[PKI library] Prioritize newer certificates in path building.

Bug: 635205 Change-Id: I5b5e69ed79d017fcd36110c7ad73d08f8f6adea0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1876739Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#708820}

[PKI library] Prioritize newer certificates in path building.
Bug: 635205 Change-Id: I5b5e69ed79d017fcd36110c7ad73d08f8f6adea0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1876739Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#708820}
dfa4c007 · Matt Mueller · Commit Bot · b9da29aa · dfa4c007 · dfa4c007
Commit dfa4c007 authored Oct 23, 2019 by Matt Mueller Committed by Commit Bot Oct 23, 2019
16 changed files
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -4069,6 +4069,12 @@ bundle_data("net_unittests_bundle_data") {
    "data/parse_certificate_unittest/tbs_validity_utc_time_and_generalized_time.pem",
    "data/parse_certificate_unittest/v1_explicit_version.pem",
    "data/parse_certificate_unittest/v3_certificate_template.pk8",
+    "data/path_builder_unittest/validity_date_prioritization/int_ac.pem",
+    "data/path_builder_unittest/validity_date_prioritization/int_ad.pem",
+    "data/path_builder_unittest/validity_date_prioritization/int_bc.pem",
+    "data/path_builder_unittest/validity_date_prioritization/int_bd.pem",
+    "data/path_builder_unittest/validity_date_prioritization/root.pem",
+    "data/path_builder_unittest/validity_date_prioritization/target.pem",
    "data/test.html",
    "data/trial_comparison_cert_verifier_unittest/target-multiple-policies/chain.pem",
    "data/url_request_unittest/308-without-location-header",

--- a/net/cert/internal/path_builder.cc
+++ b/net/cert/internal/path_builder.cc
@@ -68,30 +68,23 @@ struct IssuerEntry {
  CertificateTrust trust;
 };
-// Simple comparator of IssuerEntry that defines the order in which issuers
+// Returns an integer that represents the relative ordering of |trust| for
-// should be explored. It puts trust anchors ahead of unknown or distrusted
+// prioritizing certificates in path building. Lower return values indicate
-// ones.
+// higer priority.
-struct IssuerEntryComparator {
+int CertificateTrustToOrder(const CertificateTrust& trust) {
-  bool operator()(const IssuerEntry& issuer1, const IssuerEntry& issuer2) {
+  switch (trust.type) {
-    return CertificateTrustToOrder(issuer1.trust) <
+    case CertificateTrustType::TRUSTED_ANCHOR:
-           CertificateTrustToOrder(issuer2.trust);
+    case CertificateTrustType::TRUSTED_ANCHOR_WITH_CONSTRAINTS:
+      return 1;
+    case CertificateTrustType::UNSPECIFIED:
+      return 2;
+    case CertificateTrustType::DISTRUSTED:
+      return 4;
  }
-  static int CertificateTrustToOrder(const CertificateTrust& trust) {
+  NOTREACHED();
-    switch (trust.type) {
+  return 5;
-      case CertificateTrustType::TRUSTED_ANCHOR:
+}
-      case CertificateTrustType::TRUSTED_ANCHOR_WITH_CONSTRAINTS:
-        return 1;
-      case CertificateTrustType::UNSPECIFIED:
-        return 2;
-      case CertificateTrustType::DISTRUSTED:
-        return 4;
-    }
-    NOTREACHED();
-    return 5;
-  }
-};
 // CertIssuersIter iterates through the intermediates from |cert_issuer_sources|
 // which may be issuers of |cert|.
@@ -256,16 +249,24 @@ void CertIssuersIter::DoAsyncIssuerQuery() {
 }
 void CertIssuersIter::SortRemainingIssuers() {
-  // TODO(mattm): sort by notbefore, etc (eg if cert issuer matches a trust
-  // anchor subject (or is a trust anchor), that should be sorted higher too.
-  // See big list of possible sorting hints in RFC 4158.)
-  // (Update PathBuilderKeyRolloverTest.TestRolloverBothRootsTrusted once that
-  // is done)
  if (!issuers_needs_sort_)
    return;
-  std::stable_sort(issuers_.begin() + cur_issuer_, issuers_.end(),
+  std::stable_sort(
-                   IssuerEntryComparator());
+      issuers_.begin() + cur_issuer_, issuers_.end(),
+      [](const IssuerEntry& issuer1, const IssuerEntry& issuer2) {
+        // TODO(crbug.com/635205): Add other prioritization hints. (See big list
+        // of possible sorting hints in RFC 4158.)
+        return std::make_tuple(CertificateTrustToOrder(issuer1.trust),
+                               // Newer(larger) notBefore & notAfter dates are
+                               // preferred, hence |issuer2| is on the LHS of
+                               // the comparison and |issuer1| on the RHS.
+                               issuer2.cert->tbs().validity_not_before,
+                               issuer2.cert->tbs().validity_not_after) <
+               std::make_tuple(CertificateTrustToOrder(issuer2.trust),
+                               issuer1.cert->tbs().validity_not_before,
+                               issuer1.cert->tbs().validity_not_after);
+      });
  issuers_needs_sort_ = false;
 }

--- a/net/cert/internal/path_builder_unittest.cc
+++ b/net/cert/internal/path_builder_unittest.cc
@@ -684,10 +684,8 @@ TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) {
  EXPECT_EQ(oldroot_, path1.certs[3]);
 }
-// Tests that if both old and new roots are trusted it can build a path through
+// Tests that if both old and new roots are trusted it builds a path through
-// either.
+// the new intermediate.
-// TODO(mattm): Once prioritization is implemented, it should test that it
-// always builds the path through the new intermediate and new root.
 TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) {
  // Both oldroot and newroot are trusted.
  TrustStoreInMemory trust_store;
@@ -710,24 +708,15 @@ TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) {
  EXPECT_TRUE(result.HasValidPath());
-  // Path builder willattempt one of:
-  // target <- oldintermediate <- oldroot
-  // target <- newintermediate <- newroot
-  // either will succeed.
  ASSERT_EQ(1U, result.paths.size());
  const auto& path = *result.paths[0];
  EXPECT_TRUE(result.paths[0]->IsValid());
  ASSERT_EQ(3U, path.certs.size());
  EXPECT_EQ(target_, path.certs[0]);
-  if (path.certs[1] != newintermediate_) {
+  // The newer intermediate should be used as newer certs are prioritized in
-    DVLOG(1) << "USED OLD";
+  // path building.
-    EXPECT_EQ(oldintermediate_, path.certs[1]);
+  EXPECT_EQ(newintermediate_, path.certs[1]);
-    EXPECT_EQ(oldroot_, path.certs[2]);
+  EXPECT_EQ(newroot_, path.certs[2]);
-  } else {
-    DVLOG(1) << "USED NEW";
-    EXPECT_EQ(newintermediate_, path.certs[1]);
-    EXPECT_EQ(newroot_, path.certs[2]);
-  }
 }
 // If trust anchor query returned no results, and there are no issuer
@@ -1514,6 +1503,94 @@ TEST_F(PathBuilderCheckPathAfterVerificationTest, SetsDelegateData) {
  EXPECT_EQ(0xB33F, data->value);
 }
+TEST(PathBuilderPrioritizationTest, DatePrioritization) {
+  std::string test_dir =
+      "net/data/path_builder_unittest/validity_date_prioritization/";
+  scoped_refptr<ParsedCertificate> root =
+      ReadCertFromFile(test_dir + "root.pem");
+  ASSERT_TRUE(root);
+  scoped_refptr<ParsedCertificate> int_ac =
+      ReadCertFromFile(test_dir + "int_ac.pem");
+  ASSERT_TRUE(int_ac);
+  scoped_refptr<ParsedCertificate> int_ad =
+      ReadCertFromFile(test_dir + "int_ad.pem");
+  ASSERT_TRUE(int_ad);
+  scoped_refptr<ParsedCertificate> int_bc =
+      ReadCertFromFile(test_dir + "int_bc.pem");
+  ASSERT_TRUE(int_bc);
+  scoped_refptr<ParsedCertificate> int_bd =
+      ReadCertFromFile(test_dir + "int_bd.pem");
+  ASSERT_TRUE(int_bd);
+  scoped_refptr<ParsedCertificate> target =
+      ReadCertFromFile(test_dir + "target.pem");
+  ASSERT_TRUE(target);
+  SimplePathBuilderDelegate delegate(
+      1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
+  der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0};
+  // Distrust the root certificate. This will force the path builder to attempt
+  // all possible paths.
+  TrustStoreInMemory trust_store;
+  trust_store.AddDistrustedCertificateForTest(root);
+  for (bool reverse_input_order : {false, true}) {
+    SCOPED_TRACE(reverse_input_order);
+    CertIssuerSourceStatic intermediates;
+    // Test with the intermediates supplied in two different orders to ensure
+    // the results don't depend on input ordering.
+    if (reverse_input_order) {
+      intermediates.AddCert(int_bd);
+      intermediates.AddCert(int_bc);
+      intermediates.AddCert(int_ad);
+      intermediates.AddCert(int_ac);
+    } else {
+      intermediates.AddCert(int_ac);
+      intermediates.AddCert(int_ad);
+      intermediates.AddCert(int_bc);
+      intermediates.AddCert(int_bd);
+    }
+    CertPathBuilder path_builder(
+        target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU,
+        InitialExplicitPolicy::kFalse, {AnyPolicy()},
+        InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse);
+    path_builder.AddCertIssuerSource(&intermediates);
+    CertPathBuilder::Result result = path_builder.Run();
+    EXPECT_FALSE(result.HasValidPath());
+    ASSERT_EQ(4U, result.paths.size());
+    // Path builder should have attempted paths using the intermediates in
+    // order: bd, bc, ad, ac
+    EXPECT_FALSE(result.paths[0]->IsValid());
+    ASSERT_EQ(3U, result.paths[0]->certs.size());
+    EXPECT_EQ(target, result.paths[0]->certs[0]);
+    EXPECT_EQ(int_bd, result.paths[0]->certs[1]);
+    EXPECT_EQ(root, result.paths[0]->certs[2]);
+    EXPECT_FALSE(result.paths[1]->IsValid());
+    ASSERT_EQ(3U, result.paths[1]->certs.size());
+    EXPECT_EQ(target, result.paths[1]->certs[0]);
+    EXPECT_EQ(int_bc, result.paths[1]->certs[1]);
+    EXPECT_EQ(root, result.paths[1]->certs[2]);
+    EXPECT_FALSE(result.paths[2]->IsValid());
+    ASSERT_EQ(3U, result.paths[2]->certs.size());
+    EXPECT_EQ(target, result.paths[2]->certs[0]);
+    EXPECT_EQ(int_ad, result.paths[2]->certs[1]);
+    EXPECT_EQ(root, result.paths[2]->certs[2]);
+    EXPECT_FALSE(result.paths[3]->IsValid());
+    ASSERT_EQ(3U, result.paths[3]->certs.size());
+    EXPECT_EQ(target, result.paths[3]->certs[0]);
+    EXPECT_EQ(int_ac, result.paths[3]->certs[1]);
+    EXPECT_EQ(root, result.paths[3]->certs[2]);
+  }
+}
 }  // namespace
 }  // namespace net
--- a/net/cert/internal/test_helpers.cc
+++ b/net/cert/internal/test_helpers.cc
@@ -174,6 +174,16 @@ bool ReadCertChainFromFile(const std::string& file_path_ascii,
  return true;
 }
+scoped_refptr<ParsedCertificate> ReadCertFromFile(
+    const std::string& file_path_ascii) {
+  ParsedCertificateList chain;
+  if (!ReadCertChainFromFile(file_path_ascii, &chain))
+    return nullptr;
+  if (chain.size() != 1)
+    return nullptr;
+  return chain[0];
+}
 bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
                                     VerifyCertChainTest* test) {
  // Reset all the out parameters to their defaults.

--- a/net/cert/internal/test_helpers.h
+++ b/net/cert/internal/test_helpers.h
@@ -124,6 +124,11 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
 bool ReadCertChainFromFile(const std::string& file_path_ascii,
                           ParsedCertificateList* chain);
+// Reads a certificate from |file_path_ascii|. Returns nullptr if the file
+// contained more that one certificate.
+scoped_refptr<ParsedCertificate> ReadCertFromFile(
+    const std::string& file_path_ascii);
 // Reads a data file relative to the src root directory.
 std::string ReadTestFileToString(const std::string& file_path_ascii);

--- a/net/data/path_builder_unittest/validity_date_prioritization/generate-certs.py
+++ b/net/data/path_builder_unittest/validity_date_prioritization/generate-certs.py
+#!/usr/bin/python
+# Copyright (c) 2016 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+"""
+A chain with four possible intermediates with different notBefore and notAfter
+dates, for testing path bulding prioritization.
+"""
+import sys
+sys.path += ['../..']
+import gencerts
+DATE_A = '150101120000Z'
+DATE_B = '150102120000Z'
+DATE_C = '180101120000Z'
+DATE_D = '180102120000Z'
+root = gencerts.create_self_signed_root_certificate('Root')
+root.set_validity_range(DATE_A, DATE_D)
+int_ac = gencerts.create_intermediate_certificate('Intermediate', root)
+int_ac.set_validity_range(DATE_A, DATE_C)
+int_ad = gencerts.create_intermediate_certificate('Intermediate', root)
+int_ad.set_validity_range(DATE_A, DATE_D)
+int_ad.set_key(int_ac.get_key())
+int_bc = gencerts.create_intermediate_certificate('Intermediate', root)
+int_bc.set_validity_range(DATE_B, DATE_C)
+int_bc.set_key(int_ac.get_key())
+int_bd = gencerts.create_intermediate_certificate('Intermediate', root)
+int_bd.set_validity_range(DATE_B, DATE_D)
+int_bd.set_key(int_ac.get_key())
+target = gencerts.create_end_entity_certificate('Target', int_ac)
+target.set_validity_range(DATE_A, DATE_D)
+gencerts.write_chain('The root', [root], out_pem='root.pem')
+gencerts.write_chain('Intermediate with validity range A..C',
+                     [int_ac], out_pem='int_ac.pem')
+gencerts.write_chain('Intermediate with validity range A..D',
+                     [int_ad], out_pem='int_ad.pem')
+gencerts.write_chain('Intermediate with validity range B..C',
+                     [int_bc], out_pem='int_bc.pem')
+gencerts.write_chain('Intermediate with validity range B..D',
+                     [int_bd], out_pem='int_bd.pem')
+gencerts.write_chain('The target', [target], out_pem='target.pem')
--- a/net/data/path_builder_unittest/validity_date_prioritization/int_ac.pem
+++ b/net/data/path_builder_unittest/validity_date_prioritization/int_ac.pem
+[Created by: ./generate-certs.py]
+Intermediate with validity range A..C
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0e:7f:a5:4d:e2:fa:3e:e7:33:f3:bb:f6:5a:0e:91:e9:b4:8a:75:7d
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Root
+        Validity
+            Not Before: Jan  1 12:00:00 2015 GMT
+            Not After : Jan  1 12:00:00 2018 GMT
+        Subject: CN=Intermediate
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ba:16:8c:a1:af:8d:dd:0d:3a:6c:d7:a5:5d:70:
+                    64:e2:d2:15:be:7b:cb:ea:db:57:17:af:d8:f1:2c:
+                    b6:e2:17:ae:11:2d:33:04:e5:ee:44:5c:2c:62:05:
+                    ff:19:9e:0d:27:e3:21:c6:2b:3c:7e:db:56:5b:de:
+                    23:a5:26:e1:99:67:d4:4f:6a:3c:9a:85:5b:10:b7:
+                    da:21:99:ba:c6:ea:a1:74:cb:b7:ca:d9:cc:c3:9e:
+                    e7:eb:dd:d2:1e:f0:75:5d:2e:3e:0b:8b:c0:0d:f5:
+                    72:17:0f:2b:3a:41:ea:c0:ef:2d:8a:ee:aa:73:cb:
+                    6c:97:63:30:be:4a:f8:75:58:05:28:05:b2:3d:91:
+                    91:c9:d4:39:a6:25:a4:88:b9:2e:e6:af:9d:f6:ac:
+                    9d:4e:46:4b:76:e6:df:d8:aa:3c:6a:6e:5d:d4:67:
+                    fb:61:86:bd:33:44:f0:7f:c2:13:9f:f2:72:85:fe:
+                    15:b6:51:20:0d:ee:28:e3:33:4d:4a:16:91:81:58:
+                    6a:a1:17:5e:33:f2:e9:4c:f2:64:9b:f1:d2:8c:8e:
+                    52:17:cd:26:f8:d1:6f:50:14:98:da:23:56:54:f6:
+                    62:5b:e6:cf:34:74:d3:40:fc:fd:31:38:5a:fb:0d:
+                    83:45:4a:7f:2e:fd:93:ef:93:4f:85:12:9e:f2:a3:
+                    91:0d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                A5:15:6F:A5:45:D1:4A:85:AB:82:EC:DB:97:58:AA:6E:41:D1:44:A7
+            X509v3 Authority Key Identifier: 
+                keyid:08:3C:B1:56:BA:91:3F:80:72:30:8F:4E:85:7A:26:2F:34:89:74:B5
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Root.cer
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://url-for-crl/Root.crl
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         13:c3:c2:2d:1d:0c:3f:55:d9:e5:ee:f3:03:0a:b4:91:5a:f1:
+         2d:8f:07:1d:48:b7:fa:7b:0b:8f:b0:65:37:07:c8:56:75:1d:
+         49:b7:78:dd:cb:97:8e:85:b8:be:85:34:a7:39:60:40:b6:c9:
+         25:06:ba:b6:11:8a:5e:28:cb:c5:fc:da:83:04:96:06:cd:38:
+         1b:a0:ba:85:17:f5:66:01:fe:1e:73:94:c9:09:83:64:40:c6:
+         76:ce:0f:db:d3:33:77:55:27:68:b3:c8:a0:a9:9f:1f:c0:c8:
+         c6:79:f4:9e:10:62:13:e0:f3:6a:f9:78:7f:b3:02:91:1f:75:
+         ce:e8:ef:8e:90:9f:eb:24:f3:42:ed:86:b2:de:30:c4:0d:9a:
+         10:1a:3e:94:67:75:bd:d0:28:02:f1:6f:e6:6a:3f:ef:a6:d3:
+         f2:5d:6a:ef:5a:34:81:d2:8b:a9:a0:db:df:79:5b:58:c8:b8:
+         cd:09:bf:05:ce:d2:ce:ee:00:03:11:9c:27:01:1c:9d:b8:06:
+         9a:42:8d:3f:3b:58:69:f4:c3:8c:3c:a9:e3:a7:1b:ad:f1:b0:
+         d0:e9:07:2a:a2:8e:bd:4b:69:38:1c:01:ce:ae:3a:98:8c:89:
+         5b:96:93:e6:f7:5e:fd:d1:97:92:91:8f:05:c9:54:7a:74:ba:
+         74:82:a4:22
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUDn+lTeL6Pucz87v2Wg6R6bSKdX0wDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0xNTAxMDExMjAwMDBaFw0xODAxMDExMjAw
+MDBaMBcxFTATBgNVBAMMDEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALoWjKGvjd0NOmzXpV1wZOLSFb57y+rbVxev2PEstuIXrhEt
+MwTl7kRcLGIF/xmeDSfjIcYrPH7bVlveI6Um4Zln1E9qPJqFWxC32iGZusbqoXTL
+t8rZzMOe5+vd0h7wdV0uPguLwA31chcPKzpB6sDvLYruqnPLbJdjML5K+HVYBSgF
+sj2RkcnUOaYlpIi5LuavnfasnU5GS3bm39iqPGpuXdRn+2GGvTNE8H/CE5/ycoX+
+FbZRIA3uKOMzTUoWkYFYaqEXXjPy6UzyZJvx0oyOUhfNJvjRb1AUmNojVlT2Ylvm
+zzR000D8/TE4WvsNg0VKfy79k++TT4USnvKjkQ0CAwEAAaOByzCByDAdBgNVHQ4E
+FgQUpRVvpUXRSoWrguzbl1iqbkHRRKcwHwYDVR0jBBgwFoAUCDyxVrqRP4ByMI9O
+hXomLzSJdLUwNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzAChhtodHRwOi8vdXJs
+LWZvci1haWEvUm9vdC5jZXIwLAYDVR0fBCUwIzAhoB+gHYYbaHR0cDovL3VybC1m
+b3ItY3JsL1Jvb3QuY3JsMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/
+MA0GCSqGSIb3DQEBCwUAA4IBAQATw8ItHQw/Vdnl7vMDCrSRWvEtjwcdSLf6ewuP
+sGU3B8hWdR1Jt3jdy5eOhbi+hTSnOWBAtsklBrq2EYpeKMvF/NqDBJYGzTgboLqF
+F/VmAf4ec5TJCYNkQMZ2zg/b0zN3VSdos8igqZ8fwMjGefSeEGIT4PNq+Xh/swKR
+H3XO6O+OkJ/rJPNC7Yay3jDEDZoQGj6UZ3W90CgC8W/maj/vptPyXWrvWjSB0oup
+oNvfeVtYyLjNCb8FztLO7gADEZwnARyduAaaQo0/O1hp9MOMPKnjpxut8bDQ6Qcq
+oo69S2k4HAHOrjqYjIlblpPm91790ZeSkY8FyVR6dLp0gqQi
+-----END CERTIFICATE-----
--- a/net/data/path_builder_unittest/validity_date_prioritization/int_ad.pem
+++ b/net/data/path_builder_unittest/validity_date_prioritization/int_ad.pem
+[Created by: ./generate-certs.py]
+Intermediate with validity range A..D
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0e:7f:a5:4d:e2:fa:3e:e7:33:f3:bb:f6:5a:0e:91:e9:b4:8a:75:7e
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Root
+        Validity
+            Not Before: Jan  1 12:00:00 2015 GMT
+            Not After : Jan  2 12:00:00 2018 GMT
+        Subject: CN=Intermediate
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ba:16:8c:a1:af:8d:dd:0d:3a:6c:d7:a5:5d:70:
+                    64:e2:d2:15:be:7b:cb:ea:db:57:17:af:d8:f1:2c:
+                    b6:e2:17:ae:11:2d:33:04:e5:ee:44:5c:2c:62:05:
+                    ff:19:9e:0d:27:e3:21:c6:2b:3c:7e:db:56:5b:de:
+                    23:a5:26:e1:99:67:d4:4f:6a:3c:9a:85:5b:10:b7:
+                    da:21:99:ba:c6:ea:a1:74:cb:b7:ca:d9:cc:c3:9e:
+                    e7:eb:dd:d2:1e:f0:75:5d:2e:3e:0b:8b:c0:0d:f5:
+                    72:17:0f:2b:3a:41:ea:c0:ef:2d:8a:ee:aa:73:cb:
+                    6c:97:63:30:be:4a:f8:75:58:05:28:05:b2:3d:91:
+                    91:c9:d4:39:a6:25:a4:88:b9:2e:e6:af:9d:f6:ac:
+                    9d:4e:46:4b:76:e6:df:d8:aa:3c:6a:6e:5d:d4:67:
+                    fb:61:86:bd:33:44:f0:7f:c2:13:9f:f2:72:85:fe:
+                    15:b6:51:20:0d:ee:28:e3:33:4d:4a:16:91:81:58:
+                    6a:a1:17:5e:33:f2:e9:4c:f2:64:9b:f1:d2:8c:8e:
+                    52:17:cd:26:f8:d1:6f:50:14:98:da:23:56:54:f6:
+                    62:5b:e6:cf:34:74:d3:40:fc:fd:31:38:5a:fb:0d:
+                    83:45:4a:7f:2e:fd:93:ef:93:4f:85:12:9e:f2:a3:
+                    91:0d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                A5:15:6F:A5:45:D1:4A:85:AB:82:EC:DB:97:58:AA:6E:41:D1:44:A7
+            X509v3 Authority Key Identifier: 
+                keyid:08:3C:B1:56:BA:91:3F:80:72:30:8F:4E:85:7A:26:2F:34:89:74:B5
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Root.cer
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://url-for-crl/Root.crl
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         6f:6a:28:e5:77:fe:bd:b2:3c:b5:ef:4e:7f:d2:20:c5:de:c8:
+         d9:60:36:1e:00:c5:9c:ea:a2:f8:3f:ac:c1:98:b9:a3:99:39:
+         ac:e3:68:91:a1:88:08:9e:f7:b9:8a:9e:04:59:72:22:09:fd:
+         11:18:99:83:cf:79:29:b9:18:9b:34:66:6d:5e:0c:90:f8:98:
+         ae:c4:5a:57:fb:db:1c:d7:f9:56:c2:bb:bf:ae:36:bb:00:73:
+         04:7e:f7:72:93:4f:6c:c0:3c:a1:8b:82:7b:a2:11:f5:87:65:
+         fe:e4:af:f4:4e:3d:6a:f0:e6:39:1e:58:5c:c9:10:35:c3:62:
+         77:a5:1e:d6:0c:e2:12:74:d3:4c:ff:a9:10:c3:d0:af:d9:31:
+         8f:69:04:d8:61:29:5a:1d:b7:90:95:4f:c0:d1:88:87:03:43:
+         fd:bd:e3:55:92:20:61:77:ce:89:64:a3:41:d2:72:b5:60:ff:
+         47:61:22:8c:10:61:f4:d8:cb:6c:e3:5e:3f:ef:18:1e:3d:e1:
+         9b:d0:64:7c:ff:8a:8a:d4:9f:06:b7:11:84:67:5d:dc:46:e6:
+         6f:c4:35:59:42:c2:7f:f2:1b:7a:30:8f:88:4b:f2:8f:26:8d:
+         c5:aa:da:89:5d:a7:af:4e:13:da:ca:72:15:64:7d:e5:10:ee:
+         ee:72:d5:1b
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUDn+lTeL6Pucz87v2Wg6R6bSKdX4wDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0xNTAxMDExMjAwMDBaFw0xODAxMDIxMjAw
+MDBaMBcxFTATBgNVBAMMDEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALoWjKGvjd0NOmzXpV1wZOLSFb57y+rbVxev2PEstuIXrhEt
+MwTl7kRcLGIF/xmeDSfjIcYrPH7bVlveI6Um4Zln1E9qPJqFWxC32iGZusbqoXTL
+t8rZzMOe5+vd0h7wdV0uPguLwA31chcPKzpB6sDvLYruqnPLbJdjML5K+HVYBSgF
+sj2RkcnUOaYlpIi5LuavnfasnU5GS3bm39iqPGpuXdRn+2GGvTNE8H/CE5/ycoX+
+FbZRIA3uKOMzTUoWkYFYaqEXXjPy6UzyZJvx0oyOUhfNJvjRb1AUmNojVlT2Ylvm
+zzR000D8/TE4WvsNg0VKfy79k++TT4USnvKjkQ0CAwEAAaOByzCByDAdBgNVHQ4E
+FgQUpRVvpUXRSoWrguzbl1iqbkHRRKcwHwYDVR0jBBgwFoAUCDyxVrqRP4ByMI9O
+hXomLzSJdLUwNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzAChhtodHRwOi8vdXJs
+LWZvci1haWEvUm9vdC5jZXIwLAYDVR0fBCUwIzAhoB+gHYYbaHR0cDovL3VybC1m
+b3ItY3JsL1Jvb3QuY3JsMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/
+MA0GCSqGSIb3DQEBCwUAA4IBAQBvaijld/69sjy1705/0iDF3sjZYDYeAMWc6qL4
+P6zBmLmjmTms42iRoYgInve5ip4EWXIiCf0RGJmDz3kpuRibNGZtXgyQ+JiuxFpX
+9sc1/lWwru/rja7AHMEfvdyk09swDyhi4J7ohH1h2X+5K/0Tj1q8OY5HlhcyRA1
+w2J3pR7WDOISdNNM/6kQw9Cv2TGPaQTYYSlaHbeQlU/A0YiHA0P9veNVkiBhd86J
+ZKNB0nK1YP9HYSKMEGH02Mts414/7xgePeGb0GR8/4qK1J8GtxGEZ13cRuZvxDVZ
+QsJ/8ht6MI+IS/KPJo3FqtqJXaevThPaynIVZH3lEO7uctUb
+-----END CERTIFICATE-----
--- a/net/data/path_builder_unittest/validity_date_prioritization/int_bc.pem
+++ b/net/data/path_builder_unittest/validity_date_prioritization/int_bc.pem
+[Created by: ./generate-certs.py]
+Intermediate with validity range B..C
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0e:7f:a5:4d:e2:fa:3e:e7:33:f3:bb:f6:5a:0e:91:e9:b4:8a:75:7f
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Root
+        Validity
+            Not Before: Jan  2 12:00:00 2015 GMT
+            Not After : Jan  1 12:00:00 2018 GMT
+        Subject: CN=Intermediate
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ba:16:8c:a1:af:8d:dd:0d:3a:6c:d7:a5:5d:70:
+                    64:e2:d2:15:be:7b:cb:ea:db:57:17:af:d8:f1:2c:
+                    b6:e2:17:ae:11:2d:33:04:e5:ee:44:5c:2c:62:05:
+                    ff:19:9e:0d:27:e3:21:c6:2b:3c:7e:db:56:5b:de:
+                    23:a5:26:e1:99:67:d4:4f:6a:3c:9a:85:5b:10:b7:
+                    da:21:99:ba:c6:ea:a1:74:cb:b7:ca:d9:cc:c3:9e:
+                    e7:eb:dd:d2:1e:f0:75:5d:2e:3e:0b:8b:c0:0d:f5:
+                    72:17:0f:2b:3a:41:ea:c0:ef:2d:8a:ee:aa:73:cb:
+                    6c:97:63:30:be:4a:f8:75:58:05:28:05:b2:3d:91:
+                    91:c9:d4:39:a6:25:a4:88:b9:2e:e6:af:9d:f6:ac:
+                    9d:4e:46:4b:76:e6:df:d8:aa:3c:6a:6e:5d:d4:67:
+                    fb:61:86:bd:33:44:f0:7f:c2:13:9f:f2:72:85:fe:
+                    15:b6:51:20:0d:ee:28:e3:33:4d:4a:16:91:81:58:
+                    6a:a1:17:5e:33:f2:e9:4c:f2:64:9b:f1:d2:8c:8e:
+                    52:17:cd:26:f8:d1:6f:50:14:98:da:23:56:54:f6:
+                    62:5b:e6:cf:34:74:d3:40:fc:fd:31:38:5a:fb:0d:
+                    83:45:4a:7f:2e:fd:93:ef:93:4f:85:12:9e:f2:a3:
+                    91:0d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                A5:15:6F:A5:45:D1:4A:85:AB:82:EC:DB:97:58:AA:6E:41:D1:44:A7
+            X509v3 Authority Key Identifier: 
+                keyid:08:3C:B1:56:BA:91:3F:80:72:30:8F:4E:85:7A:26:2F:34:89:74:B5
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Root.cer
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://url-for-crl/Root.crl
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         0a:b8:fe:ed:58:f8:43:b8:b0:63:1e:1b:e8:50:d0:7b:7c:2a:
+         21:9f:9f:e7:9a:15:8b:f2:08:ed:34:04:90:d4:d0:d1:74:19:
+         20:81:5f:31:e1:33:b9:03:25:fd:9c:2b:cc:62:8b:63:79:2a:
+         e7:04:d0:3e:45:4b:c4:f3:1f:7b:ea:68:b3:db:ae:f9:11:b2:
+         18:a2:f6:b4:ea:b4:7b:2c:5b:fc:e9:53:4f:de:d8:fa:bc:fc:
+         cf:6e:89:c3:53:12:a7:4c:76:bd:1a:80:17:bc:c9:6d:80:5b:
+         dd:f3:3f:8a:fa:9b:b4:41:44:70:c3:2d:ec:10:82:d5:b6:07:
+         b2:ac:84:49:76:59:9b:8e:59:f6:bf:ef:54:c9:33:7c:15:67:
+         3b:68:1b:b1:64:00:aa:8d:e8:c0:c0:27:8d:1f:ea:d0:da:bb:
+         60:11:91:d8:dd:f4:82:88:c7:1b:2b:24:cc:1f:6c:6e:d4:a7:
+         87:06:3f:fe:52:b4:ca:63:29:62:7e:45:ef:3c:25:35:78:e2:
+         2f:a7:e7:d6:81:48:c4:29:0b:e2:28:5a:9f:79:72:c6:e9:6b:
+         01:4f:22:1a:f4:ff:09:6b:96:f3:0b:4a:9d:c3:d7:87:93:be:
+         3c:21:d8:84:37:10:4d:55:a4:c4:f9:07:b3:36:64:44:f0:a7:
+         fe:47:b1:42
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUDn+lTeL6Pucz87v2Wg6R6bSKdX8wDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0xNTAxMDIxMjAwMDBaFw0xODAxMDExMjAw
+MDBaMBcxFTATBgNVBAMMDEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALoWjKGvjd0NOmzXpV1wZOLSFb57y+rbVxev2PEstuIXrhEt
+MwTl7kRcLGIF/xmeDSfjIcYrPH7bVlveI6Um4Zln1E9qPJqFWxC32iGZusbqoXTL
+t8rZzMOe5+vd0h7wdV0uPguLwA31chcPKzpB6sDvLYruqnPLbJdjML5K+HVYBSgF
+sj2RkcnUOaYlpIi5LuavnfasnU5GS3bm39iqPGpuXdRn+2GGvTNE8H/CE5/ycoX+
+FbZRIA3uKOMzTUoWkYFYaqEXXjPy6UzyZJvx0oyOUhfNJvjRb1AUmNojVlT2Ylvm
+zzR000D8/TE4WvsNg0VKfy79k++TT4USnvKjkQ0CAwEAAaOByzCByDAdBgNVHQ4E
+FgQUpRVvpUXRSoWrguzbl1iqbkHRRKcwHwYDVR0jBBgwFoAUCDyxVrqRP4ByMI9O
+hXomLzSJdLUwNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzAChhtodHRwOi8vdXJs
+LWZvci1haWEvUm9vdC5jZXIwLAYDVR0fBCUwIzAhoB+gHYYbaHR0cDovL3VybC1m
+b3ItY3JsL1Jvb3QuY3JsMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKuP7tWPhDuLBjHhvoUNB7fCohn5/nmhWL8gjt
+NASQ1NDRdBkggV8x4TO5AyX9nCvMYotjeSrnBNA+RUvE8x976miz2675EbIYova0
+6rR7LFv86VNP3tj6vPzPbonDUxKnTHa9GoAXvMltgFvd8z+K+pu0QURwwy3sEILV
+tgeyrIRJdlmbjln2v+9UyTN8FWc7aBuxZACqjejAwCeNH+rQ2rtgEZHY3fSCiMcb
+KyTMH2xu1KeHBj/+UrTKYylifkXvPCU1eOIvp+fWgUjEKQviKFqfeXLG6WsBTyIa
+9P8Ja5bzC0qdw9eHk748IdiENxBNVaTE+QezNmRE8Kf+R7FC
+-----END CERTIFICATE-----
--- a/net/data/path_builder_unittest/validity_date_prioritization/int_bd.pem
+++ b/net/data/path_builder_unittest/validity_date_prioritization/int_bd.pem
+[Created by: ./generate-certs.py]
+Intermediate with validity range B..D
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0e:7f:a5:4d:e2:fa:3e:e7:33:f3:bb:f6:5a:0e:91:e9:b4:8a:75:80
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Root
+        Validity
+            Not Before: Jan  2 12:00:00 2015 GMT
+            Not After : Jan  2 12:00:00 2018 GMT
+        Subject: CN=Intermediate
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ba:16:8c:a1:af:8d:dd:0d:3a:6c:d7:a5:5d:70:
+                    64:e2:d2:15:be:7b:cb:ea:db:57:17:af:d8:f1:2c:
+                    b6:e2:17:ae:11:2d:33:04:e5:ee:44:5c:2c:62:05:
+                    ff:19:9e:0d:27:e3:21:c6:2b:3c:7e:db:56:5b:de:
+                    23:a5:26:e1:99:67:d4:4f:6a:3c:9a:85:5b:10:b7:
+                    da:21:99:ba:c6:ea:a1:74:cb:b7:ca:d9:cc:c3:9e:
+                    e7:eb:dd:d2:1e:f0:75:5d:2e:3e:0b:8b:c0:0d:f5:
+                    72:17:0f:2b:3a:41:ea:c0:ef:2d:8a:ee:aa:73:cb:
+                    6c:97:63:30:be:4a:f8:75:58:05:28:05:b2:3d:91:
+                    91:c9:d4:39:a6:25:a4:88:b9:2e:e6:af:9d:f6:ac:
+                    9d:4e:46:4b:76:e6:df:d8:aa:3c:6a:6e:5d:d4:67:
+                    fb:61:86:bd:33:44:f0:7f:c2:13:9f:f2:72:85:fe:
+                    15:b6:51:20:0d:ee:28:e3:33:4d:4a:16:91:81:58:
+                    6a:a1:17:5e:33:f2:e9:4c:f2:64:9b:f1:d2:8c:8e:
+                    52:17:cd:26:f8:d1:6f:50:14:98:da:23:56:54:f6:
+                    62:5b:e6:cf:34:74:d3:40:fc:fd:31:38:5a:fb:0d:
+                    83:45:4a:7f:2e:fd:93:ef:93:4f:85:12:9e:f2:a3:
+                    91:0d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                A5:15:6F:A5:45:D1:4A:85:AB:82:EC:DB:97:58:AA:6E:41:D1:44:A7
+            X509v3 Authority Key Identifier: 
+                keyid:08:3C:B1:56:BA:91:3F:80:72:30:8F:4E:85:7A:26:2F:34:89:74:B5
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Root.cer
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://url-for-crl/Root.crl
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         1a:d1:52:17:ec:4a:e3:2a:db:a7:33:f8:ca:77:89:d7:ed:f8:
+         74:44:2f:f7:b0:90:93:8f:02:a3:7f:81:a7:9c:e5:70:9b:cf:
+         91:d8:9c:12:62:75:0c:d1:fe:c0:f5:e6:e4:07:89:4f:06:88:
+         b0:1b:19:e8:e0:0a:22:bc:f0:0f:e8:2c:21:d2:58:0b:99:8f:
+         f1:32:69:46:e3:6a:02:f3:c9:df:03:f9:5e:2b:af:18:61:35:
+         b4:05:2a:3e:64:9c:55:5c:d1:26:a1:8e:62:fe:ab:5e:6e:7b:
+         47:9f:d2:f3:64:16:9e:a8:72:15:42:0c:33:29:dd:31:68:bf:
+         33:db:eb:7e:47:7b:c3:c7:bb:a0:ec:35:75:12:82:ce:28:f5:
+         7e:c8:98:b8:60:9f:a6:78:95:9f:16:0a:ba:c4:45:4e:f5:80:
+         e5:38:bb:07:b5:a5:d5:d3:09:bf:9c:92:c1:0d:d2:fd:13:32:
+         92:7a:be:10:07:ff:52:f1:39:89:be:7e:9a:7a:e9:e3:6a:43:
+         07:30:a4:19:e7:ac:96:c3:40:2b:3a:7c:d0:06:6d:2d:17:cc:
+         e9:11:e2:a8:9c:25:83:33:6f:fc:8e:47:63:ad:3e:05:95:f7:
+         e7:3e:d5:1d:ba:30:08:d5:94:1c:91:40:38:96:f6:29:03:10:
+         ee:42:ed:92
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUDn+lTeL6Pucz87v2Wg6R6bSKdYAwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0xNTAxMDIxMjAwMDBaFw0xODAxMDIxMjAw
+MDBaMBcxFTATBgNVBAMMDEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALoWjKGvjd0NOmzXpV1wZOLSFb57y+rbVxev2PEstuIXrhEt
+MwTl7kRcLGIF/xmeDSfjIcYrPH7bVlveI6Um4Zln1E9qPJqFWxC32iGZusbqoXTL
+t8rZzMOe5+vd0h7wdV0uPguLwA31chcPKzpB6sDvLYruqnPLbJdjML5K+HVYBSgF
+sj2RkcnUOaYlpIi5LuavnfasnU5GS3bm39iqPGpuXdRn+2GGvTNE8H/CE5/ycoX+
+FbZRIA3uKOMzTUoWkYFYaqEXXjPy6UzyZJvx0oyOUhfNJvjRb1AUmNojVlT2Ylvm
+zzR000D8/TE4WvsNg0VKfy79k++TT4USnvKjkQ0CAwEAAaOByzCByDAdBgNVHQ4E
+FgQUpRVvpUXRSoWrguzbl1iqbkHRRKcwHwYDVR0jBBgwFoAUCDyxVrqRP4ByMI9O
+hXomLzSJdLUwNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzAChhtodHRwOi8vdXJs
+LWZvci1haWEvUm9vdC5jZXIwLAYDVR0fBCUwIzAhoB+gHYYbaHR0cDovL3VybC1m
+b3ItY3JsL1Jvb3QuY3JsMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/
+MA0GCSqGSIb3DQEBCwUAA4IBAQAa0VIX7ErjKtunM/jKd4nX7fh0RC/3sJCTjwKj
+f4GnnOVwm8+R2JwSYnUM0f7A9ebkB4lPBoiwGxno4AoivPAP6Cwh0lgLmY/xMmlG
+42oC88nfA/leK68YYTW0BSo+ZJxVXNEmoY5i/qtebntHn9LzZBaeqHIVQgwzKd0x
+aL8z2+t+R3vDx7ug7DV1EoLOKPV+yJi4YJ+meJWfFgq6xEVO9YDlOLsHtaXV0wm/
+nJLBDdL9EzKSer4QB/9S8TmJvn6aeunjakMHMKQZ56yWw0ArOnzQBm0tF8zpEeKo
+nCWDM2/8jkdjrT4FlffnPtUdujAI1ZQckUA4lvYpAxDuQu2S
+-----END CERTIFICATE-----
--- a/net/data/path_builder_unittest/validity_date_prioritization/keys/Intermediate.key
+++ b/net/data/path_builder_unittest/validity_date_prioritization/keys/Intermediate.key
+openssl genrsa 2048
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuhaMoa+N3Q06bNelXXBk4tIVvnvL6ttXF6/Y8Sy24heuES0z
+BOXuRFwsYgX/GZ4NJ+Mhxis8fttWW94jpSbhmWfUT2o8moVbELfaIZm6xuqhdMu3
+ytnMw57n693SHvB1XS4+C4vADfVyFw8rOkHqwO8tiu6qc8tsl2Mwvkr4dVgFKAWy
+PZGRydQ5piWkiLku5q+d9qydTkZLdubf2Ko8am5d1Gf7YYa9M0Twf8ITn/Jyhf4V
+tlEgDe4o4zNNShaRgVhqoRdeM/LpTPJkm/HSjI5SF80m+NFvUBSY2iNWVPZiW+bP
+NHTTQPz9MTha+w2DRUp/Lv2T75NPhRKe8qORDQIDAQABAoIBAQCMU+bXIri7IneV
+joUQUmpxtXVaQKbEw4UIwr25GTwMgUjtgQVBQ1cLS+rYPKdjnRFUq+5TL1WeYC7e
+dkSxDQIBGhA7luR+reO/VrVysyfrSxJYLiu6F8ZXGmTQNGV4mWIX04BMWqWIoTfY
+9cJmW0D5HyRb6aC2U4ffHZirV4PHkECCCNETWR+n5pWW9oOloCqT7pSvWAYJbPLN
+5c8Ive4m2hx/V6v/x4j5VQBL5UfrSV2JpoWcjfyMJsxGZPAYJKNVOl9Rf5dBE62j
+El4kBDY7ECbx1fre/NS23H2eCGpM3UT+LNIuuyZsOcf38E7YoTd6qvjEm6n7ZoxM
+6DXM82WhAoGBAN+2Wvd8CjzirprhFVnToG2RF2lpCCUseWfr5sG8qExc61tQCsFS
+oLsQXKh/O6/pZWjj7cxQSvJf+xi64LZ3Gl02+PZ2zbWEw6lAgOI8mNqTbKYrmJX6
+CjCCGVjiIZFq3IkO/VxU5kyK4NSxFKKtKnhZUmk1Gok27LOyg98aBaIlAoGBANTy
+ERHkj1G07P7Ie102+wgKZq0ffIZBafMv9DGSq7ujPOL2ojzqSz9KvIMnH4q4efXt
+pk7c7sj8LQET3E6OysTql1/BuEiwyRjiUIb3EUQaGvak3fK93+ilxKZ+VYce+FnB
+rhmL+IX/8HLQZZL+PoqVQ6Dj0rYluRZU+gNJ6ZrJAoGAF9VPn6ohVRc5TtrH8Yfw
+QXwBqIM+EOfKD148eUtmCqyjjljarHnnEcbOeE0FyNnuqdwOi4PKWEQNdjcCla3e
+qyueHnPNupboWXG7yV53UmH+Yz2lxeSbjUtu898zgFCIKjnkmB+bYXAyP7aV4jbc
+nXG2q+qyZwfo88QC9JPLIdkCgYEArT460PnH98tgPHBSnSWL2aDMo/BH2NoDHoxW
+LXA7akCcgwBNdnPWjCtaW485RjscD3l3ac0xWMUIhpMU8UsBkRs3sS17r2U/Z+x
+r/v1mhg684px33jGX3ntoR6K6qExn6RIxhPwHuR4dJBC8vHRY+HH4W84EGRkTlzY
+AjDx0rECgYB11T7Bmr9Ie8ms9DrRr9M+caaO80dtKyf95o4VzuriX0b5PzsXpZj1
+81VMEMf9wEDv7bqj2XjV9TIfGmOjtB6zMFPy690p69tDBGMaROkg1/11Yl9Wz9Bz
+jMk1EokjzDwY5+rCHiBe+9uXxAO4opPgrhXPjZYBlo2Fw7dlvN/Bg==
+-----END RSA PRIVATE KEY-----
--- a/net/data/path_builder_unittest/validity_date_prioritization/keys/Root.key
+++ b/net/data/path_builder_unittest/validity_date_prioritization/keys/Root.key
+openssl genrsa 2048
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsnrNJskwSJ4vfL1vdmxyisJiIiEM25Wxxgknffo0QSu4FyaP
+k/DHiqSlEjSNxXOcYD0ulTCE/HigGT/JUEEPqSAQZCDUxsjKuKbFddNeNtvpSDTX
+4nsxEyUON0JwmSAG2QgTajdpJaJPB4l7JBsJdXBBm8QO1jWgmEygk/nOxXFo0dW7
+WOy7IkLd6nX6fggYbzCYJW0+gaRKHlKp3ZMuWqXAWjLWxLJL/q2m4IqFTAClsFhn
+UrZxae/xYYWM2fcYwOfmlDmsAe3/Pt4CQHqZlcaoasSwpMsvF7gGu1nWIYDDU5RC
+e1u8g5qWw6CwnjG8Y2LLeL/i7D/Ufp1qR3nQcQIDAQABAoIBAHaFyDDGkBLZQU3D
+v4YfGQbO9HQQtqbaQfK0nf9LLBOmRx+lgA3eDtgpOIXFkKWSLU8S+/03YtPi3nY
+xYZbo3wZhIoH0S22LCQxzY8nCcwGJXDyc1z454EEJGvxFhbhVCg5Uu26lN8mqC1
+spnCfqCHYHpRU0z7Jd+dm1FJJf/E+U2pv8W8MbvhK5oQtSXBYqn+46/XZMDebfyj
+HwL7g0zg+w85wuJF5fmVi567+lCbyGPaImpTmGE45yiyuFsqi0dQ/lgD88E8wtnJ
+ZPGSFNG6Gj8Z3t19d6ItDNHkO5l40sassxUWZUC/bxz0xsO3dAxAkQvrWiQv/5G2
+KFoPV3UCgYEA2tYEMQbJ6thuJ0WQRkhPNOj6GvdGJMR5zR4X6gonRvZz+PupEEIj
+kmHzQUS6yyQmTS/aPf0m7Zvss3iXKEPGexvNn6nNo6sc1bU8WBvRm4Km9qjNP0rx
+ZonEe01yefNDQ6NNn6tpRypidrpGknhVPORn+ZWP/pb1VmkbVaKM5zMCgYEA0MpH
+NiY7N1gsHU+b85IEV+hXtq+5yy4sj0bMPf4xo4soF1S4yRSPszWjoauaBzKQWPB5
+s3+5amaH8ULUcjXni1Wb1zrgkopssYaAL0ONqtMmNkbnbPp2dJ+MAwJe4ML8vW/q
+cIVFAGW9CmG9JwVxcWvt9aeD+NRbmvYm0VIrmcsCgYAFB1n9TmyhauvNFzojg1He
+o2Pr7ra77Y/m+MQP6r/QT6WGmTHfX8W1fW67lzq7pE8FAw5+0ixs1WJxFVpT4IrV
+FWR6QMqq8imtd4a1d54vdqcjj+l3hN9bPds4AiWZS8/F5CDKhIPc0MqGc+1fPEip
+J46EG729Wfa1T6EDLMMUJQKBgAsjPzk8QNxq76+Al6kemOy3kDZGmXqlM+tQs4R7
+EtrOiYz1EAZp+mBs9BWjucu4fsq/yT4yCgoK/iV4kyykg32DS5TnpyMqDzJJIn1i
+9SOvr9IlZiMCGV+PQ0DF15nVzPWuCquF8HBc/QCYxiZWu/5463C3Rur3KQvTJa70
+2y6RAoGBALEuXmr0Q69YaTxAQQGKIMAidNzib5kbC8iCvDfcSIkgZgZ+HVESsf2C
+Y1tIZMqqCLwUESl3LEil6B9O1TCkkMw7V3PYWKE37AVHGVpmjHOjiS32ivCpwdIX
+9iCh/W2KliZ/eldCwzXkJhdCyoYaYvQftabGUb8bjNKV20l4mai0
+-----END RSA PRIVATE KEY-----
--- a/net/data/path_builder_unittest/validity_date_prioritization/keys/Target.key
+++ b/net/data/path_builder_unittest/validity_date_prioritization/keys/Target.key
+openssl genrsa 2048
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEArUwLhI2Ff8XIUiFYgK/A+/D32/VuTgCHJHypXQAl6Mq2hymY
+poZiqNq8nEq3V3r3AZP1fPq6IDy0ewMdZEmk7wV6YZ5dV2MFg+BZtVDLmHJ3JFCu
+zki9gK/NBjhYj5NuWmsrUYI3eTF2zv0/P+pBCMEcWdRnIi+XDtjBJseR+zjIneK5
+LdMnLBjQCUGOtCTk3onZxTVBGDawwfD20bx6fn7CQtaoztyPXWsioxv+ZTA8FRg4
+z4mATxrGwro6BgAZo6qre/KSU4wgFGpA33+KQxW5gP+f/knRkJtvGD/CNLaDdShB
+/s+SdvJuYO3N5wlnwB5ywyE0Qn4UKaxT2KGyjQIDAQABAoIBADD3adG8g1pFMoMy
+dOV3w9nsjrySLubPc2A18U0b+5o5nTW35TA4jKwVknG/EusfDahefGEiH3F4da7E
+hIuP25DGRXxL2SgWDLrkq7R17fFXdp7GRX54Q0OXaSE2zp9TEz1tRsIzPyV5eo6m
+NDcFI/crSa2APNwGAnLpgDpK7c7EF6Ooh+IRGIG8BxgwreEpdwNP6wMZr/IhRDvV
+Zk5xnXNqMRMpxSJrq8BDVsOOoqg1UQFAw+GcvVzpnhran4iQcc0Lp4l22CV01qBm
+w9+0b8yWXetMAHVoDHMGr32Yqb88TPUFYTdUSo4TDaIEj/syRMU3X5lwCflgvj/3
+jVDgaYECgYEA2ZhusN+/iPHmw2j1SyqL65katwGJGqu99EbcruhfAmD0J8h2I6lm
+cGDQwoeSR0HnwmjNJxF943DjSy1MS7qXdYouIob3SK1+SRNzkNRsKDQj3qCafQOj
+s8kk9QtquHNuBFFfeYOzXGEXffIApY3C9HcfmzSEs/1aP4g4KRP9QvECgYEAy+IW
+jusp1vqRez7zH4p9yuS7xhJS1IC/wswRSvuWNLiZxp1JJxw3MKe73x0YNtX6PXlI
+0GcxJXUxcPXGfAiN6BE6HVUccab7AoiPxm6pjOZaowfZ2HI5Cz1Xa4fW5k+JFN4F
+lFpolCtJ16w/qVx6n8BhglwoRhPVEHr/QBRUcV0CgYBiMCO60qx2Wln8Ua9mhMNw
+w7zHWf0JOPhVc2h/0MGWrDNghFezDez4xudM8Ko0V2wCURJKD92TtUwLj1w/S+qu
+knTxBaAufoNe7FUYxJItriGFg0lTIkJLjXeMz+MPap75edKwXZqhE/rqzTo3enm/
+oMV1XsSHB8siohBdkPSWsQKBgDyx47FMRLphAapFBS+glO4vxc6jadElOvEMuyEt
+YHv1cKH19O8VsUBkzsMO8ERy0vo1/v07mx/hkYRlRl9qVIR/jGNrEPqskREiAls6
+WnM9qEHcdne/GUhFTJ8QY2NQzihOKC8P8w4ZDPSNrK4If+DK7rxWHw8tnEI5u38i
+DjlpAoGAKkDmAghbddnwzMBCw4tm8fmMP+1RrjtfS2s2Jz1R0yFJhYkEJNvFlD/0
+dKzlT13n7AeTj5M6iztF1XHnOifhLXM94jHKQ30kbnzWjbXC6sBUHAxyYdxR3oTR
+CPKmxqtIZeLp87f+CFFp777qfyBbyqVVAHFBjISg8cGsIb0yVUM=
+-----END RSA PRIVATE KEY-----
--- a/net/data/path_builder_unittest/validity_date_prioritization/root.pem
+++ b/net/data/path_builder_unittest/validity_date_prioritization/root.pem
+[Created by: ./generate-certs.py]
+The root
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0e:7f:a5:4d:e2:fa:3e:e7:33:f3:bb:f6:5a:0e:91:e9:b4:8a:75:7c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Root
+        Validity
+            Not Before: Jan  1 12:00:00 2015 GMT
+            Not After : Jan  2 12:00:00 2018 GMT
+        Subject: CN=Root
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:b2:7a:cd:26:c9:30:48:9e:2f:7c:bd:6f:76:6c:
+                    72:8a:c2:62:22:21:0c:db:95:b1:c6:09:27:7d:fa:
+                    34:41:2b:b8:17:26:8f:93:f0:c7:8a:a4:a5:12:34:
+                    8d:c5:73:9c:60:3d:2e:95:30:84:fc:78:a0:19:3f:
+                    c9:50:41:0f:a9:20:10:64:20:d4:c6:c8:ca:b8:a6:
+                    c5:75:d3:5e:36:db:e9:48:34:d7:e2:7b:31:13:25:
+                    0e:37:42:70:99:20:06:d9:08:13:6a:37:69:25:a2:
+                    4f:07:89:7b:24:1b:09:75:70:41:9b:c4:0e:d6:35:
+                    a0:98:4c:a0:93:f9:ce:c5:71:68:d1:d5:bb:58:ec:
+                    bb:22:42:dd:ea:75:fa:7e:08:18:6f:30:98:25:6d:
+                    3e:81:a4:4a:1e:52:a9:dd:93:2e:5a:a5:c0:5a:32:
+                    d6:c4:b2:4b:fe:ad:a6:e0:8a:85:4c:00:a5:b0:58:
+                    67:52:b6:71:69:ef:f1:61:85:8c:d9:f7:18:c0:e7:
+                    e6:94:39:ac:01:ed:ff:3e:de:02:40:7a:99:95:c6:
+                    a8:6a:c4:b0:a4:cb:2f:17:b8:06:bb:59:d6:21:80:
+                    c3:53:94:42:7b:5b:bc:83:9a:96:c3:a0:b0:9e:31:
+                    bc:63:62:cb:78:bf:e2:ec:3f:d4:7e:9d:6a:47:79:
+                    d0:71
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                08:3C:B1:56:BA:91:3F:80:72:30:8F:4E:85:7A:26:2F:34:89:74:B5
+            X509v3 Authority Key Identifier: 
+                keyid:08:3C:B1:56:BA:91:3F:80:72:30:8F:4E:85:7A:26:2F:34:89:74:B5
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Root.cer
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://url-for-crl/Root.crl
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         16:dc:08:df:95:7c:81:dd:02:d0:4b:ac:7b:49:c6:77:da:05:
+         c4:92:35:2d:a7:e6:b6:e1:9a:6d:42:f8:48:48:e4:2f:05:21:
+         eb:6f:00:e7:2e:f1:37:da:e3:9a:6d:21:05:61:1e:51:09:6b:
+         95:12:1f:e2:45:d4:5d:0e:5a:20:4a:10:0b:bb:42:09:69:38:
+         5e:55:ba:07:a1:2c:e6:ac:26:9d:50:d8:f6:e8:5d:ce:dc:96:
+         97:8f:89:c4:e1:b9:0f:12:c8:a9:bc:22:d3:aa:ce:a2:0d:c3:
+         07:ed:b9:e7:e0:67:2e:6d:7f:89:1d:21:75:4a:68:e2:7c:3d:
+         aa:6d:53:8c:42:e5:af:07:8f:a5:fc:61:af:08:52:f7:7f:b3:
+         59:1f:ca:a8:1c:95:14:76:24:24:86:6c:5e:24:68:76:5c:23:
+         80:b7:76:3d:28:a0:f2:88:8c:18:d7:56:06:24:4c:e4:04:0b:
+         6e:ce:35:48:6f:dd:51:c6:d6:4e:b5:56:b6:8c:83:75:24:fb:
+         be:bd:2d:c5:0b:f0:f5:dc:04:62:c6:c5:90:6e:c5:de:1a:58:
+         a2:bc:9f:2d:f3:7e:6e:74:7d:8b:f1:c7:a0:54:2f:9a:81:cf:
+         74:86:41:da:df:8e:8a:b8:f0:de:9c:24:ae:d7:54:ef:aa:81:
+         06:0f:1e:f6
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAmCgAwIBAgIUDn+lTeL6Pucz87v2Wg6R6bSKdXwwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0xNTAxMDExMjAwMDBaFw0xODAxMDIxMjAw
+MDBaMA8xDTALBgNVBAMMBFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCyes0myTBIni98vW92bHKKwmIiIQzblbHGCSd9+jRBK7gXJo+T8MeKpKUS
+NI3Fc5xgPS6VMIT8eKAZP8lQQQ+pIBBkINTGyMq4psV101422+lINNfiezETJQ43
+QnCZIAbZCBNqN2klok8HiXskGwl1cEGbxA7WNaCYTKCT+c7FcWjR1btY7LsiQt3q
+dfp+CBhvMJglbT6BpEoeUqndky5apcBaMtbEskv+rabgioVMAKWwWGdStnFp7/Fh
+hYzZ9xjA5+aUOawB7f8+3gJAepmVxqhqxLCkyy8XuAa7WdYhgMNTlEJ7W7yDmpbD
+oLCeMbxjYst4v+LsP9R+nWpHedBxAgMBAAGjgcswgcgwHQYDVR0OBBYEFAg8sVa6
+kT+AcjCPToV6Ji80iXS1MB8GA1UdIwQYMBaAFAg8sVa6kT+AcjCPToV6Ji80iXS1
+MDcGCCsGAQUFBwEBBCswKTAnBggrBgEFBQcwAoYbaHR0cDovL3VybC1mb3ItYWlh
+L1Jvb3QuY2VyMCwGA1UdHwQlMCMwIaAfoB2GG2h0dHA6Ly91cmwtZm9yLWNybC9S
+b290LmNybDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAFtwI35V8gd0C0Euse0nGd9oFxJI1LafmtuGabUL4SEjkLwUh
+628A5y7xN9rjmm0hBWEeUQlrlRIf4kXUXQ5aIEoQC7tCCWk4XlW6B6Es5qwmnVDY
+9uhdztyWl4+JxOG5DxLIqbwi06rOog3DB+255+BnLm1/iR0hdUpo4nw9qm1TjELl
+rwePpfxhrwhS93+zWR/KqByVFHYkJIZsXiRodlwjgLd2PSig8oiMGNdWBiRM5AQL
+bs41SG/dUcbWTrVWtoyDdST7vr0txQvw9dwEYsbFkG7F3hpYoryfLfN+bnR9i/HH
+oFQvmoHPdIZB2t+Oirjw3pwkrtdU76qBBg8e9g==
+-----END CERTIFICATE-----
--- a/net/data/path_builder_unittest/validity_date_prioritization/target.pem
+++ b/net/data/path_builder_unittest/validity_date_prioritization/target.pem
+[Created by: ./generate-certs.py]
+The target
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            54:f0:81:fd:d4:7b:6a:f2:04:73:10:a8:d7:2d:23:d1:af:ac:79:03
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Intermediate
+        Validity
+            Not Before: Jan  1 12:00:00 2015 GMT
+            Not After : Jan  2 12:00:00 2018 GMT
+        Subject: CN=Target
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ad:4c:0b:84:8d:85:7f:c5:c8:52:21:58:80:af:
+                    c0:fb:f0:f7:db:f5:6e:4e:00:87:24:7c:a9:5d:00:
+                    25:e8:ca:b6:87:29:98:a6:86:62:a8:da:bc:9c:4a:
+                    b7:57:7a:f7:01:93:f5:7c:fa:ba:20:3c:b4:7b:03:
+                    1d:64:49:a4:ef:05:7a:61:9e:5d:57:63:05:83:e0:
+                    59:b5:50:cb:98:72:77:24:50:ae:ce:48:bd:80:af:
+                    cd:06:38:58:8f:93:6e:5a:6b:2b:51:82:37:79:31:
+                    76:ce:fd:3f:3f:ea:41:08:c1:1c:59:d4:67:22:2f:
+                    97:0e:d8:c1:26:c7:91:fb:38:c8:9d:e2:b9:2d:d3:
+                    27:2c:18:d0:09:41:8e:b4:24:e4:de:89:d9:c5:35:
+                    41:18:36:b0:c1:f0:f6:d1:bc:7a:7e:7e:c2:42:d6:
+                    a8:ce:dc:8f:5d:6b:22:a3:1b:fe:65:30:3c:15:18:
+                    38:cf:89:80:4f:1a:c6:c2:ba:3a:06:00:19:a3:aa:
+                    ab:7b:f2:92:53:8c:20:14:6a:40:df:7f:8a:43:15:
+                    b9:80:ff:9f:fe:49:d1:90:9b:6f:18:3f:c2:34:b6:
+                    83:75:28:41:fe:cf:92:76:f2:6e:60:ed:cd:e7:09:
+                    67:c0:1e:72:c3:21:34:42:7e:14:29:ac:53:d8:a1:
+                    b2:8d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                AC:D9:32:20:3D:CB:6D:E1:C6:10:69:C5:6E:11:B9:F5:95:BF:F6:13
+            X509v3 Authority Key Identifier: 
+                keyid:A5:15:6F:A5:45:D1:4A:85:AB:82:EC:DB:97:58:AA:6E:41:D1:44:A7
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Intermediate.cer
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://url-for-crl/Intermediate.crl
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+    Signature Algorithm: sha256WithRSAEncryption
+         97:a1:11:70:fb:ab:15:a1:6c:67:bf:ff:e1:08:53:f3:c5:9c:
+         73:7e:4a:bf:9d:4e:7a:bb:65:73:a8:c4:1f:e9:02:c2:e3:09:
+         54:b3:9e:df:45:e0:02:ef:f7:4a:67:e2:f2:ee:39:28:91:b8:
+         e2:74:88:d7:a4:f8:e9:13:2b:90:73:89:7b:54:09:1b:f0:ac:
+         fb:4b:7c:a1:3a:d7:f4:2f:4b:7e:2a:c9:f5:4b:8e:fb:77:9e:
+         66:0e:59:57:3a:b2:f9:a8:2c:90:b8:af:27:88:b3:6f:3c:ab:
+         ea:14:a9:ec:2e:54:80:1a:ed:b1:3f:09:54:f1:12:6b:d4:c4:
+         23:2e:e5:d2:7d:71:18:d0:b9:ad:02:c4:75:bc:60:50:ae:2f:
+         6e:65:ff:1d:21:f0:dd:56:cb:51:15:30:e4:ea:40:ca:9a:e3:
+         6d:e9:21:8e:5d:11:ef:e4:9b:72:1a:cf:a0:ff:e3:fc:44:9f:
+         34:83:3b:e4:a2:d8:e8:99:a3:8a:8d:ff:75:50:ed:d4:32:b7:
+         49:04:61:be:89:52:ed:61:e5:32:88:71:43:72:fc:f7:03:a4:
+         dc:dc:96:b6:70:bc:00:52:08:8c:a6:e5:fe:12:1d:99:d4:76:
+         bd:1e:50:bf:07:4f:ca:fd:dd:71:d4:eb:e1:42:d8:84:3c:d5:
+         8c:06:f1:e9
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIUVPCB/dR7avIEcxCo1y0j0a+seQMwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMSW50ZXJtZWRpYXRlMB4XDTE1MDEwMTEyMDAwMFoXDTE4
+MDEwMjEyMDAwMFowETEPMA0GA1UEAwwGVGFyZ2V0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEArUwLhI2Ff8XIUiFYgK/A+/D32/VuTgCHJHypXQAl6Mq2
+hymYpoZiqNq8nEq3V3r3AZP1fPq6IDy0ewMdZEmk7wV6YZ5dV2MFg+BZtVDLmHJ3
+JFCuzki9gK/NBjhYj5NuWmsrUYI3eTF2zv0/P+pBCMEcWdRnIi+XDtjBJseR+zjI
+neK5LdMnLBjQCUGOtCTk3onZxTVBGDawwfD20bx6fn7CQtaoztyPXWsioxv+ZTA8
+FRg4z4mATxrGwro6BgAZo6qre/KSU4wgFGpA33+KQxW5gP+f/knRkJtvGD/CNLaD
+dShB/s+SdvJuYO3N5wlnwB5ywyE0Qn4UKaxT2KGyjQIDAQABo4HpMIHmMB0GA1Ud
+DgQWBBSs2TIgPctt4cYQacVuEbn1lb/2EzAfBgNVHSMEGDAWgBSlFW+lRdFKhauC
+7NuXWKpuQdFEpzA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAKGI2h0dHA6Ly91
+cmwtZm9yLWFpYS9JbnRlcm1lZGlhdGUuY2VyMDQGA1UdHwQtMCswKaAnoCWGI2h0
+dHA6Ly91cmwtZm9yLWNybC9JbnRlcm1lZGlhdGUuY3JsMA4GA1UdDwEB/wQEAwIF
+oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQAD
+ggEBAJehEXD7qxWhbGe//+EIU/PFnHN+Sr+dTnq7ZXOoxB/pAsLjCVSznt9F4ALv
+90pn4vLuOSiRuOJ0iNek+OkTK5BziXtUCRvwrPtLfKE61/QvS34qyfVLjvt3nmYO
+WVc6svmoLJC4ryeIs288q+oUqewuVIAa7bE/CVTxEmvUxCMu5dJ9cRjQua0CxHW8
+YFCuL25l/x0h8N1Wy1EVMOTqQMqa423pIY5dEe/km3Iaz6D/4/xEnzSDO+Si2OiZ
+o4qN/3VQ7dQyt0kEYb6JUu1h5TKIcUNy/PcDpNzclrZwvABSCIym5f4SHZnUdr0e
+UL8HT8r93XHU6+FC2IQ81YwG8ek=
+-----END CERTIFICATE-----
--- a/net/tools/update_ios_bundle_data.py
+++ b/net/tools/update_ios_bundle_data.py
@@ -49,6 +49,7 @@ net_unittest_bundle_data_globs = [
    "data/name_constraints_unittest/*.pem",
    "data/ocsp_unittest/*.pem",
    "data/ov_name_constraints/*.pem",
+    "data/path_builder_unittest/**/*.pem",
    "data/parse_certificate_unittest/*.pem",
    "data/parse_certificate_unittest/*.pk8",
    "data/test.html",