CertVerifyProcMac: Add Keychain re-ordering hack, check CRLsets in path pruning loop.

net/data/ssl/certificates/README

 This directory contains various certificates for use with SSL-related
 unit tests.
 
 ===== Real-world certificates that need manual updating
 - google.binary.p7b
 - google.chain.pem
 - google.pem_cert.p7b
 - google.pem_pkcs7.p7b
 - google.pkcs7.p7b
 - google.single.der
@@ skipping 40 matching lines @@
      embedded SCTs, followed by the issuer certificates chain.
      All files are from the src/test/testdada directory in
      https://code.google.com/p/certificate-transparency/
 
 - comodo.chain.pem : A certificate chain for www.comodo.com which should be
      recognised as EV. Expires Jun 20 2015.
 
 - twitter-chain.pem : A certificate chain for twitter.com which should be
      valid. Expires May 9 2016.
 
+- tripadvisor-verisign-chain.pem: A certificate chain for www.tripadvisor.com
+  issued by VeriSign Class 3 Public Primary Certification Authority - G5.
+  Expires Apr 2 2018.
+- verisign_class3_g5_crosssigned.pem: The SHA1 cross-signed version of
+  VeriSign Class 3 Public Primary Certification Authority - G5
+- verisign_class3_g5_crosssigned-trusted.keychain: OSX Keychain set to Always
+  Trust the certificate in verisign_class3_g5_crosssigned.pem (Generated by
+  scripts/generate-verisign_class3_g5_crosssigned-trusted-keychain.sh)
+
 ===== Manually generated certificates
 - client.p12 : A PKCS #12 file containing a client certificate and a private
      key created for testing.  The password is "12345".
 
 - client-nokey.p12 : A PKCS #12 file containing a client certificate (the same
      as the one in client.p12) but no private key. The password is "12345".
 
 - unittest.selfsigned.der : A self-signed certificate generated using private
      key in unittest.key.bin. The common name is "unittest".
 
@@ skipping 182 matching lines @@
      should fail.
 
 ===== From net/data/ssl/scripts/generate-multi-root-test-chains.sh
 - multi-root-chain1.pem
 - multi-root-chain2.pem
      Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the
      same public key) to test that certificate validation caching does not
      interfere with the chain_verify_callback used by CertVerifyProcChromeOS.
      See CertVerifyProcChromeOSTest.
 
+===== From net/data/ssl/scripts/generate-multi-root-BFE-keychain.sh
+- multi-root-BFE.keychain: An OSX Keychain containing the generated
+  certificates "multi-root-B-by-F.pem" and "multi-root-F-by-E.pem".
+
 ===== From net/data/ssl/scripts/generate-duplicate-cn-certs.sh
 - duplicate_cn_1.p12
 - duplicate_cn_1.pem
 - duplicate_cn_2.p12
 - duplicate_cn_2.pem
      Two certificates from the same issuer that share the same common name,
      but have distinct subject names (namely, their O fields differ). NSS
      requires that certificates have unique nicknames if they do not share the
      same subject, and these certificates are used to test that the nickname
      generation algorithm generates unique nicknames.
@@ skipping 10 matching lines @@
      aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL
      containing the intermediate, which can be served via a URLRequestFilter.
      aia-intermediate.der is stored in DER form for convenience, since that is
      the form expected of certificates discovered via AIA.
 
 ===== From net/data/ssl/scripts/generate-self-signed-certs.sh
  - self-signed-invalid-name.pem
  - self-signed-invalid-sig.pem
      Two "self-signed" certificates with mismatched names or an invalid
      signature, respectively.