//! # Pre-built X509 certificates.
//!
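//! This crate provides cryptographic certificates and keys, meant for testing TLS
//! clients and servers. The private keys are published with the crate, so none of
//! these certificates or roots should be trusted outside of tests.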
//!
//! The certificates are meant to look realistic: they have most of the extensions that
//! real-world certificates have, and try to follow the CA/Browser Forum (CAB) guidelines
//! as a real CA would.
//!
//! This crate contains no code or dependencies, just `const` byte arrays containing
//! pre-generated certificates and private keys.
//!
//! If you would like to generate your own certificates, please try the `x509-test-gen`
//! crate. It contains the code that was used to generate the certificates in the
//! `x509-test-certs` crate.
pub mod good_certs1 {
    //! One root CA, one server certificate and one client certificate.
    //!
    //! Use this set to exercise the success path of client or server certificate
    //! validation.
    //!
    //! All keys are RSA (2048 bit) and all digests are SHA-256.
    //!
    //! The server certificate is issued for the DNS name `test-server`. Either make that
    //! name resolve to your test server (spoofed DNS) or instruct your client to verify
    //! against that name.
    //!
    //! The client certificate is issued for the email address `test@example.com`.
    //!
    //! The client and server certificates are both issued under the same root certificate.
    //!
    //! Every private key here ships inside the published crate and is therefore public.
    //! Load `ROOT_CERT_*` only into the trust configuration of a test; a deployment that
    //! trusts this root accepts certificates anyone can mint.
    //!
    // A quick test of these certificates:
    // openssl s_server -accept 9999 -cert server_cert.pem -key server_key.pem
    // openssl s_client -verify_return_error -connect localhost:9999 -CAfile root_cert.pem -verify_hostname test-server

    // ---- root ----

    /// PEM encoding of the root certificate.
    pub const ROOT_CERT_PEM: &[u8] = include_bytes!("../static-certs/good_certs1/root_cert.pem");
    /// DER encoding of the root certificate.
    pub const ROOT_CERT_DER: &[u8] = include_bytes!("../static-certs/good_certs1/root_cert.der");
    /// PEM encoding of the root private key (publicly known; test use only).
    pub const ROOT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs1/root_key.pem");
    /// DER encoding of the root private key (publicly known; test use only).
    pub const ROOT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs1/root_key.der");

    // ---- server ----

    /// PEM encoding of the server certificate.
    pub const SERVER_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs1/server_cert.pem");
    /// DER encoding of the server certificate.
    pub const SERVER_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs1/server_cert.der");
    /// PEM encoding of the server private key (publicly known; test use only).
    pub const SERVER_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs1/server_key.pem");
    /// DER encoding of the server private key (publicly known; test use only).
    pub const SERVER_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs1/server_key.der");

    // ---- client ----

    /// PEM encoding of the client certificate.
    pub const CLIENT_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs1/client_cert.pem");
    /// DER encoding of the client certificate.
    pub const CLIENT_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs1/client_cert.der");
    /// PEM encoding of the client private key (publicly known; test use only).
    pub const CLIENT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs1/client_key.pem");
    /// DER encoding of the client private key (publicly known; test use only).
    pub const CLIENT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs1/client_key.der");
}
pub mod good_certs2 {
    //! A root CA, an intermediate CA, and client and server certificates.
    //!
    //! Use this set to exercise the success path of client or server certificate
    //! validation when the chain contains an intermediate.
    //!
    //! All keys are RSA (2048 bit) and all digests are SHA-256.
    //!
    //! The server certificate is issued for the DNS name `test-server`. Either make that
    //! name resolve to your test server (spoofed DNS) or instruct your client to verify
    //! against that name.
    //!
    //! The client certificate is issued for the email address `test@example.com`.
    //!
    //! The client and server certificates share the same signature chain:
    //! ```txt
    //!         root
    //!          |
    //!     intermediate
    //!       /      \
    //!   client    server
    //! ```
    //!
    //! Every private key here, including both CA keys, ships inside the published crate
    //! and is therefore public. Load `ROOT_CERT_*` and `INTERMEDIATE_CERT_*` only into the
    //! trust configuration of a test, never into one used for real traffic.
    //!
    // A quick test of these certificates:
    // openssl s_client -verify_return_error -connect localhost:9999 -CAfile root_cert.pem -verify_hostname test-server -cert client_cert.pem -key client_key.pem
    // openssl s_server -accept 9999 -cert server_cert.pem -key server_key.pem -chainCAfile intermediate_cert.pem -verifyCAfile root_cert.pem -Verify 9
    // (`-Verify` makes s_server require a client certificate, so this also checks the client chain.)

    // ---- root ----

    /// PEM encoding of the root certificate.
    pub const ROOT_CERT_PEM: &[u8] = include_bytes!("../static-certs/good_certs2/root_cert.pem");
    /// DER encoding of the root certificate.
    pub const ROOT_CERT_DER: &[u8] = include_bytes!("../static-certs/good_certs2/root_cert.der");
    /// PEM encoding of the root private key (publicly known; test use only).
    pub const ROOT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs2/root_key.pem");
    /// DER encoding of the root private key (publicly known; test use only).
    pub const ROOT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs2/root_key.der");

    // ---- intermediate CA ----

    /// PEM encoding of the intermediate CA certificate.
    pub const INTERMEDIATE_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs2/intermediate_cert.pem");
    /// DER encoding of the intermediate CA certificate.
    pub const INTERMEDIATE_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs2/intermediate_cert.der");
    /// PEM encoding of the intermediate CA key (publicly known; test use only).
    pub const INTERMEDIATE_KEY_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs2/intermediate_key.pem");
    /// DER encoding of the intermediate CA key (publicly known; test use only).
    pub const INTERMEDIATE_KEY_DER: &[u8] =
        include_bytes!("../static-certs/good_certs2/intermediate_key.der");

    // ---- server ----

    /// PEM encoding of the server certificate.
    pub const SERVER_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs2/server_cert.pem");
    /// DER encoding of the server certificate.
    pub const SERVER_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs2/server_cert.der");
    /// PEM encoding of the server private key (publicly known; test use only).
    pub const SERVER_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs2/server_key.pem");
    /// DER encoding of the server private key (publicly known; test use only).
    pub const SERVER_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs2/server_key.der");

    // ---- client ----

    /// PEM encoding of the client certificate.
    pub const CLIENT_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs2/client_cert.pem");
    /// DER encoding of the client certificate.
    pub const CLIENT_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs2/client_cert.der");
    /// PEM encoding of the client private key (publicly known; test use only).
    pub const CLIENT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs2/client_key.pem");
    /// DER encoding of the client private key (publicly known; test use only).
    pub const CLIENT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs2/client_key.der");
}
pub mod good_certs3 {
    //! A root and a client certificate that carries additional name types.
    //!
    //! Use this set to exercise successful client certificate decoding and authorization.
    //!
    //! All keys are RSA (2048 bit) and all digests are SHA-256.
    //!
    //! The client certificate has a Subject Alternative Name extension holding three
    //! names: a common name, a serial number, and a role.
    //!
    //! Every private key here ships inside the published crate and is therefore public.
    //! Authorization decisions derived from this client certificate (for example from its
    //! role name) are only meaningful inside a test that trusts `ROOT_CERT_*`.
    //!

    // ---- root ----

    /// PEM encoding of the root certificate.
    pub const ROOT_CERT_PEM: &[u8] = include_bytes!("../static-certs/good_certs3/root_cert.pem");
    /// DER encoding of the root certificate.
    pub const ROOT_CERT_DER: &[u8] = include_bytes!("../static-certs/good_certs3/root_cert.der");
    /// PEM encoding of the root private key (publicly known; test use only).
    pub const ROOT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs3/root_key.pem");
    /// DER encoding of the root private key (publicly known; test use only).
    pub const ROOT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs3/root_key.der");

    // ---- client ----

    /// PEM encoding of the client certificate.
    pub const CLIENT_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs3/client_cert.pem");
    /// DER encoding of the client certificate.
    pub const CLIENT_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs3/client_cert.der");
    /// PEM encoding of the client private key (publicly known; test use only).
    pub const CLIENT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs3/client_key.pem");
    /// DER encoding of the client private key (publicly known; test use only).
    pub const CLIENT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs3/client_key.der");
}
pub mod bad_certs1 {
    //! A CA and an improperly signed server certificate.
    //!
    //! Use this set to check that server validation fails when it should.
    //!
    //! All keys are RSA (2048 bit) and all digests are SHA-256.
    //!
    //! The server certificate is issued for the DNS name `test-server`. Either make that
    //! name resolve to your test server (spoofed DNS) or instruct your client to verify
    //! against that name.
    //!
    //! When writing the negative test, configure the client exactly as for a passing case
    //! (trusting `ROOT_CERT_*`, expecting `test-server`) and assert on the reported error,
    //! so the test cannot pass merely because of a name mismatch or a missing trust
    //! anchor. How the signature is made invalid is not described in this module.
    //!
    //! Every private key here ships inside the published crate and is therefore public.
    //!

    // ---- root ----

    /// PEM encoding of the root certificate.
    pub const ROOT_CERT_PEM: &[u8] = include_bytes!("../static-certs/bad_certs1/root_cert.pem");
    /// DER encoding of the root certificate.
    pub const ROOT_CERT_DER: &[u8] = include_bytes!("../static-certs/bad_certs1/root_cert.der");
    /// PEM encoding of the root private key (publicly known; test use only).
    pub const ROOT_KEY_PEM: &[u8] = include_bytes!("../static-certs/bad_certs1/root_key.pem");
    /// DER encoding of the root private key (publicly known; test use only).
    pub const ROOT_KEY_DER: &[u8] = include_bytes!("../static-certs/bad_certs1/root_key.der");

    // ---- server (improperly signed) ----

    /// PEM encoding of the improperly signed server certificate.
    pub const SERVER_CERT_PEM: &[u8] = include_bytes!("../static-certs/bad_certs1/server_cert.pem");
    /// DER encoding of the improperly signed server certificate.
    pub const SERVER_CERT_DER: &[u8] = include_bytes!("../static-certs/bad_certs1/server_cert.der");
    /// PEM encoding of the server private key (publicly known; test use only).
    pub const SERVER_KEY_PEM: &[u8] = include_bytes!("../static-certs/bad_certs1/server_key.pem");
    /// DER encoding of the server private key (publicly known; test use only).
    pub const SERVER_KEY_DER: &[u8] = include_bytes!("../static-certs/bad_certs1/server_key.der");
}