This directory contains various certificates for use with SSL-related
unit tests.

- google.binary.p7b
- google.chain.pem
- google.pem_cert.p7b
- google.pem_pkcs7.p7b
- google.pkcs7.p7b
- google.single.der
- google.single.pem
- thawte.single.pem : Certificates for testing parsing of different formats.

- googlenew.chain.pem : The refreshed Google certificate
     (valid until Sept 30 2013).

- mit.davidben.der : An expired MIT client certificate.

- foaf.me.chromium-test-cert.der : A client certificate for a FOAF.ME identity
     created for testing.

- www_us_army_mil_cert.der
- dod_ca_17_cert.der
- dod_root_ca_2_cert.der :
     A certificate chain used for testing certificate imports

- unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing.

- client.p12 : A PKCS #12 file containing a client certificate and a private
     key created for testing.  The password is "12345".

- client-nokey.p12 : A PKCS #12 file containing a client certificate (the same
     as the one in client.p12) but no private key. The password is "12345".

- punycodetest.der : A test self-signed server certificate with punycode name.
     The common name is "xn--wgv71a119e.com" (日本語.com)

- unittest.selfsigned.der : A self-signed certificate generated using private
     key in unittest.key.bin. The common name is "unittest".

- unittest.key.bin : private key stored unencrypted.

- unittest.originbound.der: A test origin-bound certificate for
     https://www.google.com:443.
- unittest.originbound.key.der: matching PrivateKeyInfo.

- x509_verify_results.chain.pem : A simple certificate chain used to test that
    the correctly ordered, filtered certificate chain is returned during
    verification, regardless of the order in which the intermediate/root CA
    certificates are provided.

- google_diginotar.pem
- diginotar_public_ca_2025.pem : A certificate chain for the regression test
      of http://crbug.com/94673

- test_mail_google_com.pem : A certificate signed by the test CA for
    "mail.google.com". Because it is signed by that CA instead of the true CA
    for that host, it will fail the
    TransportSecurityState::IsChainOfPublicKeysPermitted test.

- salesforce_com_test.pem
- verisign_intermediate_ca_2011.pem
- verisign_intermediate_ca_2016.pem : Certificates for testing two
     X509Certificate objects that contain the same server certificate but
     different intermediate CA certificates.  The two intermediate CA
     certificates actually represent the same intermediate CA but have
     different validity periods.

- multivalue_rdn.pem : A regression test for http://crbug.com/101009. A
     certificate with all of the AttributeTypeAndValues stored within a single
     RelativeDistinguishedName, rather than one AVA per RDN as normally seen.

- unescaped.pem : Regression test for http://crbug.com/102839. Contains
     characters such as '=' and '"' that would normally be escaped when
     converting a subject/issuer name to their stringized form.

- 2048-rsa-root.pem
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
      {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
     These certificates are generated by
     net/data/ssl/scripts/generate-weak-test-chains.sh and used in the
     RejectWeakKeys test in net/base/x509_certificate_unittest.cc.

- cross-signed-leaf.pem
- cross-signed-root-md5.pem
- cross-signed-root-sha1.pem
     A certificate chain for regression testing http://crbug.com/108514,
     generated via scripts/generate-cross-signed-certs.sh

- redundant-validated-chain.pem
- redundant-server-chain.pem
- redundant-validated-chain-root.pem

     Two chains, A -> B -> C -> D and A -> B -> C2 (C and C2 share the same
     public key) to test that SSLInfo gets the reconstructed, re-ordered
     chain instead of the chain as served. See
     SSLClientSocketTest.VerifyReturnChainProperlyOrdered in
     net/socket/ssl_client_socket_unittest.cc. These chains are valid until
     26 Feb 2022 and are generated by
     net/data/ssl/scripts/generate-redundant-test-chains.sh.

- comodo.chain.pem : A certificate chain for www.comodo.com which should be
     recognised as EV. Expires Jun 21 2013.

- ocsp-test-root.pem : A root certificate for the code in
      net/tools/testserver/minica.py

- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling
     Generated by using the command
     "openssl req -x509 -days 3650 -sha1 -extensions req_spdy_pooling \
          -config ../scripts/ee.cnf -newkey rsa:1024 -text \
          -out spdy_pooling.pem"

- subjectAltName_sanity_check.pem : Used to test the handling of various types
     within the subjectAltName extension of a certificate. Generated by using
     the command
     "openssl req -x509 -days 3650 -sha1 -extensions req_san_sanity \
          -config ../scripts/ee.cnf -newkey rsa:1024 -text \
          -out subjectAltName_sanity_check.pem"

- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate.
     This is an X.509 v1 certificate that omits the version field. Used to
     test that the certificate version gets the default value v1.

- websocket_cacert.pem : The testing root CA for testing WebSocket client
     certificate authentication.
     This file is used in SSLUITest.TestWSSClientCert.

- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate
     and a private key created for WebSocket testing. The password is "".
     This file is used in SSLUITest.TestWSSClientCert.

- android-test-key-rsa.pem
- android-test-key-dsa.pem
- android-test-key-dsa-public.pem
- android-test-key-ecdsa.pem
- android-test-key-ecdsa-public.pem
     This is a set of test RSA/DSA/ECDSA keys used by the Android-specific
     unit test in net/android/keystore_unittest.c. They are used to verify
     that the OpenSSL-specific wrapper for platform PrivateKey objects
     works properly. See the generate-android-test-keys.sh script.

- client_1.pem
- client_1.key
- client_1_ca.pem
- client_2.pem
- client_2.key
- client_2_ca.pem
     This is a set of files used to unit test SSL client certificate
     authentication. These are generated by
     net/data/ssl/scripts/generate-client-certificates.sh
     - client_1_ca.pem and client_2_ca.pem are the certificates of
       two distinct signing CAs.
     - client_1.pem and client_1.key correspond to the certificate and
       private key for a first certificate signed by client_1_ca.pem.
     - client_2.pem and client_2.key correspond to the certificate and
       private key for a second certificate signed by client_2_ca.pem.

- eku-test-root.pem
- non-crit-codeSigning-chain.pem
- crit-codeSigning-chain.pem
     Two code-signing certificates (eKU: codeSigning; eKU: critical,
     codeSigning) which we use to test that clients are making sure that web
     server certs are checked for correct eKU fields (when an eKU field is
     present). Since codeSigning is not valid for web server auth, the checks
     should fail.

- duplicate_cn_1.p12
- duplicate_cn_1.pem
- duplicate_cn_2.p12
- duplicate_cn_2.pem
     Two certificates from the same issuer that share the same common name,
     but have distinct subject names (namely, their O fields differ). NSS
     requires that certificates have unique nicknames if they do not share the
     same subject, and these certificates are used to test that the nickname
     generation algorithm generates unique nicknames.
     The .pem versions contain just the certs, while the .p12 versions contain
     both the cert and a private key, since there are multiple ways to import
     certificates into NSS.

- aia-cert.pem
- aia-intermediate.der
- aia-root.pem
     A certificate chain which we use to ensure AIA fetching works correctly
     when using NSS to verify certificates (which uses our HTTP stack).
     aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL
     containing the intermediate, which can be served via a URLRequestFilter.
     aia-intermediate.der is stored in DER form for convenience, since that is
     the form expected of certificates discovered via AIA.

- cybertrust_gte_root.pem
- cybertrust_baltimore_root.pem
- cybertrust_omniroot_chain.pem
- cybertrust_baltimore_cross_certified_1.pem
- cybertrust_baltimore_cross_certified_2.pem
     These certificates reflect a portion of the CyberTrust (Verizon
     Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
     still widely supported, while _baltimore_root.pem reflects the newer
     2048-bit root. For clients that only support the GTE root, two versions
     of the Baltimore root were cross-signed by GTE, namely
     _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate
     chain that was issued under the Baltimore root. Combined, these
     certificates can be used to test real-world cross-signing; in practice,
     they are used to test certain workarounds for OS X's chain building code.

- no_subject_common_name_cert.pem: Used to test the function that generates a
  NSS certificate nickname for a user certificate. This certificate's Subject
  field doesn't have a common name.

- expired_cert.pem
- ok_cert.pem
- root_ca_cert.pem
     These certificates are the common certificates used by the Python test
     server for simulating HTTPS connections. They are generated by running
     the script net/data/ssl/scripts/generate-test-certs.sh.

- quic_intermediate.crt
- quic_test_ecc.example.com.crt
- quic_test.example.com.crt
- quic_root.crt
     These certificates are used by the ProofVerifier's unit tests of QUIC.

- explicit-policy-chain.pem
     A test certificate chain with requireExplicitPolicy field set on the
     intermediate, with SkipCerts=0. This is used for regression testing
     http://crbug.com/31497. It is generated by running the script
     net/data/ssl/scripts/generate-policy-certs.sh

- ct-test-embedded-cert.pem
- ct-test-embedded-with-intermediate-chain.pem
- ct-test-embedded-with-intermediate-preca-chain.pem
- ct-test-embedded-with-preca-chain.pem
     Test certificate chains for Certificate Transparency: Each of these
     files contains a leaf certificate as the first certificate, which has
     embedded SCTs, followed by the issuer certificates chain.
     All files are from the src/test/testdata directory in
     https://code.google.com/p/certificate-transparency/