This directory contains various certificates for use with SSL-related
unit tests.

===== Real-world certificates that need manual updating
- google.binary.p7b
- google.chain.pem
- google.pem_cert.p7b
- google.pem_pkcs7.p7b
- google.pkcs7.p7b
- google.single.der
- google.single.pem
- thawte.single.pem : Certificates for testing parsing of different formats.

- googlenew.chain.pem : The refreshed Google certificate
  (valid until Sept 30 2013).

- mit.davidben.der : An expired MIT client certificate.

- foaf.me.chromium-test-cert.der : A client certificate for a FOAF.ME identity
  created for testing.

- www_us_army_mil_cert.der
- dod_ca_17_cert.der
- dod_root_ca_2_cert.der : A certificate chain used for testing certificate
  imports.

- unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing.

- google_diginotar.pem
- diginotar_public_ca_2025.pem : A certificate chain for the regression test
  of http://crbug.com/94673

- salesforce_com_test.pem
- verisign_intermediate_ca_2011.pem
- verisign_intermediate_ca_2016.pem : Certificates for testing two
  X509Certificate objects that contain the same server certificate but
  different intermediate CA certificates. The two intermediate CA
  certificates actually represent the same intermediate CA but have
  different validity periods.

- cybertrust_gte_root.pem
- cybertrust_baltimore_root.pem
- cybertrust_omniroot_chain.pem
- cybertrust_baltimore_cross_certified_1.pem
- cybertrust_baltimore_cross_certified_2.pem
  These certificates reflect a portion of the CyberTrust (Verizon
  Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
  still widely supported, while _baltimore_root.pem reflects the newer
  2048-bit root. For clients that only support the GTE root, two versions
  of the Baltimore root were cross-signed by GTE, namely
  _cross_certified_[1,2].pem.
  _omniroot_chain.pem contains a certificate
  chain that was issued under the Baltimore root. Combined, these
  certificates can be used to test real-world cross-signing; in practice,
  they are used to test certain workarounds for OS X's chain building code.

- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate.
  This is an X.509 v1 certificate that omits the version field. Used to
  test that the certificate version gets the default value v1.

- ct-test-embedded-cert.pem
- ct-test-embedded-with-intermediate-chain.pem
- ct-test-embedded-with-intermediate-preca-chain.pem
- ct-test-embedded-with-preca-chain.pem
  Test certificate chains for Certificate Transparency: Each of these
  files contains a leaf certificate as the first certificate, which has
  embedded SCTs, followed by the issuer certificates chain.
  All files are from the src/test/testdata directory in
  https://code.google.com/p/certificate-transparency/

- comodo.chain.pem : A certificate chain for www.comodo.com which should be
  recognised as EV. Expires Jun 20 2015.

===== Manually generated certificates
- client.p12 : A PKCS #12 file containing a client certificate and a private
  key created for testing. The password is "12345".

- client-nokey.p12 : A PKCS #12 file containing a client certificate (the same
  as the one in client.p12) but no private key. The password is "12345".

- unittest.selfsigned.der : A self-signed certificate generated using private
  key in unittest.key.bin. The common name is "unittest".

- unittest.key.bin : private key stored unencrypted.

- unittest.originbound.der: A test origin-bound certificate for
  https://www.google.com:443.
- unittest.originbound.key.der: matching PrivateKeyInfo.

- x509_verify_results.chain.pem : A simple certificate chain used to test that
  the correctly ordered, filtered certificate chain is returned during
  verification, regardless of the order in which the intermediate/root CA
  certificates are provided.

- test_mail_google_com.pem : A certificate signed by the test CA for
  "mail.google.com". Because it is signed by that CA instead of the true CA
  for that host, it will fail the
  TransportSecurityState::IsChainOfPublicKeysPermitted test.

- multivalue_rdn.pem : A regression test for http://crbug.com/101009. A
  certificate with all of the AttributeTypeAndValues stored within a single
  RelativeDistinguishedName, rather than one AVA per RDN as normally seen.

- unescaped.pem : Regression test for http://crbug.com/102839. Contains
  characters such as '=' and '"' that would normally be escaped when
  converting a subject/issuer name to their stringized form.

- ocsp-test-root.pem : A root certificate for the code in
  net/tools/testserver/minica.py

- websocket_cacert.pem : The testing root CA for testing WebSocket client
  certificate authentication.
  This file is used in SSLUITest.TestWSSClientCert.

- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate
  and a private key created for WebSocket testing. The password is "".
  This file is used in SSLUITest.TestWSSClientCert.

- no_subject_common_name_cert.pem: Used to test the function that generates a
  NSS certificate nickname for a user certificate. This certificate's Subject
  field doesn't have a common name.

- quic_intermediate.crt
- quic_test_ecc.example.com.crt
- quic_test.example.com.crt
- quic_root.crt
  These certificates are used by the ProofVerifier's unit tests of QUIC.

===== From net/data/ssl/scripts/generate-test-certs.sh
- expired_cert.pem
- ok_cert.pem
- root_ca_cert.pem
  These certificates are the common certificates used by the Python test
  server for simulating HTTPS connections.

- name_constraint_bad.pem
- name_constraint_good.pem
  Two certificates used to test the built-in ability to restrict a root to
  a particular namespace.

- sha256.pem: Used to test the handling of SHA-256 certs on Windows.

- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling.

- subjectAltName_sanity_check.pem : Used to test the handling of various types
  within the subjectAltName extension of a certificate.

- punycodetest.pem : A test self-signed server certificate with punycode name.
  The common name is "xn--wgv71a119e.com" (日本語.com)

===== From net/data/ssl/scripts/generate-weak-test-chains.sh
- 2048-rsa-root.pem
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
      {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
  Test certificates used to ensure that weak keys are detected and rejected.

===== From net/data/ssl/scripts/generate-cross-signed-certs.sh
- cross-signed-leaf.pem
- cross-signed-root-md5.pem
- cross-signed-root-sha1.pem
  A certificate chain for regression testing http://crbug.com/108514

===== From net/data/ssl/scripts/generate-redundant-test-chains.sh
- redundant-validated-chain.pem
- redundant-server-chain.pem
- redundant-validated-chain-root.pem

  Two chains, A -> B -> C -> D and A -> B -> C2 (C and C2 share the same
  public key) to test that SSLInfo gets the reconstructed, re-ordered
  chain instead of the chain as served. See
  SSLClientSocketTest.VerifyReturnChainProperlyOrdered in
  net/socket/ssl_client_socket_unittest.cc.
  These chains are valid until
  26 Feb 2022 and are generated by
  net/data/ssl/scripts/generate-redundant-test-chains.sh.

===== From net/data/ssl/scripts/generate-policy-certs.sh
- explicit-policy-chain.pem
  A test certificate chain with requireExplicitPolicy field set on the
  intermediate, with SkipCerts=0. This is used for regression testing
  http://crbug.com/31497.

===== From net/data/ssl/scripts/generate-client-certificates.sh
- client_1.pem
- client_1.key
- client_1.pk8
- client_1_ca.pem
- client_2.pem
- client_2.key
- client_2.pk8
- client_2_ca.pem
  This is a set of files used to unit test SSL client certificate
  authentication.
  - client_1_ca.pem and client_2_ca.pem are the certificates of
    two distinct signing CAs.
  - client_1.pem and client_1.key correspond to the certificate and
    private key for a first certificate signed by client_1_ca.pem.
  - client_2.pem and client_2.key correspond to the certificate and
    private key for a second certificate signed by client_2_ca.pem.
  - each .pk8 file contains the same key as the corresponding .key file
    as PKCS#8 PrivateKeyInfo in DER encoding.

===== From net/data/ssl/scripts/generate-android-test-key.sh
- android-test-key-rsa.pem
- android-test-key-dsa.pem
- android-test-key-dsa-public.pem
- android-test-key-ecdsa.pem
- android-test-key-ecdsa-public.pem
  This is a set of test RSA/DSA/ECDSA keys used by the Android-specific
  unit test in net/android/keystore_unittest.c. They are used to verify
  that the OpenSSL-specific wrapper for platform PrivateKey objects
  works properly. See the generate-android-test-keys.sh script.

===== From net/data/ssl/scripts/generate-bad-eku-certs.sh
- eku-test-root.pem
- non-crit-codeSigning-chain.pem
- crit-codeSigning-chain.pem
  Two code-signing certificates (eKU: codeSigning; eKU: critical,
  codeSigning) which we use to test that clients are making sure that web
  server certs are checked for correct eKU fields (when an eKU field is
  present). Since codeSigning is not valid for web server auth, the checks
  should fail.

===== From net/data/ssl/scripts/generate-multi-root-test-chains.sh
- multi-root-chain1.pem
- multi-root-chain2.pem
  Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the
  same public key) to test that certificate validation caching does not
  interfere with the chain_verify_callback used by CertVerifyProcChromeOS.
  See CertVerifyProcChromeOSTest.

===== From net/data/ssl/scripts/generate-duplicate-cn-certs.sh
- duplicate_cn_1.p12
- duplicate_cn_1.pem
- duplicate_cn_2.p12
- duplicate_cn_2.pem
  Two certificates from the same issuer that share the same common name,
  but have distinct subject names (namely, their O fields differ). NSS
  requires that certificates have unique nicknames if they do not share the
  same subject, and these certificates are used to test that the nickname
  generation algorithm generates unique nicknames.
  The .pem versions contain just the certs, while the .p12 versions contain
  both the cert and a private key, since there are multiple ways to import
  certificates into NSS.

===== From net/data/ssl/scripts/generate-aia-certs.sh
- aia-cert.pem
- aia-intermediate.der
- aia-root.pem
  A certificate chain which we use to ensure AIA fetching works correctly
  when using NSS to verify certificates (which uses our HTTP stack).
  aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL
  containing the intermediate, which can be served via a URLRequestFilter.
  aia-intermediate.der is stored in DER form for convenience, since that is
  the form expected of certificates discovered via AIA.