| Index: net/data/ssl/certificates/README
|
| diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README
|
| index a3a94c807f3cc7321245f9d5b24f915cd6f0c3fe..5d1faf2602e93cac097843f2fd24e1b62a7401b7 100644
|
| --- a/net/data/ssl/certificates/README
|
| +++ b/net/data/ssl/certificates/README
|
| @@ -1,6 +1,7 @@
|
| This directory contains various certificates for use with SSL-related
|
| unit tests.
|
|
|
| +===== Real-world certificates that need manual updating
|
| - google.binary.p7b
|
| - google.chain.pem
|
| - google.pem_cert.p7b
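Review bot: The new "===== Real-world certificates that need manual updating" heading promises that the entries under it will need refreshing, but none of the three google.* lines says when; the comodo.chain.pem entry added later in this change records "Expires Jun 20 2015", and the google.binary.p7b, google.chain.pem and google.pem_cert.p7b entries should carry the same kind of note so a maintainer can see which real-world files are about to expire without parsing them.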
|
| @@ -25,15 +26,57 @@ unit tests.
|
|
|
| - unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing.
|
|
|
| +- google_diginotar.pem
|
| +- diginotar_public_ca_2025.pem : A certificate chain for the regression test
|
| + of http://crbug.com/94673
|
| +
|
| +- salesforce_com_test.pem
|
| +- verisign_intermediate_ca_2011.pem
|
| +- verisign_intermediate_ca_2016.pem : Certificates for testing two
|
| + X509Certificate objects that contain the same server certificate but
|
| + different intermediate CA certificates. The two intermediate CA
|
| + certificates actually represent the same intermediate CA but have
|
| + different validity periods.
|
| +
|
| +- cybertrust_gte_root.pem
|
| +- cybertrust_baltimore_root.pem
|
| +- cybertrust_omniroot_chain.pem
|
| +- cybertrust_baltimore_cross_certified_1.pem
|
| +- cybertrust_baltimore_cross_certified_2.pem
|
| + These certificates are reflect a portion of the CyberTrust (Verizon
|
| + Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
|
| + still widely supported, while _baltimore_root.pem reflects the newer
|
| + 2048-bit root. For clients that only support the GTE root, two versions
|
| + of the Baltimore root were cross-signed by GTE, namely
|
| + _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate
|
| + chain that was issued under the Baltimore root. Combined, these
|
| + certificates can be used to test real-world cross-signing; in practice,
|
| + they are used to test certain workarounds for OS X's chain building code.
|
| +
|
| +- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate.
|
| + This is an X.509 v1 certificate that omits the version field. Used to
|
| + test that the certificate version gets the default value v1.
|
| +
|
| +- ct-test-embedded-cert.pem
|
| +- ct-test-embedded-with-intermediate-chain.pem
|
| +- ct-test-embedded-with-intermediate-preca-chain.pem
|
| +- ct-test-embedded-with-preca-chain.pem
|
| + Test certificate chains for Certificate Transparency: Each of these
|
| + files contains a leaf certificate as the first certificate, which has
|
| + embedded SCTs, followed by the issuer certificates chain.
|
| + All files are from the src/test/testdada directory in
|
| + https://code.google.com/p/certificate-transparency/
|
| +
|
| +- comodo.chain.pem : A certificate chain for www.comodo.com which should be
|
| + recognised as EV. Expires Jun 20 2015.
|
| +
|
| +===== Manually generated certificates
|
| - client.p12 : A PKCS #12 file containing a client certificate and a private
|
| key created for testing. The password is "12345".
|
|
|
| - client-nokey.p12 : A PKCS #12 file containing a client certificate (the same
|
| as the one in client.p12) but no private key. The password is "12345".
|
|
|
| -- punycodetest.der : A test self-signed server certificate with punycode name.
|
| - The common name is "xn--wgv71a119e.com" (日本語.com)
|
| -
|
| - unittest.selfsigned.der : A self-signed certificate generated using private
|
| key in unittest.key.bin. The common name is "unittest".
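Review bot: Two typos survive the move into this hunk and should be fixed while the lines are being rewritten as "+" lines: "+  These certificates are reflect a portion of the CyberTrust (Verizon" should read "These certificates reflect a portion", and "+  All files are from the src/test/testdada directory in" should read "src/test/testdata". Separately, this hunk deletes the "- punycodetest.der" entry while a later hunk adds "punycodetest.pem" under generate-test-certs.sh; confirm that the .der file is actually removed or renamed in this change, otherwise the README stops describing a file that still exists in the directory.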
|
|
|
| @@ -48,23 +91,11 @@ unit tests.
|
| verification, regardless of the order in which the intermediate/root CA
|
| certificates are provided.
|
|
|
| -- google_diginotar.pem
|
| -- diginotar_public_ca_2025.pem : A certificate chain for the regression test
|
| - of http://crbug.com/94673
|
| -
|
| - test_mail_google_com.pem : A certificate signed by the test CA for
|
| "mail.google.com". Because it is signed by that CA instead of the true CA
|
| for that host, it will fail the
|
| TransportSecurityState::IsChainOfPublicKeysPermitted test.
|
|
|
| -- salesforce_com_test.pem
|
| -- verisign_intermediate_ca_2011.pem
|
| -- verisign_intermediate_ca_2016.pem : Certificates for testing two
|
| - X509Certificate objects that contain the same server certificate but
|
| - different intermediate CA certificates. The two intermediate CA
|
| - certificates actually represent the same intermediate CA but have
|
| - different validity periods.
|
| -
|
| - multivalue_rdn.pem : A regression test for http://crbug.com/101009. A
|
| certificate with all of the AttributeTypeAndValues stored within a single
|
| RelativeDistinguishedName, rather than one AVA per RDN as normally seen.
|
| @@ -73,20 +104,63 @@ unit tests.
|
| characters such as '=' and '"' that would normally be escaped when
|
| converting a subject/issuer name to their stringized form.
|
|
|
| +- ocsp-test-root.pem : A root certificate for the code in
|
| + net/tools/testserver/minica.py
|
| +
|
| +- websocket_cacert.pem : The testing root CA for testing WebSocket client
|
| + certificate authentication.
|
| + This file is used in SSLUITest.TestWSSClientCert.
|
| +
|
| +- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate
|
| + and a private key created for WebSocket testing. The password is "".
|
| + This file is used in SSLUITest.TestWSSClientCert.
|
| +
|
| +- no_subject_common_name_cert.pem: Used to test the function that generates a
|
| + NSS certificate nickname for a user certificate. This certificate's Subject
|
| + field doesn't have a common name.
|
| +
|
| +- quic_intermediate.crt
|
| +- quic_test_ecc.example.com.crt
|
| +- quic_test.example.com.crt
|
| +- quic_root.crt
|
| + These certificates are used by the ProofVerifier's unit tests of QUIC.
|
| +
|
| +===== From net/data/ssl/scripts/generate-test-certs.sh
|
| +- expired_cert.pem
|
| +- ok_cert.pem
|
| +- root_ca_cert.pem
|
| + These certificates are the common certificates used by the Python test
|
| + server for simulating HTTPS connections.
|
| +
|
| +- name_constraint_bad.pem
|
| +- name_constraint_good.pem
|
| + Two certificates used to test the built-in ability to restrict a root to
|
| + a particular namespace.
|
| +
|
| +- sha256.pem: Used to test the handling of SHA-256 certs on Windows.
|
| +
|
| +- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling
|
| +
|
| +- subjectAltName_sanity_check.pem : Used to test the handling of various types
|
| + within the subjectAltName extension of a certificate.
|
| +
|
| +- punycodetest.pem : A test self-signed server certificate with punycode name.
|
| + The common name is "xn--wgv71a119e.com" (日本語.com)
|
| +
|
| +===== From net/data/ssl/scripts/generate-weak-test-chains.sh
|
| - 2048-rsa-root.pem
|
| - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
|
| - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
|
| {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
|
| - These certficates are generated by
|
| - net/data/ssl/scripts/generate-weak-test-chains.sh and used in the
|
| - RejectWeakKeys test in net/base/x509_certificate_unittest.cc.
|
| + Test certificates used to ensure that weak keys are detected and rejected
|
|
|
| +===== From net/data/ssl/scripts/generate-cross-signed-certs.sh
|
| - cross-signed-leaf.pem
|
| - cross-signed-root-md5.pem
|
| - cross-signed-root-sha1.pem
|
| - A certificate chain for regression testing http://crbug.com/108514,
|
| - generated via scripts/generate-cross-signed-certs.sh
|
| + A certificate chain for regression testing http://crbug.com/108514
|
|
|
| +===== From net/data/ssl/scripts/generate-redundant-test-chains.sh
|
| - redundant-validated-chain.pem
|
| - redundant-server-chain.pem
|
| - redundant-validated-chain-root.pem
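Review bot: The new generate-test-certs.sh section loses provenance that the replaced entries carried: the removed sha256.pem, spdy_pooling.pem and subjectAltName_sanity_check.pem entries recorded the exact openssl invocations (for example "-extensions req_spdy_pooling" and "-extensions req_san_sanity" against ../scripts/ee.cnf, and "-sha256 -newkey rsa:2048" for sha256.pem), whereas the replacement entries say nothing about how the files are produced. Check that generate-test-certs.sh really generates these three files with those settings before dropping the commands; if it does not, they belong under "Manually generated certificates" with the commands kept. In the same hunk, "+  Test certificates used to ensure that weak keys are detected and rejected" drops the pointer to the RejectWeakKeys test in net/base/x509_certificate_unittest.cc and is missing a terminating period; keep the test reference, since the neighbouring entries name the tests that consume them.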
|
| @@ -99,59 +173,13 @@ unit tests.
|
| 26 Feb 2022 and are generated by
|
| net/data/ssl/scripts/generate-redundant-test-chains.sh.
|
|
|
| -- multi-root-chain1.pem
|
| -- multi-root-chain2.pem
|
| - Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the
|
| - same public key) to test that certificate validation caching does not
|
| - interfere with the chain_verify_callback used by CertVerifyProcChromeOS.
|
| - See CertVerifyProcChromeOSTest.
|
| -
|
| -- comodo.chain.pem : A certificate chain for www.comodo.com which should be
|
| - recognised as EV. Expires Jun 21 2013.
|
| -
|
| -- ocsp-test-root.pem : A root certificate for the code in
|
| - net/tools/testserver/minica.py
|
| -
|
| -- sha256.pem: Used to test the handling of SHA-256 certs on Windows.
|
| - Generated by using the command:
|
| - "openssl req -x509 -days 3650 -sha256 -newkey rsa:2048 -text \
|
| - -config ../scripts/ee.cnf -out sha256.pem"
|
| -
|
| -- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling
|
| - Generated by using the command
|
| - "openssl req -x509 -days 3650 -sha1 -extensions req_spdy_pooling \
|
| - -config ../scripts/ee.cnf -newkey rsa:1024 -text \
|
| - -out spdy_pooling.pem"
|
| -
|
| -- subjectAltName_sanity_check.pem : Used to test the handling of various types
|
| - within the subjectAltName extension of a certificate. Generated by using
|
| - the command
|
| - "openssl req -x509 -days 3650 -sha1 -extensions req_san_sanity \
|
| - -config ../scripts/ee.cnf -newkey rsa:1024 -text \
|
| - -out subjectAltName_sanity_check.pem"
|
| -
|
| -- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate.
|
| - This is an X.509 v1 certificate that omits the version field. Used to
|
| - test that the certificate version gets the default value v1.
|
| -
|
| -- websocket_cacert.pem : The testing root CA for testing WebSocket client
|
| - certificate authentication.
|
| - This file is used in SSLUITest.TestWSSClientCert.
|
| -
|
| -- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate
|
| - and a private key created for WebSocket testing. The password is "".
|
| - This file is used in SSLUITest.TestWSSClientCert.
|
| -
|
| -- android-test-key-rsa.pem
|
| -- android-test-key-dsa.pem
|
| -- android-test-key-dsa-public.pem
|
| -- android-test-key-ecdsa.pem
|
| -- android-test-key-ecdsa-public.pem
|
| - This is a set of test RSA/DSA/ECDSA keys used by the Android-specific
|
| - unit test in net/android/keystore_unittest.c. They are used to verify
|
| - that the OpenSSL-specific wrapper for platform PrivateKey objects
|
| - works properly. See the generate-android-test-keys.sh script.
|
| +===== From net/data/ssl/scripts/generate-policy-certs.sh
|
| +- explicit-policy-chain.pem
|
| + A test certificate chain with requireExplicitPolicy field set on the
|
| + intermediate, with SkipCerts=0. This is used for regression testing
|
| + http://crbug.com/31497.
|
|
|
| +===== From net/data/ssl/scripts/generate-client-certificates.sh
|
| - client_1.pem
|
| - client_1.key
|
| - client_1.pk8
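Review bot: The comodo.chain.pem expiry changes from "Expires Jun 21 2013" (removed in this hunk) to "Expires Jun 20 2015" (added under the real-world heading), which only makes sense if the certificate file itself was refreshed; confirm comodo.chain.pem is updated in the same change as the README, otherwise the EV test keeps exercising an already-expired chain while the documentation claims two more years of validity.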
|
| @@ -161,8 +189,7 @@ unit tests.
|
| - client_2.pk8
|
| - client_2_ca.pem
|
| This is a set of files used to unit test SSL client certificate
|
| - authentication. These are generated by
|
| - net/data/ssl/scripts/generate-client-certificates.sh
|
| + authentication.
|
| - client_1_ca.pem and client_2_ca.pem are the certificates of
|
| two distinct signing CAs.
|
| - client_1.pem and client_1.key correspond to the certificate and
|
| @@ -172,6 +199,18 @@ unit tests.
|
| - each .pk8 file contains the same key as the corresponding .key file
|
| as PKCS#8 PrivateKeyInfo in DER encoding.
|
|
|
| +===== From net/data/ssl/scripts/generate-android-test-key.sh
|
| +- android-test-key-rsa.pem
|
| +- android-test-key-dsa.pem
|
| +- android-test-key-dsa-public.pem
|
| +- android-test-key-ecdsa.pem
|
| +- android-test-key-ecdsa-public.pem
|
| + This is a set of test RSA/DSA/ECDSA keys used by the Android-specific
|
| + unit test in net/android/keystore_unittest.c. They are used to verify
|
| + that the OpenSSL-specific wrapper for platform PrivateKey objects
|
| + works properly. See the generate-android-test-keys.sh script.
|
| +
|
| +===== From net/data/ssl/scripts/generate-bad-eku-certs.sh
|
| - eku-test-root.pem
|
| - non-crit-codeSigning-chain.pem
|
| - crit-codeSigning-chain.pem
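Review bot: The heading "+===== From net/data/ssl/scripts/generate-android-test-key.sh" and the body line "+  works properly. See the generate-android-test-keys.sh script." name the script differently (key vs. keys); only one of them can match the file on disk, so make both use the real script name. The body sentence then becomes redundant with the heading and can be dropped, as was done for the client-certificates and policy-certs entries elsewhere in this change.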
|
| @@ -181,6 +220,15 @@ unit tests.
|
| present). Since codeSigning is not valid for web server auth, the checks
|
| should fail.
|
|
|
| +===== From net/data/ssl/scripts/generate-multi-root-test-chains.sh
|
| +- multi-root-chain1.pem
|
| +- multi-root-chain2.pem
|
| + Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the
|
| + same public key) to test that certificate validation caching does not
|
| + interfere with the chain_verify_callback used by CertVerifyProcChromeOS.
|
| + See CertVerifyProcChromeOSTest.
|
| +
|
| +===== From net/data/ssl/scripts/generate-duplicate-cn-certs.sh
|
| - duplicate_cn_1.p12
|
| - duplicate_cn_1.pem
|
| - duplicate_cn_2.p12
|
| @@ -194,6 +242,7 @@ unit tests.
|
| both the cert and a private key, since there are multiple ways to import
|
| certificates into NSS.
|
|
|
| +===== From net/data/ssl/scripts/generate-aia-certs.sh
|
| - aia-cert.pem
|
| - aia-intermediate.der
|
| - aia-root.pem
|
| @@ -204,50 +253,4 @@ unit tests.
|
| aia-intermediate.der is stored in DER form for convenience, since that is
|
| the form expected of certificates discovered via AIA.
|
|
|
| -- cybertrust_gte_root.pem
|
| -- cybertrust_baltimore_root.pem
|
| -- cybertrust_omniroot_chain.pem
|
| -- cybertrust_baltimore_cross_certified_1.pem
|
| -- cybertrust_baltimore_cross_certified_2.pem
|
| - These certificates are reflect a portion of the CyberTrust (Verizon
|
| - Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
|
| - still widely supported, while _baltimore_root.pem reflects the newer
|
| - 2048-bit root. For clients that only support the GTE root, two versions
|
| - of the Baltimore root were cross-signed by GTE, namely
|
| - _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate
|
| - chain that was issued under the Baltimore root. Combined, these
|
| - certificates can be used to test real-world cross-signing; in practice,
|
| - they are used to test certain workarounds for OS X's chain building code.
|
| -
|
| -- no_subject_common_name_cert.pem: Used to test the function that generates a
|
| - NSS certificate nickname for a user certificate. This certificate's Subject
|
| - field doesn't have a common name.
|
| -
|
| -- expired_cert.pem
|
| -- ok_cert.pem
|
| -- root_ca_cert.pem
|
| - These certificates are the common certificates used by the Python test
|
| - server for simulating HTTPS connections. They are generated by running
|
| - the script net/data/ssl/scripts/generate-test-certs.sh.
|
| -
|
| -- quic_intermediate.crt
|
| -- quic_test_ecc.example.com.crt
|
| -- quic_test.example.com.crt
|
| -- quic_root.crt
|
| - These certificates are used by the ProofVerifier's unit tests of QUIC.
|
| -
|
| -- explicit-policy-chain.pem
|
| - A test certificate chain with requireExplicitPolicy field set on the
|
| - intermediate, with SkipCerts=0. This is used for regression testing
|
| - http://crbug.com/31497. It is generated by running the script
|
| - net/data/ssl/scripts/generate-policy-certs.sh
|
|
|
| -- ct-test-embedded-cert.pem
|
| -- ct-test-embedded-with-intermediate-chain.pem
|
| -- ct-test-embedded-with-intermediate-preca-chain.pem
|
| -- ct-test-embedded-with-preca-chain.pem
|
| - Test certificate chains for Certificate Transparency: Each of these
|
| - files contains a leaf certificate as the first certificate, which has
|
| - embedded SCTs, followed by the issuer certificates chain.
|
| - All files are from the src/test/testdada directory in
|
| - https://code.google.com/p/certificate-transparency/
|
|
|