The PayPalEE.cert expired on April 02 2015. $ pp -t c -i tests/libpkix/certs/PayPalEE.cert | grep 'Not After' Not After : Thu Apr 02 23:59:59 2015 We must update it.
In general, I wonder if we should switch our tests to ones that we generate ourselves on the fly. On the other hand, maybe the purpose here is to ensure that we have at least real world certificate, instead of an artificially created one. Anyway... There are several easy ways to download the latest certificate used by the paypal website. You can simply use Firefox to connect to https://paypal.com use page security info, view the certificate details, and use the "export" functionality to save certificate to a file. The file in the NSS is binary, so use the "DER" file format in the save dialog. Another way is to use the recently added tstclnt functionality that is able to dump a server's certificate to the terminal, e.g.: tstclnt -bD -CCC -h paypal.com -p 443 On purpose of this test is to verify the "EV policy OID". This time, Paypal has switched to a different issuer CA, which uses a different OID. That means we must change the expected OID, too.
Created attachment 8590416 [details] [diff] [review] patch v1
Comment on attachment 8590416 [details] [diff] [review] patch v1 patch doesn't work, probably because the required different intermediates aren't imported yet
Created attachment 8590453 [details] [diff] [review] patch v2 This patch works for me. Given this is a bustage and test only, I'll check in without review.
This bug resurfaced today since the PayPal certificate expired again. $ nss-pp -t c -i tests/libpkix/certs/PayPalEE.cert|grep After Not After : Fri Dec 16 12:00:00 2016
Already fixed on NSS trunk with bug 1323978