From 34e04960e009510c84d419ec3edd6d31cfff1bea Mon Sep 17 00:00:00 2001
From: Kevin Jacobs <kjacobs@mozilla.com>
Date: Sat, 23 Jan 2021 18:50:04 +0000
Subject: Bug 1686134 - Renew two chains libpkix test certificates. r=rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D102670
---
 tests/chains/scenarios/nameconstraints.cfg     |  12 ++++++++++--
 tests/libpkix/certs/NameConstraints.ipaca.cert | Bin 981 -> 1000 bytes
 tests/libpkix/certs/NameConstraints.ocsp1.cert | Bin 898 -> 956 bytes
 3 files changed, 10 insertions(+), 2 deletions(-)

(limited to 'tests')

diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
index 4a149032b..a2de4be44 100644
--- a/tests/chains/scenarios/nameconstraints.cfg
+++ b/tests/chains/scenarios/nameconstraints.cfg
@@ -159,12 +159,20 @@ verify NameConstraints.dcissblocked:x
 verify NameConstraints.dcissallowed:x
   result pass
 
-# Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
+# Subject: "O = IPA.LOCAL 20200120, CN = OCSP and IPSEC"
+# EKUs: OCSPSigning,ipsecUser
 #
 # This tests that a non server certificate (i.e. id-kp-serverAuth
 # not present in EKU) does *NOT* have CN treated as dnsName for
-# purposes of Name Constraints validation
+# purposes of Name Constraints validation (certificateUsageStatusResponder)
+# https://hg.mozilla.org/projects/nss/rev/0b30eb1c3650
 verify NameConstraints.ocsp1:x
   usage 10
   result pass
 
+# This tests that a non server certificate (i.e. id-kp-serverAuth
+# not present in EKU) does *NOT* have CN treated as dnsName for
+# purposes of Name Constraints validation (certificateUsageIPsec)
+verify NameConstraints.ocsp1:x
+ usage 12
+ result pass
diff --git a/tests/libpkix/certs/NameConstraints.ipaca.cert b/tests/libpkix/certs/NameConstraints.ipaca.cert
index 6c7d68c77..4a451f342 100644
Binary files a/tests/libpkix/certs/NameConstraints.ipaca.cert and b/tests/libpkix/certs/NameConstraints.ipaca.cert differ
diff --git a/tests/libpkix/certs/NameConstraints.ocsp1.cert b/tests/libpkix/certs/NameConstraints.ocsp1.cert
index ce7325fca..817faafe3 100644
Binary files a/tests/libpkix/certs/NameConstraints.ocsp1.cert and b/tests/libpkix/certs/NameConstraints.ocsp1.cert differ
-- 
cgit v1.2.1