Bug 1409259 - Add xpcshell tests for the Symantec distrust r=keeler
authorJ.C. Jones <jjones@mozilla.com>
Wed, 01 Nov 2017 11:12:11 -0700
changeset 440846 862c080c29138942409519f244c965be2cb04873
parent 440845 595e27212723846a3f0763d20e2919e96f257e3f
child 440847 98b1272e170c8b84fba7d39eaf1c909a4e5f2e34
push id8120
push userryanvm@gmail.com
push dateSat, 04 Nov 2017 17:45:29 +0000
treeherdermozilla-beta@78568f0b1068 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs1409259
milestone58.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1409259 - Add xpcshell tests for the Symantec distrust r=keeler This commit adds two new xpcshell tests, both of them testing whether the security state in TransportSecurityInfo includes the new STATE_CERT_DISTRUST_IMMINENT flag under the correct circumstances. The first test, test_symantec_apple_google.js, tests the four combinations of certs that chain to an affected Symantec root: with/without a whitelisted intermediate, and before/after the notBefore cutoff date. The second test, test_symantec_apple_google_unaffected.js, tests an unrelated ca->intermediate->ee chain that does not chain to an affected root, and ensures the flag is not set. This patch adds SymantecSanctionsServer to the mozbuild and xpcshell test infrastructure files to ensure it runs properly on TaskCluster, too. MozReview-Commit-ID: GtUXH2VFFh
python/mozbuild/mozbuild/action/test_archive.py
python/mozbuild/mozbuild/artifacts.py
security/manager/ssl/tests/unit/moz.build
security/manager/ssl/tests/unit/test_symantec_apple_google.js
security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key
security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key.keyspec
security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem
security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem.certspec
security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem
security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem.certspec
security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem
security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem.certspec
security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem
security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem.certspec
security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem
security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem.certspec
security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem
security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem.certspec
security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem
security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem.certspec
security/manager/ssl/tests/unit/test_symantec_apple_google/moz.build
security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem
security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem.certspec
security/manager/ssl/tests/unit/test_symantec_apple_google_unaffected.js
security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp
security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
security/manager/ssl/tests/unit/xpcshell.ini
testing/xpcshell/remotexpcshelltests.py
toolkit/mozapps/installer/upload-files.mk
--- a/python/mozbuild/mozbuild/action/test_archive.py
+++ b/python/mozbuild/mozbuild/action/test_archive.py
@@ -30,16 +30,17 @@ import mozpack.path as mozpath
 import buildconfig
 
 STAGE = mozpath.join(buildconfig.topobjdir, 'dist', 'test-stage')
 
 TEST_HARNESS_BINS = [
     'BadCertServer',
     'GenerateOCSPResponse',
     'OCSPStaplingServer',
+    'SymantecSanctionsServer',
     'SmokeDMD',
     'certutil',
     'crashinject',
     'fileid',
     'geckodriver',
     'minidumpwriter',
     'pk12util',
     'screenshot',
--- a/python/mozbuild/mozbuild/artifacts.py
+++ b/python/mozbuild/mozbuild/artifacts.py
@@ -124,16 +124,17 @@ class ArtifactJob(object):
     # Each item is a pair of (pattern, (src_prefix, dest_prefix), where src_prefix
     # is the prefix of the pattern relevant to its location in the archive, and
     # dest_prefix is the prefix to be added that will yield the final path relative
     # to dist/.
     test_artifact_patterns = {
         ('bin/BadCertServer', ('bin', 'bin')),
         ('bin/GenerateOCSPResponse', ('bin', 'bin')),
         ('bin/OCSPStaplingServer', ('bin', 'bin')),
+        ('bin/SymantecSanctionsServer', ('bin', 'bin')),
         ('bin/certutil', ('bin', 'bin')),
         ('bin/fileid', ('bin', 'bin')),
         ('bin/geckodriver', ('bin', 'bin')),
         ('bin/pk12util', ('bin', 'bin')),
         ('bin/screentopng', ('bin', 'bin')),
         ('bin/ssltunnel', ('bin', 'bin')),
         ('bin/xpcshell', ('bin', 'bin')),
         ('bin/plugins/gmp-*/*/*', ('bin/plugins', 'bin')),
@@ -429,16 +430,17 @@ class WinArtifactJob(ArtifactJob):
 
     product = 'firefox'
 
     # These are a subset of TEST_HARNESS_BINS in testing/mochitest/Makefile.in.
     test_artifact_patterns = {
         ('bin/BadCertServer.exe', ('bin', 'bin')),
         ('bin/GenerateOCSPResponse.exe', ('bin', 'bin')),
         ('bin/OCSPStaplingServer.exe', ('bin', 'bin')),
+        ('bin/SymantecSanctionsServer.exe', ('bin', 'bin')),
         ('bin/certutil.exe', ('bin', 'bin')),
         ('bin/fileid.exe', ('bin', 'bin')),
         ('bin/geckodriver.exe', ('bin', 'bin')),
         ('bin/pk12util.exe', ('bin', 'bin')),
         ('bin/screenshot.exe', ('bin', 'bin')),
         ('bin/ssltunnel.exe', ('bin', 'bin')),
         ('bin/xpcshell.exe', ('bin', 'bin')),
         ('bin/plugins/gmp-*/*/*', ('bin/plugins', 'bin')),
--- a/security/manager/ssl/tests/unit/moz.build
+++ b/security/manager/ssl/tests/unit/moz.build
@@ -31,10 +31,11 @@ TEST_DIRS += [
     'test_missing_intermediate',
     'test_name_constraints',
     'test_ocsp_fetch_method',
     'test_ocsp_url',
     'test_onecrl',
     'test_pinning_dynamic',
     'test_signed_apps',
     'test_startcom_wosign',
+    'test_symantec_apple_google',
     'test_validity',
 ]
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google.js
@@ -0,0 +1,40 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of certificates issued by Symantec. If such
+// certificates have a notBefore before 1 June 2016, and are not
+// issued by an Apple or Google intermediate, they should emit a
+// warning to the console.
+
+function shouldBeImminentlyDistrusted(aTransportSecurityInfo) {
+  let isDistrust = aTransportSecurityInfo.securityState &
+                     Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
+  Assert.ok(isDistrust, "This host should be imminently distrusted");
+}
+
+function shouldNotBeImminentlyDistrusted(aTransportSecurityInfo) {
+  let isDistrust = aTransportSecurityInfo.securityState &
+                     Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
+  Assert.ok(!isDistrust, "This host should not be imminently distrusted");
+}
+
+do_get_profile();
+
+add_tls_server_setup("SymantecSanctionsServer", "test_symantec_apple_google");
+
+// Whitelisted certs aren't to be distrusted
+add_connection_test("symantec-whitelist-after-cutoff.example.com",
+                    PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
+
+add_connection_test("symantec-whitelist-before-cutoff.example.com",
+                    PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
+
+// Not-whitelisted certs after the cutoff aren't distrusted
+add_connection_test("symantec-not-whitelisted-after-cutoff.example.com",
+                    PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
+
+// Not whitelisted certs before the cutoff are to be distrusted
+add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
+                    PRErrorCodeSuccess, null, shouldBeImminentlyDistrusted);
copy from security/manager/ssl/tests/unit/bad_certs/default-ee.key
copy to security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key
copy from security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec
copy to security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key.keyspec
copy from security/manager/ssl/tests/unit/bad_certs/default-ee.pem
copy to security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem
--- a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem
@@ -13,9 +13,9 @@ aW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3Vi
 YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9tYWlucy5waW5uaW5nLmV4YW1wbGUu
 Y29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9z
 dDo4ODg4LzALBgkqhkiG9w0BAQsDggEBAH6+Qe/y1TTCx2w6f31VWp5lcizPkS8s
 ODfbgT9pKYqqvYDeiDu3q8SLGHTTsHWWewBCu5Jd0mXPXfZ4FEHcwbVJZUZBvQVr
 1aNBCriuzhNUyfjkvfCgM4OuxgNwjbihGDE8VzfxTiz8mDN0AgACCZaUTQnybQc0
 SW+ldxspBgQJom0tkZ+TGi80L3/5P5J2+7AchxhAZzQmebDnxNYDZXCJH8w15was
 OzM5BrQzz3vuxupO7lsRzZIzAU+uQD4bjcMpz3oMdj3/0lb0HZGMdU22Ub36PvLC
 6mYbTtf0IS5TVyLnbCNeliE6zoPnQPBzAUfoOeD1Tn6HQUQUT8oTf2E=
------END CERTIFICATE-----
\ No newline at end of file
+-----END CERTIFICATE-----
copy from security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec
copy to security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem.certspec
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOjCCAiSgAwIBAgIULyGlSNswcf4LYUR3oA5x6jdzOSMwCwYJKoZIhvcNAQEL
+MEkxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpHb29nbGUgSW5jMSUwIwYDVQQDExxH
+b29nbGUgSW50ZXJuZXQgQXV0aG9yaXR5IEcyMCIYDzIwMTYwNjAxMDAwMDAwWhgP
+MjA1MDAxMDEwMDAwMDBaMCkxJzAlBgNVBAMMHmVlLWZyb20td2hpdGVsaXN0LWFm
+dGVyLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaM6MDgwNgYDVR0RBC8wLYIrc3ltYW50ZWMtd2hpdGVs
+aXN0LWFmdGVyLWN1dG9mZi5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAH6N
+yRA+aDb6ZnxXq9STgk4nm6ajT6OLIdMOBM5YSFLcTldPKSqgNwUZtkYgCpCqy4PQ
+S80r2YitwexfyzpfEO3Wq+CpvFsOOIit6tlt1nt60oxVylm8cXCrRX3gGO0KrwMl
+gLxXUXDf8lrgYIdsc4zM5bKUK9APnjsdl4SkJ+uuIj4geqCpJk3RNETPOQgxoW48
+GrWBOM6BPG5aRsC2Kq1uEFE4UbaW6vKm2DIiN3Omk3PDHSBRrFUkXtNGDP/cidis
+++ZB7wexNlciVwP88tgPSE7XgbdDtKS3e9EkOw6zulHllSXFXY9Lz/Lru0ecunnl
+HG8CumzG3hGgyxMMvYI=
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-whitelist-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-whitelist-after-cutoff.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPDCCAiagAwIBAgIUTdHuf60HnLh9wyRmnGMqcwdxDkYwCwYJKoZIhvcNAQEL
+MEkxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpHb29nbGUgSW5jMSUwIwYDVQQDExxH
+b29nbGUgSW50ZXJuZXQgQXV0aG9yaXR5IEcyMCIYDzIwMTQwNjAxMDAwMDAwWhgP
+MjA1MDAxMDEwMDAwMDBaMCoxKDAmBgNVBAMMH2VlLWZyb20td2hpdGVsaXN0LWJl
+Zm9yZS1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjOzA5MDcGA1UdEQQwMC6CLHN5bWFudGVjLXdoaXRl
+bGlzdC1iZWZvcmUtY3V0b2ZmLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOCAQEA
+VxmVTbXIMs+3EsaQmwf8uIwWC+fGoPkl4/7+TFJn10rga7ixjthfNsOsBAM3NIxg
+qtn7fPFNdY8X6iPloUZtd4APQBcGYDGlviE6fyvGfR9Azu2FjqArVR/IIuJuaOao
+Lo+z+EQ8ZJUwuykkAsA4PWwrE/Y31gB45sAC6BOBWcsWeCmJgd/sIbVjsEB9uC1M
+Ihp/CxW6z23/KKrnJpa+jLtaQ0J7vG2GUhn+7WuuSqnzXKivsJjY02dTt2drNzgu
+Zm1rpqDfbdZ7JKaUzcweIW5MG9Jcc86EiTZvBf9SrEtwXX3OO8ZD5ggD17gkPUT/
+EBQzORg4QMlKFlCz0dqVdg==
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-whitelist-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-whitelist-before-cutoff.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRzCCAjGgAwIBAgIUKWMZImQYpUD8orDGzVkiD2/4DU4wCwYJKoZIhvcNAQEL
+ME8xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Bbm90aGVyIENBIEluYy4xJjAkBgNV
+BAMTHVNvbWUgT3RoZXIgQ0EgVGhhbiBUaGUgT3RoZXJzMCIYDzIwMTYwNjAxMDAw
+MDAwWhgPMjA1MDAxMDEwMDAwMDBaMCoxKDAmBgNVBAMMH2VlLW5vdC13aGl0ZWxp
+c3RlZC1hZnRlci1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjQDA+MDwGA1UdEQQ1MDOCMXN5bWFudGVj
+LW5vdC13aGl0ZWxpc3RlZC1hZnRlci1jdXRvZmYuZXhhbXBsZS5jb20wCwYJKoZI
+hvcNAQELA4IBAQANqjDZ6fpwQHHPs0U5hB5h/twTX2TXcth1MNSHBY5js33vMKSZ
+rhMK7YtAwEeSqUpvPGJSjq84PSUWJRHZn07Tt0NiCSTC98sZCr/+j0lRBYDF0Zd4
+KY7mBT3GHDKKRiF353Qgw/Shv3N0VxgTHY4qpQFjiQ1Ihz250xbqrNlXNF18LTng
+JQVC0LNhPl7jf5kbSGZBL6upTOhz24eCbZQBetF+cGH5iurSz8o6CAUDtK6nDRpP
+jKGv0euysS72GXk5kG8Hnv+qMGBJKZwOytilawyWeKW+wzPmgWA2QEP99JxhUcrA
+PPxN+ZhdTQahKiizefnJeouEoyU24ufgX7xr
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-whitelisted-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-not-whitelisted-after-cutoff.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjOgAwIBAgIUA8x0aNBUQ08bBOtgaAQjVSarFUUwCwYJKoZIhvcNAQEL
+ME8xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Bbm90aGVyIENBIEluYy4xJjAkBgNV
+BAMTHVNvbWUgT3RoZXIgQ0EgVGhhbiBUaGUgT3RoZXJzMCIYDzIwMTQwNjAxMDAw
+MDAwWhgPMjA1MDAxMDEwMDAwMDBaMCsxKTAnBgNVBAMMIGVlLW5vdC13aGl0ZWxp
+c3RlZC1iZWZvcmUtY3V0b2ZmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0EwPzA9BgNVHREENjA0gjJzeW1hbnRl
+Yy1ub3Qtd2hpdGVsaXN0ZWQtYmVmb3JlLWN1dG9mZi5leGFtcGxlLmNvbTALBgkq
+hkiG9w0BAQsDggEBAE0WCx+/EFCXGQwZDBY0W0AJ4zvHD8m1BNzFi0UPS1QwSVch
+Ic9jMbwehw0ONGNzpHKdEm4kpIrzzqdGuV2+Zohw2uqVhHuE2VFUDp24gW+MTE9g
+UAdwTv5oKsQrbY3bXY8ssKw2qoLYGwDHJbrKn+QtJeEklDWPLO2Xhpy9v5Ug8pvk
+pSRHyS2KEFSvHLAdpWUE37bXqHaTEM3xT/OEwqsXYzPgCX2RVy6Z9Z/vOz4/qHN7
+WrYmhQ+y+z0QlYl3N4Vo3kJc8mBJzMgSwgrZGHUbSISOiLC3F4qfkoEiZ4AY2ZkH
+hM8CK6afklgNCFamt6Q0/lr9pVbww2l5Cs9cMq8=
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-whitelisted-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-not-whitelisted-before-cutoff.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPDCCAiagAwIBAgIUSeAhQo5HgA/QPjSlL7bpwnAVbWIwCwYJKoZIhvcNAQEL
+MEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQD
+ExJHZW9UcnVzdCBHbG9iYWwgQ0EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEw
+MTAwMDAwMFowTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5j
+LjEmMCQGA1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+HTAbMAsGA1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MAsGCSqGSIb3DQEBCwOCAQEA
+a7Im726SOtReXjBQnRHJIOXOx/bLStaQRg1Q+eDD2ThLu6F86D8NHmuu/eCPspXI
++Yk8yCY7vHmRV6kzeBM5PRKND5DY1ryzAA3YLIo1TZxd2wkoyBHlwx0tYmKXrTB/
+Mc7BM+8PsFrFOulZYIdsoTeFSjACADrZBLDH9ppN9cNlzJfm/kUo/2rxJsaz5rU3
+xidZSUl5y9apuRHmV2uGlDlTsWQFQq05xeyPsQcI077Q4okmgZvC1flweoquIkc7
+GEQT0hahe8ZhfQXZo3xRBZoaCieFcPYbnwtaVH3Zn4hw+VcFAAl2PqB3ING0fTtc
+OCqKSIcSjbpx9ukW4vmpxg==
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAiCgAwIBAgIUO4dkpdcTqBgGNMyqCmUAgib+sNQwCwYJKoZIhvcNAQEL
+MEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQD
+ExJHZW9UcnVzdCBHbG9iYWwgQ0EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEw
+MTAwMDAwMFowSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAj
+BgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsG
+A1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MAsGCSqGSIb3DQEBCwOCAQEALIJ2Il50
+8ME2FmcjWPF6xjwLgyMNbhVjhYW4BeqH/pGq1cDt9ZT59aWsGVJqEa0VQHwtcgFY
+1JFuQqQkFZ+/9OmRVXC+EM99L593yrQLzoi8XKIgKS4w+EE1Cz+W583SWtFXgmvC
+P0C5awrTCs9QM0gRF1huJvusu29XTQL5a/3g4F2dtvT95j/XX4K4ddV0sv+sAmbC
+wn732djB9j6VJLfpUfJCeOWBHbMMijEgK0+1hW7BoE4Oa0592tLCvfyx4L5Yf9Nc
+B445/1MMZ/tf/ZSbatzaq7S/p40ez+NvZwfg3Wy3dHqRDeaNIxEf3hE6gAcGexw7
+1LfMGE1Jmr7wyQ==
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+subject:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/moz.build
@@ -0,0 +1,20 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# Temporarily disabled. See bug 1256495.
+#test_certificates = (
+#    'default-ee.pem',
+#    'ee-from-whitelist-after-cutoff.pem',
+#    'ee-from-whitelist-before-cutoff.pem',
+#    'ee-not-whitelisted-after-cutoff.pem',
+#    'ee-not-whitelisted-before-cutoff.pem',
+#    'intermediate-other.pem',
+#    'intermediate-whitelisted.pem',
+#    'test-ca.pem',
+#)
+#
+#for test_certificate in test_certificates:
+#    GeneratedTestCertificate(test_certificate)
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLzCCAhmgAwIBAgIUJ7UgecGaZcRZ3+HplOj02+8ZfAswCwYJKoZIhvcNAQEL
+MEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQD
+ExJHZW9UcnVzdCBHbG9iYWwgQ0EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEw
+MTAwMDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4x
+GzAZBgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQD
+AgEGMAwGA1UdEwQFMAMBAf8wCwYJKoZIhvcNAQELA4IBAQC1TOSmG2bkZ5sJXNvm
+GehL8NJIhE8W/x4hFyfVz6Hh5RtSMCpfFppYE8ulL8Vi3a0ddRyy1T+/KyQu29Kx
+y3o9kYWkE6Z4fhfGfODsSFmLdJVd2jyX5NFelEHgQJLvOLzW4cYzfl1WnRpjL2XC
+5UsNnQuJFQHLZKWc4+W+uG7kRdRsOig7wQcOF1Patz3CagGOyuHB62bjrGs02hSF
+ciGUENaRDkTdbiAzUdaUOU9DIZ1IUUhbn9gxACKt4P6QLlkT4BWlyplWbjfu5Y4T
+StpExt/mn/V0uclWpnJRNdfrqLAIXAXcKa+RWHdy0NRcklSAAz9L7hopr8dAEv40
+YKVN
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+subject:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google_unaffected.js
@@ -0,0 +1,22 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of certificates issued by Symantec. If such
+// certificates have a notBefore before 1 June 2016, and are not
+// issued by an Apple or Google intermediate, they should emit a
+// warning to the console.
+
+function shouldNotBeImminentlyDistrusted(aTransportSecurityInfo) {
+  let isDistrust = aTransportSecurityInfo.securityState &
+                     Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
+  Assert.ok(!isDistrust, "This host should not be imminently distrusted");
+}
+
+do_get_profile();
+
+add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+add_connection_test("ocsp-stapling-good.example.com",
+                    PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
copy from security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
copy to security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp
@@ -13,77 +13,30 @@
 
 #include <stdio.h>
 
 #include "TLSServer.h"
 
 using namespace mozilla;
 using namespace mozilla::test;
 
-struct BadCertHost
+struct SymantecCertHost
 {
   const char *mHostName;
   const char *mCertName;
 };
 
 // Hostname, cert nickname pairs.
-const BadCertHost sBadCertHosts[] =
+const SymantecCertHost sSymantecCertHosts[] =
 {
-  { "expired.example.com", "expired-ee" },
-  { "notyetvalid.example.com", "notYetValid" },
-  { "before-epoch.example.com", "beforeEpoch" },
-  { "selfsigned.example.com", "selfsigned" },
-  { "unknownissuer.example.com", "unknownissuer" },
-  { "mismatch.example.com", "mismatch" },
-  { "mismatch-CN.example.com", "mismatchCN" },
-  { "expiredissuer.example.com", "expiredissuer" },
-  { "notyetvalidissuer.example.com", "notYetValidIssuer" },
-  { "before-epoch-issuer.example.com", "beforeEpochIssuer" },
-  { "md5signature.example.com", "md5signature" },
-  { "untrusted.example.com", "default-ee" },
-  { "untrustedissuer.example.com", "untrustedissuer" },
-  { "mismatch-expired.example.com", "mismatch-expired" },
-  { "mismatch-notYetValid.example.com", "mismatch-notYetValid" },
-  { "mismatch-untrusted.example.com", "mismatch-untrusted" },
-  { "untrusted-expired.example.com", "untrusted-expired" },
-  { "md5signature-expired.example.com", "md5signature-expired" },
-  { "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" },
-  { "inadequatekeyusage.example.com", "inadequatekeyusage-ee" },
-  { "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
-  { "self-signed-end-entity-with-cA-true.example.com", "self-signed-EE-with-cA-true" },
-  { "ca-used-as-end-entity.example.com", "ca-used-as-end-entity" },
-  { "ca-used-as-end-entity-name-mismatch.example.com", "ca-used-as-end-entity" },
-  // All of include-subdomains.pinning.example.com is pinned to End Entity
-  // Test Cert with nick default-ee. Any other nick will only
-  // pass pinning when security.cert_pinning.enforcement.level != strict and
-  // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h.
-  { "include-subdomains.pinning.example.com", "default-ee" },
-  { "good.include-subdomains.pinning.example.com", "default-ee" },
-  { "bad.include-subdomains.pinning.example.com", "other-issuer-ee" },
-  { "bad.include-subdomains.pinning.example.com.", "other-issuer-ee" },
-  { "bad.include-subdomains.pinning.example.com..", "other-issuer-ee" },
-  { "exclude-subdomains.pinning.example.com", "default-ee" },
-  { "sub.exclude-subdomains.pinning.example.com", "other-issuer-ee" },
-  { "test-mode.pinning.example.com", "other-issuer-ee" },
-  { "unknownissuer.include-subdomains.pinning.example.com", "unknownissuer" },
-  { "unknownissuer.test-mode.pinning.example.com", "unknownissuer" },
-  { "nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical" },
-  { "nsCertTypeCriticalWithExtKeyUsage.example.com", "nsCertTypeCriticalWithExtKeyUsage" },
-  { "nsCertTypeCritical.example.com", "nsCertTypeCritical" },
-  { "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
-  { "end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA" },
-  { "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
-  { "badSubjectAltNames.example.com", "badSubjectAltNames" },
-  { "ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN" },
-  { "noValidNames.example.com", "noValidNames" },
-  { "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate" },
-  { "emptyissuername.example.com", "emptyIssuerName" },
-  { "ev-test.example.com", "ev-test" },
-  { "ee-from-missing-intermediate.example.com", "ee-from-missing-intermediate" },
-  { "localhost", "unknownissuer" },
+  { "symantec-whitelist-after-cutoff.example.com", "ee-from-whitelist-after-cutoff" },
+  { "symantec-whitelist-before-cutoff.example.com", "ee-from-whitelist-before-cutoff" },
+  { "symantec-not-whitelisted-after-cutoff.example.com", "ee-not-whitelisted-after-cutoff" },
+  { "symantec-not-whitelisted-before-cutoff.example.com", "ee-not-whitelisted-before-cutoff" },
+  { "symantec-unaffected.example.com", "ee-unaffected" },
   { nullptr, nullptr }
 };
 
 int32_t
 DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, const SECItem* aSrvNameArr,
                              uint32_t aSrvNameArrSize)
 {
   for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
@@ -100,18 +53,18 @@ DoSNISocketConfigBySubjectCN(PRFileDesc*
 
   return SSL_SNI_SEND_ALERT;
 }
 
 int32_t
 DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
                   uint32_t aSrvNameArrSize, void* aArg)
 {
-  const BadCertHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
-                                          sBadCertHosts);
+  const SymantecCertHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
+                                               sSymantecCertHosts);
   if (!host) {
     // No static cert <-> hostname mapping found. This happens when we use a
     // collection of certificates in a given directory and build a cert DB at
     // runtime, rather than using an NSS cert DB populated at build time.
     // (This will be the default in the future.)
     // For all given server names, check if the runtime-built cert DB contains
     // a certificate with a matching subject CN.
     return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
@@ -3,16 +3,17 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 GeckoSimplePrograms([
     'BadCertServer',
     'GenerateOCSPResponse',
     'OCSPStaplingServer',
+    'SymantecSanctionsServer',
 ], linkage=None)
 
 LOCAL_INCLUDES += [
     '../lib',
 ]
 
 USE_LIBS += [
     'mozillapkix',
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -29,16 +29,17 @@ support-files =
   test_ocsp_url/**
   test_onecrl/**
   test_pinning_dynamic/**
   test_sdr_preexisting/**
   test_sdr_preexisting_with_password/**
   test_signed_apps/**
   test_signed_dir/**
   test_startcom_wosign/**
+  test_symantec_apple_google/**
   test_validity/**
   tlsserver/**
 
 [test_add_preexisting_cert.js]
 [test_baseline_requirements_subject_common_name.js]
 [test_broken_fips.js]
 # FIPS has never been a thing on Android, so the workaround doesn't
 # exist on that platform.
@@ -167,14 +168,18 @@ skip-if = toolkit == 'android'
 [test_startcom_wosign.js]
 [test_sts_fqdn.js]
 [test_sts_holepunch.js]
 [test_sts_ipv4_ipv6.js]
 [test_sts_parser.js]
 [test_sts_preload_dynamic.js]
 [test_sts_preloadlist_perwindowpb.js]
 [test_sts_preloadlist_selfdestruct.js]
+[test_symantec_apple_google.js]
+run-sequentially = hardcoded ports
+[test_symantec_apple_google_unaffected.js]
+run-sequentially = hardcoded ports
 [test_validity.js]
 run-sequentially = hardcoded ports
 [test_x509.js]
 
 # The TLS error reporting functionality lives in /toolkit but needs tlsserver
 [test_toolkit_securityreporter.js]
--- a/testing/xpcshell/remotexpcshelltests.py
+++ b/testing/xpcshell/remotexpcshelltests.py
@@ -415,17 +415,18 @@ class XPCShellRemote(xpcshell.XPCShellTe
         # are required for some tests. This list should be similar to
         # TEST_HARNESS_BINS in testing/mochitest/Makefile.in.
         binaries = ["xpcshell",
                     "ssltunnel",
                     "certutil",
                     "pk12util",
                     "BadCertServer",
                     "OCSPStaplingServer",
-                    "GenerateOCSPResponse"]
+                    "GenerateOCSPResponse",
+                    "SymantecSanctionsServer"]
         for fname in binaries:
             local = os.path.join(self.localBin, fname)
             if os.path.isfile(local):
                 print("Pushing %s.." % fname, file=sys.stderr)
                 remoteFile = remoteJoin(self.remoteBinDir, fname)
                 self.device.pushFile(local, remoteFile)
             else:
                 print("*** Expected binary %s not found in %s!" %
--- a/toolkit/mozapps/installer/upload-files.mk
+++ b/toolkit/mozapps/installer/upload-files.mk
@@ -273,16 +273,17 @@ NO_PKG_FILES += \
 	nsinstall* \
 	res/samples \
 	res/throbber \
 	shlibsign* \
 	certutil* \
 	pk12util* \
 	BadCertServer* \
 	OCSPStaplingServer* \
+	SymantecSanctionsServer* \
 	GenerateOCSPResponse* \
 	chrome/chrome.rdf \
 	chrome/app-chrome.manifest \
 	chrome/overlayinfo \
 	components/compreg.dat \
 	components/xpti.dat \
 	content_unit_tests \
 	necko_unit_tests \