Bug 1145679 - Part 2 - Tests. r=keeler
authorCykesiopka <cykesiopka.bmo@gmail.com>
Mon, 29 Jun 2015 22:19:00 +0200
changeset 250686 ade5f5dd22ea3072588d1f25c6f82693b4bec470
parent 250685 a2b818a26d8528a8da37b16622e06df4d0c1676f
child 250687 5f973e6a9fac3935dad37d2b4ff3460f18fa496e
push idunknown
push userunknown
push dateunknown
reviewerskeeler
bugs1145679
milestone42.0a1
Bug 1145679 - Part 2 - Tests. r=keeler
security/manager/ssl/tests/unit/test_validity.js
security/manager/ssl/tests/unit/test_validity/cert9.db
security/manager/ssl/tests/unit/test_validity/ev_ee_39_months-ev_int_60_months-evroot.der
security/manager/ssl/tests/unit/test_validity/ev_ee_40_months-ev_int_60_months-evroot.der
security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.der
security/manager/ssl/tests/unit/test_validity/generate_ev.py
security/manager/ssl/tests/unit/test_validity/key4.db
security/manager/ssl/tests/unit/test_validity/pkcs11.txt
security/manager/ssl/tests/unit/xpcshell.ini
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity.js
@@ -0,0 +1,92 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that chains containing an end-entity cert with an overly long validity
+// period are rejected.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+
+const SERVER_PORT = 8888;
+
+function getOCSPResponder(expectedCertNames) {
+  let expectedPaths = expectedCertNames.slice();
+  return startOCSPResponder(SERVER_PORT, "www.example.com", [],
+                            "test_validity", expectedCertNames, expectedPaths);
+}
+
+function certFromFile(filename) {
+  return constructCertFromFile(`test_validity/${filename}`);
+}
+
+function loadCert(certFilename, trustString) {
+  addCertFromFile(certDB, `test_validity/${certFilename}`, trustString);
+}
+
+/**
+ * Adds a single EV test.
+ *
+ * @param {Array} expectedNamesForOCSP
+ *        An array of nicknames of the certs to be responded to.
+ * @param {String} rootCertFileName
+ *        The file name of the root cert. Can begin with ".." to reference
+ *        certs in folders other than "test_validity/".
+ * @param {Array} intCertFileNames
+ *        An array of file names of any intermediate certificates.
+ * @param {String} endEntityCertFileName
+ *        The file name of the end entity cert.
+ * @param {Boolean} expectedResult
+ *        Whether the chain is expected to validate as EV.
+ */
+function addEVTest(expectedNamesForOCSP, rootCertFileName, intCertFileNames,
+                   endEntityCertFileName, expectedResult)
+{
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+
+    loadCert(`${rootCertFileName}.der`, "CTu,CTu,CTu");
+    for (let intCertFileName of intCertFileNames) {
+      loadCert(`${intCertFileName}.der`, ",,");
+    }
+    checkEVStatus(certDB, certFromFile(`${endEntityCertFileName}.der`),
+                  certificateUsageSSLServer, expectedResult);
+
+    ocspResponder.stop(run_next_test);
+  });
+}
+
+function checkEVChains() {
+  // Chain with an end entity cert with a validity period that is acceptable
+  // for EV.
+  const intFullName = "ev_int_60_months-evroot";
+  let eeFullName = `ev_ee_39_months-${intFullName}`;
+  let expectedNamesForOCSP = gEVExpected
+                           ? [ intFullName,
+                               eeFullName ]
+                           : [ eeFullName ];
+  addEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot", [ intFullName ],
+            eeFullName, gEVExpected);
+
+  // Chain with an end entity cert with a validity period that is too long
+  // for EV.
+  eeFullName = `ev_ee_40_months-${intFullName}`;
+  expectedNamesForOCSP = gEVExpected
+                           ? [ intFullName,
+                               eeFullName ]
+                           : [ eeFullName ];
+  addEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot", [ intFullName ],
+            eeFullName, false);
+}
+
+function run_test() {
+  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+  checkEVChains();
+
+  run_next_test();
+}
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..87e043dd65fee06d399fde2054edd69eab294369
GIT binary patch
literal 18432
zc%1E92|QGL^uKrREXGcgHB9vqD()=Cpp-2Ul91@d7*mEpF}6IFC4}(Ww8<+;O53Z@
zUbN97X`@tHDXLdbl6w8`y@OFtpZx3pUirWIa?hOK@BGgBo%_4@ch0%jm^RgsFXT~Y
zhlT}ngj5EA2S5;*K&1izpn@FAT?dF91mwU2Vt~Mxp#qF~L_`%qs1t1yMIRDKAi?(s
z9z^#h1pR?Fl%P)NwTP8K0tx=VLV<)3IW(2a;-nEuhIRwc8|XRo2x@??K<A)x=m63s
zfdmr#V330FpuSYvbuz{f7gD59M(?eX3JGIg6OxG-^CzjAfHBQl`|%j_SgixXm|G4!
z90|gc_3B-V<p8vhcL31eZ$k<LB&q7?fSJZZj-P-R5+3dn;V0m8dl;OxtF5J*E!EA^
z%F&kE(@oXm`%_(9?VT)LXHX~G&Y-$G+fQ}3rA~3CT2FDF=xA^4Mzyq>;_5b<%7KxC
zh8%R{V4ytKf%eeQE;ia^qfIu}M2E1MC^1F}3neBfVWY$pB^;FaA;c6j1&b(V5vF5Q
zG!GM_#u#N`)C8k!jGAJUgHb<>axuq5?uq=vc)EzkEYmT|bj&gxvrNY<(=p3*%rXPh
zVqjVfOpAeOF)%F_CS_q#7A9q3QkF=H*<@ihO|X${5ye&zJ5xF=;!#~X<}DLOK*wC}
zVzITxMl-O{3~V$L7L67S6!kDL%EYKKM$x&M*sM%!Rwi~`j4@qfOxG9|^`N?3o-u>T
zFs6xFx|r=XfGK8;#VkwAnuu9;56cp(vBYXDu^LOP#_CpMiQQp|-C>E{VTs*giQQp|
z-C>E{VTs*ASW_{}5wm_`mMdoc#Vk+E&hBBc8$rbSiQVx--SIc(!2W*NinC!1;`L>j
z>SOsIOa-9HxRtm$U@A@kE`?lhYr&Flk5v-%A9x4=$$F3*2oIxCVQnJhj)!Dbd67Q+
z5TOqX_6ZIR5e9^h;YEgph6<(PjqnM+ARJ#vlYz<TSmGd@`?T(clq}BLlBNPv&<06X
z&M7n^M9ATXP(Ap(DB5s%DB3SAtKk$npDz$_sAH(M9#nsxU&I`$kQXkbBFb8@COSw)
zmNJdUjR@llW2m+vbNC@VUKl@Q4$TN2Bl1w!)5UsP08b!5O}HV-h?J^_OcxdrE{qBd
z69&ZSBlbw>=@I*TdIWSdexRKrgnEsOH$=Q94;-)2{7=A@15g@t1hRqf2rGdE0|*m{
zL{(KCa0WlbpBK#y;_&@@N=tHA#cA(sW9v!9WN2C0tMo*xJbeoSX2Bh^AmI4%1U)09
zKC*zxKDEHmx4{!tHFdzBG5zoezd#;W*fWCkk%cbl-@Tye({MypTOAM(S(zu`3wb`A
z2w^DJ_URezL+fE7ONgkd-hJx)@bCy;SdWnK(Yzwzr_-`&qWq7`25>cy4(>K?HRJ+K
zf>d$WkS+-%_}4*#l)(bPi_C_EAoB15!-k@CHWH~7csw6wuTr7!(g@AMq%JGO&sbrY
ze!&W%%K*N=B@5K0FyQjP=>4A;0BwN$pv%x}=owT6t%5R<E(s)%;H%Lc$won5V1I*G
zmrhUo66^LqWNAWX;FqEl8B!yQx<vb*2|%+UCx{7^K)Fy8R1GCTLEn4*B#_|8gc`&I
zffX%jwTrg2PIjj~$S<c*7Oi-wN&cKbRFt673#aV8xQF81TeQk4URGs+L-X7T#Lo!`
zs9>tz(ho~*bt|6}!(O*ff14wJR5u>~IRS(UmOE^yQInG`S{ZbsP=42{2jiv^YH_L%
zliZg8Js)v304IRMU^yb$AbC=9yBr9D1OQ3^6#%4P8kYcqz<&EBGjjpOrAiw+@=}WK
z*A(3R`EAP|srA#3`40-n8vP(_^asUk_6Z@b(#*ha+!4LN*73J$xz%3!lqm4X4YlhW
z?+)XjtF>ntf!i|3^H^!biVHTJ0~S-QoK<ZO8E(50xSf4bJz(f6os@YFDqQ|}a^#RZ
zPC*+-Jh^!0=twzsR&<`=PV`QiO{?C?Suy%-Zs8__Nvow<o8`l<##9~{ap%pM<t(H3
z0Xc;yA{=MsRL-e*(x9<3ZPWRS%ruZ+Ca<^Yx~#@3*-(bhnBUf|^B?bZ?4W(qwxalE
z-+OT>lVlp)8&;^kRddNZ<nCA<zu9y_`c~yM=8>1tyc0_vhEMrjpMZlv0L-_7C%_6w
znWZ%d1V7*jFob--@@R(w+JT2~U^1+Qw&n3Ec*^O)QZ{Ubd-N35$%b^n?P?FR!CQN;
zvJAG$AQ1L*p;K#PXq|to`ost3)56{ZmnST5n7XjZZmz`w=!G6$Mw4Fn+)Q!CSzZ2L
z1<|)vm?QFMZAl5>3%Sj@8VRslowvhJM-y!3)n^!x^M*mKp+knAOTCsGU3STID6_U{
zm|^;h8JE1LD*iq^vf|Jfs@(AthJJ%bYmTkR=c`|AAKIxq!{D-|(m~&?t%}_3(VNU~
zl-#%3*r>BL<dIRsq{^p}#W^L*mTXrVJnpdk`#_tQ4yNs8H5s)99cc%gST0X>45hMW
zmRwyk?)~!Ez=G=Iqbu#JnjN@c>*QCK@3(LS(p#IY3s$&UjF_B~Bs{eBUQR~Nj?$~i
z+g=(^$Xj6YA}a*F7Y9z|j3eOglwPPGI1cx<{ju-x{jE;;Vi>rmk#J?6OJ&L7LvLRl
z-V8=W%vyI7XOg_HecKrWb(6@3^TlVDhd^f^B;5$`$=w^7Pq|jCV7(|;n16dm!>@&M
z<)qya=T6@)@v^YD`Nj9d6%A5=aqLWm!hOZp$Go!8x>LQH=<R<p{V_)~BdmV@9j3`!
z`zx-4`PUDRsn%iNPjB!z=MZ%Hc$@!-%<|J#nz{ii<Q`fq2;9lNF+R{+s(rfs=3vsB
zU$vcPl8c6nE_r49Q`q~w=D0r>f55NWYH(W1xZb8LD8OA~x2mQ>haq)J%B);v?%hh?
zrp-+&eOH7}2rjLAb-rfjt&GWLZz8J_6=-&@Wkj{;gGuU!p0ukjiAE)sqA(DD0**iW
z_dp<n1p+Jz5MdXh)F>iIAdo;1Zv!KNqq_}*$;<$uaITq=QB+ivAupN}JXgRo<c0>D
zu@M-3ri3$s9Z~aCye(`ETN0HKV|ehX{bCLD2TT-_L3k9b-#rNqRMG01Bsd1Wt^7lS
zk$cck5X$8UjJR{d`wBx-ay1T&rKq^P{AK@IZCi~RQbAUH@SKQ_!SdQX<%J7vtkxHq
zA2qpf%zn1)(}FW+>!j><o}3ln{rCack<W?MRv{JpXPFhJ2a^}8zg!E)HLfStJB-v%
z-?e=8Z!6{-=01L~m9Xx{(ib<YtT*{L+-J$Us$40ksQ7i%HP#DF59yWrj8<+7?;IEW
zX69wLOVJOuOl_YKYc8c2cT28j*Qt$lBb_GRP#_d`o=QqEPxOv;D=E)kEjX@F;8Unr
z4qW~-beK`#-Ip2j&-xc9`4ol0w-;7cwG0}1(R)<zB6h)FzrXMtX6x;l{e&D6drMO#
zbNZ=tYmLUhHRc<9G@v;iDN-8xX9idp!h>ptLH&70(O1C$qVNB401W`|Bcwk_G{QyU
zDf05lp9(0-Oh6v_0RVYKs+=SXd@@A7>-bur-&;Vv1p(v{2JJvT`iyA^P#N<3UoTgX
zC<TBS%3ut7#ngao7C=ex)#$aR3BJrPuKPD#vwGKJ<O8`N-I)ci1SjA+enWyIt~-N%
z9D@eV)`PWG<!B5VjZUXAU=~dGQkA2lO}MN1qn`<KVWdU-e;0t`AmqnKq7nXkMW1G^
z{lF*Dr_YEgjz0hODhZ1|=@cj$y<%oSwjLUN)OxL{+dmw99;<Z#UBRc%jEF=dX(SrG
z6h$LZA|24d$QWkPX-Mp0z%(=%!7z(v+STl%LO|9=23@Dc$QlHT)&L5H8b4ivev}rU
zOpZoE8XGq4X@1S$V7~YevNg`BJ=1D!fHC(Fx9XY7%@Uwx(2^s2l=d!Zb~nB6m3n&U
z`K+`#s$3mcC7(8L??nrpEKUG5O$P#O!hbp#UzErgq<Ao7wB7I~a`T#nZ|f>Li8&_Q
zc3*P}+m{eCKS=Gsv)EfVeQW1FnHsrLzVw>epxp+p=f}0(e;IjRZAXiL!v5n&RI}9H
zMN;D7H+%MH<So>bxv1e<*M93ZE@4k=)bs|g>w>igRWy0oveQo<{&L&lY|5r{rpeZp
z+0D~yQ&MKcaSqw)Q;tOy@3-Bk3@`(h^F6r}q^|y{-RXE`RP^pyA#Tpajk9s~k1|~B
zp2a?VU0Hsyak|_ZMbFgWu*Mm~t|@grgzSamcf-ED9y8ovSMg&9@|a=sg~yEkT#SF=
zv7?eZHg!^LK<m?k2Ns`wX1xB!yY%qXWT-`fblq!Jm3L<HopsZAC(FW~#jLP9FYf>m
zWLB_u3D=R7b5FMHP?wI?AM<9f#_%(x^Wz1L)Ef&Lo~|UE&efaJTzLM0%n5?$erJ8@
zlPVr14>MZ~jalj2v-ck<-N>%Ce&Ui9V_h2W9#dGuUFunS_nd`Mo?Kvt`dBL&qRA7r
zwtEXkL~VE$yzCY(6Bki6*zRORY|4UEzE{#C%{PA>a!cCH8Lc97ciz?C4&yHkiP`+F
zaKUhWc-Efi`6Z@zXpVIw%eCgEZ+fup-OREJ7F*O8w=_pn%&Nv0-<fUNaM!53qn((Q
zyN}zHxpM=$6Z^B*M0@lrHdJ4)7_s^v0t^Aj8C;Kid;tkTBysxvxRUG#{&%sQf&kNE
zjz%c@4d;u~tfyhQb>Kwht`ZkSUGIGW>;0bJ+}ZJz<=JUoYv;c_H(5XMZl&X8lM(qB
z{<^uuh?qTn!J$MW;`b_cUK5gmPl}yBZy#~7^Iwm~Sh2HYBmui(UO=WcKyg#)wWPv-
zxYqfTR1I|3I{izpQ1_GxxR9<22xuI<=iAdi155ujm`?9%e$5v-zL@?`!|O~PpA3#!
zHGk0E^dqo=64&Hv@WpV7Kxv~=IxR|TnNP<}`x9=YQ`4Km>vHl-LXuo&J~Vq>;kjV9
zMk!EK=G=5z)7<nJyiqXz^5|1FN>6QA{*!4*2|FgbzCBemzU}O(qSFmreZ1oH^NHa`
z6VmNSHOW@7hnaJ9-)(YwIR23Z%fz{jT6|8^%XtkuQeC-hs(DMwv7BgaZmGrGgKcWw
z+*L>FWIf}CdfCFmA9GSaEM~qUkG!dybouA~WQR7}Y$vrnlnReHJ9^A;N=n37XLkm9
z#<fi&4J#WX()M;vzVee^hvv&H-n!y-{&UASTs1W3wU&%%ZVIYz%N<`UU-5sK{=axJ
z{)P0fy-oV?!+Pb-8FN)N-l=n}mp#lo$aEN%_99t`Td(qDd*{sdHT7KUIFpLO0lqKy
z+4y+qmxlZ@vN1TPqiStAgZ##Ts5|+&cKBJ3knEeCbwf9pbu^t>COa>0X~5IN>9gC~
z+<mvbJ*jtT_uhpsWSlGtG+f@Vt-(7M)GHT--z&>^yl`V>i(~7OS8+QZ4Kd`c%86RP
zw@Ge_*@v=y?@lgi<DB1<moiCr3*|zh`o7hP&rH^jiYgtuwCSK(QPA1hxAM0rL@9Js
z$6Y-bzhrCbtlO96S}G@&l)j%$D$DP9<vBa>cgHY~e8C3YD4The#a7Q<6y~3pSu;bs
z*xa(%Jonm?+UDixM(kJm7j4q7*in7`Wm5G14_pgCjtG(92STC|`8#EQ^#99%PqKfX
zH;*{`|JQ@DDEsS6b!UGnlKp$X>G+4UKl+b=K(FlIkL(I1!-$6BH%uyl1QHBz{0|BM
Blr{hW
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..e0ce4a8f680e91b09bee453785b4d2b2aaa30a9b
GIT binary patch
literal 905
zc$_n6Vs15PV#-~>%*4pV#GKFk(14eXQ>)FR?K>|cBR4C9fs&zufgBriC<`->cxqXE
zW?o6WnL&JReqKpNv2JQvQGR}jft)z6p{aqHk)eT^fw6&66p(9SU<v0M09gil5Hr+)
zW~8RZ8(Sibz;0#}qY|=H7+D#Zn;7{SfZ|+CO^l2TD{6he_c_hVFiqZ_eCnOp?QINi
zggf_c6x`hTGSu>MRL3#JGyPrZ;>q$sg7IIYqZ{gd?G7?re6cgbrC4QG<H}}ZVS!zF
zI_}CZIA6}J|8?{5Z?@^?t2SKoE!xslS(PoZ^Ii3w+X<HoUIms-<=cMEN_c}-&>7pW
zk3W^2ky!gCrD^Mdz2f~6f67D}4SsCg+B3gigZrFR(9Q36?lCoOd|MuVH|l!MEUi<9
zd^|gjy?R=6&+A0{qSKab&W;mahF@-PkE~7H?W!rVzkJPB*M&k1CK;16Ba$6Bu6~jG
z?Q=!DVnbYBh~JurX-uBadIH?vRX_c9^3b`5;k+{iB06%59!4r%6J%m$WMEv}xY?j_
zgFylthc+7{D=RxABTI-ukU;>9Z@}2*l2KApV5P5LUS6)3T9KGrkdvyHoS$oD0R;L)
zMuxtD4>0y*6<AyioDCe=gn)*#FuwL|l>$M=<`Pau18oCMn59gNVzN+6b1O?yi%U}S
za}zW3^m6i(6La*F3yRT_7&9n3PbS-RcvNS+eZ6aE>xp-!b8h_UF79Y!e#6gxJ!;yi
z=)Si5vx8HQ>?nFyImP`9pBFPL_Y{luC9~Ou<{o*oR+6h)Q}@SaDdpqas~U42D%_~M
z`+6$tvAG)lFPEQr!hMi6VymAf*AcO>ZBP5&=$V>zub!}V@Aicj=bc{#^jA7>Zw#$m
zelfW>V*7*BcKY*qvw9?LoVeM{UrBs@RHs@#?_KVsJ4}5{rKd#QkCaxo*L7q@wLFvl
z@o{%Z%Z5Z9G42P2R~PJIxgb-y<j?XtWle*)jTKefEbklo+*Cg#TiCtm$*MmwJI>lI
jlWcwSvO>h_l>M6fX_j{%=pXv|ovnZFmgE<G>*fIfVCQI3
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..3ebaec9b34559a0d4ea79c2ad9e1c1f6d33f77ec
GIT binary patch
literal 906
zc$_n6Vs0~NV#-^<%*4pV#KQ1UbfW<;8>d#AN85K^Mn-N{1_LES1p_%Y=1>-99`V$&
z_{_YLcr%0e-2A+fjAGr?vZDO_5(7DLUPDs@Gb2L-GXrA-<0v54!qC9T2+B18N*L%t
z%uolKk(wHBf@B1CGn*Kdke$NF%D~*j$j<;2=VEGNWMnvIFx%4Sm1yO(D&Ys+dkwS%
zlg+Q@o+}o~5nL$PZCEZlDgNhe&x0ZCN5fwf-<-a9TV6{*%u}mxha>7XNNs0Wxx??p
zF==bd{RRtj>@VpYy(swF#Vp0!u%&6OThOngEA79YIJ)xK-DFJ`f%j*ci}fA4-Ptd;
zIaTj5Nmu)`$oHxJGdnYLzpn~wPD@Am&9o?!6xtDJ{ic2Y^a{D;?REvbzDh(VPuqKw
zC!$s{%GE&md1A-^R+G=1>bKQeF2!!;^!n;L!B=9V$l<VBccV&Wk@iv>zffb&$ZLz#
z^-ex4?b`g?`-+OjPw7wnsk7J2PARazdsWXm_3bv*moKt!eVuE6neQ+YGb01z;>OJe
zjT;OS*f_M=7+G1_85vnZ41x>-V0;6{HkXW&k^(Dz{qpj1z0``t+=84`z2y8{D+?gd
zCo(eh4SayHC#%5XYT#_($R-3doQ3hVXR8zlGB%fRG8$+bXu>RIVic2wTAEu~l3HAn
zlAoKHnWvYNpPZPZpIlIkmc*Dr(J8lzYtPeLLQ8rI#HId7COS`gI)9gmmr~b<wi2c}
zVy{;Jj`=?GR<d)g`C-wFgil*s;=?qz=hdh`%$@%8)T~3soIkYK)V$xz6`u&pn{fO0
zO~rXuKVKZ5#8WuGH{<o5?zFF8Llaj0I-+r5!{+)A+`e{8r2_uWy2#?Q^p?=d;zv6c
z`<%To^^MQl&d;^$p2_H?PMcmnXY&hQf2;pHw){EL@HO$w#`*0YYRg2<HcM`q(frPQ
zj&}KWo8A|@tX5{9NV~Im8Gkwd&-1lccQtmd=!m;_iTBM(w{6@1rm^o>{PS}}TGl3?
mqOip|^VG^+3Qw+adLO`Fbui{)q}&>7$2Hb-uXSF2IT-+tD`*7(
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..8f15ff9061aa4f844662d7cc4089f5da6bb8ae15
GIT binary patch
literal 1038
zc$_n6V&O7qV*0dznTe5!iG@)@FWZ2ZjZ>@5qwPB{BO^B}gF)kRLv903Hs(+kHesgF
zU>JvkhsoK|P|QFC#9`;*_02EMD@n}EQwYmUEjLs)Py~r{@ksgRS7qkpBr51CxP~dD
zq$ZW7E0m-bmnZ-=%Nj_76mj#21g9pK7G;)HD!AsQXXd4*7G>t88|oYAf~1*w)FJ|$
zgELZdazI9e05t<;6*Pd>6_pm3l;;<fWK?Pb%`=b_=QT7nFf%eVFf%YVFpLuCH8L<T
zGqi+q4U`NO4CEk2il>&vXXcf}n;FFC=I51U6zisz73Jrb7&I{|AqM~>D+6;ABR>OB
zoQtW6k&)q%RMVBhfRo$y?Edw6&l1Mc(zw~Tnata^d|!23OVYgT?wK{mC+9Jrc+zqs
zBYy7Yvc)3T*6=$w%q>}bZ|&WQ%Xts6Zzw%|?B2F0J5QIIgo9V4*fUJ4WB8YES#w?Y
zvz_ey^E23@Q;u{$Pn7N{x>a@G#Qc}%l_1f~>w9$1%Ue9|z8iMhEBn%cuPLg1hmJW(
zt7S~#eQH;iwJ!OFeO5Hb_i)c8x$HkC%K64{u9VT)_SsdX=<ocOwO?BQvrJo|bxhXu
zmdlRpj8Lf!;?n#-^%VTu<K_w_KRB82V#$lC2~&z4a<||7eCFc1J3Zc3Kgv!u^BcMc
z?O>Cr*wrGb7h!lcpjm&LBNH<t1LNYxg9eTJ4ETXzDJ#s#_@9N<fEh>`aDxQ+Sy+IH
ziOnE@jYFG_k(HI5k&(s4z{$V?#y4PWGs!3^DX`MlFE20GORY%EEyzjLOU}==vH${o
z98sfh-~%#VfyLFp*}#!a2xu4!<7>}WDG+3AF5zS}&^FM7S;E99CJVJBw-S`#Qu1?w
zsZ%c}KRGc+Ke?b7EtxZeBG-Se)J_`_v4BrCTW86+N?l}M+TWO)Uiwp%PcBuczTU-Y
z&PwZj=4bbNrt!R9di=yq4)=9O;xeM2KVkg2II&tzjD1Z?ztx)VT+UX>PqPeaAI@RB
z<)yCKy?*kH1yic@=01P2f_3(d-Ve7=IWJ1N``C;pNbJhe!-pqoUo-n49mX|vi~iJA
z#lLNHf5co0xlr+BS>ShvYHJRG+B>`#*B@PYQ{C6?20!ca-$z@Ttec~&L$)1SJR|1-
z|I+y70*4qbeaTnS&wB8wr|Lw?nwI#LMF#ikPo8=stavV3JGa4N>Ay`MB9vUCBPP7!
f%&Wd5E!G!)wA)$gVb)CRdGS)r>0#|0QkusB<X3oX
new file mode 100755
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/generate_ev.py
@@ -0,0 +1,142 @@
+#!/usr/bin/env python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import math
+import os
+import random
+import sys
+import tempfile
+
+sys.path.append(os.path.abspath('../psm_common_py'))
+import CertUtils
+
+src_dir = os.getcwd()
+temp_dir = tempfile.mkdtemp()
+
+generated_ev_certs = []
+def generate_and_import_cert(cert_name_prefix, cert_name_suffix,
+                             base_ext_text, signer_key_filename,
+                             signer_cert_filename, validity_in_months):
+    """
+    Generates a certificate and imports it into the NSS DB.
+
+    Arguments:
+        cert_name_prefix - prefix of the generated cert name
+        cert_name_suffix - suffix of the generated cert name
+        base_ext_text - the base text for the x509 extensions to be
+                        added to the certificate (extra extensions will
+                        be added if generating an EV cert)
+        signer_key_filename - the filename of the key from which the
+                              cert will be signed. If an empty string is
+                              passed in the cert will be self signed
+                              (think CA roots).
+        signer_cert_filename - the filename of the signer cert that will
+                               sign the certificate being generated.
+                               Ignored if an empty string is passed in
+                               for signer_key_filename.
+                               Must be in DER format.
+        validity_in_months - the number of months the cert should be
+                             valid for.
+
+    Output:
+      cert_name - the resultant (nick)name of the certificate
+      key_filename - the filename of the key file (PEM format)
+      cert_filename - the filename of the certificate (DER format)
+    """
+    cert_name = 'ev_%s_%u_months' % (cert_name_prefix, validity_in_months)
+
+    # If the suffix is not the empty string, add a hyphen for visual
+    # separation
+    if cert_name_suffix:
+        cert_name += '-' + cert_name_suffix
+
+    subject_string = '/CN=%s' % cert_name
+    ev_ext_text = (CertUtils.aia_prefix + cert_name + CertUtils.aia_suffix +
+                   CertUtils.mozilla_testing_ev_policy)
+
+    # Reuse the existing RSA EV root
+    if (signer_key_filename == '' and signer_cert_filename == ''):
+        cert_name = 'evroot'
+        key_filename = '../test_ev_certs/evroot.key'
+        cert_filename = '../test_ev_certs/evroot.der'
+        CertUtils.import_cert_and_pkcs12(src_dir, cert_filename,
+                                         '../test_ev_certs/evroot.p12',
+                                         cert_name, ',,')
+        return [cert_name, key_filename, cert_filename]
+
+    # Don't regenerate a previously generated cert
+    for cert in generated_ev_certs:
+        if cert_name == cert[0]:
+            return cert
+
+    validity_years = math.floor(validity_in_months / 12)
+    validity_months = validity_in_months % 12
+    [key_filename, cert_filename] = CertUtils.generate_cert_generic(
+        temp_dir,
+        src_dir,
+        random.randint(100, 40000000),
+        'rsa',
+        cert_name,
+        base_ext_text + ev_ext_text,
+        signer_key_filename,
+        signer_cert_filename,
+        subject_string,
+        validity_in_days = validity_years * 365 + validity_months * 31)
+    generated_ev_certs.append([cert_name, key_filename, cert_filename])
+
+    # The dest_dir argument of generate_pkcs12() is also set to temp_dir
+    # as the .p12 files do not need to be kept once they have been
+    # imported.
+    pkcs12_filename = CertUtils.generate_pkcs12(temp_dir, temp_dir,
+                                                cert_filename,
+                                                key_filename,
+                                                cert_name)
+    CertUtils.import_cert_and_pkcs12(src_dir, cert_filename,
+                                     pkcs12_filename, cert_name, ',,')
+
+    return [cert_name, key_filename, cert_filename]
+
+def generate_chain(ee_validity_months):
+    """
+    Generates a certificate chain and imports the individual
+    certificates into the NSS DB.
+    """
+    ca_ext_text = ('basicConstraints = critical, CA:TRUE\n' +
+                   'keyUsage = keyCertSign, cRLSign\n')
+
+    [root_nick, root_key_file, root_cert_file] = generate_and_import_cert(
+        'root',
+        '',
+        ca_ext_text,
+        '',
+        '',
+        60)
+
+    [int_nick, int_key_file, int_cert_file] = generate_and_import_cert(
+        'int',
+        root_nick,
+        ca_ext_text,
+        root_key_file,
+        root_cert_file,
+        60)
+
+    generate_and_import_cert(
+        'ee',
+        int_nick,
+        '',
+        int_key_file,
+        int_cert_file,
+        ee_validity_months)
+
+# Create a NSS DB for use by the OCSP responder.
+[noise_file, pwd_file] = CertUtils.init_nss_db(src_dir)
+
+generate_chain(39)
+generate_chain(40)
+
+# Remove unnecessary files
+os.remove(noise_file)
+os.remove(pwd_file)
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..804e9b196834c2311c10fdfaf32dad9b36b4fb61
GIT binary patch
literal 27648
zc%1Eh2_Tef+y5-~?E7vAS)#!hOJ&KvFOe<Tvy**^82eUsD#;#M%1%gRk3=GpBot*U
z*~w>S&N<HMIQYKregEhCzsJu!*If5=-PiT}=6;_0o_l%bab82&+SLMb+0ohF#1$d{
zzyJV&00{^L007YLY;-#t!OjNU*|2st48SgcfP+B`;Q5G!iOdY%K&G+KZ$~)75&nK)
z0FiYQ4E~Bt5P~<r%V_loM>xWND#*b*f*7<Th=6!I5(7K}0I!1Q!5?>&BOKuf{~5pm
zV*ojEA_g#!3db^LFc_swGn9j{!5Fw4ZxzkaoqIU|^7X$!C>)4Q#mo%6A>?XeYG>i#
z;-c<s?QY`wI}IeIDI=*R1JRN^rz`{6-4EfgHixKdDyT?m>Oqub^dQ=*3L4rn5H(eZ
zl$xrnvVxQrMDm=Prq)S_33O-U+u8VcHUXrL+JW4|hukHMObR2D!l)!Ni!cl+1d#%c
z6hcTLj1(eBVS*H<J3<5%3W}Dfh){l%L>~u+l7c7+M@b=+6h=uAlr%v}Q<OAA5ku2M
z^F!(UXdM-q9~GG&6`3CunI9FI9~GG&6<Gk~C4ll0KzRwEyaZ5QaFi8}vcgeTILZn~
zTTwCLsF*^ioWf{{DnZmI<%gnmq%S{;EeyH?eiY?jR8(1`atokx3!rktpy=G_jOaZA
zC<#MJL6k%u8-_Y640Ti(>bwY|d<9Xyf>87xq_3HUpa4ujkZ)Jz-&KE?0k*3O?yB%z
zRcKcg{!NANy1{qd;Ja?{T{rlzZtz_?@Lf9aT{`exI`CaO@Lf9aT{`exIy<V!u4=NY
zn(nG*yQ=xFYO$+c{!K+)2x!%GmyRitj=7)-)Z7$R;=)iAcFPwo!ioO=p9O$7!7Jcz
zJIWD`aD@L%V1NNY45R=f1qciV;1Yn!0oWi405}9(3l;-yf~r9jpuoSI=n?)_*kNN+
zF)#oT+^Ei+y@jiZw27<9ukUz&=*a!L_b}Z!O&N7%Nhz6=5NlTpdp`6VKj$eNEGj7m
zAi&ze+``kv$!=$_k%^nDBPwn5YkVWVU$tX93^C4OVNp>r0}W7_%xq1p&3Aj0xW5oo
zP?eU^g`kW`8o%#yB71k75}2qMI;a?SCZ-m4yIFAl5CdiWQw#x4Sqv;HI%c2|n!1~*
zjfI)(ZWio6#Q4R$2NOO{0T33I9P?il!ESaVzFi$G1;(PH`LzhFU0mEOoOi95e>gVU
z`lmw+^P#{0K@|Y-3D6v<0<8XbUwTJ4!hsM5y8?GcCQv9Z7FZhtjDNzy-N?ei2nIE>
zcXV*Ia^cxYTRXTK!GE{I+0oGz<1ZWqL=JESbAYvgP!>K2lo9Pn^%ogI2wsc;V_YaA
zm+u%97nv7}45WSj*8~neNJ^5A5=xFtVB-_0IJ!BwnpitPE?8T5@EwOTBlqLs)2cXn
zTie;0KzJZB7a-;qrf!xHR|^+c$c{4uln$Bc7(V%V3o|!oYgaFbjDw}MgN22&wSy(!
zDJTz`A-k@+)OjllJ3C|utsUnbD}-a`aL#Tnt{#rgu2x>0JMqx{{{R5^0XP8s2E6=t
zpV}iF;hzO=us-mx?bmMJgPSZmuqg1aS}9yGH7;63*Z))iI2HT?JO!@&yG!E;M>xVS
zpa#Q$fP|TdKL2~OO4@uASx?Ey{SzkXFp!4lEeiT(wFvDQhNtBE=c;X()3h<cNP`B)
z_3i62>>cx1&dV!0>&b-m><ADQ7=|0Kc(<3D0RMiX?O-n9!=#C`8kl{*TmQ#DTK_-7
z5&rW*LAoPI@pl9X7V`U_8Yln&e+S<JdxM$408kDn1lR>E0?C8$K$aj*;1{4KPyjpt
zt_EKOi-A6Xnt{<kr@#3l{GDI~O9EZ2Ese}9oL!ChMWDjMCgws$=%p2Ye(HVAP$~wn
zILd5m;q|K({+l!9epV>OA43aYMy@TwjecEEBH!06OtzodRFHIEZ&Q+ey<x=rdYcgK
zXNE%we>TIRg2KC{La?tHivNc~Lt6!Zb3V486^i#$XbTZObJJaC+<nbZoIl1!Sz*69
zWAA5$V*M1_+ze&{-#s$szGf)KA7i7eyGI7^XN7`}ff;bGn7FujI69-&|FHn90I&h5
z5=07g0CemmegcAp8dEZW6!6y<Jrv;&y@-X&6(S$9LIA`hgsMR$ca!)~7zU(<)8XZ2
zs#YE86E9#uu=L7`@Yegn)tCnW(UbRIRaI1ifItus0>#6^LA!x)f3IUeu-=YJPR1F^
zeCx*2xDS08o6rMNrWw2P!-Pl2l2*4%8NoueKS}5zNIviEzVIbcJo&B<tzB0qy{-H(
zBup*S<`FKXZMenf>-P^Lx!|)j`}DL}Sq2>?fZwq%AHUNOGU48<{y|mkj2A;wAcC0^
zQ~Vc_do}=v;K+efn=KP~EIw?JL6TIq?JVwUGB%gM#q{SSnUdGX`U(%?7|j`w@ZO{q
zc3qih^e$g>i2$uu=lna;_T0SJhR^!-0}#v<`*J)?If`(Puq@2bd&^2`(^>aH*IVM9
zz9rC;$|TlOCe2%IavsESZMe0q!c%>d^ZXFo!o~W_lDSkoJb;D%FSvxHcfva25G>?B
zo$Q|*!$Xkt^`fjE?(SrWb^+y^2DTXz-istV9nFj*7m^$G1Tofl5J^nePFcXKZrj?#
z6Kw62YDv^Q$9vzqyb}kp3`=ka_nt+tknK-W_z)yDUf$*8B9H_IGGTZPf<8Zd&(<b_
z{dU3$+Vzp?<Cw|pK_t883QE6V1G!eYjr+Ds1Wrl#*_!5-$%Ch((@P485EOsI_vaCg
zaD@LOK;8cbjsxtx{x<;E{%hzQ;Rye5M4Mn-!yqRl)c@H)?g}FW?EDcD0sw@hq(S%q
z(qKS<&#!;K<RV1c2@iWP+J8~~Kf)1?@Gn7(5YP`<|EYgAkOvt5%Nqb1^!@)Z0P=NM
zL`#BDEtKe=7;63NTd1G06BK~_1;dUC2L9CoCo<z<Zr9jrsRW1wAP1no^ZGy=@XATO
zqq44ceX%YZ=;n4QWf&wBQofSk#ziCKKGId#7ViLVp9mVXGD<CT&mtcvB$Dz^b<KKL
zG!mOj@D#h)t+VxArM{Sgw2yJ)D_U$T!K)XEa?1-}^DK%njJ~*uWnkVM`N@PX%K44=
zC`@Qw;gu$Z_3JvG7fizAks}v66>VQOESa<2c-nf7j@>GOU{dUw%>%PRaT^1i6&;0a
zd+gO%MwN@W_vueoF3PYvZ>3H9eh=QpNXp}CWe|KLU2SWnO<PPwN3_NZQ4774N^17L
z!+0utD$zK>MZ&&nXtAsJ!P_V$(N*_nfkb?An$=j;o;5)<yt;h->Vc;!C4m4SGyn*P
za$p_%WmJlf2?RrFFvuO5lFSy$ie^tejvs@nfD~OMuS@QXMKJ<^INu4H1I^1mK}_JX
z^;xUglx)Yy_0(#gnQl6M*X!pF4ik|jEXO?uY0IO(?xO0z9*N5rDN9=#{(y}^EQ~Bl
zZc*`L;k`olV}{1G0#7K^_zFlpvM(;c%9(gTx7I=ASX1H+<?zYoySnxCnLSm(<Et2)
z4_F^++uk8S#OUM)hPV604vXI*a&}B^vN@h8?tcdFw94rdErRC?V^}<4ZwF~Y@)Ec4
zXrDfdW?Lw~Qiqd&ImSt|D>&w*6ys280jzVY8btnVu0VD`s;;_G#_jyA_J%KEZxH&|
zpL76?-rBF*K_bQ+gfsJAr#BjM7P0FSe0>+HC$+Ktie601?|Z}<`!SQ=%1x7;MJS?T
zkAlPP-5Aag#lO$jrfmSIrjY`iV8%ff93rf&1aIbA`4F3(t7}gSo+aEG+bHo$z!>Pf
zP0cV{T|?On@Jk@9D2eI}Iqk=3!<w0%8&z#rCwb`I{Jgqe)H`yQ+!ocKc>P8cPV2<L
z%Hb+bsiU9Hld=iGAaP(!Y|a~6#UoOp;p*b=CBf#Ed{`51yHiQX(DQ%R0B{;;1Ed2i
z1rqEe{vALtWBqYj>E{X2LrjL4yeXBhc`i4iPd-7ToWbx2CXcs$wft^rI9Utc7lkOo
zgC;`)JQJA~NsM}cNiF;(Y*zIO(mys&IFArK4FC>nWcr39STKK{vH59Q_7Eh$GA*+N
zywQk7Wc)C^o!^e}p+;N;H|&aX$P+3S9476&gGdHS#~70=5@`aG*Eh%#?j`ZZQQuMC
zrZd2Gf~3Xu+HWCPF!m>Tn3BY)Gh14Dm`luEm#H5N^9a*YBfwK9{W0_0cDhskhegOi
zB%San!l$5hA1qbI)oF{8C2_la!U_rTt!0)Q2E8o>?jV@KKb`HLrl=3WF_cIm?`ie~
z(~#b+`PIR5eMNW76=#S|#(SL4+7T}at{%kko6nu7t*<zj+IV}-A>x^Eqw<Ged~d2B
zzyJNT7ot9m2*C{6m*Zi|k*G|SHSwx3_glBV^CIyl9+%5zE@htez{J*L+A7V-z(0s%
z<s~i)G3(}5)#)?T0=N5o6Nt}ceDSAjc&u=1ZaK$L%Ls_c07KyXI$QrZ^W&}JEy#ka
zC#HALXuu19TN`}nnLS#WvhNqQ6Pm4$FXE~s)fB0pr)6`!hHPbs=ac6LOD9jOD$208
zFHI(Cqw7B#0DKWtg_{3=wv+f%-DSc5(@f?c*I*7&R97GtHh1V$%vvW%Rl^*XUMl$x
zlQC7BJ4RdjUDk4P7&)k@?qX#j)@?43oRsqkFHedj_rd=Hj=+w+%n@UsJ|53xiC{kV
z)9L(aCFl?wKZf~qQHL$5yCe;|NZ<)JbTTQi*U&4})Gu20I9_;t;UJE++ig8@6e`D_
zj&q&*@eZW&?M4XQozfT=CL7p5!>b`j1T)^g91m4>+ZW(C@5?7miKb#&s9e7CHr3`7
zw0;3H`06XE>C+n=#F6Pjxc=0+hXx{o(`j)YGckHtx74_TzLMA9CaiY9U(A7E!TtGU
z|FkN02$GH6;r*M~SyLFZT&4pLq&||Zq*R@977Tgb@His>N}S6<Bp;Y!ygKG^#mZk_
zs`tC)mq>Eq?qz44GO^DD&V+VfD3lN^IQx@4Oi6YLQNWv--Uqy97vSMvcB<*Y8H{Qq
zu&f{(?_i;IL0}z35~HeY_*gbwp9f6Y^~RUb69uhp-sAZKQFHa|?})BYBqErx_x;K{
zOhJCqk2a>qXI;K|;t6>(MHprFs{fqh&`E0+k46VD#Fh9UjvWsl2pPU3Zgb}X=co?}
zre{g6n>;!WbF!WGP|j5`^g>qeMd2zDmaTLEm_F)^@`wJ1onPn)x@?2??!OeMt(p}-
z5Xt6kefDKS_w9;R@m3qU|AN0N#r@$C_CRGe%NGrWDvi`Yv2cBPhYwM*f)BY3bK*8I
zH8zvO?Hgd2c0rH1X4RLuq&3xezlaH7c__?LD?BSM@=)e?oV;*zNZUKOs3_u<k3XqT
zUWP3#H>Tr*u>fgFmJqKMmhhS<cAsxA@zvuND6q^3)ZcuR*`)Jc-+u&4)_!Ee)+jV_
zZ{BSd&x_kxYbQ;&X)=v7gr1-5saiwxmZ&`UEt)f-{?xTJ*JOrsZn;j&+@getWp<)5
znX}5#iv`-FXWsW+(Lzjxd|tNVQ*~BUdaMDt6b_>Kq@sBGcq7l%57}c+z3`HT^rSPp
zB(=p|&oT2$@=x?B&b4oOblxYLS?2kW{y?NFr6})aAhS%8K38Ui2NCa$qR_ZCk?atP
zWUB^lr9kezd6$QLiTA$oTI%zsQrXB_^%GaV!?w}9z3>b<jX;l$uzmGNw3M-RTn#Yo
z8$PoPL?y9@*4O$wY>|_!Wbi6pACuaQ9%~`Pk|${@+zh-Ry+vXud*x)yjrk^GYpD~0
z+Wn;N;UxCbI7~%1yt`Ni+)NdQ;$ab&p4SI(o@H4L(tPsG^z3G~UQq1qk;ZR>mp)>9
z%Y?6uo+Dt(NbqxXkNUnh@7r-h_+_!P1cag94<G6%KPw$vc0u$0c;k-QS@8IzqFT>X
zof~fY0Io90MV5~y`f+ZTJFIg3i%TqT)AM#j&jb*0i-x=VS~kRFSz)nk-dTKH8B}92
zS0(*{-P?4V;4MOdca5+QmmE$#YLZIp^F;jvox@-h?UWH~k-c6$AJs}xhu`RkZ`#e;
zc=L3h;mYq>d<!WzM1>|Rg+)Cdzd}C03iwYS;T_HYAK?i9mk@0N{(m?BPl@jTv!L()
zApzO}+IA9u0D^^d-`f~W1rO1Up`9eh)9w?zT~yni<NA`y4o8L|A<4Qr@2ZlE_IcrZ
zj0bgNwAP*{V&k(X7^@$9>ND3uRhXZZLL^k{v+`hBjQ^XHDT0M$|9dS=4?*(mjg^y_
zy4sP-pIE(9I=47dwlAb%i~2TPD3P>}0K^F#L=szwWW4ugs%$%9tV2?~G?nRs>Z;&d
z*0ocVSGkH_X2>B}i1#l^*da)^z0v4j{*gxD(dc|WUNEJl>hqHe4r_506im9){khz7
z2a%Mo66+fuW9u$9d!Nq{k@2OkBK+dx+KU_0=5M?|ICJG9Scvv7Ns~j6JUz`>gR?3J
zSsk_{@M6reW7lGgEViOo2!!Ym*$@AyI*8;(JMha!+ARJIgNgm6mr<Ib`qdmpk6g&C
zux|Fe!>9uzSP1te2|rBt|DCbBpjDm{UQ;L_^ju}^HDzA*Twhae8@8}6XfB=0fh0@V
z-Dms&)I5OMlX7=Ij=gHdU3D6+&=u&lW+Zup`Q`$Gg<$_t^I`h`G_kkRjq8dr>bD6L
z72c7CG~K?k{vqe00AcKtY{2$CnS)5?KS*>_!YVb7O6y~VcQolgu27j)>=>e_tTIlR
z(W^7vso+$5v<s+N_GQdqz^}9Hhxy47((!-t>&m@;$?*GG_&i^gl^f@7TM3%gnmwDN
z9Igb+kcB@kAt?)=))pDp4{K%aijJ_PGGo#tF<LS(@b^;@YXtO8J+hK^VXZ;j4-_CH
zu5maicYF$W`j+4NP}2rhvQU2UfQoZ@fS0!|^`p6~Z-<Thu6)*TPb91w5G5<-((F3B
zH2%%Ki@IpWJfNcCF;z76raL(Tx>`~ZmFCBBteaMIXyxrYP(aD7ht7!pYrETA&-e)O
zt6M)$`n*$Y56$cp36YYFnbzqG4b}5Csg>a*f8tSCA(KH0fLX;`>zYa6^nYjEP=3Yj
zS$xSsOSN$9GDzWLl)Bv9)yd_Kr`=;Z1h<HF!|a{M^jHQ+{(2Vv8&oGw;4$uWlrN6L
zD$XWGrMOb~FSGE^nKAou82m5d3o*j(2PU0v^<rRNAESwdi?Z6~+)Ed@%#yPS`6^oI
zG18tj4vK;L4Mf}vXdSBTD^n1}tvO-i9Y*VovH7&%+w0ro8$Qn>Z37>Af70v6>?Hy+
zau$@*tmzuu&W#U~s^>KVDX^t<nlvfbu$NH^i?YYwHsWkp)2<@IP9~^c!#U~s-MKNi
zc8x?ZCarxezs1A#p+PF8R7rSgQg?J+ykBCPIDX)HeGf#hWK;SnY0NFXakl=bHiIts
zdet~x!C=h`fjl-}KsVVaL17RT=_hyb>5{UKvtZg6*_5}nu}8T*nzD`aQsq9spl@TO
zZ-620Vpou=L7Kg&Z0TQW(d|7td5h2p*>tyBE>0V2x?LBxO#){SMvqQz-`aG>Sl37r
z3=J&7bxCMo7h$;B9Nlh|@XkCe&8e$4ee!tBd%4pxnlXhxT9<X}UFzf>^t=g?90)WE
zeio6M_KHEYLv5b>lzItpq*u^6KcjbyiPy(>@soMqQnvQ%$~sKgoL+v+y_hg*E9-lv
zV}rSpKiFgIS^zzR6uCblbGK<6Q%`DR3hd4MdfV4LYB?Eg7DHwc_q+8?{-<A3qIti?
z09`X+BGk;*xg9lXA;aP&vrHX3YA@+e1)8=I8RrSPwDPjoKpKae{r+ZAC4~QZjAZoe
z>{Dc&&Ab(m8rg5E7Cvk};v9SKR*i&)1gi$1I{&ol81@2iy!L*I=8fcOm6QGOD#zOw
zA-y?WfzQOb=v3*b*z-(kc<)8{j1WXR-}r8lv4j!!X;pr2?%7M?RzCWV`YJ}Qsi*M1
zc;0*79Ej#lS(sd%NRrip`K+)n;?CG4HjWTQ0$VZvh8(T7M%MKYi3@y`#+yp%R0+bY
zx~oAOS&gcTbMq?7o2l(aJ|>n~41&HC#a)ywI-dgWzw6m5-&9683lGw0PQq%Q6*&gW
zzY^sMc(phe@V%?x;VXBrj{&!Ch9%F2h%CdY(aku8#gxh??`_v?i1y}Pe1<D_{pC%H
zJkC>mAGhI9_Jrf<Xx`_-+E>TsmSnkW2Ww+fT%tdAj5}%EEcd*2>h2HH0c%#ni<EEr
zp3MT6PJ`wF*Z9N&foD^3S@HtJxH%<8%WCSX3)?mfY#qPm41(XM18=dvZ9tfvTkkS|
zcTHo#Alts2+(lf}@q%><Pm|QDbz~TSLbKcxkIBV5lLa$lDob3NHNy~wc0UEqy?HNi
zR)<N6o#3z+F1CDO*Zwj;LiQ1w_w_k`Ydr8!mVI7I{2jWtu|s~G_nY2=D$SBdnl3Bo
z4J)W{o1GsrB=$krw#eR$;{w&*Tg9O$R3;$(<b2(BrpR-ldGckYrQs$e_155kH|}=p
zWj7KI&8$*=#4QoK4}ybTA1+R$%1Y)K0d?_3T$@Jy&hxGwZ>b4Fd_Ob(@?N1YVO0Su
zYt05~1pZHN-4EMU|MvlPwe<MTYgSb!ndvKgl||WcXG=>um7uSdjC|G~TkXf&DLB)=
z2f2n-(~?{VTQx=mVT})1R2OcXkyIyX3F2cM%;$HmlqY!@Dkf!Q+!G^T)s_TSG_6u2
zG7tV(;m37W=z`|}8~KQ5NP8hI*HpK~*7K4QwOLS=mc&BNhflWy^$hbr;_!af)|2t4
zY_=etB$ag(cyW7v_(2i_;a8qEzly!D@+%c=_AmnCA?%WdM)lastYMxF<!IhLF5#zG
z9Gt@3jz6gz(P+1_*8CPpPA6-AD%IqSe&IahO0k~()c_;B$dnLI)~76%SIX%}b0_QY
zoqNJQXmMs^G9;fa19wgF+~B%*-ci>&r}os^ijLXbSM^K8b^NR&xb<(A-qBynN*z`1
zf@Wwkrd&<!T{+VroWnZP1r;DMzekbrvY>J<TV`+G(Oxs`cKpii3p(IZxWl-UtsuW1
znzxpM(OZ)CXpuHHwFlVUk|~@w{iOkTRgyHsP6*YmHr-5m%&adk&r!TUy7`rav7xoc
zienl>@eHW}5(BpG>Nv)g?P6+NS(7*f5mghSB*F8A*GnDEY%$-k=Q34}sX(SwmEOPq
zoZ{T49wRa{RTy}oa>`_Fv^cJRdpK%KjM4YUnJ~ao-^tp&d1o?hj>(W2j^FQ-5TtcU
z<G}(1<)V2vX!@P^ud?y_;h}2*Muc6y5#aX?GsT9(WkLU{K09OZ6VaJ(C+zrCli51M
z-a=dY9O^twP6}#RYYV|>m^F;g`vy#qLqriR9d!YIsW`U$4#QVEo;HufC_jA|9?h(f
zP8s+vxfVOD(|?KQYd76-u+b@-#grn#QXe3+8i&qKtl~$ZcFtFJ9#pGRp%8vC6+nEQ
zBx5Zt^!|8n&amP7%-66tI#0~WtfEg&IG@}mjuCEj1$BsW$(?=7VKXcKw$JQ^J}0>c
z@bMt^YZHStLEHYmb^)9GC|oCa1Xj~?X_H4{8s}80q-%NeU)dB0chgugCozRODN>qQ
zi{rY}kE+;auzl`st3N>?9POEAH|qI-PkNT4`H~l>uvu;<m;6mUcs8MPzgNd2w$atL
zc=)L;tK{59H|0yo9hOa>M`#~JWOjAKB7oM_gdCZ#@oAIr9R-Yd(o<5*#r2=mC`{$w
zM@$=k@C}teHljU}K($V-o>r@^`~s0JaxF5CGy?Yco2Nx%_@s+kDJSNCqx%2pMk6Fp
z1Aw=R=73)Y0KfI`|G#;%$zH#9{{5)ppMHh>^{B!)v-{(BhilF5Wu6x6^sg^Kds5&1
zGOAdiBbv5xO%Y+l8@*m^2RT6-AyR6GEAM+U?FvuzeIv^zggky?#+El-Scqa?*DKG~
zN2Mhr4)aYxrX4P(M&)#50@U;i29!l&L9>bky|VfG&d<~BWbeeEUL8>Vv7r$)!gxzO
zveFgiG_4zIv^HAcLNv=%o5s2@DDkYU<n;KGgr>km!qfEkO1@1_>+O?o9q;QB4h?no
zZpCm8Jts5D{w%53K+LJP7N4keNorZe^L<4VP9k^7HCMm`KFHRyBH82jrBW-t<CuB6
z25H=lAHCw_(f=VxvG+!Ch8{xw!sdghyKy+=IVoAt@;mBSX^c>A8G6Kd*trS!t3DY+
z9h}lzlJnd{7ufc08#~4)h{rLE9%3ZM>v?v+cuEJ$zx7M+Ja?A4q?PTYQ!!r$d88=$
z8z_Cr8ApLSDX#g!Eh>>lTO0Gl(0ScvIR46c&tQzc_K`S#itQCSd14lN3k*4%ON2JM
zk#c22I*H>U<z5w+2qw1UJ~rwak$oz)v(2;H#`r$h%JZs58#k-A-h#R_S>E`AP)MWh
zuovv9WY&*rMLle-%kwX%GycRIfc_sJdsTnrlY;@j8~-2pcoJ0m@IQDg(_W7__<c=n
zg{Fuof2QzC@+Ny9`54MYVkXpY-|a$fN0LDj$>+fkXS6n~(5QvoqBG?(l$=%R5Tt%_
zQgpdV_gXP+72tlg>QpP;X^|(;3_J0cCtG?+zDUE(mH2`Jiexp{TkeZ5wYS`F9Wmp?
zAfE3EbU7svDTmz~a_(v!%#wXGQ)N>8qZnLBbqP|~NvE%ROW2);v|8izOz4wjPe!vU
zu`4x8)COirkB9JeeVO%TpvOO%glz}I7I9Auvj@F2tiV-Vl8I5FE+KEa;48=Pb(}oZ
z?To6n0IuFZ<_X@8F}H}a4W(DC9BXvnqAgMiQ_Qc3kM#4NwwSGCo1U_Lvy>{{N7(e&
zHI?FKiFBhBzi`&<k2X0zMLl`dBBozzY9E(u=~bUa23OgI62HC)?BNA*j4rOR8CFSx
zj+P6rA{D{I_~*Ok%_D?}%r2c@+@MiXm&bjkdv)T9v$Y2zGihefpv3mmWf#!4-RQki
zMcoX>p16oS0%FhE39M6;)=y_95K35VkrS5O3U|BvI9tx;#?kuo<J)=<y?in>G}|A1
zlHDt7GBq?H%%&}T=(P9EZu>@B`zV?>$rpW@b<%r^FpMZapS*_?3Gw>I8b2Xa)`FlF
zwi7?K_$5{@KrZk^Wy&LuKwyP=NI_Cm%7r!a<J&_8H*#dcqMNy9p|$!3<39RAXRDQ2
zLmjZ#*B-Vt{75tqNDFLGD{0RbU#1T!zc`a|YWu-0xxH)Z`x!00EpvsIT8x{e8UAHL
zWu}iWqHF3>i_tf)net&962C`pJ_g?6{4n}eKo)aNSZT4&?)a+5)T?}aWsYl{ZSMKo
z3XBbeA`wp|*pk0F8&)p_1W33ro}IW}AeO<9UVH6zb5w4$^;3;8u!Fhi-B^JWG8Xw&
z<bpwt*_rO+vuZ*o8CL|yXR>7GR%h-6w_1M=?oQ(M@%)&QBXfLOL3?lBhDGu&&+S5D
zeOI)pEt-SAs^!^OqIt)#mQcHBr>x1VHq%xOWf^*L^d;i-IEG!0b;qxbZ)0xynlIao
ze`C|nd`&Dw|FrzFj{OwFc@t!v#dji?v%Ko9t)5XL%r5iUrPBSbeOLb+eCNvYU&BAM
zkxuu}Rri(D0?y}0xjn<rDo5$B`7?E2z2wHoDj$~W6yu%xI(xXrDeX>CV+mOx&bavA
z+}SeDZZ17uu~*2!h6*tIbF&f{A4hYKTW>9R=~aODtd@S98`GWq3`5t0^z~A9%@U5_
ztte0LrfPfRhlAlk61r+Dq4jr!<_q|^uU}!m<{KC;D0c4!h1%w9S>YYcMYn$M4_u$h
zxhn!|uLc3*q`|b|-D79-9VIH&m+wkkI&O4J7(wRCR^PyKNwnMcw!NfI*LY*S+eL=v
z5y7q+IoZ8=8^vdXr@z0pT~D?skg)3<=oWm{jOKmy9)GT8d7x=^e=soT(qq12Ast=3
zy2g-eEM^{NvO`1yi$hT@o0-#>s-|mH$muU-25*(#X7?Eg!1RrOt9+XN+nn5I3%{s@
zPvO^0E>_$70%+E;3$O!%s|jByp4W>|TC2X79fc{vc$cDB*3D-P#+G;N1tq<bib(JB
zC6OzUMSSKopEG`NtnSUb&S(Cnd4l`Z0hc8qhC5)5fgf6fXx_)f?~YB+EKhBmYfF6R
z-UBvBH>8_>KNIFS-FYh!^Q~29?b#@%IZ9^xfKG%|z1ixxH3o^8^I+oBARdOU&6+S3
ziLOZmFUyoLW@2DNm!F*?so~dYWB2USLXodCZ+O+4T^7xGvr)`-O&;UHY*Zll$LDYi
lt%XvLsPw)n?eRMbzT8~hH$tM*P(Ag3dh7n*=&Ao3@L#9T2m}BC
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/home/m-c_drive/mozilla-inbound/security/manager/ssl/tests/unit/test_validity' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -16,16 +16,17 @@ support-files =
   test_cert_trust/**
   test_cert_version/**
   test_cert_eku/**
   test_ocsp_url/**
   test_ocsp_fetch_method/**
   test_keysize/**
   test_pinning_dynamic/**
   test_onecrl/**
+  test_validity/**
 
 [test_datasignatureverifier.js]
 [test_hash_algorithms.js]
 [test_hash_algorithms_wrap.js]
 # bug 1124289 - run_test_in_child violates the sandbox on b2g and android
 skip-if = toolkit == 'android' || toolkit == 'gonk'
 [test_hmac.js]
 
@@ -126,10 +127,12 @@ run-sequentially = hardcoded ports
 [test_cert_chains.js]
 run-sequentially = hardcoded ports
 [test_client_cert.js]
 run-sequentially = hardcoded ports
 [test_nsCertType.js]
 run-sequentially = hardcoded ports
 [test_nsIX509Cert_utf8.js]
 [test_constructX509FromBase64.js]
+[test_validity.js]
+run-sequentially = hardcoded ports
 [test_certviewer_invalid_oids.js]
 skip-if = toolkit == 'android' || buildapp == 'b2g'