Diffstat (limited to 'security/manager')
-rw-r--r--security/manager/ssl/tests/unit/test_pinning.js266
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic.js243
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/moz.build26
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_header_parsing.js147
-rw-r--r--security/manager/ssl/tests/unit/test_sts_holepunch.js34
-rw-r--r--security/manager/ssl/tests/unit/xpcshell.ini9
34 files changed, 0 insertions, 1040 deletions
diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js
deleted file mode 100644
index f18182002..000000000
--- a/security/manager/ssl/tests/unit/test_pinning.js
+++ /dev/null
@@ -1,266 +0,0 @@
-// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-//
-// For all cases, the acceptable pinset includes only certificates pinned to
-// Test End Entity Cert (signed by issuer testCA). Other certificates
-// are issued by otherCA, which is never in the pinset but is a user-specified
-// trust anchor. This test covers multiple cases:
-//
-// Pinned domain include-subdomains.pinning.example.com includes subdomains
-// - PASS: include-subdomains.pinning.example.com serves a correct cert
-// - PASS: good.include-subdomains.pinning.example.com serves a correct cert
-// - FAIL (strict): bad.include-subdomains.pinning.example.com serves a cert
-// not in the pinset
-// - PASS (mitm): bad.include-subdomains.pinning.example.com serves a cert not
-// in the pinset, but issued by a user-specified trust domain
-//
-// Pinned domain exclude-subdomains.pinning.example.com excludes subdomains
-// - PASS: exclude-subdomains.pinning.example.com serves a correct cert
-// - FAIL: exclude-subdomains.pinning.example.com serves an incorrect cert
-// (TODO: test using verifyCertNow)
-// - PASS: sub.exclude-subdomains.pinning.example.com serves an incorrect cert
-
-"use strict";
-
-do_get_profile(); // must be called before getting nsIX509CertDB
-const certdb = Cc["@mozilla.org/security/x509certdb;1"]
- .getService(Ci.nsIX509CertDB);
-
-function add_clear_override(host) {
- add_test(function() {
- let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
- .getService(Ci.nsICertOverrideService);
- certOverrideService.clearValidityOverride(host, 8443);
- run_next_test();
- });
-}
-
-function test_strict() {
- // In strict mode, we always evaluate pinning data, regardless of whether the
- // issuer is a built-in trust anchor. We only enforce pins that are not in
- // test mode.
- add_test(function() {
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
- run_next_test();
- });
-
- // Normally this is overridable. But, since we have pinning information for
- // this host, we don't allow overrides.
- add_prevented_cert_override_test(
- "unknownissuer.include-subdomains.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
-
- // Issued by otherCA, which is not in the pinset for pinning.example.com.
- add_connection_test("bad.include-subdomains.pinning.example.com",
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
-
- // Check that using a FQDN doesn't bypass pinning.
- add_connection_test("bad.include-subdomains.pinning.example.com.",
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
- // For some reason this is also navigable (see bug 1118522).
- add_connection_test("bad.include-subdomains.pinning.example.com..",
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
-
- // These domains serve certs that match the pinset.
- add_connection_test("include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("good.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- // This domain serves a cert that doesn't match the pinset, but subdomains
- // are excluded.
- add_connection_test("sub.exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- // This domain's pinset is exactly the same as
- // include-subdomains.pinning.example.com, serves the same cert as
- // bad.include-subdomains.pinning.example.com, but it should pass because
- // it's in test_mode.
- add_connection_test("test-mode.pinning.example.com",
- PRErrorCodeSuccess);
- // Similarly, this pin is in test-mode, so it should be overridable.
- add_cert_override_test("unknownissuer.test-mode.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.test-mode.pinning.example.com");
-}
-
-function test_mitm() {
- // In MITM mode, we allow pinning to pass if the chain resolves to any
- // user-specified trust anchor, even if it is not in the pinset.
- add_test(function() {
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1);
- run_next_test();
- });
-
- add_connection_test("include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("good.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- // Normally this is overridable. But, since we have pinning information for
- // this host, we don't allow overrides (since building a trusted chain fails,
- // we have no reason to believe this was issued by a user-added trust
- // anchor, so we can't allow overrides for it).
- add_prevented_cert_override_test(
- "unknownissuer.include-subdomains.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
-
- // In this case, even though otherCA is not in the pinset, it is a
- // user-specified trust anchor and the pinning check succeeds.
- add_connection_test("bad.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- add_connection_test("exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("sub.exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
- add_cert_override_test("unknownissuer.test-mode.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.test-mode.pinning.example.com");
-}
-
-function test_disabled() {
- // Disable pinning.
- add_test(function() {
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 0);
- run_next_test();
- });
-
- add_connection_test("include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("good.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("bad.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("sub.exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
-
- add_cert_override_test("unknownissuer.include-subdomains.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
- add_cert_override_test("unknownissuer.test-mode.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.test-mode.pinning.example.com");
-}
-
-function test_enforce_test_mode() {
- // In enforce test mode, we always enforce all pins, even test pins.
- add_test(function() {
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 3);
- run_next_test();
- });
-
- // Normally this is overridable. But, since we have pinning information for
- // this host, we don't allow overrides.
- add_prevented_cert_override_test(
- "unknownissuer.include-subdomains.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
-
- // Issued by otherCA, which is not in the pinset for pinning.example.com.
- add_connection_test("bad.include-subdomains.pinning.example.com",
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
-
- // These domains serve certs that match the pinset.
- add_connection_test("include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("good.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- // This domain serves a cert that doesn't match the pinset, but subdomains
- // are excluded.
- add_connection_test("sub.exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- // This domain's pinset is exactly the same as
- // include-subdomains.pinning.example.com, serves the same cert as
- // bad.include-subdomains.pinning.example.com, is in test-mode, but we are
- // enforcing test mode pins.
- add_connection_test("test-mode.pinning.example.com",
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
- // Normally this is overridable. But, since we have pinning information for
- // this host (and since we're enforcing test mode), we don't allow overrides.
- add_prevented_cert_override_test(
- "unknownissuer.test-mode.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.test-mode.pinning.example.com");
-}
-
-function check_pinning_telemetry() {
- let service = Cc["@mozilla.org/base/telemetry;1"].getService(Ci.nsITelemetry);
- let prod_histogram = service.getHistogramById("CERT_PINNING_RESULTS")
- .snapshot();
- let test_histogram = service.getHistogramById("CERT_PINNING_TEST_RESULTS")
- .snapshot();
- // Because all of our test domains are pinned to user-specified trust
- // anchors, effectively only strict mode and enforce test-mode get evaluated
- equal(prod_histogram.counts[0], 4,
- "Actual and expected prod (non-Mozilla) failure count should match");
- equal(prod_histogram.counts[1], 4,
- "Actual and expected prod (non-Mozilla) success count should match");
- equal(test_histogram.counts[0], 2,
- "Actual and expected test (non-Mozilla) failure count should match");
- equal(test_histogram.counts[1], 0,
- "Actual and expected test (non-Mozilla) success count should match");
-
- let moz_prod_histogram = service.getHistogramById("CERT_PINNING_MOZ_RESULTS")
- .snapshot();
- let moz_test_histogram =
- service.getHistogramById("CERT_PINNING_MOZ_TEST_RESULTS").snapshot();
- equal(moz_prod_histogram.counts[0], 0,
- "Actual and expected prod (Mozilla) failure count should match");
- equal(moz_prod_histogram.counts[1], 0,
- "Actual and expected prod (Mozilla) success count should match");
- equal(moz_test_histogram.counts[0], 0,
- "Actual and expected test (Mozilla) failure count should match");
- equal(moz_test_histogram.counts[1], 0,
- "Actual and expected test (Mozilla) success count should match");
-
- let per_host_histogram =
- service.getHistogramById("CERT_PINNING_MOZ_RESULTS_BY_HOST").snapshot();
- equal(per_host_histogram.counts[0], 0,
- "Actual and expected per host (Mozilla) failure count should match");
- equal(per_host_histogram.counts[1], 2,
- "Actual and expected per host (Mozilla) success count should match");
- run_next_test();
-}
-
-function run_test() {
- // Ensure that static pinning works when HPKP is disabled.
- Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false);
-
- add_tls_server_setup("BadCertServer", "bad_certs");
-
- // Add a user-specified trust anchor.
- addCertFromFile(certdb, "bad_certs/other-test-ca.pem", "CTu,u,u");
-
- test_strict();
- test_mitm();
- test_disabled();
- test_enforce_test_mode();
-
- add_test(function () {
- check_pinning_telemetry();
- });
- run_next_test();
-}
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic.js b/security/manager/ssl/tests/unit/test_pinning_dynamic.js
deleted file mode 100644
index 60e85e041..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js
+++ /dev/null
@@ -1,243 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-"use strict";
-
-// The purpose of this test is to create a site security service state file
-// and see that the site security service reads it properly.
-
-function writeLine(aLine, aOutputStream) {
- aOutputStream.write(aLine, aLine.length);
-}
-
-var gSSService = null;
-var gSSSStateSeen = false;
-var gPreloadStateSeen = false;
-
-var profileDir = do_get_profile();
-var certdb;
-
-function certFromFile(cert_name) {
- return constructCertFromFile("test_pinning_dynamic/" + cert_name + ".pem");
-}
-
-function loadCert(cert_name, trust_string) {
- let cert_filename = "test_pinning_dynamic/" + cert_name + ".pem";
- addCertFromFile(certdb, cert_filename, trust_string);
- return constructCertFromFile(cert_filename);
-}
-
-function checkOK(cert, hostname) {
- return checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
- certificateUsageSSLServer, {}, hostname);
-}
-
-function checkFail(cert, hostname) {
- return checkCertErrorGeneric(certdb, cert, MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE,
- certificateUsageSSLServer, {}, hostname);
-}
-
-const NON_ISSUED_KEY_HASH = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN=";
-const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
-
-function run_test() {
- Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
-
- let stateFile = profileDir.clone();
- stateFile.append(SSS_STATE_FILE_NAME);
- // Assuming we're working with a clean slate, the SSS_STATE file shouldn't
- // exist until we create it.
- ok(!stateFile.exists(),
- "State file should not exist when working with a clean slate");
- let outputStream = FileUtils.openFileOutputStream(stateFile);
- let now = (new Date()).getTime();
- writeLine(`a.pinning2.example.com:HPKP\t0\t0\t${now + 100000},1,0,${PINNING_ROOT_KEY_HASH}\n`, outputStream);
- writeLine(`b.pinning2.example.com:HPKP\t0\t0\t${now + 100000},1,1,${PINNING_ROOT_KEY_HASH}\n`, outputStream);
-
- outputStream.close();
-
- let preloadFile = profileDir.clone();
- preloadFile.append(PRELOAD_STATE_FILE_NAME);
- ok(!preloadFile.exists(),
- "Preload file should not exist when working with a clean slate");
-
- outputStream = FileUtils.openFileOutputStream(preloadFile);
- writeLine(`a.preload.example.com:HPKP\t0\t0\t${now + 100000},1,1,${PINNING_ROOT_KEY_HASH}\n`, outputStream);
- outputStream.close();
-
- Services.obs.addObserver(checkStateRead, "data-storage-ready", false);
- do_test_pending();
- gSSService = Cc["@mozilla.org/ssservice;1"]
- .getService(Ci.nsISiteSecurityService);
- notEqual(gSSService, null,
- "SiteSecurityService should have initialized successfully using" +
- " the generated state file");
-}
-
-function checkDefaultSiteHPKPStatus() {
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "a.pinning2.example.com", 0),
- "a.pinning2.example.com should have HPKP status");
- ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "x.a.pinning2.example.com", 0),
- "x.a.pinning2.example.com should not have HPKP status");
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "b.pinning2.example.com", 0),
- "b.pinning2.example.com should have HPKP status");
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "x.b.pinning2.example.com", 0),
- "x.b.pinning2.example.com should have HPKP status");
-}
-
-function checkStateRead(aSubject, aTopic, aData) {
- if (aData == SSS_STATE_FILE_NAME) {
- gSSSStateSeen = true;
- } else if (aData == PRELOAD_STATE_FILE_NAME) {
- gPreloadStateSeen = true;
- } else {
- throw new Error("Observed data should either be the Site Security " +
- "Service state file name or the preload file name");
- }
-
- if (!gSSSStateSeen || !gPreloadStateSeen) {
- return;
- }
-
- notEqual(gSSService, null, "SiteSecurityService should be initialized");
-
- // Initializing the certificate DB will cause NSS-initialization, which in
- // turn initializes the site security service. Since we're in part testing
- // that the site security service correctly reads its state file, we have to
- // make sure it doesn't start up before we've populated the file
- certdb = Cc["@mozilla.org/security/x509certdb;1"]
- .getService(Ci.nsIX509CertDB);
-
- loadCert("pinningroot", "CTu,CTu,CTu");
- loadCert("badca", "CTu,CTu,CTu");
-
- // the written entry is for a.pinning2.example.com without subdomains
- // and b.pinning2.example.com with subdomains
- checkFail(certFromFile('a.pinning2.example.com-badca'), "a.pinning2.example.com");
- checkOK(certFromFile('a.pinning2.example.com-pinningroot'), "a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-badca'), "x.a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-pinningroot'), "x.a.pinning2.example.com");
-
- checkFail(certFromFile('b.pinning2.example.com-badca'), "b.pinning2.example.com");
- checkOK(certFromFile('b.pinning2.example.com-pinningroot'), "b.pinning2.example.com");
- checkFail(certFromFile('x.b.pinning2.example.com-badca'), "x.b.pinning2.example.com");
- checkOK(certFromFile('x.b.pinning2.example.com-pinningroot'), "x.b.pinning2.example.com");
-
- checkDefaultSiteHPKPStatus();
-
-
- // add includeSubdomains to a.pinning2.example.com
- gSSService.setKeyPins("a.pinning2.example.com", true,
- new Date().getTime() + 1000000, 2,
- [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]);
- checkFail(certFromFile('a.pinning2.example.com-badca'), "a.pinning2.example.com");
- checkOK(certFromFile('a.pinning2.example.com-pinningroot'), "a.pinning2.example.com");
- checkFail(certFromFile('x.a.pinning2.example.com-badca'), "x.a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-pinningroot'), "x.a.pinning2.example.com");
- checkFail(certFromFile('b.pinning2.example.com-badca'), "b.pinning2.example.com");
- checkOK(certFromFile('b.pinning2.example.com-pinningroot'), "b.pinning2.example.com");
- checkFail(certFromFile('x.b.pinning2.example.com-badca'), "x.b.pinning2.example.com");
- checkOK(certFromFile('x.b.pinning2.example.com-pinningroot'), "x.b.pinning2.example.com");
-
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "a.pinning2.example.com", 0),
- "a.pinning2.example.com should still have HPKP status after adding" +
- " includeSubdomains to a.pinning2.example.com");
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "x.a.pinning2.example.com", 0),
- "x.a.pinning2.example.com should now have HPKP status after adding" +
- " includeSubdomains to a.pinning2.example.com");
-
- // Now setpins without subdomains
- gSSService.setKeyPins("a.pinning2.example.com", false,
- new Date().getTime() + 1000000, 2,
- [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]);
- checkFail(certFromFile('a.pinning2.example.com-badca'), "a.pinning2.example.com");
- checkOK(certFromFile('a.pinning2.example.com-pinningroot'), "a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-badca'), "x.a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-pinningroot'), "x.a.pinning2.example.com");
-
- checkFail(certFromFile('b.pinning2.example.com-badca'), "b.pinning2.example.com");
- checkOK(certFromFile('b.pinning2.example.com-pinningroot'), "b.pinning2.example.com");
- checkFail(certFromFile('x.b.pinning2.example.com-badca'), "x.b.pinning2.example.com");
- checkOK(certFromFile('x.b.pinning2.example.com-pinningroot'), "x.b.pinning2.example.com");
-
- checkDefaultSiteHPKPStatus();
-
- // failure to insert new pin entry leaves previous pin behavior
- throws(() => {
- gSSService.setKeyPins("a.pinning2.example.com", true,
- new Date().getTime() + 1000000, 1, ["not a hash"]);
- }, /NS_ERROR_ILLEGAL_VALUE/, "Attempting to set an invalid pin should fail");
- checkFail(certFromFile('a.pinning2.example.com-badca'), "a.pinning2.example.com");
- checkOK(certFromFile('a.pinning2.example.com-pinningroot'), "a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-badca'), "x.a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-pinningroot'), "x.a.pinning2.example.com");
-
- checkFail(certFromFile('b.pinning2.example.com-badca'), "b.pinning2.example.com");
- checkOK(certFromFile('b.pinning2.example.com-pinningroot'), "b.pinning2.example.com");
- checkFail(certFromFile('x.b.pinning2.example.com-badca'), "x.b.pinning2.example.com");
- checkOK(certFromFile('x.b.pinning2.example.com-pinningroot'), "x.b.pinning2.example.com");
-
- checkDefaultSiteHPKPStatus();
-
- // Incorrect size results in failure
- throws(() => {
- gSSService.setKeyPins("a.pinning2.example.com", true,
- new Date().getTime() + 1000000, 2, ["not a hash"]);
- }, /NS_ERROR_XPC_NOT_ENOUGH_ELEMENTS_IN_ARRAY/,
- "Attempting to set a pin with an incorrect size should fail");
-
- // Ensure built-in pins work as expected
- ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "nonexistent.example.com", 0),
- "Not built-in nonexistent.example.com should not have HPKP status");
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "include-subdomains.pinning.example.com", 0),
- "Built-in include-subdomains.pinning.example.com should have HPKP status");
-
- gSSService.setKeyPins("a.pinning2.example.com", false, new Date().getTime(),
- 1, [NON_ISSUED_KEY_HASH]);
-
- // Check that a preload pin loaded from file works as expected
- checkFail(certFromFile("a.preload.example.com-badca"), "a.preload.example.com");
- checkOK(certFromFile("a.preload.example.com-pinningroot"), "a.preload.example.com");
-
- // Check a dynamic addition works as expected
- // first, it should succeed with the badCA - because there's no pin
- checkOK(certFromFile('b.preload.example.com-badca'), "b.preload.example.com");
- // then we add a pin, and we should get a failure (ensuring the expiry is
- // after the test timeout)
- gSSService.setKeyPins("b.preload.example.com", false,
- new Date().getTime() + 1000000, 2,
- [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH], true);
- checkFail(certFromFile('b.preload.example.com-badca'), "b.preload.example.com");
-
- do_timeout(1250, checkExpiredState);
-}
-
-function checkExpiredState() {
- checkOK(certFromFile('a.pinning2.example.com-badca'), "a.pinning2.example.com");
- checkOK(certFromFile('a.pinning2.example.com-pinningroot'), "a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-badca'), "x.a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-pinningroot'), "x.a.pinning2.example.com");
-
- checkFail(certFromFile('b.pinning2.example.com-badca'), "b.pinning2.example.com");
- checkOK(certFromFile('b.pinning2.example.com-pinningroot'), "b.pinning2.example.com");
- checkFail(certFromFile('x.b.pinning2.example.com-badca'), "x.b.pinning2.example.com");
- checkOK(certFromFile('x.b.pinning2.example.com-pinningroot'), "x.b.pinning2.example.com");
- checkPreloadClear();
-}
-
-function checkPreloadClear() {
- // Check that the preloaded pins still work after private data is cleared
- gSSService.clearAll();
- checkFail(certFromFile('b.preload.example.com-badca'), "b.preload.example.com");
-
- do_test_finished();
-}
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem
deleted file mode 100644
index 102a3bbda..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC3TCCAcegAwIBAgIUXdB7LgBGZoRV1UmEFcsOhMigpB0wCwYJKoZIhvcNAQEL
-MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw
-MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv
-plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn
-YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+
-ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM
-5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn
-JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMlMCMwIQYD
-VR0RBBowGIIWYS5waW5uaW5nMi5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEB
-AAKhpX2t/Bz9//u1DYyLZ6dLSJt121Vb58s8gQvI/7n6MdUP1IniQLbtPW+7wnV0
-6LYagJQ11ZUJMxYUs6lB91yhwAO9NoN4QJWWB0i23DoZ6cg4dHmYKmQQ/HRndwm+
-EATkJSnBAk8O2xmIm8CXbJ0W0lvaXEjzRfeoiEjQ0/THeo4hXvGOMPm31d+r4ji5
-/u2+9jrpTII0kjCwFjqC97lPID14s9QRMqMB1CCV6fgT19EGYi9I7H6mnyukkmfX
-9wOhLHSk6A2l5+5eJrZYXLOhcS31VBd54sb1Vvg+Bp05HMYjo051JcRlvxoIUsHT
-JQDn8QrzwZBDBh4Pie3AwOM=
------END CERTIFICATE----- \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem.certspec
deleted file mode 100644
index f365b8a18..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:badca
-subject:test end-entity
-issuerKey:alternate
-subjectKey:alternate
-extension:subjectAlternativeName:a.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem
deleted file mode 100644
index 2439b5775..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC4zCCAc2gAwIBAgIUPQgjdPeWdWy/0oKRi+5Lr7JJorMwCwYJKoZIhvcNAQEL
-MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx
-ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK
-zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG
-zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX
-KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp
-mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6
-kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMl
-MCMwIQYDVR0RBBowGIIWYS5waW5uaW5nMi5leGFtcGxlLmNvbTALBgkqhkiG9w0B
-AQsDggEBAFUlxnwpxOFbSxtsBthWu6xmDxeFAzP+u5YOfuKeiIGnAx70k8ODQufJ
-Vm1rXvKtN5r8jR6AZh/hdA+tGhnu4+pGi9/aqWnaF1FEs2mW0saUV8atQZwNGRBO
-E9FXdAHA8WmGIfRf8TOuWpmEWejjJt5Zsfs+V3ARIxjCrVE7ixyfJ/hYpmthLtYJ
-5vgp0iiPjzorKeFnqooLVAfzeayRX0bE5H79NISIWq4CN/9J50ZFkRORURlANU95
-2Dcuw416b3BGrWVmWlKWOpA6NZ+Rj+AI+z9UTDpqCczTfMXMabX4EveW1GKMMYiA
-eLD8SY4VQ4403eaCp6rxYFrCNOeDczs=
------END CERTIFICATE----- \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem.certspec
deleted file mode 100644
index aef72ce39..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:pinningroot
-subject:test end-entity
-subjectKey:alternate
-extension:subjectAlternativeName:a.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem
deleted file mode 100644
index 2a157d8e6..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC3DCCAcagAwIBAgIUKUG7kBZ72CvuLQ0uPfjKHLkKDQAwCwYJKoZIhvcNAQEL
-MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw
-MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv
-plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn
-YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+
-ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM
-5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn
-JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMkMCIwIAYD
-VR0RBBkwF4IVYS5wcmVsb2FkLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOCAQEA
-tx5YO8uvYac92scnMEswv4ZIslou8UYV/2mtxA+MaXf/g+MizOKeZgTI1+b9hR48
-IDOgvrqPCbn1hKY6gb2gtRI1mC5dg9T8EYEXcC1TM+ncY/l4SZUjfMhzY2iOf62x
-jhDqMMt4V5uaHUxVmJQI82X5qpxH3yJ3WOC87iGZNfMB8MSbLM3lxor9OHeTlTHQ
-vPb/r7cLW+ikxirDGyBBvThkvDA/8qyN5Qp6Ae1BiPeEMoScNf3fChvNV6Jyb8g8
-e9q0LnTlTuVgaDWtg7PVOxeiI+wf3Jhv9uqXQLX8JHZDKebLbQEkNcbR4DK/8wsP
-uFhj0j8DY6+/YZbcF7Jgfw==
------END CERTIFICATE----- \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem.certspec
deleted file mode 100644
index c1cb36576..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:badca
-subject:test end-entity
-issuerKey:alternate
-subjectKey:alternate
-extension:subjectAlternativeName:a.preload.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem
deleted file mode 100644
index 5fa43f052..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC4jCCAcygAwIBAgIURV3mf9Dz42lALe31OAm2SYbpFaEwCwYJKoZIhvcNAQEL
-MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx
-ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK
-zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG
-zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX
-KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp
-mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6
-kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMk
-MCIwIAYDVR0RBBkwF4IVYS5wcmVsb2FkLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEB
-CwOCAQEATOA0bbfg81JieQkTzr4oxBqPuFamtLSAsLpbKakikYQo2znMGNnHV7Xe
-uxMGMhCIPRsiJ6jj6ZTQJNqQRKzXWEiBgREsarmJxA53ITIcO2cK2rqyetNAAwzZ
-oViENmK3tLA5KT2VC9IGgMXdSE7IfXn+5yCdpKZ2ohwtkYHNkCbQIU+4KaCPa/dB
-yAelZZPE0mVHJLkd5HoOsFmjFOBQuOkn9/AAOmkgBZIk1Dp833ywn/mnwLZdVsdV
-+TjqWKenDJXxhO2+aCCtZbUVxKMn0TACpAA+rhjS5vigCyIZh7V4rxki9UXaOfVq
-EVy4rFlRIYYtXV40HavDZoPgxuCHDw==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem.certspec
deleted file mode 100644
index 5c1865314..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:pinningroot
-subject:test end-entity
-subjectKey:alternate
-extension:subjectAlternativeName:a.preload.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem
deleted file mode 100644
index cffb37c1f..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC3TCCAcegAwIBAgIUV89JsAhywp3graSGqjeSpMzd1B0wCwYJKoZIhvcNAQEL
-MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw
-MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv
-plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn
-YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+
-ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM
-5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn
-JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMlMCMwIQYD
-VR0RBBowGIIWYi5waW5uaW5nMi5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEB
-ABevzhH9/hjTBgTtUk4ytZX0A7Tu0DR5F9ooFnlUwzupHFihO+9NzEoCSIvCy3L9
-+i3LbkaiUWEHQItLjIg+aice13ZkuMp+DeZ+D/YR9ulxyY1QBYeZLQj/gSdkj/fK
-uDm0Izgt8OBsgP+KFX2c2cGZyOcXmFFAwSfkLz7p2qzrmuM7r5ploNpxeHBUIxUW
-jJzSFeQMfy5wflcKDBY+PDejzN9Ik4weRyERsckVgmZSJXuodb8xgYkNPvl/GOVJ
-o+eDw+E3uOsdBIDrsyb+bcQTG7nBkQoSqG8M0610h0OqFhksfv/0HcB/wfW8VdU+
-+C4+tR2KfvqTCm3T6gzRWX8=
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem.certspec
deleted file mode 100644
index 5aa8aaa5e..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:badca
-subject:test end-entity
-issuerKey:alternate
-subjectKey:alternate
-extension:subjectAlternativeName:b.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem
deleted file mode 100644
index 791f64b4c..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC4zCCAc2gAwIBAgIUVQNTrx+mRE96ggRLuZeFm+9uBdcwCwYJKoZIhvcNAQEL
-MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx
-ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK
-zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG
-zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX
-KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp
-mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6
-kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMl
-MCMwIQYDVR0RBBowGIIWYi5waW5uaW5nMi5leGFtcGxlLmNvbTALBgkqhkiG9w0B
-AQsDggEBAHYCfQaolF6z4IicBDTEQQVfYi4A3BcCNLTdInQlal/DHNytNRufM5TB
-ccNpau5U9e10NBYWbMqRUBb/7wtYE4O7jhEWxjaHBOz5KTYLv8hjEc2wcHXfhlYM
-QKmxOnA7SguSNYBdfXywav//ssLmDnB06nc2vv5NaKvIWbUv3HvfM8oRAr+NICUs
-UMcIb+hjY+u/qrnOeFJxXzeqPYKMa7H+33baRgy7xnL95PxAwkz0XL8vcMFupTX5
-dL5HsSKku23C0BoE6pK39TVh758fQjCAnD+QRTH/o+dfE2sIFpRiyszdXGmh2IRR
-gMSy+gJbH+zh0D9ncL0Kev0PyEuBYR4=
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem.certspec
deleted file mode 100644
index 17f22dab5..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:pinningroot
-subject:test end-entity
-subjectKey:alternate
-extension:subjectAlternativeName:b.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem
deleted file mode 100644
index 4ef23a2c2..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC3DCCAcagAwIBAgIUf2T4BVvxeCgWVp/FL3tCFNjuZYQwCwYJKoZIhvcNAQEL
-MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw
-MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv
-plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn
-YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+
-ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM
-5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn
-JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMkMCIwIAYD
-VR0RBBkwF4IVYi5wcmVsb2FkLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOCAQEA
-okmxK2NDRYWSAn6b1YZpLiZnoaNrM0HXHY6fkARY/9EiAApvNPxT663EKtTZn27a
-JtwXP2zzlYQDRc9cxa1zBX9Tp+0sn5aqokqzoVWx4VIe/emzi9FDf3lgaYewHLez
-RINv3kUZmqlw6tmMQxjd51UGyvNsi52+gcet1cPr5kBzGQv/q7iNs/lcetL3+KQF
-klJ3PfI4VjFwRRYNhScxiRczklPVDySvxSNw+csUxNRunFLXIi3+WqQzYhw7R8ga
-ASwozTfvVAUySOmDipCZZXAHFtlpBr6vAllfD9v8hAsrE7Bkivafr+i5HMD3DtJE
-4ZedqFCkTkqKvd0fMIbOIA==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem.certspec
deleted file mode 100644
index 9901ead60..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:badca
-subject:test end-entity
-issuerKey:alternate
-subjectKey:alternate
-extension:subjectAlternativeName:b.preload.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem
deleted file mode 100644
index c6ea38a12..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC4jCCAcygAwIBAgIUI5rdRX/x0w0bDx6hQhc8ZhGLfqQwCwYJKoZIhvcNAQEL
-MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx
-ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK
-zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG
-zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX
-KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp
-mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6
-kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMk
-MCIwIAYDVR0RBBkwF4IVYi5wcmVsb2FkLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEB
-CwOCAQEAg2VdHBLmFLJ03N9VT4uUrnpjuYY9bsvPJF2JCk9817nxBbeMf+Qn0C/o
-OeoQnZRqsaFbKZ80JXmh/j4RO6T/aaQUMpk+NXrdSPddy2B3eUByF/NJqipV3M2a
-CRNWUUVF+msjRWwbzJafju2nEZcD4d4cUkHHYAaRRxAHH3ylEvWmdv/brgfAPCPH
-WDVaCMc3OXgHkyrLAfkMKSYTNPJ7DJn/BXET5tCzqYGRUgRnME4ON2Mmp19lsdig
-dIFbm76wg6l5M+s9pqiYzODUxJXUOd6BkAR5pqB9WyIRVfBr5LGT72nv00LHVcSm
-hnsti9nAtFdJx4E1lJilrnQwu0q4Iw==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem.certspec
deleted file mode 100644
index 6f5807700..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:pinningroot
-subject:test end-entity
-subjectKey:alternate
-extension:subjectAlternativeName:b.preload.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem
deleted file mode 100644
index 9443a4c91..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyzCCAbWgAwIBAgIUXQevdaeXMieCrG6ZqhI2yfACBq4wCwYJKoZIhvcNAQEL
-MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw
-MDAwMDBaMBAxDjAMBgNVBAMMBWJhZGNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHIwkmK
-xKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNvI8XZ
-gxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZ
-C8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIramnNKD
-dRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIUDRjE
-wLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQABox0wGzAMBgNVHRMEBTADAQH/
-MAsGA1UdDwQEAwIBBjALBgkqhkiG9w0BAQsDggEBAHitWfZzPxR/UWEKQgz9zzm2
-NXszG7nV82w8qfC9pq8mU3f7eqbHJ2HNFkZzttJsH9DNl30OK2Y5IVLUiZHckz2e
-OFUyxK0tBCCBYd79FiK4BgP/Ys/7LK+4UaDhbRQP//MGuofwjsrNxgPgtkNaeKtF
-EXKCuDrHoa4ua7afrkUWKzPZ6JbDOEjJIyuJ3ISI0Q20Oc3ERxGwG1SQ1EldgWBr
-0dJJWBHZtNpIVvSm1dRfjMYtSrBoUXwbn6kDrdk4T98OHnFP0V0KW4j4umLHK7Gi
-OSAwvWtir3fSJaLJClTCFe1XoNvJnQ53PJs0JR26mAixV2VuylStO2KlbYy7fOc=
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem.certspec
deleted file mode 100644
index 311bbb3f8..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem.certspec
+++ /dev/null
@@ -1,6 +0,0 @@
-issuer:badca
-subject:badca
-issuerKey:alternate
-subjectKey:alternate
-extension:basicConstraints:cA,
-extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/moz.build b/security/manager/ssl/tests/unit/test_pinning_dynamic/moz.build
deleted file mode 100644
index eb8b582f5..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/moz.build
+++ /dev/null
@@ -1,26 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-#test_certificates = (
-# 'badca.pem',
-# 'a.pinning2.example.com-badca.pem',
-# 'a.pinning2.example.com-pinningroot.pem',
-# 'a.preload.example.com-badca.pem',
-# 'a.preload.example.com-pinningroot.pem',
-# 'b.pinning2.example.com-badca.pem',
-# 'b.pinning2.example.com-pinningroot.pem',
-# 'b.preload.example.com-badca.pem',
-# 'b.preload.example.com-pinningroot.pem',
-# 'x.a.pinning2.example.com-badca.pem',
-# 'x.a.pinning2.example.com-pinningroot.pem',
-# 'x.b.pinning2.example.com-badca.pem',
-# 'x.b.pinning2.example.com-pinningroot.pem',
-# 'pinningroot.pem',
-#)
-#
-#for test_certificate in test_certificates:
-# GeneratedTestCertificate(test_certificate)
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem
deleted file mode 100644
index 9a041991a..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC1zCCAcGgAwIBAgIUMwSUmBShbg5sMNZSTiPd5Tb1udkwCwYJKoZIhvcNAQEL
-MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx
-ODAyMDUwMDAwMDBaMBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
-aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
-adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
-pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
-YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
-CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAM
-BgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjALBgkqhkiG9w0BAQsDggEBADNuQnKg
-y8zWnKlfBq/50UOtdSlvevg6u6tsUTvay2kVgB8BRTvm76aw4yOLgk84eHHkrX5c
-TqdutWh2JZarUWbO7JnPTdDE2CAkDh1smSe9L/XJENbgVXleg/VYLgnfnuSQCCnK
-WjjExcorX6IKDks1ZoBJ1HIvBzMRMWzIQgBL9B2Y1V05lgfn0bwZD+TjUJBmN1w0
-NTaPgrxE7FWZ2CTcowrYRKEEDAUX4cTFoce5YMwALCgW59KfVQfQdHaiCCcdNbfi
-qSQGZu+59JrrasmgK9VTahukYWcaQCz8HBCasdknGodLAzThuWMkjXU3D2IZYl15
-GfE5yrRFop/89xo=
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem.certspec
deleted file mode 100644
index 86500e16b..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:pinningroot
-subject:pinningroot
-extension:basicConstraints:cA,
-extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem
deleted file mode 100644
index e4b6e72c0..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC3zCCAcmgAwIBAgIUe11LKIzCrdnRTgrLsfuGMoOpL1QwCwYJKoZIhvcNAQEL
-MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw
-MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv
-plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn
-YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+
-ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM
-5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn
-JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMnMCUwIwYD
-VR0RBBwwGoIYeC5hLnBpbm5pbmcyLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOC
-AQEAgdFC/SwBLRp6A+n3znR+sEuU8UvmbgbXp7pIFVh6cbC6lNF0nXk9ywPeIWyh
-B7TCn3YHj4uc/PbvzRj9Py0gQLXcimKpmLoxclV5g1uTAydgXPiPulv/kaL9NOME
-lm88pyQeDwfEkUz7VijabIzFRTEVRmOudb8mX4SuzjhxsdzSMjffpae335beJ4Im
-lxgJgMsuJdEoK0WyG5nlBhVdzrT/kwdiwULeVNV//UHid1YZy56G5Lo22Hgd4wT3
-1W3LXQelBdHhee7Hf7mg4rjCUPulFAr8qBLdywf1Hnu1o7rXUcn46PLwKLOWJPOM
-SKpiqRKqvzlrzLaHPejfT0IMrw==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem.certspec
deleted file mode 100644
index ad8636d43..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:badca
-subject:test end-entity
-issuerKey:alternate
-subjectKey:alternate
-extension:subjectAlternativeName:x.a.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem
deleted file mode 100644
index ed58de323..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC5TCCAc+gAwIBAgIUefEeE+Sj5fBSec+97B6UmZFQEncwCwYJKoZIhvcNAQEL
-MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx
-ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK
-zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG
-zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX
-KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp
-mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6
-kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMn
-MCUwIwYDVR0RBBwwGoIYeC5hLnBpbm5pbmcyLmV4YW1wbGUuY29tMAsGCSqGSIb3
-DQEBCwOCAQEAT2fxisiLJvVdFTba07a2Pc6UHBE+O0tOaLfMmHx/ET2FZdd9sLTL
-X2f+hQCmXEBQ7Au2eYTew8hTyXYGYFauMJNk+XHHUIaSOhmnYTccye4d6j5bXRCp
-7zA1qPlReCDLjp7o/34whkvngvdgdLYf60EkBO/NJfj+zsR1JTVfyVzIKXl6veLz
-0xKicBAq9vS0Yqq10japVYKKqAw6gDpbNkSAd3xsl4+EbMRq+BnMB4W2anw1gM/e
-hV11JQVA/MREtmUiTkvJFF6chHVCn5aL7JzVM2miZjZC8Ix59LUBoyO3SrxgrzZw
-xeYuwoDhzTCrcFxn8gdKNajbGHuW5ekQpg==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem.certspec
deleted file mode 100644
index 260f2184b..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:pinningroot
-subject:test end-entity
-subjectKey:alternate
-extension:subjectAlternativeName:x.a.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem
deleted file mode 100644
index dc24247e8..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC3zCCAcmgAwIBAgIUYcTc5Pz7KlQldGOO+KzbuBdf8TswCwYJKoZIhvcNAQEL
-MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw
-MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv
-plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn
-YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+
-ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM
-5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn
-JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMnMCUwIwYD
-VR0RBBwwGoIYeC5iLnBpbm5pbmcyLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOC
-AQEAd6HusXqftFBpSUzivIY6icTZ95+wY+xIOsf1QOgyzZ/CDx4Tly+rgue2xSNT
-59FmnFvh8jW202K8TykamsAX20A8ArzubNoc/+soA752YEvrMmOgWjmH2arqTfqg
-zcfNdgUDESwnOoy123F+PkT3rRDXwINzCwftxhKbvmqhO6YENteqyWWmSZoMClsJ
-xtm+bmPN+m26k6zMMYWzIu2HIXI3CgqOmJltfyqea02Y58S1+XlajrcewPpC17xD
-r5a1sizecCFrmV0ssbK8wvEYo9Xs+PNj8Vhi1DUwGjtnjrYn/WQ6v/luMEEO7EMD
-b3BbEziS3Pqej2JyprUKqOjv1g==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem.certspec
deleted file mode 100644
index 592bdcc58..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem.certspec
+++ /dev/null
@@ -1,5 +0,0 @@
-issuer:badca
-subject:test end-entity
-issuerKey:alternate
-subjectKey:alternate
-extension:subjectAlternativeName:x.b.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem
deleted file mode 100644
index 642135994..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC5TCCAc+gAwIBAgIUNXGolw8M2HU/gP4dOSMD2bdTQ+MwCwYJKoZIhvcNAQEL
-MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx
-ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK
-zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG
-zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX
-KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp
-mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6
-kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMn
-MCUwIwYDVR0RBBwwGoIYeC5iLnBpbm5pbmcyLmV4YW1wbGUuY29tMAsGCSqGSIb3
-DQEBCwOCAQEAevN1gW64H2kCjW5W4wbQFkJIITjcdEUsw+8GPzDuBDJCvgGirhOi
-ArBie8Bz+JlqzgNCXSe6pFVLoNfLosG5xksLwHljEit/7gFQ5twFazdg7dwPXs9Z
-MIV2iv3vHmKYTFTcjfw07UWy0rHHt6EH+zXqpZFtFkJHqSgngKxAHgQlvSKeyynM
-albu5YAX/hzJ7TyAVGxVN8uxnvYqPbLCy3wKf9ILFiDer6B9pE4Ii+dUyUbqVQFZ
-tY2ac1474nkcfj3uj5qbV0TTpd9EL9HMvixTnoUrT3bqkRX7orvL4gXpnJJyRjvC
-/LvTh/Vt1mYKkNLc/ruOj7WfUUC0SJIDzQ==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem.certspec
deleted file mode 100644
index 7e6d33d50..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:pinningroot
-subject:test end-entity
-subjectKey:alternate
-extension:subjectAlternativeName:x.b.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
deleted file mode 100644
index 0dcf6993b..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
+++ /dev/null
@@ -1,147 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-"use strict";
-
-// The purpose of this test is to check that parsing of HPKP headers
-// is correct.
-
-var profileDir = do_get_profile();
-const certdb = Cc["@mozilla.org/security/x509certdb;1"]
- .getService(Ci.nsIX509CertDB);
-var gSSService = Cc["@mozilla.org/ssservice;1"]
- .getService(Ci.nsISiteSecurityService);
-
-function certFromFile(cert_name) {
- return constructCertFromFile("test_pinning_dynamic/" + cert_name + ".pem");
-}
-
-function loadCert(cert_name, trust_string) {
- let cert_filename = "test_pinning_dynamic/" + cert_name + ".pem";
- addCertFromFile(certdb, cert_filename, trust_string);
- return constructCertFromFile(cert_filename);
-}
-
-function checkFailParseInvalidPin(pinValue) {
- let sslStatus = new FakeSSLStatus(
- certFromFile('a.pinning2.example.com-pinningroot'));
- let uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
- throws(() => {
- gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
- pinValue, sslStatus, 0);
- }, /NS_ERROR_FAILURE/, `Invalid pin "${pinValue}" should be rejected`);
-}
-
-function checkPassValidPin(pinValue, settingPin, expectedMaxAge) {
- let sslStatus = new FakeSSLStatus(
- certFromFile('a.pinning2.example.com-pinningroot'));
- let uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
- let maxAge = {};
-
- // setup preconditions for the test, if setting ensure there is no previous
- // state, if removing ensure there is a valid pin in place.
- if (settingPin) {
- gSSService.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0);
- } else {
- // add a known valid pin!
- let validPinValue = "max-age=5000;" + VALID_PIN1 + BACKUP_PIN1;
- gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
- validPinValue, sslStatus, 0);
- }
- try {
- gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
- pinValue, sslStatus, 0, maxAge);
- ok(true, "Valid pin should be accepted");
- } catch (e) {
- ok(false, "Valid pin should have been accepted");
- }
-
- // check that maxAge was processed correctly
- if (settingPin && expectedMaxAge) {
- ok(maxAge.value == expectedMaxAge, `max-age value should be ${expectedMaxAge}`);
- }
-
- // after processing ensure that the postconditions are true, if setting
- // the host must be pinned, if removing the host must not be pinned
- let hostIsPinned = gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "a.pinning2.example.com", 0);
- if (settingPin) {
- ok(hostIsPinned, "Host should be considered pinned");
- } else {
- ok(!hostIsPinned, "Host should not be considered pinned");
- }
-}
-
-function checkPassSettingPin(pinValue, expectedMaxAge) {
- return checkPassValidPin(pinValue, true, expectedMaxAge);
-}
-
-function checkPassRemovingPin(pinValue) {
- return checkPassValidPin(pinValue, false);
-}
-
-const MAX_MAX_AGE_SECONDS = 100000;
-const GOOD_MAX_AGE_SECONDS = 69403;
-const LONG_MAX_AGE_SECONDS = 2 * MAX_MAX_AGE_SECONDS;
-const NON_ISSUED_KEY_HASH1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
-const NON_ISSUED_KEY_HASH2 = "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ=";
-const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
-const MAX_AGE_ZERO = "max-age=0;";
-const VALID_PIN1 = `pin-sha256="${PINNING_ROOT_KEY_HASH}";`;
-const BACKUP_PIN1 = `pin-sha256="${NON_ISSUED_KEY_HASH1}";`;
-const BACKUP_PIN2 = `pin-sha256="${NON_ISSUED_KEY_HASH2}";`;
-const BROKEN_PIN1 = "pin-sha256=\"jdjsjsjs\";";
-const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
-const LONG_MAX_AGE = `max-age=${LONG_MAX_AGE_SECONDS};`;
-const INCLUDE_SUBDOMAINS = "includeSubdomains;";
-const REPORT_URI = "report-uri=\"https://www.example.com/report/\";";
-const UNRECOGNIZED_DIRECTIVE = "unreconized-dir=12343;";
-
-function run_test() {
- Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
- Services.prefs.setIntPref("security.cert_pinning.max_max_age_seconds", MAX_MAX_AGE_SECONDS);
- Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true);
-
- loadCert("pinningroot", "CTu,CTu,CTu");
- loadCert("badca", "CTu,CTu,CTu");
-
- checkFailParseInvalidPin("max-age=INVALID");
- // check that incomplete headers are failure
- checkFailParseInvalidPin(GOOD_MAX_AGE);
- checkFailParseInvalidPin(VALID_PIN1);
- checkFailParseInvalidPin(REPORT_URI);
- checkFailParseInvalidPin(UNRECOGNIZED_DIRECTIVE);
- checkFailParseInvalidPin(VALID_PIN1 + BACKUP_PIN1);
- checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1);
- checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BROKEN_PIN1);
- // next ensure a backup pin is present
- checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + VALID_PIN1);
- // next section ensure duplicate directives result in failure
- checkFailParseInvalidPin(GOOD_MAX_AGE + GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
- checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + INCLUDE_SUBDOMAINS + INCLUDE_SUBDOMAINS);
- checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + REPORT_URI + REPORT_URI);
- checkFailParseInvalidPin("thisisinvalidtest");
- checkFailParseInvalidPin("invalid" + GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
-
- checkPassRemovingPin("max-age=0"); //test removal without terminating ';'
- checkPassRemovingPin(MAX_AGE_ZERO);
- checkPassRemovingPin(MAX_AGE_ZERO + VALID_PIN1);
-
- checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1, GOOD_MAX_AGE_SECONDS);
- checkPassSettingPin(LONG_MAX_AGE + VALID_PIN1 + BACKUP_PIN1, MAX_MAX_AGE_SECONDS);
-
- checkPassRemovingPin(VALID_PIN1 + MAX_AGE_ZERO + VALID_PIN1);
- checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
- checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN2);
- checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN2 + INCLUDE_SUBDOMAINS);
- checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + INCLUDE_SUBDOMAINS);
- checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + REPORT_URI + INCLUDE_SUBDOMAINS);
- checkPassSettingPin(INCLUDE_SUBDOMAINS + VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2);
- checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + UNRECOGNIZED_DIRECTIVE);
-
- Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");
- Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
- Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
- Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots");
-}
diff --git a/security/manager/ssl/tests/unit/test_sts_holepunch.js b/security/manager/ssl/tests/unit/test_sts_holepunch.js
deleted file mode 100644
index b7e643148..000000000
--- a/security/manager/ssl/tests/unit/test_sts_holepunch.js
+++ /dev/null
@@ -1,34 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-"use strict";
-
-// bug 961528: chart.apis.google.com doesn't handle https. Check that
-// it isn't considered HSTS (other example.apis.google.com hosts should be
-// HSTS as long as they're on the preload list, however).
-function run_test() {
- let SSService = Cc["@mozilla.org/ssservice;1"]
- .getService(Ci.nsISiteSecurityService);
- ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "chart.apis.google.com", 0));
- ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "CHART.APIS.GOOGLE.COM", 0));
- ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "sub.chart.apis.google.com", 0));
- ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "SUB.CHART.APIS.GOOGLE.COM", 0));
- ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "example.apis.google.com", 0));
- ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "EXAMPLE.APIS.GOOGLE.COM", 0));
- ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "sub.example.apis.google.com", 0));
- ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "SUB.EXAMPLE.APIS.GOOGLE.COM", 0));
- // also check isSecureURI
- let chartURI = Services.io.newURI("http://chart.apis.google.com", null, null);
- ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, chartURI, 0));
- let otherURI = Services.io.newURI("http://other.apis.google.com", null, null);
- ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, otherURI, 0));
-}
diff --git a/security/manager/ssl/tests/unit/xpcshell.ini b/security/manager/ssl/tests/unit/xpcshell.ini
index bdf9933f4..01384b19a 100644
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -26,7 +26,6 @@ support-files =
test_ocsp_fetch_method/**
test_ocsp_url/**
test_onecrl/**
- test_pinning_dynamic/**
test_signed_apps/**
test_signed_dir/**
test_startcom_wosign/**
@@ -111,13 +110,6 @@ run-sequentially = hardcoded ports
[test_ocsp_url.js]
run-sequentially = hardcoded ports
[test_password_prompt.js]
-[test_pinning.js]
-run-sequentially = hardcoded ports
-# This test can take longer than 300 seconds on B2G emulator debug builds, so
-# give it enough time to finish. See bug 1081128.
-requesttimeoutfactor = 2
-[test_pinning_dynamic.js]
-[test_pinning_header_parsing.js]
[test_sdr.js]
[test_session_resumption.js]
run-sequentially = hardcoded ports
@@ -137,7 +129,6 @@ skip-if = toolkit == 'android'
[test_sss_savestate.js]
[test_startcom_wosign.js]
[test_sts_fqdn.js]
-[test_sts_holepunch.js]
[test_sts_ipv4_ipv6.js]
[test_sts_preloadlist_perwindowpb.js]
[test_sts_preloadlist_selfdestruct.js]