Diffstat (limited to 'chromium/net/data/ssl/certificates/README')
-rw-r--r-- chromium/net/data/ssl/certificates/README 228
1 files changed, 228 insertions, 0 deletions
diff --git a/chromium/net/data/ssl/certificates/README b/chromium/net/data/ssl/certificates/README
new file mode 100644
index 00000000000..01f6dfd69c8
--- /dev/null
+++ b/chromium/net/data/ssl/certificates/README
@@ -0,0 +1,228 @@
+This directory contains various certificates for use with SSL-related
+unit tests.
+
+- google.binary.p7b
+- google.chain.pem
+- google.pem_cert.p7b
+- google.pem_pkcs7.p7b
+- google.pkcs7.p7b
+- google.single.der
+- google.single.pem
+- thawte.single.pem : Certificates for testing parsing of different formats.
+
+- googlenew.chain.pem : The refreshed Google certificate
+ (valid until Sept 30 2013).
+
+- mit.davidben.der : An expired MIT client certificate.
+
+- foaf.me.chromium-test-cert.der : A client certificate for a FOAF.ME identity
+ created for testing.
+
+- www_us_army_mil_cert.der
+- dod_ca_17_cert.der
+- dod_root_ca_2_cert.der :
+ A certificate chain used for testing certificate imports
+
+- unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing.
+
+- client.p12 : A PKCS #12 file containing a client certificate and a private
+ key created for testing. The password is "12345".
+
+- client-nokey.p12 : A PKCS #12 file containing a client certificate (the same
+ as the one in client.p12) but no private key. The password is "12345".
+
+- punycodetest.der : A test self-signed server certificate with punycode name.
+ The common name is "xn--wgv71a119e.com" (日本語.com)
+
+- unittest.selfsigned.der : A self-signed certificate generated using private
+ key in unittest.key.bin. The common name is "unittest".
+
+- unittest.key.bin : private key stored unencrypted.
+
+- unittest.originbound.der: A test origin-bound certificate for
+ https://www.google.com:443.
+- unittest.originbound.key.der: matching PrivateKeyInfo.
+
+- x509_verify_results.chain.pem : A simple certificate chain used to test that
+ the correctly ordered, filtered certificate chain is returned during
+ verification, regardless of the order in which the intermediate/root CA
+ certificates are provided.
+
+- google_diginotar.pem
+- diginotar_public_ca_2025.pem : A certificate chain for the regression test
+ of http://crbug.com/94673
+
+- test_mail_google_com.pem : A certificate signed by the test CA for
+ "mail.google.com". Because it is signed by that CA instead of the true CA
+ for that host, it will fail the
+ TransportSecurityState::IsChainOfPublicKeysPermitted test.
+
+- salesforce_com_test.pem
+- verisign_intermediate_ca_2011.pem
+- verisign_intermediate_ca_2016.pem : Certificates for testing two
+ X509Certificate objects that contain the same server certificate but
+ different intermediate CA certificates. The two intermediate CA
+ certificates actually represent the same intermediate CA but have
+ different validity periods.
+
+- multivalue_rdn.pem : A regression test for http://crbug.com/101009. A
+ certificate with all of the AttributeTypeAndValues stored within a single
+ RelativeDistinguishedName, rather than one AVA per RDN as normally seen.
+
+- unescaped.pem : Regression test for http://crbug.com/102839. Contains
+ characters such as '=' and '"' that would normally be escaped when
+ converting a subject/issuer name to their stringized form.
+
+- 2048-rsa-root.pem
+- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
+- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
+ {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
+ These certficates are generated by
+ net/data/ssl/scripts/generate-weak-test-chains.sh and used in the
+ RejectWeakKeys test in net/base/x509_certificate_unittest.cc.
+
+- cross-signed-leaf.pem
+- cross-signed-root-md5.pem
+- cross-signed-root-sha1.pem
+ A certificate chain for regression testing http://crbug.com/108514,
+ generated via scripts/generate-cross-signed-certs.sh
+
+- redundant-validated-chain.pem
+- redundant-server-chain.pem
+- redundant-validated-chain-root.pem
+
+ Two chains, A -> B -> C -> D and A -> B -> C2 (C and C2 share the same
+ public key) to test that SSLInfo gets the reconstructed, re-ordered
+ chain instead of the chain as served. See
+ SSLClientSocketTest.VerifyReturnChainProperlyOrdered in
+ net/socket/ssl_client_socket_unittest.cc. These chains are valid until
+ 26 Feb 2022 and are generated by
+ net/data/ssl/scripts/generate-redundant-test-chains.sh.
+
+- comodo.chain.pem : A certificate chain for www.comodo.com which should be
+ recognised as EV. Expires Jun 21 2013.
+
+- ocsp-test-root.pem : A root certificate for the code in
+ net/tools/testserver/minica.py
+
+- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling
+ Generated by using the command
+ "openssl req -x509 -days 3650 -sha1 -extensions req_spdy_pooling \
+ -config ../scripts/ee.cnf -newkey rsa:1024 -text \
+ -out spdy_pooling.pem"
+
+- subjectAltName_sanity_check.pem : Used to test the handling of various types
+ within the subjectAltName extension of a certificate. Generated by using
+ the command
+ "openssl req -x509 -days 3650 -sha1 -extensions req_san_sanity \
+ -config ../scripts/ee.cnf -newkey rsa:1024 -text \
+ -out subjectAltName_sanity_check.pem"
+
+- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate.
+ This is an X.509 v1 certificate that omits the version field. Used to
+ test that the certificate version gets the default value v1.
+
+- websocket_cacert.pem : The testing root CA for testing WebSocket client
+ certificate authentication.
+ This file is used in SSLUITest.TestWSSClientCert.
+
+- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate
+ and a private key created for WebSocket testing. The password is "".
+ This file is used in SSLUITest.TestWSSClientCert.
+
+- android-test-key-rsa.pem
+- android-test-key-dsa.pem
+- android-test-key-dsa-public.pem
+- android-test-key-ecdsa.pem
+- android-test-key-ecdsa-public.pem
+ This is a set of test RSA/DSA/ECDSA keys used by the Android-specific
+ unit test in net/android/keystore_unittest.c. They are used to verify
+ that the OpenSSL-specific wrapper for platform PrivateKey objects
+ works properly. See the generate-android-test-keys.sh script.
+
+- client_1.pem
+- client_1.key
+- client_1_ca.pem
+- client_2.pem
+- client_2.key
+- client_2_ca.pem
+ This is a set of files used to unit test SSL client certificate
+ authentication. These are generated by
+ net/data/ssl/scripts/generate-client-certificates.sh
+ - client_1_ca.pem and client_2_ca.pem are the certificates of
+ two distinct signing CAs.
+ - client_1.pem and client_1.key correspond to the certificate and
+ private key for a first certificate signed by client_1_ca.pem.
+ - client_2.pem and client_2.key correspond to the certificate and
+ private key for a second certificate signed by client_2_ca.pem.
+
+- eku-test-root.pem
+- non-crit-codeSigning-chain.pem
+- crit-codeSigning-chain.pem
+ Two code-signing certificates (eKU: codeSigning; eKU: critical,
+ codeSigning) which we use to test that clients are making sure that web
+ server certs are checked for correct eKU fields (when an eKU field is
+ present). Since codeSigning is not valid for web server auth, the checks
+ should fail.
+
+- duplicate_cn_1.p12
+- duplicate_cn_1.pem
+- duplicate_cn_2.p12
+- duplicate_cn_2.pem
+ Two certificates from the same issuer that share the same common name,
+ but have distinct subject names (namely, their O fields differ). NSS
+ requires that certificates have unique nicknames if they do not share the
+ same subject, and these certificates are used to test that the nickname
+ generation algorithm generates unique nicknames.
+ The .pem versions contain just the certs, while the .p12 versions contain
+ both the cert and a private key, since there are multiple ways to import
+ certificates into NSS.
+
+- aia-cert.pem
+- aia-intermediate.der
+- aia-root.pem
+ A certificate chain which we use to ensure AIA fetching works correctly
+ when using NSS to verify certificates (which uses our HTTP stack).
+ aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL
+ containing the intermediate, which can be served via a URLRequestFilter.
+ aia-intermediate.der is stored in DER form for convenience, since that is
+ the form expected of certificates discovered via AIA.
+
+- cybertrust_gte_root.pem
+- cybertrust_baltimore_root.pem
+- cybertrust_omniroot_chain.pem
+- cybertrust_baltimore_cross_certified_1.pem
+- cybertrust_baltimore_cross_certified_2.pem
+ These certificates are reflect a portion of the CyberTrust (Verizon
+ Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
+ still widely supported, while _baltimore_root.pem reflects the newer
+ 2048-bit root. For clients that only support the GTE root, two versions
+ of the Baltimore root were cross-signed by GTE, namely
+ _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate
+ chain that was issued under the Baltimore root. Combined, these
+ certificates can be used to test real-world cross-signing; in practice,
+ they are used to test certain workarounds for OS X's chain building code.
+
+- no_subject_common_name_cert.pem: Used to test the function that generates a
+ NSS certificate nickname for a user certificate. This certificate's Subject
+ field doesn't have a common name.
+
+- expired_cert.pem
+- ok_cert.pem
+- root_ca_cert.pem
+ These certificates are the common certificates used by the Python test
+ server for simulating HTTPS connections. They are generated by running
+ the script net/data/ssl/scripts/generate-test-certs.sh.
+
+- quic_intermediate.crt
+- quic_test_ecc.example.com.crt
+- quic_test.example.com.crt
+- quic_root.crt
+ These certificates are used by the ProofVerifier's unit tests of QUIC.
+
+- explicit-policy-chain.pem
+ A test certificate chain with requireExplicitPolicy field set on the
+ intermediate, with SkipCerts=0. This is used for regression testing
+ http://crbug.com/31497. It is generated by running the script
+ net/data/ssl/scripts/generate-policy-certs.sh
+
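Review bot: The entries for certificates with a fixed expiry (googlenew.chain.pem, "valid until Sept 30 2013", and comodo.chain.pem, "Expires Jun 21 2013") do not say how the file is to be refreshed or whether the tests using it pin the verification time, so a test failure after that date will be hard to trace back to this directory; please add that to each entry, as the redundant-* entry does by naming its generator script next to its "valid until 26 Feb 2022" date. Since the file records key material that is deliberately weak or exposed (client.p12 with password "12345", unittest.key.bin "stored unencrypted", the 768-rsa and 1024-rsa chains), a sentence in the opening paragraph stating that everything here is test-only and must never be added to a trust store or reused elsewhere would help. Smaller points: script references are inconsistent ("scripts/generate-cross-signed-certs.sh" and a bare "generate-android-test-keys.sh" against the full "net/data/ssl/scripts/..." path used elsewhere); "net/android/keystore_unittest.c" should be checked against the ".cc" suffix used for the other unit test paths; and there are two typos, "certficates" in the weak-key entry and "These certificates are reflect" in the CyberTrust entry.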