x509_test_certs/lib.rs
//! # Pre-built X509 certificates.
//!
//! This crate provides cryptographic certificates and keys, meant for testing TLS
//! clients and servers.
//!
//! The certificates are meant to look realistic: they have most of the extensions that
//! real-world certificates have, and try to follow the CA/Browser Forum (CAB) guidelines
//! as a real CA would.
//!
//! This crate contains no code or dependencies, just `const` byte arrays containing
//! pre-generated certificates and private keys. Because the private keys are published
//! with the crate, they are not secret: use this material only in tests, and never add
//! these root certificates to a trust store that guards real traffic.
//!
//! If you would like to generate your own certificates, please try the `x509-test-gen`
//! crate. It contains the code that was used to generate the certificates in the
//! `x509-test-certs` crate.
pub mod good_certs1 {
    //! A collection of CA, client and server certificates.
    //!
    //! The certificates can be used to test successful client or server validation.
    //!
    //! The keys are RSA (2048 bit) and digests are SHA-256.
    //!
    //! The server certificate is for a DNS name `test-server`. You may need
    //! to spoof DNS or instruct your client to use this name.
    //!
    //! The client certificate is for an email address `test@example.com`.
    //!
    //! The client and server certificates share the same root certificate.
    //!
    //! # Security
    //!
    //! Every private key in this module, including the root CA key, is compiled
    //! into the crate and is therefore public. Trust `ROOT_CERT_PEM` /
    //! `ROOT_CERT_DER` only inside test fixtures: a trust store that contains
    //! this root accepts certificates signed by anyone who has this crate.

    // A quick test of these certificates (file names match those under
    // `static-certs/good_certs1/`):
    // openssl s_server -accept 9999 -cert server_cert.pem -key server_key.pem
    // openssl s_client -verify_return_error -connect localhost:9999 -CAfile root_cert.pem -verify_hostname test-server
    //
    // `-verify_hostname test-server` checks the certificate against the name it
    // was issued for even though the connection goes to `localhost`.
    //
    // NOTE(review): the encoding of the `*_KEY_DER` files (PKCS#1 vs PKCS#8) is
    // not stated in this file; confirm before choosing a key parser.

    /// The root private key, in PEM format.
    ///
    /// Published with the crate, so it is not a secret.
    pub const ROOT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs1/root_key.pem");
    /// The root private key, in DER format.
    ///
    /// Published with the crate, so it is not a secret.
    pub const ROOT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs1/root_key.der");
    /// The root certificate, in PEM format.
    pub const ROOT_CERT_PEM: &[u8] = include_bytes!("../static-certs/good_certs1/root_cert.pem");
    /// The root certificate, in DER format.
    pub const ROOT_CERT_DER: &[u8] = include_bytes!("../static-certs/good_certs1/root_cert.der");

    /// The server private key, in PEM format.
    pub const SERVER_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs1/server_key.pem");
    /// The server private key, in DER format.
    pub const SERVER_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs1/server_key.der");
    /// The server certificate (DNS name `test-server`), in PEM format.
    pub const SERVER_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs1/server_cert.pem");
    /// The server certificate (DNS name `test-server`), in DER format.
    pub const SERVER_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs1/server_cert.der");

    /// The client private key, in PEM format.
    pub const CLIENT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs1/client_key.pem");
    /// The client private key, in DER format.
    pub const CLIENT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs1/client_key.der");
    /// The client certificate (email address `test@example.com`), in PEM format.
    pub const CLIENT_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs1/client_cert.pem");
    /// The client certificate (email address `test@example.com`), in DER format.
    pub const CLIENT_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs1/client_cert.der");
}
pub mod good_certs2 {
    //! A collection of CA, intermediate, client and server certificates.
    //!
    //! The certificates can be used to test successful client or server validation.
    //!
    //! The keys are RSA (2048 bit) and digests are SHA-256.
    //!
    //! The server certificate is for a DNS name `test-server`. You may need
    //! to spoof DNS or instruct your client to use this name.
    //!
    //! The client certificate is for an email address `test@example.com`.
    //!
    //! The client and server certificates share the same signature chain:
    //! ```txt
    //!        root
    //!         |
    //!    intermediate
    //!      /      \
    //!  client    server
    //! ```
    //!
    //! Because the leaves are issued by the intermediate, a peer that is given
    //! only the root as its trust anchor must also be sent `INTERMEDIATE_CERT_*`
    //! to build the chain.
    //!
    //! # Security
    //!
    //! Every private key in this module, including the root and intermediate CA
    //! keys, is compiled into the crate and is therefore public. Trust
    //! `ROOT_CERT_*` and `INTERMEDIATE_CERT_*` only inside test fixtures: a
    //! trust store that contains them accepts certificates signed by anyone who
    //! has this crate.

    // A quick test of these certificates (file names match those under
    // `static-certs/good_certs2/`):
    // openssl s_client -verify_return_error -connect localhost:9999 -CAfile root_cert.pem -verify_hostname test-server -cert client_cert.pem -key client_key.pem
    // openssl s_server -accept 9999 -cert server_cert.pem -key server_key.pem -chainCAfile intermediate_cert.pem -verifyCAfile root_cert.pem -Verify 9
    //
    // `-Verify 9` makes the server require a client certificate (verification
    // depth 9), so this pair exercises mutual TLS.
    //
    // NOTE(review): the encoding of the `*_KEY_DER` files (PKCS#1 vs PKCS#8) is
    // not stated in this file; confirm before choosing a key parser.

    /// The root private key, in PEM format.
    ///
    /// Published with the crate, so it is not a secret.
    pub const ROOT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs2/root_key.pem");
    /// The root private key, in DER format.
    ///
    /// Published with the crate, so it is not a secret.
    pub const ROOT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs2/root_key.der");
    /// The root certificate, in PEM format.
    pub const ROOT_CERT_PEM: &[u8] = include_bytes!("../static-certs/good_certs2/root_cert.pem");
    /// The root certificate, in DER format.
    pub const ROOT_CERT_DER: &[u8] = include_bytes!("../static-certs/good_certs2/root_cert.der");

    /// The intermediate CA key, in PEM format.
    ///
    /// Published with the crate, so it is not a secret.
    pub const INTERMEDIATE_KEY_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs2/intermediate_key.pem");
    /// The intermediate CA key, in DER format.
    ///
    /// Published with the crate, so it is not a secret.
    pub const INTERMEDIATE_KEY_DER: &[u8] =
        include_bytes!("../static-certs/good_certs2/intermediate_key.der");
    /// The intermediate CA certificate, in PEM format.
    pub const INTERMEDIATE_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs2/intermediate_cert.pem");
    /// The intermediate CA certificate, in DER format.
    pub const INTERMEDIATE_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs2/intermediate_cert.der");

    /// The server private key, in PEM format.
    pub const SERVER_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs2/server_key.pem");
    /// The server private key, in DER format.
    pub const SERVER_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs2/server_key.der");
    /// The server certificate (DNS name `test-server`), in PEM format.
    pub const SERVER_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs2/server_cert.pem");
    /// The server certificate (DNS name `test-server`), in DER format.
    pub const SERVER_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs2/server_cert.der");

    /// The client private key, in PEM format.
    pub const CLIENT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs2/client_key.pem");
    /// The client private key, in DER format.
    pub const CLIENT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs2/client_key.der");
    /// The client certificate (email address `test@example.com`), in PEM format.
    pub const CLIENT_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs2/client_cert.pem");
    /// The client certificate (email address `test@example.com`), in DER format.
    pub const CLIENT_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs2/client_cert.der");
}
pub mod good_certs3 {
    //! A client certificate with additional name types.
    //!
    //! The certificates can be used to test successful client certificate decoding and authorization.
    //!
    //! The keys are RSA (2048 bit) and digests are SHA-256.
    //!
    //! The client certificate contains a Subject Alternative Name extension containing
    //! three names: a common name, a serial number, and a role.
    //!
    //! This module exposes only root and client material; it has no server
    //! certificate or key.
    //!
    //! # Security
    //!
    //! Every private key in this module, including the root CA key, is compiled
    //! into the crate and is therefore public. Authorization code that is tested
    //! with this certificate must not end up trusting `ROOT_CERT_*` outside the
    //! test suite: anyone who has this crate can issue a certificate carrying
    //! any role under this root.

    // NOTE(review): this file does not say which GeneralName types carry the
    // common name, serial number and role, nor their values; check
    // `x509-test-gen` before asserting on them in a test.
    //
    // NOTE(review): the encoding of the `*_KEY_DER` files (PKCS#1 vs PKCS#8) is
    // not stated in this file; confirm before choosing a key parser.

    /// The root private key, in PEM format.
    ///
    /// Published with the crate, so it is not a secret.
    pub const ROOT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs3/root_key.pem");
    /// The root private key, in DER format.
    ///
    /// Published with the crate, so it is not a secret.
    pub const ROOT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs3/root_key.der");
    /// The root certificate, in PEM format.
    pub const ROOT_CERT_PEM: &[u8] = include_bytes!("../static-certs/good_certs3/root_cert.pem");
    /// The root certificate, in DER format.
    pub const ROOT_CERT_DER: &[u8] = include_bytes!("../static-certs/good_certs3/root_cert.der");

    /// The client private key, in PEM format.
    pub const CLIENT_KEY_PEM: &[u8] = include_bytes!("../static-certs/good_certs3/client_key.pem");
    /// The client private key, in DER format.
    pub const CLIENT_KEY_DER: &[u8] = include_bytes!("../static-certs/good_certs3/client_key.der");
    /// The client certificate (with the three Subject Alternative Names), in PEM format.
    pub const CLIENT_CERT_PEM: &[u8] =
        include_bytes!("../static-certs/good_certs3/client_cert.pem");
    /// The client certificate (with the three Subject Alternative Names), in DER format.
    pub const CLIENT_CERT_DER: &[u8] =
        include_bytes!("../static-certs/good_certs3/client_cert.der");
}
pub mod bad_certs1 {
    //! CA and improperly signed server certificates.
    //!
    //! The certificates can be used to test server validation failure.
    //!
    //! The keys are RSA (2048 bit) and digests are SHA-256.
    //!
    //! The server certificate is for a DNS name `test-server`. You may need
    //! to spoof DNS or instruct your client to use this name.
    //!
    //! # Writing the negative test
    //!
    //! Connect using the name `test-server` and assert on the reason for the
    //! rejection, not only on the fact that the handshake failed. If the client
    //! uses a different name, validation can fail on the hostname check alone,
    //! and the test passes without ever exercising signature verification.
    //!
    //! # Security
    //!
    //! Every private key in this module, including the root CA key, is compiled
    //! into the crate and is therefore public; use this material only in tests.

    // NOTE(review): this file does not say how the server certificate is
    // mis-signed (for example a different issuer key or a corrupted signature);
    // check `x509-test-gen` if a test depends on the exact failure.
    //
    // NOTE(review): the encoding of the `*_KEY_DER` files (PKCS#1 vs PKCS#8) is
    // not stated in this file; confirm before choosing a key parser.

    /// The root private key, in PEM format.
    ///
    /// Published with the crate, so it is not a secret.
    pub const ROOT_KEY_PEM: &[u8] = include_bytes!("../static-certs/bad_certs1/root_key.pem");
    /// The root private key, in DER format.
    ///
    /// Published with the crate, so it is not a secret.
    pub const ROOT_KEY_DER: &[u8] = include_bytes!("../static-certs/bad_certs1/root_key.der");
    /// The root certificate, in PEM format.
    pub const ROOT_CERT_PEM: &[u8] = include_bytes!("../static-certs/bad_certs1/root_cert.pem");
    /// The root certificate, in DER format.
    pub const ROOT_CERT_DER: &[u8] = include_bytes!("../static-certs/bad_certs1/root_cert.der");

    /// The server private key, in PEM format.
    pub const SERVER_KEY_PEM: &[u8] = include_bytes!("../static-certs/bad_certs1/server_key.pem");
    /// The server private key, in DER format.
    pub const SERVER_KEY_DER: &[u8] = include_bytes!("../static-certs/bad_certs1/server_key.der");
    /// The improperly signed server certificate, in PEM format.
    pub const SERVER_CERT_PEM: &[u8] = include_bytes!("../static-certs/bad_certs1/server_cert.pem");
    /// The improperly signed server certificate, in DER format.
    pub const SERVER_CERT_DER: &[u8] = include_bytes!("../static-certs/bad_certs1/server_cert.der");
}