author | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-03-03 01:07:15 +0000 |
---|---|---|
committer | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-03-03 01:07:15 +0000 |
commit | e54d0af33c053eb1a33876f232bbb224015cc37e (patch) | |
tree | a6db242cc5e32f4d245f558b6c2984d2e2de8a55 /net/data | |
parent | 99af54b649fa2edc0b31b1f09608628420a1706b (diff) | |
Provide the certificate chain as validated to SSLInfo.
Previously, SSLInfo was given the cert chain as served by the server. It is
more useful and correct to provide higher layers the cert chain as
validated.
BUG=77757, 87303, 115312
TEST=net_unittests SSLClientSocketTest.VerifyReturnChainProperlyOrdered
Review URL: http://codereview.chromium.org/9442001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@124804 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/data')
-rw-r--r-- | net/data/ssl/certificates/README | 12 | ||||
-rw-r--r-- | net/data/ssl/certificates/redundant-server-chain.pem | 271 | ||||
-rw-r--r-- | net/data/ssl/certificates/redundant-validated-chain-root.pem | 16 | ||||
-rw-r--r-- | net/data/ssl/certificates/redundant-validated-chain.pem | 196 | ||||
-rwxr-xr-x | net/data/ssl/scripts/generate-redundant-test-chains.sh | 187 | ||||
-rw-r--r-- | net/data/ssl/scripts/redundant-ca.cnf | 80 |
6 files changed, 762 insertions, 0 deletions
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README index 44c63c5..be9ded9 100644 --- a/net/data/ssl/certificates/README +++ b/net/data/ssl/certificates/README @@ -92,3 +92,15 @@ unit tests. - globalsign_orgv1_ca.pem - globalsign_root_ca_md5.pem : A certificate chain for the regression test of http://crbug.com/108514 + +- redundant-validated-chain.pem +- redundant-server-chain.pem +- redundant-validated-chain-root.pem + + Two chains, A -> B -> C -> D and A -> B -> C2 (C and C2 share the same + public key) to test that SSLInfo gets the reconstructed, re-ordered + chain instead of the chain as served. See + SSLClientSocketTest.VerifyReturnChainProperlyOrdered in + net/socket/ssl_client_socket_unittest.cc. These chains are valid until + 26 Feb 2022 and are generated by + net/data/ssl/scripts/generate-redundant-test-chains.sh. diff --git a/net/data/ssl/certificates/redundant-server-chain.pem b/net/data/ssl/certificates/redundant-server-chain.pem new file mode 100644 index 0000000..1411d1c --- /dev/null +++ b/net/data/ssl/certificates/redundant-server-chain.pem 
@@ -0,0 +1,271 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA6NE6YtvtLz7IsraneD9Z/cQ+NURvx3bIYcdmCUvV4dklQnW4 +vpBqRioqElU9EyUY1cgTotOaliOIectRKGB7M9A5v4LWDeZHoifDcx+tpKms2EuY +mm9AOs35Xbi4Q95CILTvV3OdHez6l++sz+8Ctc361ugd1gq+wKmRn91Qq7k90piC +spanoHZEx+3BZJMkD5yVGX6c1KUcUQ2YkNH0sOKZ6Ed1v/TQFTQIIXPHs2WLQD/X +lQEaFOnhKeBF2VGwML170j3xfF/2icoLzWGBNg2pRK9bOziSHfEvOOw7AQ4Ya5ys +/XC/NuRHc1eGrGBv5rFH/1gu0xIoileLycCGDQIDAQABAoIBADnrU0sky2zlgah0 +KFWR7SFkoNU/oU9ODavFn2zQoPT+wHY4My21X7r04mKNMhSBNhx5Gel4Gw0e6eTi +393bosrREozCT95FW6zLl6QcTWaZj5Z/uAczhhcbBt56Bd1cfbcFTEXFTWEUg4Mo +7SUNoO75v12XgVSud6YWiVPsCxWtFmiE91pZINfOM0rBacASY7F+/jJwhlmt04Ru +qwyG2bWmVB97cj2IcNFMwrH/3vbml5YttTKEb1wlKodrj8BqzOcP5VW3DgXbjbz8 +gZtP+pjpP5e9F6UcmwXek12dGwqp+9Mo8veidI8dXNSEiHpdFiTOolsLTGVXziVP ++spFbAECgYEA96mAIB4RidCH2wYtKoepiGisJmFvebGFpyBUWjKtDFKg0ufJ3S/3 +HFq5Pn8473ii8qVjBwlin/bs9dOEuwEI2lvM39QeoUASVdfLOHoYKsK8dyFo7rTX +bQdwMQpSqYbJyi5OElHH/Z28celhF522Lt73uKVOFfiyGYlGzjApZV0CgYEA8KfJ +QCxA27mWTzzHjYtTEGlYskbGpV0XNhjSoCueJvqE8+FYYylSpIB7+yUUI/5g5Iau +aQlVFt+c2IyG5Fg+k7rc0arFkRm8HGp8df9aE7xdHwdw5BL/6wQDfFuP4sDIWVab +IdJDUgdp+G4OGKcSgVCBbIfMrlKll/fMqBWxaHECgYEAv0mZH7V5wGNje2VC33WX +GTgXtzFMw8a8v4A2BtDbXgg4FY5YGVJh3/Gm4MGs/THFUfsyCI5UMc+r6JduDm5X +IykCjeMtoUh2oP0jBsUvA2AT50PT44OkXJ8BJa+edzgXheTMAlROTvJVSfqDNpVm +0L8AwQpUzJ2hGh4wpTMH1jUCgYEAz+llqZeSAUL5ZUOxc8wm20roYj1baYpff1E6 +xz5nyG0vaDQL1L/islR+yJ9kIySmOUlSbVSuurA+Jahi8ex7Q85w8IOFZLLDHhmx +pZATFnHqUeBv29u+ViCFkm7YhKLhdK2qITIzDy9wkj0i2JGfHzGaX1WDtCebAQwJ +OD5lo0ECgYEA06/8JE1CBm3+NuwLzOEYMabfTUe9oe/2shP6SrGIGKf4s5vleDlk +yXNIGLFCtx8C3BXQbyEXg3l44dTOFka/rTe3LSfIzw+ed/sRkyoJuJljdL4dAvB+ +EU6DmsPAHawRxNqGDdaIw7USUYQz0OVyKGLnOmmsQUJR1OgDTils9z8= +-----END RSA PRIVATE KEY----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 236 (0xec) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=B CA + Validity + Not Before: Feb 29 19:15:59 2012 GMT + Not After : Feb 26 19:15:59 2022 GMT + Subject: C=US, ST=California, L=Mountain View, 
O=Test CA, CN=127.0.0.1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:e8:d1:3a:62:db:ed:2f:3e:c8:b2:b6:a7:78:3f: + 59:fd:c4:3e:35:44:6f:c7:76:c8:61:c7:66:09:4b: + d5:e1:d9:25:42:75:b8:be:90:6a:46:2a:2a:12:55: + 3d:13:25:18:d5:c8:13:a2:d3:9a:96:23:88:79:cb: + 51:28:60:7b:33:d0:39:bf:82:d6:0d:e6:47:a2:27: + c3:73:1f:ad:a4:a9:ac:d8:4b:98:9a:6f:40:3a:cd: + f9:5d:b8:b8:43:de:42:20:b4:ef:57:73:9d:1d:ec: + fa:97:ef:ac:cf:ef:02:b5:cd:fa:d6:e8:1d:d6:0a: + be:c0:a9:91:9f:dd:50:ab:b9:3d:d2:98:82:b2:96: + a7:a0:76:44:c7:ed:c1:64:93:24:0f:9c:95:19:7e: + 9c:d4:a5:1c:51:0d:98:90:d1:f4:b0:e2:99:e8:47: + 75:bf:f4:d0:15:34:08:21:73:c7:b3:65:8b:40:3f: + d7:95:01:1a:14:e9:e1:29:e0:45:d9:51:b0:30:bd: + 7b:d2:3d:f1:7c:5f:f6:89:ca:0b:cd:61:81:36:0d: + a9:44:af:5b:3b:38:92:1d:f1:2f:38:ec:3b:01:0e: + 18:6b:9c:ac:fd:70:bf:36:e4:47:73:57:86:ac:60: + 6f:e6:b1:47:ff:58:2e:d3:12:28:8a:57:8b:c9:c0: + 86:0d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + 78:3F:CB:F8:30:EA:63:A3:6E:FE:86:22:50:DE:24:BD:22:C8:BE:9D + X509v3 Authority Key Identifier: + keyid:4C:29:01:6A:B4:74:98:F4:B1:66:50:F0:8F:83:88:F0:C3:9D:5B:6D + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: sha1WithRSAEncryption + aa:a9:e5:68:e2:e9:94:d5:7d:fd:f8:76:e8:e3:23:2e:b9:a6: + 7c:0d:7a:d8:8b:9e:91:19:79:56:2d:1b:15:ad:90:1e:9a:d6: + 47:c0:3f:28:f3:ec:88:dd:25:4c:68:73:b5:b2:27:21:50:f6: + a6:b0:81:16:13:0f:b7:18:4e:a2:ed:2d:fe:ad:af:19:c5:f4: + b6:68:b9:50:05:37:29:f1:2d:97:d8:9f:fe:59:a1:f5:f7:ec: + 6c:18:18:7e:f4:e6:99:08:01:73:ab:60:98:51:4f:c3:ca:70: + e6:18:ab:90:04:7c:73:f2:84:0c:35:e5:1b:22:f1:50:ee:f4: + d8:24:7b:84:7b:39:21:a6:e4:53:04:7f:a5:38:58:da:29:86: + 1e:40:f0:dc:6d:ec:92:1c:4b:da:af:79:e6:27:ce:3f:53:f8: + dc:f1:48:3a:f0:e8:7b:9d:81:8b:44:28:c6:d7:4f:23:98:09: + 
53:b8:68:db:76:0c:09:d8:59:4f:c8:34:bb:1b:b1:b4:09:59: + 09:5d:53:b4:b9:9e:6d:4d:a3:f0:08:5d:2a:a0:b9:dd:9d:64: + 37:13:d6:41:61:6c:a8:18:37:7b:a7:55:3c:e5:78:ba:c0:aa: + d1:a7:a0:d5:1e:65:e7:34:41:b0:da:b6:05:cc:d7:51:66:cc: + 3a:00:c0:b1 +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgICAOwwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAwwEQiBD +QTAeFw0xMjAyMjkxOTE1NTlaFw0yMjAyMjYxOTE1NTlaMGAxCzAJBgNVBAYTAlVT +MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRAw +DgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDo0Tpi2+0vPsiytqd4P1n9xD41RG/Hdshhx2YJ +S9Xh2SVCdbi+kGpGKioSVT0TJRjVyBOi05qWI4h5y1EoYHsz0Dm/gtYN5keiJ8Nz +H62kqazYS5iab0A6zflduLhD3kIgtO9Xc50d7PqX76zP7wK1zfrW6B3WCr7AqZGf +3VCruT3SmIKylqegdkTH7cFkkyQPnJUZfpzUpRxRDZiQ0fSw4pnoR3W/9NAVNAgh +c8ezZYtAP9eVARoU6eEp4EXZUbAwvXvSPfF8X/aJygvNYYE2DalEr1s7OJId8S84 +7DsBDhhrnKz9cL825EdzV4asYG/msUf/WC7TEiiKV4vJwIYNAgMBAAGjbzBtMAwG +A1UdEwEB/wQCMAAwHQYDVR0OBBYEFHg/y/gw6mOjbv6GIlDeJL0iyL6dMB8GA1Ud +IwQYMBaAFEwpAWq0dJj0sWZQ8I+DiPDDnVttMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAqqnlaOLplNV9/fh26OMjLrmm +fA162IuekRl5Vi0bFa2QHprWR8A/KPPsiN0lTGhztbInIVD2prCBFhMPtxhOou0t +/q2vGcX0tmi5UAU3KfEtl9if/lmh9ffsbBgYfvTmmQgBc6tgmFFPw8pw5hirkAR8 +c/KEDDXlGyLxUO702CR7hHs5IabkUwR/pThY2imGHkDw3G3skhxL2q955ifOP1P4 +3PFIOvDoe52Bi0QoxtdPI5gJU7ho23YMCdhZT8g0uxuxtAlZCV1TtLmebU2j8Ahd +KqC53Z1kNxPWQWFsqBg3e6dVPOV4usCq0aeg1R5l5zRBsNq2BczXUWbMOgDAsQ== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 236 (0xec) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=C CA + Validity + Not Before: Feb 29 19:15:59 2012 GMT + Not After : Feb 26 19:15:59 2022 GMT + Subject: CN=B CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:d5:6d:be:6c:68:cd:70:e2:d6:02:3a:16:40:21: + 2c:93:56:de:74:88:61:ca:b4:0e:ab:cc:e9:bc:79: + 51:47:bf:a8:88:6d:3a:ad:93:db:43:f3:58:db:29: + 
8a:47:21:4c:54:0e:e7:24:26:cc:83:aa:ec:ae:cc: + d1:ce:14:c2:ce:56:c8:02:6a:4d:39:9f:6e:67:ff: + b1:e2:fe:d6:99:9f:af:90:bb:87:08:c4:77:6e:e7: + 07:79:d4:72:cf:1c:20:51:54:1f:ef:bc:76:02:d4: + 9e:c7:27:a6:53:fb:62:2b:b8:b1:63:ba:f6:13:84: + 05:b3:aa:bb:33:81:66:8f:37:6d:b9:fb:30:56:a6: + eb:69:fe:2f:a8:2a:ab:2f:f9:49:31:c1:d2:9c:9c: + 20:72:67:fd:35:37:bf:8e:f6:4c:58:52:f3:4c:ee: + a4:c4:68:21:ef:42:e4:f2:ba:e1:84:d5:4a:86:2b: + f2:25:11:07:52:6a:18:62:c9:ca:68:b8:d0:92:d9: + 09:d8:c0:16:8e:fd:56:c2:e3:63:8c:cd:49:23:ac: + 75:7d:24:19:c6:81:b3:a5:90:e3:56:78:7a:35:c8: + 35:97:3b:c5:e1:60:51:97:02:c3:1e:bb:33:68:8d: + eb:37:f7:c4:62:b4:11:b9:e5:29:95:4e:a4:e3:14: + 66:c5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 4C:29:01:6A:B4:74:98:F4:B1:66:50:F0:8F:83:88:F0:C3:9D:5B:6D + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Signature Algorithm: sha1WithRSAEncryption + 42:71:38:e7:27:f1:c4:3b:59:57:c3:68:99:1f:95:81:9c:2d: + 8e:c8:91:85:40:31:24:d2:1c:92:8e:d5:22:95:80:55:7b:a9: + db:48:a5:fd:5e:a3:46:f6:a0:17:1b:13:79:79:f8:c3:c7:fe: + 62:c2:c9:fa:fe:c4:59:97:19:12:92:98:c1:47:a4:5f:7c:d6: + 25:b7:84:6e:08:6a:9f:77:e0:2b:62:fb:ee:23:f5:3d:d7:99: + d2:2e:92:47:cc:b3:c1:d5:4b:6d:92:3e:1a:6f:68:93:af:2d: + a7:f5:2f:a2:6a:27:d2:32:ab:39:53:1f:0a:1e:cc:4e:af:46: + 77:a4:ed:b9:99:b3:13:06:f0:01:9d:db:ad:fd:0e:8b:53:ed: + 90:3a:e6:c2:c5:fb:13:ce:e4:1a:51:f9:1b:f3:76:3d:e6:da: + dd:e2:77:6e:72:18:0b:b4:74:fa:bf:78:72:80:98:b3:3c:59: + 2a:70:74:08:c5:73:0f:66:a6:1c:f6:79:f9:59:21:a8:0b:12: + f2:a7:6d:3b:18:e9:80:12:71:4c:2c:59:ac:fa:57:f4:e1:ab: + 04:76:e3:ff:60:e1:7d:f5:bd:12:0c:01:54:46:e4:f3:ca:f2: + 06:dd:5e:2f:87:07:cb:9a:04:6e:c5:33:dd:8e:52:c6:73:7a: + 65:21:b9:a4 +-----BEGIN CERTIFICATE----- +MIIC3DCCAcSgAwIBAgICAOwwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAwwEQyBD +QTAeFw0xMjAyMjkxOTE1NTlaFw0yMjAyMjYxOTE1NTlaMA8xDTALBgNVBAMMBEIg 
+Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVbb5saM1w4tYCOhZA +ISyTVt50iGHKtA6rzOm8eVFHv6iIbTqtk9tD81jbKYpHIUxUDuckJsyDquyuzNHO +FMLOVsgCak05n25n/7Hi/taZn6+Qu4cIxHdu5wd51HLPHCBRVB/vvHYC1J7HJ6ZT ++2IruLFjuvYThAWzqrszgWaPN225+zBWputp/i+oKqsv+UkxwdKcnCByZ/01N7+O +9kxYUvNM7qTEaCHvQuTyuuGE1UqGK/IlEQdSahhiycpouNCS2QnYwBaO/VbC42OM +zUkjrHV9JBnGgbOlkONWeHo1yDWXO8XhYFGXAsMeuzNojes398RitBG55SmVTqTj +FGbFAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEwpAWq0dJj0 +sWZQ8I+DiPDDnVttMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEA +QnE45yfxxDtZV8NomR+VgZwtjsiRhUAxJNIcko7VIpWAVXup20il/V6jRvagFxsT +eXn4w8f+YsLJ+v7EWZcZEpKYwUekX3zWJbeEbghqn3fgK2L77iP1PdeZ0i6SR8yz +wdVLbZI+Gm9ok68tp/Uvomon0jKrOVMfCh7MTq9Gd6TtuZmzEwbwAZ3brf0Oi1Pt +kDrmwsX7E87kGlH5G/N2Peba3eJ3bnIYC7R0+r94coCYszxZKnB0CMVzD2amHPZ5 ++VkhqAsS8qdtOxjpgBJxTCxZrPpX9OGrBHbj/2DhffW9EgwBVEbk88ryBt1eL4cH +y5oEbsUz3Y5SxnN6ZSG5pA== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 236 (0xec) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=D Root CA + Validity + Not Before: Feb 29 19:15:59 2012 GMT + Not After : Feb 26 19:15:59 2022 GMT + Subject: CN=C CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:a5:fc:1e:cc:76:82:f7:6a:d2:ed:5c:6a:9d:5b: + de:83:64:de:69:14:f6:54:8d:ce:01:ee:51:40:c4: + cc:d6:73:4c:c5:73:ca:60:4d:64:dc:84:f9:08:90: + ce:45:7a:84:4d:4b:3d:07:32:6b:95:6d:18:48:21: + 56:49:01:d0:11:75:54:c0:8c:a7:43:d8:33:bd:bf: + d8:ef:89:a3:d9:43:2b:83:b6:7e:5a:e5:d9:53:58: + 3f:1c:40:56:dd:6b:6c:67:eb:83:27:69:7e:4f:ff: + a4:23:6d:54:33:85:ed:d4:e3:01:47:29:2c:a7:91: + b7:2b:89:cd:64:96:3b:6d:fb:b2:1b:80:a6:c2:ec: + 32:4c:79:ef:80:aa:84:3c:77:60:47:2e:3f:bd:71: + 67:c5:7a:f4:98:70:73:17:53:a3:43:ff:f9:a2:9c: + d3:3b:69:61:99:eb:82:0d:fa:10:f0:68:3f:6f:3f: + f5:d5:04:7e:ac:2f:4e:d1:74:5f:19:39:b8:57:5c: + 79:82:ac:95:e7:4c:d0:8b:fc:59:2e:0a:d4:bc:e8: + 1b:1f:70:b5:ae:07:b8:f4:e7:97:4f:0b:3c:90:03: + 
e3:c3:b2:ed:5b:aa:ce:8f:cc:b9:e3:94:29:69:87: + c5:fe:a7:29:a6:a9:59:c8:17:10:34:31:0c:a8:61: + 8c:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + B7:9B:E7:1E:00:25:BE:D8:ED:12:69:0D:4B:73:6D:A1:3A:5E:F1:4C + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Signature Algorithm: sha1WithRSAEncryption + 44:22:94:02:ad:82:a3:c8:6d:70:b6:20:42:d3:8f:29:62:3c: + b6:dd:e4:e7:9d:b2:77:2d:0f:e9:9c:8c:b3:61:4b:ca:1e:24: + da:0d:93:88:1f:c9:2d:3a:b1:24:3f:79:62:51:88:0a:66:49: + 8c:95:a9:34:52:a5:b0:25:d6:41:f1:81:6b:26:93:dc:cc:29: + 17:1f:ae:b8:27:18:40:00:2d:9c:de:e6:17:1d:29:52:f8:b1: + 5e:3e:8a:f6:0a:06:e2:f6:3f:73:37:89:fe:af:ee:fb:81:7a: + c9:16:89:22:4d:81:ad:5a:73:17:d5:99:08:63:71:c0:c1:09: + 5d:f6:66:04:73:5c:c6:16:b5:77:e0:3f:80:6b:08:18:4c:12: + 98:07:97:ac:cb:92:b8:48:47:a6:ef:d1:c7:48:35:7c:cf:53: + c6:0d:28:c6:98:0c:d8:60:4e:99:f5:49:b3:3c:2c:34:60:0d: + bd:aa:98:c5:60:5a:b6:b1:28:ca:e2:53:55:e5:c2:31:43:f3: + bf:de:45:2c:d2:b4:a6:75:25:3f:2b:91:42:5b:57:a5:25:98: + 39:30:71:d8:66:b8:35:c5:77:d8:f6:53:b3:9f:ee:1f:73:8d: + cc:31:11:76:bc:f3:65:4b:1a:59:60:04:7c:ec:76:9e:4b:8a: + fb:17:88:55 +-----BEGIN CERTIFICATE----- +MIIC4TCCAcmgAwIBAgICAOwwDQYJKoZIhvcNAQEFBQAwFDESMBAGA1UEAwwJRCBS +b290IENBMB4XDTEyMDIyOTE5MTU1OVoXDTIyMDIyNjE5MTU1OVowDzENMAsGA1UE +AwwEQyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKX8Hsx2gvdq +0u1cap1b3oNk3mkU9lSNzgHuUUDEzNZzTMVzymBNZNyE+QiQzkV6hE1LPQcya5Vt +GEghVkkB0BF1VMCMp0PYM72/2O+Jo9lDK4O2flrl2VNYPxxAVt1rbGfrgydpfk// +pCNtVDOF7dTjAUcpLKeRtyuJzWSWO237shuApsLsMkx574CqhDx3YEcuP71xZ8V6 +9JhwcxdTo0P/+aKc0ztpYZnrgg36EPBoP28/9dUEfqwvTtF0Xxk5uFdceYKsledM +0Iv8WS4K1LzoGx9wta4HuPTnl08LPJAD48Oy7Vuqzo/MueOUKWmHxf6nKaapWcgX +EDQxDKhhjKsCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUt5vn +HgAlvtjtEmkNS3NtoTpe8UwwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUA +A4IBAQBEIpQCrYKjyG1wtiBC048pYjy23eTnnbJ3LQ/pnIyzYUvKHiTaDZOIH8kt 
+OrEkP3liUYgKZkmMlak0UqWwJdZB8YFrJpPczCkXH664JxhAAC2c3uYXHSlS+LFe +Por2Cgbi9j9zN4n+r+77gXrJFokiTYGtWnMX1ZkIY3HAwQld9mYEc1zGFrV34D+A +awgYTBKYB5esy5K4SEem79HHSDV8z1PGDSjGmAzYYE6Z9UmzPCw0YA29qpjFYFq2 +sSjK4lNV5cIxQ/O/3kUs0rSmdSU/K5FCW1elJZg5MHHYZrg1xXfY9lOzn+4fc43M +MRF2vPNlSxpZYAR87HaeS4r7F4hV +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICpDCCAYwCCQCGninElsmhPzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAlE +IFJvb3QgQ0EwHhcNMTIwMjI5MTkxNTU5WhcNMjIwMjI2MTkxNTU5WjAUMRIwEAYD +VQQDDAlEIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+ +wxbkVPUSUZ/UyGiWSOgnvyJSFU0VIQMtbvmyy71XlCI21euFyVMTWukkJeHXV7lA +2nsQ3XfC6FvsbxYPd5auSSM2sIWCNO49KEX/xJXL5zQswh+WcDTz079fhjOf/dz2 +TLDufP2IuFaIGRJennTlaNBCRUVJyPcdysfiw3UfnCwxG5V7bpF/Rfr5y0UdC2W5 +yhKUfe7U1NfYQwfJ058OgBydSNuNaVnFm7E09khsBjET3Z/EsNq4n/Q3SnE16I9G +Bu+DrsrKiabKfh28bBzKLCHtbf+0FlAhAj/eSY3rVW23OushOeyFWWsxbmo5FM/V +ACEHD3OzFwBgnoiJHNn1AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAGZ0lFGL7+Et +uuQcbDLkc3NWKtqISAJx/Bms8nigQ2J/IFHDVp19NjCj29wJi7Dy8+p0Thfy8O2F +4/3aV3Ptl5Ay+1PVqVVhM4RkqLpuLHY2pHtjgREeflJEtcDGLX3v3zia7plHEGo5 +T22O6vLvFK/RbuAkFvmOjLif2JBnQQAaI+dUvrRtKGI0Ax1b8XkYD5p2Zalbbkd2 +uJOC0Mc7iyRkbUbP2e/fAzq9B/OXI2gD6uU25x4nskTptMvO6YNvTny8/zyhXdDc +U8Ue+UDeZ6VFg8K02N1gF5e0WgIdiM8ndkNS6r1g+2DNEZfoCFYGW1Ta8D5+n+uV +jFY6jvAVnlQ= +-----END CERTIFICATE----- diff --git a/net/data/ssl/certificates/redundant-validated-chain-root.pem b/net/data/ssl/certificates/redundant-validated-chain-root.pem new file mode 100644 index 0000000..6acfc1e --- /dev/null +++ b/net/data/ssl/certificates/redundant-validated-chain-root.pem 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICmjCCAYICCQCjrv+JsRC02TANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDDARD +IENBMB4XDTEyMDIyOTE5MTU1OVoXDTIyMDIyNjE5MTU1OVowDzENMAsGA1UEAwwE +QyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKX8Hsx2gvdq0u1c +ap1b3oNk3mkU9lSNzgHuUUDEzNZzTMVzymBNZNyE+QiQzkV6hE1LPQcya5VtGEgh +VkkB0BF1VMCMp0PYM72/2O+Jo9lDK4O2flrl2VNYPxxAVt1rbGfrgydpfk//pCNt +VDOF7dTjAUcpLKeRtyuJzWSWO237shuApsLsMkx574CqhDx3YEcuP71xZ8V69Jhw +cxdTo0P/+aKc0ztpYZnrgg36EPBoP28/9dUEfqwvTtF0Xxk5uFdceYKsledM0Iv8 +WS4K1LzoGx9wta4HuPTnl08LPJAD48Oy7Vuqzo/MueOUKWmHxf6nKaapWcgXEDQx +DKhhjKsCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAcDhE2mVuhe8Z5IGzakzIRbN4 +5jQieOQhg+eO9h0ywr+Z0c1Ib88CoTQa3oJXwBojo86zn0aPoifRsOSj8mV1l9Te +tGupoZwCjpPYHgL7j49ZY1nLMIQCmhiCaORXoJJTZWaQL79s4cnJ8bdIC3HPOtXF +inhESDT3+B2vkozWIzUZytAfcu0PCubbQ2AmLT0GZgP9yhg8R90m81yF3ZYnIuJt +bJSPo6at+aypb8NL//rVUAgzwMXn56DQ5+VcaPVVT8hgdpmQNXreCPTwbXWuXr1J +56OQVe9KHKXlpScLmwDFdc+6Kh+AM9Oz/czpdJZmPMnsAtgOeBN2Ad0Sqq6BBQ== +-----END CERTIFICATE----- diff --git a/net/data/ssl/certificates/redundant-validated-chain.pem b/net/data/ssl/certificates/redundant-validated-chain.pem new file mode 100644 index 0000000..211b5f6 --- /dev/null +++ b/net/data/ssl/certificates/redundant-validated-chain.pem 
@@ -0,0 +1,196 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA6NE6YtvtLz7IsraneD9Z/cQ+NURvx3bIYcdmCUvV4dklQnW4 +vpBqRioqElU9EyUY1cgTotOaliOIectRKGB7M9A5v4LWDeZHoifDcx+tpKms2EuY +mm9AOs35Xbi4Q95CILTvV3OdHez6l++sz+8Ctc361ugd1gq+wKmRn91Qq7k90piC +spanoHZEx+3BZJMkD5yVGX6c1KUcUQ2YkNH0sOKZ6Ed1v/TQFTQIIXPHs2WLQD/X +lQEaFOnhKeBF2VGwML170j3xfF/2icoLzWGBNg2pRK9bOziSHfEvOOw7AQ4Ya5ys +/XC/NuRHc1eGrGBv5rFH/1gu0xIoileLycCGDQIDAQABAoIBADnrU0sky2zlgah0 +KFWR7SFkoNU/oU9ODavFn2zQoPT+wHY4My21X7r04mKNMhSBNhx5Gel4Gw0e6eTi +393bosrREozCT95FW6zLl6QcTWaZj5Z/uAczhhcbBt56Bd1cfbcFTEXFTWEUg4Mo +7SUNoO75v12XgVSud6YWiVPsCxWtFmiE91pZINfOM0rBacASY7F+/jJwhlmt04Ru +qwyG2bWmVB97cj2IcNFMwrH/3vbml5YttTKEb1wlKodrj8BqzOcP5VW3DgXbjbz8 +gZtP+pjpP5e9F6UcmwXek12dGwqp+9Mo8veidI8dXNSEiHpdFiTOolsLTGVXziVP ++spFbAECgYEA96mAIB4RidCH2wYtKoepiGisJmFvebGFpyBUWjKtDFKg0ufJ3S/3 +HFq5Pn8473ii8qVjBwlin/bs9dOEuwEI2lvM39QeoUASVdfLOHoYKsK8dyFo7rTX +bQdwMQpSqYbJyi5OElHH/Z28celhF522Lt73uKVOFfiyGYlGzjApZV0CgYEA8KfJ +QCxA27mWTzzHjYtTEGlYskbGpV0XNhjSoCueJvqE8+FYYylSpIB7+yUUI/5g5Iau +aQlVFt+c2IyG5Fg+k7rc0arFkRm8HGp8df9aE7xdHwdw5BL/6wQDfFuP4sDIWVab +IdJDUgdp+G4OGKcSgVCBbIfMrlKll/fMqBWxaHECgYEAv0mZH7V5wGNje2VC33WX +GTgXtzFMw8a8v4A2BtDbXgg4FY5YGVJh3/Gm4MGs/THFUfsyCI5UMc+r6JduDm5X +IykCjeMtoUh2oP0jBsUvA2AT50PT44OkXJ8BJa+edzgXheTMAlROTvJVSfqDNpVm +0L8AwQpUzJ2hGh4wpTMH1jUCgYEAz+llqZeSAUL5ZUOxc8wm20roYj1baYpff1E6 +xz5nyG0vaDQL1L/islR+yJ9kIySmOUlSbVSuurA+Jahi8ex7Q85w8IOFZLLDHhmx +pZATFnHqUeBv29u+ViCFkm7YhKLhdK2qITIzDy9wkj0i2JGfHzGaX1WDtCebAQwJ +OD5lo0ECgYEA06/8JE1CBm3+NuwLzOEYMabfTUe9oe/2shP6SrGIGKf4s5vleDlk +yXNIGLFCtx8C3BXQbyEXg3l44dTOFka/rTe3LSfIzw+ed/sRkyoJuJljdL4dAvB+ +EU6DmsPAHawRxNqGDdaIw7USUYQz0OVyKGLnOmmsQUJR1OgDTils9z8= +-----END RSA PRIVATE KEY----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 236 (0xec) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=B CA + Validity + Not Before: Feb 29 19:15:59 2012 GMT + Not After : Feb 26 19:15:59 2022 GMT + Subject: C=US, ST=California, L=Mountain View, 
O=Test CA, CN=127.0.0.1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:e8:d1:3a:62:db:ed:2f:3e:c8:b2:b6:a7:78:3f: + 59:fd:c4:3e:35:44:6f:c7:76:c8:61:c7:66:09:4b: + d5:e1:d9:25:42:75:b8:be:90:6a:46:2a:2a:12:55: + 3d:13:25:18:d5:c8:13:a2:d3:9a:96:23:88:79:cb: + 51:28:60:7b:33:d0:39:bf:82:d6:0d:e6:47:a2:27: + c3:73:1f:ad:a4:a9:ac:d8:4b:98:9a:6f:40:3a:cd: + f9:5d:b8:b8:43:de:42:20:b4:ef:57:73:9d:1d:ec: + fa:97:ef:ac:cf:ef:02:b5:cd:fa:d6:e8:1d:d6:0a: + be:c0:a9:91:9f:dd:50:ab:b9:3d:d2:98:82:b2:96: + a7:a0:76:44:c7:ed:c1:64:93:24:0f:9c:95:19:7e: + 9c:d4:a5:1c:51:0d:98:90:d1:f4:b0:e2:99:e8:47: + 75:bf:f4:d0:15:34:08:21:73:c7:b3:65:8b:40:3f: + d7:95:01:1a:14:e9:e1:29:e0:45:d9:51:b0:30:bd: + 7b:d2:3d:f1:7c:5f:f6:89:ca:0b:cd:61:81:36:0d: + a9:44:af:5b:3b:38:92:1d:f1:2f:38:ec:3b:01:0e: + 18:6b:9c:ac:fd:70:bf:36:e4:47:73:57:86:ac:60: + 6f:e6:b1:47:ff:58:2e:d3:12:28:8a:57:8b:c9:c0: + 86:0d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + 78:3F:CB:F8:30:EA:63:A3:6E:FE:86:22:50:DE:24:BD:22:C8:BE:9D + X509v3 Authority Key Identifier: + keyid:4C:29:01:6A:B4:74:98:F4:B1:66:50:F0:8F:83:88:F0:C3:9D:5B:6D + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: sha1WithRSAEncryption + aa:a9:e5:68:e2:e9:94:d5:7d:fd:f8:76:e8:e3:23:2e:b9:a6: + 7c:0d:7a:d8:8b:9e:91:19:79:56:2d:1b:15:ad:90:1e:9a:d6: + 47:c0:3f:28:f3:ec:88:dd:25:4c:68:73:b5:b2:27:21:50:f6: + a6:b0:81:16:13:0f:b7:18:4e:a2:ed:2d:fe:ad:af:19:c5:f4: + b6:68:b9:50:05:37:29:f1:2d:97:d8:9f:fe:59:a1:f5:f7:ec: + 6c:18:18:7e:f4:e6:99:08:01:73:ab:60:98:51:4f:c3:ca:70: + e6:18:ab:90:04:7c:73:f2:84:0c:35:e5:1b:22:f1:50:ee:f4: + d8:24:7b:84:7b:39:21:a6:e4:53:04:7f:a5:38:58:da:29:86: + 1e:40:f0:dc:6d:ec:92:1c:4b:da:af:79:e6:27:ce:3f:53:f8: + dc:f1:48:3a:f0:e8:7b:9d:81:8b:44:28:c6:d7:4f:23:98:09: + 
53:b8:68:db:76:0c:09:d8:59:4f:c8:34:bb:1b:b1:b4:09:59: + 09:5d:53:b4:b9:9e:6d:4d:a3:f0:08:5d:2a:a0:b9:dd:9d:64: + 37:13:d6:41:61:6c:a8:18:37:7b:a7:55:3c:e5:78:ba:c0:aa: + d1:a7:a0:d5:1e:65:e7:34:41:b0:da:b6:05:cc:d7:51:66:cc: + 3a:00:c0:b1 +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgICAOwwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAwwEQiBD +QTAeFw0xMjAyMjkxOTE1NTlaFw0yMjAyMjYxOTE1NTlaMGAxCzAJBgNVBAYTAlVT +MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRAw +DgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDo0Tpi2+0vPsiytqd4P1n9xD41RG/Hdshhx2YJ +S9Xh2SVCdbi+kGpGKioSVT0TJRjVyBOi05qWI4h5y1EoYHsz0Dm/gtYN5keiJ8Nz +H62kqazYS5iab0A6zflduLhD3kIgtO9Xc50d7PqX76zP7wK1zfrW6B3WCr7AqZGf +3VCruT3SmIKylqegdkTH7cFkkyQPnJUZfpzUpRxRDZiQ0fSw4pnoR3W/9NAVNAgh +c8ezZYtAP9eVARoU6eEp4EXZUbAwvXvSPfF8X/aJygvNYYE2DalEr1s7OJId8S84 +7DsBDhhrnKz9cL825EdzV4asYG/msUf/WC7TEiiKV4vJwIYNAgMBAAGjbzBtMAwG +A1UdEwEB/wQCMAAwHQYDVR0OBBYEFHg/y/gw6mOjbv6GIlDeJL0iyL6dMB8GA1Ud +IwQYMBaAFEwpAWq0dJj0sWZQ8I+DiPDDnVttMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAqqnlaOLplNV9/fh26OMjLrmm +fA162IuekRl5Vi0bFa2QHprWR8A/KPPsiN0lTGhztbInIVD2prCBFhMPtxhOou0t +/q2vGcX0tmi5UAU3KfEtl9if/lmh9ffsbBgYfvTmmQgBc6tgmFFPw8pw5hirkAR8 +c/KEDDXlGyLxUO702CR7hHs5IabkUwR/pThY2imGHkDw3G3skhxL2q955ifOP1P4 +3PFIOvDoe52Bi0QoxtdPI5gJU7ho23YMCdhZT8g0uxuxtAlZCV1TtLmebU2j8Ahd +KqC53Z1kNxPWQWFsqBg3e6dVPOV4usCq0aeg1R5l5zRBsNq2BczXUWbMOgDAsQ== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 236 (0xec) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=C CA + Validity + Not Before: Feb 29 19:15:59 2012 GMT + Not After : Feb 26 19:15:59 2022 GMT + Subject: CN=B CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:d5:6d:be:6c:68:cd:70:e2:d6:02:3a:16:40:21: + 2c:93:56:de:74:88:61:ca:b4:0e:ab:cc:e9:bc:79: + 51:47:bf:a8:88:6d:3a:ad:93:db:43:f3:58:db:29: + 
8a:47:21:4c:54:0e:e7:24:26:cc:83:aa:ec:ae:cc: + d1:ce:14:c2:ce:56:c8:02:6a:4d:39:9f:6e:67:ff: + b1:e2:fe:d6:99:9f:af:90:bb:87:08:c4:77:6e:e7: + 07:79:d4:72:cf:1c:20:51:54:1f:ef:bc:76:02:d4: + 9e:c7:27:a6:53:fb:62:2b:b8:b1:63:ba:f6:13:84: + 05:b3:aa:bb:33:81:66:8f:37:6d:b9:fb:30:56:a6: + eb:69:fe:2f:a8:2a:ab:2f:f9:49:31:c1:d2:9c:9c: + 20:72:67:fd:35:37:bf:8e:f6:4c:58:52:f3:4c:ee: + a4:c4:68:21:ef:42:e4:f2:ba:e1:84:d5:4a:86:2b: + f2:25:11:07:52:6a:18:62:c9:ca:68:b8:d0:92:d9: + 09:d8:c0:16:8e:fd:56:c2:e3:63:8c:cd:49:23:ac: + 75:7d:24:19:c6:81:b3:a5:90:e3:56:78:7a:35:c8: + 35:97:3b:c5:e1:60:51:97:02:c3:1e:bb:33:68:8d: + eb:37:f7:c4:62:b4:11:b9:e5:29:95:4e:a4:e3:14: + 66:c5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 4C:29:01:6A:B4:74:98:F4:B1:66:50:F0:8F:83:88:F0:C3:9D:5B:6D + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Signature Algorithm: sha1WithRSAEncryption + 42:71:38:e7:27:f1:c4:3b:59:57:c3:68:99:1f:95:81:9c:2d: + 8e:c8:91:85:40:31:24:d2:1c:92:8e:d5:22:95:80:55:7b:a9: + db:48:a5:fd:5e:a3:46:f6:a0:17:1b:13:79:79:f8:c3:c7:fe: + 62:c2:c9:fa:fe:c4:59:97:19:12:92:98:c1:47:a4:5f:7c:d6: + 25:b7:84:6e:08:6a:9f:77:e0:2b:62:fb:ee:23:f5:3d:d7:99: + d2:2e:92:47:cc:b3:c1:d5:4b:6d:92:3e:1a:6f:68:93:af:2d: + a7:f5:2f:a2:6a:27:d2:32:ab:39:53:1f:0a:1e:cc:4e:af:46: + 77:a4:ed:b9:99:b3:13:06:f0:01:9d:db:ad:fd:0e:8b:53:ed: + 90:3a:e6:c2:c5:fb:13:ce:e4:1a:51:f9:1b:f3:76:3d:e6:da: + dd:e2:77:6e:72:18:0b:b4:74:fa:bf:78:72:80:98:b3:3c:59: + 2a:70:74:08:c5:73:0f:66:a6:1c:f6:79:f9:59:21:a8:0b:12: + f2:a7:6d:3b:18:e9:80:12:71:4c:2c:59:ac:fa:57:f4:e1:ab: + 04:76:e3:ff:60:e1:7d:f5:bd:12:0c:01:54:46:e4:f3:ca:f2: + 06:dd:5e:2f:87:07:cb:9a:04:6e:c5:33:dd:8e:52:c6:73:7a: + 65:21:b9:a4 +-----BEGIN CERTIFICATE----- +MIIC3DCCAcSgAwIBAgICAOwwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAwwEQyBD +QTAeFw0xMjAyMjkxOTE1NTlaFw0yMjAyMjYxOTE1NTlaMA8xDTALBgNVBAMMBEIg 
+Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVbb5saM1w4tYCOhZA +ISyTVt50iGHKtA6rzOm8eVFHv6iIbTqtk9tD81jbKYpHIUxUDuckJsyDquyuzNHO +FMLOVsgCak05n25n/7Hi/taZn6+Qu4cIxHdu5wd51HLPHCBRVB/vvHYC1J7HJ6ZT ++2IruLFjuvYThAWzqrszgWaPN225+zBWputp/i+oKqsv+UkxwdKcnCByZ/01N7+O +9kxYUvNM7qTEaCHvQuTyuuGE1UqGK/IlEQdSahhiycpouNCS2QnYwBaO/VbC42OM +zUkjrHV9JBnGgbOlkONWeHo1yDWXO8XhYFGXAsMeuzNojes398RitBG55SmVTqTj +FGbFAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEwpAWq0dJj0 +sWZQ8I+DiPDDnVttMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEA +QnE45yfxxDtZV8NomR+VgZwtjsiRhUAxJNIcko7VIpWAVXup20il/V6jRvagFxsT +eXn4w8f+YsLJ+v7EWZcZEpKYwUekX3zWJbeEbghqn3fgK2L77iP1PdeZ0i6SR8yz +wdVLbZI+Gm9ok68tp/Uvomon0jKrOVMfCh7MTq9Gd6TtuZmzEwbwAZ3brf0Oi1Pt +kDrmwsX7E87kGlH5G/N2Peba3eJ3bnIYC7R0+r94coCYszxZKnB0CMVzD2amHPZ5 ++VkhqAsS8qdtOxjpgBJxTCxZrPpX9OGrBHbj/2DhffW9EgwBVEbk88ryBt1eL4cH +y5oEbsUz3Y5SxnN6ZSG5pA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICmjCCAYICCQCjrv+JsRC02TANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDDARD +IENBMB4XDTEyMDIyOTE5MTU1OVoXDTIyMDIyNjE5MTU1OVowDzENMAsGA1UEAwwE +QyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKX8Hsx2gvdq0u1c +ap1b3oNk3mkU9lSNzgHuUUDEzNZzTMVzymBNZNyE+QiQzkV6hE1LPQcya5VtGEgh +VkkB0BF1VMCMp0PYM72/2O+Jo9lDK4O2flrl2VNYPxxAVt1rbGfrgydpfk//pCNt +VDOF7dTjAUcpLKeRtyuJzWSWO237shuApsLsMkx574CqhDx3YEcuP71xZ8V69Jhw +cxdTo0P/+aKc0ztpYZnrgg36EPBoP28/9dUEfqwvTtF0Xxk5uFdceYKsledM0Iv8 +WS4K1LzoGx9wta4HuPTnl08LPJAD48Oy7Vuqzo/MueOUKWmHxf6nKaapWcgXEDQx +DKhhjKsCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAcDhE2mVuhe8Z5IGzakzIRbN4 +5jQieOQhg+eO9h0ywr+Z0c1Ib88CoTQa3oJXwBojo86zn0aPoifRsOSj8mV1l9Te +tGupoZwCjpPYHgL7j49ZY1nLMIQCmhiCaORXoJJTZWaQL79s4cnJ8bdIC3HPOtXF +inhESDT3+B2vkozWIzUZytAfcu0PCubbQ2AmLT0GZgP9yhg8R90m81yF3ZYnIuJt +bJSPo6at+aypb8NL//rVUAgzwMXn56DQ5+VcaPVVT8hgdpmQNXreCPTwbXWuXr1J +56OQVe9KHKXlpScLmwDFdc+6Kh+AM9Oz/czpdJZmPMnsAtgOeBN2Ad0Sqq6BBQ== +-----END CERTIFICATE----- 
diff --git a/net/data/ssl/scripts/generate-redundant-test-chains.sh b/net/data/ssl/scripts/generate-redundant-test-chains.sh
new file mode 100755
index 0000000..58768e8
--- /dev/null
+++ b/net/data/ssl/scripts/generate-redundant-test-chains.sh
@@ -0,0 +1,187 @@
+#!/bin/sh
+
+# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This script generates two chains of test certificates:
+#
+# 1. A (end-entity) -> B -> C -> D (self-signed root)
+# 2. A (end-entity) -> B -> C2 (self-signed root)
+#
+# in which A, B, C, and D have distinct keypairs. C2 is a self-signed root
+# certificate that uses the same keypair as C.
+#
+# We use these cert chains in
+# SSLClientSocketTest.VerifyReturnChainProperlyOrdered to ensure that
+# SSLInfo objects see the certificate chain as validated rather than as
+# served by the server. The server serves chain 1. The client has C2, NOT D,
+# installed as a trusted root. Therefore, the chain will validate as chain
+# 2, even though the server served chain 1.
+
+try () {
+ echo "$@"
+ $@ || exit 1
+}
+
+generate_key_command () {
+ case "$1" in
+ rsa)
+ echo genrsa
+ ;;
+ *)
+ exit 1
+ esac
+}
+
+try rm -rf out
+try mkdir out
+
+echo Create the serial number files.
+serial=100
+for i in B C C2 D
+do
+ try echo $serial > out/$i-serial
+ serial=$(expr $serial + 1)
+done
+
+echo Generate the keys.
+try openssl genrsa -out out/A.key 2048
+try openssl genrsa -out out/B.key 2048
+try openssl genrsa -out out/C.key 2048
+try openssl genrsa -out out/D.key 2048
+
+echo Generate the D CSR.
+CA_COMMON_NAME="D Root CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ TYPE=D CERTIFICATE=D \
+ try openssl req \
+ -new \
+ -key out/D.key \
+ -out out/D.csr \
+ -config redundant-ca.cnf
+
+echo D signs itself.
+CA_COMMON_NAME="D Root CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ try openssl x509 \
+ -req -days 3650 \
+ -in out/D.csr \
+ -extensions ca_cert \
+ -signkey out/D.key \
+ -out out/D.pem
+
+echo Generate the C2 root CSR.
+CA_COMMON_NAME="C CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ TYPE=C2 CERTIFICATE=C2 \
+ try openssl req \
+ -new \
+ -key out/C.key \
+ -out out/C2.csr \
+ -config redundant-ca.cnf
+
+echo C2 signs itself.
+CA_COMMON_NAME="C CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ try openssl x509 \
+ -req -days 3650 \
+ -in out/C2.csr \
+ -extensions ca_cert \
+ -signkey out/C.key \
+ -out out/C2.pem
+
+echo Generate the B and C intermediaries\' CSRs.
+for i in B C
+do
+ name="$i Intermediate CA"
+ CA_COMMON_NAME="$i CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ TYPE=$i CERTIFICATE=$i \
+ try openssl req \
+ -new \
+ -key out/$i.key \
+ -out out/$i.csr \
+ -config redundant-ca.cnf
+done
+
+echo D signs the C intermediate.
+# Make sure the signer's DB file exists.
+touch out/D-index.txt
+CA_COMMON_NAME="D Root CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ TYPE=D CERTIFICATE=D \
+ try openssl ca \
+ -batch \
+ -extensions ca_cert \
+ -in out/C.csr \
+ -out out/C.pem \
+ -config redundant-ca.cnf
+
+echo C signs the B intermediate.
+touch out/C-index.txt
+CA_COMMON_NAME="C CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ TYPE=C CERTIFICATE=C \
+ try openssl ca \
+ -batch \
+ -extensions ca_cert \
+ -in out/B.csr \
+ -out out/B.pem \
+ -config redundant-ca.cnf
+
+echo Generate the A end-entity CSR.
+try openssl req \
+ -new \
+ -key out/A.key \
+ -out out/A.csr \
+ -config ee.cnf
+
+echo B signs A.
+touch out/B-index.txt
+CA_COMMON_NAME="B CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=$signer_key_size \
+ ALGO=$signer_algo \
+ CERT_TYPE=intermediate \
+ TYPE=B CERTIFICATE=B \
+ try openssl ca \
+ -batch \
+ -extensions user_cert \
+ -in out/A.csr \
+ -out out/A.pem \
+ -config redundant-ca.cnf
+
+echo Create redundant-server-chain.pem
+cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
+ > redundant-server-chain.pem
+
+echo Create redundant-validated-chain.pem
+cat out/A.key out/A.pem out/B.pem out/C2.pem > redundant-validated-chain.pem
+
+echo Create redundant-validated-chain-root.pem
+cp out/C2.pem redundant-validated-chain-root.pem
+
diff --git a/net/data/ssl/scripts/redundant-ca.cnf b/net/data/ssl/scripts/redundant-ca.cnf
new file mode 100644
index 0000000..e1b24e0
--- /dev/null
+++ b/net/data/ssl/scripts/redundant-ca.cnf
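Review bot: In the serial-number loop of generate-redundant-test-chains.sh, `try echo $serial > out/$i-serial` redirects the whole `try` call, so the command trace that `try` prints with `echo "$@"` lands in the serial file ahead of the number. The three certificates issued through `openssl ca` in the committed chains all carry serial 236 (0xec), which looks like the leading hex digits of the word "echo" being parsed instead of the intended 100–103. Write the file without the wrapper, `echo $serial > out/$i-serial || exit 1`. In the "B signs A" step, `KEY_SIZE=$signer_key_size` and `ALGO=$signer_algo` reference variables this script never sets, so they expand to empty strings; use `KEY_SIZE=2048` and `ALGO=rsa` as the other steps do. `try` also runs `$@` unquoted, which re-splits any argument containing spaces; `"$@"` is the safe form.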
@@ -0,0 +1,80 @@
+[ca]
+default_ca = CA_root
+preserve = yes
+
+# The default test root, used to generate certificates and CRLs.
+[CA_root]
+dir = $ENV::CA_DIR
+key_size = $ENV::KEY_SIZE
+algo = $ENV::ALGO
+cert_type = $ENV::CERT_TYPE
+type = $ENV::TYPE
+certificate = $ENV::CERTIFICATE
+database = $dir/$type-index.txt
+new_certs_dir = $dir
+serial = $dir/$type-serial
+certificate = $dir/$certificate.pem
+private_key = $dir/$type.key
+RANDFILE = $dir/rand
+default_days = 3650
+default_crl_days = 30
+default_md = sha1
+policy = policy_anything
+unique_subject = no
+
+[user_cert]
+# Extensions to add when signing a request for an EE cert
+basicConstraints = critical, CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage = serverAuth,clientAuth
+
+[ca_cert]
+# Extensions to add when signing a request for an intermediate/CA cert
+basicConstraints = critical, CA:true
+subjectKeyIdentifier = hash
+#authorityKeyIdentifier = keyid:always
+keyUsage = critical, keyCertSign, cRLSign
+
+[crl_extensions]
+# Extensions to add when signing a CRL
+authorityKeyIdentifier = keyid:always
+
+[policy_anything]
+# Default signing policy
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[req]
+# The request section used to generate the root CA certificate. This should
+# not be used to generate end-entity certificates. For certificates other
+# than the root CA, see README to find the appropriate configuration file
+# (ie: openssl_cert.cnf).
+default_bits = $ENV::KEY_SIZE
+default_md = sha1
+string_mask = utf8only
+prompt = no
+encrypt_key = no
+distinguished_name = $ENV::CA_NAME
+
+[req_ca_dn]
+C = US
+ST = California
+L = Mountain View
+O = Test CA
+CN = Test Root 2 CA
+
+[req_intermediate_dn]
+C = US
+ST = California
+L = Mountain View
+O = Test CA
+CN = Test Intermediate 2 CA
+
+[req_env_dn]
+CN = $ENV::CA_COMMON_NAME |
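Review bot: `[CA_root]` in redundant-ca.cnf assigns `certificate` twice, first `certificate = $ENV::CERTIFICATE` and then `certificate = $dir/$certificate.pem`, so the signer path presumably resolves only because the second line expands the first before overriding it. A distinct name would make that explicit, for example `cert_name = $ENV::CERTIFICATE` followed by `certificate = $dir/$cert_name.pem`. Both `default_md = sha1` settings produce SHA-1 signatures, which is tolerable only because these are test fixtures and will need regenerating if the verifier under test starts rejecting SHA-1 chains. The comment in `[req]` refers to a README and `openssl_cert.cnf` that are not part of this change and appears to be copied from another config; it should instead say that the generator script selects the DN section through `CA_NAME=req_env_dn`.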