From e24c7f21749e4d203e0e0f8a3433ca021ae11bda Mon Sep 17 00:00:00 2001 From: Kevin Jacobs Date: Sat, 23 Jan 2021 18:50:04 +0000 Subject: [PATCH] Bug 1686134 - Renew two chains libpkix test certificates. r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D102670 --HG-- extra : moz-landing-system : lando --- tests/chains/scenarios/nameconstraints.cfg | 12 ++++++++++-- tests/libpkix/certs/NameConstraints.ipaca.cert | Bin 981 -> 1000 bytes tests/libpkix/certs/NameConstraints.ocsp1.cert | Bin 898 -> 956 bytes 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg index 4a149032b1..a2de4be446 100644 --- a/tests/chains/scenarios/nameconstraints.cfg +++ b/tests/chains/scenarios/nameconstraints.cfg @@ -159,12 +159,20 @@ verify NameConstraints.dcissblocked:x verify NameConstraints.dcissallowed:x result pass -# Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem" +# Subject: "O = IPA.LOCAL 20200120, CN = OCSP and IPSEC" +# EKUs: OCSPSigning,ipsecUser # # This tests that a non server certificate (i.e. id-kp-serverAuth # not present in EKU) does *NOT* have CN treated as dnsName for -# purposes of Name Constraints validation +# purposes of Name Constraints validation (certificateUsageStatusResponder) +# https://hg.mozilla.org/projects/nss/rev/0b30eb1c3650 verify NameConstraints.ocsp1:x usage 10 result pass +# This tests that a non server certificate (i.e. id-kp-serverAuth +# not present in EKU) does *NOT* have CN treated as dnsName for +# purposes of Name Constraints validation (certificateUsageIPsec) +verify NameConstraints.ocsp1:x + usage 12 + result pass diff --git a/tests/libpkix/certs/NameConstraints.ipaca.cert b/tests/libpkix/certs/NameConstraints.ipaca.cert index 6c7d68c770062d12f3a90693142e0a08f0f1e8d5..4a451f3429d25ab6d3a9cb00b2f005118f7cac08 100644 GIT binary patch literal 1000 zcmXqLVt!)K#B^o>GZP~d6DPy|^k+KryEhsc@Un4gwRyCC=VfH%W@Rw&GL$xuWMd9x z;Sv_|3~ss2{VNT8_F5TfH=&;qRy#BC7EfN$%!SY z3XY{E8Tmz-C6xvW;=EvOMg|6kmc}Mg68uIWGmMNZp#oI3t%*?y*)xo+49rc8{0s(7 zj9g4jjEoG=^1s)l`)r?{?G*K{efrz@^y51jSY#?Qrv7h?HS|xJwyR@Kb#XoSS;k@` zsnyQM3ryGy#WsHSVY$Dg^{G_h`%Mr31m-(W;crQ1^qduS#_$YF{p|^7gJ%S~&q!HW zm(3G@CaCp?<;oYmA#W!&GCx=N{6P0c-oNwp#+pmdoLYZ0GCC^kL&QoMpHn;Sj(>Qe z^hQm=O0D0%H-6Ih3kIU0fhJcnWwxL0RlXc-l2#_+w#?P(S@YRe@9B#!@pBZMNXePs z#64l9Oa=R2fe+QeDM|AR{Ml+s&wNX=u{yg}=;L43N9z-pu=4KysD4%b=6dyoUg<0! z52apDsQdXg`^iRm&1dslnV1eyHr_^;KV3M8$}QfyGzfK|alza>7@jL9aX)Co#pvT{I2vIrRn zEZ{TXY2wn$EJ)PL$xlwqL5^-<+66{8BSWu1di8`|O}m!dVwtxpYDH(l^O)n^EA4l3 z2Rcm5V9HPnT;@5OTT`YgmH*njX#oeAOsrSN+As3`-O|vv$fQhr`L8dpcAUF7(@-ym zp*GO$s#)TcbR|ob^_L{HZ|84+p?QqM+2n2c1(x(BcbIl*#%b-UdvaBi_t078nTmLQ-nt@LY0vHRrzwT}_?+z8Sn%C=^~-miMw^$+=01`oQa<@mMQC2xlwb3s zR5$K8d`&sCuu8 oe}au0v=w%&75+F|gzv*HC4Yeh^Q0HMr%t--6)E;wBf+r-0MfH^bpQYW literal 981 zcmXqLV!mk5#I$n(GZP~d6DPyP?%>QT)${udc-c6$+C196^D;8>ure4#8gd(OvN4CU zun99ch8hYR2!c2qJY0dLsi}FzIf;2GhJptCAVGE>4yU5b;-tj9R6_v+K9CR>4|`B* zih@UC2~32Uhdm^lEJ~c$2*@?GfN~8S4do4F!KMg{ zc?LM@`S?3K`Y0F~Kr|Veni?6(8OVSXFbj)1rxulDre!84mZT~;mX>7X7iE@I8ZF)m|AX~LmnPfe%eM6I^GMeF zcXz#9-ka~cH{1SyHu>Z82Xk&jXV2?gmv>9~vH$H98N)co%k1+79?ojx&Pp&oa_!Y= zrC*7=TGx7AC@x|>5yiUf(}j?NRLQ27cTR3Q>T2-z{hpf**1Heh^qI8tQ&5{=eUI(& zX(j)e*XWAATcndR_0*kHS^T22H{OxBV)g5N)8`%jtG@HID4t~vFx&0AXtK?fCU&ib zrT5PNj5L=pvl9tl5_Qb)_oQO>Q&XDezMK^6A$*pJnUR5UapPu##tq;&loe)V{LjK_ zzzn3oVK2+aBE}+;ACb16d+|br33?}XOux$iTjQ$rWq944Whmjji{otW#VY3>OxsQmaN=Ba+17VpG#&Sh2GVp$$WSsO6qZ{1W< zpJz8oXQjixf)hV~rt8Sadg-ivEXJ5T!Kr6c_bo@c4t?dtm8{mFZ!TOF4bwW?p&E-ydkx6^rp z?Q730In6YYgUp+EyLXxXtGP7ogR|!9t*-C0ZI$$-lpgPnYq_V-E%D;~%RQ%Ej?PWh l|Glxtu~Lg@4SqR+^h@+UWU>Jl5EVOEL_4u zo&k<}KK{;*J_<$#MurB4Mh1r52Am*CHesgFU_&_r84!nASkyVSs3bEjGdZy&Rl%{e zBqP5lv!v2ML7W$?4XE45(AXkMg5N0E2xy3rfhknPz!}v?A4HGcGgd4K(v^@jv) zmL50~D-!xco_7y#SzcoQfjs6(U%sr_&f9W2M)KsdhbtT7uEoeO)mImpQ+sj{igLVB>AI)1XefRPfudQ48_0+3n*=&Ei1qg3=lTl<~Y(B}1 zQL*!=#+QeytEbB_-aewy*Lluo!=Lw=UrrTWbEv+Ny0h&?Pmkq~32E1hg16uDJ@dL> zocVRdz6jpTUhaFf`#wp`nzwRF=G@0j%!~|-iyPM(G_C^2k*qKalL3PPA27&d`577i zv#>BTu^li_0P$5pd@%zNHV$nzMpjmKW==SZ-9Q$kf{#UvMMQOqLUvAW)HD%U@n}Oa z*$q-Ti906CFxl1fvvEQ+8Zff5Fac8yY9eB8Vq|34v3JKzi3PhN%-=a~n7-`jv3=pZ zU5iS!TOaW2G?ZU>^FV0Ew>x=7x*DB3Th70^F^!L3Grp1QB&YZ#u1#xXb~%T)XIHFF z_+lWvjFaW$4CiBlm)~^f>Byfxb?{tEz2TCK1xY88?-cCm8M^cx~~< xGP=@QO*h&|H7lts^nSpsmgGGLB|D~1KK)>OyPQb$tbn42PZpPpbPKr$001YfNPqwU delta 822 zcmdnP-o)-?(8OG4(8QFsfSHMriHVWhfR~L^tIebBJ1-+6H!FjIqoKTkEE{tu3zx8% zXMm%gkH52{kAjhbp{0SLk)fffsnJAl#dP14&5s*6u_R$DsM z{aE4ama4g6#l2(a?JmCFckJ)F`%|B=DXmC7aj3G_FMnA_V%+tu>!vcyYxJ*sa`}HT zkKd9jTpOlcRf^S(GT?G*;CNEIzT=(~|0UmfHYN3D{;4r4meVS4l?D0xcYP54$eh~w zWbMQpPlv);;m7BkpY(+Nfr{FZ3+azz*I9Tjd3Gr~;OE8n7A$_d)Hmz>ZnIyQx#zg; z-R5BVR}MB4Pi3vCo0Y$mp-T7L_NtO~S<6>`7oN0MbxKUd)CCW!FI-78cH=xzX~_Oc z@aLYYA_<*FCL3l(2FAsW?FNl42J*mAlvQStFc51H$&W}|&%Jn|!UVk&JEmXd|E=-X zX@>zn8>coKBP%Pr0V6956Dz~yC?>mlVUR9W79ImGHV%j^GbeJW1Cs(U)EOCca+k{I z{(O-oubQ^(^7)9Lj8T?{PdI89w5&XlcmClLNs%yt8o4jL54A3CyBM-!^9IkUPL95e zpV(Vgc5Gw*zRqT6zTd+O%XpJE?y;D7QDnl8X)zDA^`@+?|5&@e;^3(n|L1Di`>HhcKqS|(N-