# Test vectors

Testing the correctness of the primitives implemented in `cryptography`

requires trusted test vectors. Where possible these vectors are
obtained from official sources such as NIST or IETF RFCs. When this is
not possible `cryptography`

has chosen to create a set of custom vectors
using an official vector file as input.

Vectors are kept in the `cryptography_vectors`

package rather than within our
main test suite.

## Sources

### Project Wycheproof

We run vectors from Project Wycheproof – a collection of known edge-cases
for various cryptographic algorithms. These are not included in the repository
(or `cryptography_vectors`

package), but rather cloned from Git in our
continuous integration environments.

### Asymmetric ciphers

RSA PKCS #1 from the RSA FTP site (ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/ and ftp://ftp.rsa.com/pub/rsalabs/tmp/).

RSA FIPS 186-2 and PKCS1 v1.5 vulnerability test vectors from NIST CAVP.

FIPS 186-2 and FIPS 186-3 DSA test vectors from NIST CAVP.

FIPS 186-2 and FIPS 186-3 ECDSA test vectors from NIST CAVP.

DH and ECDH and ECDH+KDF(17.4) test vectors from NIST CAVP.

Ed25519 test vectors from the Ed25519 website.

OpenSSL PEM RSA serialization vectors from the OpenSSL example key and GnuTLS key parsing tests.

`asymmetric/PEM_Serialization/rsa-bad-1025-q-is-2.pem`

from badkeys.OpenSSL PEM DSA serialization vectors from the GnuTLS example keys.

PKCS #8 PEM serialization vectors from

GnuTLS: enc-rsa-pkcs8.pem, enc2-rsa-pkcs8.pem, unenc-rsa-pkcs8.pem, pkcs12_s2k_pem.c. The encoding error in unenc-rsa-pkcs8.pem was fixed, and the contents of enc-rsa-pkcs8.pem was re-encrypted to include it. The contents of enc2-rsa-pkcs8.pem was re-encrypted using a stronger PKCS#8 cipher.

asymmetric/public/PKCS1/dsa.pub.pem is a PKCS1 DSA public key from the Ruby test suite.

X25519 and X448 test vectors from

**RFC 7748**.RSA OAEP with custom label from the BoringSSL evp tests.

Ed448 test vectors from

**RFC 8032**.Deterministic ECDSA (

**RFC 6979**) from OpenSSL’s RFC 6979 test vectors.

### Custom asymmetric vectors

`asymmetric/PEM_Serialization/ec_private_key.pem`

and`asymmetric/DER_Serialization/ec_private_key.der`

- Contains an Elliptic Curve key generated by OpenSSL from the curve`secp256r1`

.`asymmetric/PEM_Serialization/ec_private_key_encrypted.pem`

and`asymmetric/DER_Serialization/ec_private_key_encrypted.der`

- Contains the same Elliptic Curve key as`ec_private_key.pem`

, except that it is encrypted with AES-128 with the password “123456”.`asymmetric/PEM_Serialization/ec_public_key.pem`

and`asymmetric/DER_Serialization/ec_public_key.der`

- Contains the public key corresponding to`ec_private_key.pem`

, generated using OpenSSL.`asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem`

- Contains the public key corresponding to`ec_private_key.pem`

, but with the wrong PEM delimiter (`RSA PUBLIC KEY`

when it should be`PUBLIC KEY`

).`asymmetric/PEM_Serialization/rsa_private_key.pem`

- Contains an RSA 2048 bit key generated using OpenSSL, protected by the secret “123456” with DES3 encryption.`asymmetric/PEM_Serialization/rsa_public_key.pem`

and`asymmetric/DER_Serialization/rsa_public_key.der`

- Contains an RSA 2048 bit public generated using OpenSSL from`rsa_private_key.pem`

.`asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem`

- Contains an RSA 2048 bit public key generated from`rsa_private_key.pem`

, but with the wrong PEM delimiter (`RSA PUBLIC KEY`

when it should be`PUBLIC KEY`

).`asymmetric/PEM_Serialization/dsa_4096.pem`

- Contains a 4096-bit DSA private key generated using OpenSSL.`asymmetric/PEM_Serialization/dsaparam.pem`

- Contains 2048-bit DSA parameters generated using OpenSSL; contains no keys.`asymmetric/PEM_Serialization/dsa_private_key.pem`

- Contains a DSA 2048 bit key generated using OpenSSL from the parameters in`dsaparam.pem`

, protected by the secret “123456” with DES3 encryption.`asymmetric/PEM_Serialization/dsa_public_key.pem`

and`asymmetric/DER_Serialization/dsa_public_key.der`

- Contains a DSA 2048 bit key generated using OpenSSL from`dsa_private_key.pem`

.`asymmetric/DER_Serialization/dsa_public_key_no_params.der`

- Contains a DSA public key with the optional parameters removed.`asymmetric/DER_Serialization/dsa_public_key_invalid_bit_string.der`

- Contains a DSA public key with the bit string padding value set to 2 rather than the required 0.`asymmetric/PKCS8/unenc-dsa-pkcs8.pem`

and`asymmetric/DER_Serialization/unenc-dsa-pkcs8.der`

- Contains a DSA 1024 bit key generated using OpenSSL.`asymmetric/PKCS8/unenc-dsa-pkcs8.pub.pem`

and`asymmetric/DER_Serialization/unenc-dsa-pkcs8.pub.der`

- Contains a DSA 2048 bit public key generated using OpenSSL from`unenc-dsa-pkcs8.pem`

.DER conversions of the GnuTLS example keys for DSA as well as the OpenSSL example key for RSA.

DER conversions of enc-rsa-pkcs8.pem, enc2-rsa-pkcs8.pem, and unenc-rsa-pkcs8.pem.

`asymmetric/public/PKCS1/rsa.pub.pem`

and`asymmetric/public/PKCS1/rsa.pub.der`

are PKCS1 conversions of the public key from`asymmetric/PKCS8/unenc-rsa-pkcs8.pem`

using PEM and DER encoding.`x509/custom/ca/ca_key.pem`

- An unencrypted PCKS8`secp256r1`

key. It is the private key for the certificate`x509/custom/ca/ca.pem`

.`pkcs12/ca/ca_key.pem`

- An unencrypted PCKS8`secp256r1`

key. It is the private key for the certificate`pkcs12/ca/ca.pem`

. This key is encoded in several of the PKCS12 custom vectors.`x509/custom/ca/rsa_key.pem`

- An unencrypted PCKS8 4096 bit RSA key. It is the private key for the certificate`x509/custom/ca/rsa_ca.pem`

.`asymmetric/EC/compressed_points.txt`

- Contains compressed public points generated using OpenSSL.`asymmetric/EC/explicit_parameters_private_key.pem`

- Contains an EC private key with an curve defined by explicit parameters.`asymmetric/EC/explicit_parameters_wap_wsg_idm_ecid_wtls11_private_key.pem`

- Contains an EC private key with over the`wap-wsg-idm-ecid-wtls11`

curve, encoded with explicit parameters.`asymmetric/EC/secp128r1_private_key.pem`

- Contains an EC private key on the curve`secp128r1`

.`asymmetric/EC/sect163k1-spki.pem`

- Contains an EC SPKI on the curve`sect163k1`

.`asymmetric/EC/sect163r2-spki.pem`

- Contains an EC SPKI on the curve`sect163r2`

.`asymmetric/EC/sect233k1-spki.pem`

- Contains an EC SPKI on the curve`sect233k1`

.`asymmetric/EC/sect233r1-spki.pem`

- Contains an EC SPKI on the curve`sect233r1`

.`asymmetric/X448/x448-pkcs8-enc.pem`

and`asymmetric/X448/x448-pkcs8-enc.der`

contain an X448 key encrypted with AES 256 CBC with the password`password`

.`asymmetric/X448/x448-pkcs8.pem`

and`asymmetric/X448/x448-pkcs8.der`

contain an unencrypted X448 key.`asymmetric/X448/x448-pub.pem`

and`asymmetric/X448/x448-pub.der`

contain an X448 public key.`asymmetric/Ed25519/ed25519-pkcs8-enc.pem`

and`asymmetric/Ed25519/ed25519-pkcs8-enc.der`

contain an Ed25519 key encrypted with AES 256 CBC with the password`password`

.`asymmetric/Ed25519/ed25519-pkcs8.pem`

and`asymmetric/Ed25519/ed25519-pkcs8.der`

contain an unencrypted Ed25519 key.`asymmetric/Ed25519/ed25519-pub.pem`

and`asymmetric/Ed25519/ed25519-pub.der`

contain an Ed25519 public key.`asymmetric/X25519/x25519-pkcs8-enc.pem`

and`asymmetric/X25519/x25519-pkcs8-enc.der`

contain an X25519 key encrypted with AES 256 CBC with the password`password`

.`asymmetric/X25519/x25519-pkcs8.pem`

and`asymmetric/X25519/x25519-pkcs8.der`

contain an unencrypted X25519 key.`asymmetric/X25519/x25519-pub.pem`

and`asymmetric/X25519/x25519-pub.der`

contain an X25519 public key.`asymmetric/Ed448/ed448-pkcs8-enc.pem`

and`asymmetric/Ed448/ed448-pkcs8-enc.der`

contain an Ed448 key encrypted with AES 256 CBC with the password`password`

.`asymmetric/Ed448/ed448-pkcs8.pem`

and`asymmetric/Ed448/ed448-pkcs8.der`

contain an unencrypted Ed448 key.`asymmetric/Ed448/ed448-pub.pem`

and`asymmetric/Ed448/ed448-pub.der`

contain an Ed448 public key.`asymmetric/PKCS8/rsa_pss_2048.pem`

- A 2048-bit RSA PSS key with no explicit parameters set.`asymmetric/PKCS8/rsa_pss_2048_pub.der`

- The public key corresponding to`asymmetric/PKCS8/rsa_pss_2048.pem`

.`asymmetric/PKCS8/rsa_pss_2048_hash.pem`

- A 2048-bit RSA PSS key with the hash algorithm PSS parameter set to SHA256.`asymmetric/PKCS8/rsa_pss_2048_hash_mask.pem`

- A 2048-bit RSA PSS key with with the hash (SHA256) and mask algorithm (SHA256) PSS parameters set.`asymmetric/PKCS8/rsa_pss_2048_hash_mask_diff.pem`

- A 2048-bit RSA PSS key with the hash (SHA256) and mask algorithm (SHA512) PSS parameters set.`asymmetric/PKCS8/rsa_pss_2048_hash_mask_salt.pem`

- A 2048-bit RSA PSS key with the hash (SHA256), mask algorithm (SHA256), and salt length (32) PSS parameters set.

### Key exchange

`vectors/cryptography_vectors/asymmetric/DH/rfc3526.txt`

contains several standardized Diffie-Hellman groups from**RFC 3526**.`vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt`

contains Diffie-Hellman examples from appendix A.1, A.2 and A.3 of**RFC 5114**.`vectors/cryptography_vectors/asymmetric/DH/vec.txt`

contains Diffie-Hellman examples from botan.`vectors/cryptography_vectors/asymmetric/DH/bad_exchange.txt`

contains Diffie-Hellman vector pairs that were generated using OpenSSL`DH_generate_parameters_ex`

and`DH_generate_key`

.`vectors/cryptography_vectors/asymmetric/DH/dhp.pem`

,`vectors/cryptography_vectors/asymmetric/DH/dhkey.pem`

and`vectors/cryptography_vectors/asymmetric/DH/dhpub.pem`

contains Diffie-Hellman parameters and key respectively. The keys were generated using OpenSSL following DHKE guide.`vectors/cryptography_vectors/asymmetric/DH/dhkey.txt`

contains all parameter in text.`vectors/cryptography_vectors/asymmetric/DH/dhp.der`

,`vectors/cryptography_vectors/asymmetric/DH/dhkey.der`

and`vectors/cryptography_vectors/asymmetric/DH/dhpub.der`

contains are the above parameters and keys in DER format.`vectors/cryptography_vectors/asymmetric/DH/dhp_rfc5114_2.pem`

,`vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.pem`

and`vectors/cryptography_vectors/asymmetric/DH/dhpub_rfc5114_2.pem`

contains Diffie-Hellman parameters and key respectively. The keys were generated using OpenSSL following DHKE guide. When creating the parameters we added the -pkeyopt dh_rfc5114:2 option to use**RFC 5114**2048 bit DH parameters with 224 bit subgroup.`vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.txt`

contains all parameter in text.`vectors/cryptography_vectors/asymmetric/DH/dhp_rfc5114_2.der`

,`vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.der`

and`vectors/cryptography_vectors/asymmetric/DH/dhpub_rfc5114_2.der`

contains are the above parameters and keys in DER format.`vectors/cryptography_vectors/asymmetric/DH/dh_key_256.pem`

contains a PEM PKCS8 encoded DH key with a 256-bit key size.`vectors/cryptoraphy_vectors/asymmetric/ECDH/brainpool.txt`

contains Brainpool vectors from**RFC 7027**.

### X.509

PKITS test suite from NIST PKI Testing.

`v1_cert.pem`

from the OpenSSL source tree (testx509.pem).`ecdsa_root.pem`

- DigiCert Global Root G3, a`secp384r1`

ECDSA root certificate.`verisign-md2-root.pem`

- A legacy Verisign public root signed using the MD2 algorithm. This is a PEM conversion of the root data in the NSS source tree.`cryptography.io.pem`

- A leaf certificate issued by RapidSSL for the cryptography website.`cryptography.io.old_header.pem`

- A leaf certificate issued by RapidSSL for the cryptography website. This certificate uses the`X509 CERTIFICATE`

legacy PEM header format.`cryptography.io.chain.pem`

- The same as`cryptography.io.pem`

, but`rapidssl_sha256_ca_g3.pem`

is concatenated to the end.`cryptography.io.with_headers.pem`

- The same as`cryptography.io.pem`

, but with an unrelated (encrypted) private key concatenated to the end.`cryptography.io.chain_with_garbage.pem`

- The same as`cryptography.io.chain.pem`

, but with other sections and text around it.`cryptography.io.with_garbage.pem`

- The same as`cryptography.io.pem`

, but with other sections and text around it.`rapidssl_sha256_ca_g3.pem`

- The intermediate CA that issued the`cryptography.io.pem`

certificate.`cryptography.io.precert.pem`

- A pre-certificate with the CT poison extension for the cryptography website.`cryptography-scts.pem`

- A leaf certificate issued by Let’s Encrypt for the cryptography website which contains signed certificate timestamps.`wildcard_san.pem`

- A leaf certificate issued by a public CA for`langui.sh`

that contains wildcard entries in the SAN extension.`san_edipartyname.der`

- A DSA certificate from a Mozilla bug containing a SAN extension with an`ediPartyName`

general name.`san_x400address.der`

- A DSA certificate from a Mozilla bug containing a SAN extension with an`x400Address`

general name.`department-of-state-root.pem`

- The intermediary CA for the Department of State, issued by the United States Federal Government’s Common Policy CA. Notably has a`critical`

policy constraints extensions.`e-trust.ru.der`

- A certificate from a Russian CA signed using the GOST cipher and containing numerous unusual encodings such as NUMERICSTRING in the subject DN.`alternate-rsa-sha1-oid.der`

- A certificate that uses an alternate signature OID for RSA with SHA1. This certificate has an invalid signature.`badssl-sct.pem`

- A certificate with the certificate transparency signed certificate timestamp extension.`badssl-sct-none-hash.der`

- The same as`badssl-sct.pem`

, but DER-encoded and with the SCT’s signature hash manually changed to “none” (`0x00`

).`badssl-sct-anonymous-sig.der`

- The same as`badssl-sct.pem`

, but DER-encoded and with the SCT’s signature algorithm manually changed to “anonymous” (`0x00`

).`bigoid.pem`

- A certificate with a rather long OID in the Certificate Policies extension. We need to make sure we can parse long OIDs.`wosign-bc-invalid.pem`

- A certificate issued by WoSign that contains a basic constraints extension with CA set to false and a path length of zero in violation of**RFC 5280**.`tls-feature-ocsp-staple.pem`

- A certificate issued by Let’s Encrypt that contains a TLS Feature extension with the`status_request`

feature (commonly known as OCSP Must-Staple).`unique-identifier.pem`

- A certificate containing a distinguished name with an`x500UniqueIdentifier`

.`utf8-dnsname.pem`

- A certificate containing non-ASCII characters in the DNS name entries of the SAN extension.`badasn1time.pem`

- A certificate containing an incorrectly specified UTCTime in its validity->not_after.`letsencryptx3.pem`

- A subordinate certificate used by Let’s Encrypt to issue end entity certificates.`ed25519-rfc8410.pem`

- A certificate containing an X25519 public key with an`ed25519`

signature taken from**RFC 8410**.`root-ed25519.pem`

- An`ed25519`

root certificate (`ed25519`

signature with`ed25519`

public key) from the OpenSSL test suite. (root-ed25519.pem)`server-ed25519-cert.pem`

- An`ed25519`

server certificate (RSA signature with`ed25519`

public key) from the OpenSSL test suite. (server-ed25519-cert.pem)`server-ed448-cert.pem`

- An`ed448`

server certificate (RSA signature with`ed448`

public key) from the OpenSSL test suite. (server-ed448-cert.pem)`accvraiz1.pem`

- An RSA root certificate that contains an`explicitText`

entry with a`BMPString`

type.`scottishpower-bitstring-dn.pem`

- An ECDSA certificate that contains a subject DN with a bit string type.`cryptography-scts-tbs-precert.der`

- The “to-be-signed” pre-certificate bytes from`cryptography-scts.pem`

, with the SCT list extension removed.`belgian-eid-invalid-visiblestring.pem`

- A certificate with UTF-8 bytes in a`VisibleString`

type.`ee-pss-sha1-cert.pem`

- An RSA PSS certificate using a SHA1 signature and SHA1 for MGF1 from the OpenSSL test suite.

### Custom X.509 Vectors

`invalid_version.pem`

- Contains an RSA 2048 bit certificate with the X.509 version field set to`0x7`

.`post2000utctime.pem`

- Contains an RSA 2048 bit certificate with the`notBefore`

and`notAfter`

fields encoded as post-2000`UTCTime`

.`dsa_selfsigned_ca.pem`

- Contains a DSA self-signed CA certificate generated using OpenSSL.`ec_no_named_curve.pem`

- Contains an ECDSA certificate that does not have an embedded OID defining the curve.`all_supported_names.pem`

- An RSA 2048 bit certificate generated using OpenSSL that contains a subject and issuer that have two of each supported attribute type from**RFC 5280**.`unsupported_subject_name.pem`

- An RSA 2048 bit self-signed CA certificate generated using OpenSSL that contains the unsupported “initials” name.`utf8_common_name.pem`

- An RSA 2048 bit self-signed CA certificate generated using OpenSSL that contains a UTF8String common name with the value “We heart UTF8!™”.`invalid_utf8_common_name.pem`

- A certificate that contains a`UTF8String`

common name with an invalid UTF-8 byte sequence.`two_basic_constraints.pem`

- An RSA 2048 bit self-signed certificate containing two basic constraints extensions.`basic_constraints_not_critical.pem`

- An RSA 2048 bit self-signed certificate containing a basic constraints extension that is not marked as critical.`bc_path_length_zero.pem`

- An RSA 2048 bit self-signed certificate containing a basic constraints extension with a path length of zero.`unsupported_extension.pem`

- An RSA 2048 bit self-signed certificate containing an unsupported extension type. The OID was encoded as “1.2.3.4” with an`extnValue`

of “value”.`unsupported_extension_2.pem`

- A`secp256r1`

certificate containing two unsupported extensions. The OIDs are`1.3.6.1.4.1.41482.2`

with an`extnValue`

of`1.3.6.1.4.1.41482.1.2`

and`1.3.6.1.4.1.45724.2.1.1`

with an`extnValue`

of`\x03\x02\x040`

`unsupported_extension_critical.pem`

- An RSA 2048 bit self-signed certificate containing an unsupported extension type marked critical. The OID was encoded as “1.2.3.4” with an`extnValue`

of “value”.`san_email_dns_ip_dirname_uri.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative name extension with the following general names:`rfc822Name`

,`dNSName`

,`iPAddress`

,`directoryName`

, and`uniformResourceIdentifier`

.`san_empty_hostname.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative extension with an empty`dNSName`

general name.`san_other_name.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative name extension with the`otherName`

general name.`san_registered_id.pem`

- An RSA 1024 bit certificate containing a subject alternative name extension with the`registeredID`

general name.`all_key_usages.pem`

- An RSA 2048 bit self-signed certificate containing a key usage extension with all nine purposes set to true.`extended_key_usage.pem`

- An RSA 2048 bit self-signed certificate containing an extended key usage extension with eight usages.`san_idna_names.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative name extension with`rfc822Name`

,`dNSName`

, and`uniformResourceIdentifier`

general names with IDNA (**RFC 5895**) encoding.`san_wildcard_idna.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative name extension with a`dNSName`

general name with a wildcard IDNA (**RFC 5895**) domain.`san_idna2003_dnsname.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative name extension with an IDNA 2003 (**RFC 3490**)`dNSName`

.`san_rfc822_names.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative name extension with various`rfc822Name`

values.`san_rfc822_idna.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative name extension with an IDNA`rfc822Name`

.`san_uri_with_port.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative name extension with various`uniformResourceIdentifier`

values.`san_ipaddr.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative name extension with an`iPAddress`

value.`san_dirname.pem`

- An RSA 2048 bit self-signed certificate containing a subject alternative name extension with a`directoryName`

value.`inhibit_any_policy_5.pem`

- An RSA 2048 bit self-signed certificate containing an inhibit any policy extension with the value 5.`inhibit_any_policy_negative.pem`

- An RSA 2048 bit self-signed certificate containing an inhibit any policy extension with the value -1.`authority_key_identifier.pem`

- An RSA 2048 bit self-signed certificate containing an authority key identifier extension with key identifier, authority certificate issuer, and authority certificate serial number fields.`authority_key_identifier_no_keyid.pem`

- An RSA 2048 bit self-signed certificate containing an authority key identifier extension with authority certificate issuer and authority certificate serial number fields.`aia_ocsp_ca_issuers.pem`

- An RSA 2048 bit self-signed certificate containing an authority information access extension with two OCSP and one CA issuers entry.`aia_ocsp.pem`

- An RSA 2048 bit self-signed certificate containing an authority information access extension with an OCSP entry.`aia_ca_issuers.pem`

- An RSA 2048 bit self-signed certificate containing an authority information access extension with a CA issuers entry.`cdp_empty_hostname.pem`

- An RSA 2048 bit self-signed certificate containing a CRL distribution point extension with`fullName`

URI without a hostname.`cdp_fullname_reasons_crl_issuer.pem`

- An RSA 1024 bit certificate containing a CRL distribution points extension with`fullName`

,`cRLIssuer`

, and`reasons`

data.`cdp_crl_issuer.pem`

- An RSA 1024 bit certificate containing a CRL distribution points extension with`cRLIssuer`

data.`cdp_all_reasons.pem`

- An RSA 1024 bit certificate containing a CRL distribution points extension with all`reasons`

bits set.`cdp_reason_aa_compromise.pem`

- An RSA 1024 bit certificate containing a CRL distribution points extension with the`AACompromise`

`reasons`

bit set.`nc_permitted_excluded.pem`

- An RSA 2048 bit self-signed certificate containing a name constraints extension with both permitted and excluded elements. Contains`IPv4`

and`IPv6`

addresses with network mask as well as`dNSName`

with a leading period.`nc_permitted_excluded_2.pem`

- An RSA 2048 bit self-signed certificate containing a name constraints extension with both permitted and excluded elements. Unlike`nc_permitted_excluded.pem`

, the general names do not contain any name constraints specific values.`nc_permitted.pem`

- An RSA 2048 bit self-signed certificate containing a name constraints extension with permitted elements.`nc_permitted_2.pem`

- An RSA 2048 bit self-signed certificate containing a name constraints extension with permitted elements that do not contain any name constraints specific values.`nc_excluded.pem`

- An RSA 2048 bit self-signed certificate containing a name constraints extension with excluded elements.`nc_invalid_ip_netmask.pem`

- An RSA 2048 bit self-signed certificate containing a name constraints extension with a permitted element that has an`IPv6`

IP and an invalid network mask.`nc_invalid_ip4_netmask.der`

- An RSA 2048 bit self-signed certificate containing a name constraints extension with a permitted element that has an`IPv4`

IP and an invalid network mask. The signature on this certificate is invalid.`nc_single_ip_netmask.pem`

- An RSA 2048 bit self-signed certificate containing a name constraints extension with a permitted element that has two IPs with`/32`

and`/128`

network masks.`nc_ip_invalid_length.pem`

- An RSA 2048 bit self-signed certificate containing a name constraints extension with a permitted element that has an invalid length (33 bytes instead of 32) for an`IPv6`

address with network mask. The signature on this certificate is invalid.`cp_user_notice_with_notice_reference.pem`

- An RSA 2048 bit self-signed certificate containing a certificate policies extension with a notice reference in the user notice.`cp_user_notice_with_explicit_text.pem`

- An RSA 2048 bit self-signed certificate containing a certificate policies extension with explicit text and no notice reference.`cp_cps_uri.pem`

- An RSA 2048 bit self-signed certificate containing a certificate policies extension with a CPS URI and no user notice.`cp_user_notice_no_explicit_text.pem`

- An RSA 2048 bit self-signed certificate containing a certificate policies extension with a user notice with no explicit text.`cp_invalid.pem`

- An RSA 2048 bit self-signed certificate containing a certificate policies extension with invalid data. The`policyQualifierId`

is for`id-qt-unotice`

but the value is an`id-qt-cps`

ASN.1 structure.`cp_invalid2.der`

- An RSA 2048 bit self-signed certificate containing a certificate policies extension with invalid data. The`policyQualifierId`

is for`id-qt-cps`

but the value is an`id-qt-unotice`

ASN.1 structure. The signature on this certificate is invalid.`ian_uri.pem`

- An RSA 2048 bit certificate containing an issuer alternative name extension with a`URI`

general name.`ocsp_nocheck.pem`

- An RSA 2048 bit self-signed certificate containing an`OCSPNoCheck`

extension.`pc_inhibit_require.pem`

- An RSA 2048 bit self-signed certificate containing a policy constraints extension with both inhibit policy mapping and require explicit policy elements.`pc_inhibit.pem`

- An RSA 2048 bit self-signed certificate containing a policy constraints extension with an inhibit policy mapping element.`pc_require.pem`

- An RSA 2048 bit self-signed certificate containing a policy constraints extension with a require explicit policy element.`unsupported_subject_public_key_info.pem`

- A certificate whose public key is an unknown OID (`1.3.6.1.4.1.8432.1.1.2`

).`policy_constraints_explicit.pem`

- A self-signed certificate containing a`policyConstraints`

extension with a`requireExplicitPolicy`

value.`freshestcrl.pem`

- A self-signed certificate containing a`freshestCRL`

extension.`sia.pem`

- An RSA 2048 bit self-signed certificate containing a subject information access extension with both a CA repository entry and a custom OID entry.`ca/ca.pem`

- A self-signed certificate with`basicConstraints`

set to true. Its private key is`ca/ca_key.pem`

.`pkcs12/ca/ca.pem`

- A self-signed certificate with`basicConstraints`

set to true. Its private key is`pkcs12/ca/ca_key.pem`

. This key is encoded in several of the PKCS12 custom vectors.`negative_serial.pem`

- A certificate with a serial number that is a negative number.`rsa_pss.pem`

- A certificate with an RSA PSS signature.`root-ed448.pem`

- An`ed448`

self-signed CA certificate using`ed448-pkcs8.pem`

as key.`ca/rsa_ca.pem`

- A self-signed RSA certificate with`basicConstraints`

set to true. Its private key is`ca/rsa_key.pem`

.`ca/rsae_ca.pem`

- A self-signed RSA certificate using a (non-PSS) RSA public key and a RSA PSS signature. Its private key is`ca/rsa_key.pem`

.`invalid-sct-version.der`

- A certificate with an SCT with an unknown version.`invalid-sct-length.der`

- A certificate with an SCT with an internal length greater than the amount of data.`bad_country.pem`

- A certificate with country name and jurisdiction country name values in its subject and issuer distinguished names which are longer than 2 characters.`rsa_pss_cert.pem`

- A self-signed certificate with an RSA PSS signature with`asymmetric/PKCS8/rsa_pss_2048.pem`

as its key.`rsa_pss_cert_invalid_mgf.der`

- A self-signed certificate with an invalid RSA PSS signature that has a non-MGF1 OID for its mask generation function in the signature algorithm.`rsa_pss_cert_no_sig_params.der`

- A self-signed certificate with an invalid RSA PSS signature algorithm that is missing signature parameters for PSS.`rsa_pss_cert_unsupported_mgf_hash.der`

- A self-signed certificate with an unsupported MGF1 hash algorithm in the signature algorithm.`long-form-name-attribute.pem`

- A certificate with`subject`

and`issuer`

names containing attributes whose value’s tag is encoded in long-form.`mismatch_inner_outer_sig_algorithm.der`

- A leaf certificate derived from`x509/cryptography.io.pem`

but modifying the`tbs_cert.signature_algorithm`

OID to not match the outer signature algorithm OID.`ms-certificate-template.pem`

- A certificate with a`msCertificateTemplate`

extension.`rsa_pss_sha256_no_null.pem`

- A certificate with an RSA PSS signature with no encoded`NULL`

for the PSS hash algorithm parameters. This certificate was generated by LibreSSL.`ecdsa_null_alg.pem`

- A certificate with an ECDSA signature with`NULL`

algorithm parameters. This encoding is invalid, but was generated by Java 11.`dsa_null_alg_params.pem`

- A certificate with a DSA signature with`NULL`

algorithm parameters. This encoding is invalid, but was generated by Java 20.

### Custom X.509 Request Vectors

`dsa_sha1.pem`

and`dsa_sha1.der`

- Contain a certificate request using 1024-bit DSA parameters and SHA1 generated using OpenSSL.`rsa_md4.pem`

and`rsa_md4.der`

- Contain a certificate request using 2048 bit RSA and MD4 generated using OpenSSL.`rsa_sha1.pem`

and`rsa_sha1.der`

- Contain a certificate request using 2048 bit RSA and SHA1 generated using OpenSSL.`rsa_sha256.pem`

and`rsa_sha256.der`

- Contain a certificate request using 2048 bit RSA and SHA256 generated using OpenSSL.`ec_sha256.pem`

and`ec_sha256.der`

- Contain a certificate request using EC (`secp384r1`

) and SHA256 generated using OpenSSL.`ec_sha256_old_header.pem`

- Identical to`ec_sha256.pem`

, but uses the`-----BEGIN NEW CERTIFICATE REQUEST-----`

legacy PEM header format.`san_rsa_sha1.pem`

and`san_rsa_sha1.der`

- Contain a certificate request using RSA and SHA1 with a subject alternative name extension generated using OpenSSL.`two_basic_constraints.pem`

- A certificate signing request for an RSA 2048 bit key containing two basic constraints extensions. The signature on this CSR is invalid.`unsupported_extension.pem`

- A certificate signing request for an RSA 2048 bit key containing containing an unsupported extension type. The OID was encoded as “1.2.3.4” with an`extnValue`

of “value”. The signature on this CSR is invalid.`unsupported_extension_critical.pem`

- A certificate signing request for an RSA 2048 bit key containing containing an unsupported extension type marked critical. The OID was encoded as “1.2.3.4” with an`extnValue`

of “value”. The signature on this CSR is invalid.`basic_constraints.pem`

- A certificate signing request for an RSA 2048 bit key containing a basic constraints extension marked as critical. The signature on this CSR is invalid.`invalid_signature.pem`

- A certificate signing request for an RSA 1024 bit key containing an invalid signature with correct padding.`challenge.pem`

- A certificate signing request for an RSA 2048 bit key containing a challenge password.`challenge-invalid.der`

- A certificate signing request for an RSA 2048 bit key containing a challenge password attribute that has been encoded as an ASN.1 integer rather than a string.`challenge-unstructured.pem`

- A certificate signing request for an RSA 2048 bit key containing a challenge password attribute and an unstructured name attribute.`challenge-multi-valued.der`

- A certificate signing request for an RSA 2048 bit key containing a challenge password attribute with two values inside the ASN.1 set. The signature on this request is invalid.`freeipa-bad-critical.pem`

- A certificate signing request where the extensions value has a`critical`

value of`False`

explicitly encoded.`bad-version.pem`

- A certificate signing request where the version is invalid.`long-form-attribute.pem`

- A certificate signing request containing an attribute whose value’s tag is encoded in the long form.

### Custom X.509 Certificate Revocation List Vectors

`crl_all_reasons.pem`

- Contains a CRL with 12 revoked certificates, whose serials match their list position. It includes one revocation without any entry extensions, 10 revocations with every supported reason code and one revocation with an unsupported, non-critical entry extension with the OID value set to “1.2.3.4”. The signature on this CRL is invalid.`crl_dup_entry_ext.pem`

- Contains a CRL with one revocation which has a duplicate entry extension. The signature on this CRL is invalid.`crl_md2_unknown_crit_entry_ext.pem`

- Contains a CRL with one revocation which contains an unsupported critical entry extension with the OID value set to “1.2.3.4”. The CRL uses an unsupported MD2 signature algorithm, and the signature on this CRL is invalid.`crl_unsupported_reason.pem`

- Contains a CRL with one revocation which has an unsupported reason code. The signature on this CRL is invalid.`crl_inval_cert_issuer_entry_ext.pem`

- Contains a CRL with one revocation which has one entry extension for certificate issuer with an empty value. The signature on this CRL is invalid.`crl_empty.pem`

- Contains a CRL with no revoked certificates.`crl_empty_no_sequence.der`

- Contains a CRL with no revoked certificates and the optional ASN.1 sequence for revoked certificates is omitted.`crl_ian_aia_aki.pem`

- Contains a CRL with`IssuerAlternativeName`

,`AuthorityInformationAccess`

,`AuthorityKeyIdentifier`

and`CRLNumber`

extensions.`valid_signature_crl.pem`

- Contains a CRL with a valid signature.`valid_signature_cert.pem`

- Contains a cert whose public key corresponds to the private key that produced the signature for`valid_signature_crl.pem`

.`invalid_signature_crl.pem`

- Contains a CRL with the last signature byte incremented by 1 to produce an invalid signature.`invalid_signature_cert.pem`

- Contains a cert whose public key corresponds to the private key that produced the signature for`invalid_signature_crl.pem`

.`crl_delta_crl_indicator.pem`

- Contains a CRL with the`DeltaCRLIndicator`

extension.`crl_idp_fullname_only.pem`

- Contains a CRL with an`IssuingDistributionPoints`

extension with only a`fullname`

for the distribution point.`crl_idp_only_ca.pem`

- Contains a CRL with an`IssuingDistributionPoints`

extension that is only valid for CA certificate revocation.`crl_idp_fullname_only_aa.pem`

- Contains a CRL with an`IssuingDistributionPoints`

extension that sets a`fullname`

and is only valid for attribute certificate revocation.`crl_idp_fullname_only_user.pem`

- Contains a CRL with an`IssuingDistributionPoints`

extension that sets a`fullname`

and is only valid for user certificate revocation.`crl_idp_fullname_indirect_crl.pem`

- Contains a CRL with an`IssuingDistributionPoints`

extension that sets a`fullname`

and the indirect CRL flag.`crl_idp_reasons_only.pem`

- Contains a CRL with an`IssuingDistributionPoints`

extension that is only valid for revocations with the`keyCompromise`

reason.`crl_idp_relative_user_all_reasons.pem`

- Contains a CRL with an`IssuingDistributionPoints`

extension that sets all revocation reasons as allowed.`crl_idp_relativename_only.pem`

- Contains a CRL with an`IssuingDistributionPoints`

extension with only a`relativename`

for the distribution point.`crl_unrecognized_extension.der`

- Contains a CRL containing an unsupported extension type. The OID was encoded as “1.2.3.4.5” with an`extnValue`

of`abcdef`

.`crl_invalid_time.der`

- Contains a CRL with an invalid`UTCTime`

value in`thisUpdate`

. The signature on this CRL is invalid.`crl_no_next_time.pem`

- Contains a CRL with no`nextUpdate`

value. The signature on this CRL is invalid.`crl_bad_version.pem`

- Contains a CRL with an invalid version.`crl_almost_10k.pem`

- Contains a CRL with 9,999 entries.`crl_inner_outer_mismatch.der`

- A CRL created from`valid_signature_crl.pem`

but with a mismatched inner and outer signature algorithm. The signature on this CRL is invalid.

### X.509 OCSP Test Vectors

`x509/ocsp/resp-sha256.der`

- An OCSP response for`cryptography.io`

with a SHA256 signature.`x509/ocsp/resp-unauthorized.der`

- An OCSP response with an unauthorized status.`x509/ocsp/resp-revoked.der`

- An OCSP response for`revoked.badssl.com`

with a revoked status.`x509/ocsp/resp-delegate-unknown-cert.der`

- An OCSP response for an unknown cert from`AC Camerafirma`

. This response also contains a delegate certificate.`x509/ocsp/resp-responder-key-hash.der`

- An OCSP response from the`DigiCert`

OCSP responder that uses a key hash for the responder ID.`x509/ocsp/resp-revoked-reason.der`

- An OCSP response from the`QuoVadis`

OCSP responder that contains a revoked certificate with a revocation reason.`x509/ocsp/resp-revoked-no-next-update.der`

- An OCSP response that contains a revoked certificate and no`nextUpdate`

value.`x509/ocsp/resp-invalid-signature-oid.der`

- An OCSP response that was modified to contain an MD2 signature algorithm object identifier.`x509/ocsp/resp-single-extension-reason.der`

- An OCSP response that contains a`CRLReason`

single extension.`x509/ocsp/resp-sct-extension.der`

- An OCSP response containing a`CT Certificate SCTs`

single extension, from the SwissSign OCSP responder.`x509/ocsp/ocsp-army.deps.mil-resp.der`

- An OCSP response containing multiple`SINGLERESP`

values.`x509/ocsp/resp-response-type-unknown-oid.der`

- An OCSP response with an unknown OID for response type. The signature on this response is invalid.`x509/ocsp/resp-successful-no-response-bytes.der`

- An OCSP request with a successful response type but the response bytes are missing.`x509/ocsp/resp-unknown-response-status.der`

- An OCSP response with an unknown response status.

### Custom X.509 OCSP Test Vectors

`x509/ocsp/req-sha1.der`

- An OCSP request containing a single request and using SHA1 as the hash algorithm.`x509/ocsp/req-multi-sha1.der`

- An OCSP request containing multiple requests.`x509/ocsp/req-invalid-hash-alg.der`

- An OCSP request containing an invalid hash algorithm OID.`x509/ocsp/req-ext-nonce.der`

- An OCSP request containing a nonce extension.`x509/ocsp/req-ext-unknown-oid.der`

- An OCSP request containing an extension with an unknown OID.`x509/ocsp/req-duplicate-ext.der`

- An OCSP request with duplicate extensions.`x509/ocsp/resp-unknown-extension.der`

- An OCSP response containing an extension with an unknown OID.`x509/ocsp/resp-unknown-hash-alg.der`

- An OCSP response containing an invalid hash algorithm OID.`x509/ocsp/req-acceptable-responses.der`

- An OCSP request containing an acceptable responses extension.

### Custom PKCS12 Test Vectors

`pkcs12/cert-key-aes256cbc.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

) both encrypted with AES 256 CBC with the password`cryptography`

.`pkcs12/cert-none-key-none.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

) with no encryption. The password (used for integrity checking only) is`cryptography`

.`pkcs12/cert-rc2-key-3des.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) encrypted with RC2 and key (`pkcs12/ca/ca_key.pem`

) encrypted via 3DES with the password`cryptography`

.`pkcs12/no-password.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

) with no encryption and no password.`pkcs12/no-cert-key-aes256cbc.p12`

- A PKCS12 file containing a key (`pkcs12/ca/ca_key.pem`

) encrypted via AES 256 CBC with the password`cryptography`

and no certificate.`pkcs12/cert-aes256cbc-no-key.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) encrypted via AES 256 CBC with the password`cryptography`

and no private key.`pkcs12/no-name-no-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

), as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

).`pkcs12/name-all-no-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

) with friendly name`name`

, as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

) with friendly names`name2`

and`name3`

, respectively.`pkcs12/name-1-no-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

) with friendly name`name`

, as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

).`pkcs12/name-2-3-no-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

), as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

) with friendly names`name2`

and`name3`

, respectively.`pkcs12/name-2-no-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

), as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), the first having friendly name`name2`

.`pkcs12/name-3-no-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

), as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), the latter having friendly name`name3`

.`pkcs12/name-unicode-no-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

) with friendly name`☺`

, as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

) with friendly names`ä`

and`ç`

, respectively.`pkcs12/no-name-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

), as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/name-all-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

) with friendly name`name`

, as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

) with friendly names`name2`

and`name3`

respectively, encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/name-1-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

) with friendly name`name`

, as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/name-2-3-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

), as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

) with friendly names`name2` and ``name3`

respectively, encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/name-2-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

), as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), the first having friendly name`name2`

, encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/name-3-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

), as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), the latter having friendly name`name2`

, encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/name-unicode-pwd.p12`

- A PKCS12 file containing a cert (`pkcs12/ca/ca.pem`

) and key (`pkcs12/ca/ca_key.pem`

) with friendly name`☺`

, as well as two additional certificates (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

) with friendly names`ä`

and`ç`

respectively, encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/no-cert-no-name-no-pwd.p12`

- A PKCS12 file containing two certs (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

).`pkcs12/no-cert-name-all-no-pwd.p12`

- A PKCS12 file containing two certs (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

) with friendly names`name2`

and`name3`

, respectively.`pkcs12/no-cert-name-2-no-pwd.p12`

- A PKCS12 file containing two certs (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), the first having friendly name`name2`

.`pkcs12/no-cert-name-3-no-pwd.p12`

- A PKCS12 file containing two certs (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), the second having friendly name`name3`

.`pkcs12/no-cert-name-unicode-no-pwd.p12`

- A PKCS12 file containing two certs (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

) with friendly names`☹`

and`ï`

, respectively.`pkcs12/no-cert-no-name-pwd.p12`

- A PKCS12 file containing two certs (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/no-cert-name-all-pwd.p12`

- A PKCS12 file containing two certs (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

) with friendly names`name2`

and`name3`

, respectively, encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/no-cert-name-2-pwd.p12`

- A PKCS12 file containing two certs (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), the first with friendly name`name2`

, encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/no-cert-name-3-pwd.p12`

- A PKCS12 file containing two certs (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

), the second with friendly name`name3`

, encrypted via AES 256 CBC with the password`cryptography`

.`pkcs12/no-cert-name-unicode-pwd.p12`

- A PKCS12 file containing two certs (`x509/cryptography.io.pem`

and`x509/letsencryptx3.pem`

) with friendly names`☹`

and`ï`

, respectively, encrypted via AES 256 CBC with the password`cryptography`

.

### Custom PKCS7 Test Vectors

`pkcs7/isrg.pem`

- A PEM encoded PKCS7 file containing the ISRG X1 root CA.`pkcs7/amazon-roots.p7b`

- A BER encoded PCKS7 file containing Amazon Root CA 2 and 3 generated by Apple Keychain.`pkcs7/amazon-roots.der`

- A DER encoded PCKS7 file containing Amazon Root CA 2 and 3 generated by OpenSSL.`pkcs7/enveloped.pem`

- A PEM encoded PKCS7 file with enveloped data.

### Custom OpenSSH Test Vectors

`ed25519-aesgcm-psw.key`

and`ed25519-aesgcm-psw.key.pub`

generated by exporting an Ed25519 key from`1password 8`

with the password “password”. This key is encrypted using the`aes256-gcm@openssh.com`

algorithm.

Generated by
`asymmetric/OpenSSH/gen.sh`

using command-line tools from OpenSSH_7.6p1 package.

`dsa-nopsw.key`

,`dsa-nopsw.key.pub`

,`dsa-nopsw.key-cert.pub`

- DSA-1024 private key; and corresponding public key in plain format and with self-signed certificate.`dsa-psw.key`

,`dsa-psw.key.pub`

- Password-protected DSA-1024 private key and corresponding public key. Password is “password”.`ecdsa-nopsw.key`

,`ecdsa-nopsw.key.pub`

,`ecdsa-nopsw.key-cert.pub`

- SECP256R1 private key; and corresponding public key in plain format and with self-signed certificate.`ecdsa-psw.key`

,`ecdsa-psw.key.pub`

- Password-protected SECP384R1 private key and corresponding public key. Password is “password”.`ed25519-nopsw.key`

,`ed25519-nopsw.key.pub`

,`ed25519-nopsw.key-cert.pub`

- Ed25519 private key; and corresponding public key in plain format and with self-signed certificate.`ed25519-psw.key`

,`ed25519-psw.key.pub`

- Password-protected Ed25519 private key and corresponding public key. Password is “password”.`rsa-nopsw.key`

,`rsa-nopsw.key.pub`

,`rsa-nopsw.key-cert.pub`

- RSA-2048 private key; and corresponding public key in plain format and with self-signed certificate.`rsa-psw.key`

,`rsa-psw.key.pub`

- Password-protected RSA-2048 private key and corresponding public key. Password is “password”.

### Custom OpenSSH Certificate Test Vectors

`p256-p256-duplicate-extension.pub`

- A certificate with a duplicate extension.`p256-p256-non-lexical-extensions.pub`

- A certificate with extensions in non-lexical order.`p256-p256-duplicate-crit-opts.pub`

- A certificate with a duplicate critical option.`p256-p256-non-lexical-crit-opts.pub`

- A certificate with critical options in non-lexical order.`p256-ed25519-non-singular-crit-opt-val.pub`

- A certificate with a critical option that contains more than one value.`p256-ed25519-non-singular-ext-val.pub`

- A certificate with an extension that contains more than one value.`dsa-p256.pub`

- A certificate with a DSA public key signed by a P256 CA.`p256-dsa.pub`

- A certificate with a P256 public key signed by a DSA CA.`p256-p256-broken-signature-key-type.pub`

- A certificate with a P256 public key signed by a P256 CA, but the signature key type is set to`rsa-sha2-512`

.`p256-p256-empty-principals.pub`

- A certificate with a P256 public key signed by a P256 CA with an empty valid principals list.`p256-p256-invalid-cert-type.pub`

- A certificate with a P256 public key signed by a P256 CA with an invalid certificate type.`p256-p384.pub`

- A certificate with a P256 public key signed by a P384 CA.`p256-p521.pub`

- A certificate with a P256 public key signed by a P521 CA.`p256-rsa-sha1.pub`

- A certificate with a P256 public key signed by a RSA CA using SHA1.`p256-rsa-sha256.pub`

- A certificate with a P256 public key signed by a RSA CA using SHA256.`p256-rsa-sha512.pub`

- A certificate with a P256 public key signed by a RSA CA using SHA512.

### Hashes

MD5 from

**RFC 1321**.RIPEMD160 from the RIPEMD website.

SHA1 from NIST CAVP.

SHA2 (224, 256, 384, 512, 512/224, 512/256) from NIST CAVP.

SHA3 (224, 256, 384, 512) from NIST CAVP.

SHAKE (128, 256) from NIST CAVP.

Blake2s and Blake2b from OpenSSL test/evptests.txt.

### HMAC

### Key derivation functions

### Key wrapping

AES key wrap (AESKW) and 3DES key wrap test vectors from NIST CAVP.

AES key wrap with padding vectors from Botan’s key wrap vectors.

### Recipes

Fernet from its specification repository.

### Symmetric ciphers

AES (CBC, CFB, ECB, GCM, OFB, CCM) from NIST CAVP.

AES CTR from

**RFC 3686**.AES-GCM-SIV (KEY-LENGTH: 128, 256) from OpenSSL’s evpciph_aes_gcm_siv.txt.

AES-GCM-SIV (KEY-LENGTH: 192) generated by this project. See AES-GCM-SIV vector creation

AES OCB3 from

**RFC 7253**, dkg’s additional OCB3 vectors, and OpenSSL’s OCB vectors.AES SIV from OpenSSL’s evpciph_aes_siv.txt.

3DES (CBC, CFB, ECB, OFB) from NIST CAVP.

ARC4 (KEY-LENGTH: 40, 56, 64, 80, 128, 192, 256) from

**RFC 6229**.ARC4 (KEY-LENGTH: 160) generated by this project. See: ARC4 vector creation

Blowfish (CBC, CFB, ECB, OFB) from Bruce Schneier’s vectors.

Camellia (ECB) from NTT’s Camellia page as linked by CRYPTREC.

Camellia (CBC, CFB, OFB) from OpenSSL’s test vectors.

CAST5 (ECB) from

**RFC 2144**.CAST5 (CBC, CFB, OFB) generated by this project. See: CAST5 vector creation

ChaCha20 from

**RFC 7539**and generated by this project. See: ChaCha20 vector creationChaCha20Poly1305 from

**RFC 7539**, OpenSSL’s evpciph.txt, and the BoringSSL ChaCha20Poly1305 tests.IDEA (ECB) from the NESSIE IDEA vectors created by NESSIE.

IDEA (CBC, CFB, OFB) generated by this project. See: IDEA vector creation

RC2-128-CBC generated by this project. See: RC2 vector creation

SEED (ECB) from

**RFC 4269**.SEED (CBC) from

**RFC 4196**.SEED (CFB, OFB) generated by this project. See: SEED vector creation

SM4 (CBC, CFB, CTR, ECB, OFB) from draft-ribose-cfrg-sm4-10.

SM4 (GCM) from

**RFC 8998**.

### Two factor authentication

### CMAC

AES-128, AES-192, AES-256, 3DES from NIST SP-800-38B

### Poly1305

Test vectors from

**RFC 7539**.

## Creating test vectors

When official vectors are unavailable `cryptography`

may choose to build
its own using existing vectors as source material.

### Created Vectors

If official test vectors appear in the future the custom generated vectors should be discarded.

Any vectors generated by this method must also be prefixed with the following header format (substituting the correct information):

```
# CAST5 CBC vectors built for https://github.com/pyca/cryptography
# Derived from the AESVS MMT test data for CBC
# Verified against the CommonCrypto and Go crypto packages
# Key Length : 128
```