Add m-esr52 at 52.6.0

23 files changed, 2496 insertions, 0 deletions

diff --git a/security/nss/tests/chains/scenarios/aia.cfg b/security/nss/tests/chains/scenarios/aia.cfg
new file mode 100644
index 000000000..df3b1ef02
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/aia.cfg
@@ -0,0 +1,35 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AIA
+
+entity Root
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer Root
+
+entity CA2
+  type Intermediate
+  issuer CA1
+    aia CA1:Root
+
+entity User
+  type EE
+  issuer CA2
+
+testdb User
+
+verify User:CA2
+  cert CA2:CA1
+  trust Root:
+  result fail
+
+verify User:CA2
+  cert CA2:CA1
+  trust Root:
+  fetch
+  result pass
+
diff --git a/security/nss/tests/chains/scenarios/anypolicy.cfg b/security/nss/tests/chains/scenarios/anypolicy.cfg
new file mode 100644
index 000000000..fd647ad23
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/anypolicy.cfg
@@ -0,0 +1,77 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AnyPolicy
+
+entity RootCA
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer RootCA
+  policy any
+
+entity CA2
+  type Intermediate
+  issuer CA1
+  policy OID.1.0
+  inhibit 0
+
+entity CA3
+  type Intermediate
+  issuer CA1
+  policy OID.1.0
+
+entity User1
+  type EE
+  issuer CA2
+  policy OID.1.0
+
+entity User2
+  type EE
+  issuer CA2
+  policy any
+
+entity User3
+  type EE
+  issuer CA3
+  policy any
+ 
+db All
+
+import RootCA::
+import CA1:RootCA:
+import CA2:CA1:
+import CA3:CA1:
+
+verify User1:CA2
+  trust RootCA
+  policy OID.1.0
+  result pass
+
+verify User1:CA2
+  trust RootCA
+  policy OID.2.0
+  result fail
+
+verify User2:CA2
+  trust RootCA
+  policy OID.1.0
+  result fail
+
+verify User2:CA2
+  trust RootCA
+  policy OID.2.0
+  result fail
+
+verify User3:CA3
+  trust RootCA
+  policy OID.1.0
+  result pass
+
+verify User3:CA3
+  trust RootCA
+  policy OID.2.0
+  result fail
+
diff --git a/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg
new file mode 100644
index 000000000..9dd84a797
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg
@@ -0,0 +1,399 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AnyPolicyWithLevel
+
+entity RootCA
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer RootCA
+  policy any
+  inhibit 1
+
+entity CA12
+  type Intermediate
+  issuer CA1
+  policy any
+
+entity CA13
+  type Intermediate
+  issuer CA12
+  policy OID.1.0
+
+entity EE1 
+  type EE
+  issuer CA13
+  policy OID.1.0
+
+entity CA22
+  type Intermediate
+  issuer CA1
+  policy any
+
+entity CA23
+  type Intermediate
+  issuer CA22
+  policy any
+
+entity EE2
+  type EE
+  issuer CA23
+  policy OID.1.0
+
+entity CA32
+  type Intermediate
+  issuer CA1
+  policy any
+  inhibit 1
+
+entity CA33
+  type Intermediate
+  issuer CA32
+  policy any
+
+entity EE3
+  type EE
+  issuer CA33
+  policy OID.1.0
+
+entity CA42
+  type Intermediate
+  issuer CA1
+  policy any
+  policy OID.1.0
+
+entity CA43
+  type Intermediate
+  issuer CA42
+  policy any
+  policy OID.1.0
+
+entity EE4
+  type EE
+  issuer CA43
+  policy OID.1.0
+
+entity CA52
+  type Intermediate
+  issuer CA1
+  policy any
+  policy OID.1.0
+
+entity CA53
+  type Intermediate
+  issuer CA52
+  policy any
+
+entity EE5
+  type EE
+  issuer CA53
+  policy OID.1.0
+
+entity CA61
+  type Intermediate
+  issuer RootCA
+  policy any
+  inhibit 5
+
+entity CA62
+  type Intermediate
+  issuer CA61
+  policy any
+
+entity EE62
+  type EE
+  issuer CA62
+  policy OID.1.0
+
+entity CA63
+  type Intermediate
+  issuer CA62
+  policy any
+
+entity EE63
+  type EE
+  issuer CA63
+  policy OID.1.0
+
+entity CA64
+  type Intermediate
+  issuer CA63
+  policy any
+
+entity EE64
+  type EE
+  issuer CA64
+  policy OID.1.0
+
+entity CA65
+  type Intermediate
+  issuer CA64
+  policy any
+
+entity EE65
+  type EE
+  issuer CA65
+  policy OID.1.0
+
+entity CA66
+  type Intermediate
+  issuer CA65
+  policy any
+
+entity EE66
+  type EE
+  issuer CA66
+  policy OID.1.0
+
+entity CA67
+  type Intermediate
+  issuer CA66
+  policy any
+
+entity EE67
+  type EE
+  issuer CA67
+  policy OID.1.0
+
+db All
+
+verify EE1:CA13
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA12:CA1
+  cert CA13:CA12
+  trust RootCA:
+  policy OID.1.0
+  result pass 
+
+verify EE1:CA13
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA12:CA1
+  cert CA13:CA12
+  trust RootCA:
+  policy OID.2.0
+  result fail
+
+verify EE1:CA13
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA12:CA1
+  cert CA13:CA12
+  trust RootCA:
+  policy OID.2.5.29.32.0
+  result pass
+
+verify EE2:CA23
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA22:CA1
+  cert CA23:CA22
+  trust RootCA:
+  policy OID.1.0
+  result fail
+
+verify EE2:CA23
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA22:CA1
+  cert CA23:CA22
+  trust RootCA:
+  policy OID.2.0
+  result fail
+
+verify EE2:CA23
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA22:CA1
+  cert CA23:CA22
+  trust RootCA:
+  policy OID.2.5.29.32.0
+  result fail
+
+verify EE2:CA23
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA22:CA1
+  cert CA23:CA22
+  trust RootCA:
+  result pass
+
+verify EE3:CA33
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA32:CA1
+  cert CA33:CA32
+  trust RootCA:
+  policy OID.1.0
+  result fail
+
+verify EE3:CA33
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA32:CA1
+  cert CA33:CA32
+  trust RootCA:
+  policy OID.2.0
+  result fail
+
+verify EE3:CA33
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA32:CA1
+  cert CA33:CA32
+  trust RootCA:
+  policy OID.2.5.29.32.0
+  result fail
+
+verify EE3:CA33
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA32:CA1
+  cert CA33:CA32
+  trust RootCA:
+  result pass
+
+verify EE4:CA43
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA42:CA1
+  cert CA43:CA42
+  trust RootCA:
+  policy OID.1.0
+  result pass
+
+verify EE4:CA43
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA42:CA1
+  cert CA43:CA42
+  trust RootCA:
+  policy OID.2.0
+  result fail
+
+verify EE4:CA43
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA42:CA1
+  cert CA43:CA42
+  trust RootCA:
+  policy OID.2.5.29.32.0
+  result pass
+
+verify EE5:CA53
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA52:CA1
+  cert CA53:CA52
+  trust RootCA:
+  policy OID.1.0
+  result fail
+
+verify EE5:CA53
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA52:CA1
+  cert CA53:CA52
+  trust RootCA:
+  policy OID.2.0
+  result fail
+
+verify EE5:CA53
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA52:CA1
+  cert CA53:CA52
+  trust RootCA:
+  policy OID.2.5.29.32.0
+  result fail
+
+verify EE5:CA53
+  cert RootCA:
+  cert CA1:RootCA
+  cert CA52:CA1
+  cert CA53:CA52
+  trust RootCA:
+  result pass
+
+verify EE62:CA62
+  cert RootCA:
+  cert CA61:RootCA
+  cert CA62:CA61
+  cert CA63:CA62
+  cert CA64:CA63
+  cert CA65:CA64
+  cert CA66:CA65
+  cert CA67:CA66
+  trust RootCA:
+  policy OID.1.0
+  result pass
+
+verify EE63:CA63
+  cert RootCA:
+  cert CA61:RootCA
+  cert CA62:CA61
+  cert CA63:CA62
+  cert CA64:CA63
+  cert CA65:CA64
+  cert CA66:CA65
+  cert CA67:CA66
+  trust RootCA:
+  policy OID.1.0
+  result pass
+
+verify EE64:CA64
+  cert RootCA:
+  cert CA61:RootCA
+  cert CA62:CA61
+  cert CA63:CA62
+  cert CA64:CA63
+  cert CA65:CA64
+  cert CA66:CA65
+  cert CA67:CA66
+  trust RootCA:
+  policy OID.1.0
+  result pass
+
+verify EE65:CA65
+  cert RootCA:
+  cert CA61:RootCA
+  cert CA62:CA61
+  cert CA63:CA62
+  cert CA64:CA63
+  cert CA65:CA64
+  cert CA66:CA65
+  cert CA67:CA66
+  trust RootCA:
+  policy OID.1.0
+  result pass
+
+verify EE66:CA66
+  cert RootCA:
+  cert CA61:RootCA
+  cert CA62:CA61
+  cert CA63:CA62
+  cert CA64:CA63
+  cert CA65:CA64
+  cert CA66:CA65
+  cert CA67:CA66
+  trust RootCA:
+  policy OID.1.0
+  result pass
+
+verify EE67:CA67
+  cert RootCA:
+  cert CA61:RootCA
+  cert CA62:CA61
+  cert CA63:CA62
+  cert CA64:CA63
+  cert CA65:CA64
+  cert CA66:CA65
+  cert CA67:CA66
+  trust RootCA:
+  policy OID.1.0
+  result fail
+
diff --git a/security/nss/tests/chains/scenarios/bridge.cfg b/security/nss/tests/chains/scenarios/bridge.cfg
new file mode 100644
index 000000000..14dba6adc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridge.cfg
@@ -0,0 +1,106 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Bridge
+
+entity Army
+  type Root
+
+entity Navy
+  type Root
+
+entity Bridge
+  type Bridge
+  issuer Army
+  issuer Navy
+
+entity User
+  type EE
+  issuer Bridge
+
+db All
+
+import Army::
+import Navy::
+
+verify User:Bridge
+  cert Bridge:Navy
+  trust Navy 
+  result pass
+
+verify User:Bridge
+  cert Bridge:Army
+  trust Army
+  result pass
+
+verify User:Bridge
+  cert Bridge:Navy
+  trust Army
+  result fail
+
+import Bridge:Army:
+import Bridge:Navy:
+
+verify User:Bridge
+  trust Army
+  result pass
+
+verify User:Bridge
+  trust Navy 
+  result pass
+
+db ArmyOnly
+
+import Army::C,,
+
+verify User:Bridge
+  result fail
+
+verify User:Bridge
+  cert Bridge:Navy
+  result fail
+
+verify User:Bridge
+  cert Bridge:Navy
+  cert Navy:
+  result fail
+
+verify User:Bridge
+  cert Bridge:Navy
+  cert Navy:
+  trust Navy:
+  result pass
+
+verify User:Bridge
+  cert Bridge:Navy
+  trust Navy:
+  result pass
+
+db NavyOnly
+
+import Navy::C,,
+
+verify User:Bridge
+  result fail
+
+verify User:Bridge
+  cert Bridge:Army
+  result fail
+
+verify User:Bridge
+  cert Bridge:Army
+  cert Army:
+  result fail
+
+verify User:Bridge
+  cert Bridge:Army
+  cert Army:
+  trust Army:
+  result pass
+
+verify User:Bridge
+  cert Bridge:Army
+  trust Army:
+  result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithaia.cfg b/security/nss/tests/chains/scenarios/bridgewithaia.cfg
new file mode 100644
index 000000000..640edb87a
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithaia.cfg
@@ -0,0 +1,54 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithAIA
+
+entity Army
+  type Root
+
+entity Navy
+  type Root
+
+entity Bridge
+  type Bridge
+  issuer Army
+  issuer Navy
+
+entity CA1
+  type Intermediate
+  issuer Bridge
+    aia Bridge
+
+entity EE1
+  type EE
+  issuer CA1
+
+testdb EE1
+
+verify EE1:CA1
+  cert CA1:Bridge
+  trust Army:
+  result fail
+
+verify EE1:CA1
+  cert CA1:Bridge
+  trust Army:
+  fetch
+# should pass, bug 435314
+# temporary result - test fails only with dbm cert db
+  result dbm:fail all:pass
+
+verify EE1:CA1
+  cert CA1:Bridge
+  trust Navy:
+  fetch
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge
+  cert Bridge:Army
+  trust Navy:
+  fetch
+  result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg
new file mode 100644
index 000000000..914828ea1
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg
@@ -0,0 +1,89 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithHalfAIA
+
+entity Army
+  type Root
+
+entity Navy
+  type Root
+
+entity Bridge
+  type Bridge
+  issuer Army
+  issuer Navy
+
+entity CA1
+  type Intermediate
+  issuer Bridge
+    aia Bridge
+
+entity EE1
+  type EE
+  issuer CA1
+
+entity CA2
+  type Intermediate
+  issuer Bridge
+    aia Bridge:Navy
+
+entity EE2
+  type EE
+  issuer CA2
+
+testdb EE1
+
+verify EE1:CA1
+  cert CA1:Bridge
+  trust Army:
+  result fail
+
+verify EE1:CA1
+  cert CA1:Bridge
+  trust Army:
+  fetch
+# should pass, bug 435314
+# temporary result - test fails only with dbm cert db
+  result dbm:fail all:pass
+
+verify EE1:CA1
+  cert CA1:Bridge
+  trust Navy:
+  fetch
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge
+  cert Bridge:Army
+  trust Navy:
+  fetch
+  result pass
+
+verify EE2:CA2
+  cert Bridge:Army
+  trust Army:
+  fetch
+  result fail
+
+verify EE2:CA2
+  cert CA2:Bridge
+  cert Bridge:Army
+  trust Army:
+  fetch
+  result pass
+
+verify EE2:CA2
+  cert CA2:Bridge
+  trust Navy:
+  fetch
+  result pass
+
+verify EE2:CA2
+  cert CA2:Bridge
+  cert Bridge:Army
+  trust Navy:
+  fetch
+  result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg
new file mode 100644
index 000000000..f7554cabc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg
@@ -0,0 +1,187 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithPolicyExtensionAndMapping
+
+entity Army
+  type Root
+
+entity Navy
+  type Root
+
+entity CAArmy
+  type Intermediate
+  issuer Army
+    policy OID.1.0
+    policy OID.1.1
+
+entity CANavy
+  type Intermediate
+  issuer Navy
+    policy OID.2.0
+    policy OID.2.1
+
+entity Bridge
+  type Bridge
+  issuer CAArmy
+    policy OID.1.0
+    policy OID.1.1
+    mapping OID.1.1:OID.2.1
+  issuer CANavy
+    policy OID.2.0
+    policy OID.2.1
+    mapping OID.2.1:OID.1.1
+
+entity CA1
+  type Intermediate
+  issuer Bridge
+    policy OID.1.1
+    policy OID.2.1
+
+entity CA2
+  type Intermediate
+  issuer Bridge
+    policy OID.1.0
+    policy OID.2.0
+
+entity EE1
+  type EE
+  issuer CA1
+    policy OID.2.1
+
+entity EE2
+  type EE
+  issuer CA2
+    policy OID.2.0
+
+testdb
+
+verify EE1:CA1
+  cert CA1:Bridge
+  cert Bridge:CAArmy
+  cert CAArmy:Army
+  trust Army:
+  policy OID.1.0
+  result fail
+
+verify EE1:CA1
+  cert CA1:Bridge
+  cert Bridge:CAArmy
+  cert CAArmy:Army
+  trust Army:
+  policy OID.1.1
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge
+  cert Bridge:CAArmy
+  cert CAArmy:Army
+  trust Army:
+  policy OID.2.0
+  result fail
+
+verify EE1:CA1
+  cert CA1:Bridge
+  cert Bridge:CAArmy
+  cert CAArmy:Army
+  trust Army:
+  policy OID.2.1
+  result fail
+
+verify EE1:CA1
+  cert CA1:Bridge
+  cert Bridge:CANavy
+  cert CANavy:Navy
+  trust Navy:
+  policy OID.1.0
+  result fail
+
+verify EE1:CA1
+  cert CA1:Bridge
+  cert Bridge:CANavy
+  cert CANavy:Navy
+  trust Navy:
+  policy OID.1.1
+  result fail
+
+verify EE1:CA1
+  cert CA1:Bridge
+  cert Bridge:CANavy
+  cert CANavy:Navy
+  trust Navy:
+  policy OID.2.0
+  result fail
+
+verify EE1:CA1
+  cert CA1:Bridge
+  cert Bridge:CANavy
+  cert CANavy:Navy
+  trust Navy:
+  policy OID.2.1
+  result fail
+
+verify EE2:CA2
+  cert CA2:Bridge
+  cert Bridge:CANavy
+  cert CANavy:Navy
+  trust Navy:
+  policy OID.1.0
+  result fail
+
+verify EE2:CA2
+  cert CA2:Bridge
+  cert Bridge:CANavy
+  cert CANavy:Navy
+  trust Navy:
+  policy OID.1.1
+  result fail
+
+verify EE2:CA2
+  cert CA2:Bridge
+  cert Bridge:CANavy
+  cert CANavy:Navy
+  trust Navy:
+  policy OID.2.0
+  result pass
+
+verify EE2:CA2
+  cert CA2:Bridge
+  cert Bridge:CANavy
+  cert CANavy:Navy
+  trust Navy:
+  policy OID.2.1
+  result fail
+
+verify EE2:CA2
+  cert CA2:Bridge
+  cert Bridge:CAArmy
+  cert CAArmy:Army
+  trust Army:
+  policy OID.1.0
+  result fail
+
+verify EE2:CA2
+  cert CA2:Bridge
+  cert Bridge:CAArmy
+  cert CAArmy:Army
+  trust Army:
+  policy OID.1.1
+  result fail
+
+verify EE2:CA2
+  cert CA2:Bridge
+  cert Bridge:CAArmy
+  cert CAArmy:Army
+  trust Army:
+  policy OID.2.0
+  result fail
+
+verify EE2:CA2
+  cert CA2:Bridge
+  cert Bridge:CAArmy
+  cert CAArmy:Army
+  trust Army:
+  policy OID.2.1
+  result fail
+
diff --git a/security/nss/tests/chains/scenarios/crldp.cfg b/security/nss/tests/chains/scenarios/crldp.cfg
new file mode 100644
index 000000000..a9949ae40
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/crldp.cfg
@@ -0,0 +1,105 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario CRLDP
+
+entity Root
+  type Root
+
+entity CA0
+  type Intermediate
+  issuer Root
+
+entity CA1
+  type Intermediate
+  crldp CA0
+  issuer CA0
+  serial 10
+    aia CA0:Root
+
+entity EE11
+  type EE
+  crldp CA0
+  issuer CA1
+
+entity CA2
+  type Intermediate
+  crldp CA0
+  issuer CA0
+  serial 20
+    aia CA0:Root
+
+entity EE21
+  type EE
+  issuer CA2
+
+entity EE1
+  type EE
+  crldp CA0
+  issuer CA0
+  serial 30
+    aia CA0:Root
+
+entity EE2
+  type EE
+  crldp CA0
+  issuer CA0
+  serial 40
+    aia CA0:Root
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA0
+  serial 20
+
+revoke CA0
+  serial 40
+
+copycrl CA0
+
+db All
+
+import Root::CTu,CTu,CTu
+
+# intermediate CA - OK, EE - OK
+verify EE11:CA1
+  cert CA1:CA0
+  trust Root:
+  fetch
+  rev_type chain
+  rev_flags requireFreshInfo
+  rev_mtype crl
+  result pass
+
+# intermediate CA - revoked, EE - OK
+verify EE21:CA2
+  cert CA2:CA0
+  trust Root:
+  fetch
+  rev_type chain
+  rev_flags requireFreshInfo
+  rev_mtype crl
+  result fail
+
+# direct EE - OK 
+verify EE1:CA0
+  trust Root:
+  fetch
+  rev_type leaf
+  rev_flags requireFreshInfo
+  rev_mtype crl
+  result pass
+
+# direct EE - revoked
+verify EE2:CA0
+  trust Root:
+  fetch
+  rev_type leaf
+  rev_flags requireFreshInfo
+  rev_mtype crl
+  result fail
+
diff --git a/security/nss/tests/chains/scenarios/dsa.cfg b/security/nss/tests/chains/scenarios/dsa.cfg
new file mode 100644
index 000000000..896e455fe
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/dsa.cfg
@@ -0,0 +1,72 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario DSA
+
+entity Root
+  type Root
+  ctype dsa
+
+entity CA1
+  type Intermediate
+  issuer Root
+  ctype dsa
+
+entity EE1
+  type EE
+  issuer CA1
+  ctype dsa
+
+entity CA2
+  type Intermediate
+  issuer Root
+  ctype dsa
+
+entity EE2
+  type EE
+  issuer CA2
+  ctype rsa
+
+entity CA3
+  type Intermediate
+  issuer Root
+  ctype rsa
+
+entity EE3
+  type EE
+  issuer CA3
+  ctype dsa
+
+entity CA4
+  type Intermediate
+  issuer Root
+  ctype rsa
+
+entity EE4
+  type EE
+  issuer CA4
+  ctype rsa
+
+db All
+
+verify EE1:CA1
+  cert CA1:Root
+  trust Root:
+  result pass
+
+verify EE2:CA2
+  cert CA2:Root
+  trust Root:
+  result pass
+
+verify EE3:CA3
+  cert CA3:Root
+  trust Root:
+  result pass
+
+verify EE4:CA4
+  cert CA4:Root
+  trust Root:
+  result pass
+
diff --git a/security/nss/tests/chains/scenarios/explicitPolicy.cfg b/security/nss/tests/chains/scenarios/explicitPolicy.cfg
new file mode 100644
index 000000000..20f79c45b
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/explicitPolicy.cfg
@@ -0,0 +1,78 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario explicitPolicy
+
+entity Root
+  type Root
+
+entity nonEVCA
+  type Intermediate
+  issuer Root 
+
+entity EVCA
+  type Intermediate
+  issuer Root 
+    policy OID.1.0
+
+entity otherEVCA
+  type Intermediate
+  issuer Root 
+    policy OID.2.0
+
+entity validEV
+  type EE
+  issuer EVCA
+    policy OID.1.0
+
+entity invalidEV
+  type EE
+  issuer nonEVCA
+    policy OID.1.0
+
+entity wrongEVOID
+  type EE
+  issuer otherEVCA
+    policy OID.1.0
+
+db All
+
+verify validEV:EVCA
+  cert EVCA:Root
+  cert Root:
+  trust Root:
+  policy OID.1.0
+  result pass
+
+verify invalidEV:nonEVCA
+  cert nonEVCA:Root
+  cert Root:
+  trust Root:
+  policy OID.1.0
+  result fail
+
+verify wrongEVOID:otherEVCA
+  cert otherEVCA:Root
+  cert Root:
+  trust Root:
+  policy OID.1.0
+  result fail
+
+import Root::C,C,C
+
+verify validEV:EVCA
+  cert EVCA:Root
+  policy OID.1.0
+  result pass
+
+verify invalidEV:nonEVCA
+  cert nonEVCA:Root
+  policy OID.1.0
+  result fail
+
+verify wrongEVOID:otherEVCA
+  cert otherEVCA:Root
+  policy OID.1.0
+  result fail
+
diff --git a/security/nss/tests/chains/scenarios/extension.cfg b/security/nss/tests/chains/scenarios/extension.cfg
new file mode 100644
index 000000000..fd1c3a0da
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/extension.cfg
@@ -0,0 +1,102 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Extension
+
+entity Root
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer Root 
+    policy OID.1.0
+
+entity CA2
+  type Intermediate
+  issuer CA1
+    policy OID.1.0
+
+entity User
+  type EE
+  issuer CA2
+    policy OID.1.0
+
+db All
+
+verify User:CA2
+  cert CA2:CA1
+  cert CA1:Root
+  cert Root:
+  trust Root:
+  policy OID.1.0
+  result pass
+
+verify User:CA2
+  cert CA2:CA1
+  cert CA1:Root
+  cert Root:
+  trust Root:
+  policy OID.2.0
+  result fail
+
+verify User:CA2
+  cert CA2:CA1
+  cert CA1:Root
+  trust CA1:Root
+  policy OID.1.0
+  result pass
+
+verify User:CA2
+  cert CA2:CA1
+  cert CA1:Root
+  trust CA1:Root
+  policy OID.2.0
+  result fail
+
+verify User:CA2
+  cert CA2:CA1
+  trust CA2:CA1
+  policy OID.1.0
+  result pass
+
+verify User:CA2
+  cert CA2:CA1
+  trust CA2:CA1
+  policy OID.2.0
+  result fail
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User:CA2
+  trust Root
+  policy OID.1.0
+  result pass
+
+verify User:CA2
+  trust Root
+  policy OID.2.0
+  result fail
+
+verify User:CA2
+  trust CA1
+  policy OID.1.0
+  result pass
+
+verify User:CA2
+  trust CA1
+  policy OID.2.0
+  result fail
+
+verify User:CA2
+  trust CA2
+  policy OID.1.0
+  result pass
+
+verify User:CA2
+  trust CA2
+  policy OID.2.0
+  result fail
+
diff --git a/security/nss/tests/chains/scenarios/extension2.cfg b/security/nss/tests/chains/scenarios/extension2.cfg
new file mode 100644
index 000000000..9a6a7cd2d
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/extension2.cfg
@@ -0,0 +1,140 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Extension2
+
+entity Root
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer Root 
+    policy OID.1.0
+    policy OID.2.0
+
+entity CA2
+  type Intermediate
+  issuer CA1
+    policy OID.1.0
+    policy OID.2.0
+
+entity User1
+  type EE
+  issuer CA2
+    policy OID.1.0
+
+entity User2
+  type EE
+  issuer CA2
+    policy OID.1.0
+    policy OID.2.0
+
+db All
+
+verify User1:CA2
+  cert CA2:CA1
+  cert CA1:Root
+  cert Root:
+  trust Root:
+  policy OID.1.0
+  result pass
+
+verify User1:CA2
+  cert CA2:CA1
+  cert CA1:Root
+  cert Root:
+  trust Root:
+  policy OID.2.0
+  result fail
+
+verify User1:CA2
+  cert CA2:CA1
+  cert CA1:Root
+  trust CA1:Root
+  policy OID.1.0
+  result pass
+
+verify User1:CA2
+  cert CA2:CA1
+  cert CA1:Root
+  trust CA1:Root
+  policy OID.2.0
+  result fail
+
+verify User1:CA2
+  cert CA2:CA1
+  trust CA2:CA1
+  policy OID.1.0
+  result pass
+
+verify User1:CA2
+  cert CA2:CA1
+  trust CA2:CA1
+  policy OID.2.0
+  result fail
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User1:CA2
+  trust Root
+  policy OID.1.0
+  result pass
+
+verify User1:CA2
+  trust Root
+  policy OID.2.0
+  result fail
+
+verify User1:CA2
+  trust CA1
+  policy OID.1.0
+  result pass
+
+verify User1:CA2
+  trust CA1
+  policy OID.2.0
+  result fail
+
+verify User1:CA2
+  trust CA2
+  policy OID.1.0
+  result pass
+
+verify User1:CA2
+  trust CA2
+  policy OID.2.0
+  result fail
+
+verify User2:CA2
+  trust Root
+  policy OID.1.0
+  result pass
+
+verify User2:CA2
+  trust Root
+  policy OID.2.0
+  result pass
+
+verify User2:CA2
+  trust CA1
+  policy OID.1.0
+  result pass
+
+verify User2:CA2
+  trust CA1
+  policy OID.2.0
+  result pass
+
+verify User2:CA2
+  trust CA2
+  policy OID.1.0
+  result pass
+
+verify User2:CA2
+  trust CA2
+  policy OID.2.0
+  result pass
+
diff --git a/security/nss/tests/chains/scenarios/mapping.cfg b/security/nss/tests/chains/scenarios/mapping.cfg
new file mode 100644
index 000000000..d4e4a296d
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/mapping.cfg
@@ -0,0 +1,63 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Mapping
+
+entity Root
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer Root 
+    policy OID.1.0
+    mapping OID.1.0:OID.1.1
+
+entity CA2
+  type Intermediate
+  issuer CA1
+    policy OID.1.1
+
+entity User
+  type EE
+  issuer CA2
+    policy OID.1.1
+
+db All
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User:CA2
+  trust Root
+  policy OID.1.0
+# should fail, bug 430859
+  result pass
+
+verify User:CA2
+  trust Root
+  policy OID.1.1
+# should pass, bug 430859
+  result fail
+
+verify User:CA2
+  trust CA1
+  policy OID.1.0
+  result fail
+
+verify User:CA2
+  trust CA1
+  policy OID.1.1
+  result pass
+
+verify User:CA2
+  trust CA2
+  policy OID.1.0
+  result fail
+
+verify User:CA2
+  trust CA2
+  policy OID.1.1
+  result pass
+
diff --git a/security/nss/tests/chains/scenarios/mapping2.cfg b/security/nss/tests/chains/scenarios/mapping2.cfg
new file mode 100644
index 000000000..cae1daf07
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/mapping2.cfg
@@ -0,0 +1,71 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Mapping2
+
+entity Root
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer Root 
+    policy OID.1.0
+
+entity CA2
+  type Intermediate
+  issuer CA1
+    policy OID.1.0
+    mapping OID.1.0:OID.1.1
+
+entity CA3
+  type Intermediate
+  issuer CA2
+    policy OID.1.1
+
+entity User
+  type EE
+  issuer CA3
+    policy OID.1.1
+
+db All
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+import CA3:CA2:
+
+verify User:CA3
+  trust Root
+  policy OID.1.0
+# should fail, bug 430859
+  result pass
+
+verify User:CA3
+  trust Root
+  policy OID.1.1
+# should pass, bug 430859
+  result fail
+
+verify User:CA3
+  trust CA1
+  policy OID.1.0
+# should fail, bug 430859
+  result pass
+
+verify User:CA3
+  trust CA1
+  policy OID.1.1
+# should pass, bug 430859
+  result fail
+
+verify User:CA3
+  trust CA2
+  policy OID.1.0
+  result fail
+
+verify User:CA3
+  trust CA2
+  policy OID.1.1
+  result pass
+
diff --git a/security/nss/tests/chains/scenarios/megabridge_3_2.cfg b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg
new file mode 100644
index 000000000..f1d4545fc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg
@@ -0,0 +1,130 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario MegaBridge_3_2
+
+entity Root1
+  type Root
+
+entity Root2
+  type Root
+
+entity Root3
+  type Root
+
+entity Root4
+  type Root
+
+entity Root5
+  type Root
+
+entity Root6
+  type Root
+
+entity Root7
+  type Root
+
+entity Root8
+  type Root
+
+entity Root9
+  type Root
+
+entity Bridge11
+  type Bridge
+  issuer Root1
+  issuer Root2
+  issuer Root3
+
+entity Bridge12
+  type Bridge
+  issuer Root4
+  issuer Root5
+  issuer Root6
+
+entity Bridge13
+  type Bridge
+  issuer Root7
+  issuer Root8
+  issuer Root9
+
+entity Bridge21
+  type Bridge
+  issuer Bridge11
+  issuer Bridge12
+  issuer Bridge13
+
+entity CA1
+  type Intermediate
+  issuer Bridge21
+
+entity EE1
+  type EE
+  issuer CA1
+
+testdb EE1
+
+verify EE1:CA1
+  cert CA1:Bridge21
+  cert Bridge21:Bridge11
+  cert Bridge11:Root1
+  trust Root1:
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge21
+  cert Bridge21:Bridge11
+  cert Bridge11:Root2
+  trust Root2:
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge21
+  cert Bridge21:Bridge11
+  cert Bridge11:Root3
+  trust Root3:
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge21
+  cert Bridge21:Bridge12
+  cert Bridge12:Root4
+  trust Root4:
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge21
+  cert Bridge21:Bridge12
+  cert Bridge12:Root5
+  trust Root5:
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge21
+  cert Bridge21:Bridge12
+  cert Bridge12:Root6
+  trust Root6:
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge21
+  cert Bridge21:Bridge13
+  cert Bridge13:Root7
+  trust Root7:
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge21
+  cert Bridge21:Bridge13
+  cert Bridge13:Root8
+  trust Root8:
+  result pass
+
+verify EE1:CA1
+  cert CA1:Bridge21
+  cert Bridge21:Bridge13
+  cert Bridge13:Root9
+  trust Root9:
+  result pass
+
diff --git a/security/nss/tests/chains/scenarios/method.cfg b/security/nss/tests/chains/scenarios/method.cfg
new file mode 100644
index 000000000..4223c39cc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/method.cfg
@@ -0,0 +1,25 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Method
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+testdb ../OCSPD/Client
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+  cert OCSPCA1OCSPRoot:d
+  rev_type leaf
+  rev_flags requireFreshInfo
+  rev_mtype ocsp
+  result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+  cert OCSPCA1OCSPRoot:d
+  rev_type leaf
+  rev_flags requireFreshInfo
+  rev_mtype ocsp
+  result fail
diff --git a/security/nss/tests/chains/scenarios/nameconstraints.cfg b/security/nss/tests/chains/scenarios/nameconstraints.cfg
new file mode 100644
index 000000000..6eda441ce
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg
@@ -0,0 +1,161 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+db trustanchors
+
+import NameConstraints.ca:x:CT,C,C
+# Name Constrained CA:  Name constrained to permited DNSName ".example"
+import NameConstraints.ncca:x:CT,C,C
+import NameConstraints.dcisscopy:x:CT,C,C
+
+# Intermediate 1: Name constrained to permited DNSName ".example"
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server1:x
+  cert NameConstraints.intermediate:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+#   Fail: CN not in name constraints
+verify NameConstraints.server2:x
+  cert NameConstraints.intermediate:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server3:x
+  cert NameConstraints.intermediate:x
+  result pass
+
+# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server4:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+#   Fail: CN not in name constraints
+verify NameConstraints.server5:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server6:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result pass
+
+# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
+#                 Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
+#                 and a permitted DNSName of "foo.example"
+
+# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
+#                 No name constraints present
+#                 Signed by Intermediate 3 (inherits name constraints)
+
+# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
+verify NameConstraints.server7:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
+verify NameConstraints.server8:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
+#  Fail: ST is missing in the DirectoryName, thus not matching name constraints
+verify NameConstraints.server9:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
+#  Fail: CN not in name constraints
+verify NameConstraints.server10:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
+# altDNS:foo.example
+#   Pass: Ignores CN constraint name violation because SAN is present
+verify NameConstraints.server11:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
+#   Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
+verify NameConstraints.server12:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
+#                 No name constraints present
+#                 Signed by Intermediate 3.
+#                 Intermediate 5's subject is not in Intermediate 3's permitted
+#                 names, so all certs issued by it are invalid.
+
+# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
+#   Fail: Org matches Intermediate 5's name constraints, but does not match
+#         Intermediate 3' name constraints
+verify NameConstraints.server13:x
+  cert NameConstraints.intermediate5:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
+#  Fail: Matches Intermediate 5's name constraints, but fails because
+#        Intermediate 5 does not match Intermediate 3's name constraints
+verify NameConstraints.server14:x
+  cert NameConstraints.intermediate5:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+#                 No name constraints present
+#                 Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+  cert NameConstraints.intermediate6:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+#   Fail: CN not in name constraints
+verify NameConstraints.server16:x
+  cert NameConstraints.intermediate6:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+  cert NameConstraints.intermediate6:x
+  result pass
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+verify NameConstraints.dcissblocked:x
+  result fail
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+verify NameConstraints.dcissallowed:x
+  result pass
+
+
diff --git a/security/nss/tests/chains/scenarios/ocsp.cfg b/security/nss/tests/chains/scenarios/ocsp.cfg
new file mode 100644
index 000000000..cdfff89fe
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ocsp.cfg
@@ -0,0 +1,177 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario OCSP
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+db OCSPRoot
+import OCSPRoot:d:CT,C,C
+
+db OCSPCA1
+import_key OCSPCA1
+
+crl OCSPCA1
+
+revoke OCSPCA1
+  serial 3
+
+revoke OCSPCA1
+  serial 4 
+
+testdb OCSPRoot
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+  cert OCSPCA1OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_flags requireFreshInfo
+  rev_mtype ocsp
+  result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+  cert OCSPCA1OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_flags requireFreshInfo
+  rev_mtype ocsp
+  result fail
+
+#EE - unknown 
+verify OCSPEE15OCSPCA1:d
+  cert OCSPCA1OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_mtype ocsp
+  result pass
+
+#EE - unknown, requireFreshInfo
+verify OCSPEE15OCSPCA1:d
+  cert OCSPCA1OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_flags requireFreshInfo
+  rev_mtype ocsp
+  result fail
+
+#EE - OK, CA - revoked, leaf, no fresh info
+verify OCSPEE21OCSPCA2:d
+  cert OCSPCA2OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_mtype ocsp
+  result pass
+
+#EE - OK, CA - revoked, leaf, requireFreshInfo
+verify OCSPEE21OCSPCA2:d
+  cert OCSPCA2OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_flags requireFreshInfo
+  rev_mtype ocsp
+  result fail
+
+#EE - OK, CA - revoked, chain, requireFreshInfo
+verify OCSPEE21OCSPCA2:d
+  cert OCSPCA2OCSPRoot:d
+  trust OCSPRoot
+  rev_type chain
+  rev_flags requireFreshInfo
+  rev_mtype ocsp
+  result fail
+
+#EE - OK, CA - unknown
+verify OCSPEE31OCSPCA3:d
+  cert OCSPCA3OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_mtype ocsp
+  result pass
+
+#EE - OK, CA - unknown, requireFreshInfo
+verify OCSPEE31OCSPCA3:d
+  cert OCSPCA3OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_flags requireFreshInfo
+  rev_mtype ocsp
+  result fail
+
+#EE - revoked, doNotUse
+verify OCSPEE12OCSPCA1:d
+  cert OCSPCA1OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_mtype ocsp
+  rev_mflags doNotUse
+  result pass
+
+#EE - revoked, forbidFetching
+verify OCSPEE12OCSPCA1:d
+  cert OCSPCA1OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_mtype ocsp
+  rev_mflags forbidFetching
+  result pass
+
+#EE - unknown status, failIfNoInfo
+verify OCSPEE15OCSPCA1:d
+  cert OCSPCA1OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_mtype ocsp
+  rev_mflags failIfNoInfo
+  result fail
+
+#EE - OK, CA - revoked, leaf, failIfNoInfo
+verify OCSPEE21OCSPCA2:d
+  cert OCSPCA2OCSPRoot:d
+  trust OCSPRoot
+  rev_type leaf
+  rev_mtype ocsp
+  rev_mflags failIfNoInfo
+  result fail
+
+testdb OCSPCA1
+
+#EE - OK on OCSP, revoked locally - should fail ??
+# two things about this test: crl is not imported into the db and
+# cert 13 is not revoked by crl.
+verify OCSPEE13OCSPCA1:d
+  cert OCSPCA1OCSPRoot:d
+  trust OCSPCA1
+  rev_type leaf
+  rev_flags testLocalInfoFirst
+  rev_mtype ocsp
+  result pass
+
+db OCSPRoot1
+import OCSPRoot:d:CT,C,C
+
+verify OCSPEE23OCSPCA2:d
+  cert OCSPCA2OCSPRoot:d
+  trust OCSPRoot
+  rev_type chain
+  rev_mtype ocsp
+  rev_type leaf
+  rev_mtype ocsp
+  result fail
+
+db OCSPRoot2
+import OCSPRoot:d:T,,
+
+# bug 527438
+# expected result of this test is FAIL
+verify OCSPEE23OCSPCA2:d
+  cert OCSPCA2OCSPRoot:d
+  trust OCSPRoot
+  rev_type chain
+  rev_mtype ocsp
+  rev_type leaf
+  rev_mtype ocsp
+  result pass
+
diff --git a/security/nss/tests/chains/scenarios/ocspd.cfg b/security/nss/tests/chains/scenarios/ocspd.cfg
new file mode 100644
index 000000000..e48f9068e
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ocspd.cfg
@@ -0,0 +1,172 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario OCSPD
+
+#root CA
+entity OCSPRoot
+  type Root
+  export_key
+
+#CA - OK
+entity OCSPCA1
+  type Intermediate
+  issuer OCSPRoot
+  serial 1
+  ocsp online
+  export_key
+
+#CA - revoked
+entity OCSPCA2
+  type Intermediate
+  issuer OCSPRoot
+  serial 2
+  ocsp online
+  export_key
+
+#CA - unknown status
+entity OCSPCA3
+  type Intermediate
+  issuer OCSPRoot
+  serial 3
+  ocsp offline
+  export_key
+
+#EE - OK
+entity OCSPEE11
+  type EE
+  issuer OCSPCA1
+  serial 1
+  ocsp online
+
+#EE - revoked on OCSP
+entity OCSPEE12
+  type EE
+  issuer OCSPCA1
+  serial 2
+  ocsp online
+
+#EE - revoked on CRL
+entity OCSPEE13
+  type EE
+  issuer OCSPCA1
+  serial 3
+  ocsp online
+
+#EE - revoked on OCSP and CRL
+entity OCSPEE14
+  type EE
+  issuer OCSPCA1
+  serial 4
+  ocsp online
+
+#EE - unknown status
+entity OCSPEE15
+  type EE
+  issuer OCSPCA1
+  serial 5
+  ocsp offline
+
+#EE - valid EE, revoked CA
+entity OCSPEE21
+  type EE
+  issuer OCSPCA2
+  serial 1
+  ocsp online
+
+#EE - revoked EE, revoked CA
+entity OCSPEE22
+  type EE 
+  issuer OCSPCA2 
+  serial 2
+  ocsp online
+
+#EE - revoked EE, CA pointing to invalid OCSP
+entity OCSPEE23
+  type EE 
+  issuer OCSPCA2 
+  serial 3
+  ocsp offline
+
+#EE - valid EE, CA pointing to invalid OCSP
+entity OCSPEE31
+  type EE
+  issuer OCSPCA3
+  serial 1
+  ocsp online
+
+#EE - revoked EE, CA pointing to invalid OCSP
+entity OCSPEE32
+  type EE 
+  issuer OCSPCA3 
+  serial 2
+  ocsp online
+
+#EE - EE pointing to invalid OCSP, CA pointing to invalid OCSP
+entity OCSPEE33
+  type EE 
+  issuer OCSPCA3 
+  serial 3
+  ocsp offline
+
+crl OCSPRoot
+
+revoke OCSPRoot
+  serial 2
+
+crl OCSPCA1
+
+revoke OCSPCA1
+  serial 2
+
+revoke OCSPCA1
+  serial 4
+
+crl OCSPCA2
+
+revoke OCSPCA2
+  serial 2
+
+revoke OCSPCA2
+  serial 3
+
+crl OCSPCA3
+
+revoke OCSPCA3
+  serial 2
+
+revoke OCSPCA3
+  serial 3
+
+# Used for running a single OCSP server (httpserv) instance that can
+# handle multiple CAs, e.g.:
+# httpserv -p 8641 -d . -f dbpasswd \
+#   -A OCSPRoot -C OCSPRoot.crl -A OCSPCA1 -C OCSPCA1.crl \
+#   -A OCSPCA2 -C OCSPCA2.crl -A OCSPCA3 -C OCSPCA3.crl
+db Server
+import OCSPRoot::CT,C,C
+import_key OCSPRoot
+import_key OCSPCA1
+import_key OCSPCA2
+import_key OCSPCA3
+
+# A DB containing all certs, but no keys.
+# Useful for manual OCSP client testing, e.g.:
+# ocspclnt -d .  -S OCSPEE12OCSPCA1 -u s
+db Client
+import OCSPRoot::CT,C,C
+import OCSPCA1OCSPRoot::
+import OCSPCA2OCSPRoot::
+import OCSPCA3OCSPRoot::
+import OCSPEE11OCSPCA1::
+import OCSPEE12OCSPCA1::
+import OCSPEE13OCSPCA1::
+import OCSPEE14OCSPCA1::
+import OCSPEE15OCSPCA1::
+import OCSPEE21OCSPCA2::
+import OCSPEE22OCSPCA2::
+import OCSPEE23OCSPCA2::
+import OCSPEE31OCSPCA3::
+import OCSPEE32OCSPCA3::
+import OCSPEE33OCSPCA3::
diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg
new file mode 100644
index 000000000..d2a8c7143
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/realcerts.cfg
@@ -0,0 +1,29 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario RealCerts
+
+db All
+
+import TestCA.ca:x:CT,C,C
+import TestUser50:x:
+import TestUser51:x:
+import PayPalRootCA:x:CT,C,C
+import PayPalICA:x:
+import PayPalEE:x:
+import BrAirWaysBadSig:x:
+
+verify TestUser50:x
+  result pass
+
+verify TestUser51:x
+  result pass
+
+verify PayPalEE:x
+  policy OID.2.16.840.1.114412.1.1 
+  result pass
+
+verify BrAirWaysBadSig:x
+  result fail
+
diff --git a/security/nss/tests/chains/scenarios/revoc.cfg b/security/nss/tests/chains/scenarios/revoc.cfg
new file mode 100644
index 000000000..a4ec78622
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/revoc.cfg
@@ -0,0 +1,86 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Revocation
+
+entity Root
+  type Root
+  serial 10
+
+entity CA0
+  type Intermediate
+  issuer Root
+  serial 11
+
+entity CA1
+  type Intermediate
+  issuer CA0
+  serial 12
+
+entity EE11
+  type EE
+  issuer CA1
+  serial 13
+
+entity EE12
+  type EE
+  issuer CA1
+  serial 14
+
+entity CA2
+  type Intermediate
+  issuer CA0
+  serial 15
+
+entity EE21
+  type EE
+  issuer CA2
+  serial 16
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA1
+  serial 14
+
+revoke CA0
+  serial 15
+
+db All
+
+import Root::CTu,CTu,CTu
+import CA0:Root:
+import CA1:CA0:
+import CA2:CA0:
+
+# EE11 - not revoked 
+verify EE11:CA1
+  trust Root:
+  rev_type leaf
+  rev_mtype crl
+  result pass
+
+# EE12 - revoked
+verify EE12:CA1
+  trust Root:
+  rev_type leaf
+  rev_mtype crl
+  result fail
+
+# EE11 - CA1 not revoked 
+verify EE11:CA1
+  trust Root:
+  rev_type chain
+  rev_mtype crl
+  result pass
+
+# EE21 - CA2 revoked
+verify EE21:CA2
+  trust Root:
+  rev_type chain
+  rev_mtype crl
+  result fail
+
diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios
new file mode 100644
index 000000000..d26c3f92e
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/scenarios
@@ -0,0 +1,24 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+bridge.cfg
+megabridge_3_2.cfg
+extension.cfg
+extension2.cfg
+anypolicy.cfg
+anypolicywithlevel.cfg
+explicitPolicy.cfg
+mapping.cfg
+mapping2.cfg
+aia.cfg
+bridgewithaia.cfg
+bridgewithhalfaia.cfg
+bridgewithpolicyextensionandmapping.cfg
+realcerts.cfg
+dsa.cfg
+revoc.cfg
+ocsp.cfg
+crldp.cfg
+trustanchors.cfg
+nameconstraints.cfg
diff --git a/security/nss/tests/chains/scenarios/trustanchors.cfg b/security/nss/tests/chains/scenarios/trustanchors.cfg
new file mode 100644
index 000000000..db18990ac
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/trustanchors.cfg
@@ -0,0 +1,114 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+entity RootCA
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer RootCA
+
+entity CA2
+  type Intermediate
+  issuer CA1
+
+entity EE1
+  type EE
+  issuer CA2
+
+entity OtherRoot
+  type Root
+
+entity OtherIntermediate
+  type Intermediate
+  issuer OtherRoot
+
+entity EE2
+  type EE
+  issuer OtherIntermediate
+
+# Scenarios where trust only comes from the DB
+db DBOnly
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Simple chaining - no trust anchors
+verify EE1:CA2
+  cert CA2:CA1
+  result pass
+
+# Simple trust anchors - ignore the Cert DB
+verify EE1:CA2
+  trust CA2:CA1
+  result pass
+
+# Redundant trust - trust anchor and DB
+verify EE1:CA2
+  cert CA2:CA1
+  trust RootCA
+  result pass
+
+
+# Scenarios where trust only comes from trust anchors
+db TrustOnly
+
+# Simple checking - direct trust anchor
+verify EE1:CA2
+  cert CA2:CA1
+  cert CA1:RootCA:
+  trust RootCA:
+  result pass
+
+# Partial chain (not self-signed), with a trust anchor
+verify EE1:CA2
+  trust CA2:CA1
+  result pass
+
+
+# Scenarios where trust comes from both trust anchors and the DB
+db TrustAndDB
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Check that trust in the DB works
+verify EE1:CA2
+  cert CA2:CA1
+  result pass
+
+# Check that trust anchors work
+verify EE2:OtherIntermediate
+  cert OtherIntermediate:OtherRoot
+  trust OtherRoot:
+  result pass
+
+# Check that specifying a trust anchor still allows searching the cert DB
+verify EE1:CA2
+  trust_and_db
+  cert CA2:CA1
+  trust OtherIntermediate:OtherRoot
+  trust OtherRoot:
+  result pass
+
+# Scenarios where the trust DB has explicitly distrusted one or more certs,
+# even when the trust anchors indicate trust
+db ExplicitDistrust
+
+import RootCA::CT,C,C
+import CA1:RootCA:p,p,p
+import OtherRoot::p,p,p
+
+# Verify that a distrusted intermediate, but trusted root, is rejected.
+verify EE1:CA2
+  cert CA2:CA1
+  trust CA1:RootCA
+  result fail
+
+# Verify that a trusted intermediate, but distrusted root, is accepted.
+verify EE2:OtherIntermediate
+  trust OtherIntermediate:OtherRoot
+  result pass