README
1 This directory contains various certificates for use with SSL-related 2 unit tests. 3 4 - google.binary.p7b 5 - google.chain.pem 6 - google.pem_cert.p7b 7 - google.pem_pkcs7.p7b 8 - google.pkcs7.p7b 9 - google.single.der 10 - google.single.pem 11 - thawte.single.pem : Certificates for testing parsing of different formats. 12 13 - googlenew.chain.pem : The refreshed Google certificate 14 (valid until Sept 30 2013). 15 16 - mit.davidben.der : An expired MIT client certificate. 17 18 - foaf.me.chromium-test-cert.der : A client certificate for a FOAF.ME identity 19 created for testing. 20 21 - www_us_army_mil_cert.der 22 - dod_ca_17_cert.der 23 - dod_root_ca_2_cert.der : 24 A certificate chain used for testing certificate imports 25 26 - unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing. 27 28 - client.p12 : A PKCS #12 file containing a client certificate and a private 29 key created for testing. The password is "12345". 30 31 - client-nokey.p12 : A PKCS #12 file containing a client certificate (the same 32 as the one in client.p12) but no private key. The password is "12345". 33 34 - punycodetest.der : A test self-signed server certificate with punycode name. 35 The common name is "xn--wgv71a119e.com" (.com) 36 37 - unittest.selfsigned.der : A self-signed certificate generated using private 38 key in unittest.key.bin. The common name is "unittest". 39 40 - unittest.key.bin : private key stored unencrypted. 41 42 - unittest.originbound.der: A test origin-bound certificate for 43 https://www.google.com:443. 44 - unittest.originbound.key.der: matching PrivateKeyInfo. 45 46 - x509_verify_results.chain.pem : A simple certificate chain used to test that 47 the correctly ordered, filtered certificate chain is returned during 48 verification, regardless of the order in which the intermediate/root CA 49 certificates are provided. 50 51 - google_diginotar.pem 52 - diginotar_public_ca_2025.pem : A certificate chain for the regression test 53 of http://crbug.com/94673 54 55 - test_mail_google_com.pem : A certificate signed by the test CA for 56 "mail.google.com". Because it is signed by that CA instead of the true CA 57 for that host, it will fail the 58 TransportSecurityState::IsChainOfPublicKeysPermitted test. 59 60 - salesforce_com_test.pem 61 - verisign_intermediate_ca_2011.pem 62 - verisign_intermediate_ca_2016.pem : Certificates for testing two 63 X509Certificate objects that contain the same server certificate but 64 different intermediate CA certificates. The two intermediate CA 65 certificates actually represent the same intermediate CA but have 66 different validity periods. 67 68 - multivalue_rdn.pem : A regression test for http://crbug.com/101009. A 69 certificate with all of the AttributeTypeAndValues stored within a single 70 RelativeDistinguishedName, rather than one AVA per RDN as normally seen. 71 72 - unescaped.pem : Regression test for http://crbug.com/102839. Contains 73 characters such as '=' and '"' that would normally be escaped when 74 converting a subject/issuer name to their stringized form. 75 76 - 2048-rsa-root.pem 77 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem 78 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by- 79 {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem 80 These certficates are generated by 81 net/data/ssl/scripts/generate-weak-test-chains.sh and used in the 82 RejectWeakKeys test in net/base/x509_certificate_unittest.cc. 83 84 - cross-signed-leaf.pem 85 - cross-signed-root-md5.pem 86 - cross-signed-root-sha1.pem 87 A certificate chain for regression testing http://crbug.com/108514, 88 generated via scripts/generate-cross-signed-certs.sh 89 90 - redundant-validated-chain.pem 91 - redundant-server-chain.pem 92 - redundant-validated-chain-root.pem 93 94 Two chains, A -> B -> C -> D and A -> B -> C2 (C and C2 share the same 95 public key) to test that SSLInfo gets the reconstructed, re-ordered 96 chain instead of the chain as served. See 97 SSLClientSocketTest.VerifyReturnChainProperlyOrdered in 98 net/socket/ssl_client_socket_unittest.cc. These chains are valid until 99 26 Feb 2022 and are generated by 100 net/data/ssl/scripts/generate-redundant-test-chains.sh. 101 102 - comodo.chain.pem : A certificate chain for www.comodo.com which should be 103 recognised as EV. Expires Jun 21 2013. 104 105 - ocsp-test-root.pem : A root certificate for the code in 106 net/tools/testserver/minica.py 107 108 - spdy_pooling.pem : Used to test the handling of spdy IP connection pooling 109 Generated by using the command 110 "openssl req -x509 -days 3650 -sha1 -extensions req_spdy_pooling \ 111 -config ../scripts/ee.cnf -newkey rsa:1024 -text \ 112 -out spdy_pooling.pem" 113 114 - subjectAltName_sanity_check.pem : Used to test the handling of various types 115 within the subjectAltName extension of a certificate. Generated by using 116 the command 117 "openssl req -x509 -days 3650 -sha1 -extensions req_san_sanity \ 118 -config ../scripts/ee.cnf -newkey rsa:1024 -text \ 119 -out subjectAltName_sanity_check.pem" 120 121 - ndn.ca.crt: "New Dream Network Certificate Authority" root certificate. 122 This is an X.509 v1 certificate that omits the version field. Used to 123 test that the certificate version gets the default value v1. 124 125 - websocket_cacert.pem : The testing root CA for testing WebSocket client 126 certificate authentication. 127 This file is used in SSLUITest.TestWSSClientCert. 128 129 - websocket_client_cert.p12 : A PKCS #12 file containing a client certificate 130 and a private key created for WebSocket testing. The password is "". 131 This file is used in SSLUITest.TestWSSClientCert. 132 133 - android-test-key-rsa.pem 134 - android-test-key-dsa.pem 135 - android-test-key-dsa-public.pem 136 - android-test-key-ecdsa.pem 137 - android-test-key-ecdsa-public.pem 138 This is a set of test RSA/DSA/ECDSA keys used by the Android-specific 139 unit test in net/android/keystore_unittest.c. They are used to verify 140 that the OpenSSL-specific wrapper for platform PrivateKey objects 141 works properly. See the generate-android-test-keys.sh script. 142 143 - client_1.pem 144 - client_1.key 145 - client_1_ca.pem 146 - client_2.pem 147 - client_2.key 148 - client_2_ca.pem 149 This is a set of files used to unit test SSL client certificate 150 authentication. These are generated by 151 net/data/ssl/scripts/generate-client-certificates.sh 152 - client_1_ca.pem and client_2_ca.pem are the certificates of 153 two distinct signing CAs. 154 - client_1.pem and client_1.key correspond to the certificate and 155 private key for a first certificate signed by client_1_ca.pem. 156 - client_2.pem and client_2.key correspond to the certificate and 157 private key for a second certificate signed by client_2_ca.pem. 158 159 - eku-test-root.pem 160 - non-crit-codeSigning-chain.pem 161 - crit-codeSigning-chain.pem 162 Two code-signing certificates (eKU: codeSigning; eKU: critical, 163 codeSigning) which we use to test that clients are making sure that web 164 server certs are checked for correct eKU fields (when an eKU field is 165 present). Since codeSigning is not valid for web server auth, the checks 166 should fail. 167 168 - duplicate_cn_1.p12 169 - duplicate_cn_1.pem 170 - duplicate_cn_2.p12 171 - duplicate_cn_2.pem 172 Two certificates from the same issuer that share the same common name, 173 but have distinct subject names (namely, their O fields differ). NSS 174 requires that certificates have unique nicknames if they do not share the 175 same subject, and these certificates are used to test that the nickname 176 generation algorithm generates unique nicknames. 177 The .pem versions contain just the certs, while the .p12 versions contain 178 both the cert and a private key, since there are multiple ways to import 179 certificates into NSS. 180 181 - aia-cert.pem 182 - aia-intermediate.der 183 - aia-root.pem 184 A certificate chain which we use to ensure AIA fetching works correctly 185 when using NSS to verify certificates (which uses our HTTP stack). 186 aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL 187 containing the intermediate, which can be served via a URLRequestFilter. 188 aia-intermediate.der is stored in DER form for convenience, since that is 189 the form expected of certificates discovered via AIA. 190 191 - cybertrust_gte_root.pem 192 - cybertrust_baltimore_root.pem 193 - cybertrust_omniroot_chain.pem 194 - cybertrust_baltimore_cross_certified_1.pem 195 - cybertrust_baltimore_cross_certified_2.pem 196 These certificates are reflect a portion of the CyberTrust (Verizon 197 Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is 198 still widely supported, while _baltimore_root.pem reflects the newer 199 2048-bit root. For clients that only support the GTE root, two versions 200 of the Baltimore root were cross-signed by GTE, namely 201 _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate 202 chain that was issued under the Baltimore root. Combined, these 203 certificates can be used to test real-world cross-signing; in practice, 204 they are used to test certain workarounds for OS X's chain building code. 205 206 - no_subject_common_name_cert.pem: Used to test the function that generates a 207 NSS certificate nickname for a user certificate. This certificate's Subject 208 field doesn't have a common name. 209 210 - expired_cert.pem 211 - ok_cert.pem 212 - root_ca_cert.pem 213 These certificates are the common certificates used by the Python test 214 server for simulating HTTPS connections. They are generated by running 215 the script net/data/ssl/scripts/generate-test-certs.sh. 216 217 - quic_intermediate.crt 218 - quic_test_ecc.example.com.crt 219 - quic_test.example.com.crt 220 - quic_root.crt 221 These certificates are used by the ProofVerifier's unit tests of QUIC. 222 223 - explicit-policy-chain.pem 224 A test certificate chain with requireExplicitPolicy field set on the 225 intermediate, with SkipCerts=0. This is used for regression testing 226 http://crbug.com/31497. It is generated by running the script 227 net/data/ssl/scripts/generate-policy-certs.sh 228 229
