This directory contains various certificates for use with SSL-related
unit tests.

===== Real-world certificates that need manual updating
- google.binary.p7b
- google.chain.pem
- google.pem_cert.p7b
- google.pem_pkcs7.p7b
- google.pkcs7.p7b
- google.single.der
- google.single.pem
- thawte.single.pem : Certificates for testing parsing of different formats.

- googlenew.chain.pem : The refreshed Google certificate
     (valid until Sept 30 2013).

- mit.davidben.der : An expired MIT client certificate.

- foaf.me.chromium-test-cert.der : A client certificate for a FOAF.ME identity
     created for testing.

- www_us_army_mil_cert.der
- dod_ca_17_cert.der
- dod_root_ca_2_cert.der :
     A certificate chain used for testing certificate imports

- unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing.

- google_diginotar.pem
- diginotar_public_ca_2025.pem : A certificate chain for the regression test
      of http://crbug.com/94673

- salesforce_com_test.pem
- verisign_intermediate_ca_2011.pem
- verisign_intermediate_ca_2016.pem : Certificates for testing two
     X509Certificate objects that contain the same server certificate but
     different intermediate CA certificates.  The two intermediate CA
     certificates actually represent the same intermediate CA but have
     different validity periods.

- cybertrust_gte_root.pem
- cybertrust_baltimore_root.pem
- cybertrust_omniroot_chain.pem
- cybertrust_baltimore_cross_certified_1.pem
- cybertrust_baltimore_cross_certified_2.pem
     These certificates reflect a portion of the CyberTrust (Verizon
     Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
     still widely supported, while _baltimore_root.pem reflects the newer
     2048-bit root. For clients that only support the GTE root, two versions
     of the Baltimore root were cross-signed by GTE, namely
     _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate
     chain that was issued under the Baltimore root. Combined, these
     certificates can be used to test real-world cross-signing; in practice,
     they are used to test certain workarounds for OS X's chain building code.

- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate.
     This is an X.509 v1 certificate that omits the version field. Used to
     test that the certificate version gets the default value v1.
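
The default-version rule that ndn.ca.crt exercises, as an added example that is not part of this README or of Chromium's code: a minimal DER walk in Python that reports v1 when the optional [0] version field is absent. The function names and the byte strings are constructed for illustration, and rejecting an explicitly encoded v1 is this example's strict-DER choice.

```python
# Added example (not Chromium code): read the version of a DER Certificate,
# applying DEFAULT v1 when the optional [0] EXPLICIT version field is absent.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: length in one octet
        length = first
    else:                                  # long form: low 7 bits count the length octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def certificate_version(der):
    """Return 1, 2 or 3 for a DER-encoded X.509 Certificate."""
    for what in ("Certificate", "TBSCertificate"):   # two nested SEQUENCEs
        tag, der, _ = read_tlv(der, 0)
        if tag != 0x30:
            raise ValueError(what + " is not a SEQUENCE")
    tag, wrapped, _ = read_tlv(der, 0)     # first field of TBSCertificate
    if tag != 0xA0:                        # no [0]: this is serialNumber, so v1
        return 1
    tag, raw, end = read_tlv(wrapped, 0)
    # DER never encodes a DEFAULT value, so an explicit v1 (0) is rejected too.
    if tag != 0x02 or end != len(wrapped) or raw not in (b"\x01", b"\x02"):
        raise ValueError("malformed version field")
    return raw[0] + 1

def tlv(tag, value):
    """Encode one short-form DER TLV; only used to build the samples below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed inputs: skeletons cut down to the fields the parser reads,
# not real certificates.
SERIAL = tlv(0x02, b"\x01")
V1_SKELETON = tlv(0x30, tlv(0x30, SERIAL))
V3_SKELETON = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + SERIAL))
EXPLICIT_V1 = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x00")) + SERIAL))
```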

- ct-test-embedded-cert.pem
- ct-test-embedded-with-intermediate-chain.pem
- ct-test-embedded-with-intermediate-preca-chain.pem
- ct-test-embedded-with-preca-chain.pem
     Test certificate chains for Certificate Transparency: Each of these
     files contains a leaf certificate as the first certificate, which has
     embedded SCTs, followed by the issuer certificates chain.
     All files are from the src/test/testdada directory in
     https://code.google.com/p/certificate-transparency/

- comodo.chain.pem : A certificate chain for www.comodo.com which should be
     recognised as EV. Expires Jun 20 2015.

===== Manually generated certificates
- client.p12 : A PKCS #12 file containing a client certificate and a private
     key created for testing.  The password is "12345".

- client-nokey.p12 : A PKCS #12 file containing a client certificate (the same
     as the one in client.p12) but no private key. The password is "12345".

- unittest.selfsigned.der : A self-signed certificate generated using private
     key in unittest.key.bin. The common name is "unittest".

- unittest.key.bin : private key stored unencrypted.

- unittest.originbound.der: A test origin-bound certificate for
     https://www.google.com:443.
- unittest.originbound.key.der: matching PrivateKeyInfo.

- x509_verify_results.chain.pem : A simple certificate chain used to test that
    the correctly ordered, filtered certificate chain is returned during
    verification, regardless of the order in which the intermediate/root CA
    certificates are provided.

- test_mail_google_com.pem : A certificate signed by the test CA for
    "mail.google.com". Because it is signed by that CA instead of the true CA
    for that host, it will fail the
    TransportSecurityState::IsChainOfPublicKeysPermitted test.

- multivalue_rdn.pem : A regression test for http://crbug.com/101009. A
     certificate with all of the AttributeTypeAndValues stored within a single
     RelativeDistinguishedName, rather than one AVA per RDN as normally seen.

- unescaped.pem : Regression test for http://crbug.com/102839. Contains
     characters such as '=' and '"' that would normally be escaped when
     converting a subject/issuer name to their stringized form.

- ocsp-test-root.pem : A root certificate for the code in
      net/tools/testserver/minica.py

- websocket_cacert.pem : The testing root CA for testing WebSocket client
     certificate authentication.
     This file is used in SSLUITest.TestWSSClientCert.

- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate
     and a private key created for WebSocket testing. The password is "".
     This file is used in SSLUITest.TestWSSClientCert.

- no_subject_common_name_cert.pem: Used to test the function that generates a
  NSS certificate nickname for a user certificate. This certificate's Subject
  field doesn't have a common name.

- quic_intermediate.crt
- quic_test_ecc.example.com.crt
- quic_test.example.com.crt
- quic_root.crt
     These certificates are used by the ProofVerifier's unit tests of QUIC.

===== From net/data/ssl/scripts/generate-test-certs.sh
- expired_cert.pem
- ok_cert.pem
- root_ca_cert.pem
     These certificates are the common certificates used by the Python test
     server for simulating HTTPS connections.

- name_constraint_bad.pem
- name_constraint_good.pem
    Two certificates used to test the built-in ability to restrict a root to
    a particular namespace.

- sha256.pem: Used to test the handling of SHA-256 certs on Windows.

- spdy_pooling.pem : Used to test the handling of SPDY IP connection pooling.

- subjectAltName_sanity_check.pem : Used to test the handling of various types
     within the subjectAltName extension of a certificate.

- punycodetest.pem : A test self-signed server certificate with punycode name.
     The common name is "xn--wgv71a119e.com" (日本語.com)

===== From net/data/ssl/scripts/generate-weak-test-chains.sh
- 2048-rsa-root.pem
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
      {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
      Test certificates used to ensure that weak keys are detected and rejected

===== From net/data/ssl/scripts/generate-cross-signed-certs.sh
- cross-signed-leaf.pem
- cross-signed-root-md5.pem
- cross-signed-root-sha1.pem
     A certificate chain for regression testing http://crbug.com/108514

===== From net/data/ssl/scripts/generate-redundant-test-chains.sh
- redundant-validated-chain.pem
- redundant-server-chain.pem
- redundant-validated-chain-root.pem

     Two chains, A -> B -> C -> D and A -> B -> C2 (C and C2 share the same
     public key) to test that SSLInfo gets the reconstructed, re-ordered
     chain instead of the chain as served. See
     SSLClientSocketTest.VerifyReturnChainProperlyOrdered in
     net/socket/ssl_client_socket_unittest.cc. These chains are valid until
     26 Feb 2022 and are generated by
     net/data/ssl/scripts/generate-redundant-test-chains.sh.

===== From net/data/ssl/scripts/generate-policy-certs.sh
- explicit-policy-chain.pem
     A test certificate chain with requireExplicitPolicy field set on the
     intermediate, with SkipCerts=0. This is used for regression testing
     http://crbug.com/31497.

===== From net/data/ssl/scripts/generate-client-certificates.sh
- client_1.pem
- client_1.key
- client_1.pk8
- client_1_ca.pem
- client_2.pem
- client_2.key
- client_2.pk8
- client_2_ca.pem
     This is a set of files used to unit test SSL client certificate
     authentication.
     - client_1_ca.pem and client_2_ca.pem are the certificates of
       two distinct signing CAs.
     - client_1.pem and client_1.key correspond to the certificate and
       private key for a first certificate signed by client_1_ca.pem.
     - client_2.pem and client_2.key correspond to the certificate and
       private key for a second certificate signed by client_2_ca.pem.
     - each .pk8 file contains the same key as the corresponding .key file
       as PKCS#8 PrivateKeyInfo in DER encoding.

===== From net/data/ssl/scripts/generate-android-test-key.sh
- android-test-key-rsa.pem
- android-test-key-dsa.pem
- android-test-key-dsa-public.pem
- android-test-key-ecdsa.pem
- android-test-key-ecdsa-public.pem
     This is a set of test RSA/DSA/ECDSA keys used by the Android-specific
     unit test in net/android/keystore_unittest.c. They are used to verify
     that the OpenSSL-specific wrapper for platform PrivateKey objects
     works properly. See the generate-android-test-keys.sh script.

===== From net/data/ssl/scripts/generate-bad-eku-certs.sh
- eku-test-root.pem
- non-crit-codeSigning-chain.pem
- crit-codeSigning-chain.pem
     Two code-signing certificates (eKU: codeSigning; eKU: critical,
     codeSigning) which we use to test that clients are making sure that web
     server certs are checked for correct eKU fields (when an eKU field is
     present). Since codeSigning is not valid for web server auth, the checks
     should fail.

===== From net/data/ssl/scripts/generate-multi-root-test-chains.sh
- multi-root-chain1.pem
- multi-root-chain2.pem
     Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the
     same public key) to test that certificate validation caching does not
     interfere with the chain_verify_callback used by CertVerifyProcChromeOS.
     See CertVerifyProcChromeOSTest.

===== From net/data/ssl/scripts/generate-duplicate-cn-certs.sh
- duplicate_cn_1.p12
- duplicate_cn_1.pem
- duplicate_cn_2.p12
- duplicate_cn_2.pem
     Two certificates from the same issuer that share the same common name,
     but have distinct subject names (namely, their O fields differ). NSS
     requires that certificates have unique nicknames if they do not share the
     same subject, and these certificates are used to test that the nickname
     generation algorithm generates unique nicknames.
     The .pem versions contain just the certs, while the .p12 versions contain
     both the cert and a private key, since there are multiple ways to import
     certificates into NSS.

===== From net/data/ssl/scripts/generate-aia-certs.sh
- aia-cert.pem
- aia-intermediate.der
- aia-root.pem
     A certificate chain which we use to ensure AIA fetching works correctly
     when using NSS to verify certificates (which uses our HTTP stack).
     aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL
     containing the intermediate, which can be served via a URLRequestFilter.
     aia-intermediate.der is stored in DER form for convenience, since that is
     the form expected of certificates discovered via AIA.