Bug 1699294 - add 'mach generate-test-certs' command to generate test certificate and key artifacts r=glandium

In bug 1174288 and related bugs we created a framework for generating
test certificates (and later, keys) from specifications at build time. This
turned out to take too long to run on each build, so this system was largely
left disabled (see all of the "# Temporarily disabled. See bug 1256495."
comments removed in this patch). This patch introduces a mach command
("generate-test-certs") that can generate test certificates and keys. The
expectation is that when a developer needs to add new such artifacts, they can
use this new command. Similarly, when the artifacts need to be updated (for
example, because they've expired), this command can regenerate them all at
once.

Differential Revision: https://phabricator.services.mozilla.com/D108869

build/mach_bootstrap.py

@@ -56,6 +56,7 @@ MACH_MODULES = [
     "python/mozperftest/mozperftest/mach_commands.py",
     "python/mozrelease/mozrelease/mach_commands.py",
     "remote/mach_commands.py",
+    "security/manager/tools/mach_commands.py",
     "taskcluster/mach_commands.py",
     "testing/awsy/mach_commands.py",
     "testing/condprofile/mach_commands.py",

build/pgo/genpgocert.py

@@ -104,12 +104,8 @@ def constructCertDatabase(build, srcDir):
         print("{}\n\n{}\n".format(e, e.help()))
         return 1
     openssl = find_executable("openssl")
-    pycert = os.path.join(
-        build.topsrcdir, "security", "manager", "ssl", "tests", "unit", "pycert.py"
-    )
-    pykey = os.path.join(
-        build.topsrcdir, "security", "manager", "ssl", "tests", "unit", "pykey.py"
-    )
+    pycert = os.path.join(build.topsrcdir, "security", "manager", "tools", "pycert.py")
+    pykey = os.path.join(build.topsrcdir, "security", "manager", "tools", "pykey.py")
 
     with NamedTemporaryFile(mode="wt+") as pwfile, TemporaryDirectory() as pemfolder:
         pwfile.write("\n")

build/templates.mozbuild

@@ -211,7 +211,6 @@ def CbindgenHeader(name, inputs):
 
 
 include('gecko_templates.mozbuild')
-include('test_templates.mozbuild')
 
 
 @template

build/test_templates.mozbuild

@@ -1,33 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-@template
-def GeneratedTestCertificate(name):
-    if not CONFIG['COMPILE_ENVIRONMENT']:
-        return
-    GeneratedFile(name, script='/security/manager/ssl/tests/unit/pycert.py',
-                  inputs=['%s.certspec' % name])
-    # Turn RELATIVEDIR into list entry: like
-    # 'security/manager/ssl/tests/unit/bad_certs' ->
-    # TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.bad_certs.
-    files = TEST_HARNESS_FILES.xpcshell
-    for part in RELATIVEDIR.split('/'):
-        files = files[part]
-    files += ['!%s' % name]
-
-@template
-def GeneratedTestKey(name):
-    if not CONFIG['COMPILE_ENVIRONMENT']:
-        return
-    GeneratedFile(name, script='/security/manager/ssl/tests/unit/pykey.py',
-                  inputs=['%s.keyspec' % name])
-    # Turn RELATIVEDIR into list entry: like
-    # 'security/manager/ssl/tests/unit/bad_certs' ->
-    # TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.bad_certs.
-    files = TEST_HARNESS_FILES.xpcshell
-    for part in RELATIVEDIR.split('/'):
-        files = files[part]
-    files += ['!%s' % name]

netwerk/test/moz.build

@@ -4,7 +4,7 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-TEST_DIRS += ["httpserver", "gtest", "unit", "http3server"]
+TEST_DIRS += ["httpserver", "gtest", "http3server"]
 
 BROWSER_CHROME_MANIFESTS += ["browser/browser.ini"]
 MOCHITEST_MANIFESTS += ["mochitests/mochitest.ini"]

netwerk/test/unit/moz.build

@@ -1,8 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# GeneratedTestCertificate('http2-ca.pem')

security/ct/tests/gtest/createSTHTestData.py

@@ -31,9 +31,7 @@ import os
 import sys
 
 sys.path.append(
-    os.path.join(
-        os.path.dirname(__file__), "..", "..", "..", "manager", "ssl", "tests", "unit"
-    )
+    os.path.join(os.path.dirname(__file__), "..", "..", "..", "manager", "tools")
 )
 import pykey
 

security/manager/ssl/tests/mochitest/browser/moz.build

@@ -5,37 +5,3 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 BROWSER_CHROME_MANIFESTS += ["browser.ini"]
-
-# Temporarily disabled. See bug 1256495.
-# (Note that when this gets enabled, some extra work will have to happen so
-# that the mochitest harness knows where to get the generated certificates -
-# right now it assumes they're in the source directory, which isn't the case
-# when they're automatically generated.)
-# test_certificates = (
-#    'ca.pem',
-#    'client-cert-via-intermediate.pem',
-#    'client-cert-with-ocsp-signing.pem',
-#    'code-ee.pem',
-#    'ee-from-expired-ca.pem',
-#    'ee-from-untrusted-ca.pem',
-#    'email-ee.pem',
-#    'expired-ca.pem',
-#    'has-cn.pem',
-#    'has-empty-subject.pem',
-#    'has-non-empty-subject.pem',
-#    'has-o.pem',
-#    'has-ou.pem',
-#    'intermediate.pem',
-#    'invalid.pem',
-#    'longOID.pem',
-#    'md5-ee.pem',
-#    'pgo-ca-all-usages.pem',
-#    'pgo-ca-regular-usages.pem',
-#    'revoked.pem',
-#    'ssl-ee.pem',
-#    'unknown-issuer.pem',
-#    'untrusted-ca.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/bad_certs/moz.build

@@ -1,71 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'badSubjectAltNames.pem',
-#    'beforeEpoch.pem',
-#    'beforeEpochINT.pem',
-#    'beforeEpochIssuer.pem',
-#    'ca-used-as-end-entity.pem',
-#    'default-ee.pem',
-#    'ee-from-missing-intermediate.pem',
-#    'ee-imminently-distrusted.pem',
-#    'eeIssuedByNonCA.pem',
-#    'eeIssuedByV1Cert.pem',
-#    'emptyIssuerName.pem',
-#    'emptyNameCA.pem',
-#    'ev-test-intermediate.pem',
-#    'ev-test.pem',
-#    'evroot.pem',
-#    'expired-ee.pem',
-#    'expiredINT.pem',
-#    'expiredissuer.pem',
-#    'idn-certificate.pem',
-#    'inadequateKeySizeEE.pem',
-#    'inadequatekeyusage-ee.pem',
-#    'ipAddressAsDNSNameInSAN.pem',
-#    'md5signature-expired.pem',
-#    'md5signature.pem',
-#    'mismatch-expired.pem',
-#    'mismatch-notYetValid.pem',
-#    'mismatch-untrusted-expired.pem',
-#    'mismatch-untrusted.pem',
-#    'mismatch.pem',
-#    'mismatchCN.pem',
-#    'mitm.pem',
-#    'noValidNames.pem',
-#    'notYetValid.pem',
-#    'notYetValidINT.pem',
-#    'notYetValidIssuer.pem',
-#    'nsCertTypeCritical.pem',
-#    'nsCertTypeCriticalWithExtKeyUsage.pem',
-#    'nsCertTypeNotCritical.pem',
-#    'other-issuer-ee.pem',
-#    'other-test-ca.pem',
-#    'self-signed-EE-with-cA-true.pem',
-#    'selfsigned-inadequateEKU.pem',
-#    'selfsigned.pem',
-#    'test-ca.pem',
-#    'test-int.pem',
-#    'unknownissuer.pem',
-#    'untrusted-expired.pem',
-#    'untrustedissuer.pem',
-#    'v1Cert.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)
-#
-# test_keys = (
-#    'default-ee.key',
-#    'evroot.key',
-#    'inadequateKeySizeEE.key',
-#    'other-test-ca.key',
-# )
-#
-# for test_key in test_keys:
-#    GeneratedTestKey(test_key)

security/manager/ssl/tests/unit/moz.build

@@ -8,35 +8,3 @@ DIRS += ["tlsserver"]
 
 if not CONFIG["MOZ_NO_SMART_CARDS"]:
     DIRS += ["pkcs11testmodule"]
-
-TEST_DIRS += [
-    "bad_certs",
-    "ocsp_certs",
-    "test_baseline_requirements",
-    "test_cert_eku",
-    "test_cert_embedded_null",
-    "test_cert_keyUsage",
-    "test_cert_sha1",
-    "test_cert_signatures",
-    "test_cert_trust",
-    "test_cert_utf8",
-    "test_cert_version",
-    "test_certDB_import",
-    "test_content_signing",
-    "test_ct",
-    "test_delegated_credentials",
-    "test_encrypted_client_hello",
-    "test_ev_certs",
-    "test_intermediate_basic_usage_constraints",
-    "test_intermediate_preloads",
-    "test_keysize",
-    "test_keysize_ev",
-    "test_missing_intermediate",
-    "test_name_constraints",
-    "test_ocsp_url",
-    "test_onecrl",
-    "test_sanctions",
-    "test_signed_apps",
-    "test_startcom_wosign",
-    "test_validity",
-]

security/manager/ssl/tests/unit/ocsp_certs/moz.build

@@ -1,42 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca-used-as-end-entity.pem',
-#    'default-ee.pem',
-#    'delegatedSHA1Signer.pem',
-#    'delegatedSigner.pem',
-#    'invalidDelegatedSignerFromIntermediate.pem',
-#    'invalidDelegatedSignerKeyUsageCrlSigning.pem',
-#    'invalidDelegatedSignerNoExtKeyUsage.pem',
-#    'invalidDelegatedSignerWrongExtKeyUsage.pem',
-#    'multi-tls-feature-bad-ee.pem',
-#    'multi-tls-feature-good-ee.pem',
-#    'must-staple-ee.pem',
-#    'must-staple-ee-with-must-staple-int.pem',
-#    'must-staple-missing-ee.pem',
-#    'ocspEEWithIntermediate.pem',
-#    'ocspOtherEndEntity.pem',
-#    'other-test-ca.pem',
-#    'rsa-1016-keysizeDelegatedSigner.pem',
-#    'test-ca.pem',
-#    'test-int.pem',
-#    'test-multi-tls-feature-int.pem',
-#    'test-must-staple-int.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)
-#
-# test_keys = (
-#    'default-ee.key',
-#    'other-test-ca.key',
-#    'rsa-1016-keysizeDelegatedSigner.key',
-# )
-#
-# for test_key in test_keys:
-#    GeneratedTestKey(test_key)

security/manager/ssl/tests/unit/test_baseline_requirements/moz.build

@@ -1,19 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca.pem',
-#    'no-san-old.pem',
-#    'no-san-older.pem',
-#    'no-san-recent.pem',
-#    'san-contains-no-hostnames-old.pem',
-#    'san-contains-no-hostnames-older.pem',
-#    'san-contains-no-hostnames-recent.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_certDB_import/moz.build

@@ -1,14 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See Bug 1256495.
-# test_certificates = (
-#    'emailEE.pem',
-#    'importedCA.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_cert_eku/moz.build

@@ -1,35 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca.pem',
-#    'ee-CA.pem',
-#    'ee-SA-CA.pem',
-#    'ee-SA-OCSP.pem',
-#    'ee-SA-nsSGC.pem',
-#    'ee-SA.pem',
-#    'ee-int-CA.pem',
-#    'ee-int-SA-CA.pem',
-#    'ee-int-SA-OCSP.pem',
-#    'ee-int-SA-nsSGC.pem',
-#    'ee-int-SA.pem',
-#    'ee-int-nsSGC-old.pem',
-#    'ee-int-nsSGC-older.pem',
-#    'ee-int-nsSGC-recent.pem',
-#    'ee-nsSGC.pem',
-#    'int-CA.pem',
-#    'int-SA-CA.pem',
-#    'int-SA-OCSP.pem',
-#    'int-SA-nsSGC.pem',
-#    'int-SA.pem',
-#    'int-nsSGC-old.pem',
-#    'int-nsSGC-older.pem',
-#    'int-nsSGC-recent.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_cert_embedded_null/moz.build

@@ -1,17 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca.pem',
-#    'embeddedNull.pem',
-#    'embeddedNullCNAndSAN.pem',
-#    'embeddedNullSAN.pem',
-#    'embeddedNullSAN2.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_cert_keyUsage/moz.build

@@ -1,27 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca-all-usages.pem',
-#    'ca-missing-keyCertSign.pem',
-#    'ca-no-keyUsage-extension.pem',
-#    'ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem',
-#    'ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem',
-#    'ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem',
-#    'ee-keyCertSign-only-ca-all-usages.pem',
-#    'ee-keyCertSign-only-ca-missing-keyCertSign.pem',
-#    'ee-keyCertSign-only-ca-no-keyUsage-extension.pem',
-#    'ee-keyEncipherment-only-ca-all-usages.pem',
-#    'ee-keyEncipherment-only-ca-missing-keyCertSign.pem',
-#    'ee-keyEncipherment-only-ca-no-keyUsage-extension.pem',
-#    'ee-no-keyUsage-extension-ca-all-usages.pem',
-#    'ee-no-keyUsage-extension-ca-missing-keyCertSign.pem',
-#    'ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_cert_sha1/moz.build

@@ -1,18 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca.pem',
-#    'int-pre.pem',
-#    'ee-pre_int-pre.pem',
-#    'ee-post_int-pre.pem',
-#    'int-post.pem',
-#    'ee-post_int-post.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_cert_signatures/moz.build

@@ -1,20 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca-rsa.pem',
-#    'ca-secp384r1.pem',
-#    'ee-rsa-direct.pem',
-#    'ee-rsa.pem',
-#    'ee-secp384r1-direct.pem',
-#    'ee-secp384r1.pem',
-#    'int-rsa.pem',
-#    'int-secp384r1.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_cert_trust/moz.build

@@ -1,15 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca.pem',
-#    'ee.pem',
-#    'int.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_cert_utf8/moz.build

@@ -1,13 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'certificateToAlter.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_cert_version/moz.build

@@ -1,61 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca.pem',
-#    'ee_int-v1-BC-cA.pem',
-#    'ee_int-v1-BC-not-cA.pem',
-#    'ee_int-v1-noBC.pem',
-#    'ee_int-v2-BC-cA.pem',
-#    'ee_int-v2-BC-not-cA.pem',
-#    'ee_int-v2-noBC.pem',
-#    'ee_int-v3-BC-cA.pem',
-#    'ee_int-v3-BC-not-cA.pem',
-#    'ee_int-v3-noBC.pem',
-#    'ee_int-v4-BC-cA.pem',
-#    'ee_int-v4-BC-not-cA.pem',
-#    'ee_int-v4-noBC.pem',
-#    'ee-v1-BC-cA_ca.pem',
-#    'ee-v1-BC-not-cA_ca.pem',
-#    'ee-v1-noBC_ca.pem',
-#    'ee-v2-BC-cA_ca.pem',
-#    'ee-v2-BC-not-cA_ca.pem',
-#    'ee-v2-noBC_ca.pem',
-#    'ee-v3-BC-cA_ca.pem',
-#    'ee-v3-BC-not-cA_ca.pem',
-#    'ee-v3-noBC_ca.pem',
-#    'ee-v4-BC-cA_ca.pem',
-#    'ee-v4-BC-not-cA_ca.pem',
-#    'ee-v4-noBC_ca.pem',
-#    'int-v1-BC-cA_ca.pem',
-#    'int-v1-BC-not-cA_ca.pem',
-#    'int-v1-noBC_ca.pem',
-#    'int-v2-BC-cA_ca.pem',
-#    'int-v2-BC-not-cA_ca.pem',
-#    'int-v2-noBC_ca.pem',
-#    'int-v3-BC-cA_ca.pem',
-#    'int-v3-BC-not-cA_ca.pem',
-#    'int-v3-noBC_ca.pem',
-#    'int-v4-BC-cA_ca.pem',
-#    'int-v4-BC-not-cA_ca.pem',
-#    'int-v4-noBC_ca.pem',
-#    'ss-v1-BC-cA.pem',
-#    'ss-v1-BC-not-cA.pem',
-#    'ss-v1-noBC.pem',
-#    'ss-v2-BC-cA.pem',
-#    'ss-v2-BC-not-cA.pem',
-#    'ss-v2-noBC.pem',
-#    'ss-v3-BC-cA.pem',
-#    'ss-v3-BC-not-cA.pem',
-#    'ss-v3-noBC.pem',
-#    'ss-v4-BC-cA.pem',
-#    'ss-v4-BC-not-cA.pem',
-#    'ss-v4-noBC.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_content_signing/moz.build

@@ -1,21 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'content_signing_int.pem',
-#    'content_signing_onecrl_RSA_ee.pem',
-#    'content_signing_onecrl_ee.pem',
-#    'content_signing_onecrl_ee_expired.pem',
-#    'content_signing_onecrl_ee_not_valid_yet.pem',
-#    'content_signing_onecrl_no_SAN_ee.pem',
-#    'content_signing_onecrl_wrong_key_ee.pem',
-#    'content_signing_remote_newtab_ee.pem',
-#    'content_signing_root.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_ct/moz.build

@@ -1,23 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ct-valid.example.com.pem',
-#    'ct-insufficient-scts.example.com.pem',
-#    'default-ee.pem',
-#    'test-ca.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)
-#
-# test_keys = (
-#    'default-ee.key',
-# )
-#
-# for test_key in test_keys:
-#    GeneratedTestKey(test_key)

security/manager/ssl/tests/unit/test_delegated_credentials/moz.build

@@ -1,24 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'test-ca.pem',
-#    'test-int.pem',
-#    'delegated-ee.pem',
-#    'default-ee.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)
-#
-# test_keys = (
-#    'default-ee.key',
-#    'delegated.key',
-# )
-#
-# for test_key in test_keys:
-#    GeneratedTestKey(test_key)

security/manager/ssl/tests/unit/test_encrypted_client_hello/moz.build

@@ -1,24 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'default-ee.pem',
-#    'private-ee.pem',
-#    'selfsigned.pem',
-#    'test-ca.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)
-#
-# test_keys = (
-#    'public-ee.key',
-#    'private-ee.key',
-# )
-#
-# for test_key in test_keys:
-#    GeneratedTestKey(test_key)

security/manager/ssl/tests/unit/test_ev_certs/moz.build

@@ -1,48 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'anyPolicy-ee-path-ee.pem',
-#    'anyPolicy-ee-path-int.pem',
-#    'anyPolicy-int-path-ee.pem',
-#    'anyPolicy-int-path-int.pem',
-#    'cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem',
-#    'cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem',
-#    'cabforum-and-test-oid-ee-path-ee.pem',
-#    'cabforum-and-test-oid-ee-path-int.pem',
-#    'cabforum-oid-path-ee.pem',
-#    'cabforum-oid-path-int.pem',
-#    'evroot.pem',
-#    'no-ocsp-ee-path-ee.pem',
-#    'no-ocsp-ee-path-int.pem',
-#    'no-ocsp-int-path-ee.pem',
-#    'no-ocsp-int-path-int.pem',
-#    'non-ev-root-path-ee.pem',
-#    'non-ev-root-path-int.pem',
-#    'non-evroot-ca.pem',
-#    'reverse-order-oids-path-ee.pem',
-#    'reverse-order-oids-path-int.pem',
-#    'test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem',
-#    'test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem',
-#    'test-and-cabforum-oid-ee-path-ee.pem',
-#    'test-and-cabforum-oid-ee-path-int.pem',
-#    'test-oid-ee-cabforum-oid-int-path-ee.pem',
-#    'test-oid-ee-cabforum-oid-int-path-int.pem',
-#    'test-oid-path-ee.pem',
-#    'test-oid-path-int.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)
-#
-# test_keys = (
-#    'evroot.key',
-#    'test-oid-path-int.key',
-# )
-#
-# for test_key in test_keys:
-#    GeneratedTestKey(test_key)

security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/moz.build

@@ -1,35 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca.pem',
-#    'ee-int-bad-ku-no-eku.pem',
-#    'ee-int-bad-ku-server-eku.pem',
-#    'ee-int-cA-FALSE-asserts-keyCertSign.pem',
-#    'ee-int-limited-depth.pem',
-#    'ee-int-limited-depth-invalid.pem',
-#    'ee-int-no-extensions.pem',
-#    'ee-int-no-ku-no-eku.pem',
-#    'ee-int-no-ku-server-eku.pem',
-#    'ee-int-not-a-ca.pem',
-#    'ee-int-valid-ku-no-eku.pem',
-#    'ee-int-valid-ku-server-eku.pem',
-#    'int-bad-ku-no-eku.pem',
-#    'int-bad-ku-server-eku.pem',
-#    'int-cA-FALSE-asserts-keyCertSign.pem',
-#    'int-limited-depth.pem',
-#    'int-limited-depth-invalid.pem',
-#    'int-no-extensions.pem',
-#    'int-no-ku-no-eku.pem',
-#    'int-no-ku-server-eku.pem',
-#    'int-not-a-ca.pem',
-#    'int-valid-ku-no-eku.pem',
-#    'int-valid-ku-server-eku.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_intermediate_preloads/moz.build

@@ -1,24 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ca.pem',
-#    'default-ee.pem',
-#    'ee2.pem',
-#    'int.pem',
-#    'int2.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)
-#
-# test_keys = (
-#    'default-ee.key',
-# )
-#
-# for test_key in test_keys:
-#    GeneratedTestKey(test_key)

security/manager/ssl/tests/unit/test_keysize/moz.build

@@ -1,41 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem',
-#    'ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem',
-#    'ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem',
-#    'ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem',
-#    'ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem',
-#    'ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem',
-#    'ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem',
-#    'ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem',
-#    'ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem',
-#    'ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem',
-#    'ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem',
-#    'ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem',
-#    'ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem',
-#    'int_rsa_1016-root_rsa_1024.pem',
-#    'int_rsa_1016-root_secp256r1_256.pem',
-#    'int_rsa_1024-root_rsa_1016.pem',
-#    'int_rsa_1024-root_rsa_1024.pem',
-#    'int_secp224r1_224-root_secp256r1_256.pem',
-#    'int_secp256r1_256-root_rsa_2048.pem',
-#    'int_secp256r1_256-root_secp224r1_224.pem',
-#    'int_secp256r1_256-root_secp256k1_256.pem',
-#    'int_secp256r1_256-root_secp256r1_256.pem',
-#    'int_secp384r1_384-root_secp256r1_256.pem',
-#    'root_rsa_1016.pem',
-#    'root_rsa_1024.pem',
-#    'root_rsa_2048.pem',
-#    'root_secp224r1_224.pem',
-#    'root_secp256k1_256.pem',
-#    'root_secp256r1_256.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_keysize_ev/moz.build

@@ -1,31 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem',
-#    'ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem',
-#    'ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem',
-#    'ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem',
-#    'ev_int_rsa_2040-evroot.pem',
-#    'ev_int_rsa_2048-ev_root_rsa_2040.pem',
-#    'ev_int_rsa_2048-evroot.pem',
-#    'ev_root_rsa_2040.pem',
-#    'evroot.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)
-#
-# test_keys = (
-#    'ev_int_rsa_2040.key',
-#    'ev_int_rsa_2048.key',
-#    'ev_root_rsa_2040.key',
-#    'evroot.key',
-# )
-#
-# for test_key in test_keys:
-#    GeneratedTestKey(test_key)

security/manager/ssl/tests/unit/test_missing_intermediate/moz.build

@@ -1,19 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# BadCertAndPinningServer takes as an argument a path to a directory and loads
-# every key and certificate in it. We want to test what happens when a
-# server doesn't include an intermediate that is necessary to build a
-# complete trust path. The easiest way to do this right now is to put
-# the intermediate in a different directory, so that BadCertAndPinningServer
-# doesn't know about it and can't send it in the TLS handshake.
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'missing-intermediate.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_name_constraints/moz.build

@@ -1,21 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'NameConstraints.dcissallowed.pem',
-#    'NameConstraints.dcissblocked.pem',
-#    'ca-example-com-permitted.pem',
-#    'int-example-org-permitted.pem',
-#    'ee-example-com-and-org.pem',
-#    'ee-example-com.pem',
-#    'ee-example-org.pem',
-#    'ee-example-test.pem',
-#    'dciss.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_ocsp_url/moz.build

@@ -1,33 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'bad-scheme.pem',
-#    'ca.pem',
-#    'empty-scheme-url.pem',
-#    'ftp-url.pem',
-#    'hTTp-url.pem',
-#    'https-url.pem',
-#    'int.pem',
-#    'negative-port.pem',
-#    'no-host-url.pem',
-#    'no-path-url.pem',
-#    'no-scheme-host-port.pem',
-#    'no-scheme-url.pem',
-#    'unknown-scheme.pem',
-#    'user-pass.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)
-#
-# test_keys = (
-#    'int.key',
-# )
-#
-# for test_key in test_keys:
-#    GeneratedTestKey(test_key)

security/manager/ssl/tests/unit/test_onecrl/moz.build

@@ -1,18 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'another-ee-revoked-by-revocations-txt-serial-2.pem',
-#    'another-ee-revoked-by-revocations-txt.pem',
-#    'ee-revoked-by-revocations-txt.pem',
-#    'ee-revoked-by-subject-and-pubkey.pem',
-#    'same-issuer-ee.pem',
-#    'test-int-ee.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_sanctions/default-ee.key

@@ -25,4 +25,4 @@ TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
 tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
 ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
 NBinA5ZsT8d0v3QCr2xDJH9D
------END PRIVATE KEY-----
+-----END PRIVATE KEY-----

security/manager/ssl/tests/unit/test_sanctions/moz.build

@@ -1,21 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'default-ee.pem',
-#    'symantec-ee-from-allowlist-after-cutoff.pem',
-#    'symantec-ee-from-allowlist-before-cutoff.pem',
-#    'symantec-ee-not-allowlisted-after-cutoff.pem',
-#    'symantec-ee-not-allowlisted-before-cutoff.pem',
-#    'symantec-intermediate-other.pem',
-#    'symantec-intermediate-other-crossigned.pem',
-#    'symantec-intermediate-allowlisted.pem',
-#    'symantec-test-ca.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_startcom_wosign/moz.build

@@ -1,19 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'StartCom-after-cutoff.pem',
-#    'StartCom-before-cutoff.pem',
-#    'StartComCA.pem',
-#    'WoSign-after-cutoff.pem',
-#    'WoSign-before-cutoff.pem',
-#    'WoSignCA.pem',
-#    'ca.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_validity/moz.build

@@ -1,24 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# test_certificates = (
-#    'ev_ee_27_months-ev_int_60_months-evroot.pem',
-#    'ev_ee_28_months-ev_int_60_months-evroot.pem',
-#    'ev_int_60_months-evroot.pem',
-#    'evroot.pem',
-# )
-#
-# for test_certificate in test_certificates:
-#    GeneratedTestCertificate(test_certificate)
-#
-# test_keys = (
-#    'ev_int_60_months-evroot.key',
-#    'evroot.key',
-# )
-#
-# for test_key in test_keys:
-#    GeneratedTestKey(test_key)

security/manager/tools/mach_commands.py

@@ -0,0 +1,119 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import os
+import sys
+
+from mach.util import UserError
+from mozbuild.base import MachCommandBase
+from mozpack.files import FileFinder
+from mozpack.path import basedir
+
+
+from mach.decorators import (
+    CommandArgument,
+    CommandProvider,
+    Command,
+)
+
+
+here = os.path.abspath(os.path.dirname(__file__))
+sys.path.append(here)
+
+
+def run_module_main_on(module, input_filename):
+    """Run the given module (pycert or pykey) on the given
+    file."""
+    # By convention, the specification files have names of the form
+    # "name.ext.*spec", where "ext" is some extension, and the "*" in
+    # "*spec" identifies what kind of specification it represents
+    # (certspec or keyspec). Taking off the ".*spec" part results in the
+    # desired filename for this file.
+    output_filename = os.path.splitext(input_filename)[0]
+    with open(output_filename, mode="w", encoding="utf-8", newline="\n") as output:
+        module.main(output, input_filename)
+
+
+def is_certspec_file(filename):
+    """Returns True if the given filename is a certificate
+    specification file (.certspec) and False otherwise."""
+    return filename.endswith(".certspec")
+
+
+def is_keyspec_file(filename):
+    """Returns True if the given filename is a key specification
+    file (.keyspec) and False otherwise."""
+    return filename.endswith(".keyspec")
+
+
+def is_specification_file(filename):
+    """Returns True if the given filename is a specification
+    file supported by this script, and False otherewise."""
+    return is_certspec_file(filename) or is_keyspec_file(filename)
+
+
+def is_excluded_directory(directory, exclusions):
+    """Returns True if the given directory is in or is a
+    subdirectory of a directory in the list of exclusions and
+    False otherwise."""
+
+    for exclusion in exclusions:
+        if directory.startswith(exclusion):
+            return True
+    return False
+
+
+@CommandProvider
+class MachCommands(MachCommandBase):
+    @Command(
+        "generate-test-certs",
+        category="devenv",
+        description="Generate test certificates and keys from specifications.",
+    )
+    @CommandArgument(
+        "specifications",
+        nargs="*",
+        help="Specification files for test certs. If omitted, all certs are regenerated.",
+    )
+    def generate_test_certs(self, specifications):
+        """Generate test certificates and keys from specifications."""
+
+        self.activate_virtualenv()
+        import pycert
+        import pykey
+
+        if not specifications:
+            specifications = self.find_all_specifications()
+
+        for specification in specifications:
+            if is_certspec_file(specification):
+                module = pycert
+            elif is_keyspec_file(specification):
+                module = pykey
+            else:
+                raise UserError(
+                    "'{}' is not a .certspec or .keyspec file".format(specification)
+                )
+            run_module_main_on(module, os.path.abspath(specification))
+        return 0
+
+    def find_all_specifications(self):
+        """Searches the source tree for all specification files
+        and returns them as a list."""
+        specifications = []
+        inclusions = [
+            "netwerk/test/unit",
+            "security/manager/ssl/tests",
+            "services/settings/test/unit/test_remote_settings_signatures",
+            "testing/xpcshell/moz-http2",
+        ]
+        exclusions = ["security/manager/ssl/tests/unit/test_signed_apps"]
+        finder = FileFinder(self.topsrcdir)
+        for inclusion_path in inclusions:
+            for f, _ in finder.find(inclusion_path):
+                if basedir(f, exclusions):
+                    continue
+                if is_specification_file(f):
+                    specifications.append(os.path.join(self.topsrcdir, f))
+        return specifications

services/settings/moz.build

@@ -5,8 +5,6 @@
 with Files("**"):
     BUG_COMPONENT = ("Firefox", "Remote Settings Client")
 
-TEST_DIRS += ["test"]
-
 DIRS += [
     "dumps",
 ]

services/settings/test/moz.build

@@ -1,7 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-TEST_DIRS += ["unit"]

services/settings/test/unit/moz.build

@@ -1,7 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-TEST_DIRS += ["test_remote_settings_signatures"]

services/settings/test/unit/test_remote_settings_signatures/collection_signing_ee.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICdTCCAV2gAwIBAgIULWXqMXrDQ3IYzpWJIseQRInl9zEwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY29sbGVjdGlvbi1zaWduZXItaW50LUNBMCIYDzIwMTkx
+MTI4MDAwMDAwWhgPMjAyMjAyMDUwMDAwMDBaMCYxJDAiBgNVBAMMG2NvbGxlY3Rp
+b24tc2lnbmVyLWVlLWludC1DQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABKFockM2
+K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFTTmqcDAsJyNY5regy
+BuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/dzIN0qm6pzqNIMEYw
+EwYDVR0lBAwwCgYIKwYBBQUHAwMwLwYDVR0RBCgwJoIkb25lY3JsLmNvbnRlbnQt
+c2lnbmF0dXJlLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQBrU5DuGjBv
+Dj2seQLI1jDxDB8oS4oPU1sbHp5OCfisPYl2JMKo5Cy1nPC/8t/W3BDC0wI7ug7J
+5OyZGIy5I2dgN3zIShql7X2bLLw/SSZGY0jIWa+GFOE5YmkWtM8uFB8FVtpOtYeF
++zXIyeWyPv/JL9A9/c8EfzzYMc/2NCQV+J0QsXOcWvsV794dG0Poq0N3W35ai/jd
+itmWERTlPS4ivZliIcSUyR57lfRIFZP9KjcJSuKfYIuntG7YPtsqioLRKQjyricj
+p85QFZ+8z2XOQxd1Nt5DoBBO3gx9TsVDErbTxPMRkWxzHiIbVQxDj+frB+ChpQVk
+zufihT+yBVxE
+-----END CERTIFICATE-----

services/settings/test/unit/test_remote_settings_signatures/collection_signing_int.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAeGgAwIBAgIUP+jlP5+sjznUojGrupiX+yQReYswDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUY29sbGVjdGlvbi1zaWduZXItY2EwIhgPMjAxOTExMjgw
+MDAwMDBaGA8yMDIyMDIwNTAwMDAwMFowIzEhMB8GA1UEAwwYY29sbGVjdGlvbi1z
+aWduZXItaW50LUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/MBMGA1UdJQQMMAoG
+CCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBAQCWEYQGVaiI5LNAAPOAPy5hYdfz
+i6mLMxjr/sPpOq1+W79KfxJBnZQv0K2fhyP2Sp78wBpgkZ6NOR/7f7XwWXkhFb+N
+u7f9Wmb9Ogbiy4rzlHaOitduzj/O0ohUZa+9v4q7LUJC/2xMlVXS2AxEZWdvh1NX
+zC9QujqgmhU5aTODJq2M87f3qHq7NJ1CGKeIx7dpEJ8mSeiboY3dXxK9iFBj0OuG
+YCh4ZW/IUwIB6QW6S0oPugCMvJJ0f3qr/npAHF7VzkPi1Pde4zxMVVBL9PNGV3WT
+x6/jV3zfMYu+OhU6shUJS4I4mA+EIT4Lr6JCO6QfcHjzYrgCvcwZmW5/j9l4
+-----END CERTIFICATE-----

services/settings/test/unit/test_remote_settings_signatures/collection_signing_root.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAd2gAwIBAgIUV6J20TV5oEm+lv4oelnu2EJ+9bMwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUY29sbGVjdGlvbi1zaWduZXItY2EwIhgPMjAxOTExMjgw
+MDAwMDBaGA8yMDIyMDIwNTAwMDAwMFowHzEdMBsGA1UEAwwUY29sbGVjdGlvbi1z
+aWduZXItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W
+1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq
+ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx
+0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV
+t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo
+4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx
+1QOs2hgKNe2NAgMBAAGjJTAjMAwGA1UdEwQFMAMBAf8wEwYDVR0lBAwwCgYIKwYB
+BQUHAwMwDQYJKoZIhvcNAQELBQADggEBAEgx0mT791EuD+v0QBALSNrHo+dWUpuI
+w1FalKVxsdDxM6V6O1NEcGTKndBDaBex3lwmH4aT/rYWwNr/Xyy7Koqal83JA9WG
+J9ofyHK+0tuL+zrAojHEg9JIUwWwi5Jbc+ewVwvD61BKU7ixcjcGxEfwF1Q1lILd
+iJoGZd50P6/bEN9QQeGQV0y+mkn82GPgpvfu/uNhYRmCCs+qm1OuRWrXaCuO+epN
+IuUXbInCSB03y3XUK8JnB1igVH0Sx9r9P+7tylQDsy4udq3tghuneI+GJnLxtfUH
+d6p55v4o5khhgaH1sI/bqYXj0Dl4EWdsvoGzjuxaJ11RnNn38vKPmlE=
+-----END CERTIFICATE-----

services/settings/test/unit/test_remote_settings_signatures/moz.build

@@ -1,14 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-test_certificates = (
-    "collection_signing_root.pem",
-    "collection_signing_int.pem",
-    "collection_signing_ee.pem",
-)
-
-for test_certificate in test_certificates:
-    GeneratedTestCertificate(test_certificate)

testing/xpcshell/moz-http2/moz.build

@@ -1,9 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-# GeneratedTestCertificate('http2-cert.pem')
-# GeneratedTestKey('http2-cert.key')

testing/xpcshell/moz.build

@@ -4,7 +4,7 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-TEST_DIRS += ["example", "moz-http2"]
+TEST_DIRS += ["example"]
 
 TESTING_JS_MODULES += [
     "dbg-actors.js",