This project helps with the testing of X.509 PKIX (RFC5280) implementations, by providing test certificates and automation.
The original idea for this project was to work through the text of RFC5280 and create an invalid test certificate corresponding to each MUST or SHOULD clause in the RFC. These invalid certificates are then signed by a fake CA, and can be fed to various TLS implementations to see whether they are accepted.
This project relies on the following tools being available:

 - the `ascii2der` and `der2ascii` tools from the der-ascii open source project
The project is built from the top-level `Makefile`, where the `check` target will:

 - Generate a private key (`ca/fake-ca.private.pem`) for the fake CA, and build a corresponding CA certificate (in …)
 - Build the test certificates (from `tbs/*.tbs`), signed by the fake CA (in …)
The project is organized as follows.

 - `tbs/` directory holds the test certificates, in the form of ASCII files suitable for feeding to the `ascii2der` tool. These certificates are in the form of the `TBSCertificate` ASN.1 type, and they pull in shared common fragments (from the `tbs/fragment/` subdirectory) using a `#include` extension to the ASCII format.
 - `tbs2/` directory holds pairs of certificates where the leaf certificate (`*.leaf.tbs`) is signed by an intermediate CA certificate (…).
 - `scripts/` directory holds scripts that allow the certificates to be fed to the different TLS implementations and their results checked.
 - `cfg/` directory holds additional configuration files, e.g. for controlling OpenSSL's certificate generation process.
 - `third_party/ietf/` holds local copies of the relevant specifications and RFCs.
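To make the `tbs/` layout and the "one invalid certificate per MUST clause" idea concrete, here is an added example in Python; it is not code from x509test or from der-ascii. It assembles a `TBSCertificate` written in der-ascii syntax from shared fragments via the `#include` extension, encodes it to DER, and derives one x509test-style negative case (a serial number that violates the RFC 5280 4.1.2.2 requirement that serial numbers be positive) by changing a single token. The fragment file names, the exact `#include "name"` spelling, and the sample contents are assumptions; the project itself runs the `ascii2der` tool rather than this encoder, and then signs the result with the fake CA.

```python
"""Assemble a TBSCertificate from der-ascii-style text plus '#include' fragments.
Added example, not x509test's or der-ascii's own code: it implements only the subset of
der-ascii syntax used below (the project runs ascii2der instead) and assumes the x509test
include form is '#include "name"' on a line of its own."""
import re

# Constructed stand-ins for files under tbs/fragment/ (the file names are assumed).
FRAGMENTS = {
    "version-v3.frag": "[0] { INTEGER { 2 } }",
    "sha256-rsa.frag": "SEQUENCE { OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 } NULL {} }",
    "rsa-key.frag": "SEQUENCE { OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 } NULL {} }",
    "fake-ca-name.frag": 'SEQUENCE { SET { SEQUENCE { OBJECT_IDENTIFIER { 2.5.4.3 } UTF8String { "Fake CA" } } } }',
    "validity.frag": 'SEQUENCE { UTCTime { "200101000000Z" } UTCTime { "300101000000Z" } }',
}
# Constructed stand-in for a tbs/*.tbs file; the BIT STRING holds placeholder bytes, not a real key.
TBS_VALID = '''
SEQUENCE {                          # TBSCertificate
  #include "version-v3.frag"
  INTEGER { 1 }                     # serialNumber: RFC 5280 4.1.2.2 says it MUST be positive
  #include "sha256-rsa.frag"        # signature
  #include "fake-ca-name.frag"      # issuer
  #include "validity.frag"
  #include "fake-ca-name.frag"      # subject (same as issuer, for brevity)
  SEQUENCE {                        # subjectPublicKeyInfo
    #include "rsa-key.frag"
    BIT_STRING { `00` `0102` }
  }
}
'''
# One x509test-style test case: break that MUST clause by making the serial negative.
TBS_NEGATIVE_SERIAL = TBS_VALID.replace("INTEGER { 1 }", "INTEGER { -1 }")

UNIVERSAL = {"INTEGER": 0x02, "BIT_STRING": 0x03, "OCTET_STRING": 0x04, "NULL": 0x05,
             "OBJECT_IDENTIFIER": 0x06, "UTF8String": 0x0C, "PrintableString": 0x13,
             "UTCTime": 0x17, "SEQUENCE": 0x30, "SET": 0x31}
INCLUDE = re.compile(r'^[ \t]*#include[ \t]+"([^"]+)"[ \t]*(?:#[^\n]*)?$', re.M)
TOKEN = re.compile(r'(?P<ws>\s+|#[^\n]*)|(?P<open>\{)|(?P<close>\})|`(?P<hex>[0-9a-fA-F]*)`'
                   r'|"(?P<str>[^"]*)"|\[(?P<ctx>\d+)\]|(?P<num>-?\d+(?:\.\d+)*)|(?P<word>\w+)')

def preprocess(text, fragments, depth=0):
    """Splice fragment text in place of each '#include' line; fragments may nest."""
    if depth > 8:
        raise ValueError("#include nesting too deep")
    return INCLUDE.sub(lambda m: preprocess(fragments[m.group(1)], fragments, depth + 1), text)

def tokenize(text):
    pos = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError("bad token at offset %d: %r" % (pos, text[pos:pos + 12]))
        pos = m.end()
        if m.lastgroup != "ws":             # whitespace and '#' comments carry no data
            yield m.lastgroup, m.group(m.lastgroup)

def _length(n):                             # DER definite-length encoding
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _oid(dotted):                           # first two arcs combined, then base-128 per arc
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def _parse_items(tokens, i, tag_name=None):
    """Encode items until '}' or end of input; returns (bytes, index of the stopping token)."""
    out = bytearray()
    while i < len(tokens) and tokens[i][0] != "close":
        kind, val = tokens[i]
        i += 1
        if kind in ("word", "ctx"):         # a tag: its braced contents become one TLV
            tag = 0xA0 | int(val) if kind == "ctx" else UNIVERSAL[val]  # [n] is constructed by default
            if i >= len(tokens) or tokens[i][0] != "open":
                raise ValueError("expected '{' after " + val)
            content, i = _parse_items(tokens, i + 1, val)
            if i >= len(tokens):
                raise ValueError("missing '}' for " + val)
            out += bytes([tag]) + _length(len(content)) + content
            i += 1                          # step over the '}'
        elif kind == "num" and tag_name == "OBJECT_IDENTIFIER":
            out += _oid(val)
        elif kind == "num":                 # minimal two's-complement INTEGER contents
            out += int(val).to_bytes((int(val).bit_length() + 8) // 8, "big", signed=True)
        elif kind == "str":
            out += val.encode("utf-8")
        elif kind == "hex":                 # backtick literal, copied verbatim
            out += bytes.fromhex(val)
        else:
            raise ValueError("unexpected " + val)
    return bytes(out), i

def encode(text, fragments=None):
    """der-ascii-style text (plus '#include') -> DER bytes."""
    tokens = list(tokenize(preprocess(text, fragments or {})))
    der, i = _parse_items(tokens, 0)
    if i != len(tokens):
        raise ValueError("unbalanced '}'")
    return der
```

`encode(TBS_VALID, FRAGMENTS)` and `encode(TBS_NEGATIVE_SERIAL, FRAGMENTS)` produce two DER `TBSCertificate` blobs that differ only in the three serialNumber bytes (`02 01 01` versus `02 01 ff`); everything else comes from the shared fragments. That is the point of the `tbs/` layout: each MUST/SHOULD test case is a small edit against an otherwise known-good skeleton, so an implementation that still accepts the negative-serial certificate once the fake CA has signed it has failed exactly that clause and nothing else. The encoder deliberately does not reject invalid inputs (that is what the certificates are for); only the tags listed in `UNIVERSAL` are supported, and `[n]` is treated as a constructed context-specific tag, which is der-ascii's default.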
This is not an official Google product.