT_KIND_MASK);
-    resumeAfter_ = !!(bits & (1 << BAILOUT_RESUME_SHIFT));
+    bailoutKind_ = BailoutKind((bits & SNAPSHOT_BAILOUTKIND_MASK) >> SNAPSHOT_BAILOUTKIND_SHIFT);
+    resumeAfter_ = !!(bits & (1 << SNAPSHOT_RESUMEAFTER_SHIFT));
 
 #ifdef TRACK_SNAPSHOTS
     pcOpcode_  = reader_.readUnsigned();
     mirOpcode_ = reader_.readUnsigned();
     mirId_     = reader_.readUnsigned();
     lirOpcode_ = reader_.readUnsigned();
     lirId_     = reader_.readUnsigned();
 #endif
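Review bot: `SNAPSHOT_FRAMECOUNT_BITS = 32 - 4` hard-codes the sum of the two preceding field widths, so widening `SNAPSHOT_BAILOUTKIND_BITS` would silently leave the frame-count width, its mask and the range assertion in `startSnapshot` wrong; the removed code derived the width from the shift. `static const uint32_t SNAPSHOT_FRAMECOUNT_BITS = 32 - SNAPSHOT_FRAMECOUNT_SHIFT;` keeps the layout self-consistent. `COMPUTE_MASK_` also shifts a signed `1`, and for the frame-count field the result reaches bit 31, so `uint32_t(1)` in the macro would avoid relying on signed-shift behaviour. The new resume-after and frame-count `_MASK` constants are defined while `readSnapshotHeader` still spells `1 << SNAPSHOT_RESUMEAFTER_SHIFT`; that function continues past the hunk.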
@@ -554,23 +567,23 @@ RecoverReader::readFrame(SnapshotReader 
 SnapshotOffset
 SnapshotWriter::startSnapshot(uint32_t frameCount, BailoutKind kind, bool resumeAfter)
 {
     lastStart_ = writer_.length();
 
     IonSpew(IonSpew_Snapshots, "starting snapshot with frameCount %u, bailout kind %u",
             frameCount, kind);
     JS_ASSERT(frameCount > 0);
-    JS_ASSERT(frameCount < (1 << BAILOUT_FRAMECOUNT_BITS));
-    JS_ASSERT(uint32_t(kind) < (1 << BAILOUT_KIND_BITS));
+    JS_ASSERT(frameCount < (1 << SNAPSHOT_FRAMECOUNT_BITS));
+    JS_ASSERT(uint32_t(kind) < (1 << SNAPSHOT_BAILOUTKIND_BITS));
 
-    uint32_t bits = (uint32_t(kind) << BAILOUT_KIND_SHIFT) |
-                    (frameCount << BAILOUT_FRAMECOUNT_SHIFT);
+    uint32_t bits = (uint32_t(kind) << SNAPSHOT_BAILOUTKIND_SHIFT) |
+                    (frameCount << SNAPSHOT_FRAMECOUNT_SHIFT);
     if (resumeAfter)
-        bits |= (1 << BAILOUT_RESUME_SHIFT);
+        bits |= (1 << SNAPSHOT_RESUMEAFTER_SHIFT);
 
     writer_.writeUnsigned(bits);
     return lastStart_;
 }
 
 #ifdef TRACK_SNAPSHOTS
 void
 SnapshotWriter::trackSnapshot(uint32_t pcOpcode, uint32_t mirOpcode, uint32_t mirId,
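Review bot: In `startSnapshot` the resume-after bit is still written as `1 << SNAPSHOT_RESUMEAFTER_SHIFT`, although the same change introduces `SNAPSHOT_RESUMEAFTER_MASK` for exactly that bit. `bits |= SNAPSHOT_RESUMEAFTER_MASK;` would keep the writer tied to the constants block. The bounds on `frameCount` and `kind` are enforced only by `JS_ASSERT`, which presumably compiles out in release builds, so an out-of-range `frameCount` would silently lose its high bits in `frameCount << SNAPSHOT_FRAMECOUNT_SHIFT`. A one-line comment above the asserts saying that the header packing depends on these bounds would help the next reader. The hunk ends inside the signature of `trackSnapshot`, which is not reviewed here.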
--- a/js/src/jit/x64/CodeGenerator-x64.cpp
+++ b/js/src/jit/x64/CodeGenerator-x64.cpp
@@ -131,21 +131,21 @@ CodeGeneratorX64::visitUnbox(LUnbox *unb
     }
 
     return true;
 }
 
 bool
 CodeGeneratorX64::visitLoadSlotV(LLoadSlotV *load)
 {
-    Register dest = ToRegister(load->outputValue());
+    ValueOperand dest = ToOutValue(load);
     Register base = ToRegister(load->input());
     int32_t offset = load->mir()->slot() * sizeof(js::Value);
 
-    masm.loadPtr(Address(base, offset), dest);
+    masm.loadValue(Address(base, offset), dest);
     return true;
 }
 
 void
 CodeGeneratorX64::loadUnboxedValue(Operand source, MIRType type, const LDefinition *dest)
 {
     switch (type) {
       case MIRType_Double:
--- a/js/src/jit/x86/CodeGenerator-x86.cpp
+++ b/js/src/jit/x86/CodeGenerator-x86.cpp
@@ -682,23 +682,27 @@ CodeGeneratorX86::visitAsmJSLoadFFIFunc(
 void
 CodeGeneratorX86::postAsmJSCall(LAsmJSCall *lir)
 {
     MAsmJSCall *mir = lir->mir();
     if (!IsFloatingPointType(mir->type()) || mir->callee().which() != MAsmJSCall::Callee::Builtin)
         return;
 
     if (mir->type() == MIRType_Float32) {
-        Operand op(esp, -sizeof(float));
+        masm.reserveStack(sizeof(float));
+        Operand op(esp, 0);
         masm.fstp32(op);
         masm.loadFloat32(op, ReturnFloatReg);
+        masm.freeStack(sizeof(float));
     } else {
-        Operand op(esp, -sizeof(double));
+        masm.reserveStack(sizeof(double));
+        Operand op(esp, 0);
         masm.fstp(op);
         masm.loadDouble(op, ReturnFloatReg);
+        masm.freeStack(sizeof(double));
     }
 }
 
 void
 DispatchIonCache::initializeAddCacheState(LInstruction *ins, AddCacheState *addState)
 {
     // On x86, where there is no general purpose scratch register available,
     // child cache classes must manually specify a dispatch scratch register.
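Review bot: The `reserveStack`/`freeStack` pair added to both branches of `postAsmJSCall` has no comment saying why the slot must be reserved, so the old `Operand op(esp, -sizeof(float))` form looks like a harmless shortcut to anyone tidying this later. On 32-bit x86 memory below `esp` is not protected from asynchronous writers such as signal handlers, and that is worth stating above the first branch: `// Spill the x87 result through a reserved slot; nothing below esp is safe to use as scratch.` The two branches now differ only in the size and in the store/load pair, so they could share one path. The hunk ends inside `DispatchIonCache::initializeAddCacheState`.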
--- a/js/src/moz.build
+++ b/js/src/moz.build
@@ -158,16 +158,17 @@ UNIFIED_SOURCES += [
     'prmjtime.cpp',
     'vm/ArgumentsObject.cpp',
     'vm/ArrayBufferObject.cpp',
     'vm/CallNonGenericMethod.cpp',
     'vm/CharacterEncoding.cpp',
     'vm/Compression.cpp',
     'vm/DateTime.cpp',
     'vm/Debugger.cpp',
+    'vm/DebuggerMemory.cpp',
     'vm/ErrorObject.cpp',
     'vm/ForkJoin.cpp',
     'vm/GlobalObject.cpp',
     'vm/Id.cpp',
     'vm/Interpreter.cpp',
     'vm/MemoryMetrics.cpp',
     'vm/Monitor.cpp',
     'vm/ObjectImpl.cpp',
--- a/js/src/tests/js1_5/extensions/regress-406572.js
+++ b/js/src/tests/js1_5/extensions/regress-406572.js
@@ -9,29 +9,36 @@ var summary = 'JSOP_CLOSURE unconditiona
 var actual = '';
 var expect = '';
 
 printBugNumber(BUGNUMBER);
 printStatus (summary);
 
 if (typeof window != 'undefined')
 {
-  var s = self;
+  try {
+    actual = "FAIL: Unexpected exception thrown";
 
-  document.writeln(uneval(self));
-  self = 1;
-  document.writeln(uneval(self));
+    var win = window;
+    var windowString = String(window);
+    window = 1;
+    reportCompare(windowString, String(window), "window should be readonly");
+
+    actual = ""; // We should reach this line, and throw an exception after it
 
-  if (1)
-    function self() { return 1; }
+    if (1)
+      function window() { return 1; }
+
+    actual = "FAIL: this line should never be reached";
 
-  document.writeln(uneval(self));
-
-  // The test harness might rely on self having its original value: restore it.
-  self = s;
+    // The test harness might rely on window having its original value:
+    // restore it.
+    window = win;
+  } catch (e) {
+  }
 }
 else
 {
   expect = actual = 'Test can only run in a Gecko 1.9 browser or later.';
   print(actual);
 }
 reportCompare(expect, actual, summary);
 
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -7,29 +7,27 @@
 #include "vm/Debugger-inl.h"
 
 #include "jscntxt.h"
 #include "jscompartment.h"
 #include "jshashutil.h"
 #include "jsnum.h"
 #include "jsobj.h"
 #include "jswrapper.h"
-
 #include "frontend/BytecodeCompiler.h"
 #include "gc/Marking.h"
 #include "jit/BaselineJIT.h"
 #include "js/Vector.h"
 #include "vm/ArgumentsObject.h"
+#include "vm/DebuggerMemory.h"
 #include "vm/WrapperObject.h"
-
 #include "jsgcinlines.h"
 #include "jsobjinlines.h"
 #include "jsopcodeinlines.h"
 #include "jsscriptinlines.h"
-
 #include "vm/ObjectImpl-inl.h"
 #include "vm/Stack-inl.h"
 
 using namespace js;
 
 using js::frontend::IsIdentifier;
 using mozilla::ArrayLength;
 using mozilla::Maybe;
@@ -1924,21 +1922,27 @@ Debugger::setUncaughtExceptionHook(JSCon
 {
     REQUIRE_ARGC("Debugger.set uncaughtExceptionHook", 1);
     THIS_DEBUGGER(cx, argc, vp, "set uncaughtExceptionHook", args, dbg);
     if (!args[0].isNull() && (!args[0].isObject() || !args[0].toObject().isCallable())) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_ASSIGN_FUNCTION_OR_NULL,
                              "uncaughtExceptionHook");
         return false;
     }
-
     dbg->uncaughtExceptionHook = args[0].toObjectOrNull();
     args.rval().setUndefined();
     return true;
 }
+bool
+Debugger::getMemory(JSContext *cx, unsigned argc, Value *vp)
+{
+    THIS_DEBUGGER(cx, argc, vp, "get memory", args, dbg);
+    args.rval().set(dbg->object->getReservedSlot(JSSLOT_DEBUG_MEMORY_INSTANCE));
+    return true;
+}
 
 GlobalObject *
 Debugger::unwrapDebuggeeArgument(JSContext *cx, const Value &v)
 {
     if (!v.isObject()) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_UNEXPECTED_TYPE,
                              "argument", "not a global object");
         return nullptr;
@@ -2130,27 +2134,34 @@ Debugger::construct(JSContext *cx, unsig
 
     /* Get Debugger.prototype. */
     RootedValue v(cx);
     RootedObject callee(cx, &args.callee());
     if (!JSObject::getProperty(cx, callee, callee, cx->names().prototype, &v))
         return false;
     RootedObject proto(cx, &v.toObject());
     JS_ASSERT(proto->getClass() == &Debugger::jsclass);
-
     /*
      * Make the new Debugger object. Each one has a reference to
-     * Debugger.{Frame,Object,Script}.prototype in reserved slots. The rest of
-     * the reserved slots are for hooks; they default to undefined.
+     * Debugger.{Frame,Object,Script,Memory}.prototype in reserved slots. The
+     * rest of the reserved slots are for hooks; they default to undefined.
      */
     RootedObject obj(cx, NewObjectWithGivenProto(cx, &Debugger::jsclass, proto, nullptr));
     if (!obj)
         return false;
     for (unsigned slot = JSSLOT_DEBUG_PROTO_START; slot < JSSLOT_DEBUG_PROTO_STOP; slot++)
         obj->setReservedSlot(slot, proto->getReservedSlot(slot));
+    /* Create the Debugger.Memory instance accessible by the
+     * |Debugger.prototype.memory| getter. */
+    Value memoryProto = obj->getReservedSlot(JSSLOT_DEBUG_MEMORY_PROTO);
+    RootedObject memory(cx, NewObjectWithGivenProto(cx, &DebuggerMemory::class_,
+                                                    &memoryProto.toObject(), nullptr));
+    if (!memory)
+        return false;
+    obj->setReservedSlot(JSSLOT_DEBUG_MEMORY_INSTANCE, ObjectValue(*memory));
 
     /* Construct the underlying C++ object. */
     Debugger *dbg = cx->new_<Debugger>(cx, obj.get());
     if (!dbg)
         return false;
     if (!dbg->init(cx)) {
         js_delete(dbg);
         return false;
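Review bot: The added block in `Debugger::construct` reads the prototype into a bare `Value memoryProto`, while every other GC thing in this function is held in a `Rooted` wrapper. The value is only dereferenced while building the arguments to `NewObjectWithGivenProto`, so this is probably safe as written. An unrooted local next to an allocating call is still the pattern rooting reviews look for, and `RootedObject memoryProto(cx, &obj->getReservedSlot(JSSLOT_DEBUG_MEMORY_PROTO).toObject());` passed as `memoryProto` would match the rest of the function. The new comment could also say that the instance is created before the C++ `Debugger` exists and therefore holds no back-pointer to it yet. `construct` starts and ends outside this hunk.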
@@ -2809,19 +2820,19 @@ const JSPropertySpec Debugger::propertie
             Debugger::setOnDebuggerStatement, 0),
     JS_PSGS("onExceptionUnwind", Debugger::getOnExceptionUnwind,
             Debugger::setOnExceptionUnwind, 0),
     JS_PSGS("onNewScript", Debugger::getOnNewScript, Debugger::setOnNewScript, 0),
     JS_PSGS("onEnterFrame", Debugger::getOnEnterFrame, Debugger::setOnEnterFrame, 0),
     JS_PSGS("onNewGlobalObject", Debugger::getOnNewGlobalObject, Debugger::setOnNewGlobalObject, 0),
     JS_PSGS("uncaughtExceptionHook", Debugger::getUncaughtExceptionHook,
             Debugger::setUncaughtExceptionHook, 0),
+    JS_PSG("memory", Debugger::getMemory, 0),
     JS_PS_END
 };
-
 const JSFunctionSpec Debugger::methods[] = {
     JS_FN("addDebuggee", Debugger::addDebuggee, 1, 0),
     JS_FN("addAllGlobalsAsDebuggees", Debugger::addAllGlobalsAsDebuggees, 0, 0),
     JS_FN("removeDebuggee", Debugger::removeDebuggee, 1, 0),
     JS_FN("removeAllDebuggees", Debugger::removeAllDebuggees, 0, 0),
     JS_FN("hasDebuggee", Debugger::hasDebuggee, 1, 0),
     JS_FN("getDebuggees", Debugger::getDebuggees, 0, 0),
     JS_FN("getNewestFrame", Debugger::getNewestFrame, 0, 0),
@@ -5900,23 +5911,21 @@ JS_DefineDebuggerObject(JSContext *cx, H
     RootedObject
         objProto(cx),
         debugCtor(cx),
         debugProto(cx),
         frameProto(cx),
         scriptProto(cx),
         sourceProto(cx),
         objectProto(cx),
-        envProto(cx);
-
+        envProto(cx),
+        memoryProto(cx);
     objProto = obj->as<GlobalObject>().getOrCreateObjectPrototype(cx);
     if (!objProto)
         return false;
-
-
     debugProto = js_InitClass(cx, obj,
                               objProto, &Debugger::jsclass, Debugger::construct,
                               1, Debugger::properties, Debugger::methods, nullptr, nullptr,
                               debugCtor.address());
     if (!debugProto)
         return false;
 
     frameProto = js_InitClass(cx, debugCtor, objProto, &DebuggerFrame_class,
@@ -5941,23 +5950,28 @@ JS_DefineDebuggerObject(JSContext *cx, H
         return false;
 
     objectProto = js_InitClass(cx, debugCtor, objProto, &DebuggerObject_class,
                                DebuggerObject_construct, 0,
                                DebuggerObject_properties, DebuggerObject_methods,
                                nullptr, nullptr);
     if (!objectProto)
         return false;
-
     envProto = js_InitClass(cx, debugCtor, objProto, &DebuggerEnv_class,
                                       DebuggerEnv_construct, 0,
                                       DebuggerEnv_properties, DebuggerEnv_methods,
                                       nullptr, nullptr);
     if (!envProto)
         return false;
+    memoryProto = js_InitClass(cx, debugCtor, objProto, &DebuggerMemory::class_,
+                               DebuggerMemory::construct, 0, DebuggerMemory::properties,
+                               DebuggerMemory::methods, nullptr, nullptr);
+    if (!memoryProto)
+        return false;
 
     debugProto->setReservedSlot(Debugger::JSSLOT_DEBUG_FRAME_PROTO, ObjectValue(*frameProto));
     debugProto->setReservedSlot(Debugger::JSSLOT_DEBUG_OBJECT_PROTO, ObjectValue(*objectProto));
     debugProto->setReservedSlot(Debugger::JSSLOT_DEBUG_SCRIPT_PROTO, ObjectValue(*scriptProto));
     debugProto->setReservedSlot(Debugger::JSSLOT_DEBUG_SOURCE_PROTO, ObjectValue(*sourceProto));
     debugProto->setReservedSlot(Debugger::JSSLOT_DEBUG_ENV_PROTO, ObjectValue(*envProto));
+    debugProto->setReservedSlot(Debugger::JSSLOT_DEBUG_MEMORY_PROTO, ObjectValue(*memoryProto));
     return true;
 }
--- a/js/src/vm/Debugger.h
+++ b/js/src/vm/Debugger.h
@@ -165,30 +165,30 @@ class Debugger : private mozilla::Linked
     enum Hook {
         OnDebuggerStatement,
         OnExceptionUnwind,
         OnNewScript,
         OnEnterFrame,
         OnNewGlobalObject,
         HookCount
     };
-
     enum {
         JSSLOT_DEBUG_PROTO_START,
         JSSLOT_DEBUG_FRAME_PROTO = JSSLOT_DEBUG_PROTO_START,
         JSSLOT_DEBUG_ENV_PROTO,
         JSSLOT_DEBUG_OBJECT_PROTO,
         JSSLOT_DEBUG_SCRIPT_PROTO,
         JSSLOT_DEBUG_SOURCE_PROTO,
+        JSSLOT_DEBUG_MEMORY_PROTO,
         JSSLOT_DEBUG_PROTO_STOP,
         JSSLOT_DEBUG_HOOK_START = JSSLOT_DEBUG_PROTO_STOP,
         JSSLOT_DEBUG_HOOK_STOP = JSSLOT_DEBUG_HOOK_START + HookCount,
-        JSSLOT_DEBUG_COUNT = JSSLOT_DEBUG_HOOK_STOP
+        JSSLOT_DEBUG_MEMORY_INSTANCE = JSSLOT_DEBUG_HOOK_STOP,
+        JSSLOT_DEBUG_COUNT
     };
-
   private:
     HeapPtrObject object;               /* The Debugger object. Strong reference. */
     GlobalObjectSet debuggees;          /* Debuggee globals. Cross-compartment weak references. */
     js::HeapPtrObject uncaughtExceptionHook; /* Strong reference. */
     bool enabled;
     JSCList breakpoints;                /* Circular list of all js::Breakpoints in this debugger */
 
     /*
@@ -316,16 +316,17 @@ class Debugger : private mozilla::Linked
     static bool getOnNewScript(JSContext *cx, unsigned argc, Value *vp);
     static bool setOnNewScript(JSContext *cx, unsigned argc, Value *vp);
     static bool getOnEnterFrame(JSContext *cx, unsigned argc, Value *vp);
     static bool setOnEnterFrame(JSContext *cx, unsigned argc, Value *vp);
     static bool getOnNewGlobalObject(JSContext *cx, unsigned argc, Value *vp);
     static bool setOnNewGlobalObject(JSContext *cx, unsigned argc, Value *vp);
     static bool getUncaughtExceptionHook(JSContext *cx, unsigned argc, Value *vp);
     static bool setUncaughtExceptionHook(JSContext *cx, unsigned argc, Value *vp);
+    static bool getMemory(JSContext *cx, unsigned argc, Value *vp);
     static bool addDebuggee(JSContext *cx, unsigned argc, Value *vp);
     static bool addAllGlobalsAsDebuggees(JSContext *cx, unsigned argc, Value *vp);
     static bool removeDebuggee(JSContext *cx, unsigned argc, Value *vp);
     static bool removeAllDebuggees(JSContext *cx, unsigned argc, Value *vp);
     static bool hasDebuggee(JSContext *cx, unsigned argc, Value *vp);
     static bool getDebuggees(JSContext *cx, unsigned argc, Value *vp);
     static bool getNewestFrame(JSContext *cx, unsigned argc, Value *vp);
     static bool clearAllBreakpoints(JSContext *cx, unsigned argc, Value *vp);
new file mode 100644
--- /dev/null
+++ b/js/src/vm/DebuggerMemory.cpp
@@ -0,0 +1,47 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "vm/DebuggerMemory.h"
+
+namespace js {
+
+/* static */ bool
+DebuggerMemory::construct(JSContext *cx, unsigned argc, Value *vp)
+{
+    JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_NO_CONSTRUCTOR,
+                         "Debugger.Memory");
+    return false;
+}
+
+/* static */ const Class DebuggerMemory::class_ = {
+    "Memory",
+    JSCLASS_HAS_PRIVATE | JSCLASS_IMPLEMENTS_BARRIERS |
+    JSCLASS_HAS_RESERVED_SLOTS(JSSLOT_DEBUGGER_MEMORY_COUNT),
+
+    JS_PropertyStub,       // addProperty
+    JS_DeletePropertyStub, // delProperty
+    JS_PropertyStub,       // getProperty
+    JS_StrictPropertyStub, // setProperty
+    JS_EnumerateStub,      // enumerate
+    JS_ResolveStub,        // resolve
+    JS_ConvertStub,        // convert
+
+    nullptr, // finalize
+    nullptr, // call
+    nullptr, // hasInstance
+    nullptr, // construct
+    nullptr  // trace
+};
+
+/* static */ const JSPropertySpec DebuggerMemory::properties[] = {
+    JS_PS_END
+};
+
+/* static */ const JSFunctionSpec DebuggerMemory::methods[] = {
+    JS_FS_END
+};
+
+} /* namespace js */
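Review bot: `DebuggerMemory::class_` sets `JSCLASS_HAS_PRIVATE`, but nothing in this change stores a private pointer and both the `finalize` and `trace` hooks are `nullptr`. That is fine for an empty placeholder, but whoever first stores a private will need to revisit those hooks, so I would add a comment above the flags: `// No private is stored yet; add finalize/trace hooks before storing one that owns memory or GC things.` `DebuggerMemory::construct` ignores `argc` and `vp` and always fails with `JSMSG_NO_CONSTRUCTOR`. A short comment that instances are only created by `Debugger::construct` would make that intent explicit.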
new file mode 100644
--- /dev/null
+++ b/js/src/vm/DebuggerMemory.h
@@ -0,0 +1,34 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef vm_DebuggerMemory_h
+#define vm_DebuggerMemory_h
+
+#include "jsapi.h"
+#include "jscntxt.h"
+#include "jsobj.h"
+#include "js/Class.h"
+#include "js/Value.h"
+
+namespace js {
+
+class DebuggerMemory : public JSObject {
+    enum {
+        JSSLOT_DEBUGGER_MEMORY_COUNT
+    };
+
+public:
+
+    static bool construct(JSContext *cx, unsigned argc, Value *vp);
+
+    static const Class          class_;
+    static const JSPropertySpec properties[];
+    static const JSFunctionSpec methods[];
+};
+
+} /* namespace js */
+
+#endif /* vm_DebuggerMemory_h */
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@@ -26,16 +26,17 @@
 #include "nsXMLHttpRequest.h"
 #include "WrapperFactory.h"
 #include "xpcprivate.h"
 #include "XPCQuickStubs.h"
 #include "XPCWrapper.h"
 #include "XrayWrapper.h"
 #include "mozilla/dom/BindingUtils.h"
 #include "mozilla/dom/indexedDB/IndexedDatabaseManager.h"
+#include "mozilla/dom/PromiseBinding.h"
 #include "mozilla/dom/TextDecoderBinding.h"
 #include "mozilla/dom/TextEncoderBinding.h"
 #include "mozilla/dom/URLBinding.h"
 
 using namespace mozilla;
 using namespace JS;
 using namespace js;
 using namespace xpc;
@@ -969,27 +970,30 @@ xpc::SandboxProxyHandler::iterate(JSCont
 bool
 xpc::GlobalProperties::Parse(JSContext *cx, JS::HandleObject obj)
 {
     MOZ_ASSERT(JS_IsArrayObject(cx, obj));
 
     uint32_t length;
     bool ok = JS_GetArrayLength(cx, obj, &length);
     NS_ENSURE_TRUE(ok, false);
+    bool promise = Promise;
     for (uint32_t i = 0; i < length; i++) {
         RootedValue nameValue(cx);
         ok = JS_GetElement(cx, obj, i, &nameValue);
         NS_ENSURE_TRUE(ok, false);
         if (!nameValue.isString()) {
             JS_ReportError(cx, "Property names must be strings");
             return false;
         }
         JSAutoByteString name(cx, nameValue.toString());
         NS_ENSURE_TRUE(name, false);
-        if (!strcmp(name.ptr(), "indexedDB")) {
+        if (promise && !strcmp(name.ptr(), "-Promise")) {
+            Promise = false;
+        } else if (!strcmp(name.ptr(), "indexedDB")) {
             indexedDB = true;
         } else if (!strcmp(name.ptr(), "XMLHttpRequest")) {
             XMLHttpRequest = true;
         } else if (!strcmp(name.ptr(), "TextEncoder")) {
             TextEncoder = true;
         } else if (!strcmp(name.ptr(), "TextDecoder")) {
             TextDecoder = true;
         } else if (!strcmp(name.ptr(), "URL")) {
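Review bot: The `"-Promise"` branch is the only entry in this chain that turns a property off, and nothing in `Parse` documents that or explains the `promise` snapshot taken before the loop. A comment on the branch would cover it: `// "-Promise" opts out of the default-on Promise constructor; only recognised when the caller enabled Promise by default.` When the object was constructed with Promise off, `"-Promise"` falls through to the remaining comparisons. Their final `else` lies outside this hunk, so what the caller sees in that case should be checked against the full function.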
@@ -1004,16 +1008,19 @@ xpc::GlobalProperties::Parse(JSContext *
         }
     }
     return true;
 }
 
 bool
 xpc::GlobalProperties::Define(JSContext *cx, JS::HandleObject obj)
 {
+    if (Promise && !dom::PromiseBinding::GetConstructorObject(cx, obj))
+        return false;
+
     if (indexedDB && AccessCheck::isChrome(obj) &&
         !IndexedDatabaseManager::DefineIndexedDB(cx, obj))
         return false;
 
     if (XMLHttpRequest &&
         !JS_DefineFunction(cx, obj, "XMLHttpRequest", CreateXMLHttpRequest, 0, JSFUN_CONSTRUCTOR))
         return false;
 
--- a/js/xpconnect/src/XPCComponents.cpp
+++ b/js/xpconnect/src/XPCComponents.cpp
@@ -2751,17 +2751,17 @@ nsXPCComponents_Utils::Unload(const nsAC
  * JSObject importGlobalProperties (in jsval aPropertyList);
  */
 NS_IMETHODIMP
 nsXPCComponents_Utils::ImportGlobalProperties(HandleValue aPropertyList,
                                               JSContext* cx)
 {
     RootedObject global(cx, CurrentGlobalOrNull(cx));
     MOZ_ASSERT(global);
-    GlobalProperties options;
+    GlobalProperties options(false);
     NS_ENSURE_TRUE(aPropertyList.isObject(), NS_ERROR_INVALID_ARG);
     RootedObject propertyList(cx, &aPropertyList.toObject());
     NS_ENSURE_TRUE(JS_IsArrayObject(cx, propertyList), NS_ERROR_INVALID_ARG);
     if (!options.Parse(cx, propertyList) ||
         !options.Define(cx, global))
     {
         return NS_ERROR_FAILURE;
     }
--- a/js/xpconnect/src/nsXPConnect.cpp
+++ b/js/xpconnect/src/nsXPConnect.cpp
@@ -25,35 +25,33 @@
 #ifdef MOZ_JSDEBUGGER
 #include "jsdIDebuggerService.h"
 #endif
 
 #include "XPCQuickStubs.h"
 
 #include "mozilla/dom/BindingUtils.h"
 #include "mozilla/dom/Exceptions.h"
-#include "mozilla/dom/indexedDB/IndexedDatabaseManager.h"
+#include "mozilla/dom/PromiseBinding.h"
 #include "mozilla/dom/TextDecoderBinding.h"
 #include "mozilla/dom/TextEncoderBinding.h"
 #include "mozilla/dom/DOMErrorBinding.h"
 
 #include "nsDOMMutationObserver.h"
 #include "nsICycleCollectorListener.h"
 #include "nsThread.h"
 #include "mozilla/XPTInterfaceInfoManager.h"
 #include "nsIObjectInputStream.h"
 #include "nsIObjectOutputStream.h"
 
 using namespace mozilla;
 using namespace mozilla::dom;
 using namespace xpc;
 using namespace JS;
 
-using mozilla::dom::indexedDB::IndexedDatabaseManager;
-
 NS_IMPL_ISUPPORTS4(nsXPConnect,
                    nsIXPConnect,
                    nsISupportsWeakReference,
                    nsIThreadObserver,
                    nsIJSRuntimeService)
 
 nsXPConnect* nsXPConnect::gSelf = nullptr;
 bool         nsXPConnect::gOnceAliveNowDead = false;
@@ -448,17 +446,18 @@ nsXPConnect::InitClassesWithNewWrappedGl
     // XXX Someone who knows why we can assert this should re-check
     //     (after bug 720580).
     MOZ_ASSERT(js::GetObjectClass(global)->flags & JSCLASS_DOM_GLOBAL);
 
     // Init WebIDL binding constructors wanted on all XPConnect globals.
     //
     // XXX Please do not add any additional classes here without the approval of
     //     the XPConnect module owner.
-    if (!TextDecoderBinding::GetConstructorObject(aJSContext, global) ||
+    if (!PromiseBinding::GetConstructorObject(aJSContext, global) ||
+        !TextDecoderBinding::GetConstructorObject(aJSContext, global) ||
         !TextEncoderBinding::GetConstructorObject(aJSContext, global) ||
         !DOMErrorBinding::GetConstructorObject(aJSContext, global)) {
         return UnexpectedFailure(NS_ERROR_FAILURE);
     }
 
     wrappedGlobal.forget(_retval);
     return NS_OK;
 }
--- a/js/xpconnect/src/xpcprivate.h
+++ b/js/xpconnect/src/xpcprivate.h
@@ -3284,19 +3284,23 @@ bool
 NewFunctionForwarder(JSContext *cx, JS::HandleObject callable,
                      bool doclone, JS::MutableHandleValue vp);
 
 // Old fashioned xpc error reporter. Try to use JS_ReportError instead.
 nsresult
 ThrowAndFail(nsresult errNum, JSContext *cx, bool *retval);
 
 struct GlobalProperties {
-    GlobalProperties() { mozilla::PodZero(this); }
+    GlobalProperties(bool aPromise) {
+      mozilla::PodZero(this);
+      Promise = true;
+    }
     bool Parse(JSContext *cx, JS::HandleObject obj);
     bool Define(JSContext *cx, JS::HandleObject obj);
+    bool Promise : 1;
     bool indexedDB : 1;
     bool XMLHttpRequest : 1;
     bool TextDecoder : 1;
     bool TextEncoder : 1;
     bool URL : 1;
     bool atob : 1;
     bool btoa : 1;
 };
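Review bot: The new constructor `GlobalProperties(bool aPromise)` never reads its argument, because after `PodZero(this)` it runs `Promise = true;`. As a result `GlobalProperties options(false)` in `nsXPCComponents_Utils::ImportGlobalProperties` (the XPCComponents.cpp hunk) still has Promise enabled, and `Define` will install the constructor on the caller's global. The line should read `Promise = aPromise;`. This struct decides which constructors a sandbox or global receives, so the value must follow what the call site asked for. Marking the single-argument constructor `explicit` would also stop a stray `bool` from converting into a `GlobalProperties`.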
@@ -3337,16 +3341,17 @@ public:
                    JSObject *options = nullptr)
         : OptionsBase(cx, options)
         , wantXrays(true)
         , wantComponents(true)
         , wantExportHelpers(false)
         , proto(cx)
         , sameZoneAs(cx)
         , invisibleToDebugger(false)
+        , globalProperties(true)
         , metadata(cx)
     { }
 
     virtual bool Parse();
 
     bool wantXrays;
     bool wantComponents;
     bool wantExportHelpers;
new file mode 100644
--- /dev/null
+++ b/js/xpconnect/tests/unit/test_promise.js
@@ -0,0 +1,12 @@
+function run_test() {
+  var Cu = Components.utils;
+  sb = new Cu.Sandbox('http://www.example.com');
+  sb.do_check_eq = do_check_eq;
+  Cu.evalInSandbox('do_check_eq(typeof new Promise(function(resolve){resolve();}), "object");',
+                   sb);
+  sb = new Cu.Sandbox('http://www.example.com',
+                      { wantGlobalProperties: ["-Promise"] });
+  sb.do_check_eq = do_check_eq;
+  Cu.evalInSandbox('do_check_eq(typeof Promise, "undefined");', sb);
+  do_check_eq(typeof new Promise(function(resolve){resolve();}), "object");
+}
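Review bot: `sb` is assigned without a declaration in `run_test`, which creates an implicit global; `var sb = new Cu.Sandbox('http://www.example.com');` keeps it local. The test covers the default-on sandbox and the `"-Promise"` opt-out. It does not call `Cu.importGlobalProperties`, the one caller in this change that constructs `GlobalProperties(false)`. A check that importing an unrelated property does not add Promise as a side effect would pin that path down.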
--- a/js/xpconnect/tests/unit/xpcshell.ini
+++ b/js/xpconnect/tests/unit/xpcshell.ini
@@ -65,16 +65,17 @@ fail-if = os == "android"
 [test_tearoffs.js]
 [test_want_components.js]
 [test_components.js]
 [test_allowedDomains.js]
 [test_allowedDomainsXHR.js]
 [test_nuke_sandbox.js]
 [test_sandbox_metadata.js]
 [test_exportFunction.js]
+[test_promise.js]
 [test_textDecoder.js]
 [test_url.js]
 [test_sandbox_atob.js]
 [test_isProxy.js]
 [test_getObjectPrincipal.js]
 [test_watchdog_enable.js]
 head = head_watchdog.js
 [test_watchdog_disable.js]
--- a/layout/base/tests/mochitest.ini
+++ b/layout/base/tests/mochitest.ini
@@ -48,16 +48,17 @@ support-files =
   bug570378-persian-3-ref.html
   bug570378-persian-4.html
   bug570378-persian-4-ref.html
   bug570378-persian-5.html
   bug570378-persian-5-ref.html
 
 [test_preserve3d_sorting_hit_testing.html]
 [test_after_paint_pref.html]
+skip-if = e10s
 [test_border_radius_hit_testing.html]
 [test_bug66619.html]
 [test_bug93077-1.html]
 [test_bug93077-2.html]
 [test_bug93077-3.html]
 [test_bug93077-4.html]
 [test_bug93077-5.html]
 [test_bug93077-6.html]
@@ -448,17 +449,17 @@ skip-if = (buildapp == 'b2g' && toolkit 
 skip-if = (buildapp == 'b2g' && toolkit != 'gonk') || toolkit == "win" #times out
 [test_bug570378-persian-5e.html]
 skip-if = (buildapp == 'b2g' && toolkit != 'gonk') || toolkit == "win" #times out
 [test_bug570378-persian-5f.html]
 skip-if = (buildapp == 'b2g' && toolkit != 'gonk') || toolkit == "win" #times out
 [test_bug570378-persian-5g.html]
 skip-if = (buildapp == 'b2g' && toolkit != 'gonk') || toolkit == "win" #times out
 [test_bug749186.html]
-skip-if = toolkit == "win"
+skip-if = toolkit == "win" || e10s
 [test_bug644768.html]
 skip-if = toolkit == "win"
 [test_flush_on_paint.html]
 skip-if = true || (toolkit == 'android') || (toolkit == "cocoa") # Bug 688128, bug 539356
 [test_getBoxQuads_convertPointRectQuad.html]
 skip-if = (buildapp == 'b2g' && toolkit != 'gonk') # Bug 948948
 [test_bug687297.html]
 skip-if = (buildapp == 'b2g' && toolkit != 'gonk') # Bug 948948
--- a/layout/inspector/inDOMUtils.cpp
+++ b/layout/inspector/inDOMUtils.cpp
@@ -636,17 +636,17 @@ inDOMUtils::ColorNameToRGB(const nsAStri
     return NS_ERROR_INVALID_ARG;
   }
 
   InspectorRGBTriple triple;
   triple.mR = NS_GET_R(color);
   triple.mG = NS_GET_G(color);
   triple.mB = NS_GET_B(color);
 
-  if (!triple.ToObject(aCx, JS::NullPtr(), aValue)) {
+  if (!triple.ToObject(aCx, aValue)) {
     return NS_ERROR_FAILURE;
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 inDOMUtils::RgbToColorName(uint8_t aR, uint8_t aG, uint8_t aB,
--- a/layout/reftests/reftest.list
+++ b/layout/reftests/reftest.list
@@ -352,12 +352,12 @@ include ../../dom/imptests/reftest.list
 
 # editor/
 include ../../editor/reftests/reftest.list
 
 # box-sizing
 include box-sizing/reftest.list
 
 # invalidation - only run on B2G
-skip-if(!B2G) include invalidation/reftest.list
+include invalidation/reftest.list
 
 # encodings
 include ../../dom/encoding/test/reftest/reftest.list
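Review bot: The comment above the changed line still reads `# invalidation - only run on B2G`, but the `skip-if(!B2G)` condition it described has been removed. It should become `# invalidation` so the manifest does not suggest a platform restriction that no longer exists.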
rename from layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-1.xhtml
rename to layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-1a.xhtml
copy from layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-1.xhtml
copy to layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-1b.xhtml
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-1.xhtml
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-1b.xhtml
@@ -1,28 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
      Any copyright is dedicated to the Public Domain.
      http://creativecommons.org/publicdomain/zero/1.0/
 -->
 <!-- Testcase for behavior of the 'baseline' value for align-items (and
      align-self, implicitly). This test baseline-aligns various types of
      content, and the flexbox's vertical size depends on the aggregate
-     post-alignment height of its children.
+     post-alignment height of its children. This test also uses
+     "flex-wrap: wrap-reverse" to make the cross-axis bottom-to-top instead
+     of top-to-bottom.
 -->
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
-    <title>CSS Test: Baseline alignment of block flex items with 'baseline' value for 'align-items' / 'align-self'</title>
+    <title>CSS Test: Baseline alignment of block flex items with 'baseline' value for 'align-items' / 'align-self' in a wrap-reverse flex container</title>
     <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com"/>
     <link rel="help" href="http://www.w3.org/TR/css3-flexbox/#baseline-participation"/>
     <link rel="match" href="flexbox-align-self-baseline-horiz-1-ref.xhtml"/>
     <style>
       .flexbox {
         display: flex;
         align-items: baseline;
+        flex-wrap: wrap-reverse;
         border: 1px dashed blue;
         font: 14px sans-serif;
       }
 
       .big {
         height: 100px;
         font: 24px sans-serif;
         margin-top: 20px;
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-2-ref.xhtml
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-2-ref.xhtml
@@ -1,56 +1,82 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
      Any copyright is dedicated to the Public Domain.
      http://creativecommons.org/publicdomain/zero/1.0/
 -->
-<!-- Reference case for behavior of the 'baseline' value for align-items and
-     align-self, in a multi-line flex container.
-
-     This reference case just consists of three single-line flex containers,
-     to match the testcase's one flex container with three flex lines.
--->
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
     <title>CSS Reftest Reference</title>
     <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com"/>
     <style>
       .flexbox {
-        display: flex;
-        align-items: baseline;
-        width: 90px;
+        width: 40px;
+        height: 40px;
+        border: 1px solid gray;
+        margin: 5px; /* just for visual separation */
+        float: left;
       }
 
       .flexbox > * {
-        width: 28px;
         background: yellow;
         border: 1px solid black;
+        height: 20px;
       }
-
-      .big    { font: 24px sans-serif; }
-      .medium { font: 14px sans-serif; }
-      .small  { font: 8px sans-serif;  }
-
    </style>
   </head>
   <body>
+    <!-- ZEROTH ROW: NO MARGINS -->
+    <!-- No margins on flex item: -->
     <div class="flexbox">
-      <!-- First flex line: Just 3 different sizes of text -->
-      <div class="big">a</div>
-      <div class="small">b</div>
-      <div class="medium">c</div>
+      <div>a</div>
+    </div>
+
+
+    <!-- FIRST ROW: SETTING MARGIN-TOP: -->
+    <br style="clear: both"/>
+
+    <!-- auto: -->
+    <div class="flexbox">
+      <div style="margin-top: 18px">a</div>
     </div>
+
+    <!-- Negative: -->
+    <div class="flexbox">
+      <div style="margin-top: -4px">a</div>
+    </div>
+
+    <!-- Small: -->
+    <div class="flexbox">
+      <div style="margin-top: 4px">a</div>
+    </div>
+
+    <!-- Large (pushing us out of container): -->
     <div class="flexbox">
-      <!-- Second flex line: different margin/padding amounts on each item,
-           and one non-baseline-aligned item.-->
-      <div class="medium" style="padding-top: 10px">d</div>
-      <div class="medium" style="margin-bottom: 8px">e</div>
-      <div class="medium" style="align-self: stretch">f</div>
+      <div style="margin-top: 25px">a</div>
+    </div>
+
+
+    <!-- SECOND ROW: SETTING MARGIN-BOTTOM: -->
+    <br style="clear: both"/>
+
+    <!-- auto: -->
+    <div class="flexbox">
+      <div>a</div>
     </div>
+
+    <!-- Negative: -->
     <div class="flexbox">
-      <!-- Third flex line: other margin/padding amounts on each item -->
-      <div class="small" style="margin-top: 20px">g</div>
-      <div class="big">h</div>
-      <div class="medium" style="padding-bottom: 6px">i</div>
+      <div>a</div>
+    </div>
+
+    <!-- Small: -->
+    <div class="flexbox">
+      <div>a</div>
     </div>
+
+    <!-- Large: -->
+    <div class="flexbox">
+      <div>a</div>
+    </div>
+
   </body>
 </html>
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-2.xhtml
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-2.xhtml
@@ -1,56 +1,90 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
      Any copyright is dedicated to the Public Domain.
      http://creativecommons.org/publicdomain/zero/1.0/
 -->
-<!-- Testcase for behavior of the 'baseline' value for align-items (and
-     align-self, implicitly), in a multi-line flex container.
-     This test baseline-aligns variously-sized flex items, and the container's
-     vertical size depends on the aggregate post-alignment height of its items.
+<!-- Testcase for how a baseline-aligned flex item's position is impacted by
+     cross-axis margins, in a fixed-size flex container.
   -->
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
-    <title>CSS Test: Baseline alignment of block flex items with 'baseline' value for 'align-items' / 'align-self' in a multi-line flex container</title>
+    <title>CSS Test: Baseline alignment of flex items in fixed-size single-line flex container</title>
     <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com"/>
     <link rel="help" href="http://www.w3.org/TR/css3-flexbox/#baseline-participation"/>
     <link rel="match" href="flexbox-align-self-baseline-horiz-2-ref.xhtml"/>
     <style>
       .flexbox {
         display: flex;
-        flex-wrap: wrap;
         align-items: baseline;
-        width: 90px;
+        width: 40px;
+        height: 40px;
+        border: 1px solid gray;
+        margin: 5px; /* just for visual separation */
+        float: left;
       }
 
       .flexbox > * {
-        width: 28px; /* 3 items per Flex Line */
         background: yellow;
         border: 1px solid black;
+        height: 20px;
+        flex: 1;
       }
-
-      .big    { font: 24px sans-serif; }
-      .medium { font: 14px sans-serif; }
-      .small  { font: 8px sans-serif;  }
-
    </style>
   </head>
   <body>
+    <!-- ZEROTH ROW: NO MARGINS -->
+    <!-- No margins on flex item: -->
     <div class="flexbox">
-      <!-- First flex line: Just 3 different sizes of text -->
-      <div class="big">a</div>
-      <div class="small">b</div>
-      <div class="medium">c</div>
+      <div>a</div>
+    </div>
+
+
+    <!-- FIRST ROW: SETTING MARGIN-TOP: -->
+    <br style="clear: both"/>
+
+    <!-- auto: -->
+    <div class="flexbox">
+      <div style="margin-top: auto">a</div>
+    </div>
+
+    <!-- Negative: -->
+    <div class="flexbox">
+      <div style="margin-top: -4px">a</div>
+    </div>
+
+    <!-- Small: -->
+    <div class="flexbox">
+      <div style="margin-top: 4px">a</div>
+    </div>
 
-      <!-- Second flex line: different margin/padding amounts on each item,
-           and one non-baseline-aligned item.-->
-      <div class="medium" style="padding-top: 10px">d</div>
-      <div class="medium" style="margin-bottom: 8px">e</div>
-      <div class="medium" style="align-self: stretch">f</div>
+    <!-- Large (pushing us out of container): -->
+    <div class="flexbox">
+      <div style="margin-top: 25px">a</div>
+    </div>
+
+
+    <!-- SECOND ROW: SETTING MARGIN-BOTTOM: -->
+    <br style="clear: both"/>
+
+    <!-- auto: -->
+    <div class="flexbox">
+      <div style="margin-bottom: auto">a</div>
+    </div>
 
-      <!-- Third flex line: other margin/padding amounts on each item -->
-      <div class="small" style="margin-top: 20px">g</div>
-      <div class="big">h</div>
-      <div class="medium" style="padding-bottom: 6px">i</div>
+    <!-- Negative: -->
+    <div class="flexbox">
+      <div style="margin-bottom: -4px">a</div>
     </div>
+
+    <!-- Small: -->
+    <div class="flexbox">
+      <div style="margin-bottom: 4px">a</div>
+    </div>
+
+    <!-- Large: -->
+    <div class="flexbox">
+      <div style="margin-bottom: 25px">a</div>
+    </div>
+
   </body>
 </html>
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-3-ref.xhtml
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-3-ref.xhtml
@@ -1,58 +1,82 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
      Any copyright is dedicated to the Public Domain.
      http://creativecommons.org/publicdomain/zero/1.0/
 -->
-<!-- Reference case for behavior of the 'baseline' value for align-items and
-     align-self, in a multi-line flex container.
-
-     This reference case just consists of three single-line flex containers,
-     to match the testcase's one flex container with three flex lines.
--->
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
     <title>CSS Reftest Reference</title>
     <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com"/>
     <style>
       .flexbox {
-        display: flex;
-        align-items: baseline;
-        width: 90px;
+        width: 40px;
+        height: 40px;
+        border: 1px solid gray;
+        margin: 5px; /* just for visual separation */
+        float: left;
       }
 
       .flexbox > * {
-        width: 28px;
         background: yellow;
         border: 1px solid black;
+        height: 20px;
       }
-
-      .big    { font: 24px sans-serif; }
-      .medium { font: 14px sans-serif; }
-      .small  { font: 8px sans-serif;  }
-
    </style>
   </head>
   <body>
-    <!-- Note: The lines are reversed here with respect to the testcase,
-         due to the testcase's "wrap-reverse". -->
+    <!-- ZEROTH ROW: NO MARGINS -->
+    <!-- No margins on flex item: -->
+    <div class="flexbox">
+      <div style="margin-top: 18px">a</div>
+    </div>
+
+
+    <!-- FIRST ROW: SETTING MARGIN-TOP: -->
+    <br style="clear: both"/>
+
+    <!-- auto: -->
     <div class="flexbox">
-      <!-- Third flex line: other margin/padding amounts on each item -->
-      <div class="small" style="margin-top: 20px">g</div>
-      <div class="big">h</div>
-      <div class="medium" style="padding-bottom: 6px">i</div>
+      <div style="margin-top: 18px">a</div>
+    </div>
+
+    <!-- Negative: -->
+    <div class="flexbox">
+      <div style="margin-top: 18px">a</div>
     </div>
+
+    <!-- Small: -->
+    <div class="flexbox">
+      <div style="margin-top: 18px">a</div>
+    </div>
+
+    <!-- Large (pushing us out of container): -->
     <div class="flexbox">
-      <!-- Second flex line: different margin/padding amounts on each item,
-           and one non-baseline-aligned item.-->
-      <div class="medium" style="padding-top: 10px">d</div>
-      <div class="medium" style="margin-bottom: 8px">e</div>
-      <div class="medium" style="align-self: stretch">f</div>
+      <div style="margin-top: 18px">a</div>
+    </div>
+
+
+    <!-- SECOND ROW: SETTING MARGIN-BOTTOM: -->
+    <br style="clear: both"/>
+
+    <!-- auto: -->
+    <div class="flexbox">
+      <div>a</div>
     </div>
+
+    <!-- Negative: -->
     <div class="flexbox">
-      <!-- First flex line: Just 3 different sizes of text -->
-      <div class="big">a</div>
-      <div class="small">b</div>
-      <div class="medium">c</div>
+      <div style="margin-top: 22px">a</div>
+    </div>
+
+    <!-- Small: -->
+    <div class="flexbox">
+      <div style="margin-top: 14px">a</div>
     </div>
+
+    <!-- Large: -->
+    <div class="flexbox">
+      <div style="margin-top: -7px">a</div>
+    </div>
+
   </body>
 </html>
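Review bot: The reference file's explanatory header comment is removed in this hunk and nothing replaces it, so the hard-coded `margin-top` values in the body (18px, 22px, 14px, -7px) are left unexplained. They appear to come from the 40px container height minus the item's 22px border-box (20px height plus two 1px borders), adjusted by the margin-bottom the testcase sets. A short comment such as `<!-- Item bottom sits at the container's bottom edge: 40px - 22px = 18px, less the testcase's margin-bottom -->` would let a maintainer re-derive them. The copied label `<!-- No margins on flex item: -->` also sits above a div that carries `margin-top: 18px`, which reads like an error in the reference; rewording it to say it mirrors the testcase's zeroth row would avoid that.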
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-3.xhtml
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-3.xhtml
@@ -1,56 +1,92 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
      Any copyright is dedicated to the Public Domain.
      http://creativecommons.org/publicdomain/zero/1.0/
 -->
-<!-- Testcase for behavior of the 'baseline' value for align-items (and
-     align-self, implicitly), in a wrap-reverse multi-line flex container.
-     This test baseline-aligns variously-sized flex items, and the container's
-     vertical size depends on the aggregate post-alignment height of its items.
+<!-- Testcase for how a baseline-aligned flex item's position is impacted by
+     cross-axis margins, in a fixed-size flex container with the cross axis
+     reversed via "flex-wrap: wrap-reverse".
   -->
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
-    <title>CSS Test: Baseline alignment of block flex items with 'baseline' value for 'align-items' / 'align-self' in a multi-line flex container</title>
+    <title>CSS Test: Baseline alignment of flex items in fixed-size single-line flex container, with cross axis reversed</title>
     <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com"/>
     <link rel="help" href="http://www.w3.org/TR/css3-flexbox/#baseline-participation"/>
     <link rel="match" href="flexbox-align-self-baseline-horiz-3-ref.xhtml"/>
     <style>
       .flexbox {
         display: flex;
-        flex-wrap: wrap-reverse;
         align-items: baseline;
-        width: 90px;
+        flex-wrap: wrap-reverse; /* Just to flip cross-axis */
+        width: 40px;
+        height: 40px;
+        border: 1px solid gray;
+        margin: 5px; /* just for visual separation */
+        float: left;
       }
 
       .flexbox > * {
-        width: 28px; /* 3 items per Flex Line */
         background: yellow;
         border: 1px solid black;
+        height: 20px;
+        flex: 1;
       }
-
-      .big    { font: 24px sans-serif; }
-      .medium { font: 14px sans-serif; }
-      .small  { font: 8px sans-serif;  }
-
    </style>
   </head>
   <body>
+    <!-- ZEROTH ROW: NO MARGINS -->
+    <!-- No margins on flex item: -->
     <div class="flexbox">
-      <!-- First flex line: Just 3 different sizes of text -->
-      <div class="big">a</div>
-      <div class="small">b</div>
-      <div class="medium">c</div>
+      <div>a</div>
+    </div>
+
+
+    <!-- FIRST ROW: SETTING MARGIN-TOP: -->
+    <br style="clear: both"/>
+
+    <!-- auto: -->
+    <div class="flexbox">
+      <div style="margin-top: auto">a</div>
+    </div>
+
+    <!-- Negative: -->
+    <div class="flexbox">
+      <div style="margin-top: -4px">a</div>
+    </div>
+
+    <!-- Small: -->
+    <div class="flexbox">
+      <div style="margin-top: 4px">a</div>
+    </div>
 
-      <!-- Second flex line: different margin/padding amounts on each item,
-           and one non-baseline-aligned item.-->
-      <div class="medium" style="padding-top: 10px">d</div>
-      <div class="medium" style="margin-bottom: 8px">e</div>
-      <div class="medium" style="align-self: stretch">f</div>
+    <!-- Large (pushing us out of container): -->
+    <div class="flexbox">
+      <div style="margin-top: 25px">a</div>
+    </div>
+
+
+    <!-- SECOND ROW: SETTING MARGIN-BOTTOM: -->
+    <br style="clear: both"/>
+
+    <!-- auto: -->
+    <div class="flexbox">
+      <div style="margin-bottom: auto">a</div>
+    </div>
 
-      <!-- Third flex line: other margin/padding amounts on each item -->
-      <div class="small" style="margin-top: 20px">g</div>
-      <div class="big">h</div>
-      <div class="medium" style="padding-bottom: 6px">i</div>
+    <!-- Negative: -->
+    <div class="flexbox">
+      <div style="margin-bottom: -4px">a</div>
     </div>
+
+    <!-- Small: -->
+    <div class="flexbox">
+      <div style="margin-bottom: 4px">a</div>
+    </div>
+
+    <!-- Large: -->
+    <div class="flexbox">
+      <div style="margin-bottom: 25px">a</div>
+    </div>
+
   </body>
 </html>
copy from layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-2-ref.xhtml
copy to layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-4-ref.xhtml
copy from layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-2.xhtml
copy to layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-4.xhtml
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-2.xhtml
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-4.xhtml
@@ -8,17 +8,17 @@
      This test baseline-aligns variously-sized flex items, and the container's
      vertical size depends on the aggregate post-alignment height of its items.
   -->
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
     <title>CSS Test: Baseline alignment of block flex items with 'baseline' value for 'align-items' / 'align-self' in a multi-line flex container</title>
     <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com"/>
     <link rel="help" href="http://www.w3.org/TR/css3-flexbox/#baseline-participation"/>
-    <link rel="match" href="flexbox-align-self-baseline-horiz-2-ref.xhtml"/>
+    <link rel="match" href="flexbox-align-self-baseline-horiz-4-ref.xhtml"/>
     <style>
       .flexbox {
         display: flex;
         flex-wrap: wrap;
         align-items: baseline;
         width: 90px;
       }
 
copy from layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-3-ref.xhtml
copy to layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-5-ref.xhtml
copy from layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-3.xhtml
copy to layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-5.xhtml
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-3.xhtml
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-align-self-baseline-horiz-5.xhtml
@@ -8,17 +8,17 @@
      This test baseline-aligns variously-sized flex items, and the container's
      vertical size depends on the aggregate post-alignment height of its items.
   -->
 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
     <title>CSS Test: Baseline alignment of block flex items with 'baseline' value for 'align-items' / 'align-self' in a multi-line flex container</title>
     <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com"/>
     <link rel="help" href="http://www.w3.org/TR/css3-flexbox/#baseline-participation"/>
-    <link rel="match" href="flexbox-align-self-baseline-horiz-3-ref.xhtml"/>
+    <link rel="match" href="flexbox-align-self-baseline-horiz-5-ref.xhtml"/>
     <style>
       .flexbox {
         display: flex;
         flex-wrap: wrap-reverse;
         align-items: baseline;
         width: 90px;
       }
 
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-flex-flow-1.html
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-flex-flow-1.html
@@ -1,16 +1,16 @@
 <!DOCTYPE html>
 <!--
      Any copyright is dedicated to the Public Domain.
      http://creativecommons.org/publicdomain/zero/1.0/
 -->
 <html>
 <head>
-  <title>CSS Test: Testing all the values of the "flex-flow" shorthand property</title>
+  <title>CSS Test: Testing all the values of the "flex-flow" shorthand property, with 4 flex items in each container</title>
   <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com">
   <link rel="help" href="http://www.w3.org/TR/css3-flexbox/#flex-flow-property">
   <link rel="match" href="flexbox-flex-flow-1-ref.html">
   <meta charset="utf-8">
   <style>
     .flexContainer {
       display: flex;
       height: 60px;
copy from layout/reftests/w3c-css/submitted/flexbox/flexbox-flex-flow-1-ref.html
copy to layout/reftests/w3c-css/submitted/flexbox/flexbox-flex-flow-2-ref.html
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-flex-flow-1-ref.html
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-flex-flow-2-ref.html
@@ -21,107 +21,113 @@
       border: 1px dotted gray;
       width: 28px;
       height: 28px;
       float: left;
     }
 
     /* The single-line flex containers' flex items are shrunk in main axis: */
     .singleLineHoriz > * {
-      width: 13px;
+      width: 18px;
     }
     .singleLineVert  > * {
-      height: 13px;
+      height: 18px;
       float: none;
     }
+    .hidden {
+      /* We use this to hide the "4" box in each of the multi-line chunks.
+         The testcase has 3 flex items in each flex container, but it's easier
+         to write this reference case w/ a hidden 4th box as a space-filler. */
+      visibility: hidden;
+    }
   </style>
 </head>
 <body>
   <!-- single-line (flex-wrap unspecified): -->
   <div class="flexContainer singleLineHoriz"><!-- flex-flow: row -->
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer singleLineHoriz"><!-- flex-flow: row-reverse -->
-    <div>4</div><div>3</div><div>2</div><div>1</div>
+    <div>3</div><div>2</div><div>1</div>
   </div>
   <div class="flexContainer singleLineVert"><!-- flex-flow: column -->
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer singleLineVert"><!-- flex-flow: column-reverse -->
-    <div>4</div><div>3</div><div>2</div><div>1</div>
+    <div>3</div><div>2</div><div>1</div>
   </div>
 
   <div style="clear:both"></div>
 
   <!-- now using "wrap", after flex-direction: -->
   <div class="flexContainer"><!-- flex-flow: row wrap -->
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div><div class="hidden">4</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: row-reverse wrap -->
-    <div>2</div><div>1</div><div>4</div><div>3</div>
+    <div>2</div><div>1</div><div class="hidden">4</div><div>3</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: column wrap -->
-    <div>1</div><div>3</div><div>2</div><div>4</div>
+    <div>1</div><div>3</div><div>2</div><div class="hidden">4</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: column-reverse wrap -->
-    <div>2</div><div>4</div><div>1</div><div>3</div>
+    <div>2</div><div class="hidden">4</div><div>1</div><div>3</div>
   </div>
 
   <div style="clear:both"></div>
 
   <!-- now using "wrap", before flex-direction: -->
   <div class="flexContainer"><!-- flex-flow: wrap row -->
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div><div class="hidden">4</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: wrap row-reverse -->
-    <div>2</div><div>1</div><div>4</div><div>3</div>
+    <div>2</div><div>1</div><div class="hidden">4</div><div>3</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: wrap column -->
-    <div>1</div><div>3</div><div>2</div><div>4</div>
+    <div>1</div><div>3</div><div>2</div><div class="hidden">4</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: wrap column-reverse -->
-    <div>2</div><div>4</div><div>1</div><div>3</div>
+    <div>2</div><div class="hidden">4</div><div>1</div><div>3</div>
   </div>
 
   <div style="clear:both"></div>
 
   <!-- now using "wrap-reverse", after flex-direction: -->
   <div class="flexContainer"><!-- flex-flow: row wrap-reverse -->
-    <div>3</div><div>4</div><div>1</div><div>2</div>
+    <div>3</div><div class="hidden">4</div><div>1</div><div>2</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: row-reverse wrap-reverse -->
-    <div>4</div><div>3</div><div>2</div><div>1</div>
+    <div class="hidden">4</div><div>3</div><div>2</div><div>1</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: column wrap-reverse -->
-    <div>3</div><div>1</div><div>4</div><div>2</div>
+    <div>3</div><div>1</div><div class="hidden">4</div><div>2</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: column-reverse wrap-reverse -->
-    <div>4</div><div>2</div><div>3</div><div>1</div>
+    <div class="hidden">4</div><div>2</div><div>3</div><div>1</div>
   </div>
 
   <div style="clear:both"></div>
 
   <!-- now using "wrap-reverse", before flex-direction: -->
   <div class="flexContainer"><!-- flex-flow: wrap-reverse row -->
-    <div>3</div><div>4</div><div>1</div><div>2</div>
+    <div>3</div><div class="hidden">4</div><div>1</div><div>2</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: wrap-reverse row-reverse -->
-    <div>4</div><div>3</div><div>2</div><div>1</div>
+    <div class="hidden">4</div><div>3</div><div>2</div><div>1</div>
   </div>
   <div class="flexContainer"> <!-- flex-flow: wrap-reverse column -->
-    <div>3</div><div>1</div><div>4</div><div>2</div>
+    <div>3</div><div>1</div><div class="hidden">4</div><div>2</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: wrap-reverse column-reverse -->
-    <div>4</div><div>2</div><div>3</div><div>1</div>
+    <div class="hidden">4</div><div>2</div><div>3</div><div>1</div>
   </div>
 
   <div style="clear:both"></div>
 
   <!-- now just specifying flex-wrap (no flex-direction) -->
   <div class="flexContainer"><!-- flex-flow: wrap -->
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div><div class="hidden">4</div>
   </div>
   <div class="flexContainer"><!-- flex-flow: wrap-reverse -->
-    <div>3</div><div>4</div><div>1</div><div>2</div>
+    <div>3</div><div class="hidden">4</div><div>1</div><div>2</div>
   </div>
 
 </body>
 </html>
copy from layout/reftests/w3c-css/submitted/flexbox/flexbox-flex-flow-1.html
copy to layout/reftests/w3c-css/submitted/flexbox/flexbox-flex-flow-2.html
--- a/layout/reftests/w3c-css/submitted/flexbox/flexbox-flex-flow-1.html
+++ b/layout/reftests/w3c-css/submitted/flexbox/flexbox-flex-flow-2.html
@@ -1,19 +1,19 @@
 <!DOCTYPE html>
 <!--
      Any copyright is dedicated to the Public Domain.
      http://creativecommons.org/publicdomain/zero/1.0/
 -->
 <html>
 <head>
-  <title>CSS Test: Testing all the values of the "flex-flow" shorthand property</title>
+  <title>CSS Test: Testing all the values of the "flex-flow" shorthand property, with 3 flex items in each container</title>
   <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com">
   <link rel="help" href="http://www.w3.org/TR/css3-flexbox/#flex-flow-property">
-  <link rel="match" href="flexbox-flex-flow-1-ref.html">
+  <link rel="match" href="flexbox-flex-flow-2-ref.html">
   <meta charset="utf-8">
   <style>
     .flexContainer {
       display: flex;
       height: 60px;
       width: 60px;
       font: 10px sans-serif;
       background: yellow;
@@ -25,96 +25,96 @@
       width: 28px;
       height: 28px;
     }
   </style>
 </head>
 <body>
   <!-- single-line (flex-wrap unspecified): -->
   <div class="flexContainer" style="flex-flow: row">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: row-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: column">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: column-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
 
   <div style="clear:both"></div>
 
   <!-- now using "wrap", after flex-direction: -->
   <div class="flexContainer" style="flex-flow: row wrap">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: row-reverse wrap">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: column wrap">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: column-reverse wrap">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
 
   <div style="clear:both"></div>
 
   <!-- now using "wrap", before flex-direction: -->
   <div class="flexContainer" style="flex-flow: wrap row">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: wrap row-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: wrap column">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: wrap column-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
 
   <div style="clear:both"></div>
 
   <!-- now using "wrap-reverse", after flex-direction: -->
   <div class="flexContainer" style="flex-flow: row wrap-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: row-reverse wrap-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: column wrap-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: column-reverse wrap-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
 
   <div style="clear:both"></div>
 
   <!-- now using "wrap-reverse", before flex-direction: -->
   <div class="flexContainer" style="flex-flow: wrap-reverse row">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: wrap-reverse row-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: wrap-reverse column">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: wrap-reverse column-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
 
   <div style="clear:both"></div>
 
   <!-- now just specifying flex-wrap (no flex-direction) -->
   <div class="flexContainer" style="flex-flow: wrap">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
   <div class="flexContainer" style="flex-flow: wrap-reverse">
-    <div>1</div><div>2</div><div>3</div><div>4</div>
+    <div>1</div><div>2</div><div>3</div>
   </div>
 
 </body>
 </html>
--- a/layout/reftests/w3c-css/submitted/flexbox/reftest.list
+++ b/layout/reftests/w3c-css/submitted/flexbox/reftest.list
@@ -7,19 +7,22 @@
 
 # Tests for alignment of flex lines (align-content property)
 == flexbox-align-content-horiz-1a.xhtml flexbox-align-content-horiz-1-ref.xhtml
 == flexbox-align-content-horiz-1b.xhtml flexbox-align-content-horiz-1-ref.xhtml
 == flexbox-align-content-vert-1a.xhtml  flexbox-align-content-vert-1-ref.xhtml
 == flexbox-align-content-vert-1b.xhtml  flexbox-align-content-vert-1-ref.xhtml
 
 # Tests for cross-axis alignment (align-self / align-items properties)
-== flexbox-align-self-baseline-horiz-1.xhtml flexbox-align-self-baseline-horiz-1-ref.xhtml
+== flexbox-align-self-baseline-horiz-1a.xhtml flexbox-align-self-baseline-horiz-1-ref.xhtml
+== flexbox-align-self-baseline-horiz-1b.xhtml flexbox-align-self-baseline-horiz-1-ref.xhtml
 == flexbox-align-self-baseline-horiz-2.xhtml flexbox-align-self-baseline-horiz-2-ref.xhtml
 == flexbox-align-self-baseline-horiz-3.xhtml flexbox-align-self-baseline-horiz-3-ref.xhtml
+== flexbox-align-self-baseline-horiz-4.xhtml flexbox-align-self-baseline-horiz-4-ref.xhtml
+== flexbox-align-self-baseline-horiz-5.xhtml flexbox-align-self-baseline-horiz-5-ref.xhtml
 
 == flexbox-align-self-stretch-vert-1.html flexbox-align-self-stretch-vert-1-ref.html
 
 == flexbox-align-self-horiz-1-block.xhtml  flexbox-align-self-horiz-1-ref.xhtml
 == flexbox-align-self-horiz-1-table.xhtml  flexbox-align-self-horiz-1-ref.xhtml
 == flexbox-align-self-horiz-2.xhtml  flexbox-align-self-horiz-2-ref.xhtml
 == flexbox-align-self-horiz-3.xhtml  flexbox-align-self-horiz-3-ref.xhtml
 == flexbox-align-self-horiz-4.xhtml  flexbox-align-self-horiz-4-ref.xhtml
@@ -80,16 +83,17 @@ fuzzy-if(Android,158,32) == flexbox-alig
 # Tests for flex items with "visibility:collapse"
 == flexbox-collapsed-item-baseline-1.html flexbox-collapsed-item-baseline-1-ref.html
 == flexbox-collapsed-item-horiz-1.html flexbox-collapsed-item-horiz-1-ref.html
 == flexbox-collapsed-item-horiz-2.html flexbox-collapsed-item-horiz-2-ref.html
 == flexbox-collapsed-item-horiz-3.html flexbox-collapsed-item-horiz-3-ref.html
 
 # Tests for flex-flow shorthand property
 == flexbox-flex-flow-1.html flexbox-flex-flow-1-ref.html
+== flexbox-flex-flow-2.html flexbox-flex-flow-2-ref.html
 
 # Tests for flex-wrap property
 == flexbox-flex-wrap-horiz-1.html flexbox-flex-wrap-horiz-1-ref.html
 == flexbox-flex-wrap-horiz-2.html flexbox-flex-wrap-horiz-2-ref.html
 == flexbox-flex-wrap-vert-1.html  flexbox-flex-wrap-vert-1-ref.html
 == flexbox-flex-wrap-vert-2.html  flexbox-flex-wrap-vert-2-ref.html
 
 # Tests for flex items as (pseudo) stacking contexts
--- a/layout/tools/reftest/Makefile.in
+++ b/layout/tools/reftest/Makefile.in
@@ -18,60 +18,65 @@ DEFINES += -DREFTEST_B2G
 endif
 
 # Used in install.rdf
 USE_EXTENSION_MANIFEST=1
 else
 EXTRA_COMPONENTS += reftest-cmdline.manifest
 endif
 
-include $(topsrcdir)/config/rules.mk
-
-# We're installing to _tests/reftest
-TARGET_DEPTH = ../..
-include $(topsrcdir)/build/automation-build.mk
-
 _DEST_DIR = $(DEPTH)/_tests/reftest
 
-# We want to get an extension-packaged version of reftest as well, 
-# so this seems to be the simplest way to make that happen.
-ifndef XPI_NAME
-make-xpi:
-	+$(MAKE) -C $(DEPTH)/netwerk/test/httpserver libs XPI_NAME=reftest
-	+$(MAKE) libs XPI_NAME=reftest
-copy-harness: make-xpi
-libs:: copy-harness
-endif
-
 _HARNESS_FILES = \
   $(srcdir)/runreftest.py \
   $(srcdir)/remotereftest.py \
   $(srcdir)/runreftestb2g.py \
   $(srcdir)/b2g_desktop.py \
-  $(srcdir)/b2g_start_script.js \
   automation.py \
   $(topsrcdir)/testing/mozbase/mozdevice/mozdevice/devicemanager.py \
   $(topsrcdir)/testing/mozbase/mozdevice/mozdevice/devicemanagerADB.py \
   $(topsrcdir)/testing/mozbase/mozdevice/mozdevice/devicemanagerSUT.py \
   $(topsrcdir)/testing/mozbase/mozdevice/mozdevice/droid.py \
   $(topsrcdir)/testing/mozbase/mozdevice/mozdevice/Zeroconf.py \
   $(topsrcdir)/build/mobile/b2gautomation.py \
   $(topsrcdir)/build/automationutils.py \
   $(topsrcdir)/build/mobile/remoteautomation.py \
   $(topsrcdir)/testing/mochitest/server.js \
   $(topsrcdir)/build/pgo/server-locations.txt \
   $(NULL)
 
+_HARNESS_PP_FILES = \
+  b2g_start_script.js \
+  $(NULL)
+_HARNESS_PP_FILES_PATH = $(_DEST_DIR)
+PP_TARGETS += _HARNESS_PP_FILES
+
+include $(topsrcdir)/config/rules.mk
+
+# We're installing to _tests/reftest
+TARGET_DEPTH = ../..
+include $(topsrcdir)/build/automation-build.mk
+
+# We want to get an extension-packaged version of reftest as well, 
+# so this seems to be the simplest way to make that happen.
+ifndef XPI_NAME
+make-xpi:
+	+$(MAKE) -C $(DEPTH)/netwerk/test/httpserver libs XPI_NAME=reftest
+	+$(MAKE) libs XPI_NAME=reftest
+copy-harness: make-xpi
+libs:: copy-harness
+endif
+
 $(_DEST_DIR):
 	$(NSINSTALL) -D $@
 
 $(_HARNESS_FILES): $(_DEST_DIR)
 
 # copy harness and the reftest extension bits to $(_DEST_DIR)
-copy-harness: $(_HARNESS_FILES)
+copy-harness: $(_HARNESS_FILES) $(addprefix $(_DEST_DIR)/,$(_HARNESS_PP_FILES))
 	$(INSTALL) $(_HARNESS_FILES) $(_DEST_DIR)
 	(cd $(DIST)/xpi-stage && tar $(TAR_CREATE_FLAGS) - reftest) | (cd $(_DEST_DIR) && tar -xf -)
 
 PKG_STAGE = $(DIST)/test-package-stage
 
 # stage harness and tests for packaging
 stage-package:
 	$(NSINSTALL) -D $(PKG_STAGE)/reftest && $(NSINSTALL) -D $(PKG_STAGE)/reftest/tests
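Review bot: `b2g_start_script.js` is removed from `_HARNESS_FILES` and is now produced only through `PP_TARGETS` into `$(_DEST_DIR)`, so any rule that still copies from `$(_HARNESS_FILES)` will no longer pick it up. `copy-harness` is updated for this, but the `stage-package` recipe continues outside the hunk and cannot be checked from here. It is worth confirming that the test package still ships the preprocessed script. The `rules.mk` include was presumably moved below the new variables because `PP_TARGETS` has to be set before it is read; a one-line comment such as `# PP_TARGETS must be defined before rules.mk is included` would keep someone from moving it back.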
--- a/layout/tools/reftest/b2g_start_script.js
+++ b/layout/tools/reftest/b2g_start_script.js
@@ -1,59 +1,19 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 function setDefaultPrefs() {
-    // This code sets the preferences for extension-based reftest; for
-    // command-line based reftest they are set in function handler_handle in
-    // reftest-cmdline.js.  These two locations should stay in sync.
-    //
-    // FIXME: These should be in only one place.
+    // This code sets the preferences for extension-based reftest.
     var prefs = Cc["@mozilla.org/preferences-service;1"].
                 getService(Ci.nsIPrefService);
     var branch = prefs.getDefaultBranch("");
-    branch.setBoolPref("dom.use_xbl_scopes_for_remote_xul", false);
-    branch.setBoolPref("gfx.color_management.force_srgb", true);
-    branch.setBoolPref("browser.dom.window.dump.enabled", true);
-    branch.setIntPref("ui.caretBlinkTime", -1);
-    branch.setBoolPref("dom.send_after_paint_to_content", true);
-    // no slow script dialogs
-    branch.setIntPref("dom.max_script_run_time", 0);
-    branch.setIntPref("dom.max_chrome_script_run_time", 0);
-    branch.setIntPref("hangmonitor.timeout", 0);
-    // Ensure autoplay is enabled for all platforms.
-    branch.setBoolPref("media.autoplay.enabled", true);
-    // Disable updates
-    branch.setBoolPref("app.update.enabled", false);
-    // Disable addon updates and prefetching so we don't leak them
-    branch.setBoolPref("extensions.update.enabled", false);
-    branch.setBoolPref("extensions.getAddons.cache.enabled", false);
-    // Disable blocklist updates so we don't have them reported as leaks
-    branch.setBoolPref("extensions.blocklist.enabled", false);
-    // Make url-classifier updates so rare that they won't affect tests
-    branch.setIntPref("urlclassifier.updateinterval", 172800);
-    // Disable high-quality downscaling, since it makes reftests more difficult.
-    branch.setBoolPref("image.high_quality_downscaling.enabled", false);
-    // Checking whether two files are the same is slow on Windows.
-    // Setting this pref makes tests run much faster there.
-    branch.setBoolPref("security.fileuri.strict_origin_policy", false);
-    // Disable the thumbnailing service
-    branch.setBoolPref("browser.pagethumbnails.capturing_disabled", true);
-    // Enable APZC so we can test it
-    branch.setBoolPref("layers.async-pan-zoom.enabled", true);
-    // Since our tests are 800px wide, set the assume-designed-for width of all
-    // pages to be 800px (instead of the default of 980px). This ensures that
-    // in our 800px window we don't zoom out by default to try to fit the
-    // assumed 980px content.
-    branch.setIntPref("browser.viewport.desktopWidth", 800);
-    // Disable the fade out (over time) of overlay scrollbars, since we
-    // can't guarantee taking both reftest snapshots at the same point
-    // during the fade.
-    branch.setBoolPref("layout.testing.overlay-scrollbars.always-visible", true);
+
+#include reftest-preferences.js
 }
 
 function setPermissions() {
   if (__marionetteParams.length < 2) {
     return;
   }
 
   let serverAddr = __marionetteParams[0];
--- a/layout/tools/reftest/bootstrap.js
+++ b/layout/tools/reftest/bootstrap.js
@@ -1,64 +1,20 @@
 Components.utils.import("resource://gre/modules/FileUtils.jsm");        
 
 function loadIntoWindow(window) {}
 function unloadFromWindow(window) {}
 
 function setDefaultPrefs() {
-    // This code sets the preferences for extension-based reftest; for
-    // command-line based reftest they are set in function handler_handle in
-    // reftest-cmdline.js.  These two locations should stay in sync.
-    //
-    // FIXME: These should be in only one place.
+    // This code sets the preferences for extension-based reftest.
     var prefs = Components.classes["@mozilla.org/preferences-service;1"].
                 getService(Components.interfaces.nsIPrefService);
     var branch = prefs.getDefaultBranch("");
-    // For mochitests, we're more interested in testing the behavior of in-
-    // content XBL bindings, so we set this pref to true. In reftests, we're
-    // more interested in testing the behavior of XBL as it works in chrome,
-    // so we want this pref to be false.
-    branch.setBoolPref("dom.use_xbl_scopes_for_remote_xul", false);
-    branch.setBoolPref("gfx.color_management.force_srgb", true);
-    branch.setBoolPref("browser.dom.window.dump.enabled", true);
-    branch.setIntPref("ui.caretBlinkTime", -1);
-    branch.setBoolPref("dom.send_after_paint_to_content", true);
-    // no slow script dialogs
-    branch.setIntPref("dom.max_script_run_time", 0);
-    branch.setIntPref("dom.max_chrome_script_run_time", 0);
-    branch.setIntPref("hangmonitor.timeout", 0);
-    // Ensure autoplay is enabled for all platforms.
-    branch.setBoolPref("media.autoplay.enabled", true);
-    // Disable updates
-    branch.setBoolPref("app.update.enabled", false);
-    // Disable addon updates and prefetching so we don't leak them
-    branch.setBoolPref("extensions.update.enabled", false);
-    branch.setBoolPref("extensions.getAddons.cache.enabled", false);
-    // Disable blocklist updates so we don't have them reported as leaks
-    branch.setBoolPref("extensions.blocklist.enabled", false);
-    // Make url-classifier updates so rare that they won't affect tests
-    branch.setIntPref("urlclassifier.updateinterval", 172800);
-    // Disable high-quality downscaling, since it makes reftests more difficult.
-    branch.setBoolPref("image.high_quality_downscaling.enabled", false);
-    // Checking whether two files are the same is slow on Windows.
-    // Setting this pref makes tests run much faster there.
-    branch.setBoolPref("security.fileuri.strict_origin_policy", false);
-    // Disable the thumbnailing service
-    branch.setBoolPref("browser.pagethumbnails.capturing_disabled", true);
-    // Enable APZC so we can test it
-    branch.setBoolPref("layers.async-pan-zoom.enabled", true);
-    // Since our tests are 800px wide, set the assume-designed-for width of all
-    // pages to be 800px (instead of the default of 980px). This ensures that
-    // in our 800px window we don't zoom out by default to try to fit the
-    // assumed 980px content.
-    branch.setIntPref("browser.viewport.desktopWidth", 800);
-    // Disable the fade out (over time) of overlay scrollbars, since we
-    // can't guarantee taking both reftest snapshots at the same point
-    // during the fade.
-    branch.setBoolPref("layout.testing.overlay-scrollbars.always-visible", true);
+
+#include reftest-preferences.js
 }
 
 var windowListener = {
     onOpenWindow: function(aWindow) {
         let domWindow = aWindow.QueryInterface(Components.interfaces.nsIInterfaceRequestor).getInterface(Components.interfaces.nsIDOMWindowInternal || Components.interfaces.nsIDOMWindow);
         domWindow.addEventListener("load", function() {
             domWindow.removeEventListener("load", arguments.callee, false);
 
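Review bot: The `#include reftest-preferences.js` line added inside `setDefaultPrefs()` only works if bootstrap.js is run through the preprocessor before it is packaged, and nothing in this hunk shows that happening. The same merge moves reftest-cmdline.js to `EXTRA_PP_COMPONENTS` and puts b2g_start_script.js on a `PP_TARGETS` list, but I see no matching change for bootstrap.js in the visible part of the diff. If the file ships unprocessed, the directive is a syntax error and none of the default prefs are applied. Please confirm the packaging rule preprocesses bootstrap.js, and consider a comment above the directive such as `// Expanded at build time; this file must be preprocessed.`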
--- a/layout/tools/reftest/mach_commands.py
+++ b/layout/tools/reftest/mach_commands.py
@@ -201,17 +201,17 @@ class ReftestRunner(MozbuildObject):
         options.b2gPath = b2g_home
         options.logcat_dir = self.reftest_dir
         options.httpdPath = os.path.join(self.topsrcdir, 'netwerk', 'test', 'httpserver')
         options.xrePath = xre_path
         options.ignoreWindowSize = True
         return reftest.run_remote_reftests(parser, options, args)
 
     def run_desktop_test(self, test_file=None, filter=None, suite=None,
-            debugger=None, parallel=False):
+            debugger=None, parallel=False, e10s=False):
         """Runs a reftest.
 
         test_file is a path to a test file. It can be a relative path from the
         top source directory, an absolute filename, or a directory containing
         test files.
 
         filter is a regular expression (in JS syntax, as could be passed to the
         RegExp constructor) to select which reftests to run from the manifest.
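Review bot: The new `e10s` keyword on `run_desktop_test` is not described in the docstring that begins in this hunk, which documents the other arguments one paragraph each (the docstring continues past the hunk, so this is based on the visible part). I would add a paragraph in the same style, for example `e10s indicates whether to run the tests with content processes enabled.`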
@@ -243,16 +243,19 @@ class ReftestRunner(MozbuildObject):
 
         if debugger:
             extra_args.append('--debugger=%s' % debugger)
             pass_thru = True
 
         if parallel:
             extra_args.append('--run-tests-in-parallel')
 
+        if e10s:
+            extra_args.append('--e10s')
+
         if extra_args:
             args = [os.environ.get(b'EXTRA_TEST_ARGS', '')]
             args.extend(extra_args)
             env[b'EXTRA_TEST_ARGS'] = ' '.join(args)
 
         # TODO hook up harness via native Python
         return self._run_make(directory='.', target=suite, append_env=env,
             pass_thru=pass_thru, ensure_exit_code=False)
@@ -274,16 +277,20 @@ def ReftestCommand(func):
         help='Reftest manifest file, or a directory in which to select '
              'reftest.list. If omitted, the entire test suite is executed.')
     func = path(func)
 
     parallel = CommandArgument('--parallel', action='store_true',
         help='Run tests in parallel.')
     func = parallel(func)
 
+    e10s = CommandArgument('--e10s', action='store_true',
+                           help='Use content processes.')
+    func = e10s(func)
+
     return func
 
 def B2GCommand(func):
     """Decorator that adds shared command arguments to b2g mochitest commands."""
 
     busybox = CommandArgument('--busybox', default=None,
         help='Path to busybox binary to install on device')
     func = busybox(func)
--- a/layout/tools/reftest/moz.build
+++ b/layout/tools/reftest/moz.build
@@ -1,11 +1,11 @@
 # -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-EXTRA_COMPONENTS += [
+EXTRA_PP_COMPONENTS += [
     'reftest-cmdline.js',
 ]
 
-JAR_MANIFESTS += ['jar.mn']
\ No newline at end of file
+JAR_MANIFESTS += ['jar.mn']
--- a/layout/tools/reftest/reftest-cmdline.js
+++ b/layout/tools/reftest/reftest-cmdline.js
@@ -61,68 +61,22 @@ RefTestCmdLineHandler.prototype =
     /**
      * Manipulate preferences by adding to the *default* branch.  Adding
      * to the default branch means the changes we make won't get written
      * back to user preferences.
      *
      * We want to do this here rather than in reftest.js because it's
      * important to force sRGB as an output profile for color management
      * before we load a window.
-     *
-     * If you change these, please adjust them in the bootstrap.js function 
-     * setDefaultPrefs().  These are duplicated there so we can have a 
-     * restartless addon for reftest on native Android.
-     *
-     * FIXME: These should be in only one place. 
      */
     var prefs = Components.classes["@mozilla.org/preferences-service;1"].
                 getService(Components.interfaces.nsIPrefService);
     var branch = prefs.getDefaultBranch("");
-    // For mochitests, we're more interested in testing the behavior of in-
-    // content XBL bindings, so we set this pref to true. In reftests, we're
-    // more interested in testing the behavior of XBL as it works in chrome,
-    // so we want this pref to be false.
-    branch.setBoolPref("dom.use_xbl_scopes_for_remote_xul", false);
-    branch.setBoolPref("gfx.color_management.force_srgb", true);
-    branch.setBoolPref("browser.dom.window.dump.enabled", true);
-    branch.setIntPref("ui.caretBlinkTime", -1);
-    branch.setBoolPref("dom.send_after_paint_to_content", true);
-    // no slow script dialogs
-    branch.setIntPref("dom.max_script_run_time", 0);
-    branch.setIntPref("dom.max_chrome_script_run_time", 0);
-    branch.setIntPref("hangmonitor.timeout", 0);
-    // Ensure autoplay is enabled for all platforms.
-    branch.setBoolPref("media.autoplay.enabled", true);
-    // Disable updates
-    branch.setBoolPref("app.update.enabled", false);
-    // Disable addon updates and prefetching so we don't leak them
-    branch.setBoolPref("extensions.update.enabled", false);
-    branch.setBoolPref("extensions.getAddons.cache.enabled", false);
-    // Disable blocklist updates so we don't have them reported as leaks
-    branch.setBoolPref("extensions.blocklist.enabled", false);
-    // Make url-classifier updates so rare that they won't affect tests
-    branch.setIntPref("urlclassifier.updateinterval", 172800);
-    // Disable high-quality downscaling, since it makes reftests more difficult.
-    branch.setBoolPref("image.high_quality_downscaling.enabled", false);
-    // Checking whether two files are the same is slow on Windows.
-    // Setting this pref makes tests run much faster there.
-    branch.setBoolPref("security.fileuri.strict_origin_policy", false);
-    // Disable the thumbnailing service
-    branch.setBoolPref("browser.pagethumbnails.capturing_disabled", true);
-    // Enable APZC so we can test it
-    branch.setBoolPref("layers.async-pan-zoom.enabled", true);
-    // Since our tests are 800px wide, set the assume-designed-for width of all
-    // pages to be 800px (instead of the default of 980px). This ensures that
-    // in our 800px window we don't zoom out by default to try to fit the
-    // assumed 980px content.
-    branch.setIntPref("browser.viewport.desktopWidth", 800);
-    // Disable the fade out (over time) of overlay scrollbars, since we
-    // can't guarantee taking both reftest snapshots at the same point
-    // during the fade.
-    branch.setBoolPref("layout.testing.overlay-scrollbars.always-visible", true);
+
+#include reftest-preferences.js
 
     var wwatch = Components.classes["@mozilla.org/embedcomp/window-watcher;1"]
                            .getService(nsIWindowWatcher);
 
     function loadReftests() {
       wwatch.openWindow(null, "chrome://reftest/content/reftest.xul", "_blank",
                         "chrome,dialog=no,all", args);
     }
new file mode 100644
--- /dev/null
+++ b/layout/tools/reftest/reftest-preferences.js
@@ -0,0 +1,43 @@
+    // For mochitests, we're more interested in testing the behavior of in-
+    // content XBL bindings, so we set this pref to true. In reftests, we're
+    // more interested in testing the behavior of XBL as it works in chrome,
+    // so we want this pref to be false.
+    branch.setBoolPref("dom.use_xbl_scopes_for_remote_xul", false);
+    branch.setBoolPref("gfx.color_management.force_srgb", true);
+    branch.setBoolPref("browser.dom.window.dump.enabled", true);
+    branch.setIntPref("ui.caretBlinkTime", -1);
+    branch.setBoolPref("dom.send_after_paint_to_content", true);
+    // no slow script dialogs
+    branch.setIntPref("dom.max_script_run_time", 0);
+    branch.setIntPref("dom.max_chrome_script_run_time", 0);
+    branch.setIntPref("hangmonitor.timeout", 0);
+    // Ensure autoplay is enabled for all platforms.
+    branch.setBoolPref("media.autoplay.enabled", true);
+    // Disable updates
+    branch.setBoolPref("app.update.enabled", false);
+    // Disable addon updates and prefetching so we don't leak them
+    branch.setBoolPref("extensions.update.enabled", false);
+    branch.setBoolPref("extensions.getAddons.cache.enabled", false);
+    // Disable blocklist updates so we don't have them reported as leaks
+    branch.setBoolPref("extensions.blocklist.enabled", false);
+    // Make url-classifier updates so rare that they won't affect tests
+    branch.setIntPref("urlclassifier.updateinterval", 172800);
+    // Disable high-quality downscaling, since it makes reftests more difficult.
+    branch.setBoolPref("image.high_quality_downscaling.enabled", false);
+    // Checking whether two files are the same is slow on Windows.
+    // Setting this pref makes tests run much faster there.
+    branch.setBoolPref("security.fileuri.strict_origin_policy", false);
+    // Disable the thumbnailing service
+    branch.setBoolPref("browser.pagethumbnails.capturing_disabled", true);
+    // Enable APZC so we can test it
+    branch.setBoolPref("layers.async-pan-zoom.enabled", true);
+    // Since our tests are 800px wide, set the assume-designed-for width of all
+    // pages to be 800px (instead of the default of 980px). This ensures that
+    // in our 800px window we don't zoom out by default to try to fit the
+    // assumed 980px content.
+    branch.setIntPref("browser.viewport.desktopWidth", 800);
+    // Disable the fade out (over time) of overlay scrollbars, since we
+    // can't guarantee taking both reftest snapshots at the same point
+    // during the fade.
+    branch.setBoolPref("layout.testing.overlay-scrollbars.always-visible", true);
+
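Review bot: This new fragment has no header saying that it is an include body rather than a standalone script: every statement uses a `branch` variable the file never declares, and there is no licence block. A reader opening it on its own cannot tell which scope it is expanded into. I would start the file with a comment such as `// Shared reftest default prefs; included into the harness pref setup, which must define 'branch' as the default pref branch.` Because the list turns off `security.fileuri.strict_origin_policy`, the blocklist and update checks, the header should also state that it is meant for test-harness profiles only.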
--- a/layout/tools/reftest/runreftest.py
+++ b/layout/tools/reftest/runreftest.py
@@ -158,16 +158,19 @@ class RefTest(object):
     if options.logFile:
       prefs['reftest.logFile'] = options.logFile
     if options.ignoreWindowSize:
       prefs['reftest.ignoreWindowSize'] = True
     if options.filter:
       prefs['reftest.filter'] = options.filter
     prefs['reftest.focusFilterMode'] = options.focusFilterMode
 
+    if options.e10s:
+      prefs['browser.tabs.remote.autostart'] = True
+
     for v in options.extraPrefs:
       thispref = v.split('=')
       if len(thispref) < 2:
         print "Error: syntax error in --setpref=" + v
         sys.exit(1)
       prefs[thispref[0]] = mozprofile.Preferences.cast(thispref[1].strip())
 
     # install the reftest extension bits into the profile
@@ -440,16 +443,22 @@ class ReftestOptions(OptionParser):
 
     self.add_option("--focus-filter-mode",
                     action = "store", type = "string", dest = "focusFilterMode",
                     help = "filters tests to run by whether they require focus. "
                            "Valid values are `all', `needs-focus', or `non-needs-focus'. "
                            "Defaults to `all'.")
     defaults["focusFilterMode"] = "all"
 
+    self.add_option("--e10s",
+                    action = "store_true",
+                    dest = "e10s",
+                    help = "enables content processes")
+    defaults["e10s"] = False
+
     self.set_defaults(**defaults)
 
   def verifyCommonOptions(self, options, reftest):
     if options.totalChunks is not None and options.thisChunk is None:
       self.error("thisChunk must be specified when totalChunks is specified")
 
     if options.totalChunks:
       if not 1 <= options.thisChunk <= options.totalChunks:
--- a/layout/xul/nsMenuPopupFrame.cpp
+++ b/layout/xul/nsMenuPopupFrame.cpp
@@ -1329,24 +1329,25 @@ nsMenuPopupFrame::SetPopupPosition(nsIFr
     }
 
     NS_ASSERTION(screenPoint.x >= screenRect.x && screenPoint.y >= screenRect.y &&
                  screenPoint.x + mRect.width <= screenRect.XMost() &&
                  screenPoint.y + mRect.height <= screenRect.YMost(),
                  "Popup is offscreen");
   }
 
+  // snap the popup's position in screen coordinates to device pixels,
+  // see bug 622507, bug 961431
+  screenPoint.x = presContext->RoundAppUnitsToNearestDevPixels(screenPoint.x);
+  screenPoint.y = presContext->RoundAppUnitsToNearestDevPixels(screenPoint.y);
+
   // determine the x and y position of the view by subtracting the desired
   // screen position from the screen position of the root frame.
   nsPoint viewPoint = screenPoint - rootScreenRect.TopLeft();
 
-  // snap the view's position to device pixels, see bug 622507
-  viewPoint.x = presContext->RoundAppUnitsToNearestDevPixels(viewPoint.x);
-  viewPoint.y = presContext->RoundAppUnitsToNearestDevPixels(viewPoint.y);
-
   nsView* view = GetView();
   NS_ASSERTION(view, "popup with no view");
 
   // Offset the position by the width and height of the borders and titlebar.
   // Even though GetClientOffset should return (0, 0) when there is no
   // titlebar or borders, we skip these calculations anyway for non-panels
   // to save time since they will never have a titlebar.
   nsIWidget* widget = view->GetWidget();
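Review bot: The snap of `screenPoint` now runs after the "Popup is offscreen" assertion just above, so the value actually used is no longer the one that was checked. Rounding to the nearest device pixel can move the point up by a fraction of a pixel, after which `screenPoint.x + mRect.width` could exceed `screenRect.XMost()`. In addition, `viewPoint` is now `screenPoint - rootScreenRect.TopLeft()` with no rounding of its own, so it is only pixel-aligned if the root's top-left is, which this hunk does not show. Either move the snap ahead of the assertion block or record the assumption with a comment such as `// rootScreenRect.TopLeft() is assumed to be device-pixel aligned`. SetPopupPosition starts and ends outside this hunk.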
--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
@@ -129,17 +129,16 @@ static nsresult InitNSSInContent()
 #endif // MOZILLA_INTERNAL_API
 
 namespace mozilla {
   class DataChannel;
 }
 
 class nsIDOMDataChannel;
 
-static const int DTLS_FINGERPRINT_LENGTH = 64;
 static const int MEDIA_STREAM_MUTE = 0x80;
 
 PRLogModuleInfo *signalingLogInfo() {
   static PRLogModuleInfo *logModuleInfo = nullptr;
   if (!logModuleInfo) {
     logModuleInfo = PR_NewLogModule("signaling");
   }
   return logModuleInfo;
--- a/memory/mozjemalloc/jemalloc.c
+++ b/memory/mozjemalloc/jemalloc.c
@@ -7013,25 +7013,25 @@ ozone_free_definite_size(malloc_zone_t *
 		assert(size == szone->size(zone, ptr));
 		l_szone.m16(zone, ptr, size);
 	}
 }
 
 static void
 ozone_force_lock(malloc_zone_t *zone)
 {
-	/* jemalloc locking is taken care of by the normal jemalloc zone. */
+	_malloc_prefork();
 	szone->introspect->force_lock(zone);
 }
 
 static void
 ozone_force_unlock(malloc_zone_t *zone)
 {
-	/* jemalloc locking is taken care of by the normal jemalloc zone. */
 	szone->introspect->force_unlock(zone);
+        _malloc_postfork();
 }
 
 static size_t
 zone_version_size(int version)
 {
     switch (version)
     {
         case SNOW_LEOPARD_MALLOC_ZONE_T_VERSION:
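Review bot: `ozone_force_lock` and `ozone_force_unlock` now call `_malloc_prefork()` and `_malloc_postfork()`, but the comments that explained the locking arrangement were deleted without a replacement, and the new `_malloc_postfork();` line is indented with spaces where the neighbouring lines use tabs. These hooks decide which allocator locks are held across fork(), so the ordering deserves a comment, for example `/* Take jemalloc's own locks first; they are released last in ozone_force_unlock. */`. It is also worth confirming that nothing else still runs the prefork/postfork pair for the same fork. The removed comment implies the locks were handled elsewhere before, and a second acquisition would deadlock if they are not recursive; that cannot be checked from this hunk.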
--- a/mobile/android/base/tests/BaseTest.java
+++ b/mobile/android/base/tests/BaseTest.java
@@ -176,20 +176,18 @@ abstract class BaseTest extends BaseRobo
 
         // Wait for highlighed text to gain focus
         boolean success = waitForCondition(new Condition() {
             @Override
             public boolean isSatisfied() {
                 EditText urlEditText = (EditText) mSolo.getView(R.id.url_edit_text);
                 if (urlEditText.isInputMethodTarget()) {
                     return true;
-                } else {
-                    mSolo.clickOnView(urlEditText);
-                    return false;
                 }
+                return false;
             }
         }, MAX_WAIT_ENABLED_TEXT_MS);
 
         mAsserter.ok(success, "waiting for urlbar text to gain focus", "urlbar text gained focus");
     }
 
     protected final void enterUrl(String url) {
         final EditText urlEditView = (EditText) mSolo.getView(R.id.url_edit_text);
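Review bot: With the click removed, `isSatisfied()` is an `if` / `return true` / `return false` ladder that can be written as `return urlEditText.isInputMethodTarget();`. The result of `mSolo.getView(R.id.url_edit_text)` is also dereferenced on every poll without a null check, so if that call can return null a missing view would show up as a NullPointerException rather than as the "waiting for urlbar text to gain focus" failure. `return urlEditText != null && urlEditText.isInputMethodTarget();` covers both. The enclosing method starts outside this hunk.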
--- a/mobile/android/base/webapp/WebappImpl.java
+++ b/mobile/android/base/webapp/WebappImpl.java
@@ -46,17 +46,20 @@ public class WebappImpl extends GeckoApp
     private static final String LOGTAG = "GeckoWebappImpl";
 
     private URL mOrigin;
     private TextView mTitlebarText = null;
     private View mTitlebar = null;
 
     private View mSplashscreen;
 
+    private boolean mIsApk = true;
     private ApkResources mApkResources;
+    private String mManifestUrl;
+    private String mAppName;
 
     protected int getIndex() { return 0; }
 
     @Override
     public int getLayout() { return R.layout.web_app; }
 
     @Override
     public boolean hasTabsSideBar() { return false; }
@@ -74,28 +77,46 @@ public class WebappImpl extends GeckoApp
         if (extras == null) {
             extras = new Bundle();
         }
 
         boolean isInstalled = extras.getBoolean("isInstalled", false);
         String packageName = extras.getString("packageName");
 
         if (packageName == null) {
-            // TODO Migration path!
-            Log.w(LOGTAG, "Can't find package name for webapp");
-            setResult(RESULT_CANCELED);
-            finish();
-        }
+            Log.w(LOGTAG, "no package name; treating as legacy shortcut");
+
+            mIsApk = false;
+
+            // Shortcut apps are already installed.
+            isInstalled = true;
 
-        try {
-            mApkResources = new ApkResources(this, packageName);
-        } catch (NameNotFoundException e) {
-            Log.e(LOGTAG, "Can't find package for webapp " + packageName, e);
-            setResult(RESULT_CANCELED);
-            finish();
+            Uri data = getIntent().getData();
+            if (data == null) {
+                Log.wtf(LOGTAG, "can't get manifest URL from shortcut data");
+                setResult(RESULT_CANCELED);
+                finish();
+                return;
+            }
+            mManifestUrl = data.toString();
+
+            String shortcutName = extras.getString(Intent.EXTRA_SHORTCUT_NAME);
+            mAppName = shortcutName != null ? shortcutName : "Web App";
+        } else {
+            try {
+                mApkResources = new ApkResources(this, packageName);
+            } catch (NameNotFoundException e) {
+                Log.e(LOGTAG, "Can't find package for webapp " + packageName, e);
+                setResult(RESULT_CANCELED);
+                finish();
+                return;
+            }
+
+            mManifestUrl = mApkResources.getManifestUrl();
+            mAppName = mApkResources.getAppName();
         }
 
         // start Gecko.
         super.onCreate(savedInstance);
 
         mTitlebarText = (TextView)findViewById(R.id.webapp_title);
         mTitlebar = findViewById(R.id.webapp_titlebar);
         mSplashscreen = findViewById(R.id.splashscreen);
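Review bot: Both new `finish(); return;` paths leave `onCreate` before `super.onCreate(savedInstance)` is reached. Android requires an `onCreate` override to call through to the superclass and throws `SuperNotCalledException` when it does not. The two error cases (a legacy shortcut with no intent data, and a package that cannot be found) would therefore most likely crash instead of closing with `RESULT_CANCELED`. Since `super.onCreate` also starts Gecko here, per the `// start Gecko.` comment, one option is to record the failure in a local flag, let `super.onCreate(savedInstance)` run, and then call `finish()` and return. onCreate begins and ends outside this hunk.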
@@ -108,17 +129,17 @@ public class WebappImpl extends GeckoApp
         allocator.maybeMigrateOldPrefs(index);
 
         String origin = allocator.getOrigin(index);
         boolean isInstallCompleting = (origin == null);
 
         if (!GeckoThread.checkLaunchState(GeckoThread.LaunchState.GeckoRunning) || !isInstalled || isInstallCompleting) {
             // Show the splash screen if we need to start Gecko, or we need to install this.
             overridePendingTransition(R.anim.grow_fade_in_center, android.R.anim.fade_out);
-            showSplash(true);
+            showSplash();
         } else {
             mSplashscreen.setVisibility(View.GONE);
         }
 
         if (!isInstalled || isInstallCompleting) {
             InstallHelper installHelper = new InstallHelper(getApplicationContext(), mApkResources, this);
             if (!isInstalled) {
                 // start the vanilla install.
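Review bot: `mApkResources` is now null for legacy shortcuts, yet it is still passed to `new InstallHelper(getApplicationContext(), mApkResources, this)` whenever `isInstallCompleting` is true. The shortcut path forces `isInstalled = true`, but `isInstallCompleting` comes from `allocator.getOrigin(index) == null`, which a shortcut that was never registered with the allocator could plausibly hit. In that case the activity either dereferences null inside InstallHelper or sits behind the splash screen waiting for an install event that never arrives (InstallHelper is not visible here, so this is inferred). I would guard the branch with `if (mIsApk && (!isInstalled || isInstallCompleting)) {`, and `setOrigin` would then need a null check on `origin` before `origin.startsWith("app://")`. onCreate continues outside this hunk.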
@@ -129,51 +150,59 @@ public class WebappImpl extends GeckoApp
                 }
             } else {
                 // an install is already happening, so we should let it complete.
                 Log.i(LOGTAG, "Waiting for existing install to complete");
                 installHelper.registerGeckoListener();
             }
             return;
         } else {
-            launchWebapp(origin, mApkResources.getManifestUrl(), mApkResources.getAppName());
+            launchWebapp(origin);
         }
 
-        setTitle(mApkResources.getAppName());
+        setTitle(mAppName);
     }
 
     @Override
     protected String getURIFromIntent(Intent intent) {
         String uri = super.getURIFromIntent(intent);
         if (uri != null) {
             return uri;
         }
         // This is where we construct the URL from the Intent from the
         // the synthesized APK.
 
         // TODO Translate AndroidIntents into WebActivities here.
-        return mApkResources.getManifestUrl();
+        if (mIsApk) {
+            return mApkResources.getManifestUrl();
+        }
+
+        // If this is a legacy shortcut, then we should have been able to get
+        // the URI from the intent data.  Otherwise, we should have been able
+        // to get it from the APK resources.  So we should never get here.
+        Log.wtf(LOGTAG, "Couldn't get URI from intent nor APK resources");
+        return null;
     }
 
     @Override
     protected void loadStartupTab(String uri) {
         // NOP
     }
 
-    private void showSplash(boolean isApk) {
+    private void showSplash() {
 
         // get the favicon dominant color, stored when the app was installed
         int dominantColor = Allocator.getInstance().getColor(getIndex());
 
         setBackgroundGradient(dominantColor);
 
         ImageView image = (ImageView)findViewById(R.id.splashscreen_icon);
         Drawable d = null;
 
-        if (isApk) {
+        if (mIsApk) {
             Uri uri = mApkResources.getAppIconUri();
             image.setImageURI(uri);
             d = image.getDrawable();
         } else {
             // look for a logo.png in the profile dir and show it. If we can't find a logo show nothing
             File profile = getProfile().getDir();
             File logoFile = new File(profile, "logo.png");
             if (logoFile.exists()) {
@@ -294,53 +323,66 @@ public class WebappImpl extends GeckoApp
     @Override
     public void installCompleted(InstallHelper installHelper, String event, JSONObject message) {
         if (event == null) {
             return;
         }
 
         if (event.equals("Webapps:Postinstall")) {
             String origin = message.optString("origin");
-            launchWebapp(origin, mApkResources.getManifestUrl(), mApkResources.getAppName());
+            launchWebapp(origin);
         }
     }
 
     @Override
     public void installErrored(InstallHelper installHelper, Exception exception) {
         Log.e(LOGTAG, "Install errored", exception);
     }
 
-    public void launchWebapp(String origin, String manifestUrl, String name) {
+    private void setOrigin(String origin) {
         try {
             mOrigin = new URL(origin);
         } catch (java.net.MalformedURLException ex) {
-            // If we can't parse the this is an app protocol, just settle for not having an origin
+            // If this isn't an app: URL, just settle for not having an origin.
             if (!origin.startsWith("app://")) {
                 return;
             }
 
-            // If that failed fall back to the origin stored in the shortcut
-            Log.i(LOGTAG, "Webapp is not registered with allocator");
-            Uri data = getIntent().getData();
-            if (data != null) {
-                try {
-                    mOrigin = new URL(data.toString());
-                } catch (java.net.MalformedURLException ex2) {
-                    Log.e(LOGTAG, "Unable to parse intent url: ", ex);
+            // If that failed fall back to the origin stored in the shortcut.
+            if (!mIsApk) {
+                Log.i(LOGTAG, "Origin is app: URL; falling back to intent URL");
+                Uri data = getIntent().getData();
+                if (data != null) {
+                    try {
+                        mOrigin = new URL(data.toString());
+                    } catch (java.net.MalformedURLException ex2) {
+                        Log.e(LOGTAG, "Unable to parse intent URL: ", ex);
+                    }
                 }
             }
         }
+    }
+
+    public void launchWebapp(String origin) {
+        setOrigin(origin);
+
         try {
             JSONObject launchObject = new JSONObject();
-            launchObject.putOpt("url", manifestUrl);
-            launchObject.putOpt("name", mApkResources.getAppName());
+            launchObject.putOpt("url", mManifestUrl);
+            launchObject.putOpt("name", mAppName);
             Log.i(LOGTAG, "Trying to launch: " + launchObject);
             GeckoAppShell.sendEventToGecko(GeckoEvent.createBroadcastEvent("Webapps:Load", launchObject.toString()));
         } catch (JSONException e) {
             Log.e(LOGTAG, "Error populating launch message", e);
         }
     }
 
     @Override
     protected boolean getIsDebuggable() {
-        return mApkResources.isDebuggable();
+        if (mIsApk) {
+            return mApkResources.isDebuggable();
+        }
+
+        // This is a legacy shortcut, which didn't provide a way to determine
+        // that the app is debuggable, so we say the app is not debuggable.
+        return false;
     }
 }
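Review bot: For legacy shortcuts, `mManifestUrl` and the fallback origin in `setOrigin` both come straight from `getIntent().getData()`, and `launchWebapp` forwards the manifest URL to Gecko in the `Webapps:Load` message without checking it. Intent data is supplied by whoever started the activity. If other apps can launch this activity (the Android manifest is not part of this diff), the URL should be validated before use: accept only the schemes a shortcut can legitimately carry and reject anything else with `RESULT_CANCELED`. Separately, the inner catch in `setOrigin` logs the outer exception; `Log.e(LOGTAG, "Unable to parse intent URL: ", ex);` should pass `ex2`.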
--- a/netwerk/base/public/nsIThreadRetargetableRequest.idl
+++ b/netwerk/base/public/nsIThreadRetargetableRequest.idl
@@ -7,26 +7,27 @@
 #include "nsISupports.idl"
 
 interface nsIEventTarget;
 
 /**
  * nsIThreadRetargetableRequest
  *
  * Should be implemented by requests that support retargeting delivery of
- * OnDataAvailable off the main thread. Note, OnStopRequest will be delivered
- * back on the main thread.
+ * data off the main thread.
  */
 [uuid(27b84c48-5a73-4ba4-a8a4-8b5e649a145e)]
 interface nsIThreadRetargetableRequest : nsISupports
 {
   /**
    * Called to retarget delivery of OnDataAvailable to another thread. Should
-   * only be called within the context of OnStartRequest on the main thread.
-   * OnStopRequest will be delivered back on the main thread.
+   * only be called before AsyncOpen for nsIWebsocketChannels, or during
+   * OnStartRequest for nsIHttpChannels.
+   * Note: For nsIHttpChannels, OnStartRequest and OnStopRequest will still be
+   * delivered on the main thread.
    *
    * @param aNewTarget New event target, e.g. thread or threadpool.
    *
    * Note: no return value is given. If the retargeting cannot be handled,
    * normal delivery to the main thread will continue. As such, listeners
    * should be ready to deal with OnDataAvailable on either the main thread or
    * the new target thread.
    */
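Review bot: The rewritten method comment states when retargeting may be requested for each channel type, but only for HTTP channels does it say which callbacks stay on the main thread. The trailing note still speaks only of OnDataAvailable, which WebSocket listeners presumably do not receive, so an implementer cannot tell from this text which WebSocket listener callbacks must be safe to run off the main thread. I would add one sentence naming the callbacks that move to `aNewTarget` for WebSocket channels and the ones that do not. The interface name is also spelled `nsIWebSocketChannel` in the tree, which the comment could follow. The method declaration itself lies outside the hunk.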
--- a/netwerk/base/src/Dashboard.cpp
+++ b/netwerk/base/src/Dashboard.cpp
@@ -312,17 +312,17 @@ LookupHelper::ConstructAnswer(LookupArgu
            aRecord->HasMore(&hasMore);
         }
     } else {
         dict.mAnswer = false;
         CopyASCIItoUTF16(Dashboard::GetErrorString(mStatus), dict.mError);
     }
 
     JS::RootedValue val(cx);
-    if (!dict.ToObject(cx, JS::NullPtr(), &val)) {
+    if (!dict.ToObject(cx, &val)) {
         return NS_ERROR_FAILURE;
     }
 
     this->mCallback->OnDashboardDataAvailable(val);
 
     return NS_OK;
 }
 
@@ -395,17 +395,17 @@ Dashboard::GetSockets(SocketData *aSocke
         mSocket.mReceived = (double) socketData->mData[i].received;
         dict.mSent += socketData->mData[i].sent;
         dict.mReceived += socketData->mData[i].received;
     }
 
     dict.mSent += socketData->mTotalSent;
     dict.mReceived += socketData->mTotalRecv;
     JS::RootedValue val(cx);
-    if (!dict.ToObject(cx, JS::NullPtr(), &val))
+    if (!dict.ToObject(cx, &val))
         return NS_ERROR_FAILURE;
     socketData->mCallback->OnDashboardDataAvailable(val);
 
     return NS_OK;
 }
 
 NS_IMETHODIMP
 Dashboard::RequestHttpConnections(NetDashboardCallback *aCallback)
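Review bot: The edited check in Dashboard::GetSockets, `if (!dict.ToObject(cx, &val))`, keeps a brace-less `return NS_ERROR_FAILURE;`, as does the one in Dashboard::GetConnectionStatus. The four other ToObject call sites changed in this file brace the body. Since each of these lines is touched anyway, both could take the braced form, `if (!dict.ToObject(cx, &val)) {`, so the six error paths read the same. The function bodies start outside their hunks.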
@@ -498,17 +498,17 @@ Dashboard::GetHttpConnections(HttpData *
 
         for (uint32_t j = 0; j < httpData->mData[i].halfOpens.Length(); j++) {
             HalfOpenInfoDict &info = *halfOpens.AppendElement();
             info.mSpeculative = httpData->mData[i].halfOpens[j].speculative;
         }
     }
 
     JS::RootedValue val(cx);
-    if (!dict.ToObject(cx, JS::NullPtr(), &val)) {
+    if (!dict.ToObject(cx, &val)) {
         return NS_ERROR_FAILURE;
     }
 
     httpData->mCallback->OnDashboardDataAvailable(val);
 
     return NS_OK;
 }
 
@@ -625,17 +625,17 @@ Dashboard::GetWebSocketConnections(WebSo
         websocket.mMsgsent = mWs.data[i].mMsgSent;
         websocket.mMsgreceived = mWs.data[i].mMsgReceived;
         websocket.mSentsize = mWs.data[i].mSizeSent;
         websocket.mReceivedsize = mWs.data[i].mSizeReceived;
         websocket.mEncrypted = mWs.data[i].mEncrypted;
     }
 
     JS::RootedValue val(cx);
-    if (!dict.ToObject(cx, JS::NullPtr(), &val)) {
+    if (!dict.ToObject(cx, &val)) {
         return NS_ERROR_FAILURE;
     }
     wsRequest->mCallback->OnDashboardDataAvailable(val);
 
     return NS_OK;
 }
 
 NS_IMETHODIMP
@@ -712,17 +712,17 @@ Dashboard::GetDNSCacheEntries(DnsData *d
         if (dnsData->mData[i].family == PR_AF_INET6) {
             CopyASCIItoUTF16("ipv6", entry.mFamily);
         } else {
             CopyASCIItoUTF16("ipv4", entry.mFamily);
         }
     }
 
     JS::RootedValue val(cx);
-    if (!dict.ToObject(cx, JS::NullPtr(), &val)) {
+    if (!dict.ToObject(cx, &val)) {
         return NS_ERROR_FAILURE;
     }
     dnsData->mCallback->OnDashboardDataAvailable(val);
 
     return NS_OK;
 }
 
 NS_IMETHODIMP
@@ -814,17 +814,17 @@ Dashboard::GetConnectionStatus(Connectio
 {
     nsRefPtr<ConnectionData> connectionData = aConnectionData;
     AutoSafeJSContext cx;
 
     mozilla::dom::ConnStatusDict dict;
     dict.mStatus = connectionData->mStatus;
 
     JS::RootedValue val(cx);
-    if (!dict.ToObject(cx, JS::NullPtr(), &val))
+    if (!dict.ToObject(cx, &val))
         return NS_ERROR_FAILURE;
 
     connectionData->mCallback->OnDashboardDataAvailable(val);
 
     return NS_OK;
 }
 
 nsresult
--- a/netwerk/streamconv/converters/nsIndexedToHTML.cpp
+++ b/netwerk/streamconv/converters/nsIndexedToHTML.cpp
@@ -728,16 +728,20 @@ nsIndexedToHTML::OnIndexAvailable(nsIReq
             break;
         default:
             pushBuffer.AppendLiteral("file");
             break;
     }
 
     pushBuffer.AppendLiteral("\" href=\"");
 
+    nsXPIDLCString encoding;
+    rv = mParser->GetEncoding(getter_Copies(encoding));
+    if (NS_FAILED(rv)) return rv;
+
     // need to escape links
     nsAutoCString locEscaped;
 
     // Adding trailing slash helps to recognize whether the URL points to a file
     // or a directory (bug #214405).
     if ((type == nsIDirIndex::TYPE_DIRECTORY) && (loc.Last() != '/')) {
         loc.Append('/');
     }
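Review bot: The encoding lookup is inserted right after the `href="` literal, well ahead of its only use in the next hunk of this file, and it runs once per index entry. If the parser's encoding cannot change between entries (not visible here), reading it once when the listing starts would avoid the repeated call. Otherwise the three added lines could move down next to the `EqualsLiteral` test, so the failure return and the use sit together. A comment such as `// The listing's encoding decides whether non-ASCII bytes in the href must be percent-escaped.` would say why it is fetched. OnIndexAvailable starts and ends outside the hunk.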
@@ -759,16 +763,22 @@ nsIndexedToHTML::OnIndexAvailable(nsIReq
         // that directory will be incorrect
         escFlags = esc_Forced | esc_OnlyASCII | esc_AlwaysCopy | esc_FileBaseName | esc_Colon | esc_Directory;
     }
     NS_EscapeURL(loc.get(), loc.Length(), escFlags, locEscaped);
     // esc_Directory does not escape the semicolons, so if a filename
     // contains semicolons we need to manually escape them.
     // This replacement should be removed in bug #473280
     locEscaped.ReplaceSubstring(";", "%3b");
+    if (!encoding.EqualsLiteral("UTF-8")) {
+        // Escape all non-ASCII bytes to preserve the raw value.
+        nsAutoCString outstr;
+        NS_EscapeURL(locEscaped, esc_AlwaysCopy | esc_OnlyNonASCII, outstr);
+        locEscaped = outstr;
+    }
     nsAdoptingCString htmlEscapedURL(nsEscapeHTML(locEscaped.get()));
     pushBuffer.Append(htmlEscapedURL);
 
     pushBuffer.AppendLiteral("\">");
 
     if (type == nsIDirIndex::TYPE_FILE || type == nsIDirIndex::TYPE_UNKNOWN) {
         pushBuffer.AppendLiteral("<img src=\"moz-icon://");
         int32_t lastDot = locEscaped.RFindChar('.');
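Review bot: The test `!encoding.EqualsLiteral("UTF-8")` is case-sensitive, so if the parser does not normalise the label (not visible here), a listing labelled `utf-8` takes the escaping branch. That is harmless for the link, since percent-escaped UTF-8 bytes are the same bytes, but the branch then depends on label spelling. `if (!encoding.LowerCaseEqualsLiteral("utf-8")) {` states the intent. The added comment could also give the reason: entry names come from the remote listing, and raw non-ASCII bytes in a page that is not UTF-8 would presumably be re-encoded when the link is resolved, so the request would no longer match the server's name. The second escape runs before `nsEscapeHTML`, which keeps the existing URL-escape-then-HTML-escape order; the function continues outside the hunk.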
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku.js
@@ -0,0 +1,3518 @@
+//// AUTOGENERATED FILE, DO NOT EDIT
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+
+function cert_from_file(filename) {
+  let der = readFile(do_get_file("test_cert_eku/" + filename, false));
+  return certdb.constructX509(der, der.length);
+}
+
+function load_cert(cert_name, trust_string) {
+  var cert_filename = cert_name + ".der";
+  addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
+  return cert_from_file(cert_filename);
+}
+
+function check_cert_err_generic(cert, expected_error, usage) {
+  do_print("cert cn=" + cert.commonName);
+  do_print("cert issuer cn=" + cert.issuerCommonName);
+  let hasEVPolicy = {};
+  let verifiedChain = {};
+  let error = certdb.verifyCertNow(cert, usage,
+                                   NO_FLAGS, verifiedChain, hasEVPolicy);
+  // expected error == 1 is a special marker for any error is OK
+  // use to simplify tests for the classic NSS code
+  if (expected_error != -1 ) {
+    do_check_eq(error,  expected_error);
+  } else {
+    do_check_neq (error, 0);
+  }
+}
+
+function check_ok_ca(cert) {
+  return check_cert_err_generic(cert, 0, certificateUsageSSLCA);
+}
+
+function check_ok_ee(cert, usage) {
+  return check_cert_err_generic(cert, 0, usage);
+}
+
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                             useMozillaPKIX);
+
+  check_cert_err_generic(load_cert('int-EKU-CA', ',,'), useMozillaPKIX ? -1 : 0, certificateUsageSSLCA) ;
+  check_ok_ee(cert_from_file('ee-EKU-CA-int-EKU-CA.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_cert_err_generic(load_cert('int-EKU-CA_EP', ',,'), useMozillaPKIX ? -1 : 0, certificateUsageSSLCA) ;
+  check_ok_ee(cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  load_cert('int-EKU-CA_EP_NS_OS_SA_TS', ',,');
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS-int-EKU-CA_EP_NS_OS_SA_TS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_EP_NS_OS_SA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_ok_ca(load_cert('int-EKU-CA_NS', ',,'));
+  check_ok_ee(cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_cert_err_generic(load_cert('int-EKU-CA_OS', ',,'), useMozillaPKIX ? -1 : 0, certificateUsageSSLCA) ;
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_ok_ee(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS-int-EKU-CA_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_ok_ca(load_cert('int-EKU-CA_SA', ',,'));
+  check_ok_ee(cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_cert_err_generic(load_cert('int-EKU-CA_TS', ',,'), useMozillaPKIX ? -1 : 0, certificateUsageSSLCA) ;
+  check_ok_ee(cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-CA_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_cert_err_generic(load_cert('int-EKU-EP', ',,'), useMozillaPKIX ? -1 : -1, certificateUsageSSLCA) ;
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_ok_ca(load_cert('int-EKU-EP_NS', ',,'));
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_cert_err_generic(load_cert('int-EKU-EP_OS', ',,'), useMozillaPKIX ? -1 : -1, certificateUsageSSLCA) ;
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS-int-EKU-EP_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_ok_ca(load_cert('int-EKU-EP_SA', ',,'));
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_cert_err_generic(load_cert('int-EKU-EP_TS', ',,'), useMozillaPKIX ? -1 : -1, certificateUsageSSLCA) ;
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-EP_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_ok_ca(load_cert('int-EKU-NONE', ',,'));
+  check_ok_ee(cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NONE.der'), certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_OS-int-EKU-NONE.der'), certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_OS-int-EKU-NONE.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), certificateUsageEmailSigner);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_OS-int-EKU-NONE.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS-int-EKU-NONE.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_SA-int-EKU-NONE.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_TS-int-EKU-NONE.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NONE.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_ok_ca(load_cert('int-EKU-NS', ',,'));
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA-int-EKU-NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  load_cert('int-EKU-NS_OS', ',,');
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_ok_ee(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS-int-EKU-NS_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_OS.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_ok_ca(load_cert('int-EKU-NS_SA', ',,'));
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_ok_ca(load_cert('int-EKU-NS_TS', ',,'));
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-NS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_ok_ee(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-NS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_cert_err_generic(load_cert('int-EKU-OS', ',,'), useMozillaPKIX ? -1 : -1, certificateUsageSSLCA) ;
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  load_cert('int-EKU-OS_SA', ',,');
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_ok_ee(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_SA.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_SA.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_ok_ee(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_SA.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_SA.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS-int-EKU-OS_SA.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), useMozillaPKIX? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_SA.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_ok_ee(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_SA.der'), certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : 0, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA_TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-TS-int-EKU-OS_SA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+
+  check_cert_err_generic(load_cert('int-EKU-OS_TS', ',,'), useMozillaPKIX ? -1 : -1, certificateUsageSSLCA) ;
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_EP_NS_OS_SA_TS-int-EKU-OS_TS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_OS-int-EKU-OS_TS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-CA_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  }
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_OS-int-EKU-OS_TS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-EP_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NONE-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_OS-int-EKU-OS_TS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERROR_INADEQUATE_CERT_TYPE : -1, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-NS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS-int-EKU-OS_TS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  if (useMozillaPKIX) {
+    check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  }
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_SA-int-EKU-OS_TS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), -1, certificateUsageSSLCA);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
+  check_cert_err_generic(cert_from_file('ee-EKU-OS_TS-int-EKU-OS_TS.der'), useMozillaPKIX? 0 : -1, certificateUsageStatusResponder);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS_TS.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLClient);
+  check_cert_err_generic(cert_from_file('ee-EKU-SA-int-EKU-OS_TS.der'), useMozillaPKIX ? SEC_ERR