Backed out changeset f5fa8ea86d3b (bug 622859)
authorCarsten "Tomcat" Book <cbook@mozilla.com>
Fri, 17 Oct 2014 13:13:01 +0200
changeset 211020 a7e637d5287d642af2c48bf8ed9961c80960ee57
parent 211019 ce11ac061a1bdd1071615a878bce8cc0300dd178
child 211021 209ec35a59c13bfccd4b5a787268cb4e1eaf1bb3
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
bugs622859
milestone36.0a1
backs outf5fa8ea86d3b7645835b35b4fe6ff35860eea18c
Backed out changeset f5fa8ea86d3b (bug 622859)
security/certverifier/ExtendedValidation.cpp
security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
security/manager/ssl/tests/unit/test_keysize/cert9.db
security/manager/ssl/tests/unit/test_keysize/dsa-caBad.der
security/manager/ssl/tests/unit/test_keysize/dsa-caOK.der
security/manager/ssl/tests/unit/test_keysize/dsa-eeBad-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/dsa-eeOK-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/dsa-eeOK-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/dsa-eeOK-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/dsa-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/dsa-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/dsa-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-caBad.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-eeBad-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-eeOK-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-eeOK-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-eeOK-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/ev-rsa-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/generate.py
security/manager/ssl/tests/unit/test_keysize/key4.db
security/manager/ssl/tests/unit/test_keysize/pkcs11.txt
security/manager/ssl/tests/unit/test_keysize/rsa-caBad.der
security/manager/ssl/tests/unit/test_keysize/rsa-caOK.der
security/manager/ssl/tests/unit/test_keysize/rsa-eeBad-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/rsa-eeOK-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/rsa-eeOK-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/rsa-eeOK-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize/rsa-intBad-caOK.der
security/manager/ssl/tests/unit/test_keysize/rsa-intOK-caBad.der
security/manager/ssl/tests/unit/test_keysize/rsa-intOK-caOK.der
security/manager/ssl/tests/unit/test_keysize_ev.js
security/manager/ssl/tests/unit/xpcshell.ini
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -85,58 +85,44 @@ struct nsMyTrustedEVInfo
 //
 // If you are able to connect to the site without certificate errors,
 // but you don't see the EV status indicator, then most likely the CA
 // has a problem in their infrastructure. The most common problems are
 // related to the CA's OCSP infrastructure, either they use an incorrect
 // OCSP signing certificate, or OCSP for the intermediate certificates
 // isn't working, or OCSP isn't working at all.
 
-static const size_t NUM_TEST_EV_ROOTS = 2;
 static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
   // IMPORTANT! When extending this list,
   // pairs of dotted_oid and oid_name should always be unique pairs.
   // In other words, if you add another list, that uses the same dotted_oid
   // as an existing entry, then please use the same oid_name.
 #ifdef DEBUG
   // Debug EV certificates should all use the OID (repeating EV OID is OK):
   // 1.3.6.1.4.1.13769.666.666.666.1.500.9.1.
-  // If you add or remove debug EV certs you must also modify NUM_TEST_EV_ROOTS
-  // so that the correct number of certs are skipped as these debug EV certs are
-  // NOT part of the default trust store.
+  // If you add or remove debug EV certs you must also modify IdentityInfoInit
+  // (there is another #ifdef DEBUG section there) so that the correct number of
+  // certs are skipped as these debug EV certs are NOT part of the default trust
+  // store.
   {
     // This is the testing EV signature (xpcshell) (RSA)
     // CN=XPCShell EV Testing (untrustworthy) CA,OU=Security Engineering,O=Mozilla - EV debug test CA,L=Mountain View,ST=CA,C=US"
     "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
     "DEBUGtesting EV OID",
     SEC_OID_UNKNOWN,
     { 0x2D, 0x94, 0x52, 0x70, 0xAA, 0x92, 0x13, 0x0B, 0x1F, 0xB1, 0x24,
       0x0B, 0x24, 0xB1, 0xEE, 0x4E, 0xFB, 0x7C, 0x43, 0x45, 0x45, 0x7F,
       0x97, 0x6C, 0x90, 0xBF, 0xD4, 0x8A, 0x04, 0x79, 0xE4, 0x68 },
     "MIGnMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWlu"
     "IFZpZXcxIzAhBgNVBAoMGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0wGwYD"
     "VQQLDBRTZWN1cml0eSBFbmdpbmVlcmluZzEvMC0GA1UEAwwmWFBDU2hlbGwgRVYg"
     "VGVzdGluZyAodW50cnVzdHdvcnRoeSkgQ0E=",
     "At+3zdo=",
     nullptr
   },
-  {
-    // The RSA root with an inadequate key size used for EV key size checking
-    // O=ev-rsa-caBad,CN=XPCShell Key Size Testing rsa 2040-bit (EV)
-    "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
-    "DEBUGtesting EV OID",
-    SEC_OID_UNKNOWN,
-    { 0x0E, 0xE2, 0x7A, 0x44, 0xD3, 0xAB, 0x66, 0x1A, 0x31, 0xBF, 0x0C,
-      0x1C, 0xFC, 0xAA, 0xD9, 0xD6, 0x27, 0x75, 0xC2, 0xDB, 0xC5, 0x69,
-      0xD7, 0x1C, 0xDE, 0x9C, 0x7E, 0xD5, 0x86, 0x88, 0x6C, 0xB7 },
-    "ME0xNDAyBgNVBAMMK1hQQ1NoZWxsIEtleSBTaXplIFRlc3RpbmcgcnNhIDIwNDAt"
-    "Yml0IChFVikxFTATBgNVBAoMDGV2LXJzYS1jYUJhZA==",
-    "PCQ3",
-    nullptr
-  },
 #endif
   {
     // OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
     "1.2.392.200091.100.721.1",
     "SECOM EV OID",
     SEC_OID_UNKNOWN,
     { 0xA2, 0x2D, 0xBA, 0x68, 0x1E, 0x97, 0x37, 0x6E, 0x2D, 0x39, 0x7D,
       0x72, 0x8A, 0xAE, 0x3A, 0x9B, 0x62, 0x96, 0xB9, 0xFD, 0xBA, 0x60,
@@ -1091,19 +1077,18 @@ IdentityInfoInit()
     SECITEM_FreeItem(&ias.serialNumber, false);
 
     // If an entry is missing in the NSS root database, it may be because the
     // root database is out of sync with what we expect (e.g. a different
     // version of system NSS is installed). We will just silently avoid
     // treating that root cert as EV.
     if (!entry.cert) {
 #ifdef DEBUG
-      // The debug CA structs are at positions 0 to NUM_TEST_EV_ROOTS - 1, and
-      // are NOT in the NSS root DB.
-      if (iEV < NUM_TEST_EV_ROOTS) {
+      // The debug CA info is at position 0, and is NOT on the NSS root db
+      if (iEV == 0) {
         continue;
       }
 #endif
       PR_NOT_REACHED("Could not find EV root in NSS storage");
       continue;
     }
 
     unsigned char certFingerprint[SHA256_LENGTH];
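Review bot: The `if (iEV == 0)` guard hard-codes that exactly one debug EV root sits at the head of `myTrustedEVInfos`, and only the comment inside the table's `#ifdef DEBUG` block keeps the two in step. If a debug entry is added without touching this line, a test root that is absent from the NSS root DB falls through to `PR_NOT_REACHED`; if the debug entries are removed, a missing production root at index 0 is skipped without the assertion. Keeping the count next to the table, as the removed `NUM_TEST_EV_ROOTS` did (`static const size_t NUM_TEST_EV_ROOTS = 1;` with `if (iEV < NUM_TEST_EV_ROOTS)`), leaves a single place to update. The body of IdentityInfoInit starts and ends outside this hunk.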
--- a/security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
+++ b/security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
@@ -178,43 +178,16 @@ def generate_pkcs12(db_dir, dest_dir, de
                           pk12_filename)
     child.expect('Enter Export Password:')
     child.sendline('')
     child.expect('Verifying - Enter Export Password:')
     child.sendline('')
     child.expect(pexpect.EOF)
     return pk12_filename
 
-def import_cert_and_pkcs12(db_dir, cert_filename, pkcs12_filename, nickname,
-                           trust_flags):
-    """
-    Imports a given certificate file and PKCS12 file into the SQL NSS DB.
-
-    Arguments:
-      db_dir -- the location of the database and password file
-      cert_filename -- the filename of the cert in DER format
-      pkcs12_filename -- the filename of the private key of the cert in PEM
-                         format
-      nickname -- the nickname to assign to the cert
-      trust_flags -- the trust flags the cert should have
-    """
-    os.system('certutil -A -d sql:' + db_dir + ' -n ' + nickname + ' -i ' +
-              cert_filename + ' -t "' + trust_flags + '"')
-    os.system('pk12util -i ' + pkcs12_filename + ' -d sql:' + db_dir +
-              ' -w ' + db_dir + '/pwfile')
-
-def print_cert_info_for_ev(cert_filename):
-    """
-    Prints out the information required to enable EV for the given cert.
-
-    Arguments:
-      cert_filename -- the filename of the cert in DER format
-    """
-    os.system('pp -t certificate-identity -i ' + cert_filename)
-
 def init_nss_db(db_dir):
     """
     Remove the current nss database in the specified directory and create a new
     nss database with the sql format.
     Arguments
       db_dir -- the desired location of the new database
     output
      noise_file -- the path to a noise file suitable to generate TEST
deleted file mode 100644
index fc7e8d3ec2d9a9958b9806b875a0bc1cc30b79bb..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
index c947b11aee4d6c182a4db36fe6e821b9add6fd1f..b7ea48d517058bcbc65a5930e2e522252218d515
GIT binary patch
literal 605
zc$_n6Vv00qViH@x%*4pV#4PGiYrxIMnb79Jn99t;%w!;9C}beO#vIDR%)^;doT!_e
z=#-dZAScdiXkuV)Xl!U|Vqs(+CC+OE;u=7?ICM2J&H`ddHg>Hxk8>6*j6e<#QzgTk
z<AD?OFP+-@YuUZv#+0&B!3UFNV)*a;>7KgPY~tHx*57NpEHgrH-+rmJxMP}YWmI8E
zz-x8hi+tB-+KD?)_kN(Nd#Z5*^ZtzvvkjxP_Sk;i!><2B*Urr?%w+l@v4ave5AHbX
z39EU0vG|ncs=-+EBPr48v24@4VkS|B-gV)LPEnpwr{Z&sPVlc2KN*&InyDiE&a~Eq
zbAPU;)fDbmv=qB!5tHB>zG<iDBsKmi3sX#+ik>~~3+5IQo^<Bzk6-#d!qVR!?XCT|
zEq6=E;j&Us>Au6^dJ3;+-8(E|7c+P9j=o6!j86>--gAvI*1nb#Vv2h(d#b(ErmMVq
zhc0~b)w~!beCUDBQgJ(LHs)#uri#qu#k0jSO*F2Gi->Djdnxo^+TyWvlFILPP0LG%
zg?C5nRSfHSA~0+9kMy3-2kB*-cw=AWE-&mkC$!uy$nS5+uBE^DMLA#YkWadItIsYp
zk2fJ+RHAd?Op}S*kCX;U-QT~+;#kR1rzcf4<v%NRSI=nfV={d_cg=g|#li-H2K>M{
zlNDxU{LjK_zzn2N(gL#qgMluSNbKi(CSGfP2S3U9sq2svx6YLN<Og6-wwP2atDVd%
Sn6UEgGmXZ=q*W1TcK`s|^y|R@
index 0d23ff16acd40ab6df8cdb1bf7389cc2fad1b557..c57957fc455ca242a26c80cfaeb17468e7961cf3
GIT binary patch
literal 633
zc$_n6Vk$LgVlrO9%*4pV#KM@?J=uVpjWeOmgE5tvg_+4f*ig`bpN%<`g_(yVr8rSH
zInm$SKu(<3(8R#p(Adz_#KOotN}SgS#5I6&v1@8#+yTToZ0uTX9_K7r7=avlrp88w
z`!P=Q_y3E{yL0Bb;}WY-e{QY=Efbn^<X-4TmtJI;W3y<&g8N!G%j5s6p4OWG|I40s
z*{?I_Z_|xop7DWa_Q8P0HS?+>UY3_$ZrgKXgI0CT`c5rxyMT24xw|&3TxX;t^I;cn
zT+4T^G*;f?z??4CPVN;^Nv^t{8A7a6udhCsm6FXQ%Fw<$**#h0@osg=cg%-8#q-}k
z+R6xW+Pvk($A5UKKb-Q4U-#al-#q=_ZYbTIZF<1lev<RlMeG-B{;*bCZoGXuH2q<_
z_W2v1+&IG`9(A&)CSR#KCTr5H<FtB9eZ|%AHZ|7hy;a$sg$K)i-(j9``-u^kMBR1A
z>bi!5Hi7>aoLQ;3)o4}whQ|i25BCY!$G8~m-nYi1a^vS<=EhbAkUQ=fK9sg`^mu$h
z>*L&Dm5=u<GtbC<eyMS9{_A5tQzCw^t@yjLtED4Y_kX;>@wrE%)UN+r#=CX<)&=&7
zt@nfs6)(-Hx%SpPdBeT!cCot~8jXxN*oBXtWZrKv#p}QS*6@<0Q=NY1>E(zUTOAIs
zkTBoktPyY_H0{;;5BE$CO7Rs&^eq-PfJCUQFeBrC7FGjhAcc}nnDrS9beKd84WBJo
sy2JAUzoX{+Prl|n-f=3QnM5RJu=d^Y{2b2F+5c$Crq_o8PZeDS092^~W&i*H
index a7947ec96f63b99c0a3f0333dafccdea62a04075..07629f06038e7b03599ef159c6e983c8e65d7cf8
GIT binary patch
literal 600
zc$_n6VhS;6ViH=w%*4pV#KLIb*ki!W#+lIO!I;X-!pvkKX((<W%ElbZ!py^$Qk<xp
znOEZPt(%<a?`<F_&TD95U~Xt^Xli0%WF95XYXssNK)D9;hO!3I5UnC0t*NO_i7Chi
zG%?NsVo5f3tu~Ky7A%ZF4i8f$!<^%R6Z9{g+WKqRz2L@_vQohZlVxJ~@BHbWy47sr
z+hx|@Yr8BnLT}%GskOLcnrmfLVMxGhb>547*Js*^J5Tq1psIVSaRc-IjSjO7qqO$e
ze%-^a|3lZ#%`MDi`XRA{5;hO+IO++jd3>?>l;*0zSo0$((dn^l)4XCPQHI`i;fYRB
zo>8abbB#{$uM<BRmUx<}BK*#@)`W9^uBO!#?pL%FyJQiQ;2XYar{^R!{wWJnOq+_H
zJ?#tT780Ix=IxJP`aQzZ-yZF){kSc6OUU7}Qcvl=!{K@guV>vmEMgZkckzzCNd1gY
z4GG?JjWX80mJ?!%doX*dz0{_wyn2T&eDc-27$tn@fzDEKJ8L%PY6hkX+jz5H9<gOF
zlowY>gk?BMCklorZL<FU=+-2E1D$)j_Oo2fv<Wsnt2Q-pOSb&o(+q+iZrV$Ka1QX}
zDA{7RN}ge(*CFli2dkof_#~*`wm->lYW%Wu@$H$tSznblHBGS;>0!L4z_j#1yUu$H
z)!=)*{}lK({J8aa%SDuAz^u<;pu;30*vrnE5i7CXDE<A-A5)XI2no&aWD+qbfB!%1
UP{f12NUwXB_xDx0RmaW-0DD^NAOHXW
index c01e16e6dfa83d4783f5997bb79e2ac6a9a86df7..9b5cf38bf6f09a71c3ef86b2f51ad9605ec6005f
GIT binary patch
literal 630
zc$_n6Vk$CdVlr63%*4pV#B43L(14qbGoj6cF_oExnaM!PP{KfrjX9KsnTJ26I8iq<
zuf!=aMK?Lo-`hY=oY&CAz}(Q-(A31j$UI7%*9gQlfN~Aw4P_0aA$mnXdQ(&Vy-^Hk
zV%!15I&AD(Z64<=SQvpEd8WojhWjy2^Y{OY&AW5vx#JS6P=9W&11%GpbL3v=Mweb>
zm}9eO!h-u+H_PMytDe@H|NqOLcG<5p=Wo-EVV?1UXZFE>#x?V*B3_o4UT)iSV}n+8
z&H7F)Z@YkW{kgj~tXyZLB=cbxZ(PfFt~6HO;=r6P)lTjeQAw`4o*6={Q?IW+n3a;v
zB+AgfJJ~&1<neBG$#=|$JjL_hKibL&a@xG*#m9emsXv_ZieLBMqu)IJ-)<<~oo#x+
z+kTSs)J5zUZ2quTTW-94IyC)ZyY~4TpWHaZA|7?Js3u>jIwot<tmCwLOMS)F@HREp
z=)G0ho`na?e&1o9aQlf7mqgul$LhL<gEoQx7o1tCxYcM?`-aB`tq=DJ*vGgS?B2J=
zqjKZtVCKeF29P`M31)m1%VE9Da^CrC?j?h&Pvwo$Li-ymRO_c(=0pY+x>$JZd3K^{
zsf{*^B7@VlgRJj)0%GoX+Uyp{xg?geQ#DB{&h2tcL*B;qZ7V(YvER9KGx_1Ccanau
z17zPOKAirrS6#nxb+D}X6Q2mb$Z6jim~-c;F1LD>B^^2Ceo2V?5|mWJtj}Pe!z5zI
v^+i^H@3qv);!0i<Z1tzuUHM<mBx3OHk&)5=i@7XE<+oVP3*4buU;6+6hi3f9
index 063df6a78dc81ea90fee3314c3bcb9bc90ee0403..b3b083d686e299d3bb358ac9ca88dad5d9cb50d1
GIT binary patch
literal 630
zc$_n6Vk$CdVlr63%*4pV#KLfj_q_o(8)rhB2V*KT3p0~}l%a%y7#nja3o{RYN^zoY
zW?qTEw{CKxQ(}sNoH(zciGjJHv7xDng^_ubIIj_iYXIdM$Q#NUNJI3Bfb^!O0<|I=
z(8RbMh;`W5wc0$+S+FnyIr2=6jSTl=oaXQU7n^tI%yY*jR-yjfTnAbvH0Q{@(2Xv=
z$S}ud(S!x}wQiQj|5rV&HUIyYJ?*kzXU^ZI8^b)~1JCS(0gY?sRYklkFTLEh=f(!D
z>YDYPTHba6>H2ebZCJU^NJ-|yF5bA7?_6oDyv2bzU8<ejE25HIbv-kLSf^fJeK0E}
zn@N<ReRr~ZvdH7z>XPr64|$5`zkjrq5#+Ra%Zrcy@KS#`<rTl~y+^-!`oG;!x;xwS
zfVcf5=c$X>FWCHHt+w2F`*djf!*=cSH$J&>hDAK;WKm7NQguw$q*=#l^_KdItKn^G
ztkHX`vONnAmi@lNJmK~eBQA-$>yFiR4F_!k|1UVRQgN%%s`d?!4O$=W6R?kQG1$Ft
zjYs9i&%w-%EeuSJ4UxhRIr`=<dGXNTrkzq*!v3!tZte8G7h0UQ*`{*KhqE8rGS1~^
zZ1}K#W!na~`^Wl&mBdmL{cSQb8ftqC(|a%UoVoiynmP2$s)Ji2xA0u?Jo;^Nu9F!X
zBcE7=?cqO9r&&G{{<*3w@VaLGm&QAPeItJP=}$3xZM^tz`cW%q#bA$CltjX;&tRa#
yBvNvzvFTLp;+?Mgb<f`%E1z*n(^7;<MAYtyNnY*3fA4kg@cG{O+k9}={T%?l!U*O7
index c391cca156216925c7ecfaf633da74fd41c3645f..97ad32b1e9e1b0ab4784fb70b39ed5b225640245
GIT binary patch
literal 628
zc$_n6Vk$6bV$xf{%*4pV#KQP)&3OZEHqL}L55`nx7G@>`Nkef1Q8wmK7G@s4l;T9)
z%)AnRZ{6fXe{Tahab80c19L-TLsJtABl9S6ULz3K0LnFxGn6rqf@l>6X-!Q9>O|7t
z#JC-Zb=cUo+C0u#urLBS@=T454EJN4=I{R(n|J5TbH^oCq5j-l2U;dH=g7U#jV`^&
zFvn)mga!AtZkEUYS3RvY|Noag?Xq8I&flgR!#v{y&+LN%jcevrMZ7F8z1+6v#s;nG
zn)RJp-gW`$`g3<}Sh>zfN#?^Y-nf?UTxqPl#eq3ps-4^`qLN&7Ju`$@r(R!uFe@dS
zNtB^|cd~o3$m8AWlJA%gd5Y)1f3%em<g|Iqi;w^CQhzw*6~FGiN56Uczui!}JKOYt
zxBVpNsf*Yz*!*Fww%mC8bZGj+cJ1>wKDlv*MLg<cQBA&5bxhWzS;uMhmimgT;caTH
z(R-`1Jqr(({l3FI;r0_FE{VG9j@5My2W<lXFF3POajVg)_6?5>S|9Ecu#a&u*u8I!
zN9D%P!OV><3`~s;>8eu>Uaz_REAC|}@7F-#8iwr!*6-^6<!mrY*?2(C^~2<Sn@&{C
zX%*lssGZ(%?Cjb-7b31OAKlUV@9g?gw~XE+qE#!q3vXu$IxT;jF~#MTg7XoUgBlX6
zPd_aTGxzR!*y_F3SFP0H1B*Wk*R>62?tahTI$?Y1%)@>^3}?>mF9`BMNg~Yp3<f$(
xA|CU#oLQAhr&_LPd*Z4xFU6kYW+Ib_X6Cl?kNJ;#PV^aM*eED?u2DPo766qf1H}LU
index ad2a39bcefb5d9b521f9d9a5b5707a912c9ffd6b..79795850171c81c728430ece330b041a35e3aa57
GIT binary patch
literal 610
zc$_n6Vu~|pVv<?F%*4pV#KO2JN7aCvjWeOmgE5tvg_+4f*ig`bpN%<`g_(yVr8rSH
zInm$SKu(<3(8R#p(Adz_#KOotN}SgS#5I6&4WtYu48$Os_(7U7^Gci&Qy_Yq7-s>o
zBpbU{o5wi|7Dgb4hpCcb&hfwr`j<{^{k7~~aAQhYso;ajGBNyj{&Y{>YBurhGVAZP
zU6vW4w{O4HTHG<swKA$OB;d6=??t}rGwsBkr+Yt8)jid?fqDN%huMZvT6=82?qS#e
zp=;;n7G^U2kk~;9n+JCs^@P<tzF2%pbJbw1`H__9^jNlOUNMs>L+`rqM5idvs8jK|
zMkn~!iJuHhJk3-QerH;1!nr?J(`pL$D_V+OvWQ9W4d1lWbCMeWl!Ym#O-0Y1_62hb
z2~Rrn_Qx;%9%1QkkM`Dn+?Kl~<ZxN3r*z-pa6N_Bv+f-hv5T3zct>BPe#WPU1n;><
z8Eaq52{FYzm_5~AYSUF-y+ap1`D$K_5<c`mXQ{ZIH5+p^15<_XiqA*gzDihD|N5Y9
zqOz%mQ?sl*yzBBhrbXTHXZ?=}?md#G7rZIinajH8?7@w<9;`U<uKb5USi*~-z{qxw
z+8rY4AAT;{qiNIfrC1_m*}nz6Up8BO=dhdB{!K7x`_zAooY6PtSG=wimC&(_yq{8H
z#jw2D{1Bt+t;NCykm!~bW@P-&!fL<_q)-wBvp$1?4wDGy=V!}Pidydm86UQ>-1Lj_
f`HDhWCJ~0?tE)2D`tQgrSy6b7>DDxP)wzxUbIt9~
index 035ac42e0c72c98716487764adf9a7970cf1db85..09476591dc20b5b84e48f170c679cdc4d39ac768
GIT binary patch
literal 640
zc$_n6VyZD{VzOGm%*4pV#KJhm^@ssC8)rhB2V*KT3p0~}h@p^y02^~C3o{RAN^zoY
za-vgWih-Osuc3*7xuLP4sfmS=d6YP>5r}I5<r+vCN*IVibn%09W#*Omdqed$F>VK9
z9X58YHji@_EQ~;oJX2#M!~Gbi`TPIH=G{5-+;NFjs6RK?ftCr)IdU&_qf0L`%&}QC
zVZnW^o8|HURZnZp|NmuAyX@DQ^S9~7FwgkFGy7mb<C=L@5iiS2FSqTvu|cc4W__oY
zw_QNG{@h&~R<1KrlKHTUH?HM7R~jpCabQlDYA5%Ks3cci&kP~fsn=H@%u2~-5@l%L
zo$Q`0@_4tp<U8g=p5poMA8lm>Ic?tZ;^RNO)E`cH#jkts(QlsqZ#R_g&Ne;ZZ9mC*
z>LT_FHh);FEjQji9h&~IUHklvPi~xH5sx}qRFkh%9g{U_)^S?BrM}{7c$*q)^xmp$
z&%%Rczwa<lxc$V4OQP<&V|87_L7Tw;3(l-m+-kI{eZyme)`$B9>|<OEcJEu`QMvJR
zFmq!I15;yz<FY8f$wIgI?C<L@Kd19n>%WJ=p2&%kQ88iCj`rso<+yG8xK<iO$97Hn
zxxRMMJ;$&~54c15gEZb-dst4hl0V(fc&BgT{`p=$o)K3Ce+4{{^?3Hh{?^yL#M2gm
zE9<ncz4d>dqG9@hyZyxFGafMxy%%5iJTrIC+OXxFLAZ=5N9<x@13?3RV6@5#Gcx{X
zVKra|QYguVS)ai`he@Q&wYla~%>VDHjtbVVzn(2w_GZ%>CXtwx+mg=j5AbS^VSi=o
LocU&7bfPc-BM1Qc
index 4a1a9a91fb2e17e13d99a05115e825702b95bbfd..c12bf8851064c59d9abe94e33878c1e6766d0ae8
GIT binary patch
literal 639
zc$_n6VyZT1VzOMo%*4pV#KLH*zrui<jWeOmgE5tvg_+4f*ig`bpN%<`g_(yVr8rSH
zInm$SKu(<3(8R#p(Adz_#KOotN}SgS#5I6&4I~Z44MZWD_&}O6^Gf`^AzGUlcL1>t
z8@pDU$2kiYMj%I?sj-paevH%n{r_U~?won<xWp>dpPTDI%Y^0}xfi<8r573I*esf`
z;J(()^7#L%r?uw)|FWlD_Up{~+jL`?XMEt9eK4SL&Ah6Jm*u6G+xFbppjBP7zEjKF
zE+Ach?ye0h*BL3veAvYs*Yce!jg_}JFsDnklY2!}lB=#~h7jx2>#GlDrDQXSGPLhb
zc25?0yjxxJ9rGbi@%;CXwlad8Hg9?H@gH9552w81*S+`XH&6e!8%lR)n;!7CpX5As
z5&H$3KdjZ38*iTuO@G*~eg4KLH_ot#N1ZIH$ych5$(l6lIIZ4NUvV|OO^r2rZ&kKu
z;lZ-scbF&KeqzKWQFq<3x~}1%P2m3pXI3h1HCola;juyM!+iqwF)jwX_pR}$-1s?|
zxv`Z2<c{fU70zFM#kHaL<7$<~I~eQ^i!CZx{3zl0*$CBNRXaGFBWITfENER`e8B&v
z?D~l4vvE}|8yk7oEuFW?_VVka`wp)D`k-rDX88Vo_r7bZY!+Vo(WR-+%<%Basjr(S
zgvjjvr}e?9<kc3An6jT@3;%95xH2Q+>Q^@nd%?8qrKf#LubV9vHh`oBSz$)T|17Kq
z%s>hywJ_^580avG$U9szdb#dumfSg$QscR2|30`Bsm3ItXVtLTK}oy1LE>fSGG2zA
Ji<%8@004}x2Ic?&
deleted file mode 100644
index eabede0ac26ab3d3eabc6e175c14ffc35b0d66ec..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index c2f4fdf85865e54b4eee235bca2bdffe94b7f0b2..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 3be15bfe7840fd23cf980260e9e9d9a2f7d6147a..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index f04231307a4fd4d41beb058e5bfd75261cc4c5b0..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 0d7a0fe87b6e83f66f2a06a7dfd0d2fe9cee5543..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 50d382c3117549d5f764a8a57cff1760e175f17e..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 3147b266c44938b472deebeae887c6d8c923f900..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
index 660da8e45d9aeb8a0857c4f6f6acdafa260b6dcc..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
--- a/security/manager/ssl/tests/unit/test_keysize/generate.py
+++ b/security/manager/ssl/tests/unit/test_keysize/generate.py
@@ -13,227 +13,126 @@ sys.path.append(libpath)
 
 import CertUtils
 
 srcdir = os.getcwd()
 db_dir = tempfile.mkdtemp()
 dsaBad_param_filename = 'dsaBad_param.pem'
 dsaOK_param_filename = 'dsaOK_param.pem'
 
-ca_ext_text = ('basicConstraints = critical, CA:TRUE\n' +
-               'keyUsage = keyCertSign, cRLSign\n')
+ca_ext_text = 'basicConstraints = critical, CA:TRUE\n'
 ee_ext_text = ''
 
-aia_prefix = 'authorityInfoAccess = OCSP;URI:http://www.example.com:8888/'
-aia_suffix = '/\n'
-
-mozilla_testing_ev_policy = ('certificatePolicies = @v3_ca_ev_cp\n\n' +
-                             '[ v3_ca_ev_cp ]\n' +
-                             'policyIdentifier = ' +
-                             '1.3.6.1.4.1.13769.666.666.666.1.500.9.1\n\n' +
-                             'CPS.1 = "http://mytestdomain.local/cps"')
-
-generated_ev_root_filenames = []
-
-def generate_and_maybe_import_cert(key_type, cert_name_suffix, base_ext_text,
-                                   signer_key_filename, signer_cert_filename,
-                                   dsa_param_filename, key_size, generate_ev):
-    """
-    Generates a certificate and imports it into the NSS DB if appropriate.
-
-    Arguments:
-      key_type -- the type of key generated: potential values: 'rsa', 'dsa',
-                  or any of the curves found by 'openssl ecparam -list_curves'
-      cert_name_suffix -- suffix of the generated cert name
-      base_ext_text -- the base text for the x509 extensions to be added to the
-                       certificate (extra extensions will be added if generating
-                       an EV cert)
-      signer_key_filename -- the filename of the key from which the cert will
-                             be signed. If an empty string is passed in the cert
-                             will be self signed (think CA roots).
-      signer_cert_filename -- the filename of the signer cert that will sign the
-                              certificate being generated. Ignored if an empty
-                              string is passed in for signer_key_filename.
-                              Must be in DER format.
-      dsa_param_filename -- the filename for the DSA param file
-      key_size -- public key size for RSA certs
-      generate_ev -- whether an EV cert should be generated
-
-    Output:
-      key_filename -- the filename of the key file (PEM format)
-      cert_filename -- the filename of the certificate (DER format)
-    """
-    cert_name = key_type + cert_name_suffix
-    ev_ext_text = ''
-    subject_string = ('/CN=XPCShell Key Size Testing %s %s-bit' %
-                      (key_type, key_size))
-    if generate_ev:
-        cert_name = 'ev-' + cert_name
-        ev_ext_text = (aia_prefix + cert_name + aia_suffix +
-                       mozilla_testing_ev_policy)
-        subject_string += ' (EV)'
-
-    # Use the organization field to store the cert nickname for easier debugging
-    subject_string += '/O=' + cert_name
-
-    [key_filename, cert_filename] = CertUtils.generate_cert_generic(
-        db_dir,
-        srcdir,
-        random.randint(100, 40000000),
-        key_type,
-        cert_name,
-        base_ext_text + ev_ext_text,
-        signer_key_filename,
-        signer_cert_filename,
-        subject_string,
-        dsa_param_filename,
-        key_size)
-
-    if generate_ev:
-        # The dest_dir argument of generate_pkcs12() is also set to db_dir as
-        # the .p12 files do not need to be kept once they have been imported.
-        pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir,
-                                                    cert_filename, key_filename,
-                                                    cert_name)
-        CertUtils.import_cert_and_pkcs12(srcdir, cert_filename, pkcs12_filename,
-                                         cert_name, ',,')
-
-        if not signer_key_filename:
-            generated_ev_root_filenames.append(cert_filename)
-
-    return [key_filename, cert_filename]
-
-def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
-    """
-    Generates the various certificates used by the key size tests.
-
-    Arguments:
-      key_type -- the type of key generated: potential values: 'rsa', 'dsa',
-                  or any of the curves found by 'openssl ecparam -list_curves'
-      bad_key_size -- the public key size bad certs should have
-      ok_key_size -- the public key size OK certs should have
-      generate_ev -- whether an EV cert should be generated
-    """
+def generate_certs(key_type, bad_key_size, ok_key_size):
     if key_type == 'dsa':
         CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size)
         CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size)
 
     # OK Chain
-    if generate_ev and key_type == 'rsa':
-        # Reuse the existing RSA EV root
-        caOK_cert_name = 'evroot'
-        caOK_key = '../test_ev_certs/evroot.key'
-        caOK_cert = '../test_ev_certs/evroot.der'
-        caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
-        CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename,
-                                         caOK_cert_name, ',,')
-    else:
-        [caOK_key, caOK_cert] = generate_and_maybe_import_cert(
-            key_type,
-            '-caOK',
-            ca_ext_text,
-            '',
-            '',
-            dsaOK_param_filename,
-            ok_key_size,
-            generate_ev)
+    [caOK_key, caOK_cert] = CertUtils.generate_cert_generic(
+                                db_dir,
+                                srcdir,
+                                random.randint(100, 40000000),
+                                key_type,
+                                key_type + '-caOK',
+                                ca_ext_text,
+                                dsa_param_filename = dsaOK_param_filename,
+                                key_size = ok_key_size)
 
-    [intOK_key, intOK_cert] = generate_and_maybe_import_cert(
-        key_type,
-        '-intOK-caOK',
-        ca_ext_text,
-        caOK_key,
-        caOK_cert,
-        dsaOK_param_filename,
-        ok_key_size,
-        generate_ev)
+    [intOK_key, intOK_cert] = CertUtils.generate_cert_generic(
+                                  db_dir,
+                                  srcdir,
+                                  random.randint(100, 40000000),
+                                  key_type,
+                                  key_type + '-intOK-caOK',
+                                  ca_ext_text,
+                                  caOK_key,
+                                  caOK_cert,
+                                  dsa_param_filename = dsaOK_param_filename,
+                                  key_size = ok_key_size)
 
-    generate_and_maybe_import_cert(
-        key_type,
-        '-eeOK-intOK-caOK',
-        ee_ext_text,
-        intOK_key,
-        intOK_cert,
-        dsaOK_param_filename,
-        ok_key_size,
-        generate_ev)
+    CertUtils.generate_cert_generic(db_dir,
+                                    srcdir,
+                                    random.randint(100, 40000000),
+                                    key_type,
+                                    key_type + '-eeOK-intOK-caOK',
+                                    ee_ext_text,
+                                    intOK_key,
+                                    intOK_cert,
+                                    dsa_param_filename = dsaOK_param_filename,
+                                    key_size = ok_key_size)
 
     # Bad CA
-    [caBad_key, caBad_cert] = generate_and_maybe_import_cert(
-        key_type,
-        '-caBad',
-        ca_ext_text,
-        '',
-        '',
-        dsaBad_param_filename,
-        bad_key_size,
-        generate_ev)
+    [caBad_key, caBad_cert] = CertUtils.generate_cert_generic(
+                                  db_dir,
+                                  srcdir,
+                                  random.randint(100, 40000000),
+                                  key_type,
+                                  key_type + '-caBad',
+                                  ca_ext_text,
+                                  dsa_param_filename = dsaBad_param_filename,
+                                  key_size = bad_key_size)
 
-    [int_key, int_cert] = generate_and_maybe_import_cert(
-        key_type,
-        '-intOK-caBad',
-        ca_ext_text,
-        caBad_key,
-        caBad_cert,
-        dsaOK_param_filename,
-        ok_key_size,
-        generate_ev)
+    [int_key, int_cert] = CertUtils.generate_cert_generic(
+                              db_dir,
+                              srcdir,
+                              random.randint(100, 40000000),
+                              key_type,
+                              key_type + '-intOK-caBad',
+                              ca_ext_text,
+                              caBad_key,
+                              caBad_cert,
+                              dsa_param_filename = dsaOK_param_filename,
+                              key_size = ok_key_size)
 
-    generate_and_maybe_import_cert(
-        key_type,
-        '-eeOK-intOK-caBad',
-        ee_ext_text,
-        int_key,
-        int_cert,
-        dsaOK_param_filename,
-        ok_key_size,
-        generate_ev)
+    CertUtils.generate_cert_generic(db_dir,
+                                    srcdir,
+                                    random.randint(100, 40000000),
+                                    key_type,
+                                    key_type + '-eeOK-intOK-caBad',
+                                    ee_ext_text,
+                                    int_key,
+                                    int_cert,
+                                    dsa_param_filename = dsaOK_param_filename,
+                                    key_size = ok_key_size)
 
     # Bad Intermediate
-    [intBad_key, intBad_cert] = generate_and_maybe_import_cert(
-        key_type,
-        '-intBad-caOK',
-        ca_ext_text,
-        caOK_key,
-        caOK_cert,
-        dsaBad_param_filename,
-        bad_key_size,
-        generate_ev)
+    [intBad_key, intBad_cert] = CertUtils.generate_cert_generic(
+                                    db_dir,
+                                    srcdir,
+                                    random.randint(100, 40000000),
+                                    key_type,
+                                    key_type + '-intBad-caOK',
+                                    ca_ext_text,
+                                    caOK_key,
+                                    caOK_cert,
+                                    dsa_param_filename = dsaBad_param_filename,
+                                    key_size = bad_key_size)
 
-    generate_and_maybe_import_cert(
-        key_type,
-        '-eeOK-intBad-caOK',
-        ee_ext_text,
-        intBad_key,
-        intBad_cert,
-        dsaOK_param_filename,
-        ok_key_size,
-        generate_ev)
+    CertUtils.generate_cert_generic(db_dir,
+                                    srcdir,
+                                    random.randint(100, 40000000),
+                                    key_type,
+                                    key_type + '-eeOK-intBad-caOK',
+                                    ee_ext_text,
+                                    intBad_key,
+                                    intBad_cert,
+                                    dsa_param_filename = dsaOK_param_filename,
+                                    key_size = ok_key_size)
 
     # Bad End Entity
-    generate_and_maybe_import_cert(
-        key_type,
-        '-eeBad-intOK-caOK',
-        ee_ext_text,
-        intOK_key,
-        intOK_cert,
-        dsaBad_param_filename,
-        bad_key_size,
-        generate_ev)
-
-# Create a NSS DB for use by the OCSP responder.
-CertUtils.init_nss_db(srcdir)
+    CertUtils.generate_cert_generic(db_dir,
+                                    srcdir,
+                                    random.randint(100, 40000000),
+                                    key_type,
+                                    key_type + '-eeBad-intOK-caOK',
+                                    ee_ext_text,
+                                    intOK_key,
+                                    intOK_cert,
+                                    dsa_param_filename = dsaBad_param_filename,
+                                    key_size = bad_key_size)
 
-# TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of
-# bits to the next multiple of 8 - therefore the highest key size less than 1024
-# that can be tested is 1016, less than 2048 is 2040 and so on.
-generate_certs('rsa', '1016', '1024', False)
-generate_certs('rsa', '2040', '2048', True)
-
-generate_certs('dsa', '960', '1024', False)
+# SECKEY_PublicKeyStrengthInBits() rounds up the number of bits to the next
+# multiple of 8 - therefore the highest key size less than 1024 that can be
+# tested at the moment is 1016
+generate_certs('rsa', '1016', '1024')
 
-# Print a blank line and the information needed to enable EV for any roots
-# generated by this script.
-print
-for cert_filename in generated_ev_root_filenames:
-    CertUtils.print_cert_info_for_ev(cert_filename)
-print ('You now MUST update the compiled test EV root information to match ' +
-       'the EV root information printed above.')
+generate_certs('dsa', '960', '1024')
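Review bot: The comment above `generate_certs('rsa', '1016', '1024')` no longer names the bug that tracks the rounding in SECKEY_PublicKeyStrengthInBits(), so a maintainer has nothing to follow up on for why 1016 is the largest "bad" size that can be tested; I would keep the marker, `# TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of bits to the next multiple of 8`. As the comment implies, RSA sizes from 1017 to 1023 bits are not covered by these fixtures, which is worth stating outright because that is the range a minimum-key-size check has to get right. `generate_certs` also has no docstring on the new side; a short one saying that key sizes are passed as decimal strings and that it emits the OK chain plus the bad-CA, bad-intermediate and bad-end-entity chains would cover it.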
deleted file mode 100644
index dba491b555c9bb73295e2308200897bb07a907c4..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_keysize/pkcs11.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-library=
-name=NSS Internal PKCS #11 Module
-parameters=configdir='sql:/home/m-c_drive/mozilla-inbound/security/manager/ssl/tests/unit/test_keysize' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
-
index b7ff2c94e03e8e855ec42946ed5cfae2e4351837..f7079a333a18af457a124c02931266d2f500c1b2
GIT binary patch
literal 438
zc$_n6V%%iV#3-|XnTe5!iG|^`td9XN8>d#AN85K^Mn-N{1_Kd8Ap-$6=1>-99?qiT
zMBU^>r^FNkIdNV?69aQYV?$FD3nTL=ab6=3*8s}Jp{sEovgwSh49tx^3<ixIOpOf;
z2SnDmc|EB7<ojyw>K+Mkxf5m2H19_9x84&EXAfBXTQlc`SH_jocN!bls|zWoX<QcL
z_@*kHH`_|;P3Kc>ZSmzkJKoFa9caq(`?UE(n$(nE`sc(#LLdLlbv}1~Wpd%dNg5VB
zo6bgGx$)lGe*4<UZOYBl60EPr^IV=+xvI8iVI~tZBLm}NVFN(}exS2ug&7(Dv#=U4
z11YosVFtR@qW5#J-~W5YQ+`VQ^3GkBapJ}NOK1NdvYa5dCidkiu46l=6)xgF^KV<p
zYE73VpDySxXAwL0-f>C7HWfd=FR$WR7iN4)PhXJD*41EFTgi2D$?Ll-Gdmv0{au&U
rowK+^<gtX>Zr;Y~>YT4H6~0JZt)FCFv*5GI?i&@8ULI=t*H{DqJV&WS
index ab42878ab1455ea8ac473caf0498abe468d222e1..0016f5152ca9fcb536e6cf63c605826391f8da32
GIT binary patch
literal 438
zc$_n6V%%iV#3;RhnTe5!iG^XuI}Zb1HcqWJkGAi;jEvl@3<ko6f(HC-%%LpIJRC*E
ziMq*&{@w<1;=G0?2IhvwhNdPKMrKjsyhb3d0hEhfQ{#MOvl&?#m>YW;3>rI`8XFm2
zRA=8RI#nIGrpDekFjM|#m#fGVE#5bCD)LV-3bYu@it90OGKnwx^5FUu@s+oC%~N=>
z>MZj^fzLjfIlZFJ&nh&QZ7M3Qwb9pHo*{4ghdc7${q)TaJKhS+h+x_`&!aEGF)vCa
zXitw_hg?kM+xw-LW;dxQOg5~!zGA9wSyjXAtxU{}42+9~4Is{z6=r1o&%$cJ45ZM)
zgBj@9ODlh-=Bn0OEGfD>rE8JAq|i@!eVzKR4AJ*zEsnc(ZQHE{t>Q%~VpE?<CH#FF
z&$~46y1}DOyF*ncuK9YS%cxdyXW8$6Ei>Nfe@NBVdV8!@c=!J{-xEb^_I}<xNo&s!
oCmyc#DW1DC=gw`vdtK7(x4r;(VCsZ|nz>@7GHaL2eNeLr08zZ70RR91
index 2ec11beb7a00d95f163c485082461ccfbd7c4c44..7397577653cc496ac8f07e8b7351fe4af172cb1b
GIT binary patch
literal 434
zc$_n6Vq9m?#3;UinTe5!iG|^w;#vb<HcqWJkGAi;jEvl@3<i>h;s&B@%%LpIJbXpP
ziMpA2CH~&J$%+2n26E!Oh9(B)hQ@}bCKg8KQR2KtAg%$FYankZYak8LDgx4)n(CC8
zf^0zJJY?G#Ss9ocdl(EFJD3_97%slbUFPybPiM>Njw(J@t4J4?J_~(y_xkA{OPv)f
z-|bkj`ecmW<27<;PU?M34LJDy-~uVL4flk$l{lR;@&0sUlEsGdWtJIhKh0CKFAe&a
zB(^fbeaVk4jk_H#Eq7`xk@+_3?A=)}nKZg>B#);o*#BAnpZRgNsO7J7o?i14RJdx%
z#LURRh!z&ijg1Uy1}nD(${qT?;It;kLg6Imh^NcGT=*xO#HS^7#3u5?rzf+&$1OMF
zRP5g^xc^nokAH=Y$11Cqf1CKO_wF;(^a{O4h2Q0B3@oEsBGx=zZq&${;Ogo4W`$6X
u)szUe%g#QAv!9zLu&=Xu+!1;zhD&43%ZCQ>89Keb(-r>hy6inEO%4EWv!>nv
index bd23f70d7506a3dcb8c84f5c65a8299fe5de1ade..f8d60726e084558f2f7dc76e0c589b359b21182a
GIT binary patch
literal 435
zc$_n6Vq9;~#3;FdnTe5!iG|Va2D<?-8>d#AN85K^Mn-N{1_LQW2?H@U=1>-99{!@@
zMBU815~suz-Q+}nZv#1TUPBWDb3<c8Qxgj#^C)p%BM{dB$~BNTlr@ls=oJC!O-=Rp
zMlqmqKC*R;tPISJy$lA8olK3543G8RTv+LH_v_E~TSW`5XIgcKs@(FM|3u-2_Sf1!
z{XZ|)G@X!Ek6JFjX7a71j)^>BF+c5B*Y9&>yPETKPUqG>B{y}?tIwvK^<VnykUHCu
zl&QW!tejVwAO1S?Qt|x6cXKEHon<F-X?}FajH4=Vqw_i3a^#i^AGiGy&ipurWtO;A
zEfX^%10z~!FgG?Z@E>lx5hIaU@vUL+qN`<AS$a#DZ_7OXxvyF=<Ia`6zuzaRq>21~
z68JHOy<YQa2zz>_-TJ_<1&*Is8_!K&xGgm~L%QWUo8ZJ7S0^aHvRU4DI?_P8c2Cv0
vsz)L&4oS;=*K9vN_muCVC;O(RZQi~-jWs__T%qLB|N1p1HG3O-R_Or%=;Er3
index 8ad88d3f551804afa4cbd6739cec647cfe3735d8..5ec9faf69dfe2fb5754b3066887b16bba2090b32
GIT binary patch
literal 436
zc$_n6V%%WR#3;FdnTe5!iG|@y)m8&uHcqWJkGAi;jEvl@3<gq$5(Z*y%%LpIJp4t)
ziMpA2CH~&J$%#&hDF$-lyoM$Q=7z?GrY06f=27CjMj);MlxrYwC~F`M(JKPdo0<yL
ziflmRd}QkwSs9ocdl?KGJDD0A8EzEG&em_5@l>s{_T<x-l|K$hbbLBn<6a)@dt@(T
z^j*o?kIRyhTGe~cyxnECFS)b+!divC<xe+OUrfn)d48gil;#yT#Yc>dY<x??-?ird
zF3>ntymo`oQ7(};D<%iXIr)8m%lkL}Oy4x=H%^KlY{NtBXPHeA?(dHMe_B9CW?^h2
z6Eh<NBU)%M1KlOHzvEK=>Z2l+>o?kpe*L^Q@64|kicy<qp6+?E(^~cV*|M(%0^1`p
z&wkL`n)*j!-;0RJ#ph2{&iwe$X#Ms8HO&{#A2>2jI-Is%u-?S3U~8mFK<S}GE@4aS
uwX+?A)0g^s&6e_bdAqx*>u!4G#=U#$=jrfhos?Z>a6-k8zuYR8Hx>YGI;jBw
index be843f5263e288faad1ee2be7e75fa46da6f3708..94dfef87e0e90302740d7280c42f1bbd7599b625
GIT binary patch
literal 434
zc$_n6Vq9m?#3;UinTe5!iG}h0=kEr*Y@Awc9&O)w85y}*84M&1#SKK+m_u2ZdH9No
z6LmB5O8mWblN0^D4dldm4NVNp4UG*=O)QMeqQrTPKwJYT*Fert#y|?9RT!i-H5I56
zNq^&fWXl*?8JHV;84MabnHn1zuB^HEMl4f2HL!L2wC_{SvR`$s+NYaip*Nw-bKb{z
z8;;BGj(mNW&8-nyoV9)O)ToPM0nAcMk2qC6_PcOp+LrF5bFUB1*}M4uvZG2`85#4w
z-#@+P%1MDoAM~HbUHri&@kMIRyg$8~U(^cRK0P{n_3KW<?Pq&M44M?#?iX%9xaI1h
zlT6Hv42)=D!3=bl-Gejpo@f90@$z}Y@;-<8ag3|JA9WE-%*(2e59aS$vx-0ai+9Bh
zv#>{B$`ZG2X1qQ<^+n&ku8ro&cO;KaGd<@wq33Bu^VaJ>{kJNFM7nQcbI@~G9l!p+
vRi1vgvFF)C^Y71CEA8=3<MynTE2b>ARfrLaZ`~2hHaE+Wqs{ZTe>*b(M76Lp
index 58b688db61cf13ec39a953cf2167b3600d4d9a25..707d0004daf4ea55bd44da53451e5ce96065e5f3
GIT binary patch
literal 444
zc$_n6V%%ZS#HhG{nTe5!iG@k}ZK(k-8>d#AN85K^Mn-N{1_NP3K?8m^=1>-99*&~o
zMBU^>e{Tahab80c19L-TLsJtABl9S6ULz3K0LnFxGL$e7gJ|LhY0AtiaY{^q=xv;b
zYy~4L19M{!gF#~lQ)2_exy)Ji(+~Y$QTQ`)0rRQp3?6*fwdT%9eZDF0^`eLVM_+L7
z{nV_lKP4~w^r20L+CCTa-UW3C^PS|<nLaI2`Py;;)ws7>+V!e$C#s8_b-yVh#_@84
zw0dPj<iqRMcFXRuA9mY&tv<*pg*oK%fA*t2-2P3g@1ESeYVzWe5~r1apT1;bW@KPo
zENlSrv8*s7<9`-b17;wF7Ank*jSPJL5BZkmRtTlN(X2mrBYDc6O}9El%DcES?tc1h
z&$rw&dg`TZOP(EPes<O+VYclD6XDR`<t)wS^MvzzWxlFTY2na%U-8<}EA3u<sUX{i
zwd-4J8}hsNGR(T|dLZb|!J0)^g|7Vj_ULSq{$uMs&x}m2q`K+^DCEoZwcnrpQfuX;
F2mlV*r?db7
index 26f46a1bbc47f0d42c3b2ca49b0a2515a9505714..b7391c49ab365f162407d3e272a5e35fddf2c038
GIT binary patch
literal 445
zc$_n6V%%xa#HhT0nTe5!iG`v2S+4;v8>d#AN85K^Mn-N{1_Kd8Ap-$6=1>-99?qiT
zMBU^>r^FNkIdNV?69aQYV?$FD3nTL=ab6=3*8s{jkTR4o5QFIA2kFYpEAjV+>TR5l
zYzHGN19M|9gF#~_Q)45;b}t9!&f0|^IG^nmlDzHqApF2f?YjE%MS8)P^c?GNu6h4s
z)5nZpov;&!4Nn({H#C(rFMK0w_3*m;%e{{;YzyA9v~P*UJWeO?d-rQ&eYjdqeD1#`
z?k}G_-#g*&W{cp{yWOMnA7_1S><fQf5mTc4u=Ga5A%8KRS+^_~d^_0a&}YlU%*epF
zSlB?&fFJ03Sz$)T|17Kq%s>h)T$mdh7(xX9I^Fsuz31&B=gSu^3*K)myXt)|_K}v(
z?@gs?O+CyDw?De3*Z5j^J7Z2??sbMmVS>UUeXHx7A1(LJ{M@+hNrFeM*<$<a8kM#>
z-;%NvV-vTxtm@mZxb(|iamkl+6MBW!GHi{Xt+w<1YQ(j!{*=e>`OIG`z4k4ON&B&)
Hz9|X-mm#Y<
index 74c7eddfcac8594e6ad1d78d40ccb43e1caeeb8c..d41c1cb05c90f8e10e0453581b3aee6e0c63ad00
GIT binary patch
literal 444
zc$_n6V%%ZS#HhG{nTe5!iG@+@VXgr$8>d#AN85K^Mn-N{1_NP3K?8m^=1>-99*&~o
zMBU^>e{Tahab80c19L-TLsJtABeN)RULz3K0LnFxG!!=wg=pdfY0Ati@%M&kZJdv6
z10yQ~b7L=qL1QOVV<W?cuO1<f`C1=+eEd_KXXc0P70aT&%ru*+_|UpgRb}s`ZI4$a
zbI-ZCY1XrJ*B)*oRyKRZQ$iDd``2;rN?bFeY|HGhZw`XRxwc7v9n&{hb%bo5b6@ZM
znfZIy&Esy#{#bPFL)@!w|9kVa)>_Cs);~7EZuVk>+AMkNC0D*ZVw$~us+v6$Gb01z
zVqpV_k7b1!8UM4e8ZZMXv`}FNI(Ao0z$xaru9w(8_=Zkj$GxQVkJGG~y5edwhpt@V
z<Ko<vvC~w%o#*S3(>7Jo*ZwqJPB^kLHgp2#*|Ue%nb<Ku_ndu8R52me_~sN#^;sqY
z5#5u_Bo$4xZP}z}9@(|WZu9Yvx71zgl@u@AFKKG(dX|0Zzv}MPJ5v3dugmYUaCQsm
F1OS9!qyhi{
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ /dev/null
@@ -1,154 +0,0 @@
-// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
-// Any copyright is dedicated to the Public Domain.
-// http://creativecommons.org/publicdomain/zero/1.0/
-"use strict";
-
-// Checks that RSA certs with key sizes below 2048 bits when verifying for EV
-// are rejected.
-
-do_get_profile(); // Must be called before getting nsIX509CertDB
-const certDB = Cc["@mozilla.org/security/x509certdb;1"]
-                 .getService(Ci.nsIX509CertDB);
-
-const SERVER_PORT = 8888;
-
-function getOCSPResponder(expectedCertNames) {
-  let expectedPaths = expectedCertNames.slice();
-  return startOCSPResponder(SERVER_PORT, "www.example.com", [],
-                            "test_keysize", expectedCertNames, expectedPaths);
-}
-
-function certFromFile(filename) {
-  let der = readFile(do_get_file("test_keysize/" + filename, false));
-  return certDB.constructX509(der, der.length);
-}
-
-function loadCert(certName, trustString) {
-  let certFilename = certName + ".der";
-  addCertFromFile(certDB, "test_keysize/" + certFilename, trustString);
-  return certFromFile(certFilename);
-}
-
-function checkEVStatus(cert, usage, isEVExpected) {
-  do_print("cert cn=" + cert.commonName);
-  do_print("cert o=" + cert.organization);
-  do_print("cert issuer cn=" + cert.issuerCommonName);
-  do_print("cert issuer o=" + cert.issuerOrganization);
-  let hasEVPolicy = {};
-  let verifiedChain = {};
-  let error = certDB.verifyCertNow(cert, usage, NO_FLAGS, verifiedChain,
-                                   hasEVPolicy);
-  equal(hasEVPolicy.value, isEVExpected);
-  equal(0, error);
-}
-
-/**
- * Adds a single EV key size test.
- *
- * @param {Array} expectedNamesForOCSP
- *        An array of nicknames of the certs to be responded to. The cert name
- *        prefix is not added to the nicknames in this array.
- * @param {String} certNamePrefix
- *        The prefix to prepend to the passed in cert names.
- * @param {String} rootCACertFileName
- *        The file name of the root CA cert. Can begin with ".." to reference
- *        certs in folders other than "test_keysize/".
- * @param {Array} subCACertFileNames
- *        An array of file names of any sub CA certificates.
- * @param {String} endEntityCertFileName
- *        The file name of the end entity cert.
- * @param {Boolean} expectedResult
- *        Whether the chain is expected to validate as EV.
- */
-function addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
-                             rootCACertFileName, subCACertFileNames,
-                             endEntityCertFileName, expectedResult)
-{
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
-
-    // Don't prepend the cert name prefix if rootCACertFileName starts with ".."
-    // to support reusing certs in other directories.
-    let rootCertNamePrefix = rootCACertFileName.startsWith("..")
-                           ? ""
-                           : certNamePrefix;
-    loadCert(rootCertNamePrefix + rootCACertFileName, "CTu,CTu,CTu");
-    for (let subCACertFileName of subCACertFileNames) {
-      loadCert(certNamePrefix + subCACertFileName, ",,");
-    }
-    checkEVStatus(certFromFile(certNamePrefix + endEntityCertFileName + ".der"),
-                  certificateUsageSSLServer, expectedResult);
-
-    ocspResponder.stop(run_next_test);
-  });
-}
-
-/**
- * For debug builds which have the test EV roots compiled in, checks for the
- * given key type that good chains validate as EV, while bad chains fail EV and
- * validate as DV.
- * For opt builds which don't have the test EV roots compiled in, checks that
- * none of the chains validate as EV.
- *
- * Note: This function assumes that the key size requirements for EV are greater
- * than or equal to the requirements for DV.
- *
- * @param {String} keyType
- *        The key type to check (e.g. "rsa").
- */
-function checkForKeyType(keyType) {
-  let certNamePrefix = "ev-" + keyType;
-
-  // Reuse the existing test RSA EV root
-  let rootCAOKCertFileName = keyType == "rsa" ? "../test_ev_certs/evroot"
-                                              : "-caOK";
-
-  // OK CA -> OK INT -> OK EE
-  // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
-  // will not be done for the "-intOK-caOK" intermediate in such a build.
-  let expectedNamesForOCSP = isDebugBuild
-                           ? [ certNamePrefix + "-intOK-caOK",
-                               certNamePrefix + "-eeOK-intOK-caOK" ]
-                           : [ certNamePrefix + "-eeOK-intOK-caOK" ];
-  addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
-                      rootCAOKCertFileName,
-                      ["-intOK-caOK"],
-                      "-eeOK-intOK-caOK",
-                      isDebugBuild);
-
-  // Bad CA -> OK INT -> OK EE
-  expectedNamesForOCSP = [ certNamePrefix + "-eeOK-intOK-caBad" ];
-  addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
-                      "-caBad",
-                      ["-intOK-caBad"],
-                      "-eeOK-intOK-caBad",
-                      false);
-
-  // OK CA -> Bad INT -> OK EE
-  expectedNamesForOCSP = isDebugBuild
-                       ? [ certNamePrefix + "-intBad-caOK" ]
-                       : [ certNamePrefix + "-eeOK-intBad-caOK" ];
-  addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
-                      rootCAOKCertFileName,
-                      ["-intBad-caOK"],
-                      "-eeOK-intBad-caOK",
-                      false);
-
-  // OK CA -> OK INT -> Bad EE
-  expectedNamesForOCSP = [ certNamePrefix + "-eeBad-intOK-caOK" ];
-  addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
-                      rootCAOKCertFileName,
-                      ["-intOK-caOK"],
-                      "-eeBad-intOK-caOK",
-                      false);
-}
-
-function run_test() {
-  // Setup OCSP responder
-  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
-
-  checkForKeyType("rsa");
-
-  run_next_test();
-}
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -101,21 +101,16 @@ run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"
 [test_ocsp_no_hsts_upgrade.js]
 run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"
 [test_add_preexisting_cert.js]
 [test_keysize.js]
-[test_keysize_ev.js]
-run-sequentially = hardcoded ports
-# Bug 1009158: this test times out on Android
-# Bug 1008316: B2G doesn't have EV enabled
-skip-if = os == "android" || buildapp == "b2g"
 [test_cert_chains.js]
 run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"
 [test_client_cert.js]
 run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"