Index: net/data/ssl/certificates/README |
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README |
index a3a94c807f3cc7321245f9d5b24f915cd6f0c3fe..5d1faf2602e93cac097843f2fd24e1b62a7401b7 100644 |
--- a/net/data/ssl/certificates/README |
+++ b/net/data/ssl/certificates/README |
@@ -1,6 +1,7 @@ |
This directory contains various certificates for use with SSL-related |
unit tests. |
+===== Real-world certificates that need manual updating |
- google.binary.p7b |
- google.chain.pem |
- google.pem_cert.p7b |
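Review bot: the new "===== Real-world certificates that need manual updating" heading is inserted directly under the "unit tests." intro line with no blank line before it, and the same happens for most of the "=====" headings this patch adds (generate-weak-test-chains.sh, generate-cross-signed-certs.sh, generate-redundant-test-chains.sh, generate-policy-certs.sh, generate-client-certificates.sh, generate-android-test-key.sh, generate-multi-root-test-chains.sh, generate-aia-certs.sh), while a few others (Manually generated certificates, generate-bad-eku-certs.sh, generate-duplicate-cn-certs.sh) do get a blank line. This README is read as plain text, so pick one spacing convention and apply it to every section heading.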
@@ -25,15 +26,57 @@ unit tests. |
- unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing. |
+- google_diginotar.pem |
+- diginotar_public_ca_2025.pem : A certificate chain for the regression test |
+ of http://crbug.com/94673 |
+ |
+- salesforce_com_test.pem |
+- verisign_intermediate_ca_2011.pem |
+- verisign_intermediate_ca_2016.pem : Certificates for testing two |
+ X509Certificate objects that contain the same server certificate but |
+ different intermediate CA certificates. The two intermediate CA |
+ certificates actually represent the same intermediate CA but have |
+ different validity periods. |
+ |
+- cybertrust_gte_root.pem |
+- cybertrust_baltimore_root.pem |
+- cybertrust_omniroot_chain.pem |
+- cybertrust_baltimore_cross_certified_1.pem |
+- cybertrust_baltimore_cross_certified_2.pem |
+ These certificates are reflect a portion of the CyberTrust (Verizon |
+ Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is |
+ still widely supported, while _baltimore_root.pem reflects the newer |
+ 2048-bit root. For clients that only support the GTE root, two versions |
+ of the Baltimore root were cross-signed by GTE, namely |
+ _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate |
+ chain that was issued under the Baltimore root. Combined, these |
+ certificates can be used to test real-world cross-signing; in practice, |
+ they are used to test certain workarounds for OS X's chain building code. |
+ |
+- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate. |
+ This is an X.509 v1 certificate that omits the version field. Used to |
+ test that the certificate version gets the default value v1. |
+ |
+- ct-test-embedded-cert.pem |
+- ct-test-embedded-with-intermediate-chain.pem |
+- ct-test-embedded-with-intermediate-preca-chain.pem |
+- ct-test-embedded-with-preca-chain.pem |
+ Test certificate chains for Certificate Transparency: Each of these |
+ files contains a leaf certificate as the first certificate, which has |
+ embedded SCTs, followed by the issuer certificates chain. |
+ All files are from the src/test/testdada directory in |
+ https://code.google.com/p/certificate-transparency/ |
+ |
+- comodo.chain.pem : A certificate chain for www.comodo.com which should be |
+ recognised as EV. Expires Jun 20 2015. |
+ |
+===== Manually generated certificates |
- client.p12 : A PKCS #12 file containing a client certificate and a private |
key created for testing. The password is "12345". |
- client-nokey.p12 : A PKCS #12 file containing a client certificate (the same |
as the one in client.p12) but no private key. The password is "12345". |
-- punycodetest.der : A test self-signed server certificate with punycode name. |
- The common name is "xn--wgv71a119e.com" (日本語.com) |
- |
- unittest.selfsigned.der : A self-signed certificate generated using private |
key in unittest.key.bin. The common name is "unittest". |
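Review bot: since the CyberTrust block is being moved here anyway, fix the grammar in "These certificates are reflect a portion of the CyberTrust" (drop "are"), and check "src/test/testdada" in the Certificate Transparency entry, which looks like a typo for "testdata". Separately, "punycodetest.der" is removed from the manually generated section while a "punycodetest.pem" entry appears later under generate-test-certs.sh; this diff touches only the README, so confirm that the .der file and any test that loads it are renamed or updated in the same change, because the switch from DER to PEM changes how the file must be parsed. The moved "- google_diginotar.pem" entry also lands directly under the unosoft_hu_cert line with no separating blank line.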
@@ -48,23 +91,11 @@ unit tests. |
verification, regardless of the order in which the intermediate/root CA |
certificates are provided. |
-- google_diginotar.pem |
-- diginotar_public_ca_2025.pem : A certificate chain for the regression test |
- of http://crbug.com/94673 |
- |
- test_mail_google_com.pem : A certificate signed by the test CA for |
"mail.google.com". Because it is signed by that CA instead of the true CA |
for that host, it will fail the |
TransportSecurityState::IsChainOfPublicKeysPermitted test. |
-- salesforce_com_test.pem |
-- verisign_intermediate_ca_2011.pem |
-- verisign_intermediate_ca_2016.pem : Certificates for testing two |
- X509Certificate objects that contain the same server certificate but |
- different intermediate CA certificates. The two intermediate CA |
- certificates actually represent the same intermediate CA but have |
- different validity periods. |
- |
- multivalue_rdn.pem : A regression test for http://crbug.com/101009. A |
certificate with all of the AttributeTypeAndValues stored within a single |
RelativeDistinguishedName, rather than one AVA per RDN as normally seen. |
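Review bot: the removed blocks take their trailing blank lines with them, so after this hunk "certificates are provided." runs straight into "- test_mail_google_com.pem" and "TransportSecurityState::IsChainOfPublicKeysPermitted test." runs straight into "- multivalue_rdn.pem"; keep one blank line between entries as most of the file does.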
@@ -73,20 +104,63 @@ unit tests. |
characters such as '=' and '"' that would normally be escaped when |
converting a subject/issuer name to their stringized form. |
+- ocsp-test-root.pem : A root certificate for the code in |
+ net/tools/testserver/minica.py |
+ |
+- websocket_cacert.pem : The testing root CA for testing WebSocket client |
+ certificate authentication. |
+ This file is used in SSLUITest.TestWSSClientCert. |
+ |
+- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate |
+ and a private key created for WebSocket testing. The password is "". |
+ This file is used in SSLUITest.TestWSSClientCert. |
+ |
+- no_subject_common_name_cert.pem: Used to test the function that generates a |
+ NSS certificate nickname for a user certificate. This certificate's Subject |
+ field doesn't have a common name. |
+ |
+- quic_intermediate.crt |
+- quic_test_ecc.example.com.crt |
+- quic_test.example.com.crt |
+- quic_root.crt |
+ These certificates are used by the ProofVerifier's unit tests of QUIC. |
+ |
+===== From net/data/ssl/scripts/generate-test-certs.sh |
+- expired_cert.pem |
+- ok_cert.pem |
+- root_ca_cert.pem |
+ These certificates are the common certificates used by the Python test |
+ server for simulating HTTPS connections. |
+ |
+- name_constraint_bad.pem |
+- name_constraint_good.pem |
+ Two certificates used to test the built-in ability to restrict a root to |
+ a particular namespace. |
+ |
+- sha256.pem: Used to test the handling of SHA-256 certs on Windows. |
+ |
+- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling |
+ |
+- subjectAltName_sanity_check.pem : Used to test the handling of various types |
+ within the subjectAltName extension of a certificate. |
+ |
+- punycodetest.pem : A test self-signed server certificate with punycode name. |
+ The common name is "xn--wgv71a119e.com" (日本語.com) |
+ |
+===== From net/data/ssl/scripts/generate-weak-test-chains.sh |
- 2048-rsa-root.pem |
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem |
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by- |
{768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem |
- These certficates are generated by |
- net/data/ssl/scripts/generate-weak-test-chains.sh and used in the |
- RejectWeakKeys test in net/base/x509_certificate_unittest.cc. |
+ Test certificates used to ensure that weak keys are detected and rejected |
+===== From net/data/ssl/scripts/generate-cross-signed-certs.sh |
- cross-signed-leaf.pem |
- cross-signed-root-md5.pem |
- cross-signed-root-sha1.pem |
- A certificate chain for regression testing http://crbug.com/108514, |
- generated via scripts/generate-cross-signed-certs.sh |
+ A certificate chain for regression testing http://crbug.com/108514 |
+===== From net/data/ssl/scripts/generate-redundant-test-chains.sh |
- redundant-validated-chain.pem |
- redundant-server-chain.pem |
- redundant-validated-chain-root.pem |
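Review bot: the generation commands for sha256.pem, spdy_pooling.pem and subjectAltName_sanity_check.pem are dropped and the entries now sit under "===== From net/data/ssl/scripts/generate-test-certs.sh", which states that the script produces them; the old text attributed only expired_cert.pem, ok_cert.pem and root_ca_cert.pem to that script and gave explicit "openssl req -x509 ... -config ../scripts/ee.cnf" invocations (with the req_spdy_pooling and req_san_sanity extension sections) for the other three. Confirm the script really regenerates all of them, punycodetest.pem included, with the same extensions; otherwise keep the commands so the files stay reproducible. Also, the weak-chain description "Test certificates used to ensure that weak keys are detected and rejected" drops the pointer to the RejectWeakKeys test in net/base/x509_certificate_unittest.cc and has no terminating period; suggest "Test certificates used by the RejectWeakKeys test in net/base/x509_certificate_unittest.cc to ensure that weak keys are detected and rejected."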
@@ -99,59 +173,13 @@ unit tests. |
26 Feb 2022 and are generated by |
net/data/ssl/scripts/generate-redundant-test-chains.sh. |
-- multi-root-chain1.pem |
-- multi-root-chain2.pem |
- Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the |
- same public key) to test that certificate validation caching does not |
- interfere with the chain_verify_callback used by CertVerifyProcChromeOS. |
- See CertVerifyProcChromeOSTest. |
- |
-- comodo.chain.pem : A certificate chain for www.comodo.com which should be |
- recognised as EV. Expires Jun 21 2013. |
- |
-- ocsp-test-root.pem : A root certificate for the code in |
- net/tools/testserver/minica.py |
- |
-- sha256.pem: Used to test the handling of SHA-256 certs on Windows. |
- Generated by using the command: |
- "openssl req -x509 -days 3650 -sha256 -newkey rsa:2048 -text \ |
- -config ../scripts/ee.cnf -out sha256.pem" |
- |
-- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling |
- Generated by using the command |
- "openssl req -x509 -days 3650 -sha1 -extensions req_spdy_pooling \ |
- -config ../scripts/ee.cnf -newkey rsa:1024 -text \ |
- -out spdy_pooling.pem" |
- |
-- subjectAltName_sanity_check.pem : Used to test the handling of various types |
- within the subjectAltName extension of a certificate. Generated by using |
- the command |
- "openssl req -x509 -days 3650 -sha1 -extensions req_san_sanity \ |
- -config ../scripts/ee.cnf -newkey rsa:1024 -text \ |
- -out subjectAltName_sanity_check.pem" |
- |
-- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate. |
- This is an X.509 v1 certificate that omits the version field. Used to |
- test that the certificate version gets the default value v1. |
- |
-- websocket_cacert.pem : The testing root CA for testing WebSocket client |
- certificate authentication. |
- This file is used in SSLUITest.TestWSSClientCert. |
- |
-- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate |
- and a private key created for WebSocket testing. The password is "". |
- This file is used in SSLUITest.TestWSSClientCert. |
- |
-- android-test-key-rsa.pem |
-- android-test-key-dsa.pem |
-- android-test-key-dsa-public.pem |
-- android-test-key-ecdsa.pem |
-- android-test-key-ecdsa-public.pem |
- This is a set of test RSA/DSA/ECDSA keys used by the Android-specific |
- unit test in net/android/keystore_unittest.c. They are used to verify |
- that the OpenSSL-specific wrapper for platform PrivateKey objects |
- works properly. See the generate-android-test-keys.sh script. |
+===== From net/data/ssl/scripts/generate-policy-certs.sh |
+- explicit-policy-chain.pem |
+ A test certificate chain with requireExplicitPolicy field set on the |
+ intermediate, with SkipCerts=0. This is used for regression testing |
+ http://crbug.com/31497. |
+===== From net/data/ssl/scripts/generate-client-certificates.sh |
- client_1.pem |
- client_1.key |
- client_1.pk8 |
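Review bot: the remaining context "are generated by net/data/ssl/scripts/generate-redundant-test-chains.sh." duplicates the new section heading directly above it; the same clause was trimmed for the weak, cross-signed and client-certificate sections, so trim it here too. The removed comodo.chain.pem entry said "Expires Jun 21 2013" and the re-added one says "Expires Jun 20 2015"; only the README is in this diff, so confirm that comodo.chain.pem itself was replaced with the newer chain in the same change, otherwise the EV test will keep running against an expired chain.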
@@ -161,8 +189,7 @@ unit tests. |
- client_2.pk8 |
- client_2_ca.pem |
This is a set of files used to unit test SSL client certificate |
- authentication. These are generated by |
- net/data/ssl/scripts/generate-client-certificates.sh |
+ authentication. |
- client_1_ca.pem and client_2_ca.pem are the certificates of |
two distinct signing CAs. |
- client_1.pem and client_1.key correspond to the certificate and |
@@ -172,6 +199,18 @@ unit tests. |
- each .pk8 file contains the same key as the corresponding .key file |
as PKCS#8 PrivateKeyInfo in DER encoding. |
+===== From net/data/ssl/scripts/generate-android-test-key.sh |
+- android-test-key-rsa.pem |
+- android-test-key-dsa.pem |
+- android-test-key-dsa-public.pem |
+- android-test-key-ecdsa.pem |
+- android-test-key-ecdsa-public.pem |
+ This is a set of test RSA/DSA/ECDSA keys used by the Android-specific |
+ unit test in net/android/keystore_unittest.c. They are used to verify |
+ that the OpenSSL-specific wrapper for platform PrivateKey objects |
+ works properly. See the generate-android-test-keys.sh script. |
+ |
+===== From net/data/ssl/scripts/generate-bad-eku-certs.sh |
- eku-test-root.pem |
- non-crit-codeSigning-chain.pem |
- crit-codeSigning-chain.pem |
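Review bot: the heading "===== From net/data/ssl/scripts/generate-android-test-key.sh" disagrees with the sentence it introduces, "See the generate-android-test-keys.sh script." (singular vs. plural); one of them is wrong, so check the actual script name under net/data/ssl/scripts and make both match.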
@@ -181,6 +220,15 @@ unit tests. |
present). Since codeSigning is not valid for web server auth, the checks |
should fail. |
+===== From net/data/ssl/scripts/generate-multi-root-test-chains.sh |
+- multi-root-chain1.pem |
+- multi-root-chain2.pem |
+ Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the |
+ same public key) to test that certificate validation caching does not |
+ interfere with the chain_verify_callback used by CertVerifyProcChromeOS. |
+ See CertVerifyProcChromeOSTest. |
+ |
+===== From net/data/ssl/scripts/generate-duplicate-cn-certs.sh |
- duplicate_cn_1.p12 |
- duplicate_cn_1.pem |
- duplicate_cn_2.p12 |
@@ -194,6 +242,7 @@ unit tests. |
both the cert and a private key, since there are multiple ways to import |
certificates into NSS. |
+===== From net/data/ssl/scripts/generate-aia-certs.sh |
- aia-cert.pem |
- aia-intermediate.der |
- aia-root.pem |
@@ -204,50 +253,4 @@ unit tests. |
aia-intermediate.der is stored in DER form for convenience, since that is |
the form expected of certificates discovered via AIA. |
-- cybertrust_gte_root.pem |
-- cybertrust_baltimore_root.pem |
-- cybertrust_omniroot_chain.pem |
-- cybertrust_baltimore_cross_certified_1.pem |
-- cybertrust_baltimore_cross_certified_2.pem |
- These certificates are reflect a portion of the CyberTrust (Verizon |
- Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is |
- still widely supported, while _baltimore_root.pem reflects the newer |
- 2048-bit root. For clients that only support the GTE root, two versions |
- of the Baltimore root were cross-signed by GTE, namely |
- _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate |
- chain that was issued under the Baltimore root. Combined, these |
- certificates can be used to test real-world cross-signing; in practice, |
- they are used to test certain workarounds for OS X's chain building code. |
- |
-- no_subject_common_name_cert.pem: Used to test the function that generates a |
- NSS certificate nickname for a user certificate. This certificate's Subject |
- field doesn't have a common name. |
- |
-- expired_cert.pem |
-- ok_cert.pem |
-- root_ca_cert.pem |
- These certificates are the common certificates used by the Python test |
- server for simulating HTTPS connections. They are generated by running |
- the script net/data/ssl/scripts/generate-test-certs.sh. |
- |
-- quic_intermediate.crt |
-- quic_test_ecc.example.com.crt |
-- quic_test.example.com.crt |
-- quic_root.crt |
- These certificates are used by the ProofVerifier's unit tests of QUIC. |
- |
-- explicit-policy-chain.pem |
- A test certificate chain with requireExplicitPolicy field set on the |
- intermediate, with SkipCerts=0. This is used for regression testing |
- http://crbug.com/31497. It is generated by running the script |
- net/data/ssl/scripts/generate-policy-certs.sh |
-- ct-test-embedded-cert.pem |
-- ct-test-embedded-with-intermediate-chain.pem |
-- ct-test-embedded-with-intermediate-preca-chain.pem |
-- ct-test-embedded-with-preca-chain.pem |
- Test certificate chains for Certificate Transparency: Each of these |
- files contains a leaf certificate as the first certificate, which has |
- embedded SCTs, followed by the issuer certificates chain. |
- All files are from the src/test/testdada directory in |
- https://code.google.com/p/certificate-transparency/ |