summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/chains
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /security/nss/tests/chains
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloadUXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/nss/tests/chains')
-rwxr-xr-xsecurity/nss/tests/chains/chains.sh1308
-rwxr-xr-xsecurity/nss/tests/chains/ocspd-config/ocspd-certs.sh116
-rw-r--r--security/nss/tests/chains/ocspd-config/ocspd.conf.template46
-rw-r--r--security/nss/tests/chains/ocspd-config/readme3
-rw-r--r--security/nss/tests/chains/scenarios/aia.cfg35
-rw-r--r--security/nss/tests/chains/scenarios/anypolicy.cfg77
-rw-r--r--security/nss/tests/chains/scenarios/anypolicywithlevel.cfg399
-rw-r--r--security/nss/tests/chains/scenarios/bridge.cfg106
-rw-r--r--security/nss/tests/chains/scenarios/bridgewithaia.cfg54
-rw-r--r--security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg89
-rw-r--r--security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg187
-rw-r--r--security/nss/tests/chains/scenarios/crldp.cfg105
-rw-r--r--security/nss/tests/chains/scenarios/dsa.cfg72
-rw-r--r--security/nss/tests/chains/scenarios/explicitPolicy.cfg78
-rw-r--r--security/nss/tests/chains/scenarios/extension.cfg102
-rw-r--r--security/nss/tests/chains/scenarios/extension2.cfg140
-rw-r--r--security/nss/tests/chains/scenarios/mapping.cfg63
-rw-r--r--security/nss/tests/chains/scenarios/mapping2.cfg71
-rw-r--r--security/nss/tests/chains/scenarios/megabridge_3_2.cfg130
-rw-r--r--security/nss/tests/chains/scenarios/method.cfg25
-rw-r--r--security/nss/tests/chains/scenarios/nameconstraints.cfg161
-rw-r--r--security/nss/tests/chains/scenarios/ocsp.cfg177
-rw-r--r--security/nss/tests/chains/scenarios/ocspd.cfg172
-rw-r--r--security/nss/tests/chains/scenarios/realcerts.cfg29
-rw-r--r--security/nss/tests/chains/scenarios/revoc.cfg86
-rw-r--r--security/nss/tests/chains/scenarios/scenarios24
-rw-r--r--security/nss/tests/chains/scenarios/trustanchors.cfg114
27 files changed, 3969 insertions, 0 deletions
diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh
new file mode 100755
index 000000000..4c3fa57a0
--- /dev/null
+++ b/security/nss/tests/chains/chains.sh
@@ -0,0 +1,1308 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/cert/chains.sh
+#
+# Script to test certificate chains validity.
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+
+########################### is_httpserv_alive ##########################
+# local shell function to exit with a fatal error if selfserver is not
+# running
+########################################################################
+is_httpserv_alive()
+{
+ if [ ! -f "${HTTPPID}" ]; then
+ echo "$SCRIPTNAME: Error - httpserv PID file ${HTTPPID} doesn't exist"
+ sleep 5
+ if [ ! -f "${HTTPPID}" ]; then
+ Exit 9 "Fatal - httpserv pid file ${HTTPPID} does not exist"
+ fi
+ fi
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_HTTPPID}
+ else
+ PID=`cat ${HTTPPID}`
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"
+
+ echo "httpserv with PID ${PID} found at `date`"
+}
+
+########################### wait_for_httpserv ##########################
+# local shell function to wait until httpserver is running and initialized
+########################################################################
+wait_for_httpserv()
+{
+ echo "trying to connect to httpserv at `date`"
+ echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+ ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+ if [ $? -ne 0 ]; then
+ sleep 5
+ echo "retrying to connect to httpserv at `date`"
+ echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+ ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+ if [ $? -ne 0 ]; then
+ html_failed "Waiting for Server"
+ fi
+ fi
+ is_httpserv_alive
+}
+
+########################### kill_httpserv ##############################
+# local shell function to kill the httpserver after the tests are done
+########################################################################
+kill_httpserv()
+{
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_HTTPPID}
+ else
+ PID=`cat ${HTTPPID}`
+ fi
+
+ echo "trying to kill httpserv with PID ${PID} at `date`"
+
+ if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
+ echo "${KILL} ${PID}"
+ ${KILL} ${PID}
+ else
+ echo "${KILL} -USR1 ${PID}"
+ ${KILL} -USR1 ${PID}
+ fi
+ wait ${PID}
+
+ # On Linux httpserv needs up to 30 seconds to fully die and free
+ # the port. Wait until the port is free. (Bug 129701)
+ if [ "${OS_ARCH}" = "Linux" ]; then
+ echo "httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
+ until ${BINDIR}/httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null; do
+ echo "RETRY: httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
+ sleep 1
+ done
+ fi
+
+ echo "httpserv with PID ${PID} killed at `date`"
+
+ rm ${HTTPPID}
+ html_detect_core "kill_httpserv core detection step"
+}
+
+########################### start_httpserv #############################
+# local shell function to start the httpserver with the parameters required
+# for this test and log information (parameters, start time)
+# also: wait until the server is up and running
+########################################################################
+start_httpserv()
+{
+ HTTP_METHOD=$1
+
+ if [ -n "$testname" ] ; then
+ echo "$SCRIPTNAME: $testname ----"
+ fi
+ echo "httpserv starting at `date`"
+ ODDIR="${HOSTDIR}/chains/OCSPD"
+ echo "httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \\"
+ echo " -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \\"
+ echo " -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \\"
+ echo " -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \\"
+ echo " -i ${HTTPPID} $verbose &"
+ ${PROFTOOL} ${BINDIR}/httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \
+ -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \
+ -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \
+ -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \
+ -i ${HTTPPID} $verbose &
+ RET=$?
+
+ # The PID $! returned by the MKS or Cygwin shell is not the PID of
+ # the real background process, but rather the PID of a helper
+ # process (sh.exe). MKS's kill command has a bug: invoking kill
+ # on the helper process does not terminate the real background
+ # process. Our workaround has been to have httpserv save its PID
+ # in the ${HTTPPID} file and "kill" that PID instead. But this
+ # doesn't work under Cygwin; its kill command doesn't recognize
+ # the PID of the real background process, but it does work on the
+ # PID of the helper process. So we save the value of $! in the
+ # SHELL_HTTPPID variable, and use it instead of the ${HTTPPID}
+ # file under Cygwin. (In fact, this should work in any shell
+ # other than the MKS shell.)
+ SHELL_HTTPPID=$!
+ wait_for_httpserv
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_HTTPPID}
+ else
+ PID=`cat ${HTTPPID}`
+ fi
+
+ echo "httpserv with PID ${PID} started at `date`"
+}
+
+############################# chains_init ##############################
+# local shell function to initialize this script
+########################################################################
+chains_init()
+{
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+ if [ -z "${INIT_SOURCED}" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ SCRIPTNAME="chains.sh"
+
+ CHAINS_DIR="${HOSTDIR}/chains"
+ mkdir -p ${CHAINS_DIR}
+ cd ${CHAINS_DIR}
+
+ CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"
+
+ CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
+ CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
+
+ PK7_NONCE=${CERT_SN_CNT}
+ SCEN_CNT=${CERT_SN_CNT}
+
+ AIA_FILES="${HOSTDIR}/aiafiles"
+
+ CU_DATA=${HOSTDIR}/cu_data
+ CRL_DATA=${HOSTDIR}/crl_data
+
+ DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10)
+ NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT}
+ DEFAULT_UNUSED_PORT=$(expr ${PORT:-8631} + 11)
+ NSS_UNUSED_PORT=${NSS_UNUSED_PORT:-$DEFAULT_UNUSED_PORT}
+ NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"}
+ NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp}
+ NSS_AIA_OCSP=${NSS_AIA_OCSP:-$NSS_AIA_HTTP/ocsp}
+ NSS_OCSP_UNUSED=${NSS_AIA_OCSP_UNUSED:-"http://${HOSTADDR}:${NSS_UNUSED_PORT}"}
+
+ html_head "Certificate Chains Tests"
+}
+
+chains_run_httpserv()
+{
+ HTTP_METHOD=$1
+
+ if [ -n "${NSS_AIA_PATH}" ]; then
+ HTTPPID=${NSS_AIA_PATH}/http_pid.$$
+ mkdir -p "${NSS_AIA_PATH}"
+ SAVEPWD=`pwd`
+ cd "${NSS_AIA_PATH}"
+ # Start_httpserv sets environment variables, which are required for
+ # correct cleanup. (Running it in a subshell doesn't work, the
+ # value of $SHELL_HTTPPID wouldn't arrive in this scope.)
+ start_httpserv ${HTTP_METHOD}
+ cd "${SAVEPWD}"
+ fi
+}
+
+chains_stop_httpserv()
+{
+ if [ -n "${NSS_AIA_PATH}" ]; then
+ kill_httpserv
+ fi
+}
+
+############################ chains_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+chains_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+############################ print_cu_data #############################
+# local shell function to print certutil input data
+########################################################################
+print_cu_data()
+{
+ echo "=== Certutil input data ==="
+ cat ${CU_DATA}
+ echo "==="
+}
+
+set_cert_sn()
+{
+ if [ -z "${SERIAL}" ]; then
+ CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1)
+ CERT_SN=${CERT_SN_CNT}
+ else
+ echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null
+ if [ $? -eq 0 ]; then
+ CERT_SN=$(echo ${SERIAL} | cut -b 2-)
+ CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN})
+ else
+ CERT_SN=${SERIAL}
+ fi
+ fi
+}
+
+############################# create_db ################################
+# local shell function to create certificate database
+########################################################################
+create_db()
+{
+ DB=$1
+
+ [ -d "${DB}" ] && rm -rf ${DB}
+ mkdir -p ${DB}
+
+ echo "${DB}passwd" > ${DB}/dbpasswd
+
+ TESTNAME="Creating DB ${DB}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -N -d ${DB} -f ${DB}/dbpasswd"
+ ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+########################### create_root_ca #############################
+# local shell function to generate self-signed root certificate
+########################################################################
+create_root_ca()
+{
+ ENTITY=$1
+ ENTITY_DB=${ENTITY}DB
+
+ set_cert_sn
+ date >> ${NOISE_FILE} 2>&1
+
+ CTYPE_OPT=
+ if [ -n "${CTYPE}" ]; then
+ CTYPE_OPT="-k ${CTYPE}"
+ fi
+
+ echo "5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+" > ${CU_DATA}
+
+ TESTNAME="Creating Root CA ${ENTITY}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}"
+ print_cu_data
+ ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+
+ TESTNAME="Exporting Root CA ${ENTITY}.der"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der"
+ ${BINDIR}/certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+########################### create_cert_req ############################
+# local shell function to generate certificate sign request
+########################################################################
+create_cert_req()
+{
+ ENTITY=$1
+ TYPE=$2
+
+ ENTITY_DB=${ENTITY}DB
+
+ REQ=${ENTITY}Req.der
+
+ date >> ${NOISE_FILE} 2>&1
+
+ CTYPE_OPT=
+ if [ -n "${CTYPE}" ]; then
+ CTYPE_OPT="-k ${CTYPE}"
+ fi
+
+ CA_FLAG=
+ EXT_DATA=
+ OPTIONS=
+
+ if [ "${TYPE}" != "EE" ]; then
+ CA_FLAG="-2"
+ EXT_DATA="y
+-1
+y
+"
+ fi
+
+ process_crldp
+
+ echo "${EXT_DATA}" > ${CU_DATA}
+
+ TESTNAME="Creating ${TYPE} certifiate request ${REQ}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}"
+ print_cu_data
+ ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################ create_entity #############################
+# local shell function to create certificate chain entity
+########################################################################
+create_entity()
+{
+ ENTITY=$1
+ TYPE=$2
+
+ if [ -z "${ENTITY}" ]; then
+ echo "Configuration error: Unnamed entity"
+ exit 1
+ fi
+
+ DB=${ENTITY}DB
+ ENTITY_DB=${ENTITY}DB
+
+ case "${TYPE}" in
+ "Root")
+ create_db "${DB}"
+ create_root_ca "${ENTITY}"
+ ;;
+ "Intermediate" | "Bridge" | "EE")
+ create_db "${DB}"
+ create_cert_req "${ENTITY}" "${TYPE}"
+ ;;
+ "*")
+ echo "Configuration error: Unknown type ${TYPE}"
+ exit 1
+ ;;
+ esac
+}
+
+########################################################################
+# List of global variables related to certificate extensions processing:
+#
+# Generated by process_extensions and functions called from it:
+# OPTIONS - list of command line policy extensions
+# DATA - list of inpud data related to policy extensions
+#
+# Generated by parse_config:
+# POLICY - list of certificate policies
+# MAPPING - list of policy mappings
+# INHIBIT - inhibit flag
+# AIA - AIA list
+########################################################################
+
+############################ process_policy ############################
+# local shell function to process policy extension parameters and
+# generate input for certutil
+########################################################################
+process_policy()
+{
+ if [ -n "${POLICY}" ]; then
+ OPTIONS="${OPTIONS} --extCP"
+
+ NEXT=
+ for ITEM in ${POLICY}; do
+ if [ -n "${NEXT}" ]; then
+ DATA="${DATA}y
+"
+ fi
+
+ NEXT=1
+ DATA="${DATA}${ITEM}
+1
+
+n
+"
+ done
+
+ DATA="${DATA}n
+n
+"
+ fi
+}
+
+########################### process_mapping ############################
+# local shell function to process policy mapping parameters and
+# generate input for certutil
+########################################################################
+process_mapping()
+{
+ if [ -n "${MAPPING}" ]; then
+ OPTIONS="${OPTIONS} --extPM"
+
+ NEXT=
+ for ITEM in ${MAPPING}; do
+ if [ -n "${NEXT}" ]; then
+ DATA="${DATA}y
+"
+ fi
+
+ NEXT=1
+ IDP=`echo ${ITEM} | cut -d: -f1`
+ SDP=`echo ${ITEM} | cut -d: -f2`
+ DATA="${DATA}${IDP}
+${SDP}
+"
+ done
+
+ DATA="${DATA}n
+n
+"
+ fi
+}
+
+########################### process_inhibit#############################
+# local shell function to process inhibit extension and generate input
+# for certutil
+########################################################################
+process_inhibit()
+{
+ if [ -n "${INHIBIT}" ]; then
+ OPTIONS="${OPTIONS} --extIA"
+
+ DATA="${DATA}${INHIBIT}
+n
+"
+ fi
+}
+
+############################# process_aia ##############################
+# local shell function to process AIA extension parameters and
+# generate input for certutil
+########################################################################
+process_aia()
+{
+ if [ -n "${AIA}" ]; then
+ OPTIONS="${OPTIONS} --extAIA"
+
+ DATA="${DATA}1
+"
+
+ for ITEM in ${AIA}; do
+ PK7_NONCE=`expr $PK7_NONCE + 1`
+
+ echo ${ITEM} | grep ":" > /dev/null
+ if [ $? -eq 0 ]; then
+ CERT_NICK=`echo ${ITEM} | cut -d: -f1`
+ CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
+ CERT_LOCAL="${CERT_NICK}${CERT_ISSUER}.der"
+ CERT_PUBLIC="${HOST}-$$-${CERT_NICK}${CERT_ISSUER}-${PK7_NONCE}.der"
+ else
+ CERT_LOCAL="${ITEM}.p7"
+ CERT_PUBLIC="${HOST}-$$-${ITEM}-${PK7_NONCE}.p7"
+ fi
+
+ DATA="${DATA}7
+${NSS_AIA_HTTP}/${CERT_PUBLIC}
+"
+
+ if [ -n "${NSS_AIA_PATH}" ]; then
+ cp ${CERT_LOCAL} ${NSS_AIA_PATH}/${CERT_PUBLIC} 2> /dev/null
+ chmod a+r ${NSS_AIA_PATH}/${CERT_PUBLIC}
+ echo ${NSS_AIA_PATH}/${CERT_PUBLIC} >> ${AIA_FILES}
+ fi
+ done
+
+ DATA="${DATA}0
+n
+n"
+ fi
+}
+
+process_ocsp()
+{
+ if [ -n "${OCSP}" ]; then
+ OPTIONS="${OPTIONS} --extAIA"
+
+ if [ "${OCSP}" = "offline" ]; then
+ MY_OCSP_URL=${NSS_OCSP_UNUSED}
+ else
+ MY_OCSP_URL=${NSS_AIA_OCSP}
+ fi
+
+ DATA="${DATA}2
+7
+${MY_OCSP_URL}
+0
+n
+n
+"
+ fi
+}
+
+process_crldp()
+{
+ if [ -n "${CRLDP}" ]; then
+ OPTIONS="${OPTIONS} -4"
+
+ EXT_DATA="${EXT_DATA}1
+"
+
+ for ITEM in ${CRLDP}; do
+ CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl"
+
+ EXT_DATA="${EXT_DATA}7
+${NSS_AIA_HTTP}/${CRL_PUBLIC}
+"
+ done
+
+ EXT_DATA="${EXT_DATA}-1
+-1
+-1
+n
+n
+"
+ fi
+}
+
+process_ku_ns_eku()
+{
+ if [ -n "${EXT_KU}" ]; then
+ OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}"
+ fi
+ if [ -n "${EXT_NS}" ]; then
+ EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1)
+ EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2)
+
+ OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}"
+ DATA="${DATA}${EXT_NS_CODE}
+-1
+n
+"
+ fi
+ if [ -n "${EXT_EKU}" ]; then
+ OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}"
+ fi
+}
+
+copy_crl()
+
+{
+ if [ -z "${NSS_AIA_PATH}" ]; then
+ return;
+ fi
+
+ CRL_LOCAL="${COPYCRL}.crl"
+ CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl"
+
+ cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null
+ chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC}
+ echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES}
+}
+
+########################## process_extension ###########################
+# local shell function to process entity extension parameters and
+# generate input for certutil
+########################################################################
+process_extensions()
+{
+ OPTIONS=
+ DATA=
+
+ process_policy
+ process_mapping
+ process_inhibit
+ process_aia
+ process_ocsp
+ process_ku_ns_eku
+}
+
+############################## sign_cert ###############################
+# local shell function to sign certificate sign reuqest
+########################################################################
+sign_cert()
+{
+ ENTITY=$1
+ ISSUER=$2
+ TYPE=$3
+
+ [ -z "${ISSUER}" ] && return
+
+ ENTITY_DB=${ENTITY}DB
+ ISSUER_DB=${ISSUER}DB
+ REQ=${ENTITY}Req.der
+ CERT=${ENTITY}${ISSUER}.der
+
+ set_cert_sn
+
+ EMAIL_OPT=
+ if [ "${TYPE}" = "Bridge" ]; then
+ EMAIL_OPT="-7 ${ENTITY}@${ISSUER}"
+
+ [ -n "${EMAILS}" ] && EMAILS="${EMAILS},"
+ EMAILS="${EMAILS}${ENTITY}@${ISSUER}"
+ fi
+
+ process_extensions
+
+ echo "${DATA}" > ${CU_DATA}
+
+ TESTNAME="Creating certficate ${CERT} signed by ${ISSUER}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}"
+ print_cu_data
+ ${BINDIR}/certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+
+ TESTNAME="Importing certificate ${CERT} to ${ENTITY_DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}"
+ ${BINDIR}/certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################# create_pkcs7##############################
+# local shell function to package bridge certificates into pkcs7
+# package
+########################################################################
+create_pkcs7()
+{
+ ENTITY=$1
+ ENTITY_DB=${ENTITY}DB
+
+ TESTNAME="Generating PKCS7 package from ${ENTITY_DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "cmsutil -O -r \"${EMAILS}\" -d ${ENTITY_DB} > ${ENTITY}.p7"
+ ${BINDIR}/cmsutil -O -r "${EMAILS}" -d ${ENTITY_DB} > ${ENTITY}.p7
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################# import_key ###############################
+# local shell function to import private key + cert into database
+########################################################################
+import_key()
+{
+ KEY_NAME=$1.p12
+ DB=$2
+
+ KEY_FILE=../OCSPD/${KEY_NAME}
+
+ TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss"
+ ${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+export_key()
+{
+ KEY_NAME=$1.p12
+ DB=$2
+
+ TESTNAME="Exporting $1 as ${KEY_NAME} from ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss"
+ ${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################# import_cert ##############################
+# local shell function to import certificate into database
+########################################################################
+import_cert()
+{
+ IMPORT=$1
+ DB=$2
+
+ CERT_NICK=`echo ${IMPORT} | cut -d: -f1`
+ CERT_ISSUER=`echo ${IMPORT} | cut -d: -f2`
+ CERT_TRUST=`echo ${IMPORT} | cut -d: -f3`
+
+ if [ "${CERT_ISSUER}" = "x" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.cert
+ CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.der
+ CERT_FILE="../OCSPD/${CERT}"
+ else
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+ CERT_FILE=${CERT}
+ fi
+
+ IS_ASCII=`grep -c -- "-----BEGIN CERTIFICATE-----" ${CERT_FILE}`
+
+ ASCII_OPT=
+ if [ "${IS_ASCII}" -gt 0 ]; then
+ ASCII_OPT="-a"
+ fi
+
+ TESTNAME="Importing certificate ${CERT} to ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t \"${CERT_TRUST}\" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}"
+ ${BINDIR}/certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t "${CERT_TRUST}" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+import_crl()
+{
+ IMPORT=$1
+ DB=$2
+
+ CRL_NICK=`echo ${IMPORT} | cut -d: -f1`
+ CRL_FILE=${CRL_NICK}.crl
+
+ if [ ! -f "${CRL_FILE}" ]; then
+ return
+ fi
+
+ TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}"
+ ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+create_crl()
+{
+ ISSUER=$1
+ ISSUER_DB=${ISSUER}DB
+
+ CRL=${ISSUER}.crl
+
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ DATE_LAST="${DATE}"
+
+ UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ')
+
+ echo "update=${DATE}" > ${CRL_DATA}
+ echo "nextupdate=${UPDATE}" >> ${CRL_DATA}
+
+ TESTNAME="Create CRL for ${ISSUER_DB}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
+ echo "=== Crlutil input data ==="
+ cat ${CRL_DATA}
+ echo "==="
+ ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+revoke_cert()
+{
+ ISSUER=$1
+ ISSUER_DB=${ISSUER}DB
+
+ CRL=${ISSUER}.crl
+
+ set_cert_sn
+
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ while [ "${DATE}" = "${DATE_LAST}" ]; do
+ sleep 1
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ done
+ DATE_LAST="${DATE}"
+
+ echo "update=${DATE}" > ${CRL_DATA}
+ echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA}
+
+ TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
+ echo "=== Crlutil input data ==="
+ cat ${CRL_DATA}
+ echo "==="
+ ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+########################################################################
+# List of global variables related to certificate verification:
+#
+# Generated by parse_config:
+# DB - DB used for testing
+# FETCH - fetch flag (used with AIA extension)
+# POLICY - list of policies
+# TRUST - trust anchor
+# TRUST_AND_DB - Examine both trust anchors and the cert db for trust
+# VERIFY - list of certificates to use as vfychain parameters
+# EXP_RESULT - expected result
+# REV_OPTS - revocation options
+########################################################################
+
+############################# verify_cert ##############################
+# local shell function to verify certificate validity
+########################################################################
+verify_cert()
+{
+ ENGINE=$1
+
+ DB_OPT=
+ FETCH_OPT=
+ POLICY_OPT=
+ TRUST_OPT=
+ VFY_CERTS=
+ VFY_LIST=
+ TRUST_AND_DB_OPT=
+
+ if [ -n "${DB}" ]; then
+ DB_OPT="-d ${DB}"
+ fi
+
+ if [ -n "${FETCH}" ]; then
+ FETCH_OPT="-f"
+ if [ -z "${NSS_AIA_HTTP}" ]; then
+ echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined"
+ return
+ fi
+ fi
+
+ if [ -n "${TRUST_AND_DB}" ]; then
+ TRUST_AND_DB_OPT="-T"
+ fi
+
+ for ITEM in ${POLICY}; do
+ POLICY_OPT="${POLICY_OPT} -o ${ITEM}"
+ done
+
+ for ITEM in ${TRUST}; do
+ echo ${ITEM} | grep ":" > /dev/null
+ if [ $? -eq 0 ]; then
+ CERT_NICK=`echo ${ITEM} | cut -d: -f1`
+ CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+
+ TRUST_OPT="${TRUST_OPT} -t ${CERT}"
+ else
+ TRUST_OPT="${TRUST_OPT} -t ${ITEM}"
+ fi
+ done
+
+ for ITEM in ${VERIFY}; do
+ CERT_NICK=`echo ${ITEM} | cut -d: -f1`
+ CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
+
+ if [ "${CERT_ISSUER}" = "x" ]; then
+ CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert"
+ VFY_CERTS="${VFY_CERTS} ${CERT}"
+ VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT="../OCSPD/${CERT_NICK}.der"
+ VFY_CERTS="${VFY_CERTS} ${CERT}"
+ VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
+ else
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+ VFY_CERTS="${VFY_CERTS} ${CERT}"
+ VFY_LIST="${VFY_LIST} ${CERT}"
+ fi
+ done
+
+ VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+ VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+
+ TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "vfychain ${VFY_OPTS_ALL}"
+
+ if [ -z "${MEMLEAK_DBG}" ]; then
+ VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1)
+ RESULT=$?
+ echo "${VFY_OUT}"
+ else
+ VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE})
+ RESULT=$?
+ echo "${VFY_OUT}"
+ fi
+
+ echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null
+ E5990=$?
+ echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null
+ E8030=$?
+
+ if [ $E5990 -eq 0 -o $E8030 -eq 0 ]; then
+ echo "Result of this test is not valid due to network time out."
+ html_unknown "${SCENARIO}${TESTNAME}"
+ return
+ fi
+
+ echo "Returned value is ${RESULT}, expected result is ${EXP_RESULT}"
+
+ if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then
+ html_passed "${SCENARIO}${TESTNAME}"
+ elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then
+ html_passed "${SCENARIO}${TESTNAME}"
+ else
+ html_failed "${SCENARIO}${TESTNAME}"
+ fi
+}
+
+check_ocsp()
+{
+ OCSP_CERT=$1
+
+ CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1`
+ CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2`
+
+ if [ "${CERT_ISSUER}" = "x" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.cert
+ CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.der
+ CERT_FILE="../OCSPD/${CERT}"
+ else
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+ CERT_FILE=${CERT}
+ fi
+
+ # sample line:
+ # URI: "http://ocsp.server:2601"
+ OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
+ OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
+
+ echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
+ tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
+ return $?
+}
+
+############################ parse_result ##############################
+# local shell function to process expected result value
+# this function was created for case that expected result depends on
+# some conditions - in our case type of cert DB
+#
+# default results are pass and fail
+# this function added parsable values in format:
+# type1:value1 type2:value2 .... typex:valuex
+#
+# allowed types are dbm, sql, all (all means all other cases)
+# allowed values are pass and fail
+#
+# if this format is not used, EXP_RESULT will stay unchanged (this also
+# covers pass and fail states)
+########################################################################
+parse_result()
+{
+ for RES in ${EXP_RESULT}
+ do
+ RESTYPE=$(echo ${RES} | cut -d: -f1)
+ RESSTAT=$(echo ${RES} | cut -d: -f2)
+
+ if [ "${RESTYPE}" = "${NSS_DEFAULT_DB_TYPE}" -o "${RESTYPE}" = "all" ]; then
+ EXP_RESULT=${RESSTAT}
+ break
+ fi
+ done
+}
+
+############################ parse_config ##############################
+# local shell function to parse and process file containing certificate
+# chain configuration and list of tests
+########################################################################
+parse_config()
+{
+ SCENARIO=
+ LOGNAME=
+
+ while read KEY VALUE
+ do
+ case "${KEY}" in
+ "entity")
+ ENTITY="${VALUE}"
+ TYPE=
+ ISSUER=
+ CTYPE=
+ POLICY=
+ MAPPING=
+ INHIBIT=
+ AIA=
+ CRLDP=
+ OCSP=
+ DB=
+ EMAILS=
+ EXT_KU=
+ EXT_NS=
+ EXT_EKU=
+ SERIAL=
+ EXPORT_KEY=
+ ;;
+ "type")
+ TYPE="${VALUE}"
+ ;;
+ "issuer")
+ if [ -n "${ISSUER}" ]; then
+ if [ -z "${DB}" ]; then
+ create_entity "${ENTITY}" "${TYPE}"
+ fi
+ sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
+ fi
+
+ ISSUER="${VALUE}"
+ POLICY=
+ MAPPING=
+ INHIBIT=
+ AIA=
+ EXT_KU=
+ EXT_NS=
+ EXT_EKU=
+ ;;
+ "ctype")
+ CTYPE="${VALUE}"
+ ;;
+ "policy")
+ POLICY="${POLICY} ${VALUE}"
+ ;;
+ "mapping")
+ MAPPING="${MAPPING} ${VALUE}"
+ ;;
+ "inhibit")
+ INHIBIT="${VALUE}"
+ ;;
+ "aia")
+ AIA="${AIA} ${VALUE}"
+ ;;
+ "crldp")
+ CRLDP="${CRLDP} ${VALUE}"
+ ;;
+ "ocsp")
+ OCSP="${VALUE}"
+ ;;
+ "db")
+ DB="${VALUE}DB"
+ create_db "${DB}"
+ ;;
+ "import")
+ IMPORT="${VALUE}"
+ import_cert "${IMPORT}" "${DB}"
+ import_crl "${IMPORT}" "${DB}"
+ ;;
+ "import_key")
+ IMPORT="${VALUE}"
+ import_key "${IMPORT}" "${DB}"
+ ;;
+ "crl")
+ ISSUER="${VALUE}"
+ create_crl "${ISSUER}"
+ ;;
+ "revoke")
+ REVOKE="${VALUE}"
+ ;;
+ "serial")
+ SERIAL="${VALUE}"
+ ;;
+ "export_key")
+ EXPORT_KEY=1
+ ;;
+ "copycrl")
+ COPYCRL="${VALUE}"
+ copy_crl "${COPYCRL}"
+ ;;
+ "verify")
+ VERIFY="${VALUE}"
+ TRUST=
+ TRUST_AND_DB=
+ POLICY=
+ FETCH=
+ EXP_RESULT=
+ REV_OPTS=
+ USAGE_OPT=
+ ;;
+ "cert")
+ VERIFY="${VERIFY} ${VALUE}"
+ ;;
+ "testdb")
+ if [ -n "${VALUE}" ]; then
+ DB="${VALUE}DB"
+ else
+ DB=
+ fi
+ ;;
+ "trust")
+ TRUST="${TRUST} ${VALUE}"
+ ;;
+ "trust_and_db")
+ TRUST_AND_DB=1
+ ;;
+ "fetch")
+ FETCH=1
+ ;;
+ "result")
+ EXP_RESULT="${VALUE}"
+ parse_result
+ ;;
+ "rev_type")
+ REV_OPTS="${REV_OPTS} -g ${VALUE}"
+ ;;
+ "rev_flags")
+ REV_OPTS="${REV_OPTS} -h ${VALUE}"
+ ;;
+ "rev_mtype")
+ REV_OPTS="${REV_OPTS} -m ${VALUE}"
+ ;;
+ "rev_mflags")
+ REV_OPTS="${REV_OPTS} -s ${VALUE}"
+ ;;
+ "scenario")
+ SCENARIO="${VALUE}: "
+
+ CHAINS_DIR="${HOSTDIR}/chains/${VALUE}"
+ mkdir -p ${CHAINS_DIR}
+ cd ${CHAINS_DIR}
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ LOGNAME="libpkix-${VALUE}"
+ LOGFILE="${LOGDIR}/${LOGNAME}"
+ fi
+
+ SCEN_CNT=$(expr ${SCEN_CNT} + 1)
+ ;;
+ "sleep")
+ sleep ${VALUE}
+ ;;
+ "break")
+ break
+ ;;
+ "check_ocsp")
+ TESTNAME="Test that OCSP server is reachable"
+ check_ocsp ${VALUE}
+ if [ $? -ne 0 ]; then
+ html_failed "$TESTNAME"
+ break;
+ else
+ html_passed "$TESTNAME"
+ fi
+ ;;
+ "ku")
+ EXT_KU="${VALUE}"
+ ;;
+ "ns")
+ EXT_NS="${VALUE}"
+ ;;
+ "eku")
+ EXT_EKU="${VALUE}"
+ ;;
+ "usage")
+ USAGE_OPT="-u ${VALUE}"
+ ;;
+ "")
+ if [ -n "${ENTITY}" ]; then
+ if [ -z "${DB}" ]; then
+ create_entity "${ENTITY}" "${TYPE}"
+ fi
+ sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
+ if [ "${TYPE}" = "Bridge" ]; then
+ create_pkcs7 "${ENTITY}"
+ fi
+ if [ -n "${EXPORT_KEY}" ]; then
+ export_key "${ENTITY}" "${DB}"
+ fi
+ ENTITY=
+ fi
+
+ if [ -n "${VERIFY}" ] && \
+ [ -z "$NSS_DISABLE_LIBPKIX" ]; then
+ verify_cert "-pp"
+ if [ -n "${VERIFY_CLASSIC_ENGINE_TOO}" ] && \
+ [ -z "$NSS_DISABLE_LIBPKIX" ]; then
+ verify_cert ""
+ verify_cert "-p"
+ fi
+ VERIFY=
+ fi
+
+ if [ -n "${REVOKE}" ]; then
+ revoke_cert "${REVOKE}" "${DB}"
+ REVOKE=
+ fi
+ ;;
+ *)
+ if [ `echo ${KEY} | cut -b 1` != "#" ]; then
+ echo "Configuration error: Unknown keyword ${KEY}"
+ exit 1
+ fi
+ ;;
+ esac
+ done
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ log_parse
+ html_msg $? 0 "${SCENARIO}Memory leak checking"
+ fi
+}
+
+process_scenario()
+{
+ SCENARIO_FILE=$1
+
+ > ${AIA_FILES}
+
+ parse_config < "${QADIR}/chains/scenarios/${SCENARIO_FILE}"
+
+ while read AIA_FILE
+ do
+ rm ${AIA_FILE} 2> /dev/null
+ done < ${AIA_FILES}
+ rm ${AIA_FILES}
+}
+
+# process ocspd.cfg separately
+chains_ocspd()
+{
+ process_scenario "ocspd.cfg"
+}
+
+# process ocsp.cfg separately
+chains_method()
+{
+ process_scenario "method.cfg"
+}
+
+############################# chains_main ##############################
+# local shell function to process all testing scenarios
+########################################################################
+chains_main()
+{
+ while read LINE
+ do
+ [ `echo ${LINE} | cut -b 1` != "#" ] || continue
+
+ [ ${LINE} != 'ocspd.cfg' ] || continue
+ [ ${LINE} != 'method.cfg' ] || continue
+
+ process_scenario ${LINE}
+ done < "${CHAINS_SCENARIOS}"
+}
+
+################################ main ##################################
+
+chains_init
+VERIFY_CLASSIC_ENGINE_TOO=
+chains_ocspd
+VERIFY_CLASSIC_ENGINE_TOO=1
+chains_run_httpserv get
+chains_method
+chains_stop_httpserv
+chains_run_httpserv post
+chains_method
+chains_stop_httpserv
+VERIFY_CLASSIC_ENGINE_TOO=
+chains_run_httpserv random
+chains_main
+chains_stop_httpserv
+chains_run_httpserv get-unknown
+chains_main
+chains_stop_httpserv
+chains_cleanup
diff --git a/security/nss/tests/chains/ocspd-config/ocspd-certs.sh b/security/nss/tests/chains/ocspd-config/ocspd-certs.sh
new file mode 100755
index 000000000..2f7d45898
--- /dev/null
+++ b/security/nss/tests/chains/ocspd-config/ocspd-certs.sh
@@ -0,0 +1,116 @@
+#!/bin/bash
+
+DATA_DIR=$1
+OCSP_DIR=$2
+CERT_DIR=$3
+
+TEST_PWD="nssnss"
+CONF_TEMPLATE="ocspd.conf.template"
+
+convert_cert()
+{
+ CERT_NAME=$1
+ CERT_SIGNER=$2
+
+ openssl x509 -in ${DATA_DIR}/${CERT_NAME}${CERT_SIGNER}.der -inform DER -out ${DATA_DIR}/${CERT_NAME}.pem -outform PEM
+}
+
+convert_crl()
+{
+ CRL_NAME=$1
+
+ openssl crl -in ${DATA_DIR}/${CRL_NAME}.crl -inform DER -out ${DATA_DIR}/${CRL_NAME}crl.pem -outform PEM
+}
+
+convert_key()
+{
+ KEY_NAME=$1
+
+ pk12util -o ${DATA_DIR}/${KEY_NAME}.p12 -n ${KEY_NAME} -d ${DATA_DIR}/${KEY_NAME}DB -k ${DATA_DIR}/${KEY_NAME}DB/dbpasswd -W ${TEST_PWD}
+ openssl pkcs12 -in ${DATA_DIR}/${KEY_NAME}.p12 -out ${DATA_DIR}/${KEY_NAME}.key.tmp -passin pass:${TEST_PWD} -passout pass:${TEST_PWD}
+
+ STATUS=0
+ cat ${DATA_DIR}/${KEY_NAME}.key.tmp | while read LINE; do
+ echo "${LINE}" | grep "BEGIN ENCRYPTED PRIVATE KEY" > /dev/null && STATUS=1
+ [ ${STATUS} -eq 1 ] && echo "${LINE}"
+ echo "${LINE}" | grep "END ENCRYPTED PRIVATE KEY" > /dev/null && break
+ done > ${DATA_DIR}/${KEY_NAME}.key
+
+ rm ${DATA_DIR}/${KEY_NAME}.key.tmp
+}
+
+create_conf()
+{
+ CONF_FILE=$1
+ CA=$2
+ OCSP=$3
+ PORT=$4
+
+ cat ${CONF_TEMPLATE} | \
+ sed "s:@DIR@:${OCSP_DIR}:" | \
+ sed "s:@CA_CERT@:${DATA_DIR}/${CA}.pem:" | \
+ sed "s:@CA_CRL@:${DATA_DIR}/${CA}crl.pem:" | \
+ sed "s:@CA_KEY@:${DATA_DIR}/${CA}.key:" | \
+ sed "s:@OCSP_PID@:${OCSP}.pid:" | \
+ sed "s:@PORT@:${PORT}:" \
+ > ${CONF_FILE}
+}
+
+copy_cert()
+{
+ CERT_NAME=$1
+ CERT_SIGNER=$2
+
+ cp ${DATA_DIR}/${CERT_NAME}${CERT_SIGNER}.der ${CERT_DIR}/${CERT_NAME}.cert
+}
+
+
+copy_key()
+{
+ KEY_NAME=$1
+
+ cp ${DATA_DIR}/${KEY_NAME}.p12 ${CERT_DIR}/${KEY_NAME}.p12
+}
+
+convert_cert OCSPRoot
+convert_crl OCSPRoot
+convert_key OCSPRoot
+
+convert_cert OCSPCA1 OCSPRoot
+convert_crl OCSPCA1
+convert_key OCSPCA1
+
+convert_cert OCSPCA2 OCSPRoot
+convert_crl OCSPCA2
+convert_key OCSPCA2
+
+convert_cert OCSPCA3 OCSPRoot
+convert_crl OCSPCA3
+convert_key OCSPCA3
+
+create_conf ocspd0.conf OCSPRoot ocspd0 2600
+create_conf ocspd1.conf OCSPCA1 ocspd1 2601
+create_conf ocspd2.conf OCSPCA2 ocspd2 2602
+create_conf ocspd3.conf OCSPCA3 ocspd3 2603
+
+copy_cert OCSPRoot
+copy_cert OCSPCA1 OCSPRoot
+copy_cert OCSPCA2 OCSPRoot
+copy_cert OCSPCA3 OCSPRoot
+copy_cert OCSPEE11 OCSPCA1
+copy_cert OCSPEE12 OCSPCA1
+copy_cert OCSPEE13 OCSPCA1
+copy_cert OCSPEE14 OCSPCA1
+copy_cert OCSPEE15 OCSPCA1
+copy_cert OCSPEE21 OCSPCA2
+copy_cert OCSPEE22 OCSPCA2
+copy_cert OCSPEE23 OCSPCA2
+copy_cert OCSPEE31 OCSPCA3
+copy_cert OCSPEE32 OCSPCA3
+copy_cert OCSPEE33 OCSPCA3
+
+copy_key OCSPRoot
+copy_key OCSPCA1
+copy_key OCSPCA2
+copy_key OCSPCA3
+
diff --git a/security/nss/tests/chains/ocspd-config/ocspd.conf.template b/security/nss/tests/chains/ocspd-config/ocspd.conf.template
new file mode 100644
index 000000000..456c74a16
--- /dev/null
+++ b/security/nss/tests/chains/ocspd-config/ocspd.conf.template
@@ -0,0 +1,46 @@
+[ ocspd ]
+
+default_ocspd = OCSPD_default
+
+[ OCSPD_default ]
+
+dir = @DIR@
+db = $dir/index.txt
+md = sha1
+
+ca_certificate = $dir/@CA_CERT@
+ocspd_certificate = $dir/@CA_CERT@
+ocspd_key = $dir/@CA_KEY@
+pidfile = $dir/@OCSP_PID@
+
+user = nobody
+group = nobody
+
+bind = *
+port = @PORT@
+
+max_req_size = 8192
+threads_num = 150
+max_timeout_secs = 5
+crl_auto_reload = 3600
+crl_check_validity = 600
+crl_reload_expired = yes
+response = ocsp_response
+dbms = dbms_file
+
+[ ocsp_response ]
+
+dir = @DIR@
+next_update_days = 0
+next_update_mins = 5
+
+[ dbms_file ]
+
+0.ca = @first_ca
+
+[ first_ca ]
+
+crl_url = file:///@DIR@/@CA_CRL@
+ca_url = file:///@DIR@/@CA_CERT@
+server_cert = file:///@DIR@/@CA_CERT@
+
diff --git a/security/nss/tests/chains/ocspd-config/readme b/security/nss/tests/chains/ocspd-config/readme
new file mode 100644
index 000000000..5069af6fe
--- /dev/null
+++ b/security/nss/tests/chains/ocspd-config/readme
@@ -0,0 +1,3 @@
+OBSOLETE
+
+tests have been changed to use a local ocsp server (using httpserv)
diff --git a/security/nss/tests/chains/scenarios/aia.cfg b/security/nss/tests/chains/scenarios/aia.cfg
new file mode 100644
index 000000000..df3b1ef02
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/aia.cfg
@@ -0,0 +1,35 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AIA
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ aia CA1:Root
+
+entity User
+ type EE
+ issuer CA2
+
+testdb User
+
+verify User:CA2
+ cert CA2:CA1
+ trust Root:
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ trust Root:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/anypolicy.cfg b/security/nss/tests/chains/scenarios/anypolicy.cfg
new file mode 100644
index 000000000..fd647ad23
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/anypolicy.cfg
@@ -0,0 +1,77 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AnyPolicy
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+ policy any
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ inhibit 0
+
+entity CA3
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+
+entity User1
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+entity User2
+ type EE
+ issuer CA2
+ policy any
+
+entity User3
+ type EE
+ issuer CA3
+ policy any
+
+db All
+
+import RootCA::
+import CA1:RootCA:
+import CA2:CA1:
+import CA3:CA1:
+
+verify User1:CA2
+ trust RootCA
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust RootCA
+ policy OID.2.0
+ result fail
+
+verify User2:CA2
+ trust RootCA
+ policy OID.1.0
+ result fail
+
+verify User2:CA2
+ trust RootCA
+ policy OID.2.0
+ result fail
+
+verify User3:CA3
+ trust RootCA
+ policy OID.1.0
+ result pass
+
+verify User3:CA3
+ trust RootCA
+ policy OID.2.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg
new file mode 100644
index 000000000..9dd84a797
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg
@@ -0,0 +1,399 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AnyPolicyWithLevel
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+ policy any
+ inhibit 1
+
+entity CA12
+ type Intermediate
+ issuer CA1
+ policy any
+
+entity CA13
+ type Intermediate
+ issuer CA12
+ policy OID.1.0
+
+entity EE1
+ type EE
+ issuer CA13
+ policy OID.1.0
+
+entity CA22
+ type Intermediate
+ issuer CA1
+ policy any
+
+entity CA23
+ type Intermediate
+ issuer CA22
+ policy any
+
+entity EE2
+ type EE
+ issuer CA23
+ policy OID.1.0
+
+entity CA32
+ type Intermediate
+ issuer CA1
+ policy any
+ inhibit 1
+
+entity CA33
+ type Intermediate
+ issuer CA32
+ policy any
+
+entity EE3
+ type EE
+ issuer CA33
+ policy OID.1.0
+
+entity CA42
+ type Intermediate
+ issuer CA1
+ policy any
+ policy OID.1.0
+
+entity CA43
+ type Intermediate
+ issuer CA42
+ policy any
+ policy OID.1.0
+
+entity EE4
+ type EE
+ issuer CA43
+ policy OID.1.0
+
+entity CA52
+ type Intermediate
+ issuer CA1
+ policy any
+ policy OID.1.0
+
+entity CA53
+ type Intermediate
+ issuer CA52
+ policy any
+
+entity EE5
+ type EE
+ issuer CA53
+ policy OID.1.0
+
+entity CA61
+ type Intermediate
+ issuer RootCA
+ policy any
+ inhibit 5
+
+entity CA62
+ type Intermediate
+ issuer CA61
+ policy any
+
+entity EE62
+ type EE
+ issuer CA62
+ policy OID.1.0
+
+entity CA63
+ type Intermediate
+ issuer CA62
+ policy any
+
+entity EE63
+ type EE
+ issuer CA63
+ policy OID.1.0
+
+entity CA64
+ type Intermediate
+ issuer CA63
+ policy any
+
+entity EE64
+ type EE
+ issuer CA64
+ policy OID.1.0
+
+entity CA65
+ type Intermediate
+ issuer CA64
+ policy any
+
+entity EE65
+ type EE
+ issuer CA65
+ policy OID.1.0
+
+entity CA66
+ type Intermediate
+ issuer CA65
+ policy any
+
+entity EE66
+ type EE
+ issuer CA66
+ policy OID.1.0
+
+entity CA67
+ type Intermediate
+ issuer CA66
+ policy any
+
+entity EE67
+ type EE
+ issuer CA67
+ policy OID.1.0
+
+db All
+
+verify EE1:CA13
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA12:CA1
+ cert CA13:CA12
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE1:CA13
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA12:CA1
+ cert CA13:CA12
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA13
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA12:CA1
+ cert CA13:CA12
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result pass
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result fail
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ result pass
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result fail
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ result pass
+
+verify EE4:CA43
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA42:CA1
+ cert CA43:CA42
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE4:CA43
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA42:CA1
+ cert CA43:CA42
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE4:CA43
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA42:CA1
+ cert CA43:CA42
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result pass
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result fail
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ result pass
+
+verify EE62:CA62
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE63:CA63
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE64:CA64
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE65:CA65
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE66:CA66
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE67:CA67
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/bridge.cfg b/security/nss/tests/chains/scenarios/bridge.cfg
new file mode 100644
index 000000000..14dba6adc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridge.cfg
@@ -0,0 +1,106 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Bridge
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity User
+ type EE
+ issuer Bridge
+
+db All
+
+import Army::
+import Navy::
+
+verify User:Bridge
+ cert Bridge:Navy
+ trust Navy
+ result pass
+
+verify User:Bridge
+ cert Bridge:Army
+ trust Army
+ result pass
+
+verify User:Bridge
+ cert Bridge:Navy
+ trust Army
+ result fail
+
+import Bridge:Army:
+import Bridge:Navy:
+
+verify User:Bridge
+ trust Army
+ result pass
+
+verify User:Bridge
+ trust Navy
+ result pass
+
+db ArmyOnly
+
+import Army::C,,
+
+verify User:Bridge
+ result fail
+
+verify User:Bridge
+ cert Bridge:Navy
+ result fail
+
+verify User:Bridge
+ cert Bridge:Navy
+ cert Navy:
+ result fail
+
+verify User:Bridge
+ cert Bridge:Navy
+ cert Navy:
+ trust Navy:
+ result pass
+
+verify User:Bridge
+ cert Bridge:Navy
+ trust Navy:
+ result pass
+
+db NavyOnly
+
+import Navy::C,,
+
+verify User:Bridge
+ result fail
+
+verify User:Bridge
+ cert Bridge:Army
+ result fail
+
+verify User:Bridge
+ cert Bridge:Army
+ cert Army:
+ result fail
+
+verify User:Bridge
+ cert Bridge:Army
+ cert Army:
+ trust Army:
+ result pass
+
+verify User:Bridge
+ cert Bridge:Army
+ trust Army:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithaia.cfg b/security/nss/tests/chains/scenarios/bridgewithaia.cfg
new file mode 100644
index 000000000..640edb87a
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithaia.cfg
@@ -0,0 +1,54 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithAIA
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ aia Bridge
+
+entity EE1
+ type EE
+ issuer CA1
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ fetch
+# should pass, bug 435314
+# temporary result - test fails only with dbm cert db
+ result dbm:fail all:pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg
new file mode 100644
index 000000000..914828ea1
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg
@@ -0,0 +1,89 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithHalfAIA
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ aia Bridge
+
+entity EE1
+ type EE
+ issuer CA1
+
+entity CA2
+ type Intermediate
+ issuer Bridge
+ aia Bridge:Navy
+
+entity EE2
+ type EE
+ issuer CA2
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ fetch
+# should pass, bug 435314
+# temporary result - test fails only with dbm cert db
+ result dbm:fail all:pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert Bridge:Army
+ trust Army:
+ fetch
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:Army
+ trust Army:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg
new file mode 100644
index 000000000..f7554cabc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg
@@ -0,0 +1,187 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithPolicyExtensionAndMapping
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity CAArmy
+ type Intermediate
+ issuer Army
+ policy OID.1.0
+ policy OID.1.1
+
+entity CANavy
+ type Intermediate
+ issuer Navy
+ policy OID.2.0
+ policy OID.2.1
+
+entity Bridge
+ type Bridge
+ issuer CAArmy
+ policy OID.1.0
+ policy OID.1.1
+ mapping OID.1.1:OID.2.1
+ issuer CANavy
+ policy OID.2.0
+ policy OID.2.1
+ mapping OID.2.1:OID.1.1
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ policy OID.1.1
+ policy OID.2.1
+
+entity CA2
+ type Intermediate
+ issuer Bridge
+ policy OID.1.0
+ policy OID.2.0
+
+entity EE1
+ type EE
+ issuer CA1
+ policy OID.2.1
+
+entity EE2
+ type EE
+ issuer CA2
+ policy OID.2.0
+
+testdb
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.1
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.1
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.1
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.0
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.1
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/crldp.cfg b/security/nss/tests/chains/scenarios/crldp.cfg
new file mode 100644
index 000000000..a9949ae40
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/crldp.cfg
@@ -0,0 +1,105 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario CRLDP
+
+entity Root
+ type Root
+
+entity CA0
+ type Intermediate
+ issuer Root
+
+entity CA1
+ type Intermediate
+ crldp CA0
+ issuer CA0
+ serial 10
+ aia CA0:Root
+
+entity EE11
+ type EE
+ crldp CA0
+ issuer CA1
+
+entity CA2
+ type Intermediate
+ crldp CA0
+ issuer CA0
+ serial 20
+ aia CA0:Root
+
+entity EE21
+ type EE
+ issuer CA2
+
+entity EE1
+ type EE
+ crldp CA0
+ issuer CA0
+ serial 30
+ aia CA0:Root
+
+entity EE2
+ type EE
+ crldp CA0
+ issuer CA0
+ serial 40
+ aia CA0:Root
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA0
+ serial 20
+
+revoke CA0
+ serial 40
+
+copycrl CA0
+
+db All
+
+import Root::CTu,CTu,CTu
+
+# intermediate CA - OK, EE - OK
+verify EE11:CA1
+ cert CA1:CA0
+ trust Root:
+ fetch
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result pass
+
+# intermediate CA - revoked, EE - OK
+verify EE21:CA2
+ cert CA2:CA0
+ trust Root:
+ fetch
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result fail
+
+# direct EE - OK
+verify EE1:CA0
+ trust Root:
+ fetch
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result pass
+
+# direct EE - revoked
+verify EE2:CA0
+ trust Root:
+ fetch
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/dsa.cfg b/security/nss/tests/chains/scenarios/dsa.cfg
new file mode 100644
index 000000000..896e455fe
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/dsa.cfg
@@ -0,0 +1,72 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario DSA
+
+entity Root
+ type Root
+ ctype dsa
+
+entity CA1
+ type Intermediate
+ issuer Root
+ ctype dsa
+
+entity EE1
+ type EE
+ issuer CA1
+ ctype dsa
+
+entity CA2
+ type Intermediate
+ issuer Root
+ ctype dsa
+
+entity EE2
+ type EE
+ issuer CA2
+ ctype rsa
+
+entity CA3
+ type Intermediate
+ issuer Root
+ ctype rsa
+
+entity EE3
+ type EE
+ issuer CA3
+ ctype dsa
+
+entity CA4
+ type Intermediate
+ issuer Root
+ ctype rsa
+
+entity EE4
+ type EE
+ issuer CA4
+ ctype rsa
+
+db All
+
+verify EE1:CA1
+ cert CA1:Root
+ trust Root:
+ result pass
+
+verify EE2:CA2
+ cert CA2:Root
+ trust Root:
+ result pass
+
+verify EE3:CA3
+ cert CA3:Root
+ trust Root:
+ result pass
+
+verify EE4:CA4
+ cert CA4:Root
+ trust Root:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/explicitPolicy.cfg b/security/nss/tests/chains/scenarios/explicitPolicy.cfg
new file mode 100644
index 000000000..20f79c45b
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/explicitPolicy.cfg
@@ -0,0 +1,78 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario explicitPolicy
+
+entity Root
+ type Root
+
+entity nonEVCA
+ type Intermediate
+ issuer Root
+
+entity EVCA
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity otherEVCA
+ type Intermediate
+ issuer Root
+ policy OID.2.0
+
+entity validEV
+ type EE
+ issuer EVCA
+ policy OID.1.0
+
+entity invalidEV
+ type EE
+ issuer nonEVCA
+ policy OID.1.0
+
+entity wrongEVOID
+ type EE
+ issuer otherEVCA
+ policy OID.1.0
+
+db All
+
+verify validEV:EVCA
+ cert EVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify invalidEV:nonEVCA
+ cert nonEVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result fail
+
+verify wrongEVOID:otherEVCA
+ cert otherEVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result fail
+
+import Root::C,C,C
+
+verify validEV:EVCA
+ cert EVCA:Root
+ policy OID.1.0
+ result pass
+
+verify invalidEV:nonEVCA
+ cert nonEVCA:Root
+ policy OID.1.0
+ result fail
+
+verify wrongEVOID:otherEVCA
+ cert otherEVCA:Root
+ policy OID.1.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/extension.cfg b/security/nss/tests/chains/scenarios/extension.cfg
new file mode 100644
index 000000000..fd1c3a0da
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/extension.cfg
@@ -0,0 +1,102 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Extension
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+
+entity User
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+db All
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.2.0
+ result fail
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust Root
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust CA1
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust CA2
+ policy OID.2.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/extension2.cfg b/security/nss/tests/chains/scenarios/extension2.cfg
new file mode 100644
index 000000000..9a6a7cd2d
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/extension2.cfg
@@ -0,0 +1,140 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Extension2
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+ policy OID.2.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ policy OID.2.0
+
+entity User1
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+entity User2
+ type EE
+ issuer CA2
+ policy OID.1.0
+ policy OID.2.0
+
+db All
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.2.0
+ result fail
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User1:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust Root
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust CA1
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust CA2
+ policy OID.2.0
+ result fail
+
+verify User2:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust Root
+ policy OID.2.0
+ result pass
+
+verify User2:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust CA1
+ policy OID.2.0
+ result pass
+
+verify User2:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust CA2
+ policy OID.2.0
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/mapping.cfg b/security/nss/tests/chains/scenarios/mapping.cfg
new file mode 100644
index 000000000..d4e4a296d
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/mapping.cfg
@@ -0,0 +1,63 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Mapping
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+ mapping OID.1.0:OID.1.1
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.1
+
+entity User
+ type EE
+ issuer CA2
+ policy OID.1.1
+
+db All
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User:CA2
+ trust Root
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA2
+ trust Root
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.0
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.1
+ result pass
+
+verify User:CA2
+ trust CA2
+ policy OID.1.0
+ result fail
+
+verify User:CA2
+ trust CA2
+ policy OID.1.1
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/mapping2.cfg b/security/nss/tests/chains/scenarios/mapping2.cfg
new file mode 100644
index 000000000..cae1daf07
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/mapping2.cfg
@@ -0,0 +1,71 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Mapping2
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ mapping OID.1.0:OID.1.1
+
+entity CA3
+ type Intermediate
+ issuer CA2
+ policy OID.1.1
+
+entity User
+ type EE
+ issuer CA3
+ policy OID.1.1
+
+db All
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+import CA3:CA2:
+
+verify User:CA3
+ trust Root
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA3
+ trust Root
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA3
+ trust CA1
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA3
+ trust CA1
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA3
+ trust CA2
+ policy OID.1.0
+ result fail
+
+verify User:CA3
+ trust CA2
+ policy OID.1.1
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/megabridge_3_2.cfg b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg
new file mode 100644
index 000000000..f1d4545fc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg
@@ -0,0 +1,130 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario MegaBridge_3_2
+
+entity Root1
+ type Root
+
+entity Root2
+ type Root
+
+entity Root3
+ type Root
+
+entity Root4
+ type Root
+
+entity Root5
+ type Root
+
+entity Root6
+ type Root
+
+entity Root7
+ type Root
+
+entity Root8
+ type Root
+
+entity Root9
+ type Root
+
+entity Bridge11
+ type Bridge
+ issuer Root1
+ issuer Root2
+ issuer Root3
+
+entity Bridge12
+ type Bridge
+ issuer Root4
+ issuer Root5
+ issuer Root6
+
+entity Bridge13
+ type Bridge
+ issuer Root7
+ issuer Root8
+ issuer Root9
+
+entity Bridge21
+ type Bridge
+ issuer Bridge11
+ issuer Bridge12
+ issuer Bridge13
+
+entity CA1
+ type Intermediate
+ issuer Bridge21
+
+entity EE1
+ type EE
+ issuer CA1
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root1
+ trust Root1:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root2
+ trust Root2:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root3
+ trust Root3:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root4
+ trust Root4:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root5
+ trust Root5:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root6
+ trust Root6:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root7
+ trust Root7:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root8
+ trust Root8:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root9
+ trust Root9:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/method.cfg b/security/nss/tests/chains/scenarios/method.cfg
new file mode 100644
index 000000000..4223c39cc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/method.cfg
@@ -0,0 +1,25 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Method
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+testdb ../OCSPD/Client
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
diff --git a/security/nss/tests/chains/scenarios/nameconstraints.cfg b/security/nss/tests/chains/scenarios/nameconstraints.cfg
new file mode 100644
index 000000000..6eda441ce
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg
@@ -0,0 +1,161 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+db trustanchors
+
+import NameConstraints.ca:x:CT,C,C
+# Name Constrained CA: Name constrained to permited DNSName ".example"
+import NameConstraints.ncca:x:CT,C,C
+import NameConstraints.dcisscopy:x:CT,C,C
+
+# Intermediate 1: Name constrained to permited DNSName ".example"
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server1:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server3:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server4:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server5:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server6:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
+# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
+# and a permitted DNSName of "foo.example"
+
+# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3 (inherits name constraints)
+
+# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
+verify NameConstraints.server7:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
+verify NameConstraints.server8:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
+# Fail: ST is missing in the DirectoryName, thus not matching name constraints
+verify NameConstraints.server9:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
+# Fail: CN not in name constraints
+verify NameConstraints.server10:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
+# altDNS:foo.example
+# Pass: Ignores CN constraint name violation because SAN is present
+verify NameConstraints.server11:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
+# Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
+verify NameConstraints.server12:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3.
+# Intermediate 5's subject is not in Intermediate 3's permitted
+# names, so all certs issued by it are invalid.
+
+# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
+# Fail: Org matches Intermediate 5's name constraints, but does not match
+# Intermediate 3' name constraints
+verify NameConstraints.server13:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
+# Fail: Matches Intermediate 5's name constraints, but fails because
+# Intermediate 5 does not match Intermediate 3's name constraints
+verify NameConstraints.server14:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+# No name constraints present
+# Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server16:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+ cert NameConstraints.intermediate6:x
+ result pass
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+verify NameConstraints.dcissblocked:x
+ result fail
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+verify NameConstraints.dcissallowed:x
+ result pass
+
+
diff --git a/security/nss/tests/chains/scenarios/ocsp.cfg b/security/nss/tests/chains/scenarios/ocsp.cfg
new file mode 100644
index 000000000..cdfff89fe
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ocsp.cfg
@@ -0,0 +1,177 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario OCSP
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+db OCSPRoot
+import OCSPRoot:d:CT,C,C
+
+db OCSPCA1
+import_key OCSPCA1
+
+crl OCSPCA1
+
+revoke OCSPCA1
+ serial 3
+
+revoke OCSPCA1
+ serial 4
+
+testdb OCSPRoot
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - unknown
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - unknown, requireFreshInfo
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - revoked, leaf, no fresh info
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - OK, CA - revoked, leaf, requireFreshInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - revoked, chain, requireFreshInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - unknown
+verify OCSPEE31OCSPCA3:d
+ cert OCSPCA3OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - OK, CA - unknown, requireFreshInfo
+verify OCSPEE31OCSPCA3:d
+ cert OCSPCA3OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - revoked, doNotUse
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags doNotUse
+ result pass
+
+#EE - revoked, forbidFetching
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags forbidFetching
+ result pass
+
+#EE - unknown status, failIfNoInfo
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags failIfNoInfo
+ result fail
+
+#EE - OK, CA - revoked, leaf, failIfNoInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags failIfNoInfo
+ result fail
+
+testdb OCSPCA1
+
+#EE - OK on OCSP, revoked locally - should fail ??
+# two things about this test: crl is not imported into the db and
+# cert 13 is not revoked by crl.
+verify OCSPEE13OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPCA1
+ rev_type leaf
+ rev_flags testLocalInfoFirst
+ rev_mtype ocsp
+ result pass
+
+db OCSPRoot1
+import OCSPRoot:d:CT,C,C
+
+verify OCSPEE23OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_mtype ocsp
+ rev_type leaf
+ rev_mtype ocsp
+ result fail
+
+db OCSPRoot2
+import OCSPRoot:d:T,,
+
+# bug 527438
+# expected result of this test is FAIL
+verify OCSPEE23OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_mtype ocsp
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/ocspd.cfg b/security/nss/tests/chains/scenarios/ocspd.cfg
new file mode 100644
index 000000000..e48f9068e
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ocspd.cfg
@@ -0,0 +1,172 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario OCSPD
+
+#root CA
+entity OCSPRoot
+ type Root
+ export_key
+
+#CA - OK
+entity OCSPCA1
+ type Intermediate
+ issuer OCSPRoot
+ serial 1
+ ocsp online
+ export_key
+
+#CA - revoked
+entity OCSPCA2
+ type Intermediate
+ issuer OCSPRoot
+ serial 2
+ ocsp online
+ export_key
+
+#CA - unknown status
+entity OCSPCA3
+ type Intermediate
+ issuer OCSPRoot
+ serial 3
+ ocsp offline
+ export_key
+
+#EE - OK
+entity OCSPEE11
+ type EE
+ issuer OCSPCA1
+ serial 1
+ ocsp online
+
+#EE - revoked on OCSP
+entity OCSPEE12
+ type EE
+ issuer OCSPCA1
+ serial 2
+ ocsp online
+
+#EE - revoked on CRL
+entity OCSPEE13
+ type EE
+ issuer OCSPCA1
+ serial 3
+ ocsp online
+
+#EE - revoked on OCSP and CRL
+entity OCSPEE14
+ type EE
+ issuer OCSPCA1
+ serial 4
+ ocsp online
+
+#EE - unknown status
+entity OCSPEE15
+ type EE
+ issuer OCSPCA1
+ serial 5
+ ocsp offline
+
+#EE - valid EE, revoked CA
+entity OCSPEE21
+ type EE
+ issuer OCSPCA2
+ serial 1
+ ocsp online
+
+#EE - revoked EE, revoked CA
+entity OCSPEE22
+ type EE
+ issuer OCSPCA2
+ serial 2
+ ocsp online
+
+#EE - revoked EE, CA pointing to invalid OCSP
+entity OCSPEE23
+ type EE
+ issuer OCSPCA2
+ serial 3
+ ocsp offline
+
+#EE - valid EE, CA pointing to invalid OCSP
+entity OCSPEE31
+ type EE
+ issuer OCSPCA3
+ serial 1
+ ocsp online
+
+#EE - revoked EE, CA pointing to invalid OCSP
+entity OCSPEE32
+ type EE
+ issuer OCSPCA3
+ serial 2
+ ocsp online
+
+#EE - EE pointing to invalid OCSP, CA pointing to invalid OCSP
+entity OCSPEE33
+ type EE
+ issuer OCSPCA3
+ serial 3
+ ocsp offline
+
+crl OCSPRoot
+
+revoke OCSPRoot
+ serial 2
+
+crl OCSPCA1
+
+revoke OCSPCA1
+ serial 2
+
+revoke OCSPCA1
+ serial 4
+
+crl OCSPCA2
+
+revoke OCSPCA2
+ serial 2
+
+revoke OCSPCA2
+ serial 3
+
+crl OCSPCA3
+
+revoke OCSPCA3
+ serial 2
+
+revoke OCSPCA3
+ serial 3
+
+# Used for running a single OCSP server (httpserv) instance that can
+# handle multiple CAs, e.g.:
+# httpserv -p 8641 -d . -f dbpasswd \
+# -A OCSPRoot -C OCSPRoot.crl -A OCSPCA1 -C OCSPCA1.crl \
+# -A OCSPCA2 -C OCSPCA2.crl -A OCSPCA3 -C OCSPCA3.crl
+db Server
+import OCSPRoot::CT,C,C
+import_key OCSPRoot
+import_key OCSPCA1
+import_key OCSPCA2
+import_key OCSPCA3
+
+# A DB containing all certs, but no keys.
+# Useful for manual OCSP client testing, e.g.:
+# ocspclnt -d . -S OCSPEE12OCSPCA1 -u s
+db Client
+import OCSPRoot::CT,C,C
+import OCSPCA1OCSPRoot::
+import OCSPCA2OCSPRoot::
+import OCSPCA3OCSPRoot::
+import OCSPEE11OCSPCA1::
+import OCSPEE12OCSPCA1::
+import OCSPEE13OCSPCA1::
+import OCSPEE14OCSPCA1::
+import OCSPEE15OCSPCA1::
+import OCSPEE21OCSPCA2::
+import OCSPEE22OCSPCA2::
+import OCSPEE23OCSPCA2::
+import OCSPEE31OCSPCA3::
+import OCSPEE32OCSPCA3::
+import OCSPEE33OCSPCA3::
diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg
new file mode 100644
index 000000000..d2a8c7143
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/realcerts.cfg
@@ -0,0 +1,29 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario RealCerts
+
+db All
+
+import TestCA.ca:x:CT,C,C
+import TestUser50:x:
+import TestUser51:x:
+import PayPalRootCA:x:CT,C,C
+import PayPalICA:x:
+import PayPalEE:x:
+import BrAirWaysBadSig:x:
+
+verify TestUser50:x
+ result pass
+
+verify TestUser51:x
+ result pass
+
+verify PayPalEE:x
+ policy OID.2.16.840.1.114412.1.1
+ result pass
+
+verify BrAirWaysBadSig:x
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/revoc.cfg b/security/nss/tests/chains/scenarios/revoc.cfg
new file mode 100644
index 000000000..a4ec78622
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/revoc.cfg
@@ -0,0 +1,86 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Revocation
+
+entity Root
+ type Root
+ serial 10
+
+entity CA0
+ type Intermediate
+ issuer Root
+ serial 11
+
+entity CA1
+ type Intermediate
+ issuer CA0
+ serial 12
+
+entity EE11
+ type EE
+ issuer CA1
+ serial 13
+
+entity EE12
+ type EE
+ issuer CA1
+ serial 14
+
+entity CA2
+ type Intermediate
+ issuer CA0
+ serial 15
+
+entity EE21
+ type EE
+ issuer CA2
+ serial 16
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA1
+ serial 14
+
+revoke CA0
+ serial 15
+
+db All
+
+import Root::CTu,CTu,CTu
+import CA0:Root:
+import CA1:CA0:
+import CA2:CA0:
+
+# EE11 - not revoked
+verify EE11:CA1
+ trust Root:
+ rev_type leaf
+ rev_mtype crl
+ result pass
+
+# EE12 - revoked
+verify EE12:CA1
+ trust Root:
+ rev_type leaf
+ rev_mtype crl
+ result fail
+
+# EE11 - CA1 not revoked
+verify EE11:CA1
+ trust Root:
+ rev_type chain
+ rev_mtype crl
+ result pass
+
+# EE21 - CA2 revoked
+verify EE21:CA2
+ trust Root:
+ rev_type chain
+ rev_mtype crl
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios
new file mode 100644
index 000000000..d26c3f92e
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/scenarios
@@ -0,0 +1,24 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+bridge.cfg
+megabridge_3_2.cfg
+extension.cfg
+extension2.cfg
+anypolicy.cfg
+anypolicywithlevel.cfg
+explicitPolicy.cfg
+mapping.cfg
+mapping2.cfg
+aia.cfg
+bridgewithaia.cfg
+bridgewithhalfaia.cfg
+bridgewithpolicyextensionandmapping.cfg
+realcerts.cfg
+dsa.cfg
+revoc.cfg
+ocsp.cfg
+crldp.cfg
+trustanchors.cfg
+nameconstraints.cfg
diff --git a/security/nss/tests/chains/scenarios/trustanchors.cfg b/security/nss/tests/chains/scenarios/trustanchors.cfg
new file mode 100644
index 000000000..db18990ac
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/trustanchors.cfg
@@ -0,0 +1,114 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+
+entity CA2
+ type Intermediate
+ issuer CA1
+
+entity EE1
+ type EE
+ issuer CA2
+
+entity OtherRoot
+ type Root
+
+entity OtherIntermediate
+ type Intermediate
+ issuer OtherRoot
+
+entity EE2
+ type EE
+ issuer OtherIntermediate
+
+# Scenarios where trust only comes from the DB
+db DBOnly
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Simple chaining - no trust anchors
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Simple trust anchors - ignore the Cert DB
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+# Redundant trust - trust anchor and DB
+verify EE1:CA2
+ cert CA2:CA1
+ trust RootCA
+ result pass
+
+
+# Scenarios where trust only comes from trust anchors
+db TrustOnly
+
+# Simple checking - direct trust anchor
+verify EE1:CA2
+ cert CA2:CA1
+ cert CA1:RootCA:
+ trust RootCA:
+ result pass
+
+# Partial chain (not self-signed), with a trust anchor
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+
+# Scenarios where trust comes from both trust anchors and the DB
+db TrustAndDB
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Check that trust in the DB works
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Check that trust anchors work
+verify EE2:OtherIntermediate
+ cert OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Check that specifying a trust anchor still allows searching the cert DB
+verify EE1:CA2
+ trust_and_db
+ cert CA2:CA1
+ trust OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Scenarios where the trust DB has explicitly distrusted one or more certs,
+# even when the trust anchors indicate trust
+db ExplicitDistrust
+
+import RootCA::CT,C,C
+import CA1:RootCA:p,p,p
+import OtherRoot::p,p,p
+
+# Verify that a distrusted intermediate, but trusted root, is rejected.
+verify EE1:CA2
+ cert CA2:CA1
+ trust CA1:RootCA
+ result fail
+
+# Verify that a trusted intermediate, but distrusted root, is accepted.
+verify EE2:OtherIntermediate
+ trust OtherIntermediate:OtherRoot
+ result pass