From 24d58f9d73550a3578a59247ed3b3524bf2b6011 Mon Sep 17 00:00:00 2001 
From: MTG <36234449+mtgag@users.noreply.github.com> Date: Sun, 23 Jun 2024 16:50:13 +0200 Subject: [PATCH 1/9] Subscriber aia lints (#860) * lint about the encoding of qcstatements for PSD2 * Revert "lint about the encoding of qcstatements for PSD2" This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC * always check and perform the operation in the execution * synchronised with project * synchronised with project * synchronised with project * synchronised with project * fixed merge error * synchronised with project * synchronised with project * Revert "synchronised with project" This reverts commit bad73ee2d5669394cde3053d300f285a91f75fd6. * Revert "synchronised with project" This reverts commit 2cd7d087f4a812d4ef3640560edf1d07cce2ea56. * adding lints for subscriber aia * updated integration data * goimports * goimports --------- Co-authored-by: mtg Co-authored-by: GitHub Co-authored-by: Christopher Henderson --- v3/integration/config.json | 3 + v3/integration/small.config.json | 3 + ...ia_must_contain_permitted_access_method.go | 113 ++++++++++++++++++ ...st_contain_permitted_access_method_test.go | 102 ++++++++++++++++ .../lint_aia_ocsp_must_have_http_only.go | 78 ++++++++++++ .../lint_aia_ocsp_must_have_http_only_test.go | 90 ++++++++++++++ v3/lints/cabf_br/lint_aia_unique_locations.go | 89 ++++++++++++++ .../cabf_br/lint_aia_unique_locations_test.go | 102 ++++++++++++++++ ...ert_aia_does_not_contain_issuing_ca_url.go | 8 +- ..._sub_cert_aia_does_not_contain_ocsp_url.go | 2 +- ...cert_aia_does_not_contain_ocsp_url_test.go | 8 ++ .../aiaDuplicateCaIssuerUrlUpperCase.pem | 51 ++++++++ v3/testdata/aiaDuplicateOCSPUrl.pem | 50 ++++++++ v3/testdata/aiaOCSPHttpOnlyNE.pem | 44 +++++++ v3/testdata/aiaOCSPOneHTTPOneLDAP.pem | 46 +++++++ v3/testdata/aiaOCSPWithHTTPSURL.pem | 44 +++++++ v3/testdata/aiaWrongGeneralName.pem | 44 +++++++ v3/testdata/caCertificateAfter15092023.pem | 43 +++++++ 
v3/testdata/unsupportedAccessMethod.pem | 44 +++++++ 19 files changed, 960 insertions(+), 4 deletions(-) create mode 100644 v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go create mode 100644 v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method_test.go create mode 100644 v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go create mode 100644 v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only_test.go create mode 100644 v3/lints/cabf_br/lint_aia_unique_locations.go create mode 100644 v3/lints/cabf_br/lint_aia_unique_locations_test.go create mode 100644 v3/testdata/aiaDuplicateCaIssuerUrlUpperCase.pem create mode 100644 v3/testdata/aiaDuplicateOCSPUrl.pem create mode 100644 v3/testdata/aiaOCSPHttpOnlyNE.pem create mode 100644 v3/testdata/aiaOCSPOneHTTPOneLDAP.pem create mode 100644 v3/testdata/aiaOCSPWithHTTPSURL.pem create mode 100644 v3/testdata/aiaWrongGeneralName.pem create mode 100644 v3/testdata/caCertificateAfter15092023.pem create mode 100644 v3/testdata/unsupportedAccessMethod.pem diff --git a/v3/integration/config.json b/v3/integration/config.json index a40b654c0..67337e2e7 100644 --- a/v3/integration/config.json +++ b/v3/integration/config.json @@ -817,6 +817,9 @@ "ErrCount": 23 }, "e_cab_dv_subject_invalid_values": {}, + "e_aia_must_contain_permitted_access_method": {}, + "e_aia_ocsp_must_have_http_only": {}, + "e_aia_unique_access_locations": {}, "n_ca_digital_signature_not_set": { "NoticeCount": 1405 }, diff --git a/v3/integration/small.config.json b/v3/integration/small.config.json index 7f85f0159..06c78dff2 100644 --- a/v3/integration/small.config.json +++ b/v3/integration/small.config.json @@ -329,6 +329,9 @@ "n_ca_digital_signature_not_set": { "NoticeCount": 29 }, + "e_aia_must_contain_permitted_access_method": {}, + "e_aia_ocsp_must_have_http_only": {}, + "e_aia_unique_access_locations": {}, "n_contains_redacted_dnsname": { "NoticeCount": 8 }, 
diff --git a/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go b/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go
new file mode 100644
index 000000000..ca7412408
--- /dev/null
+++ b/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go
@@ -0,0 +1,113 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type bRAIAAccessMethodAllowed struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+Each AccessDescription MUST only contain a permitted accessMethod, as detailed below,
+and each accessLocation MUST be encoded as the specified GeneralName type.
+
+This lint checks that only the id-ad-ocsp or id-ad-caIssuers accessMethod is present
+and that the value is a uniformResourceIdentifier GeneralName.
+
+GeneralName ::= CHOICE {
+ otherName [0] AnotherName,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ORAddress,
+ directoryName [4] Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER }
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_aia_must_contain_permitted_access_method",
+ Description: "The AIA must contain only the id-ad-ocsp or id-ad-caIssuers accessMethod. Others are not allowed. Also, each accessLocation MUST be encoded as uniformResourceIdentifier GeneralName.",
+ Citation: "BRs: 7.1.2.7.7",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewBRAIAAccessMethodAllowed,
+ })
+}
+
+func NewBRAIAAccessMethodAllowed() lint.LintInterface {
+ return &bRAIAAccessMethodAllowed{}
+}
+
+func (l *bRAIAAccessMethodAllowed) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID)
+}
+
+func (l *bRAIAAccessMethodAllowed) Execute(c *x509.Certificate) *lint.LintResult {
+
+ // see x509.go
+ for _, ext := range c.Extensions {
+ if ext.Id.Equal(util.AiaOID) {
+ var aia []authorityInfoAccess
+ _, err := asn1.Unmarshal(ext.Value, &aia)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Fatal}
+ }
+ for _, v := range aia {
+ if v.Location.Tag != 6 {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate has an invalid GeneralName with tag %d in an accessLocation.", v.Location.Tag)}
+ }
+
+ if !(v.Method.Equal(idAdCaIssuers) || v.Method.Equal(idAdOCSP)) {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate has an invalid accessMethod with OID %s.", v.Method)}
+ }
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+type authorityInfoAccess struct {
+ Method asn1.ObjectIdentifier
+ Location asn1.RawValue
+}
+
+var (
+ idAdOCSP = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
+ idAdCaIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
+)
diff --git a/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method_test.go b/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method_test.go
new file mode 100644
index 000000000..b5269a4a3
--- /dev/null
+++ b/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method_test.go
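Review bot: The `rest` return of asn1.Unmarshal in Execute is discarded (`_, err := asn1.Unmarshal(ext.Value, &aia)`), so an AIA extension value with trailing bytes after the AccessDescription SEQUENCE is accepted as well-formed; it should be `rest, err := asn1.Unmarshal(ext.Value, &aia)` followed by `if err != nil || len(rest) != 0 { return &lint.LintResult{Status: lint.Fatal} }`. The accessLocation check `v.Location.Tag != 6` compares the tag number only, so a location encoded as a universal OBJECT IDENTIFIER (universal tag 6) also passes, although uniformResourceIdentifier is the context-specific tag [6]; comparing the class too, `v.Location.Class != asn1.ClassContextSpecific || v.Location.Tag != 6`, closes that gap (the constant is the one from the standard encoding/asn1, from which zcrypto's fork derives — confirm it is exported there). The Fatal result for a decode failure carries no Details, so `Details: err.Error()` would tell the reader why the extension could not be parsed.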
@@ -0,0 +1,102 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestBRAIAAccessMethodAllowed(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + + ExpectedResult lint.LintStatus + ExpectedDetails string + }{ + { + Name: "pass - AIA has only one HTTP URI for id-ad-caIssuers accessMethod.", + InputFilename: "aiaCaIssuersHTTPOnly.pem", + + ExpectedResult: lint.Pass, + }, + { + Name: "NA - AIA is missing.", + InputFilename: "subjectOCorrectEncoding.pem", + + ExpectedResult: lint.NA, + }, + { + Name: "pass - AIA has one HTTP URL for id-ad-ocsp accessMethod.", + InputFilename: "aiaCaIssuersHttpOnlyNoCAIssuers.pem", + + ExpectedResult: lint.Pass, + }, + { + Name: "pass - AIA has two HTTP URLs for id-ad-ocsp accessMethod, one is HTTP the other is LDAP.", + InputFilename: "aiaOCSPOneHTTPOneLDAP.pem", + + ExpectedResult: lint.Pass, + }, + { + Name: "pass - AIA has one HTTPS URL for id-ad-ocsp accessMethod.", + InputFilename: "aiaOCSPWithHTTPSURL.pem", + + ExpectedResult: lint.Pass, + }, + { + Name: "error - AIA has one unsupported access method (OID is the DV policy OID).", + InputFilename: "unsupportedAccessMethod.pem", + + ExpectedResult: lint.Error, + ExpectedDetails: "Certificate has an invalid accessMethod with OID 2.23.140.1.2.1.", + }, + { + 
Name: "error - AIA has the id-ad-ocsp accessMethod with an rfc822Name as value.", + InputFilename: "aiaWrongGeneralName.pem", + + ExpectedResult: lint.Error, + ExpectedDetails: "Certificate has an invalid GeneralName with tag 1 in an accessLocation.", + }, + { + Name: "NE - AIA has only one HTTP URI for id-ad-ocsp accessMethod and it is issued before September 15th 2023.", + InputFilename: "aiaOCSPHttpOnlyNE.pem", + + ExpectedResult: lint.NE, + }, + { + Name: "NA - CA certificate issued on September 15th 2023.", + InputFilename: "caCertificateAfter15092023.pem", + + ExpectedResult: lint.NA, + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_aia_must_contain_permitted_access_method", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + + if tc.ExpectedResult == lint.Error && tc.ExpectedDetails != result.Details { + t.Errorf("expected details: %q, was %q", tc.ExpectedDetails, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go b/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go new file mode 100644 index 000000000..6b56e1779 --- /dev/null +++ b/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go 
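Review bot: The case name `pass - AIA has two HTTP URLs for id-ad-ocsp accessMethod, one is HTTP the other is LDAP.` contradicts itself, since one of the two locations is an LDAP URL, not HTTP; `pass - AIA has two URLs for id-ad-ocsp accessMethod, one HTTP and one LDAP.` describes aiaOCSPOneHTTPOneLDAP.pem accurately. The same name is reused in the tables of lint_aia_ocsp_must_have_http_only_test.go and lint_aia_unique_locations_test.go and should be corrected there as well.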
@@ -0,0 +1,78 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+ "net/url"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type bRAIAOCSPHasHTTPOnly struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+id-ad-ocsp
+1.3.6.1.5.5.7.48.1 uniformResourceIdentifier MUST A HTTP URL of the
+Issuing CA’s OCSP responder.
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_aia_ocsp_must_have_http_only",
+ Description: "The id-ad-ocsp accessMethod must contain an HTTP URL of the of the Issuing CA’s OCSP responder. Other schemes are not allowed.",
+ Citation: "BRs: 7.1.2.7.7",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewBRAIAOCSPHasHTTPOnly,
+ })
+}
+
+func NewBRAIAOCSPHasHTTPOnly() lint.LintInterface {
+ return &bRAIAOCSPHasHTTPOnly{}
+}
+
+func (l *bRAIAOCSPHasHTTPOnly) CheckApplies(c *x509.Certificate) bool {
+ return len(c.OCSPServer) > 0 && util.IsSubscriberCert(c)
+}
+
+func (l *bRAIAOCSPHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, u := range c.OCSPServer {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error, Details: "Could not parse OCSP URL in AIA."}
+ }
+ if purl.Scheme != "http" {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in OCSP URL of AIA, which is not allowed.", purl.Scheme)}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only_test.go b/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only_test.go
new file mode 100644
index 000000000..12e109cde
--- /dev/null
+++ b/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only_test.go
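Review bot: The lint's Description reads `an HTTP URL of the of the Issuing CA’s OCSP responder`, a doubled "of the" that is shown in every report and in generated lint documentation; it should read `an HTTP URL of the Issuing CA’s OCSP responder`. In Execute the scheme is interpolated with `%s`, so a location without a scheme (url.Parse accepts a bare `ocsp.example.com/ocsp` as a relative reference) yields the puzzling `Found scheme  in OCSP URL of AIA`; `%q` makes the empty scheme visible. The parse-failure branch should also name the offending location, `Details: fmt.Sprintf("Could not parse OCSP URL %q in AIA.", u)`, so the reader knows which of several OCSP URLs failed.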
@@ -0,0 +1,90 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestBRAIAOCSPHasHTTPOnly(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + + ExpectedResult lint.LintStatus + ExpectedDetails string + }{ + { + Name: "NA - AIA has only one HTTP URI for id-ad-caIssuers accessMethod.", + InputFilename: "aiaCaIssuersHTTPOnly.pem", + + ExpectedResult: lint.NA, + }, + { + Name: "NA - AIA is missing", + InputFilename: "subjectOCorrectEncoding.pem", + + ExpectedResult: lint.NA, + }, + { + Name: "pass - AIA has one HTTP URL for id-ad-ocsp accessMethod.", + InputFilename: "aiaCaIssuersHttpOnlyNoCAIssuers.pem", + + ExpectedResult: lint.Pass, + }, + { + Name: "error - AIA has two HTTP URLs for id-ad-ocsp accessMethod, one is HTTP the other is LDAP.", + InputFilename: "aiaOCSPOneHTTPOneLDAP.pem", + + ExpectedResult: lint.Error, + ExpectedDetails: "Found scheme ldap in OCSP URL of AIA, which is not allowed.", + }, + { + Name: "error - AIA has one HTTPS URL for id-ad-ocsp accessMethod", + InputFilename: "aiaOCSPWithHTTPSURL.pem", + + ExpectedResult: lint.Error, + ExpectedDetails: "Found scheme https in OCSP URL of AIA, which is not allowed.", + }, + { + Name: "NE - AIA has only one HTTP URI for id-ad-ocsp accessMethod and it is issued before September 15th 
2023.", + InputFilename: "aiaOCSPHttpOnlyNE.pem", + + ExpectedResult: lint.NE, + }, + { + Name: "NA - CA certificate issued on September 15th 2023.", + InputFilename: "caCertificateAfter15092023.pem", + + ExpectedResult: lint.NA, + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_aia_ocsp_must_have_http_only", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + + if tc.ExpectedResult == lint.Error && tc.ExpectedDetails != result.Details { + t.Errorf("expected details: %q, was %q", tc.ExpectedDetails, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_br/lint_aia_unique_locations.go b/v3/lints/cabf_br/lint_aia_unique_locations.go new file mode 100644 index 000000000..f176d35e4 --- /dev/null +++ b/v3/lints/cabf_br/lint_aia_unique_locations.go 
@@ -0,0 +1,89 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type bRAIAAccessLocationUnique struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+When multiple AccessDescriptions are present with the same accessMethod,
+each accessLocation MUST be unique.
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_aia_unique_access_locations",
+ Description: "When multiple AccessDescriptions are present with the same accessMethod in the AIA extension, then each accessLocation MUST be unique.",
+ Citation: "BRs: 7.1.2.7.7",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewBRAIAAccessLocationUnique,
+ })
+}
+
+func NewBRAIAAccessLocationUnique() lint.LintInterface {
+ return &bRAIAAccessLocationUnique{}
+}
+
+func (l *bRAIAAccessLocationUnique) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && (len(c.IssuingCertificateURL) > 0 || len(c.OCSPServer) > 0)
+}
+
+func (l *bRAIAAccessLocationUnique) Execute(c *x509.Certificate) *lint.LintResult {
+
+ ocspURLs := make([]string, 0)
+ for _, url := range c.OCSPServer {
+ for _, foundURL := range ocspURLs {
+ if strings.EqualFold(url, foundURL) {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("accessLocation with URL %s is found more than once in OCSP URLs", url)}
+ }
+ }
+ ocspURLs = append(ocspURLs, url)
+ }
+
+ issuingCertificateURLs := make([]string, 0)
+ for _, url := range c.IssuingCertificateURL {
+ for _, foundURL := range issuingCertificateURLs {
+ if strings.EqualFold(url, foundURL) {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("accessLocation with URL %s is found more than once in caIssuers URLs", url)}
+ }
+ }
+ issuingCertificateURLs = append(issuingCertificateURLs, url)
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_br/lint_aia_unique_locations_test.go b/v3/lints/cabf_br/lint_aia_unique_locations_test.go
new file mode 100644
index 000000000..9fa93697a
--- /dev/null
+++ b/v3/lints/cabf_br/lint_aia_unique_locations_test.go
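Review bot: The two loops in Execute are the same duplicate scan written twice, once for OCSPServer and once for IssuingCertificateURL, and the loop variable `url` shadows the name of the standard package that the sibling lint imports; a small helper returning the first repeated location keeps a single copy of the comparison and leaves Execute as two guard clauses (below, behaviour and Details strings unchanged). Separately, strings.EqualFold case-folds the entire URL, whereas only the scheme and host of a URL are case-insensitive and the path is not (RFC 3986 section 6.2.2.1), so two distinct locations differing only in path case are reported as duplicates; the test aiaDuplicateCaIssuerUrlUpperCase.pem expects exactly that, so if the strictness is intended the Description should state `(compared case-insensitively)` rather than leave it implicit.
```go
// firstDuplicate returns the first element of urls that repeats an earlier one
// (compared with strings.EqualFold, as before) and whether one was found.
func firstDuplicate(urls []string) (string, bool) {
	for i, u := range urls {
		for _, earlier := range urls[:i] {
			if strings.EqualFold(u, earlier) {
				return u, true
			}
		}
	}
	return "", false
}

func (l *bRAIAAccessLocationUnique) Execute(c *x509.Certificate) *lint.LintResult {
	if u, dup := firstDuplicate(c.OCSPServer); dup {
		return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("accessLocation with URL %s is found more than once in OCSP URLs", u)}
	}
	if u, dup := firstDuplicate(c.IssuingCertificateURL); dup {
		return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("accessLocation with URL %s is found more than once in caIssuers URLs", u)}
	}
	return &lint.LintResult{Status: lint.Pass}
}
```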
@@ -0,0 +1,102 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestBRAIAAccessLocationUnique(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + + ExpectedResult lint.LintStatus + ExpectedDetails string + }{ + { + Name: "pass - AIA has only one HTTP URI for id-ad-caIssuers accessMethod.", + InputFilename: "aiaCaIssuersHTTPOnly.pem", + + ExpectedResult: lint.Pass, + }, + { + Name: "NA - AIA is missing", + InputFilename: "subjectOCorrectEncoding.pem", + + ExpectedResult: lint.NA, + }, + { + Name: "pass - AIA has one HTTP URL for id-ad-ocsp accessMethod.", + InputFilename: "aiaCaIssuersHttpOnlyNoCAIssuers.pem", + + ExpectedResult: lint.Pass, + }, + { + Name: "pass - AIA has two HTTP URLs for id-ad-ocsp accessMethod, one is HTTP the other is LDAP.", + InputFilename: "aiaOCSPOneHTTPOneLDAP.pem", + + ExpectedResult: lint.Pass, + }, + { + Name: "pass - AIA has one HTTPS URL for id-ad-ocsp accessMethod", + InputFilename: "aiaOCSPWithHTTPSURL.pem", + + ExpectedResult: lint.Pass, + }, + { + Name: "NE - AIA has only one HTTP URI for id-ad-ocsp accessMethod and it is issued before September 15th 2023.", + InputFilename: "aiaOCSPHttpOnlyNE.pem", + + ExpectedResult: lint.NE, + }, + { + Name: "NA - CA certificate issued on September 15th 2023.", + 
InputFilename: "caCertificateAfter15092023.pem", + + ExpectedResult: lint.NA, + }, + { + Name: "error - AIA has four OCSP URLs, two of them are case-sensitive the same.", + InputFilename: "aiaDuplicateOCSPUrl.pem", + + ExpectedResult: lint.Error, + ExpectedDetails: "accessLocation with URL http://ocsp1.example.com/ocsp is found more than once in OCSP URLs", + }, + { + Name: "error - AIA has four caIssuer URLs, two of them are case-insensitive the same.", + InputFilename: "aiaDuplicateCaIssuerUrlUpperCase.pem", + + ExpectedResult: lint.Error, + ExpectedDetails: "accessLocation with URL http://caissuer1.example.com/caIssuer is found more than once in caIssuers URLs", + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_aia_unique_access_locations", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + + if tc.ExpectedResult == lint.Error && tc.ExpectedDetails != result.Details { + t.Errorf("expected details: %q, was %q", tc.ExpectedDetails, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go b/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go index 9447ab920..3fa1f12c1 100644 --- a/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go +++ b/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go 
@@ -26,9 +26,11 @@ type subCertIssuerUrl struct{} /************************************************************************ BRs: 7.1.2.3 -cRLDistributionPoints -This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the -HTTP URL of the CA’s CRL service. +authorityInformationAccess +This extension MUST be present. It MUST NOT be marked critical, and it MUST contain +the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). +It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = +1.3.6.1.5.5.7.48.2). *************************************************************************/ func init() { diff --git a/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go b/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go index d007651de..290c1e6bc 100644 --- a/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go +++ b/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go @@ -37,7 +37,7 @@ func init() { lint.RegisterCertificateLint(&lint.CertificateLint{ LintMetadata: lint.LintMetadata{ Name: "e_sub_cert_aia_does_not_contain_ocsp_url", - Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.", + Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OCSP responder.", Citation: "BRs: 7.1.2.3", Source: lint.CABFBaselineRequirements, EffectiveDate: util.CABEffectiveDate, diff --git a/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url_test.go b/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url_test.go index f6172b4ef..a1735518e 100644 --- a/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url_test.go +++ b/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url_test.go 
@@ -38,3 +38,11 @@ func TestSubCertHasIssuerOcsp(t *testing.T) { t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) } } +func TestSubCertHasIssuerOcspWithHTTPAndLDAP(t *testing.T) { + inputPath := "aiaOCSPOneHTTPOneLDAP.pem" + expected := lint.Pass + out := test.TestLint("e_sub_cert_aia_does_not_contain_ocsp_url", inputPath) + if out.Status != expected { + t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) + } +} diff --git a/v3/testdata/aiaDuplicateCaIssuerUrlUpperCase.pem b/v3/testdata/aiaDuplicateCaIssuerUrlUpperCase.pem new file mode 100644 index 000000000..9601b607b --- /dev/null +++ b/v3/testdata/aiaDuplicateCaIssuerUrlUpperCase.pem 
@@ -0,0 +1,51 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0a:0e:8f:1b:ac:b8:b6:65:c1:a1:c0:16 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:a9:93:ad:52:49:46:30:93:40:03:2e:4c:12:e3: + 8a:49:05:ae:04:88:c5:53:75:8d:2c:21:8c:99:60: + 16:7a:aa:f0:11:3b:87:82:d7:59:56:f7:65:2d:f6: + 8d:bd:d2:cb:9a:8e:6e:36:e1:be:0c:00:d8:cb:5d: + 02:3c:6e:9c:39 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + CA Issuers - URI:http://caissuer1.example.com/caissuer + CA Issuers - URI:http://caissuer2.example.com/caIssuer + CA Issuers - URI:http://caissuer1.example.com/caIssuer + CA Issuers - URI:http://caissuer3.example.com/caIssuer + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:61:56:47:53:c0:91:04:8b:a9:88:ef:2f:78:71: + 91:91:79:7c:a2:c0:be:c1:ad:02:cc:1e:d7:e8:e8:04:28:36: + 02:20:38:40:5c:41:63:2a:22:cf:40:e8:36:5c:38:d4:76:d3: + 76:f5:2d:04:69:e5:87:84:97:7f:03:43:bf:81:3a:90 +-----BEGIN CERTIFICATE----- +MIICHzCCAcagAwIBAgIMCg6PG6y4tmXBocAWMAoGCCqGSM49BAMCMC4xEDAOBgNV +BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkx +NTAwMDAwMFoXDTI0MDkxNTAwMDAwMFowADBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABKmTrVJJRjCTQAMuTBLjikkFrgSIxVN1jSwhjJlgFnqq8BE7h4LXWVb3ZS32 +jb3Sy5qObjbhvgwA2MtdAjxunDmjgfcwgfQwEwYDVR0gBAwwCjAIBgZngQwBAgEw +gdwGCCsGAQUFBwEBBIHPMIHMMDEGCCsGAQUFBzAChiVodHRwOi8vY2Fpc3N1ZXIx +LmV4YW1wbGUuY29tL2NhaXNzdWVyMDEGCCsGAQUFBzAChiVodHRwOi8vY2Fpc3N1 +ZXIyLmV4YW1wbGUuY29tL2NhSXNzdWVyMDEGCCsGAQUFBzAChiVodHRwOi8vY2Fp +c3N1ZXIxLmV4YW1wbGUuY29tL2NhSXNzdWVyMDEGCCsGAQUFBzAChiVodHRwOi8v +Y2Fpc3N1ZXIzLmV4YW1wbGUuY29tL2NhSXNzdWVyMAoGCCqGSM49BAMCA0cAMEQC 
+IGFWR1PAkQSLqYjvL3hxkZF5fKLAvsGtAswe1+joBCg2AiA4QFxBYyoiz0DoNlw4 +1HbTdvUtBGnlh4SXfwNDv4E6kA== +-----END CERTIFICATE----- diff --git a/v3/testdata/aiaDuplicateOCSPUrl.pem b/v3/testdata/aiaDuplicateOCSPUrl.pem new file mode 100644 index 000000000..8cb92f7ac --- /dev/null +++ b/v3/testdata/aiaDuplicateOCSPUrl.pem 
@@ -0,0 +1,50 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + df:47:e2:39:97:ea:2a:8d:0d:60:84:29 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:05:a3:40:79:30:23:5b:6f:66:8e:cc:a1:08:56: + 74:7c:9a:02:3c:62:76:52:c4:e3:71:77:db:61:93: + b6:b4:a0:93:af:9d:f4:f8:0d:c0:2c:f3:84:15:4b: + 15:f9:cc:78:ce:cc:3e:29:50:e3:76:03:0f:22:cd: + 8f:9a:0b:ef:88 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + OCSP - URI:http://ocsp1.example.com/ocsp + OCSP - URI:http://ocsp2.example.com/ocsp + OCSP - URI:http://ocsp1.example.com/ocsp + OCSP - URI:http://ocsp3.example.com/ocsp + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:5a:3f:46:b5:83:ee:ae:9a:04:9f:e1:16:47:3e: + f1:d8:6f:1e:16:7b:44:e8:7f:e4:11:21:67:f9:62:9a:0f:bb: + 02:21:00:b1:af:32:60:41:6b:72:1a:e6:b1:94:96:af:0c:a4: + 3b:d8:70:7e:f1:26:04:e6:7c:5c:4f:fe:4b:1c:f8:f5:f7 +-----BEGIN CERTIFICATE----- +MIICATCCAaegAwIBAgINAN9H4jmX6iqNDWCEKTAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5 +MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAAQFo0B5MCNbb2aOzKEIVnR8mgI8YnZSxONxd9thk7a0oJOvnfT4DcAs84QV +SxX5zHjOzD4pUON2Aw8izY+aC++Io4HXMIHUMBMGA1UdIAQMMAowCAYGZ4EMAQIB +MIG8BggrBgEFBQcBAQSBrzCBrDApBggrBgEFBQcwAYYdaHR0cDovL29jc3AxLmV4 +YW1wbGUuY29tL29jc3AwKQYIKwYBBQUHMAGGHWh0dHA6Ly9vY3NwMi5leGFtcGxl +LmNvbS9vY3NwMCkGCCsGAQUFBzABhh1odHRwOi8vb2NzcDEuZXhhbXBsZS5jb20v +b2NzcDApBggrBgEFBQcwAYYdaHR0cDovL29jc3AzLmV4YW1wbGUuY29tL29jc3Aw +CgYIKoZIzj0EAwIDSAAwRQIgWj9GtYPurpoEn+EWRz7x2G8eFntE6H/kESFn+WKa +D7sCIQCxrzJgQWtyGuaxlJavDKQ72HB+8SYE5nxcT/5LHPj19w== +-----END CERTIFICATE----- 
diff --git a/v3/testdata/aiaOCSPHttpOnlyNE.pem b/v3/testdata/aiaOCSPHttpOnlyNE.pem new file mode 100644 index 000000000..dac04535e --- /dev/null +++ b/v3/testdata/aiaOCSPHttpOnlyNE.pem @@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0f:b7:9c:7f:ae:82:d2:c0:9e:16:4a:9d + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 14 23:59:59 2023 GMT + Not After : Sep 14 23:59:59 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:ed:95:18:e6:ca:a4:bc:a4:06:69:dc:3c:a1:11: + 38:68:66:f1:c2:1e:b6:48:9f:4d:14:18:5d:12:9a: + 93:90:e8:3c:ba:ff:1f:a8:d6:03:e7:37:12:ff:d9: + 84:53:48:68:32:15:4e:13:62:8d:be:ca:78:0a:1a: + 19:ed:a2:c8:41 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + OCSP - URI:http://ocsp.example.com/ocsp + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:36:e5:80:bf:35:70:9b:a4:13:58:e4:78:0f:b5: + 58:7c:c2:9b:57:51:f4:66:9a:bb:f0:1e:46:b6:e8:b0:7c:07: + 02:21:00:97:77:49:c8:b6:c7:75:bb:34:10:a5:3e:48:c3:37: + 04:d3:5e:74:8c:91:c7:85:e5:9f:c4:bb:6d:9c:45:95:9f +-----BEGIN CERTIFICATE----- +MIIBeTCCAR+gAwIBAgIMD7ecf66C0sCeFkqdMAoGCCqGSM49BAMCMC4xEDAOBgNV +BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkx +NDIzNTk1OVoXDTI0MDkxNDIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABO2VGObKpLykBmncPKEROGhm8cIetkifTRQYXRKak5DoPLr/H6jWA+c3Ev/Z +hFNIaDIVThNijb7KeAoaGe2iyEGjUTBPMBMGA1UdIAQMMAowCAYGZ4EMAQIBMDgG +CCsGAQUFBwEBBCwwKjAoBggrBgEFBQcwAYYcaHR0cDovL29jc3AuZXhhbXBsZS5j +b20vb2NzcDAKBggqhkjOPQQDAgNIADBFAiA25YC/NXCbpBNY5HgPtVh8wptXUfRm +mrvwHka26LB8BwIhAJd3Sci2x3W7NBClPkjDNwTTXnSMkceF5Z/Eu22cRZWf +-----END CERTIFICATE----- diff --git a/v3/testdata/aiaOCSPOneHTTPOneLDAP.pem b/v3/testdata/aiaOCSPOneHTTPOneLDAP.pem new file mode 100644 index 000000000..7100a2d3f --- /dev/null 
+++ b/v3/testdata/aiaOCSPOneHTTPOneLDAP.pem @@ -0,0 +1,46 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 96:91:37:c9:bd:b6:ca:30:d4:f2:9f:fd + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:88:6a:50:96:83:aa:12:8c:45:35:a9:06:61:fb: + 88:5c:ac:d2:01:11:0c:fd:b7:49:24:4a:66:9a:6c: + ff:32:d5:ca:c8:aa:6b:04:04:26:8d:77:21:ad:ff: + fc:05:13:f5:fb:c7:1d:44:d5:5e:ba:e2:90:8f:91: + 89:ba:a6:a5:45 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + OCSP - URI:http://ocsp.example.com/ocsp + OCSP - URI:ldap://ocsp.example.com/ocsp + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:f2:c4:22:fe:6f:db:a0:45:01:fb:18:df:2d: + ca:29:90:dc:98:58:da:87:f5:31:d6:83:ea:16:14:02:03:d7: + ba:02:20:63:6a:69:72:e9:f0:f7:fa:3e:00:0b:94:6b:ee:9e: + ef:99:0d:ce:62:21:6c:ed:f4:21:74:67:ef:70:e6:44:50 +-----BEGIN CERTIFICATE----- +MIIBpDCCAUqgAwIBAgINAJaRN8m9tsow1PKf/TAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5 +MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAASIalCWg6oSjEU1qQZh+4hcrNIBEQz9t0kkSmaabP8y1crIqmsEBCaNdyGt +//wFE/X7xx1E1V664pCPkYm6pqVFo3sweTATBgNVHSAEDDAKMAgGBmeBDAECATBi +BggrBgEFBQcBAQRWMFQwKAYIKwYBBQUHMAGGHGh0dHA6Ly9vY3NwLmV4YW1wbGUu +Y29tL29jc3AwKAYIKwYBBQUHMAGGHGxkYXA6Ly9vY3NwLmV4YW1wbGUuY29tL29j +c3AwCgYIKoZIzj0EAwIDSAAwRQIhAPLEIv5v26BFAfsY3y3KKZDcmFjah/Ux1oPq +FhQCA9e6AiBjamly6fD3+j4AC5Rr7p7vmQ3OYiFs7fQhdGfvcOZEUA== +-----END CERTIFICATE----- diff --git a/v3/testdata/aiaOCSPWithHTTPSURL.pem b/v3/testdata/aiaOCSPWithHTTPSURL.pem new file mode 100644 index 000000000..366c694df --- /dev/null +++ b/v3/testdata/aiaOCSPWithHTTPSURL.pem 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 34:a9:11:10:85:2d:cc:ed:5a:74:5c:52 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:27:1c:55:27:70:10:bd:c8:cc:84:d8:74:7a:c7: + 3a:4d:6f:b5:59:06:71:59:9b:13:28:34:bf:aa:81: + 3d:b0:74:90:f6:0d:b8:71:47:fe:80:66:49:0f:95: + 0a:9a:11:20:5d:ab:e4:4e:2d:46:6e:81:78:84:2f: + 0f:43:a7:07:22 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + OCSP - URI:https://ocsp.example.com/ocsp + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:f2:ff:52:3a:8b:f9:05:af:bd:fa:23:ba:f5: + cf:92:f0:6a:b4:b9:66:d1:c3:9e:9e:fb:4e:3e:cc:b9:89:c0: + cf:02:20:06:8f:f2:c4:14:75:74:56:51:be:b1:f1:11:bd:03: + 7e:59:85:8e:34:71:02:ed:13:4b:2f:14:4e:7b:42:90:23 +-----BEGIN CERTIFICATE----- +MIIBejCCASCgAwIBAgIMNKkREIUtzO1adFxSMAoGCCqGSM49BAMCMC4xEDAOBgNV +BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkx +NTAwMDAwMFoXDTI0MDkxNTAwMDAwMFowADBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABCccVSdwEL3IzITYdHrHOk1vtVkGcVmbEyg0v6qBPbB0kPYNuHFH/oBmSQ+V +CpoRIF2r5E4tRm6BeIQvD0OnByKjUjBQMBMGA1UdIAQMMAowCAYGZ4EMAQIBMDkG +CCsGAQUFBwEBBC0wKzApBggrBgEFBQcwAYYdaHR0cHM6Ly9vY3NwLmV4YW1wbGUu +Y29tL29jc3AwCgYIKoZIzj0EAwIDSAAwRQIhAPL/UjqL+QWvvfojuvXPkvBqtLlm +0cOenvtOPsy5icDPAiAGj/LEFHV0VlG+sfERvQN+WYWONHEC7RNLLxROe0KQIw== +-----END CERTIFICATE----- diff --git a/v3/testdata/aiaWrongGeneralName.pem b/v3/testdata/aiaWrongGeneralName.pem new file mode 100644 index 000000000..0f3f301f4 --- /dev/null +++ b/v3/testdata/aiaWrongGeneralName.pem 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 25:95:c4:dd:89:f7:52:f4:52:9d:f8:5c + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:86:f4:f1:aa:3b:62:23:0d:14:7f:d1:d5:17:17: + 50:86:03:32:1d:31:89:13:51:53:e8:64:a5:f3:a7: + e8:1a:2d:e5:22:ae:4a:1b:9c:10:b3:41:9c:1d:81: + ce:f6:29:a5:19:d7:ef:ac:c9:4f:9d:2e:ba:e1:d6: + c1:8c:41:77:69 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + CA Issuers - email:http://issuers.example.com/ + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:48:c9:7c:07:de:b0:fb:1f:f6:af:86:5a:88:74: + 4b:fd:51:57:64:c0:f0:d8:5c:7b:f6:80:21:55:a4:77:39:3a: + 02:20:15:c1:3b:f7:7c:e3:2e:ea:97:8b:ba:b3:16:25:ae:9a: + 2a:b4:c0:44:87:4e:60:23:d6:d0:25:68:aa:4d:a8:6a +-----BEGIN CERTIFICATE----- +MIIBdzCCAR6gAwIBAgIMJZXE3Yn3UvRSnfhcMAoGCCqGSM49BAMCMC4xEDAOBgNV +BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkx +NTAwMDAwMFoXDTI0MDkxNTAwMDAwMFowADBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABIb08ao7YiMNFH/R1RcXUIYDMh0xiRNRU+hkpfOn6Bot5SKuShucELNBnB2B +zvYppRnX76zJT50uuuHWwYxBd2mjUDBOMBMGA1UdIAQMMAowCAYGZ4EMAQIBMDcG +CCsGAQUFBwEBBCswKTAnBggrBgEFBQcwAoEbaHR0cDovL2lzc3VlcnMuZXhhbXBs +ZS5jb20vMAoGCCqGSM49BAMCA0cAMEQCIEjJfAfesPsf9q+GWoh0S/1RV2TA8Nhc +e/aAIVWkdzk6AiAVwTv3fOMu6peLurMWJa6aKrTARIdOYCPW0CVoqk2oag== +-----END CERTIFICATE----- diff --git a/v3/testdata/caCertificateAfter15092023.pem b/v3/testdata/caCertificateAfter15092023.pem new file mode 100644 index 000000000..653b98915 --- /dev/null +++ b/v3/testdata/caCertificateAfter15092023.pem 
@@ -0,0 +1,43 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ba:f5:bc:4c:2c:96:a4:fd:9d:de:eb:01 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:81:de:80:8a:c8:be:60:a9:7d:9f:a8:e9:9d:61: + d0:f0:99:8f:aa:e8:b0:39:50:00:4f:73:76:98:16: + 13:64:a7:26:92:dc:bc:4c:56:0d:83:f4:35:45:0b: + 08:71:36:cb:0a:b0:d4:d4:f1:8b:b4:51:37:10:5d: + a3:33:df:d9:6a + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:08:4c:72:d9:47:2a:4e:d2:ff:50:31:73:78:bd: + 04:1b:3e:ad:fc:44:ca:31:24:b4:4c:fb:94:00:19:7d:e0:3d: + 02:21:00:a5:ed:31:8e:3f:77:92:0c:f2:f0:52:78:e3:80:15: + 8b:23:97:d0:30:d2:4e:26:c7:a5:24:33:3c:be:0c:e4:b1 +-----BEGIN CERTIFICATE----- +MIIBUDCB96ADAgECAg0AuvW8TCyWpP2d3usBMAoGCCqGSM49BAMCMC4xEDAOBgNV +BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkx +NTAwMDAwMFoXDTI0MDkxNTAwMDAwMFowADBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABIHegIrIvmCpfZ+o6Z1h0PCZj6rosDlQAE9zdpgWE2SnJpLcvExWDYP0NUUL +CHE2ywqw1NTxi7RRNxBdozPf2WqjKDAmMBMGA1UdIAQMMAowCAYGZ4EMAQIBMA8G +A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgCExy2UcqTtL/UDFzeL0E +Gz6t/ETKMSS0TPuUABl94D0CIQCl7TGOP3eSDPLwUnjjgBWLI5fQMNJOJselJDM8 +vgzksQ== +-----END CERTIFICATE----- diff --git a/v3/testdata/unsupportedAccessMethod.pem b/v3/testdata/unsupportedAccessMethod.pem new file mode 100644 index 000000000..b746e3502 --- /dev/null +++ b/v3/testdata/unsupportedAccessMethod.pem 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + bf:82:94:0e:35:fb:1e:26:bb:1f:04:22 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:08:6a:eb:89:5c:e8:2e:41:1f:55:5a:bb:dc:71: + 88:83:9d:7b:6a:cb:ea:f3:04:f0:ea:99:b0:32:b8: + a9:7b:70:99:0d:f0:82:29:ff:cf:40:49:16:be:72: + b6:71:ae:fe:b9:24:ca:18:0c:9d:dc:57:f4:98:db: + 34:0f:c7:ca:5a + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + 2.23.140.1.2.1 - URI:http://issuers.example.com/ + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:fe:95:48:35:22:81:f9:9f:b3:c3:e0:87:c0: + 6a:81:fb:9a:7f:19:85:b7:02:90:af:23:93:0f:ba:e4:8d:a9: + d3:02:20:62:cc:b4:65:c3:86:4f:86:d5:4b:e1:9a:2c:c3:5f: + c0:f1:4f:f9:c9:cb:4e:93:2d:0a:5d:f9:8c:2f:58:51:b6 +-----BEGIN CERTIFICATE----- +MIIBdzCCAR2gAwIBAgINAL+ClA41+x4mux8EIjAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5 +MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAAQIauuJXOguQR9VWrvccYiDnXtqy+rzBPDqmbAyuKl7cJkN8IIp/89ASRa+ +crZxrv65JMoYDJ3cV/SY2zQPx8pao04wTDATBgNVHSAEDDAKMAgGBmeBDAECATA1 +BggrBgEFBQcBAQQpMCcwJQYGZ4EMAQIBhhtodHRwOi8vaXNzdWVycy5leGFtcGxl +LmNvbS8wCgYIKoZIzj0EAwIDSAAwRQIhAP6VSDUigfmfs8Pgh8BqgfuafxmFtwKQ +ryOTD7rkjanTAiBizLRlw4ZPhtVL4Zosw1/A8U/5yctOky0KXfmML1hRtg== +-----END CERTIFICATE----- From f7f6b51c1ed6eb5dabea524bb3e662e26f8f469d Mon Sep 17 00:00:00 2001 
From: Adriano Santoni Date: Sun, 23 Jun 2024 17:39:52 +0200 Subject: [PATCH 2/9] Add lint to check that the countryName attribute (C) is in uppercase (#859) * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Update lint_invalid_subject_rdn_order_test.go Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment * Update lint_invalid_subject_rdn_order.go Fixed import block * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go Fine to me. Co-authored-by: Christopher Henderson * Update lint_invalid_subject_rdn_order.go As per Chris Henderson's suggestion, to "improve readability". * Update lint_invalid_subject_rdn_order_test.go As per Chris Henderson's suggestion. * Update time.go Added CABFEV_Sec9_2_8_Date * Add files via upload * Add files via upload * Revised according to Chris and Corey suggestions * Add files via upload * Add files via upload * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go * Delete v3/testdata/invalid_cps_uri_ko_01.pem * Delete v3/testdata/invalid_cps_uri_ko_02.pem * Delete v3/testdata/invalid_cps_uri_ko_03.pem * Delete v3/testdata/invalid_cps_uri_ok_01.pem * Delete v3/testdata/invalid_cps_uri_ok_02.pem * Delete v3/testdata/invalid_cps_uri_ok_03.pem * Add files via upload * Add files via upload * Update config.json --------- Co-authored-by: Christopher Henderson --- v3/integration/config.json | 5 +- .../lint_subj_country_not_uppercase.go | 62 +++++++++++ .../lint_subj_country_not_uppercase_test.go | 65 +++++++++++ v3/testdata/country_not_upcase_ko1.pem | 100 +++++++++++++++++ v3/testdata/country_not_upcase_ko2.pem | 100 +++++++++++++++++ v3/testdata/country_not_upcase_ko3.pem | 101 ++++++++++++++++++ v3/testdata/country_not_upcase_ok1.pem | 100 +++++++++++++++++ 7 files changed, 532 insertions(+), 1 deletion(-) create mode 100644 v3/lints/community/lint_subj_country_not_uppercase.go create mode 
100644 v3/lints/community/lint_subj_country_not_uppercase_test.go
create mode 100644 v3/testdata/country_not_upcase_ko1.pem
create mode 100644 v3/testdata/country_not_upcase_ko2.pem
create mode 100644 v3/testdata/country_not_upcase_ko3.pem
create mode 100644 v3/testdata/country_not_upcase_ok1.pem
diff --git a/v3/integration/config.json b/v3/integration/config.json
index 67337e2e7..52343e4ff 100644
--- a/v3/integration/config.json
+++ b/v3/integration/config.json
@@ -970,6 +970,9 @@
 },
 "e_ca_invalid_eku": {
 "ErrCount": 1
- }
+ },
+ "e_subj_country_not_uppercase": {
+ "ErrCount": 1303
+ }
 }
 }
diff --git a/v3/lints/community/lint_subj_country_not_uppercase.go b/v3/lints/community/lint_subj_country_not_uppercase.go
new file mode 100644
index 000000000..2c3ccbe8b
--- /dev/null
+++ b/v3/lints/community/lint_subj_country_not_uppercase.go
@@ -0,0 +1,62 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package community
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "regexp"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subj_country_not_uppercase",
+ Description: "Alpha-2 country codes shall consist of LATIN CAPITAL LETTER A through LATIN CAPITAL LETTER Z",
+ Citation: "ISO 3166-2:2020(E) section 5.1",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjCountryNotUppercase,
+ })
+}
+
+type subjCountryNotUppercase struct{}
+
+func NewSubjCountryNotUppercase() lint.LintInterface {
+ return &subjCountryNotUppercase{}
+}
+
+func (l *subjCountryNotUppercase) CheckApplies(c *x509.Certificate) bool {
+ return true
+}
+
+var re = regexp.MustCompile("^[A-Z]+$")
+
+func (l *subjCountryNotUppercase) Execute(c *x509.Certificate) *lint.LintResult {
+ // There should be only one countryName attribute in the Subject, normally,
+ // but checking this is not our business here, so let's scan them all
+ for _, cc := range c.Subject.Country {
+ if !re.MatchString(cc) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Country codes must be comprised of uppercase A-Z letters",
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
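Review bot: The compiled pattern is kept in a package-level variable named `re` inside the shared `community` package, so any other lint file in that package that declares the same name will stop the package from compiling, and the name says nothing about what it matches. A lint-specific name avoids both problems, e.g. `var subjCountryUppercaseRegexp = regexp.MustCompile("^[A-Z]+$")`, with the `MatchString` call updated to match. The pattern `[A-Z]+` accepts uppercase values of any length, so this lint checks case only; a comment next to the variable such as `// Only the case of the letters is checked here; length and ISO 3166 membership are left to other lints.` would make that explicit for readers (presumably other lints cover those properties, worth confirming). The `regexp` import is placed after the third-party group, whereas the usual goimports layout puts the standard-library group first.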
diff --git a/v3/lints/community/lint_subj_country_not_uppercase_test.go b/v3/lints/community/lint_subj_country_not_uppercase_test.go
new file mode 100644
index 000000000..894727371
--- /dev/null
+++ b/v3/lints/community/lint_subj_country_not_uppercase_test.go
@@ -0,0 +1,65 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package community
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+/*
+ * Test cases:
+ *
+ * country_not_upcase_ok1.pem Normal
+ * country_not_upcase_ko1.pem Country code is in mixed case
+ * country_not_upcase_ko2.pem Country code is all lowercase
+ * country_not_upcase_ko3.pem Two country codes, one OK and one bad
+ */
+
+func TestSubjCountryNotUppercase(t *testing.T) {
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+ data := []Data{
+ {
+ input: "country_not_upcase_ok1.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "country_not_upcase_ko1.pem",
+ want: lint.Error,
+ },
+ {
+ input: "country_not_upcase_ko2.pem",
+ want: lint.Error,
+ },
+ {
+ input: "country_not_upcase_ko3.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_subj_country_not_uppercase", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
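Review bot: The table never exercises a certificate whose Subject carries no countryName attribute, which is the path where `Execute` loops over an empty `c.Subject.Country` and falls through to Pass; since `CheckApplies` returns true for every certificate, that is the case most certificates without a C attribute will hit. A row such as `{input: "<fixture without a C attribute>.pem", want: lint.Pass}` would cover it, using one of the repository's existing test certificates that lacks a C attribute if one is available (the four fixtures added in this commit all carry one). The header comment listing the cases should gain a matching line so the two stay in step.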
diff --git a/v3/testdata/country_not_upcase_ko1.pem b/v3/testdata/country_not_upcase_ko1.pem new file mode 100644 index 000000000..b525b7df4 --- /dev/null +++ b/v3/testdata/country_not_upcase_ko1.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 9e:87:87:03:f4:da:fc:d1:1b:7a:87:12:31:89:5a:7a + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jun 17 12:54:36 2024 GMT + Not After : Jun 17 12:54:36 2025 GMT + Subject: C = de, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d2:85:c1:2c:56:53:86:a8:67:fa:1b:79:0d:b0: + 21:ec:a5:d7:cf:34:ab:f8:eb:bb:e9:a6:b7:5c:3b: + 36:6a:ed:9f:1f:b2:75:f1:70:03:fb:ca:01:dc:fb: + 52:aa:8d:47:65:6b:f7:b2:76:a7:0b:2b:5e:70:82: + f7:3e:58:1e:38:6e:f4:c5:e2:9b:b8:5d:9f:ad:b0: + 25:13:0f:e4:19:ac:08:12:cb:bd:1d:85:f6:11:d6: + 59:f8:db:a3:28:63:71:00:1d:19:38:d2:77:61:21: + 14:91:45:bc:a2:f9:e5:60:64:c8:4e:9a:f8:65:2c: + 09:86:77:20:ab:27:ee:b9:70:b0:35:0b:75:9b:7e: + d5:4f:a1:d9:46:ce:56:88:a3:02:2e:45:c3:84:09: + 5b:b7:60:5c:83:ae:b3:d7:a7:78:b8:db:dd:e8:44: + 83:70:b8:11:c8:a7:b0:75:3d:0d:f7:f6:f6:47:77: + 1e:df:05:5f:fc:c7:9d:0c:cb:71:4e:e2:ad:1f:b1: + ee:aa:36:87:5a:66:5b:c0:18:c6:8a:1d:95:11:66: + 10:dd:a2:12:96:7d:a8:6b:ae:06:7e:9e:2b:0e:d4: + 0c:ba:63:d7:06:c8:c5:57:38:7c:c8:8a:ac:1c:b3: + a7:dc:a3:a7:4d:24:45:2a:03:98:9e:40:b7:cd:00: + e1:79 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 14:9E:EF:23:D5:A1:C8:38:E9:DA:B8:A9:24:8A:DE:FA:A9:D9:1D:F6 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 
+ + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + a6:ef:ce:3a:34:72:d7:cb:55:26:fa:8f:34:3b:59:a7:c3:c5: + 9d:85:be:b5:05:9e:09:e4:54:66:0e:57:4f:e8:1c:5c:c0:19: + f9:8c:f5:d4:b8:84:cc:eb:59:49:c3:db:e8:a5:e5:47:c5:35: + 57:13:8e:0b:00:f2:05:c5:a3:0e:b3:87:f5:13:7f:26:79:90: + 8a:46:65:57:c0:8d:3e:ab:65:cc:71:d0:b1:b4:6d:d1:63:51: + 4a:ef:7b:d7:34:0c:67:52:93:c3:c7:e5:46:af:03:09:67:d3: + 24:23:df:ee:cd:29:3f:a8:13:5e:8f:93:dc:8a:7d:78:39:94: + 63:d9:bc:71:7b:08:1e:0f:22:61:50:9b:ad:4d:6e:26:33:6e: + 83:eb:43:6d:e8:85:b7:2b:d5:40:9e:ed:36:3d:7a:f6:94:e1: + b0:c1:92:e8:e7:7f:80:2d:1a:d0:93:3c:0d:e8:39:64:ae:25: + 9a:92:d7:44:06:cb:9f:4b:dd:80:fe:b6:d3:7a:ba:72:69:46: + 92:4f:07:ed:4f:eb:d1:f8:b1:3e:01:26:26:a2:ba:4f:f7:11: + dd:b9:eb:36:6e:b5:02:3c:50:1e:1c:b1:c3:0d:39:5b:f7:af: + 98:36:aa:02:0c:dc:c6:40:c5:6c:d8:ef:0d:87:ce:2f:9f:41: + 33:2d:9d:5d +-----BEGIN CERTIFICATE----- +MIIEeTCCA2GgAwIBAgIRAJ6HhwP02vzRG3qHEjGJWnowDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNjE3MTI1NDM2WhcNMjUwNjE3MTI1 +NDM2WjB0MQswCQYDVQQGEwJkZTEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDShcEsVlOGqGf6G3kNsCHspdfPNKv467vpprdcOzZq7Z8fsnXx +cAP7ygHc+1KqjUdla/eydqcLK15wgvc+WB44bvTF4pu4XZ+tsCUTD+QZrAgSy70d +hfYR1ln426MoY3EAHRk40ndhIRSRRbyi+eVgZMhOmvhlLAmGdyCrJ+65cLA1C3Wb +ftVPodlGzlaIowIuRcOECVu3YFyDrrPXp3i4293oRINwuBHIp7B1PQ339vZHdx7f +BV/8x50My3FO4q0fse6qNodaZlvAGMaKHZURZhDdohKWfahrrgZ+nisO1Ay6Y9cG +yMVXOHzIiqwcs6fco6dNJEUqA5ieQLfNAOF5AgMBAAGjggE1MIIBMTAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW +BBQUnu8j1aHIOOnauKkkit76qdkd9jAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU +fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z 
+b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh +LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLm9yZzATBgNVHSAEDDAK +MAgGBmeBDAECAjAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWlu +Yy5jb20vY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCm7846NHLXy1Um+o80O1mnw8Wd +hb61BZ4J5FRmDldP6BxcwBn5jPXUuITM61lJw9vopeVHxTVXE44LAPIFxaMOs4f1 +E38meZCKRmVXwI0+q2XMcdCxtG3RY1FK73vXNAxnUpPDx+VGrwMJZ9MkI9/uzSk/ +qBNej5Pcin14OZRj2bxxewgeDyJhUJutTW4mM26D60Nt6IW3K9VAnu02PXr2lOGw +wZLo53+ALRrQkzwN6DlkriWaktdEBsufS92A/rbTerpyaUaSTwftT+vR+LE+ASYm +orpP9xHdues2brUCPFAeHLHDDTlb96+YNqoCDNzGQMVs2O8Nh84vn0EzLZ1d +-----END CERTIFICATE----- diff --git a/v3/testdata/country_not_upcase_ko2.pem b/v3/testdata/country_not_upcase_ko2.pem new file mode 100644 index 000000000..96230a0cb --- /dev/null +++ b/v3/testdata/country_not_upcase_ko2.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ff:3b:e5:b4:87:c4:99:76:ec:d5:a6:83:eb:10:78:02 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jun 17 12:58:42 2024 GMT + Not After : Jun 17 12:58:42 2025 GMT + Subject: C = Es, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a9:a4:f9:fb:b5:ae:9f:61:c5:7c:af:67:b3:ae: + 06:7d:0f:1e:49:f8:c8:1c:fa:52:8b:57:5d:b7:a8: + a8:bc:39:f9:89:0b:fa:e4:f1:8a:45:bc:25:e6:b7: + 9b:c6:e4:95:9e:a3:59:01:1b:d7:f6:f3:b2:3f:14: + e0:2a:88:68:00:5a:29:00:9f:6a:5a:f8:b6:14:56: + 9b:5b:f6:2f:2a:ac:04:d3:e2:b7:1e:b0:92:b3:56: + ce:34:75:19:76:50:fd:4e:51:53:d5:83:76:09:d5: + 24:54:de:7c:20:3e:60:2c:c8:4f:8d:6e:a7:50:71: + ca:15:27:5e:fe:f2:f0:ca:a0:6a:c1:9e:03:f3:05: + 16:69:37:cf:84:60:8c:2b:10:53:af:bc:c9:0b:d3: + 78:c6:e6:3e:2e:48:a6:95:11:6e:78:ba:c3:61:3e: + f3:40:09:6d:b4:f0:9f:f0:f4:02:8f:84:fc:5d:cf: + c3:80:0b:22:0f:95:8a:7b:3e:d1:a1:b5:56:b6:9f: + 05:e0:99:1c:6d:a6:c9:9f:f8:82:aa:3e:27:02:bc: + 38:66:0f:20:07:cd:95:13:fe:d1:5a:99:e9:ff:b5: + 9a:d4:b4:d3:66:a1:ee:16:dd:f2:18:ae:d2:dc:0a: + f4:54:b7:30:69:39:8b:c7:c3:77:9b:b3:1a:69:96: + 78:a5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + B4:94:A3:B1:62:87:63:D7:7A:77:35:EA:52:FF:FA:49:2F:F3:76:71 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 
+ + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 26:f1:47:a3:cc:f9:cf:c2:b6:83:c4:f5:1e:74:f5:46:f5:d8: + 4a:75:e5:20:cd:f2:b1:3b:f7:b7:f7:39:ff:78:09:d4:bc:c8: + 4a:2b:45:8a:08:95:67:b7:9c:ca:61:65:f6:22:62:78:bd:1b: + 3d:6c:2a:2f:09:4d:f1:61:6a:d2:64:a1:59:87:c2:24:74:7f: + 6c:ad:f1:da:53:a7:3c:6a:2c:88:78:00:88:aa:33:51:d1:08: + 19:a4:7e:37:ee:85:a6:77:7d:15:83:a1:f8:b4:2f:26:fd:b4: + f4:d0:9b:7b:15:c0:ec:7a:20:ea:fb:49:ec:7c:32:86:38:51: + c6:6b:91:9a:c8:3a:a3:15:bc:0d:b2:ac:f7:b5:f6:9b:37:94: + 4d:71:2b:5a:b8:63:98:87:de:3e:a3:9a:8a:a3:12:d2:8a:f0: + 30:95:d1:33:09:99:67:e9:ec:a4:4f:19:ca:7f:f1:03:42:79: + 3c:52:19:b1:41:ab:b6:72:5b:2a:66:50:2c:13:dc:49:c3:26: + 39:7a:36:f0:1c:d2:3e:c1:43:da:bc:52:cc:4d:c6:bd:13:01: + 7e:f9:bf:d1:e5:0e:04:c8:0a:68:93:cb:f5:41:26:d3:f3:a0: + c4:65:9f:8a:e7:28:b6:11:b8:2e:b3:6c:0f:41:81:5c:26:c4: + d8:0f:fc:91 +-----BEGIN CERTIFICATE----- +MIIEeTCCA2GgAwIBAgIRAP875bSHxJl27NWmg+sQeAIwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNjE3MTI1ODQyWhcNMjUwNjE3MTI1 +ODQyWjB0MQswCQYDVQQGEwJFczEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCppPn7ta6fYcV8r2ezrgZ9Dx5J+Mgc+lKLV123qKi8OfmJC/rk +8YpFvCXmt5vG5JWeo1kBG9f287I/FOAqiGgAWikAn2pa+LYUVptb9i8qrATT4rce +sJKzVs40dRl2UP1OUVPVg3YJ1SRU3nwgPmAsyE+NbqdQccoVJ17+8vDKoGrBngPz +BRZpN8+EYIwrEFOvvMkL03jG5j4uSKaVEW54usNhPvNACW208J/w9AKPhPxdz8OA +CyIPlYp7PtGhtVa2nwXgmRxtpsmf+IKqPicCvDhmDyAHzZUT/tFamen/tZrUtNNm +oe4W3fIYrtLcCvRUtzBpOYvHw3ebsxpplnilAgMBAAGjggE1MIIBMTAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW +BBS0lKOxYodj13p3NepS//pJL/N2cTAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU +fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z 
+b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh +LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLm9yZzATBgNVHSAEDDAK +MAgGBmeBDAECAjAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWlu +Yy5jb20vY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAm8UejzPnPwraDxPUedPVG9dhK +deUgzfKxO/e39zn/eAnUvMhKK0WKCJVnt5zKYWX2ImJ4vRs9bCovCU3xYWrSZKFZ +h8IkdH9srfHaU6c8aiyIeACIqjNR0QgZpH437oWmd30Vg6H4tC8m/bT00Jt7FcDs +eiDq+0nsfDKGOFHGa5GayDqjFbwNsqz3tfabN5RNcStauGOYh94+o5qKoxLSivAw +ldEzCZln6eykTxnKf/EDQnk8UhmxQau2clsqZlAsE9xJwyY5ejbwHNI+wUPavFLM +Tca9EwF++b/R5Q4EyApok8v1QSbT86DEZZ+K5yi2Ebgus2wPQYFcJsTYD/yR +-----END CERTIFICATE----- diff --git a/v3/testdata/country_not_upcase_ko3.pem b/v3/testdata/country_not_upcase_ko3.pem new file mode 100644 index 000000000..58bd9dee8 --- /dev/null +++ b/v3/testdata/country_not_upcase_ko3.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + eb:3c:30:ad:90:93:75:f3:ae:75:d5:e9:47:77:d5:53 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jun 18 07:35:26 2024 GMT + Not After : Jun 18 07:35:26 2025 GMT + Subject: ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, C = SE, C = bg + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:de:89:e9:da:79:cc:25:0a:1b:b3:2a:d4:b0:6b: + 45:1f:97:a1:01:fa:31:78:01:bb:91:2c:7a:9a:82: + e0:97:38:35:ff:a2:32:38:11:1e:17:0b:ec:6f:52: + d7:7c:3c:15:9e:06:9e:5c:d8:85:3e:65:b6:9b:e5: + 0b:64:44:e8:45:51:56:36:6d:f4:2d:94:4f:e0:9b: + e3:e9:44:da:15:72:f2:c6:ca:2b:f1:0a:14:8a:70: + 22:f2:a9:8f:a6:b5:b4:a4:aa:e4:0b:b8:15:a9:7e: + 56:b0:85:e3:11:ff:83:6f:eb:ff:74:3e:3e:2a:9f: + 92:62:0c:0a:97:a2:ba:53:5f:94:ce:23:69:6f:1a: + 9e:40:e6:5a:07:d4:e2:c3:7d:9e:65:0e:4e:22:f9: + 7e:17:4e:8a:60:bf:0c:fa:78:7a:d0:d2:11:2b:03: + c8:86:2d:d5:a5:25:d5:37:57:bf:c4:d0:b1:0d:d5: + 36:b4:a3:44:d2:85:a9:fc:11:ed:a7:7b:53:43:20: + 56:3c:ec:c4:5d:dc:ba:75:f2:13:8d:e1:7b:ae:50: + 44:7b:57:53:6d:56:5e:e7:cc:12:43:dd:92:e3:88: + e0:89:46:e0:68:dc:66:4a:86:93:86:be:a8:31:e0: + 5d:50:a2:09:d8:1f:de:a2:1b:bc:a4:8c:c8:8a:b0: + 57:05 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 8F:F9:C5:BE:96:96:71:88:3A:00:8A:C2:AE:D8:21:31:16:DF:CE:D8 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 
2.23.140.1.2.2 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 31:50:c5:0b:0c:ca:99:07:e1:45:aa:6e:47:35:73:88:17:7c: + 2e:db:7f:5e:0b:10:86:67:06:d5:17:74:a3:96:74:ac:a8:98: + 44:fe:8e:1b:cf:3e:68:7c:0a:24:21:3f:dc:ae:11:db:0d:b1: + 53:45:3f:73:65:b2:d3:8a:96:9f:bd:05:4d:83:74:ec:37:e8: + 21:43:6b:41:3b:ef:73:09:52:fa:fe:b1:99:b4:a2:21:f9:c8: + 4e:58:e5:86:7e:a1:ce:f7:69:10:7f:99:54:9e:86:61:32:9f: + e6:98:b8:62:80:d8:f4:09:35:8e:4e:96:76:43:46:34:d6:7f: + 30:87:97:b8:cc:d5:94:11:63:d6:83:87:88:62:46:64:f8:ac: + e8:37:fb:a0:85:6e:9f:b8:dc:ca:ca:df:3a:15:07:ba:47:83: + 3a:aa:4c:67:a6:c4:2d:0c:0c:5f:6e:6e:19:f3:a5:a1:52:3b: + f0:a0:c9:fb:a0:44:ee:ba:6a:8a:56:1f:9b:b8:19:c3:13:97: + 7d:79:20:37:6c:e8:ba:e7:74:6d:90:b4:93:10:b5:90:07:f4: + ba:57:55:20:42:c1:b8:df:44:e1:b8:5d:a9:99:f2:5c:54:77: + 7a:0a:a4:5c:bf:8f:9c:0f:32:34:59:a2:68:39:b0:4a:f5:c4: + a7:21:7e:39 +-----BEGIN CERTIFICATE----- +MIIEhzCCA2+gAwIBAgIRAOs8MK2Qk3XzrnXV6Ud31VMwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNjE4MDczNTI2WhcNMjUwNjE4MDcz +NTI2WjCBgTEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92aW5jZTESMBAGA1UE +BxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkgTHRkLjEUMBIGA1UE +AxMLZXhhbXBsZS5vcmcxCzAJBgNVBAYTAlNFMQswCQYDVQQGEwJiZzCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN6J6dp5zCUKG7Mq1LBrRR+XoQH6MXgB +u5EsepqC4Jc4Nf+iMjgRHhcL7G9S13w8FZ4GnlzYhT5ltpvlC2RE6EVRVjZt9C2U +T+Cb4+lE2hVy8sbKK/EKFIpwIvKpj6a1tKSq5Au4Fal+VrCF4xH/g2/r/3Q+Piqf +kmIMCpeiulNflM4jaW8ankDmWgfU4sN9nmUOTiL5fhdOimC/DPp4etDSESsDyIYt +1aUl1TdXv8TQsQ3VNrSjRNKFqfwR7ad7U0MgVjzsxF3cunXyE43he65QRHtXU21W +XufMEkPdkuOI4IlG4GjcZkqGk4a+qDHgXVCiCdgf3qIbvKSMyIqwVwUCAwEAAaOC +ATUwggExMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB +BQUHAwEwHQYDVR0OBBYEFI/5xb6WlnGIOgCKwq7YITEW387YMB8GA1UdIwQYMBaA +FOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcw 
+AYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0 +dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUu +b3JnMBMGA1UdIAQMMAowCAYGZ4EMAQICMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6 +Ly9jYS5zb21lY2EtaW5jLmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggEBADFQxQsM +ypkH4UWqbkc1c4gXfC7bf14LEIZnBtUXdKOWdKyomET+jhvPPmh8CiQhP9yuEdsN +sVNFP3NlstOKlp+9BU2DdOw36CFDa0E773MJUvr+sZm0oiH5yE5Y5YZ+oc73aRB/ +mVSehmEyn+aYuGKA2PQJNY5OlnZDRjTWfzCHl7jM1ZQRY9aDh4hiRmT4rOg3+6CF +bp+43MrK3zoVB7pHgzqqTGemxC0MDF9ubhnzpaFSO/CgyfugRO66aopWH5u4GcMT +l315IDds6LrndG2QtJMQtZAH9LpXVSBCwbjfROG4XamZ8lxUd3oKpFy/j5wPMjRZ +omg5sEr1xKchfjk= +-----END CERTIFICATE----- diff --git a/v3/testdata/country_not_upcase_ok1.pem b/v3/testdata/country_not_upcase_ok1.pem new file mode 100644 index 000000000..79680dc85 --- /dev/null +++ b/v3/testdata/country_not_upcase_ok1.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 39:af:b0:30:0c:15:a0:5e:c7:bd:ae:a5:9b:5b:ca:ea + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jun 17 12:51:02 2024 GMT + Not After : Jun 17 12:51:02 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:e2:56:bb:2f:46:b0:0d:b2:04:c8:50:88:da:11: + 08:2e:2f:ea:f0:0a:77:9c:32:29:5f:12:72:65:69: + a7:10:8d:de:45:91:9d:0a:14:7e:88:ed:61:32:0b: + 01:c9:90:f2:53:57:61:85:76:24:f7:f1:ba:e9:d0: + f5:7f:16:0b:01:64:44:5d:b8:4d:7c:e5:c0:8b:e7: + f5:d0:71:d3:38:42:b8:39:ae:72:a3:2d:20:7e:5b: + 38:5c:4d:a2:bf:ee:86:4c:e2:69:ae:82:36:b6:f1: + 17:e5:bf:ca:c8:a5:ad:ef:1b:d6:1e:8f:20:84:61: + 34:17:81:02:06:67:aa:09:11:2e:c5:21:18:93:1b: + 8b:c5:23:24:f7:ec:98:9b:47:1b:51:52:2d:4a:b3: + ce:d3:13:3c:1a:dc:1f:b4:bc:3a:b8:a7:3b:0f:38: + 88:f7:95:4f:fd:42:0a:ee:aa:36:06:64:84:98:cf: + 1e:d7:26:b3:ad:93:8c:a5:8a:bf:48:24:a5:15:e4: + 42:03:5e:5f:ff:c5:38:0d:12:36:87:a7:72:68:13: + 82:27:19:7a:0a:f0:90:c4:7c:9c:03:f3:e2:a7:9f: + a9:f3:26:12:25:69:7c:f0:f2:cf:75:1c:3a:d9:a4: + cd:12:8b:0c:d5:69:8b:7b:e9:54:a8:57:00:ce:18: + 1d:5d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + EA:38:82:0F:72:B7:A1:71:EE:4E:09:9C:67:A8:8D:F7:B0:FD:69:D7 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 
+ + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + df:64:c2:68:c0:18:5e:3b:b5:8d:4c:b3:45:88:6c:1f:24:7c: + ea:1a:22:b7:a9:ae:c0:2b:5c:e7:9d:cc:92:73:1e:82:69:ef: + a8:38:b9:85:fe:c2:b5:a3:8b:46:85:b1:71:d1:e9:4a:13:8e: + 7b:8a:86:79:76:79:ab:2f:5f:8f:1d:96:fd:a2:81:27:b6:26: + d5:f5:4f:80:33:15:6f:9d:3a:5f:bd:15:09:96:07:d4:e5:cb: + bb:86:d8:40:a6:d2:54:e2:a7:1e:80:be:67:ef:0f:18:6b:00: + 91:31:d8:f1:06:2e:ec:0f:ec:35:ec:6a:80:a3:9a:a9:4b:db: + 71:86:f7:5e:3f:5e:32:dd:9f:da:30:3c:80:fc:91:db:08:81: + 78:c7:f7:e0:76:c8:a8:10:92:5c:45:14:13:68:97:99:b0:fa: + f3:5f:87:ed:95:75:dd:3c:5f:c7:08:d7:50:64:e0:3b:72:c2: + 64:6e:5a:10:5c:c2:c9:55:dc:0c:8e:15:9a:8b:76:1f:bf:bc: + 82:dc:2e:0c:8c:87:ec:93:12:9a:4d:06:c0:aa:52:e8:c4:5c: + 1b:3e:80:f2:b3:00:33:a8:9b:6b:e9:39:80:6a:9e:1e:c5:72: + 7f:6f:9c:19:d3:c9:5a:00:4f:8a:bc:80:ae:86:f1:4a:b6:6d: + 0b:21:c8:8e +-----BEGIN CERTIFICATE----- +MIIEeDCCA2CgAwIBAgIQOa+wMAwVoF7Hva6lm1vK6jANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA2MTcxMjUxMDJaFw0yNTA2MTcxMjUx +MDJaMHQxCzAJBgNVBAYTAklUMR8wHQYDVQQIExZTb21lIFN0YXRlIG9yIFByb3Zp +bmNlMRIwEAYDVQQHEwlTb21ld2hlcmUxGjAYBgNVBAoTEVNvbWUgQ29tcGFueSBM +dGQuMRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAOJWuy9GsA2yBMhQiNoRCC4v6vAKd5wyKV8ScmVppxCN3kWRnQoU +fojtYTILAcmQ8lNXYYV2JPfxuunQ9X8WCwFkRF24TXzlwIvn9dBx0zhCuDmucqMt +IH5bOFxNor/uhkziaa6CNrbxF+W/ysilre8b1h6PIIRhNBeBAgZnqgkRLsUhGJMb +i8UjJPfsmJtHG1FSLUqzztMTPBrcH7S8OrinOw84iPeVT/1CCu6qNgZkhJjPHtcm +s62TjKWKv0gkpRXkQgNeX//FOA0SNoencmgTgicZegrwkMR8nAPz4qefqfMmEiVp +fPDyz3UcOtmkzRKLDNVpi3vpVKhXAM4YHV0CAwEAAaOCATUwggExMA4GA1UdDwEB +/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYE +FOo4gg9yt6Fx7k4JnGeojfew/WnXMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+ +B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNv 
+bWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2Et +aW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBMGA1UdIAQMMAow +CAYGZ4EMAQICMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5j +LmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggEBAN9kwmjAGF47tY1Ms0WIbB8kfOoa +IreprsArXOedzJJzHoJp76g4uYX+wrWji0aFsXHR6UoTjnuKhnl2easvX48dlv2i +gSe2JtX1T4AzFW+dOl+9FQmWB9Tly7uG2ECm0lTipx6AvmfvDxhrAJEx2PEGLuwP +7DXsaoCjmqlL23GG914/XjLdn9owPID8kdsIgXjH9+B2yKgQklxFFBNol5mw+vNf +h+2Vdd08X8cI11Bk4DtywmRuWhBcwslV3AyOFZqLdh+/vILcLgyMh+yTEppNBsCq +UujEXBs+gPKzADOom2vpOYBqnh7Fcn9vnBnTyVoAT4q8gK6G8Uq2bQshyI4= +-----END CERTIFICATE----- From f6d07ed309612e7341b39abd274f255cb101f72e Mon Sep 17 00:00:00 2001 From: Mathew Hodson Date: Sun, 23 Jun 2024 12:01:41 -0400 Subject: [PATCH 3/9] Improve util.IsEmailProtectionCert function (#858) Co-authored-by: Christopher Henderson --- v3/lint/base.go | 2 +- v3/util/ca.go | 21 ++++++++++++--------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/v3/lint/base.go b/v3/lint/base.go index 499810e74..c07d65a92 100644 --- a/v3/lint/base.go +++ b/v3/lint/base.go @@ -221,7 +221,7 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration) if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) { return &LintResult{Status: NA} } - if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) { + if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) { return &LintResult{Status: NA} } lint := l.Lint() diff --git a/v3/util/ca.go b/v3/util/ca.go index 8295ea4c1..c62421147 100644 --- a/v3/util/ca.go +++ b/v3/util/ca.go 
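Review bot: The simplified condition in base.go now relies entirely on util.IsEmailProtectionCert carrying the email-SAN requirement that this line previously spelled out, which is easy to miss when reading base.go on its own; a one-line comment above it would preserve that intent, e.g. `// IsEmailProtectionCert already requires an email SAN (or the S/MIME BR policy OIDs), so no separate HasEmailSAN check is needed here.`. The enclosing Execute method starts and ends outside the hunk.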
@@ -70,17 +70,20 @@ func IsServerAuthCert(cert *x509.Certificate) bool { } // IsEmailProtectionCert returns true if the certificate presented is for use protecting emails. -// A certificate is for use protecting emails if it contains the Any Purpose or emailProtection -// EKUs or if the certificate contains no EKUs. This last point is a way of being overly cautious -// and choosing to prefer false positives over false negatives. +// The S/MIME BRs say the certificate can be identified by an EKU for id-kp-emailProtection +// and the inclusion of a rfc822Name SAN or an otherName of type id-on-SmtpUTF8Mailbox. +// As a way of being overly cautious and choosing to prefer false positives over false negatives, +// also include certificates that have no EKUs, the any purpose EKU, or one of the policy OIDs. func IsEmailProtectionCert(cert *x509.Certificate) bool { - if len(cert.ExtKeyUsage) == 0 { - return true - } - for _, eku := range cert.ExtKeyUsage { - if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageEmailProtection { + if HasEmailSAN(cert) { + if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 { return true } + for _, eku := range cert.ExtKeyUsage { + if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageEmailProtection { + return true + } + } } - return false + return IsSMIMEBRCertificate(cert) } From 672100d27702f1ddef95ecaa8977b3b1ea0f4b2e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sat, 13 Jul 2024 06:43:53 -0700 Subject: [PATCH 4/9] util: gtld_map autopull updates for 2024-07-13T13:20:09 UTC (#866) * util: gtld_map autopull updates for 2024-07-09T21:20:04 UTC * Trigger jobs --------- Co-authored-by: GitHub Co-authored-by: Christopher Henderson --- v3/util/gtld_map.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v3/util/gtld_map.go b/v3/util/gtld_map.go index 42be89385..99f7a4bfb 100644 --- a/v3/util/gtld_map.go +++ b/v3/util/gtld_map.go 
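Review bot: The added `len(cert.UnknownExtKeyUsage) == 0` condition narrows the "no EKUs" case in a way the rewritten doc comment does not describe: a certificate with an rfc822Name SAN whose only EKUs are OIDs zcrypto does not recognise is no longer treated as an email-protection certificate unless IsSMIMEBRCertificate matches it, and so drops out of S/MIME BR lint coverage. Since the comment says the function deliberately prefers false positives, either state the exclusion explicitly, e.g. `// A cert whose only EKUs are unrecognised OIDs is not treated as email-protection here (unless it carries the S/MIME BR policy OIDs).`, or drop the UnknownExtKeyUsage clause if the lenient reading was intended. Note also that the any-purpose/emailProtection loop ignores UnknownExtKeyUsage, so a cert listing a known EKU alongside an unknown one is accepted while one listing only unknown EKUs is not; that asymmetry deserves a sentence in the comment either way. IsSMIMEBRCertificate is outside this hunk, so the policy-OID fallback is inferred from the comment text.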
@@ -5701,7 +5701,7 @@ var tldMap = map[string]GTLDPeriod{ "shaw": { GTLD: "shaw", DelegationDate: "2016-03-22", - RemovalDate: "", + RemovalDate: "2024-07-09", }, "shell": { GTLD: "shell", From 2440571870f32ad14a73eb5f9e74b500c69ecda3 Mon Sep 17 00:00:00 2001 
From: Adriano Santoni Date: Sun, 14 Jul 2024 16:30:18 +0200 Subject: [PATCH 5/9] Add lint to check that Root CA and TLS SubCA certificates do not contain the OU subject attribute (#864) * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Update lint_invalid_subject_rdn_order_test.go Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment * Update lint_invalid_subject_rdn_order.go Fixed import block * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go Fine to me. Co-authored-by: Christopher Henderson * Update lint_invalid_subject_rdn_order.go As per Chris Henderson's suggestion, to "improve readability". * Update lint_invalid_subject_rdn_order_test.go As per Chris Henderson's suggestion. * Update time.go Added CABFEV_Sec9_2_8_Date * Add files via upload * Add files via upload * Revised according to Chris and Corey suggestions * Add files via upload * Add files via upload * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go * Delete v3/testdata/invalid_cps_uri_ko_01.pem * Delete v3/testdata/invalid_cps_uri_ko_02.pem * Delete v3/testdata/invalid_cps_uri_ko_03.pem * Delete v3/testdata/invalid_cps_uri_ok_01.pem * Delete v3/testdata/invalid_cps_uri_ok_02.pem * Delete v3/testdata/invalid_cps_uri_ok_03.pem * Add files via upload * Add files via upload * Update v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go Co-authored-by: Christopher Henderson * Update v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go Co-authored-by: Christopher Henderson --------- Co-authored-by: Christopher Henderson --- .../cabf_br/lint_subj_orgunit_in_ca_cert.go | 69 +++++++++ .../lint_subj_orgunit_in_ca_cert_test.go | 82 ++++++++++ v3/testdata/orgunit_in_ca_ko1.pem | 140 +++++++++++++++++ v3/testdata/orgunit_in_ca_ok1.pem | 144 ++++++++++++++++++ v3/testdata/orgunit_in_ca_ok2.pem | 143 +++++++++++++++++ v3/testdata/orgunit_in_ca_ok3.pem | 140 
+++++++++++++++++ v3/testdata/orgunit_in_ca_ok4.pem | 142 +++++++++++++++++ 7 files changed, 860 insertions(+) create mode 100644 v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go create mode 100644 v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert_test.go create mode 100644 v3/testdata/orgunit_in_ca_ko1.pem create mode 100644 v3/testdata/orgunit_in_ca_ok1.pem create mode 100644 v3/testdata/orgunit_in_ca_ok2.pem create mode 100644 v3/testdata/orgunit_in_ca_ok3.pem create mode 100644 v3/testdata/orgunit_in_ca_ok4.pem diff --git a/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go b/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go new file mode 100644 index 000000000..c9aebb23a --- /dev/null +++ b/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go 
@@ -0,0 +1,69 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/* + * Contributed by Adriano Santoni + */ + +package cabf_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_subj_orgunit_in_ca_cert", + Description: "The organizationalUnitName MUST NOT be included in Root CA certs or TLS Subordinate CA certs. organizationalUnitName is allowed for cross signed certificates, although not recommended. 
This lint may be configured to signify that the target is a cross signed certificate.", + Citation: "CABF BR §7.1.2.10.2 (CA Certificate Naming)", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_2_0_0_Date, + }, + Lint: NewSubjectOrgUnitInCACert, + }) +} + +type subjectOrgUnitInCACert struct { + CrossCert bool `comment:"Set this to true if the certificate to be linted is a cross-certificate"` +} + +func NewSubjectOrgUnitInCACert() lint.LintInterface { + return &subjectOrgUnitInCACert{ + CrossCert: false, + } +} + +func (l *subjectOrgUnitInCACert) Configure() interface{} { + return l +} + +func (l *subjectOrgUnitInCACert) CheckApplies(c *x509.Certificate) bool { + return util.IsCACert(c) +} + +func (l *subjectOrgUnitInCACert) Execute(c *x509.Certificate) *lint.LintResult { + if c.Subject.OrganizationalUnit != nil { + if !l.CrossCert { + return &lint.LintResult{ + Status: lint.Error, + Details: "The OU attribute in the Subject is prohibited in Root and TLS CA certificates", + } + } + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert_test.go b/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert_test.go new file mode 100644 index 000000000..0ab420c12 --- /dev/null +++ b/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert_test.go 
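Review bot: `c.Subject.OrganizationalUnit != nil` in Execute tests for a nil slice rather than for the presence of an OU; should the parser ever yield an empty non-nil slice, the lint would flag a certificate that has no OU, so the idiomatic and safer form is `if len(c.Subject.OrganizationalUnit) > 0 && !l.CrossCert {`, which also collapses the two nested ifs. CheckApplies accepts any CA certificate while the Details string speaks of Root and TLS CA certificates; the narrowing to TLS CAs presumably happens in lint.CertificateLint.Execute via the util.IsServerAuthCert gate for CABFBaselineRequirements lints (visible in the base.go hunk earlier in this file), which is worth a comment on CheckApplies such as `// Non-TLS CA certs are excluded upstream by the CABF BR source gate (util.IsServerAuthCert).`. With CrossCert set the lint returns Pass even though the Description calls an OU in cross-certificates "not recommended"; consider whether a lint.Notice would serve users better there, keeping in mind the accompanying test currently pins Pass.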
@@ -0,0 +1,82 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/* + * Test cases: + * + * Input file Config Want Description + * ========== ====== ==== =========== + * orgunit_in_ca_ok1.pem (none) NA Subscriber cert with OU, issued before effective date + * orgunit_in_ca_ok4.pem (none) NA Non-TLS CA cert with OU, issued before effective date + * orgunit_in_ca_ok2.pem (none) Pass TLS CA cert without OU + * orgunit_in_ca_ok3.pem (none) NE TLS CA cert with OU, issued before effective date + * orgunit_in_ca_ko1.pem (none) Error TLS CA cert with OU, issued after effective date + * orgunit_in_ca_ko1.pem CrossCert Pass TLS CA cert with OU, issued after effective date + */ + +package cabf_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestSubjectOrgUnitInCACert(t *testing.T) { + type Data struct { + input string + config string + want lint.LintStatus + } + data := []Data{ + { + input: "orgunit_in_ca_ok1.pem", + want: lint.NA, + }, + { + input: "orgunit_in_ca_ok2.pem", + want: lint.Pass, + }, + { + input: "orgunit_in_ca_ok3.pem", + want: lint.NE, + }, + { + input: "orgunit_in_ca_ok4.pem", + want: lint.NA, + }, + { + input: "orgunit_in_ca_ko1.pem", + want: lint.Error, + }, + { + input: "orgunit_in_ca_ko1.pem", + config: ` + [e_subj_orgunit_in_ca_cert] + CrossCert = true + `, + want: lint.Pass, + }, + } + for _, testData := range data { + 
testData := testData + t.Run(testData.input, func(t *testing.T) { + out := test.TestLintWithConfig("e_subj_orgunit_in_ca_cert", testData.input, testData.config) + if out.Status != testData.want { + t.Errorf("expected %s, got %s", testData.want, out.Status) + } + }) + } +} diff --git a/v3/testdata/orgunit_in_ca_ko1.pem b/v3/testdata/orgunit_in_ca_ko1.pem new file mode 100644 index 000000000..0e003751e --- /dev/null +++ b/v3/testdata/orgunit_in_ca_ko1.pem 
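Review bot: The test-case table in the file header describes the two NA rows (orgunit_in_ca_ok1.pem and orgunit_in_ca_ok4.pem) as "issued before effective date", but the expected NA status follows from applicability (a subscriber cert, and presumably a non-TLS CA cert filtered by the CABF BR source gate), not from the date, which is what the NE expected for ok3 signals; rewording those rows to `Subscriber cert with OU (not applicable)` and `Non-TLS CA cert with OU (not applicable)` keeps the table from suggesting NE. The `testData := testData` copy is only needed if the module's go version predates 1.22, which is not visible here; harmless to keep.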
@@ -0,0 +1,140 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 09:93:40:5a:5f:fb:60:58:3a:40:02:66:f3:2b:86:6a + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Nov 19 00:00:00 2023 GMT + Not After : Nov 17 00:00:00 2028 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, OU = Some Department, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:a6:64:24:58:93:e6:28:0f:bd:31:90:f6:6e:7d: + a2:43:8c:3a:87:d6:aa:72:e6:7c:83:99:e7:43:10: + 70:2b:8b:cf:86:6b:c4:56:bd:d9:67:b0:49:c6:b9: + ee:ef:b6:32:c2:b4:4c:ea:dc:7e:40:05:72:3b:21: + 95:a2:56:fc:27:4b:c6:c2:83:1b:16:c3:a4:06:45: + 2a:af:54:80:9c:68:01:71:90:06:dd:91:ba:07:97: + b5:c9:7e:c7:73:a8:1c:02:d4:bb:1f:8a:b6:69:2d: + c9:b5:57:b1:48:5a:79:45:85:ad:80:38:5b:e1:67: + 0e:a8:b2:64:97:64:c1:19:4c:9c:a1:31:58:4b:43: + 81:5e:19:9a:ec:2a:17:fb:48:24:a0:d1:2e:34:d6: + 5c:77:f9:33:6c:f2:84:11:72:be:24:c1:e2:ca:86: + 90:41:cd:93:7c:73:c2:9a:cd:56:a1:72:1a:e5:39: + 5d:74:3d:3a:76:b9:d0:c3:9b:ea:31:4c:e5:38:80: + 45:8f:e3:d2:03:8d:5e:20:7d:d2:5a:2d:d6:35:6e: + bd:f1:46:f6:60:d3:00:76:53:c0:9f:01:d4:01:f7: + e0:13:eb:90:4c:d9:bf:9b:e0:8f:3c:f3:0e:04:b8: + 9c:af:6f:49:4b:8e:84:06:08:af:cb:b0:21:32:fc: + c3:95:1c:71:d9:ef:09:fd:04:31:71:88:3c:b6:f6: + 3e:7b:63:e5:21:9b:0f:00:da:05:fc:37:c6:ba:e4: + e6:c5:93:11:0e:29:f5:6f:a6:c9:e6:29:3a:9f:c0: + e4:f6:04:f3:a2:a8:07:d5:59:4b:b8:45:24:9c:c0: + 9a:dc:48:e1:93:17:03:d0:57:b1:b4:c8:36:5b:f5: + 98:66:9b:87:1b:3b:c4:74:b7:85:0a:80:ef:ad:ff: + 48:aa:31:b8:ca:a4:f1:7c:92:a1:6f:c4:e1:55:ca: + 6b:de:f9:7b:e7:2a:84:b7:57:f7:3f:de:80:96:2a: + ef:7e:9f:53:bd:53:a9:dd:86:83:cf:25:b6:7a:7b: + 9d:e3:22:7a:12:ac:a1:8e:aa:64:86:ba:e7:ce:85: + bd:d3:f4:b1:d5:fe:aa:ed:b3:c3:84:09:c5:58:ed: + ff:a3:e3:8b:54:09:9e:ae:95:af:aa:19:1f:9c:ba: + 2d:f6:73:20:5c:1d:49:cc:14:4e:50:75:69:8b:a9: + 
11:a5:a0:39:0d:f3:a4:12:6c:66:1f:a3:40:84:66: + cf:50:db:57:f1:fd:15:e8:94:1d:7b:44:67:48:1f: + 37:1d:76:a6:8e:75:af:de:94:84:9f:0a:a6:a3:d8: + 0b:1d:ce:c1:f7:6e:0f:f8:31:ec:65:7e:83:1b:62: + c3:37:69 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 35:70:F6:A7:CE:CA:05:79:F3:0E:20:12:00:07:EB:B3:58:06:5A:BD + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 5f:ae:77:aa:9f:41:b1:e4:9d:56:ea:1b:1e:22:0f:d3:f3:61: + e7:71:4a:06:1b:bf:bb:41:8d:cf:ad:c9:26:42:b3:c7:8d:08: + 6b:2c:84:0b:18:6a:da:ba:0d:12:bc:fe:34:8a:8d:3e:de:7c: + a5:15:ca:8b:89:05:97:3a:77:01:ea:60:19:9d:72:db:74:1d: + 81:e8:8d:3d:35:ae:5d:04:bc:9f:c9:df:5c:7f:9d:f4:51:e1: + f1:37:cd:f0:c7:ed:cf:8f:a2:af:48:ec:3e:b1:1c:86:88:4b: + bf:30:21:b4:ca:99:b3:28:31:39:41:10:b8:09:96:60:fb:12: + 8d:fb:9d:cb:37:ed:52:d9:ad:2c:47:0a:89:06:cf:2a:d5:2b: + 3f:bc:b5:c6:5e:90:fd:d9:92:1b:db:2b:62:37:08:ed:f8:39: + 73:28:55:e7:7b:f1:e4:1d:29:4e:37:86:40:17:9b:67:43:ed: + 04:91:58:f4:53:89:c0:67:c9:4a:51:a5:10:a8:e5:27:91:5b: + 07:a6:c5:df:d0:2a:34:bd:6d:00:f5:95:5e:a6:21:99:30:8c: + a7:54:d1:7b:b7:40:aa:7e:be:45:b2:a7:46:03:d1:56:17:2b: + 6d:73:1f:f7:20:39:9b:25:5d:0f:5c:be:13:d3:90:59:5c:fb: + 61:86:b4:85:59:ca:5e:55:a8:73:38:3e:39:c9:a3:5c:c0:02: + 61:af:65:37:4e:6e:85:e1:58:01:1e:da:30:80:80:38:ac:91: + f0:1d:2c:df:8a:98:1f:b5:9e:c4:b2:3e:e4:df:fb:d6:84:7d: + 65:87:40:ae:38:6b:af:1b:fb:88:b8:51:d1:f5:8b:38:ac:6a: + cd:30:c7:11:95:b0:e4:75:ee:9a:2a:19:70:3a:49:8f:fb:04: + 
79:8a:14:52:81:b0:7c:58:21:a4:50:b6:be:de:23:46:f5:b4: + 72:2a:04:a5:02:5b:04:d3:a7:c1:f9:9b:b5:a7:0b:14:28:73: + a5:3f:12:d4:bd:6c:30:a2:8e:d2:bf:74:03:6d:e4:f7:7d:38: + c9:07:51:8c:c5:9d:a9:d6:c4:00:b2:67:42:dd:83:ef:87:f2: + a7:a2:57:e5:a3:9f:00:ae:41:b5:1f:a4:db:91:55:aa:3f:62: + 83:9d:27:ca:58:57:dd:09:c5:ff:6d:d0:be:8e:bb:4a:77:20: + 80:03:11:86:e5:7c:ee:d7:a3:3e:0b:ca:e5:73:34:b9:46:40: + 91:64:a5:8b:00:9f:a3:45:f0:79:b1:d1:f4:d6:2e:ee:1d:5c: + e4:2c:ba:20:b1:07:7f:b3:c7:6a:20:a6:75:86:ad:a9:75:34: + f6:20:bf:ea:1b:ff:82:50 +-----BEGIN CERTIFICATE----- +MIIGbDCCBFSgAwIBAgIQCZNAWl/7YFg6QAJm8yuGajANBgkqhkiG9w0BAQsFADBI +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEnMCUGA1UEAxMeRmFrZSBS +b290IENBIGZvciB6bGludCB0ZXN0aW5nMB4XDTIzMTExOTAwMDAwMFoXDTI4MTEx +NzAwMDAwMFowgYoxCzAJBgNVBAYTAlhYMRMwEQYDVQQIEwpTb21lIFN0YXRlMRYw +FAYDVQQHEw1Tb21lIExvY2FsaXR5MRAwDgYDVQQKEwdTb21lIENBMRgwFgYDVQQL +Ew9Tb21lIERlcGFydG1lbnQxIjAgBgNVBAMTGUZha2UgQ0EgZm9yIHpsaW50IHRl +c3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCmZCRYk+YoD70x +kPZufaJDjDqH1qpy5nyDmedDEHAri8+Ga8RWvdlnsEnGue7vtjLCtEzq3H5ABXI7 +IZWiVvwnS8bCgxsWw6QGRSqvVICcaAFxkAbdkboHl7XJfsdzqBwC1LsfirZpLcm1 +V7FIWnlFha2AOFvhZw6osmSXZMEZTJyhMVhLQ4FeGZrsKhf7SCSg0S401lx3+TNs +8oQRcr4kweLKhpBBzZN8c8KazVahchrlOV10PTp2udDDm+oxTOU4gEWP49IDjV4g +fdJaLdY1br3xRvZg0wB2U8CfAdQB9+AT65BM2b+b4I888w4EuJyvb0lLjoQGCK/L +sCEy/MOVHHHZ7wn9BDFxiDy29j57Y+Uhmw8A2gX8N8a65ObFkxEOKfVvpsnmKTqf +wOT2BPOiqAfVWUu4RSScwJrcSOGTFwPQV7G0yDZb9Zhmm4cbO8R0t4UKgO+t/0iq +MbjKpPF8kqFvxOFVymve+XvnKoS3V/c/3oCWKu9+n1O9U6ndhoPPJbZ6e53jInoS +rKGOqmSGuufOhb3T9LHV/qrts8OECcVY7f+j44tUCZ6ula+qGR+cui32cyBcHUnM +FE5QdWmLqRGloDkN86QSbGYfo0CEZs9Q21fx/RXolB17RGdIHzcddqaOda/elISf +Cqaj2AsdzsH3bg/4MexlfoMbYsM3aQIDAQABo4IBDTCCAQkwDgYDVR0PAQH/BAQD +AgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFDVw9qfOygV58w4gEgAH67NY +Blq9MB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEB +BFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL29jc3Aw 
+KQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290MBEGA1Ud +IAQKMAgwBgYEVR0gADAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNh +LWluYy5jb20vY3JsMA0GCSqGSIb3DQEBCwUAA4ICAQBfrneqn0Gx5J1W6hseIg/T +82HncUoGG7+7QY3PrckmQrPHjQhrLIQLGGraug0SvP40io0+3nylFcqLiQWXOncB +6mAZnXLbdB2B6I09Na5dBLyfyd9cf530UeHxN83wx+3Pj6KvSOw+sRyGiEu/MCG0 +ypmzKDE5QRC4CZZg+xKN+53LN+1S2a0sRwqJBs8q1Ss/vLXGXpD92ZIb2ytiNwjt ++DlzKFXne/HkHSlON4ZAF5tnQ+0EkVj0U4nAZ8lKUaUQqOUnkVsHpsXf0Co0vW0A +9ZVepiGZMIynVNF7t0Cqfr5FsqdGA9FWFyttcx/3IDmbJV0PXL4T05BZXPthhrSF +WcpeVahzOD45yaNcwAJhr2U3Tm6F4VgBHtowgIA4rJHwHSzfipgftZ7Esj7k3/vW +hH1lh0CuOGuvG/uIuFHR9Ys4rGrNMMcRlbDkde6aKhlwOkmP+wR5ihRSgbB8WCGk +ULa+3iNG9bRyKgSlAlsE06fB+Zu1pwsUKHOlPxLUvWwwoo7Sv3QDbeT3fTjJB1GM +xZ2p1sQAsmdC3YPvh/Knolflo58ArkG1H6TbkVWqP2KDnSfKWFfdCcX/bdC+jrtK +dyCAAxGG5Xzu16M+C8rlczS5RkCRZKWLAJ+jRfB5sdH01i7uHVzkLLogsQd/s8dq +IKZ1hq2pdTT2IL/qG/+CUA== +-----END CERTIFICATE----- diff --git a/v3/testdata/orgunit_in_ca_ok1.pem b/v3/testdata/orgunit_in_ca_ok1.pem new file mode 100644 index 000000000..ea5e9349a --- /dev/null +++ b/v3/testdata/orgunit_in_ca_ok1.pem 
@@ -0,0 +1,144 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + b9:70:28:7e:b0:e4:d4:15:b1:ec:a1:21:27:54:7e:c8 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, ST = Some State or Province, L = Somewhere, O = Some Company, CN = Some CA + Validity + Not Before: Oct 23 00:00:00 2022 GMT + Not After : Oct 23 00:00:00 2023 GMT + Subject: C = XX, ST = Some State or Province, L = Somewhere else, O = Some Other Company, OU = Some Department, CN = example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:b5:35:fb:47:0e:56:23:04:83:ec:d6:b1:33:d3: + 6d:78:87:ac:06:8b:71:33:3b:65:68:b6:fb:90:74: + 4f:d1:8e:a8:81:c7:3f:73:ce:56:00:44:85:d4:e9: + 3b:60:bb:08:85:61:36:d9:69:36:83:39:a9:06:19: + 3d:91:a9:9a:92:5a:80:a7:0c:13:0e:1c:58:7e:41: + 97:30:56:87:d7:74:5f:e2:f9:11:16:dc:7a:ce:0c: + 14:b1:94:da:a5:a1:e9:e9:65:e6:b8:54:fe:51:14: + 39:85:0f:89:7e:8d:b0:8d:3b:e5:a4:88:21:fe:0c: + db:81:f5:8b:fd:2f:bc:4c:7a:a9:2b:78:67:58:1f: + d8:ce:4b:8e:11:7d:fd:40:a9:eb:32:5e:91:2b:eb: + 51:59:df:97:32:8e:8a:a8:40:a6:de:30:a0:8e:ff: + b1:bd:ad:7b:ff:14:8b:8f:65:84:3e:3b:d2:be:51: + 1a:78:16:10:90:33:75:fb:13:21:b3:6f:cc:92:7b: + 56:4f:6d:e3:15:9c:5f:ce:45:f8:f5:1c:1f:d0:6e: + 49:4f:e5:31:a2:e5:15:39:ff:9e:f1:ca:4e:ce:7f: + 88:48:73:c3:59:61:c0:aa:bd:68:22:5e:96:bf:56: + 63:86:c9:2a:0b:95:85:a4:d4:2e:09:9f:5e:19:f4: + ba:a8:3b:41:de:83:eb:b1:db:ee:0f:f8:95:3b:e2: + bc:a2:9e:c2:72:62:1a:95:cf:14:6f:1b:26:4e:86: + 02:d3:29:d6:6e:e1:75:e0:2b:66:88:8c:5e:df:2b: + 99:1a:6c:5e:f6:cc:3d:e5:4b:ae:05:0e:b6:ff:d0: + 6a:d4:c1:74:3b:0b:b6:31:d6:99:64:f4:80:19:8f: + 4c:46:c9:5d:1a:2a:96:62:8c:05:4e:70:1b:19:f6: + ef:98:1f:01:6e:9f:fb:9f:e4:23:9c:97:c3:1a:30: + a0:0c:af:e1:e1:cd:36:fe:8e:d1:6f:87:90:8f:f0: + 84:ad:73:04:28:e5:fb:57:2d:1a:26:0d:7f:19:16: + ec:5d:d4:c9:d2:86:bc:23:6c:e9:bc:67:a5:d2:bf: + ba:fb:d0:1e:53:40:9d:f1:53:18:62:17:52:14:6e: + a2:ec:23:c4:89:63:f6:53:57:d9:cd:d1:68:32:95: + 
d1:e7:b8:2b:d4:71:f8:f3:1b:0b:9e:cd:42:36:c1: + a7:24:7d:3c:37:4f:60:a2:61:95:19:27:45:5b:57: + ac:65:a8:b3:d6:a6:7a:04:9c:eb:49:24:f6:ec:f9: + 0d:9c:b7:5a:fc:32:18:cf:fe:65:66:91:10:5e:7e: + c6:df:5a:9e:7e:fe:23:62:a7:b2:c3:c3:04:43:1b: + 9d:f1:11 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 3E:54:B0:A8:83:F0:73:FF:2B:FB:A9:B2:35:38:91:38:97:CD:27:EC + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + b3:f4:21:73:1e:e4:99:2a:82:9d:d7:ce:79:fc:a1:10:87:bf: + 53:8c:50:5a:09:8b:19:70:d0:a7:23:05:09:00:4d:51:3c:16: + f7:86:17:1b:d8:4c:fc:71:0d:74:82:e9:1b:21:ff:12:fb:80: + e9:2d:f0:ea:ff:9a:cd:0b:1a:2b:d9:ba:5b:17:32:21:fb:11: + b8:51:e6:b2:b6:bd:27:c9:26:e8:50:49:ca:2d:6e:aa:a7:9c: + a9:3f:eb:bd:06:dc:ea:5c:be:cf:7a:e6:83:72:03:f4:3a:2c: + d9:d0:cf:e9:72:bd:fd:cd:04:aa:af:ff:60:f4:86:69:08:52: + d6:24:7a:51:17:46:0c:52:6f:79:fc:10:2f:79:d4:04:d5:e9: + c5:d6:22:f4:97:d6:61:52:4f:c0:93:c4:03:47:6f:73:d2:0c: + b1:1e:e3:be:39:54:1d:86:2d:e9:37:76:91:b5:1e:51:e4:34: + ad:90:65:78:d9:31:2d:95:24:fd:a3:da:20:2b:b2:f4:cf:78: + 6a:4e:96:98:7a:f8:57:7b:e3:10:32:37:14:a6:90:17:c2:e5: + 98:7d:ee:d3:c5:c6:28:0c:1d:c6:a0:29:2f:af:cd:fa:90:87: + f1:1f:3d:fd:57:f2:41:23:70:6d:c5:61:59:2a:e1:53:4b:8c: + 29:9c:ce:0c:a9:c4:f4:8d:d9:54:82:4b:6a:4b:8a:97:38:b2: + af:43:88:a5:84:a0:6e:2c:10:0a:e4:a4:9d:e9:83:2e:e0:cc: + 80:58:de:1c:0f:4d:41:8c:b7:cc:1d:a8:0e:d2:15:d3:96:41: + 
5e:d8:19:e4:84:77:f4:af:23:72:eb:5c:f7:55:24:39:ab:ec: + 83:59:eb:8d:60:a0:f6:d4:30:8b:79:6b:14:ea:8a:6f:2a:6e: + 6c:e0:85:35:1c:e6:ff:cf:3b:8d:ac:88:09:ad:57:2e:8a:13: + 74:c2:29:bb:a2:74:f9:34:70:46:8c:99:cb:31:95:d2:f3:dc: + 34:86:60:79:63:1f:cb:38:b9:bf:02:79:e4:12:f5:c5:ee:a1: + 15:24:39:b8:0e:69:f3:ed:38:ed:39:8a:01:0a:4c:e9:c1:67: + 4c:ef:dc:31:53:5e:a7:4e:6e:34:15:6f:f0:7f:ae:c4:72:db: + 63:37:bd:68:44:00:03:90:c7:33:66:12:35:d8:ee:9c:da:fc: + 91:de:07:45:ae:64:9c:b6:57:eb:39:48:87:f8:e6:92:c5:ba: + e6:49:42:6e:f3:62:ab:32:3e:33:4f:02:fb:9f:93:29:8e:e3: + 27:45:00:69:96:01:2b:3b:10:df:de:96:23:8a:da:1f:39:c3: + 40:a2:37:b3:a6:68:ed:08 +-----BEGIN CERTIFICATE----- +MIIGwjCCBKqgAwIBAgIRALlwKH6w5NQVseyhISdUfsgwDQYJKoZIhvcNAQELBQAw +azELMAkGA1UEBhMCWFgxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJvdmluY2Ux +EjAQBgNVBAcTCVNvbWV3aGVyZTEVMBMGA1UEChMMU29tZSBDb21wYW55MRAwDgYD +VQQDEwdTb21lIENBMB4XDTIyMTAyMzAwMDAwMFoXDTIzMTAyMzAwMDAwMFowgZQx +CzAJBgNVBAYTAlhYMR8wHQYDVQQIExZTb21lIFN0YXRlIG9yIFByb3ZpbmNlMRcw +FQYDVQQHEw5Tb21ld2hlcmUgZWxzZTEbMBkGA1UEChMSU29tZSBPdGhlciBDb21w +YW55MRgwFgYDVQQLEw9Tb21lIERlcGFydG1lbnQxFDASBgNVBAMTC2V4YW1wbGUu +Y29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtTX7Rw5WIwSD7Nax +M9NteIesBotxMztlaLb7kHRP0Y6ogcc/c85WAESF1Ok7YLsIhWE22Wk2gzmpBhk9 +kamaklqApwwTDhxYfkGXMFaH13Rf4vkRFtx6zgwUsZTapaHp6WXmuFT+URQ5hQ+J +fo2wjTvlpIgh/gzbgfWL/S+8THqpK3hnWB/YzkuOEX39QKnrMl6RK+tRWd+XMo6K +qECm3jCgjv+xva17/xSLj2WEPjvSvlEaeBYQkDN1+xMhs2/MkntWT23jFZxfzkX4 +9Rwf0G5JT+UxouUVOf+e8cpOzn+ISHPDWWHAqr1oIl6Wv1ZjhskqC5WFpNQuCZ9e +GfS6qDtB3oPrsdvuD/iVO+K8op7CcmIalc8UbxsmToYC0ynWbuF14CtmiIxe3yuZ +Gmxe9sw95UuuBQ62/9Bq1MF0Owu2MdaZZPSAGY9MRsldGiqWYowFTnAbGfbvmB8B +bp/7n+QjnJfDGjCgDK/h4c02/o7Rb4eQj/CErXMEKOX7Vy0aJg1/GRbsXdTJ0oa8 +I2zpvGel0r+6+9AeU0Cd8VMYYhdSFG6i7CPEiWP2U1fZzdFoMpXR57gr1HH48xsL +ns1CNsGnJH08N09gomGVGSdFW1esZaiz1qZ6BJzrSST27PkNnLda/DIYz/5lZpEQ +Xn7G31qefv4jYqeyw8MEQxud8RECAwEAAaOCATUwggExMA4GA1UdDwEB/wQEAwIF +oDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFD5UsKiD 
+8HP/K/upsjU4kTiXzSfsMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+ +MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1p +bmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNv +bS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBMGA1UdIAQMMAowCAYGZ4EM +AQICMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9j +cmwwDQYJKoZIhvcNAQELBQADggIBALP0IXMe5Jkqgp3Xznn8oRCHv1OMUFoJixlw +0KcjBQkATVE8FveGFxvYTPxxDXSC6Rsh/xL7gOkt8Or/ms0LGivZulsXMiH7EbhR +5rK2vSfJJuhQScotbqqnnKk/670G3Opcvs965oNyA/Q6LNnQz+lyvf3NBKqv/2D0 +hmkIUtYkelEXRgxSb3n8EC951ATV6cXWIvSX1mFST8CTxANHb3PSDLEe4745VB2G +Lek3dpG1HlHkNK2QZXjZMS2VJP2j2iArsvTPeGpOlph6+Fd74xAyNxSmkBfC5Zh9 +7tPFxigMHcagKS+vzfqQh/EfPf1X8kEjcG3FYVkq4VNLjCmczgypxPSN2VSCS2pL +ipc4sq9DiKWEoG4sEArkpJ3pgy7gzIBY3hwPTUGMt8wdqA7SFdOWQV7YGeSEd/Sv +I3LrXPdVJDmr7INZ641goPbUMIt5axTqim8qbmzghTUc5v/PO42siAmtVy6KE3TC +KbuidPk0cEaMmcsxldLz3DSGYHljH8s4ub8CeeQS9cXuoRUkObgOafPtOO05igEK +TOnBZ0zv3DFTXqdObjQVb/B/rsRy22M3vWhEAAOQxzNmEjXY7pza/JHeB0WuZJy2 +V+s5SIf45pLFuuZJQm7zYqsyPjNPAvufkymO4ydFAGmWASs7EN/eliOK2h85w0Ci +N7OmaO0I +-----END CERTIFICATE----- diff --git a/v3/testdata/orgunit_in_ca_ok2.pem b/v3/testdata/orgunit_in_ca_ok2.pem new file mode 100644 index 000000000..0c02562a2 --- /dev/null +++ b/v3/testdata/orgunit_in_ca_ok2.pem 
@@ -0,0 +1,143 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 33:75:11:c3:a4:0f:ec:98:44:3d:3b:a4:82:f5:3d:c6 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: May 24 04:12:01 2024 GMT + Not After : May 23 04:12:01 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:c6:b4:69:32:22:ea:e3:2a:3a:46:0f:9f:7b:ff: + 76:c6:39:29:9b:19:d9:d3:9c:b8:c1:f4:03:6f:9f: + 87:d2:69:19:a9:15:3f:2d:47:47:d6:ea:c1:dc:5f: + f6:76:49:c4:c0:bd:c2:f3:57:da:93:a9:65:df:09: + 35:f8:53:f8:bb:1a:92:04:ab:c6:90:25:34:61:26: + ae:58:55:e0:70:61:d7:0e:c7:de:0e:89:d9:0f:ca: + 2e:cc:3a:99:42:51:4d:49:be:16:83:9d:b7:80:26: + cf:f5:bd:d8:cd:50:a6:2c:82:e6:53:5e:2b:5d:e8: + 12:16:e3:e1:ff:b8:3f:bb:39:dd:48:15:19:df:14: + 60:e1:54:8e:1d:4f:df:a2:29:5e:89:7c:fb:58:19: + e0:d2:58:c7:79:5e:b0:14:90:09:17:f6:2c:11:10: + 3a:c2:ba:ce:3a:93:85:83:41:3a:a8:13:01:b9:4b: + 33:09:ab:4b:4a:9a:e7:4f:24:36:c9:f6:1f:3c:b8: + a8:db:d1:93:37:f6:27:67:05:0b:40:7a:64:96:ec: + 3a:4b:b2:66:f4:c1:37:e2:99:a9:d0:bc:1e:c6:b0: + 04:43:37:52:53:20:27:9b:0b:43:07:0f:0f:39:cc: + 47:27:e8:8a:ec:5e:d3:f7:f5:b1:cc:45:4a:94:db: + 22:1d:9e:92:5d:0e:cd:8d:fb:1a:ab:c0:c2:18:1f: + 1f:33:2a:3e:92:f9:b8:49:7b:96:ac:9d:af:80:45: + cb:0d:66:f2:e6:26:ea:08:24:bf:82:1f:5a:52:e9: + 8b:d8:e9:f1:2a:da:28:02:ae:05:07:5b:a6:b7:19: + ef:b7:d8:16:e6:88:d6:03:f1:c9:cf:7b:0f:59:d5: + 33:cb:af:18:8a:a4:b2:a0:0c:78:fd:7d:50:5a:97: + cb:cb:0d:8a:3a:5f:fe:6b:88:8b:28:82:a8:1e:62: + 5c:d9:f4:37:af:25:e3:6b:9e:11:6d:7d:01:b1:8a: + ac:95:fd:f5:5e:b9:c4:ed:d6:39:da:b3:61:e2:d8: + 49:58:df:a5:c5:d0:17:c9:b2:ef:8c:e5:0b:6d:e9: + 26:50:14:a9:02:73:c9:be:72:b6:27:f7:63:c0:8b: + 9b:50:cf:a9:a4:f0:02:43:82:43:06:a9:b1:6d:1f: + da:f1:c2:30:a9:54:d2:a6:5d:bb:72:4d:36:e3:ab: + 
92:e2:84:c4:85:5b:59:6b:1f:98:48:a8:74:27:c0: + 24:e5:81:e1:0b:2e:27:28:0c:c9:b0:6f:6a:46:8d: + 93:5a:ee:2f:3b:60:59:a1:57:4b:3b:dc:d3:dc:75: + 1b:ba:bc:e9:38:bf:99:74:12:85:fe:c0:40:cc:fe: + 04:05:df + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 41:14:32:79:7E:51:BB:07:76:5B:E6:73:F7:B6:09:3C:02:3C:57:C5 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + Policy: 2.23.140.1.2.2 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 24:85:e2:83:95:e5:de:34:a3:b8:83:8e:22:87:23:b1:29:42: + 1b:c8:79:54:6a:e1:74:b1:6b:ef:c5:96:73:73:20:7d:a0:40: + 22:64:83:dd:d3:cd:5c:46:76:19:9f:b3:e8:5d:d6:85:5c:9a: + a4:ff:48:6e:3a:18:4a:a3:85:75:12:d1:85:c2:2c:da:c5:c9: + 3e:0c:26:54:ba:56:41:fa:7d:75:7a:96:68:70:98:fd:04:a6: + ed:25:35:60:a7:82:ed:cd:56:05:87:60:e2:03:57:01:28:ef: + 16:14:3e:a0:df:03:12:9b:cc:f5:dd:8c:c9:9f:cd:13:62:96: + 48:67:63:a6:93:0e:c6:6b:ce:71:af:18:01:29:82:9f:4d:d9: + 67:cc:3a:6e:e0:fe:2f:01:88:63:5e:c7:b1:ae:1d:a8:b2:32: + ca:ab:7f:bf:51:79:8c:8c:8b:1c:a7:3a:21:de:8d:cb:1c:3e: + f6:76:2c:cf:60:5c:06:a0:26:39:52:65:0c:bb:85:e9:d2:80: + 75:f4:2c:bc:2c:ef:5d:a3:b4:93:6e:97:78:5c:5d:9d:71:16: + 6c:29:ce:9c:0c:5b:ec:52:21:1b:77:f7:73:5e:81:80:12:3f: + 90:c6:b4:46:a5:78:dc:61:4f:0a:7a:c2:a1:57:8a:2e:cb:54: + 19:ec:71:9c:d6:12:cb:a3:56:b2:6f:46:ea:ac:ad:88:1e:96: + 65:54:17:32:69:de:84:48:76:2e:0f:4e:28:fa:07:ae:f9:50: + a4:22:6f:fc:79:72:dd:fa:94:36:5c:9c:c2:a0:31:8a:9a:1d: + 
8e:ab:92:23:80:35:46:1a:f4:19:4d:fa:7f:8a:fc:5e:d0:c4: + 1c:ba:53:35:21:2c:bb:ac:0d:f2:de:49:0c:c6:53:04:78:d5: + bc:fa:69:5d:27:01:f7:05:31:cc:ef:cc:e9:a6:88:5a:66:9a: + a6:ae:56:13:7c:88:1b:60:90:37:c2:bd:04:44:7d:0e:43:92: + ed:24:29:59:82:18:62:d1:a0:25:71:93:fe:6c:f0:48:3f:21: + 2f:6e:06:20:6a:b1:64:6f:1e:18:72:f0:3a:32:e4:c6:0e:f0: + 82:19:f7:41:a6:1e:1d:b1:38:67:f6:72:f7:0f:34:8e:6e:7b: + ea:7e:3f:a8:ce:d5:10:93:a1:c6:51:48:da:5d:58:12:0b:c9: + c0:eb:d8:29:21:3b:42:68:13:75:f3:2f:0c:35:24:7b:d5:79: + 73:cf:d5:d9:87:c0:35:7e:5c:94:f6:91:cd:73:36:b6:42:ed: + 6e:32:6a:ce:07:5a:6e:d2:b6:d2:2c:b8:37:3a:d9:09:fe:59: + b3:0f:22:d2:80:9f:a1:14 +-----BEGIN CERTIFICATE----- +MIIGfDCCBGSgAwIBAgIQM3URw6QP7JhEPTukgvU9xjANBgkqhkiG9w0BAQsFADBI +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEnMCUGA1UEAxMeRmFrZSBS +b290IENBIGZvciB6bGludCB0ZXN0aW5nMB4XDTI0MDUyNDA0MTIwMVoXDTI5MDUy +MzA0MTIwMVowcDELMAkGA1UEBhMCWFgxEzARBgNVBAgTClNvbWUgU3RhdGUxFjAU +BgNVBAcTDVNvbWUgTG9jYWxpdHkxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMT +GUZha2UgQ0EgZm9yIHpsaW50IHRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQDGtGkyIurjKjpGD597/3bGOSmbGdnTnLjB9ANvn4fSaRmpFT8t +R0fW6sHcX/Z2ScTAvcLzV9qTqWXfCTX4U/i7GpIEq8aQJTRhJq5YVeBwYdcOx94O +idkPyi7MOplCUU1JvhaDnbeAJs/1vdjNUKYsguZTXitd6BIW4+H/uD+7Od1IFRnf +FGDhVI4dT9+iKV6JfPtYGeDSWMd5XrAUkAkX9iwREDrCus46k4WDQTqoEwG5SzMJ +q0tKmudPJDbJ9h88uKjb0ZM39idnBQtAemSW7DpLsmb0wTfimanQvB7GsARDN1JT +ICebC0MHDw85zEcn6IrsXtP39bHMRUqU2yIdnpJdDs2N+xqrwMIYHx8zKj6S+bhJ +e5asna+ARcsNZvLmJuoIJL+CH1pS6YvY6fEq2igCrgUHW6a3Ge+32BbmiNYD8cnP +ew9Z1TPLrxiKpLKgDHj9fVBal8vLDYo6X/5riIsogqgeYlzZ9DevJeNrnhFtfQGx +iqyV/fVeucTt1jnas2Hi2ElY36XF0BfJsu+M5Qtt6SZQFKkCc8m+crYn92PAi5tQ +z6mk8AJDgkMGqbFtH9rxwjCpVNKmXbtyTTbjq5LihMSFW1lrH5hIqHQnwCTlgeEL +LicoDMmwb2pGjZNa7i87YFmhV0s73NPcdRu6vOk4v5l0EoX+wEDM/gQF3wIDAQAB +o4IBODCCATQwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRBFDJ5flG7B3Zb5nP3 +tgk8AjxXxTAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEF 
+BQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9v +Y3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAd +BgNVHSAEFjAUMAgGBmeBDAECATAIBgZngQwBAgIwLQYDVR0fBCYwJDAioCCgHoYc +aHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAgEA +JIXig5Xl3jSjuIOOIocjsSlCG8h5VGrhdLFr78WWc3MgfaBAImSD3dPNXEZ2GZ+z +6F3WhVyapP9IbjoYSqOFdRLRhcIs2sXJPgwmVLpWQfp9dXqWaHCY/QSm7SU1YKeC +7c1WBYdg4gNXASjvFhQ+oN8DEpvM9d2MyZ/NE2KWSGdjppMOxmvOca8YASmCn03Z +Z8w6buD+LwGIY17Hsa4dqLIyyqt/v1F5jIyLHKc6Id6Nyxw+9nYsz2BcBqAmOVJl +DLuF6dKAdfQsvCzvXaO0k26XeFxdnXEWbCnOnAxb7FIhG3f3c16BgBI/kMa0RqV4 +3GFPCnrCoVeKLstUGexxnNYSy6NWsm9G6qytiB6WZVQXMmnehEh2Lg9OKPoHrvlQ +pCJv/Hly3fqUNlycwqAxipodjquSI4A1Rhr0GU36f4r8XtDEHLpTNSEsu6wN8t5J +DMZTBHjVvPppXScB9wUxzO/M6aaIWmaapq5WE3yIG2CQN8K9BER9DkOS7SQpWYIY +YtGgJXGT/mzwSD8hL24GIGqxZG8eGHLwOjLkxg7wghn3QaYeHbE4Z/Zy9w80jm57 +6n4/qM7VEJOhxlFI2l1YEgvJwOvYKSE7QmgTdfMvDDUke9V5c8/V2YfANX5clPaR +zXM2tkLtbjJqzgdabtK20iy4NzrZCf5Zsw8i0oCfoRQ= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgunit_in_ca_ok3.pem b/v3/testdata/orgunit_in_ca_ok3.pem new file mode 100644 index 000000000..61fcea38d --- /dev/null +++ b/v3/testdata/orgunit_in_ca_ok3.pem 
@@ -0,0 +1,140 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + be:4d:f0:7e:b4:4e:12:a3:9f:3f:71:0c:9c:10:60:4e + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Apr 23 00:00:00 2022 GMT + Not After : Apr 22 00:00:00 2027 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, OU = Some Department, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:e4:0e:2d:27:b4:f2:50:7a:ff:78:e4:b0:6d:eb: + 03:af:34:b2:20:37:01:72:81:6b:7b:ac:40:3f:20: + c5:93:a3:e6:e3:c7:a0:33:68:24:1e:ad:31:de:d6: + e7:25:bb:d4:43:e7:95:87:d2:67:e3:8c:21:d0:ab: + e2:9c:e6:47:0b:91:2d:83:c1:c3:1b:68:85:88:07: + e5:9d:40:b9:17:84:c1:fb:37:8e:47:2a:cd:38:95: + 93:95:18:02:4d:90:52:1b:14:4d:4a:67:8d:fe:85: + 69:d1:60:63:bf:54:40:a9:7e:6c:df:9b:76:33:28: + b1:d9:51:b9:28:b5:db:b7:6f:dd:16:72:98:6f:59: + 3c:02:a7:fb:64:72:b1:23:e5:b2:fd:9d:a7:39:32: + e1:e0:36:a7:de:b0:70:28:46:76:36:27:65:ff:3d: + 49:db:09:ce:54:48:5b:2e:ac:31:46:40:33:1e:db: + f9:10:a4:19:d4:78:b4:81:e0:ee:aa:76:0b:a7:f0: + 32:be:f4:c1:b2:a5:dc:cb:69:45:a4:ed:34:be:80: + 67:f0:17:5f:0c:b8:94:74:a3:23:47:16:52:f9:e2: + a3:04:70:5b:1d:f1:a0:23:e5:a8:d7:53:ac:eb:5c: + 3c:94:ce:1e:24:db:8f:99:b9:a9:19:49:20:bd:a2: + 9e:b9:8e:68:cb:fd:19:a2:e6:7e:46:f0:d9:7d:b3: + 84:7b:c4:51:12:94:14:5d:a1:53:f4:21:51:52:df: + 3b:3c:70:62:d5:82:53:9b:74:ca:2a:5f:be:f3:09: + db:e9:86:94:f1:6f:cf:3c:c5:61:2b:a2:d0:90:b4: + 80:dd:45:54:b5:ba:a6:c2:a3:fe:7f:66:26:bd:dd: + c9:be:74:06:23:a9:e4:25:6f:05:8b:84:cb:50:ab: + c6:b0:ee:86:d8:4a:ce:d2:ff:f5:1e:c5:50:78:e1: + 0e:b0:6d:1e:60:bc:fd:16:16:2f:7f:1d:6b:fc:b5: + 5b:27:17:86:26:b0:08:49:85:ea:f9:35:fb:00:04: + be:72:fd:36:fe:e2:5b:9c:ea:3a:e4:02:04:fe:3f: + f3:d1:71:fc:de:c7:f2:c6:76:9e:e4:80:4f:41:c4: + 29:5a:d0:6f:11:24:89:a4:46:f0:c4:68:f7:c0:8a: + ad:12:fc:bb:65:d8:fe:73:d1:79:76:33:42:cf:8f: + 
6a:e6:c4:44:d4:56:44:82:e5:dd:37:cd:cd:23:f6: + 9d:bc:24:80:e2:b0:e2:a1:8b:a3:a1:7e:eb:71:2c: + 4a:ed:b5:c1:f3:d1:62:d5:6f:31:da:41:6f:d3:e8: + 98:b9:d4:13:1f:68:e0:0d:7a:5c:e5:b8:64:0d:09: + 4a:44:e7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 02:D4:2D:4C:03:F1:75:0E:F7:81:A7:55:EB:FC:B5:CB:0F:4E:27:6D + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 4e:44:49:50:9a:ad:35:b9:59:50:00:55:50:81:97:7a:66:d9: + c5:15:a7:9f:18:8d:0b:26:08:3d:3d:40:72:bd:0d:be:b1:37: + 6d:83:2b:3f:c7:28:ef:0d:a8:7c:59:6f:b9:27:65:6b:62:42: + 8e:fd:04:b1:34:11:f0:d2:91:29:c0:ad:d7:6c:85:d4:e0:72: + 3b:f7:29:37:8b:99:dc:46:b6:24:35:53:f2:4a:45:24:e0:e7: + 80:a8:9c:02:26:c9:19:31:4a:57:4a:40:5c:a3:57:20:df:1c: + bb:30:76:4d:2c:f2:82:80:44:8c:e3:53:4b:a8:33:2a:22:17: + 7c:26:6a:28:5c:28:72:d6:d0:43:45:b6:1b:51:91:0b:ca:49: + 77:79:fa:ef:ed:92:55:0b:05:22:53:a2:dc:2f:97:86:d4:bd: + e1:35:a8:89:5e:56:fe:d6:e4:2e:ff:5c:ca:37:4d:4b:0b:77: + 63:ac:ad:78:62:76:75:b6:ee:42:c8:23:6a:1f:9c:5e:82:22: + a8:b0:03:1e:7d:85:91:3f:17:50:f3:14:85:a5:44:88:17:81: + c6:fb:08:54:87:7d:7a:70:63:d2:ae:d5:7c:80:36:19:cc:9b: + 55:13:47:28:da:a6:14:fe:e8:0a:55:67:43:9f:7d:ff:55:07: + 59:bd:37:f3:47:88:ad:17:fb:b5:8f:9b:45:3d:c3:b9:fc:80: + 7e:aa:4a:20:d0:ab:2b:25:44:cb:11:27:56:67:73:11:fd:c1: + 5c:e8:fb:f3:f7:25:64:7e:49:d3:06:69:05:6d:9c:64:d3:5c: + 94:f5:a9:b2:f8:74:a3:36:47:9f:17:46:f3:07:6e:06:50:68: + 79:e9:ad:a3:06:13:5b:6c:fd:9d:ab:ea:cb:6a:69:40:63:41: + 
06:d5:22:a2:5c:6b:af:24:c1:f5:d0:0b:33:ce:e9:b0:fb:6c: + d8:ea:c5:0a:55:53:02:07:f5:0e:40:c9:11:cc:95:2b:e4:ea: + 64:1b:00:62:dd:5d:40:d0:08:68:cd:44:9d:40:9e:4a:59:9c: + d2:67:54:2d:bd:20:b5:7b:ab:a9:af:7e:31:09:07:12:75:83: + 6c:d3:53:ff:0f:2e:98:70:7b:6c:b8:6d:dc:68:f8:bc:a7:e0: + 78:84:e2:43:3e:7f:8f:30:c6:61:6e:6f:e2:f0:63:42:86:17: + 75:b8:49:e3:16:78:e5:f0:0b:8b:dd:60:8f:26:05:47:f3:5f: + cc:b4:c1:37:ec:bf:1b:d3:a4:bb:ef:d9:c9:1e:f8:4b:e4:bb: + 61:11:8e:b1:d2:cb:d0:c3:44:cb:90:46:6b:bb:bc:be:95:82: + c1:14:88:b3:a0:01:d5:b7 +-----BEGIN CERTIFICATE----- +MIIGbTCCBFWgAwIBAgIRAL5N8H60ThKjnz9xDJwQYE4wDQYJKoZIhvcNAQELBQAw +SDELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExJzAlBgNVBAMTHkZha2Ug +Um9vdCBDQSBmb3IgemxpbnQgdGVzdGluZzAeFw0yMjA0MjMwMDAwMDBaFw0yNzA0 +MjIwMDAwMDBaMIGKMQswCQYDVQQGEwJYWDETMBEGA1UECBMKU29tZSBTdGF0ZTEW +MBQGA1UEBxMNU29tZSBMb2NhbGl0eTEQMA4GA1UEChMHU29tZSBDQTEYMBYGA1UE +CxMPU29tZSBEZXBhcnRtZW50MSIwIAYDVQQDExlGYWtlIENBIGZvciB6bGludCB0 +ZXN0aW5nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5A4tJ7TyUHr/ +eOSwbesDrzSyIDcBcoFre6xAPyDFk6Pm48egM2gkHq0x3tbnJbvUQ+eVh9Jn44wh +0KvinOZHC5Etg8HDG2iFiAflnUC5F4TB+zeORyrNOJWTlRgCTZBSGxRNSmeN/oVp +0WBjv1RAqX5s35t2Myix2VG5KLXbt2/dFnKYb1k8Aqf7ZHKxI+Wy/Z2nOTLh4Dan +3rBwKEZ2Nidl/z1J2wnOVEhbLqwxRkAzHtv5EKQZ1Hi0geDuqnYLp/AyvvTBsqXc +y2lFpO00voBn8BdfDLiUdKMjRxZS+eKjBHBbHfGgI+Wo11Os61w8lM4eJNuPmbmp +GUkgvaKeuY5oy/0ZouZ+RvDZfbOEe8RREpQUXaFT9CFRUt87PHBi1YJTm3TKKl++ +8wnb6YaU8W/PPMVhK6LQkLSA3UVUtbqmwqP+f2Ymvd3JvnQGI6nkJW8Fi4TLUKvG +sO6G2ErO0v/1HsVQeOEOsG0eYLz9FhYvfx1r/LVbJxeGJrAISYXq+TX7AAS+cv02 +/uJbnOo65AIE/j/z0XH83sfyxnae5IBPQcQpWtBvESSJpEbwxGj3wIqtEvy7Zdj+ +c9F5djNCz49q5sRE1FZEguXdN83NI/advCSA4rDioYujoX7rcSxK7bXB89Fi1W8x +2kFv0+iYudQTH2jgDXpc5bhkDQlKROcCAwEAAaOCAQ0wggEJMA4GA1UdDwEB/wQE +AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQC1C1MA/F1DveBp1Xr/LXL +D04nbTAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEFBQcB +AQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9vY3Nw 
+MCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDARBgNV +HSAECjAIMAYGBFUdIAAwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAgEATkRJUJqtNblZUABVUIGX +embZxRWnnxiNCyYIPT1Acr0NvrE3bYMrP8co7w2ofFlvuSdla2JCjv0EsTQR8NKR +KcCt12yF1OByO/cpN4uZ3Ea2JDVT8kpFJODngKicAibJGTFKV0pAXKNXIN8cuzB2 +TSzygoBEjONTS6gzKiIXfCZqKFwoctbQQ0W2G1GRC8pJd3n67+2SVQsFIlOi3C+X +htS94TWoiV5W/tbkLv9cyjdNSwt3Y6yteGJ2dbbuQsgjah+cXoIiqLADHn2FkT8X +UPMUhaVEiBeBxvsIVId9enBj0q7VfIA2GcybVRNHKNqmFP7oClVnQ599/1UHWb03 +80eIrRf7tY+bRT3DufyAfqpKINCrKyVEyxEnVmdzEf3BXOj78/clZH5J0wZpBW2c +ZNNclPWpsvh0ozZHnxdG8wduBlBoeemtowYTW2z9navqy2ppQGNBBtUiolxrryTB +9dALM87psPts2OrFClVTAgf1DkDJEcyVK+TqZBsAYt1dQNAIaM1EnUCeSlmc0mdU +Lb0gtXurqa9+MQkHEnWDbNNT/w8umHB7bLht3Gj4vKfgeITiQz5/jzDGYW5v4vBj +QoYXdbhJ4xZ45fALi91gjyYFR/NfzLTBN+y/G9Oku+/ZyR74S+S7YRGOsdLL0MNE +y5BGa7u8vpWCwRSIs6AB1bc= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgunit_in_ca_ok4.pem b/v3/testdata/orgunit_in_ca_ok4.pem new file mode 100644 index 000000000..3267e1c24 --- /dev/null +++ b/v3/testdata/orgunit_in_ca_ok4.pem 
@@ -0,0 +1,142 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4f:5a:a5:a9:90:c8:26:0d:1f:b1:84:99:a5:96:f1:90 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Nov 19 00:00:00 2023 GMT + Not After : Nov 17 00:00:00 2028 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, OU = Some Department, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:b6:fd:a9:6d:3a:3f:28:d4:b7:de:de:7b:40:7b: + 4a:2b:3b:5e:a8:5a:e8:bb:09:cd:8d:0c:fa:8d:db: + e7:e0:c1:9e:90:ab:5f:c3:54:d3:ee:ec:76:ef:ba: + 03:b4:01:ac:82:23:12:34:df:15:32:a8:02:5f:0d: + 69:27:1e:79:4c:42:67:1f:12:5e:c4:12:cf:fd:b2: + a1:2e:ca:57:d6:f8:83:e9:33:0b:af:85:41:75:95: + 2c:11:18:a5:51:4f:bb:03:b2:46:01:e8:79:0b:ab: + 02:fd:18:37:b8:20:28:ad:bd:e8:e3:bf:27:58:ff: + c3:7c:c5:fa:0f:50:0b:3d:29:5f:ec:75:5e:13:6c: + 4f:42:64:6e:92:3e:07:87:db:d9:21:78:53:d3:d4: + a4:c6:e6:62:9b:cc:b3:4e:db:df:de:4a:da:70:47: + 2a:25:cf:da:2e:93:03:19:eb:0e:f2:fc:d3:84:02: + a1:43:81:75:1e:cb:a0:94:32:92:72:19:1b:84:37: + a2:5d:87:08:a9:d8:61:c7:7a:5c:1a:7f:08:21:bd: + 1d:b2:0c:07:28:dc:1f:c7:3a:18:a5:8f:a0:90:53: + 1c:a0:3f:06:37:a4:0e:33:53:79:8b:88:3c:36:96: + ff:e3:f6:e0:e2:09:1a:5e:fb:29:d6:f5:35:4d:3d: + b1:41:69:71:4e:80:12:ed:89:6b:6c:c7:ff:64:02: + 51:28:9b:26:cc:1b:3d:03:53:ab:c6:a6:87:14:5f: + ea:29:3c:89:b8:49:3f:9f:7a:b5:e4:d1:bc:b4:0e: + 7b:7f:e1:b4:46:9b:40:ad:d1:4d:cf:28:c9:82:03: + d6:4f:b1:25:10:d2:ec:83:07:c6:d1:d4:03:ca:b3: + f5:e4:1a:b1:f7:f1:40:03:23:9e:73:9e:f5:ba:c7: + 65:7d:7b:61:77:9d:25:28:fe:a9:a0:8a:03:07:df: + 72:e4:07:61:db:89:d5:de:1e:f7:0b:85:7e:23:05: + d3:96:f9:8c:24:42:69:36:7f:f8:30:df:e6:99:29: + 8c:29:19:41:b6:0c:64:ac:1b:3b:10:32:b9:8f:12: + 01:2c:7f:7b:f3:7a:bd:7e:2a:65:75:29:6a:b7:c2: + b0:74:f2:80:f3:0f:43:3c:50:98:b2:e8:36:e1:0b: + e6:f7:9d:90:c8:7b:80:c3:60:e2:f3:ec:a0:04:83: + 
7a:a2:17:16:bb:7e:a6:9f:98:1c:99:c7:05:15:5d: + bb:2a:7e:74:e0:07:8e:95:f7:7b:61:da:99:8f:e9: + 42:93:8b:28:6f:77:f5:d7:31:49:19:bf:2b:c4:ac: + f5:72:8d:77:96:dc:ea:ec:3a:3f:2b:d4:1f:89:07: + 14:47:87 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, E-mail Protection + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 13:4F:0B:AC:7A:3B:90:09:EE:E4:23:26:54:57:88:23:22:89:B8:1F + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 2d:b7:bb:f6:8f:b6:63:2e:e1:b6:97:9e:81:22:33:32:3c:03: + f3:6c:14:1d:c1:44:7f:34:30:e5:01:47:5d:d2:b3:9d:34:cb: + 41:99:b2:c2:93:bc:5b:66:5e:99:08:f3:25:38:bf:1c:57:c8: + 2e:14:20:d8:6f:97:8c:f6:3c:b3:8a:53:e1:24:a4:c3:f8:38: + 1b:37:08:41:df:0d:1a:96:05:6f:15:12:a5:cf:4d:f0:08:4a: + 78:be:d1:c3:db:3c:de:e1:e7:91:a0:31:85:40:8c:ba:ab:c8: + a2:16:86:c7:0c:64:81:d4:c1:6d:e0:c3:64:83:c8:3a:04:17: + ab:6e:13:a1:f8:8d:e1:12:cf:f1:33:22:29:52:e0:a4:85:4e: + 69:97:45:8a:3f:75:4e:d3:4d:8f:18:f8:75:a2:6d:12:26:17: + 69:a4:c4:12:d3:c9:aa:cb:02:b6:aa:e8:1a:35:86:81:8d:cf: + 5f:41:e7:f0:e4:a8:fb:d4:35:51:8b:c5:4c:e8:a6:6a:28:a3: + ae:c9:db:16:e2:a4:aa:1e:52:83:50:b4:49:60:c7:71:4a:be: + 2b:11:33:75:fe:18:b6:37:36:c4:b5:d2:66:18:bd:ac:39:b8: + 3d:26:ad:93:53:dc:c0:be:0c:58:4d:e7:eb:ca:eb:27:13:ed: + 30:e2:35:83:30:61:c5:6c:58:1b:e2:7e:23:af:c3:25:b4:c8: + bc:fc:26:66:3a:a1:13:87:9b:94:c6:08:94:e5:80:a8:61:dc: + a5:93:7c:58:db:3b:89:b4:39:bb:fa:c0:50:36:a3:84:29:90: + e8:e7:63:39:2b:f1:d9:61:fb:29:09:09:32:e4:ce:30:b4:30: + 
0d:a1:01:03:89:90:73:88:a5:e9:69:27:2e:d5:50:04:d9:aa: + 77:74:64:75:bb:3e:09:6c:2c:76:03:ad:49:69:24:57:ed:85: + 86:82:f4:8e:43:07:0e:67:b4:33:3b:af:c7:66:81:41:57:90: + 0d:c2:af:49:da:48:49:30:00:57:f8:32:ff:d0:6c:f2:fa:ea: + 5d:4e:0a:71:5a:d5:22:0a:65:78:72:28:64:6a:6d:bb:7a:72: + 84:af:05:92:35:d5:98:90:bd:3c:77:e6:32:cb:c4:a3:d9:a0: + 6b:cf:c5:f0:78:80:ac:4a:d5:05:e6:25:5c:68:9f:e2:ca:87: + 72:0d:e1:84:bd:10:46:dc:d8:8d:2d:5c:a6:13:d4:f6:0c:75: + fe:2e:3d:9e:c8:71:52:3b:28:b6:6a:2d:b2:28:f4:86:9f:b1: + 0e:16:4a:24:7a:4d:ba:ce:95:0b:e3:c8:6d:b6:cd:e6:c0:bd: + 5d:0b:59:b6:5d:f8:be:5d +-----BEGIN CERTIFICATE----- +MIIGizCCBHOgAwIBAgIQT1qlqZDIJg0fsYSZpZbxkDANBgkqhkiG9w0BAQsFADBI +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEnMCUGA1UEAxMeRmFrZSBS +b290IENBIGZvciB6bGludCB0ZXN0aW5nMB4XDTIzMTExOTAwMDAwMFoXDTI4MTEx +NzAwMDAwMFowgYoxCzAJBgNVBAYTAlhYMRMwEQYDVQQIEwpTb21lIFN0YXRlMRYw +FAYDVQQHEw1Tb21lIExvY2FsaXR5MRAwDgYDVQQKEwdTb21lIENBMRgwFgYDVQQL +Ew9Tb21lIERlcGFydG1lbnQxIjAgBgNVBAMTGUZha2UgQ0EgZm9yIHpsaW50IHRl +c3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2/altOj8o1Lfe +3ntAe0orO16oWui7Cc2NDPqN2+fgwZ6Qq1/DVNPu7HbvugO0AayCIxI03xUyqAJf +DWknHnlMQmcfEl7EEs/9sqEuylfW+IPpMwuvhUF1lSwRGKVRT7sDskYB6HkLqwL9 +GDe4ICitvejjvydY/8N8xfoPUAs9KV/sdV4TbE9CZG6SPgeH29kheFPT1KTG5mKb +zLNO29/eStpwRyolz9oukwMZ6w7y/NOEAqFDgXUey6CUMpJyGRuEN6Jdhwip2GHH +elwafwghvR2yDAco3B/HOhilj6CQUxygPwY3pA4zU3mLiDw2lv/j9uDiCRpe+ynW +9TVNPbFBaXFOgBLtiWtsx/9kAlEomybMGz0DU6vGpocUX+opPIm4ST+ferXk0by0 +Dnt/4bRGm0Ct0U3PKMmCA9ZPsSUQ0uyDB8bR1APKs/XkGrH38UADI55znvW6x2V9 +e2F3nSUo/qmgigMH33LkB2HbidXeHvcLhX4jBdOW+YwkQmk2f/gw3+aZKYwpGUG2 +DGSsGzsQMrmPEgEsf3vzer1+KmV1KWq3wrB08oDzD0M8UJiy6DbhC+b3nZDIe4DD +YOLz7KAEg3qiFxa7fqafmByZxwUVXbsqfnTgB46V93th2pmP6UKTiyhvd/XXMUkZ +vyvErPVyjXeW3OrsOj8r1B+JBxRHhwIDAQABo4IBLDCCASgwDgYDVR0PAQH/BAQD +AgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAPBgNVHRMBAf8EBTAD +AQH/MB0GA1UdDgQWBBQTTwusejuQCe7kIyZUV4gjIom4HzAfBgNVHSMEGDAWgBTo 
+tvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGG +HWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRw +Oi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDARBgNVHSAECjAIMAYGBFUdIAAwLQYD +VR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDANBgkq +hkiG9w0BAQsFAAOCAgEALbe79o+2Yy7htpeegSIzMjwD82wUHcFEfzQw5QFHXdKz +nTTLQZmywpO8W2ZemQjzJTi/HFfILhQg2G+XjPY8s4pT4SSkw/g4GzcIQd8NGpYF +bxUSpc9N8AhKeL7Rw9s83uHnkaAxhUCMuqvIohaGxwxkgdTBbeDDZIPIOgQXq24T +ofiN4RLP8TMiKVLgpIVOaZdFij91TtNNjxj4daJtEiYXaaTEEtPJqssCtqroGjWG +gY3PX0Hn8OSo+9Q1UYvFTOimaiijrsnbFuKkqh5Sg1C0SWDHcUq+KxEzdf4Ytjc2 +xLXSZhi9rDm4PSatk1PcwL4MWE3n68rrJxPtMOI1gzBhxWxYG+J+I6/DJbTIvPwm +ZjqhE4eblMYIlOWAqGHcpZN8WNs7ibQ5u/rAUDajhCmQ6OdjOSvx2WH7KQkJMuTO +MLQwDaEBA4mQc4il6WknLtVQBNmqd3Rkdbs+CWwsdgOtSWkkV+2FhoL0jkMHDme0 +Mzuvx2aBQVeQDcKvSdpISTAAV/gy/9Bs8vrqXU4KcVrVIgpleHIoZGptu3pyhK8F +kjXVmJC9PHfmMsvEo9mga8/F8HiArErVBeYlXGif4sqHcg3hhL0QRtzYjS1cphPU +9gx1/i49nshxUjsotmotsij0hp+xDhZKJHpNus6VC+PIbbbN5sC9XQtZtl34vl0= +-----END CERTIFICATE----- From 015d2202056a6a35a3c2e4555426b942a50e1c23 Mon Sep 17 00:00:00 2001 
From: Adriano Santoni Date: Sun, 14 Jul 2024 19:02:17 +0200 Subject: [PATCH 6/9] Add lint to check for a valid business category in EV certificates (#830) * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Update lint_invalid_subject_rdn_order_test.go Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment * Update lint_invalid_subject_rdn_order.go Fixed import block * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go Fine to me. Co-authored-by: Christopher Henderson * Update lint_invalid_subject_rdn_order.go As per Chris Henderson's suggestion, to "improve readability". * Update lint_invalid_subject_rdn_order_test.go As per Chris Henderson's suggestion. * Update time.go Added CABFEV_Sec9_2_8_Date * Add files via upload * Add files via upload * Revised according to Chris and Corey suggestions * Add files via upload * Add files via upload * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go * Delete v3/testdata/invalid_cps_uri_ko_01.pem * Delete v3/testdata/invalid_cps_uri_ko_02.pem * Delete v3/testdata/invalid_cps_uri_ko_03.pem * Delete v3/testdata/invalid_cps_uri_ok_01.pem * Delete v3/testdata/invalid_cps_uri_ok_02.pem * Delete v3/testdata/invalid_cps_uri_ok_03.pem * Add files via upload * Add files via upload * Add files via upload * Update lint_ev_invalid_business_category.go * Add files via upload * Add files via upload * Set correct Error Count for new lint * Update config.json * Update config.json * Delete v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go * Delete v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go * Delete v3/testdata/orgid_subj_and_ext_ko_01.pem * Delete v3/testdata/orgid_subj_and_ext_ko_02.pem * Delete v3/testdata/orgid_subj_and_ext_ko_03.pem * Delete v3/testdata/orgid_subj_and_ext_ok_01.pem * Delete v3/testdata/orgid_subj_and_ext_ok_02.pem * Delete 
v3/testdata/orgid_subj_and_ext_ok_03.pem * Delete v3/testdata/orgid_subj_and_ext_ok_04.pem * Delete v3/testdata/orgid_subj_and_ext_ok_05.pem * Update time.go * Update v3/lints/cabf_ev/lint_ev_invalid_business_category.go Co-authored-by: Martijn Katerbarg * Add files via upload * Update lint_ev_invalid_business_category.go * Update config.json --------- Co-authored-by: Christopher Henderson Co-authored-by: Martijn Katerbarg --- v3/integration/config.json | 3 + .../lint_ev_invalid_business_category.go | 69 ++++++++++++ .../lint_ev_invalid_business_category_test.go | 88 +++++++++++++++ v3/testdata/invalid_business_cat_ko_01.pem | 101 +++++++++++++++++ v3/testdata/invalid_business_cat_ko_02.pem | 102 ++++++++++++++++++ v3/testdata/invalid_business_cat_ok_01.pem | 102 ++++++++++++++++++ v3/testdata/invalid_business_cat_ok_02.pem | 101 +++++++++++++++++ v3/testdata/invalid_business_cat_ok_03.pem | 101 +++++++++++++++++ v3/testdata/invalid_business_cat_ok_04.pem | 101 +++++++++++++++++ v3/testdata/invalid_business_cat_ok_05.pem | 101 +++++++++++++++++ v3/testdata/invalid_business_cat_ok_06.pem | 102 ++++++++++++++++++ 11 files changed, 971 insertions(+) create mode 100644 v3/lints/cabf_ev/lint_ev_invalid_business_category.go create mode 100644 v3/lints/cabf_ev/lint_ev_invalid_business_category_test.go create mode 100644 v3/testdata/invalid_business_cat_ko_01.pem create mode 100644 v3/testdata/invalid_business_cat_ko_02.pem create mode 100644 v3/testdata/invalid_business_cat_ok_01.pem create mode 100644 v3/testdata/invalid_business_cat_ok_02.pem create mode 100644 v3/testdata/invalid_business_cat_ok_03.pem create mode 100644 v3/testdata/invalid_business_cat_ok_04.pem create mode 100644 v3/testdata/invalid_business_cat_ok_05.pem create mode 100644 v3/testdata/invalid_business_cat_ok_06.pem diff --git a/v3/integration/config.json b/v3/integration/config.json index 52343e4ff..c6a4baee9 100644 --- a/v3/integration/config.json +++ b/v3/integration/config.json 
@@ -426,6 +426,9 @@
 "ErrCount": 2
 },
 "e_ev_country_name_missing": {},
+ "e_ev_invalid_business_category": {
+ "ErrCount": 10957
+ },
 "e_ev_not_wildcard": {
 "ErrCount": 1
 },
diff --git a/v3/lints/cabf_ev/lint_ev_invalid_business_category.go b/v3/lints/cabf_ev/lint_ev_invalid_business_category.go
new file mode 100644
index 000000000..9e57c207d
--- /dev/null
+++ b/v3/lints/cabf_ev/lint_ev_invalid_business_category.go
@@ -0,0 +1,69 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_ev
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ev_invalid_business_category",
+ Description: "Checks that businessCategory contains a valid value as per EV Guidelines 7.1.4.2.3",
+ Citation: "EVGs 7.1.4.2.3",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewInvalidBusinessCategory,
+ })
+}
+
+type invalidBusinessCategory struct{}
+
+func NewInvalidBusinessCategory() lint.LintInterface {
+ return &invalidBusinessCategory{}
+}
+
+func (l *invalidBusinessCategory) CheckApplies(c *x509.Certificate) bool {
+ return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
+}
+
+func (l *invalidBusinessCategory) Execute(c *x509.Certificate) *lint.LintResult {
+
+ for _, v := range c.Subject.Names {
+ if util.BusinessOID.Equal(v.Type) {
+ businessCategory := v.Value
+ if (businessCategory == "Private Organization") ||
+ (businessCategory == "Government Entity") ||
+ (businessCategory == "Business Entity") ||
+ (businessCategory == "Non-Commercial Entity") {
+ return &lint.LintResult{Status: lint.Pass}
+ } else {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ }
+
+ // businessCategory missing: that's an error, but is not this lint's business
+ return &lint.LintResult{Status: lint.NA}
+}
diff --git a/v3/lints/cabf_ev/lint_ev_invalid_business_category_test.go b/v3/lints/cabf_ev/lint_ev_invalid_business_category_test.go
new file mode 100644
index 000000000..7b708e1dc
--- /dev/null
+++ b/v3/lints/cabf_ev/lint_ev_invalid_business_category_test.go
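Review bot: The Error result returned inside the loop carries no Details, so a failing certificate reports only the lint name and whoever triages it has to re-parse the subject to find the rejected value; `return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("businessCategory %q is not a value permitted by EVG 7.1.4.2.3", businessCategory)}` (with `"fmt"` added to the import block) would make that immediate. The `else` branch follows a terminating `return`, so the Pass return can stand alone and the Error return can follow it without the extra nesting. Only the first businessCategory attribute in the subject is inspected and any further one is silently ignored, which may be intended but deserves a comment on the loop such as `// Only the first businessCategory attribute is evaluated.`. The exported constructor `NewInvalidBusinessCategory` has no doc comment; `// NewInvalidBusinessCategory returns the e_ev_invalid_business_category lint.` would satisfy the convention.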
@@ -0,0 +1,88 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ === Pass test cases ===
+ invalid_business_cat_ok_01.pem EV cert with valid businessCategory == "Private Organization"
+ invalid_business_cat_ok_04.pem EV cert with valid businessCategory == "Government Entity"
+ invalid_business_cat_ok_05.pem EV cert with valid businessCategory == "Business Entity"
+ invalid_business_cat_ok_06.pem EV cert with valid businessCategory == "Non‐Commercial Entity"
+
+ === NA test cases ===
+ invalid_business_cat_ok_02.pem EV cert without businessCategory
+ invalid_business_cat_ok_03.pem OV cert with invalid businessCategory
+
+ === Fail test cases ===
+ invalid_business_cat_ko_01.pem EV cert with slightly invalid businessCategory
+ invalid_business_cat_ko_02.pem EV cert with grossly invalid businessCategory
+*/
+
+package cabf_ev
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestInvalidBusinessCategory(t *testing.T) {
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+ data := []Data{
+ {
+ input: "invalid_business_cat_ok_01.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_business_cat_ok_04.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_business_cat_ok_05.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_business_cat_ok_06.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_business_cat_ok_02.pem",
+ want: lint.NA,
+ },
+ {
+ input: "invalid_business_cat_ok_03.pem",
+ want: lint.NA,
+ },
+ {
+ input: "invalid_business_cat_ko_01.pem",
+ want: lint.Error,
+ },
+ {
+ input: "invalid_business_cat_ko_02.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_ev_invalid_business_category", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
diff --git a/v3/testdata/invalid_business_cat_ko_01.pem b/v3/testdata/invalid_business_cat_ko_01.pem
new file mode 100644
index 000000000..074c0a3d2
--- /dev/null
+++ b/v3/testdata/invalid_business_cat_ko_01.pem
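Review bot: The test-case comment block lists invalid_business_cat_ok_06.pem as `"Non‐Commercial Entity"` with what appears to be a non-ASCII hyphen, whereas the lint compares against the ASCII-hyphen string; since this case is expected to Pass, the certificate presumably carries the ASCII form, so the comment should read `"Non-Commercial Entity"` to avoid misleading anyone who copies the value into new test data. The comment block also leaves the expected status implicit for each file, so a reader has to cross-reference the table below; appending the status to each heading, e.g. `=== Pass test cases (lint.Pass) ===`, keeps the two in step. The ko_01 entry could name what "slightly invalid" means (the subject in the PEM hunk that follows shows `businessCategory = Private Organisation`, a spelling variant), which documents that the comparison is exact rather than fuzzy.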
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2d:b9:12:bb:65:5d:81:3c:72:af:02:67:0f:05:5d:6b + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 11:59:35 2024 GMT + Not After : Apr 9 11:59:35 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organisation + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a3:e5:86:9a:c7:d8:f5:f7:84:22:0e:c7:e2:81: + 64:b3:9f:b6:8b:ab:30:be:50:64:be:60:a3:e5:e1: + 50:dc:36:e3:47:96:05:f0:01:60:9f:ea:de:19:b8: + 7f:8f:30:90:a3:98:8b:2f:d7:7a:f5:0b:30:16:07: + c0:15:54:08:fe:c7:20:41:f6:63:25:54:df:72:7f: + 2f:8f:10:a2:0c:f6:d7:c6:3a:a7:77:20:a1:5c:c1: + 98:fc:42:c4:8a:55:77:fc:b4:52:81:5c:eb:b6:00: + 79:21:ce:a8:7b:66:69:bc:b2:d5:8c:3f:a9:6d:4c: + 1b:6b:e1:85:cb:6f:3e:97:c7:79:f7:e7:00:6d:1a: + ca:98:e4:60:bc:fd:42:81:a9:ae:85:42:b2:1f:c2: + 32:32:5f:00:d2:ab:82:3a:03:52:7f:02:92:df:8b: + de:d1:05:cc:d7:27:2f:77:cd:e2:3e:37:a1:49:0c: + db:57:21:b4:9b:d1:0d:ae:00:e2:2c:d5:73:08:82: + 97:3d:d3:46:bc:4c:19:15:c9:b7:fe:70:95:47:71: + bc:b1:bc:61:22:e1:da:c6:38:fd:9c:f6:fd:bb:87: + ba:4c:94:c0:b9:cc:5d:fe:42:b3:aa:22:cb:bf:87: + e8:94:1e:f1:85:17:39:9c:e1:4c:98:69:94:96:53: + b1:49 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 97:F9:56:33:D9:8E:3E:D8:10:8F:7F:36:04:04:5E:73:04:F4:CE:F5 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 06:3d:2e:1a:b3:ea:07:bc:73:8c:fa:2d:37:ff:b7:93:d8:10: + a2:2e:3a:d7:f4:3a:8e:75:51:56:a2:9a:61:37:7b:15:80:1c: + 31:00:bc:27:35:8d:92:aa:54:5b:13:30:4a:76:65:3b:dd:0b: + 4d:8d:f3:df:76:54:97:fd:ec:e6:14:92:06:91:08:c5:6d:02: + ed:88:aa:c8:30:00:f8:12:9d:f9:4e:bc:f4:de:21:c5:ee:55: + e9:27:43:8c:13:a6:d2:a2:9a:cd:48:aa:e7:64:0a:88:91:78: + ae:f5:de:a2:b9:cd:6a:42:94:00:0c:49:3e:d9:8a:81:25:81: + d7:04:09:07:32:f9:dc:dd:76:e9:3c:1c:d7:65:74:b3:5c:fd: + b8:aa:f2:76:f8:59:97:a0:47:14:e7:8c:5e:ed:fd:af:41:dd: + d6:51:87:1e:0a:a7:35:d6:77:04:42:0a:b7:f2:aa:80:e9:62: + 27:0e:dd:b8:4d:7e:1a:af:75:1c:0a:f0:31:aa:c1:8e:cf:e7: + c6:bd:4a:7c:0a:c2:98:18:2e:a0:8d:76:a6:86:e2:0c:3f:4b: + bf:44:56:cf:2f:ad:02:6a:61:9e:0f:37:8a:91:1a:26:08:ca: + 31:ed:d1:78:fc:cf:fd:49:80:dc:64:fc:c0:53:9d:45:32:f4: + 6f:0d:07:f9 +-----BEGIN CERTIFICATE----- +MIIErDCCA5SgAwIBAgIQLbkSu2VdgTxyrwJnDwVdazANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MDkxMTU5MzVaFw0yNTA0MDkxMTU5 +MzVaMIGoMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pc2F0aW9uMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAo+WGmsfY9feEIg7H4oFks5+2i6swvlBkvmCj5eFQ3Dbj +R5YF8AFgn+reGbh/jzCQo5iLL9d69QswFgfAFVQI/scgQfZjJVTfcn8vjxCiDPbX +xjqndyChXMGY/ELEilV3/LRSgVzrtgB5Ic6oe2ZpvLLVjD+pbUwba+GFy28+l8d5 +9+cAbRrKmORgvP1CgamuhUKyH8IyMl8A0quCOgNSfwKS34ve0QXM1ycvd83iPjeh +SQzbVyG0m9ENrgDiLNVzCIKXPdNGvEwZFcm3/nCVR3G8sbxhIuHaxjj9nPb9u4e6 +TJTAucxd/kKzqiLLv4folB7xhRc5nOFMmGmUllOxSQIDAQABo4IBNDCCATAwDgYD +VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNV 
+HQ4EFgQUl/lWM9mOPtgQj382BARecwT0zvUwHwYDVR0jBBgwFoAU6Lb2dkvQO+VG +pflU1H4Hs94NYD4wZAYIKwYBBQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8v +Y2Euc29tZWNhLWluYy5jb20vb2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNv +bWVjYS1pbmMuY29tL3Jvb3QwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wEgYDVR0g +BAswCTAHBgVngQwBATAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNh +LWluYy5jb20vY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAGPS4as+oHvHOM+i03/7eT +2BCiLjrX9DqOdVFWopphN3sVgBwxALwnNY2SqlRbEzBKdmU73QtNjfPfdlSX/ezm +FJIGkQjFbQLtiKrIMAD4Ep35Trz03iHF7lXpJ0OME6bSoprNSKrnZAqIkXiu9d6i +uc1qQpQADEk+2YqBJYHXBAkHMvnc3XbpPBzXZXSzXP24qvJ2+FmXoEcU54xe7f2v +Qd3WUYceCqc11ncEQgq38qqA6WInDt24TX4ar3UcCvAxqsGOz+fGvUp8CsKYGC6g +jXamhuIMP0u/RFbPL60CamGeDzeKkRomCMox7dF4/M/9SYDcZPzAU51FMvRvDQf5 +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ko_02.pem b/v3/testdata/invalid_business_cat_ko_02.pem new file mode 100644 index 000000000..efc6e93a4 --- /dev/null +++ b/v3/testdata/invalid_business_cat_ko_02.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:ff:07:6c:93:bd:fe:38:fd:d7:97:f0:38:44:a3:41 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 12:02:34 2024 GMT + Not After : Apr 9 12:02:34 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Blasting & Demolition + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:3c:5c:aa:34:5e:88:e2:13:6d:46:11:7b:9b: + 76:b9:44:26:61:ca:a6:63:43:92:4f:3e:73:dd:f2: + 7d:92:ef:80:5f:26:44:ea:1f:69:58:5d:a9:f0:23: + 43:e5:2e:65:e9:2f:d9:5b:53:c9:13:ad:96:28:c6: + c3:6c:71:3c:56:3e:d6:c8:da:2e:a7:07:ca:da:51: + 0d:0f:13:2b:37:5c:1b:32:fd:55:d3:13:fb:83:db: + ca:23:0b:58:a0:ce:86:d1:77:7d:de:26:b1:61:93: + d8:d4:50:c4:63:ae:5e:74:3a:d6:73:a2:53:4c:22: + f0:74:e9:5d:6d:62:5b:be:cf:64:e8:cc:d0:0c:40: + a2:87:e0:af:eb:46:e1:70:91:ed:90:06:d9:8e:df: + 7f:f9:ab:e2:18:17:0a:9c:4a:7a:c1:f7:77:2e:91: + a0:f8:e2:89:d6:d1:46:33:a5:f7:39:1c:34:b3:08: + 04:b3:c7:ff:8d:f4:dc:83:cf:d4:ff:ca:7c:83:c8: + 38:0e:dc:9c:fe:e9:40:ba:86:bd:f0:61:2b:83:e2: + 45:e6:32:b3:40:17:64:0a:ca:be:c8:62:e2:69:af: + d5:28:76:86:d4:b4:19:fb:b9:47:24:18:67:dd:36: + ba:80:de:f6:4c:e8:30:1d:83:ce:d6:5e:d9:e8:e5: + ad:7b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 71:1E:1A:7E:6E:D5:EB:E3:B6:B4:C9:7B:B1:71:69:76:56:44:7E:4E + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 66:3b:aa:ff:45:a3:bf:0c:f0:53:f6:aa:f4:a3:8a:ca:73:1e: + d0:6e:92:63:19:9d:72:02:fe:a9:3c:1c:9e:2c:fb:54:3d:12: + ab:3e:fc:2b:3b:55:9b:3a:a9:97:85:df:a9:5c:b6:50:b8:af: + 52:f1:f7:8b:14:9f:db:87:7b:59:80:47:5d:e0:60:87:e9:1e: + 6c:a4:8a:76:6b:c4:13:e4:6e:55:32:c3:b6:47:d1:eb:cb:09: + 6e:01:54:c4:c2:3d:ea:db:c5:3b:d8:b3:04:42:81:d4:dc:c9: + cf:56:34:e5:d9:dd:01:a0:b4:04:37:e3:66:65:a6:27:a9:e6: + a1:61:e9:c3:94:a5:48:57:f7:7c:d7:7d:f9:e1:fb:6f:9b:65: + f3:3e:5f:86:bb:5a:d2:74:38:2b:23:b8:46:f1:75:50:fa:d0: + e5:e0:9b:35:06:a3:07:25:cd:78:43:30:a2:e0:96:96:93:a0: + 7c:ae:7d:55:34:11:d7:40:fc:2c:5f:eb:77:d6:17:65:cd:b7: + 11:53:b3:54:f0:03:f2:2c:ef:b0:09:b1:18:d5:c5:03:f3:3f: + be:93:33:c3:35:81:52:f1:93:db:01:5e:9b:c9:4e:fd:96:e3: + 73:29:da:44:b6:21:c5:92:27:d1:2d:e6:af:e5:74:e0:0f:76: + a7:a5:b9:d1 +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIQCP8HbJO9/jj915fwOESjQTANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MDkxMjAyMzRaFw0yNTA0MDkxMjAy +MzRaMIGpMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HjAcBgNVBA8MFUJsYXN0aW5nICYgRGVtb2xpdGlvbjCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALw8XKo0XojiE21GEXubdrlEJmHKpmNDkk8+c93yfZLv +gF8mROofaVhdqfAjQ+UuZekv2VtTyROtlijGw2xxPFY+1sjaLqcHytpRDQ8TKzdc +GzL9VdMT+4PbyiMLWKDOhtF3fd4msWGT2NRQxGOuXnQ61nOiU0wi8HTpXW1iW77P +ZOjM0AxAoofgr+tG4XCR7ZAG2Y7ff/mr4hgXCpxKesH3dy6RoPjiidbRRjOl9zkc +NLMIBLPH/4303IPP1P/KfIPIOA7cnP7pQLqGvfBhK4PiReYys0AXZArKvshi4mmv +1Sh2htS0Gfu5RyQYZ902uoDe9kzoMB2DztZe2ejlrXsCAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFHEeGn5u1evjtrTJe7FxaXZWRH5OMB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAZjuq/0WjvwzwU/aq9KOK +ynMe0G6SYxmdcgL+qTwcniz7VD0Sqz78KztVmzqpl4XfqVy2ULivUvH3ixSf24d7 +WYBHXeBgh+kebKSKdmvEE+RuVTLDtkfR68sJbgFUxMI96tvFO9izBEKB1NzJz1Y0 +5dndAaC0BDfjZmWmJ6nmoWHpw5SlSFf3fNd9+eH7b5tl8z5fhrta0nQ4KyO4RvF1 +UPrQ5eCbNQajByXNeEMwouCWlpOgfK59VTQR10D8LF/rd9YXZc23EVOzVPAD8izv +sAmxGNXFA/M/vpMzwzWBUvGT2wFem8lO/ZbjcynaRLYhxZIn0S3mr+V04A92p6W5 +0Q== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_01.pem b/v3/testdata/invalid_business_cat_ok_01.pem new file mode 100644 index 000000000..78e1c92e4 --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_01.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 93:9e:e2:63:3d:b5:42:c6:bd:a4:0b:4a:f3:d9:73:b2 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 11:52:12 2024 GMT + Not After : Apr 9 11:52:12 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d0:20:3d:db:19:c5:19:75:8a:7d:ca:c3:cd:20: + 46:3d:de:f4:bc:c9:4b:e1:37:68:24:0d:9e:ed:6c: + f6:7a:b1:23:95:3b:56:60:75:09:bf:e7:dc:dd:c1: + 78:91:21:d7:dd:07:1b:c9:1e:e3:a3:ba:b9:0f:ee: + 15:84:95:a8:b0:b9:53:45:bc:ff:3d:e2:2a:1e:65: + 0b:59:43:e1:d7:76:7f:4e:e6:91:fb:23:34:6c:23: + 07:3b:45:52:eb:ee:8b:c2:58:ec:57:83:19:b5:dd: + f0:27:98:5d:c0:e4:a1:62:9f:66:a8:83:f1:8c:19: + f3:09:27:ad:93:e7:4a:51:7b:a1:10:48:68:bd:9d: + be:2c:05:0b:87:bb:e3:36:3c:54:b1:4a:85:10:98: + 11:9e:c9:05:b2:c1:d7:4d:e6:d9:9f:6b:b7:87:25: + 83:6e:5f:cb:2a:d1:f0:da:1e:69:fd:bf:1a:e5:af: + 75:0c:d3:ff:86:a6:72:19:a4:3a:15:b1:b6:44:87: + d0:a9:fd:1c:df:84:e0:38:55:74:32:dd:f4:ef:fd: + c2:64:ec:e1:ad:0f:8d:76:36:26:39:b7:cf:3b:ed: + 78:d1:8f:7b:65:42:8a:c5:cb:f8:83:59:6c:48:ff: + a7:f5:5b:c8:da:cb:57:b9:3f:de:9b:5e:f6:ae:c2: + d8:5f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 77:D2:6F:BF:CC:53:C5:ED:FA:3D:97:D8:E4:A5:36:7C:C7:FC:5D:9F + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 91:ad:45:08:34:ce:96:3f:40:fa:ac:e0:53:bf:f6:7a:9b:5b: + 45:91:44:13:d6:15:30:9f:20:8d:f8:60:1d:28:4d:7d:87:30: + 13:49:96:61:af:49:e1:9a:20:c4:2c:fd:23:ca:32:78:39:55: + fb:f9:91:07:c2:d9:c9:e5:37:4c:ab:d1:21:ab:ef:7e:d1:19: + 8c:cb:5d:ff:cd:07:65:34:49:90:35:35:69:cd:d7:e1:51:68: + 8c:70:ac:44:3f:0c:0d:16:f7:30:7e:22:d3:5b:64:89:13:20: + a5:db:7e:a8:05:04:47:0d:5a:23:29:06:61:71:af:a5:46:58: + 23:16:35:54:9b:de:33:06:d4:a4:f0:15:fb:ff:6c:d3:bb:bb: + 44:b3:a4:6c:08:ac:99:58:bc:54:70:43:7f:7a:7b:27:81:26: + 54:51:6b:49:a1:18:bb:d9:bf:8d:5e:02:3a:65:19:a8:18:da: + f1:d1:f7:58:bb:47:26:d9:5e:f0:00:81:1f:a6:5d:d4:75:92: + 7d:79:64:0f:6b:69:4c:4d:98:e3:6d:8d:6f:20:75:ff:00:fd: + 65:30:c5:15:26:1a:eb:9c:dc:16:7d:a9:25:d3:e5:ea:db:a6: + 94:29:cc:35:0c:71:a5:6a:61:a5:6c:6b:7f:30:a4:ee:36:18: + 58:8d:ba:66 +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIRAJOe4mM9tULGvaQLSvPZc7IwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDA5MTE1MjEyWhcNMjUwNDA5MTE1 +MjEyWjCBqDELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANAgPdsZxRl1in3Kw80gRj3e9LzJS+E3aCQNnu1s9nqx +I5U7VmB1Cb/n3N3BeJEh190HG8ke46O6uQ/uFYSVqLC5U0W8/z3iKh5lC1lD4dd2 +f07mkfsjNGwjBztFUuvui8JY7FeDGbXd8CeYXcDkoWKfZqiD8YwZ8wknrZPnSlF7 +oRBIaL2dviwFC4e74zY8VLFKhRCYEZ7JBbLB103m2Z9rt4clg25fyyrR8Noeaf2/ +GuWvdQzT/4amchmkOhWxtkSH0Kn9HN+E4DhVdDLd9O/9wmTs4a0PjXY2Jjm3zzvt +eNGPe2VCisXL+INZbEj/p/VbyNrLV7k/3pte9q7C2F8CAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFHfSb7/MU8Xt+j2X2OSlNnzH/F2fMB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAka1FCDTOlj9A+qzgU7/2 +eptbRZFEE9YVMJ8gjfhgHShNfYcwE0mWYa9J4ZogxCz9I8oyeDlV+/mRB8LZyeU3 +TKvRIavvftEZjMtd/80HZTRJkDU1ac3X4VFojHCsRD8MDRb3MH4i01tkiRMgpdt+ +qAUERw1aIykGYXGvpUZYIxY1VJveMwbUpPAV+/9s07u7RLOkbAismVi8VHBDf3p7 +J4EmVFFrSaEYu9m/jV4COmUZqBja8dH3WLtHJtle8ACBH6Zd1HWSfXlkD2tpTE2Y +422NbyB1/wD9ZTDFFSYa65zcFn2pJdPl6tumlCnMNQxxpWphpWxrfzCk7jYYWI26 +Zg== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_02.pem b/v3/testdata/invalid_business_cat_ok_02.pem new file mode 100644 index 000000000..0683e50e8 --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_02.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0a:5d:0a:22:8a:49:d5:4c:d3:d2:b8:6a:7e:2d:11:bf + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 11:53:09 2024 GMT + Not After : Apr 9 11:53:09 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:cd:b5:bf:94:0d:60:9d:3f:18:7b:ac:32:41:1e: + 7e:f3:4e:c4:5d:dd:a1:0a:4b:02:3b:3f:01:19:c7: + 56:10:c7:72:0c:db:5e:d9:2c:08:ea:47:c7:f6:e2: + 93:0f:f5:29:60:05:d0:65:dc:a9:99:b2:45:76:69: + 32:9e:e1:b4:f8:2b:12:38:9a:ae:48:e4:cc:74:bc: + 8b:d5:5c:49:2f:51:b6:27:78:98:46:ca:23:3f:f8: + 83:cb:86:6b:f2:1e:09:87:22:90:30:54:e7:bc:75: + 31:5c:42:5d:8a:e2:b7:30:1e:64:24:6e:40:a5:08: + 2b:d0:2e:8b:14:0a:28:00:06:6d:7a:e2:bf:e5:9e: + 9e:3d:6c:49:d9:13:e7:fe:4f:00:0c:e0:31:f8:cc: + 83:b0:56:79:f3:c1:3d:45:50:36:22:d2:02:b7:70: + c2:4b:28:05:98:bc:80:94:36:2a:3d:59:8b:f0:3c: + 20:06:54:1b:59:3b:a8:d7:7b:65:d5:7a:50:86:01: + a3:fd:71:1b:10:97:ed:8d:6d:1c:a4:91:c5:a8:db: + cf:d1:0a:b1:d4:aa:d2:bb:5c:44:cc:38:e6:51:9a: + 3c:a2:2e:be:0f:a1:fa:cc:51:ee:fc:f9:f3:e1:3f: + ce:51:54:5e:9c:10:8b:c9:16:bc:13:37:7b:8e:53: + 2d:59 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 73:22:B1:07:9F:AF:39:0C:31:A7:55:C1:DF:B0:D8:99:D4:A8:7D:F7 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: 
+ Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + a9:42:c8:b9:43:d0:17:df:32:69:03:4d:e2:6a:73:19:63:e2: + ff:ac:93:ad:b0:dd:5b:b5:dc:4c:2f:47:3c:67:2b:b5:b2:bb: + 71:7a:4e:ee:9f:a3:3e:ab:a9:85:ac:bd:17:55:3d:0b:10:ff: + c0:2a:75:7d:23:81:91:db:17:9f:d0:20:a8:3a:cb:e6:dc:4f: + ba:15:cd:65:6b:80:6b:90:87:f0:b6:a6:32:f2:f3:e1:c8:54: + 0d:71:52:24:04:1c:e1:7a:07:53:ce:71:95:a4:6b:d6:16:d3: + 30:b3:74:48:f9:01:f0:9e:3c:d2:5b:59:48:81:7f:79:9a:54: + 99:43:80:29:99:10:3b:d2:45:d4:4b:29:fb:1e:33:c5:4a:20: + 4b:ad:74:87:de:6b:7c:c0:96:e8:d8:45:85:dc:45:68:31:9d: + d3:e2:5e:36:cd:df:7e:85:78:76:dc:7e:e8:ed:a8:5a:45:51: + 1a:2a:85:18:dc:a7:cd:ad:d7:fe:74:07:bc:1a:7c:74:00:79: + 21:68:1b:0b:ba:a6:b7:9a:1c:fd:f7:5c:19:ee:f4:d1:1a:b2: + 9e:16:da:67:99:f9:3b:94:00:a5:42:f8:82:96:53:c4:c6:74: + c4:5f:6f:5d:bc:0a:45:49:7d:63:c9:8c:2d:0f:24:62:f5:a0: + 6c:21:a7:6a +-----BEGIN CERTIFICATE----- +MIIEjTCCA3WgAwIBAgIQCl0KIopJ1UzT0rhqfi0RvzANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MDkxMTUzMDlaFw0yNTA0MDkxMTUz +MDlaMIGJMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNtb+UDWCdPxh7rDJBHn7z +TsRd3aEKSwI7PwEZx1YQx3IM217ZLAjqR8f24pMP9SlgBdBl3KmZskV2aTKe4bT4 +KxI4mq5I5Mx0vIvVXEkvUbYneJhGyiM/+IPLhmvyHgmHIpAwVOe8dTFcQl2K4rcw +HmQkbkClCCvQLosUCigABm164r/lnp49bEnZE+f+TwAM4DH4zIOwVnnzwT1FUDYi +0gK3cMJLKAWYvICUNio9WYvwPCAGVBtZO6jXe2XVelCGAaP9cRsQl+2NbRykkcWo +28/RCrHUqtK7XETMOOZRmjyiLr4PofrMUe78+fPhP85RVF6cEIvJFrwTN3uOUy1Z +AgMBAAGjggE0MIIBMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMB0GA1UdDgQWBBRzIrEHn685DDGnVcHfsNiZ1Kh99zAfBgNV +HSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYI 
+KwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUF +BzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAWBgNVHREEDzANggtl +eGFtcGxlLmNvbTASBgNVHSAECzAJMAcGBWeBDAEBMC0GA1UdHwQmMCQwIqAgoB6G +HGh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggEB +AKlCyLlD0BffMmkDTeJqcxlj4v+sk62w3Vu13EwvRzxnK7Wyu3F6Tu6foz6rqYWs +vRdVPQsQ/8AqdX0jgZHbF5/QIKg6y+bcT7oVzWVrgGuQh/C2pjLy8+HIVA1xUiQE +HOF6B1POcZWka9YW0zCzdEj5AfCePNJbWUiBf3maVJlDgCmZEDvSRdRLKfseM8VK +IEutdIfea3zAlujYRYXcRWgxndPiXjbN336FeHbcfujtqFpFURoqhRjcp82t1/50 +B7wafHQAeSFoGwu6preaHP33XBnu9NEasp4W2meZ+TuUAKVC+IKWU8TGdMRfb128 +CkVJfWPJjC0PJGL1oGwhp2o= +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_03.pem b/v3/testdata/invalid_business_cat_ok_03.pem new file mode 100644 index 000000000..968b0d3fa --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_03.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + e8:b9:b7:db:bd:e6:79:f2:f0:b3:2a:51:eb:ff:0f:a2 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 11:56:08 2024 GMT + Not After : Apr 9 11:56:08 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Healthcare + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a3:73:4f:ed:5f:05:ff:8b:11:9e:a2:f7:a0:fb: + 86:39:50:cd:e6:7c:99:14:37:40:a2:43:46:9d:74: + ed:f9:6e:f3:c3:0a:68:20:11:1a:96:2a:70:89:6f: + 2a:cd:fb:af:f6:75:e0:8d:c0:fd:1d:4e:64:7a:66: + 81:c5:c3:34:fe:df:59:be:5c:56:0b:8f:8f:e7:4d: + 87:a5:b4:75:db:44:ea:0c:c9:fc:68:1d:00:b5:68: + 3b:83:47:6c:6b:23:dd:db:d0:b6:91:d6:e1:b8:6b: + d7:e5:4d:9e:7b:f6:c3:74:49:4a:59:bf:d9:60:30: + 39:b1:1b:fd:b3:74:e7:30:0a:18:ea:ef:d5:62:a8: + 35:3f:36:de:da:52:99:c8:18:27:f8:b0:5c:a5:3f: + f7:0b:89:8a:52:58:0c:85:cd:d6:29:0f:92:fc:7f: + 46:46:0f:4e:7d:8f:45:96:3f:8b:1a:6d:ca:47:5e: + 21:e9:9f:0a:1b:d2:a9:2f:37:0f:57:85:57:20:d9: + 58:b8:c3:79:4d:0d:a6:28:ba:a1:7f:39:fd:dc:d7: + 08:1d:91:f2:0d:79:e3:28:39:7f:19:3f:83:c0:4e: + cb:c8:9c:50:9a:04:4d:9d:f0:77:05:f3:75:77:2d: + 23:a9:fc:76:3e:97:ef:ae:99:5c:fa:43:15:82:26: + aa:e9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 35:8E:0E:FF:E7:6C:E2:31:A2:05:75:EF:DA:63:6C:1D:4F:CD:82:4C + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.com 
+ X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 0b:10:5f:47:66:d6:dc:58:c0:bb:41:95:c0:f0:fd:e0:4b:06: + 91:c5:ed:1b:25:02:de:d1:72:3a:da:96:fc:78:9a:62:e9:d6: + be:02:b7:30:1b:da:83:42:a9:99:f9:e3:df:fe:c2:0e:c1:71: + df:57:1f:2f:27:c3:57:4b:9d:aa:68:15:70:47:06:dd:0f:ef: + b9:40:49:50:47:63:a2:46:28:0c:93:5b:95:fb:23:12:85:5a: + 2a:8f:db:e9:7c:f3:0f:ec:ea:4b:3c:cf:e8:6c:cf:99:2e:16: + 2b:f2:71:26:fa:85:36:50:29:bc:06:45:c7:74:6b:2c:2a:10: + 0a:ec:ec:b4:12:57:0d:01:d8:38:bb:94:40:fe:f5:b9:3a:2f: + 63:fb:65:9c:ed:36:c2:45:63:08:b6:83:8c:85:92:17:20:3e: + 54:78:10:30:15:62:92:c2:a3:f4:00:6e:b3:b0:a6:68:de:1f: + de:73:25:6b:31:4c:8b:a6:44:39:f8:83:46:df:32:49:97:c2: + 51:ac:68:47:2b:c8:79:e3:de:92:f6:4a:33:78:32:31:e9:d3: + 33:34:d6:de:b6:d6:2e:00:e8:76:96:49:77:32:54:3c:f1:d0: + ff:8c:01:db:bd:80:0f:39:56:4f:a9:da:fc:c1:08:a6:ff:c9: + 9c:48:55:87 +-----BEGIN CERTIFICATE----- +MIIEpDCCA4ygAwIBAgIRAOi5t9u95nny8LMqUev/D6IwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDA5MTE1NjA4WhcNMjUwNDA5MTE1 +NjA4WjCBnjELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MRMwEQYDVQQPEwpIZWFsdGhjYXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAo3NP7V8F/4sRnqL3oPuGOVDN5nyZFDdAokNGnXTt+W7zwwpoIBEalipw +iW8qzfuv9nXgjcD9HU5kemaBxcM0/t9ZvlxWC4+P502HpbR120TqDMn8aB0AtWg7 +g0dsayPd29C2kdbhuGvX5U2ee/bDdElKWb/ZYDA5sRv9s3TnMAoY6u/VYqg1Pzbe +2lKZyBgn+LBcpT/3C4mKUlgMhc3WKQ+S/H9GRg9OfY9Flj+LGm3KR14h6Z8KG9Kp +LzcPV4VXINlYuMN5TQ2mKLqhfzn93NcIHZHyDXnjKDl/GT+DwE7LyJxQmgRNnfB3 +BfN1dy0jqfx2Ppfvrplc+kMVgiaq6QIDAQABo4IBNTCCATEwDgYDVR0PAQH/BAQD +AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUNY4O 
+/+ds4jGiBXXv2mNsHU/NgkwwHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94N +YD4wZAYIKwYBBQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNh +LWluYy5jb20vb2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMu +Y29tL3Jvb3QwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wEwYDVR0gBAwwCjAIBgZn +gQwBAgIwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29t +L2NybDANBgkqhkiG9w0BAQsFAAOCAQEACxBfR2bW3FjAu0GVwPD94EsGkcXtGyUC +3tFyOtqW/HiaYunWvgK3MBvag0Kpmfnj3/7CDsFx31cfLyfDV0udqmgVcEcG3Q/v +uUBJUEdjokYoDJNblfsjEoVaKo/b6XzzD+zqSzzP6GzPmS4WK/JxJvqFNlApvAZF +x3RrLCoQCuzstBJXDQHYOLuUQP71uTovY/tlnO02wkVjCLaDjIWSFyA+VHgQMBVi +ksKj9ABus7CmaN4f3nMlazFMi6ZEOfiDRt8ySZfCUaxoRyvIeePekvZKM3gyMenT +MzTW3rbWLgDodpZJdzJUPPHQ/4wB272ADzlWT6na/MEIpv/JnEhVhw== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_04.pem b/v3/testdata/invalid_business_cat_ok_04.pem new file mode 100644 index 000000000..de1fc6517 --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_04.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + f5:84:73:56:ba:ba:4f:ec:50:12:3d:e2:dc:d9:f3:41 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 15:58:07 2024 GMT + Not After : Apr 9 15:58:07 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Government Entity + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c0:e4:64:9a:ae:8d:62:d8:41:48:49:bc:4a:3c: + 61:62:d8:cd:a2:ac:34:6d:f8:61:4a:ac:d2:28:d5: + 0e:31:10:cf:46:5a:4f:8d:36:4d:da:5b:30:c7:04: + 38:a3:45:44:28:ae:a8:7a:04:24:62:2c:75:c0:4b: + 39:c3:f2:73:27:8c:20:d4:93:d9:0b:92:85:61:77: + 56:88:69:a2:ce:ba:8c:48:2f:26:a8:07:1c:d7:b5: + 85:c3:96:5a:3b:c4:aa:e7:54:f1:54:c0:2a:0b:9d: + bf:e7:7f:2c:54:d6:23:e7:31:e6:4e:a3:4c:24:60: + 62:a6:53:5b:c1:b3:ea:92:23:dc:dc:0d:c1:24:27: + 66:d0:d9:47:fe:76:2c:e3:8e:98:66:78:69:26:2c: + 1c:c0:69:e1:84:31:8c:82:b8:71:3a:13:24:3e:c6: + 4b:ba:a0:bc:1d:de:e0:21:da:69:49:bd:06:e7:de: + 43:47:32:8c:c9:bf:b4:a9:41:6e:59:11:0b:ca:38: + 42:0c:2a:68:9c:f6:04:79:c3:02:d5:80:08:b0:69: + 76:a1:2d:eb:aa:6e:26:2e:52:66:a2:a5:c9:6d:69: + 30:3e:21:fe:b8:77:ab:03:7d:fe:74:2f:61:d3:c0: + 78:bb:91:b5:d3:b7:44:f0:b9:19:07:fc:eb:ea:04: + de:e9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 52:62:84:A0:C2:DF:01:00:50:94:AB:33:95:50:80:2E:14:86:F9:FD + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 3b:6a:06:c5:8c:53:40:a0:44:f4:9d:2e:91:00:f6:a0:8d:31: + 17:80:d4:92:c3:96:e2:eb:10:4b:bd:b2:f4:ed:6e:33:3e:eb: + fa:19:68:8e:06:d3:5c:ca:61:62:83:50:1b:76:b1:36:a2:1b: + af:54:1a:26:ac:54:ab:de:ef:cb:65:49:6d:04:82:2e:4b:17: + 98:f6:b4:28:eb:5d:5e:51:cd:ed:46:88:ae:a2:50:8b:71:15: + 95:af:55:d1:e1:68:5c:51:e6:76:3e:df:ca:75:98:11:68:ed: + 91:2f:d1:f7:e0:3e:03:2f:54:9f:31:eb:0c:ee:ee:ae:c4:83: + 5a:ff:9c:37:5e:17:82:ca:90:71:b7:ec:d1:11:93:a4:c2:f2: + 43:55:3d:e9:24:6b:7f:36:7f:c7:e1:54:b0:16:80:78:ea:f4: + 0b:44:2e:d2:6e:c8:f2:c8:24:9c:7f:7c:c8:42:76:d8:62:c7: + 98:ec:2e:65:8f:f1:b2:4b:4b:5a:7c:b3:c2:a7:8b:81:d3:f0: + bb:7b:43:af:dd:c5:87:fb:7c:44:02:9e:c0:30:3c:a8:ad:ee: + ba:50:f7:16:0d:68:b8:ce:0c:33:b0:f0:84:11:96:00:0e:e5: + 10:bf:ea:43:4c:8d:3e:3e:bc:e5:08:b4:6f:92:52:54:98:4e: + c9:fd:87:5a +-----BEGIN CERTIFICATE----- +MIIEqjCCA5KgAwIBAgIRAPWEc1a6uk/sUBI94tzZ80EwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDA5MTU1ODA3WhcNMjUwNDA5MTU1 +ODA3WjCBpTELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MRowGAYDVQQPExFHb3Zlcm5tZW50IEVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMDkZJqujWLYQUhJvEo8YWLYzaKsNG34YUqs0ijVDjEQz0Za +T402TdpbMMcEOKNFRCiuqHoEJGIsdcBLOcPycyeMINST2QuShWF3Vohpos66jEgv +JqgHHNe1hcOWWjvEqudU8VTAKgudv+d/LFTWI+cx5k6jTCRgYqZTW8Gz6pIj3NwN +wSQnZtDZR/52LOOOmGZ4aSYsHMBp4YQxjIK4cToTJD7GS7qgvB3e4CHaaUm9Bufe +Q0cyjMm/tKlBblkRC8o4QgwqaJz2BHnDAtWACLBpdqEt66puJi5SZqKlyW1pMD4h +/rh3qwN9/nQvYdPAeLuRtdO3RPC5GQf86+oE3ukCAwEAAaOCATQwggEwMA4GA1Ud +DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0O 
+BBYEFFJihKDC3wEAUJSrM5VQgC4Uhvn9MB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5 +VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2Nh +LnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21l +Y2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1UdIAQL +MAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1p +bmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAO2oGxYxTQKBE9J0ukQD2oI0x +F4DUksOW4usQS72y9O1uMz7r+hlojgbTXMphYoNQG3axNqIbr1QaJqxUq97vy2VJ +bQSCLksXmPa0KOtdXlHN7UaIrqJQi3EVla9V0eFoXFHmdj7fynWYEWjtkS/R9+A+ +Ay9UnzHrDO7ursSDWv+cN14XgsqQcbfs0RGTpMLyQ1U96SRrfzZ/x+FUsBaAeOr0 +C0Qu0m7I8sgknH98yEJ22GLHmOwuZY/xsktLWnyzwqeLgdPwu3tDr93Fh/t8RAKe +wDA8qK3uulD3Fg1ouM4MM7DwhBGWAA7lEL/qQ0yNPj685Qi0b5JSVJhOyf2HWg== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_05.pem b/v3/testdata/invalid_business_cat_ok_05.pem new file mode 100644 index 000000000..62ae9bb9b --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_05.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ef:be:c6:73:71:37:14:07:6d:96:9a:13:02:d0:c1:f6 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 15:59:55 2024 GMT + Not After : Apr 9 15:59:55 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Business Entity + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ac:a4:62:57:e7:a0:1e:db:bc:99:99:23:87:08: + 8d:04:ea:c6:e6:a8:ba:a5:22:20:52:de:3e:eb:70: + ae:3f:8f:51:02:c6:1e:a8:02:e2:a9:a7:50:b0:32: + 00:2c:16:9f:9a:06:76:33:68:14:eb:1e:69:c2:59: + dc:ee:58:cb:29:15:bc:5d:3c:7c:50:79:61:c0:fe: + 5d:f4:6e:33:79:21:bf:90:4a:9d:4f:75:7f:4f:89: + a3:1a:f7:48:c9:8f:d9:6d:59:d1:11:5e:8e:6b:74: + bf:02:0d:80:43:d4:8f:74:8c:12:2c:46:81:af:42: + 77:2a:e2:ae:3f:d8:2c:ed:5d:6a:24:2d:72:25:b9: + c5:ac:8b:84:8e:fe:76:98:db:77:97:80:a4:72:eb: + fe:f8:2c:7e:18:24:bf:fb:7f:11:ed:65:7e:cd:26: + 72:29:7b:0a:55:91:93:f0:a3:21:c5:70:46:f2:c0: + 60:fd:38:10:dc:78:7b:c2:8e:a6:2e:0e:64:e8:aa: + 4e:e8:ca:ed:31:75:e1:40:8b:8f:be:80:4a:e8:16: + 18:33:8c:c9:ea:81:41:c9:9f:77:4d:13:fb:94:d0: + cb:2e:45:4a:53:10:49:69:2b:9d:0c:ba:a6:40:04: + fd:5e:9d:d6:32:4b:bf:9a:25:57:d7:54:24:a1:96: + c1:bb + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 81:03:DC:8F:0D:60:C9:8F:13:13:CF:5E:0E:28:DD:AD:7E:89:85:22 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 75:4a:48:5d:93:d1:b8:82:3f:69:85:3c:fe:9c:c8:25:eb:0b: + 31:0d:03:69:65:50:72:84:e1:b4:02:b1:87:87:be:84:ca:50: + 55:ef:03:88:b9:fb:c2:84:e8:06:c4:22:80:4d:7c:d7:a3:a4: + 02:03:67:66:f9:92:e3:f5:4a:30:ab:85:cd:90:52:80:63:b1: + 39:c7:24:6f:34:ce:92:71:41:6e:9b:11:c9:97:f8:00:12:bb: + b0:4f:65:c2:0b:7a:15:6c:ba:54:db:0a:ef:9f:d2:db:60:59: + 2c:07:71:29:a5:f0:48:c8:50:6c:1d:5e:bd:48:75:cf:a3:3d: + 84:92:ee:3c:f8:6e:f4:a2:d8:ec:30:35:df:90:55:f3:9b:99: + 22:ef:4d:a6:e3:b1:b7:bd:80:6b:f8:0c:b8:bc:c5:a8:31:75: + bc:62:f9:ed:6f:cf:8b:b7:c0:33:eb:43:57:81:9e:dc:1f:6b: + 63:1b:d9:d6:40:93:50:4b:f4:72:c9:e8:fa:37:6c:ab:95:e9: + 07:32:10:6a:b2:6d:fd:54:17:c2:83:fa:3a:05:17:fe:72:ea: + f2:cb:ab:eb:8a:3a:35:95:bb:12:77:ab:d6:bd:a0:93:b8:bd: + 08:e3:a0:a7:14:f9:08:bf:de:31:0f:74:05:86:f6:ac:28:58: + 88:82:d3:91 +-----BEGIN CERTIFICATE----- +MIIEqDCCA5CgAwIBAgIRAO++xnNxNxQHbZaaEwLQwfYwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDA5MTU1OTU1WhcNMjUwNDA5MTU1 +OTU1WjCBozELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MRgwFgYDVQQPEw9CdXNpbmVzcyBFbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCspGJX56Ae27yZmSOHCI0E6sbmqLqlIiBS3j7rcK4/j1ECxh6o +AuKpp1CwMgAsFp+aBnYzaBTrHmnCWdzuWMspFbxdPHxQeWHA/l30bjN5Ib+QSp1P +dX9PiaMa90jJj9ltWdERXo5rdL8CDYBD1I90jBIsRoGvQncq4q4/2CztXWokLXIl +ucWsi4SO/naY23eXgKRy6/74LH4YJL/7fxHtZX7NJnIpewpVkZPwoyHFcEbywGD9 +OBDceHvCjqYuDmToqk7oyu0xdeFAi4++gEroFhgzjMnqgUHJn3dNE/uU0MsuRUpT +EElpK50MuqZABP1endYyS7+aJVfXVCShlsG7AgMBAAGjggE0MIIBMDAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW 
+BBSBA9yPDWDJjxMTz14OKN2tfomFIjAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU +fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh +LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLmNvbTASBgNVHSAECzAJ +MAcGBWeBDAEBMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5j +LmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggEBAHVKSF2T0biCP2mFPP6cyCXrCzEN +A2llUHKE4bQCsYeHvoTKUFXvA4i5+8KE6AbEIoBNfNejpAIDZ2b5kuP1SjCrhc2Q +UoBjsTnHJG80zpJxQW6bEcmX+AASu7BPZcILehVsulTbCu+f0ttgWSwHcSml8EjI +UGwdXr1Idc+jPYSS7jz4bvSi2OwwNd+QVfObmSLvTabjsbe9gGv4DLi8xagxdbxi ++e1vz4u3wDPrQ1eBntwfa2Mb2dZAk1BL9HLJ6Po3bKuV6QcyEGqybf1UF8KD+joF +F/5y6vLLq+uKOjWVuxJ3q9a9oJO4vQjjoKcU+Qi/3jEPdAWG9qwoWIiC05E= +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_06.pem b/v3/testdata/invalid_business_cat_ok_06.pem new file mode 100644 index 000000000..4efb5273b --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_06.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 12:a2:26:01:04:14:ff:24:0a:b8:c7:04:9a:78:c9:0a + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 22 06:56:29 2024 GMT + Not After : Apr 22 06:56:29 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Non-Commercial Entity + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b5:d2:96:c7:09:5d:80:8f:ad:30:b0:3f:fb:ca: + 1d:09:0b:13:e5:e6:24:14:b2:91:5e:bc:42:15:7d: + 47:24:3e:0e:e6:60:4e:04:0d:5d:3a:78:eb:b5:e1: + fd:4f:d9:b5:13:a8:ea:c0:63:66:b1:f4:68:af:7a: + 9b:c5:9f:dd:3d:cc:13:1b:75:58:91:e5:01:a8:d8: + b0:bb:a7:e3:92:65:9a:96:58:6d:54:42:8c:92:c2: + 8b:92:9b:e4:52:8a:b2:42:60:26:32:b5:5a:01:9b: + 73:67:23:39:b0:2a:0f:dd:d8:81:62:53:84:40:5a: + 91:3a:55:27:70:d5:34:62:cc:fd:d3:03:15:a3:4b: + c4:bc:53:c7:2c:09:9b:c9:c8:1b:57:24:aa:26:fc: + 29:5f:db:bb:18:ac:d2:3d:20:ce:8c:64:10:8f:a2: + 59:92:3d:ca:03:d3:35:43:49:2e:bb:ec:f7:90:6d: + 72:10:88:9e:05:63:e7:8e:42:e5:6c:36:61:32:8f: + 9a:87:7e:44:aa:05:90:7a:b8:1d:2b:06:ab:ce:9e: + 06:29:66:97:1d:51:60:a5:59:07:54:0a:f3:c4:e5: + 17:75:a1:2f:ee:ac:53:59:08:f6:3e:fe:5c:c1:b4: + 17:aa:4a:28:e2:3c:e9:2a:59:25:59:a3:d2:23:6a: + fc:77 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 27:4C:59:23:A0:44:FE:B8:95:AB:E1:66:55:97:DB:2C:22:42:68:85 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 37:61:27:c7:b0:10:5b:9f:fe:7e:61:b4:a5:98:c3:8b:1c:3f: + 46:99:21:da:bc:c9:c0:8b:0f:30:18:0a:d2:c7:64:cc:32:3c: + 3e:13:f2:17:c4:fb:a8:47:f2:4b:f6:40:7b:2a:88:1d:ea:6d: + c1:07:6f:f4:f4:08:b9:31:ea:d2:97:c0:e8:a7:fa:97:1e:08: + 39:6a:c7:78:e6:6a:92:9b:dc:93:75:88:19:cb:0a:27:0f:16: + 0c:0e:bd:a3:2d:3e:c1:5c:5c:89:85:f6:b1:5d:fc:6c:82:3f: + fb:a4:45:67:a5:9d:43:f8:a1:85:cf:fe:5f:ff:c6:99:d6:da: + 2f:f3:b2:11:0b:80:46:3a:2f:8e:4e:66:b0:29:62:31:6b:ea: + 54:0a:2f:9b:b0:0c:a7:cf:06:9e:48:ee:5b:81:d8:0c:07:7f: + 58:d3:f0:5e:b4:da:99:93:7e:32:f6:d4:a5:af:da:5c:a0:71: + eb:91:4b:1c:80:22:ba:14:e0:db:65:50:8f:8e:da:76:90:94: + 68:45:43:7a:97:29:13:6e:a5:cf:ce:d3:64:c5:35:f6:32:f4: + d6:af:0c:ce:0f:e5:6e:08:7d:51:3e:92:3c:6f:80:4e:c7:38: + 3c:9f:68:b2:72:ca:98:f7:bd:e3:67:75:fb:16:e9:8e:84:db: + aa:a1:d5:09 +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIQEqImAQQU/yQKuMcEmnjJCjANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MjIwNjU2MjlaFw0yNTA0MjIwNjU2 +MjlaMIGpMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HjAcBgNVBA8TFU5vbi1Db21tZXJjaWFsIEVudGl0eTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALXSlscJXYCPrTCwP/vKHQkLE+XmJBSykV68QhV9RyQ+ +DuZgTgQNXTp467Xh/U/ZtROo6sBjZrH0aK96m8Wf3T3MExt1WJHlAajYsLun45Jl +mpZYbVRCjJLCi5Kb5FKKskJgJjK1WgGbc2cjObAqD93YgWJThEBakTpVJ3DVNGLM +/dMDFaNLxLxTxywJm8nIG1ckqib8KV/buxis0j0gzoxkEI+iWZI9ygPTNUNJLrvs +95BtchCIngVj545C5Ww2YTKPmod+RKoFkHq4HSsGq86eBilmlx1RYKVZB1QK88Tl +F3WhL+6sU1kI9j7+XMG0F6pKKOI86SpZJVmj0iNq/HcCAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFCdMWSOgRP64lavhZlWX2ywiQmiFMB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAN2Enx7AQW5/+fmG0pZjD +ixw/Rpkh2rzJwIsPMBgK0sdkzDI8PhPyF8T7qEfyS/ZAeyqIHeptwQdv9PQIuTHq +0pfA6Kf6lx4IOWrHeOZqkpvck3WIGcsKJw8WDA69oy0+wVxciYX2sV38bII/+6RF +Z6WdQ/ihhc/+X//GmdbaL/OyEQuARjovjk5msCliMWvqVAovm7AMp88GnkjuW4HY +DAd/WNPwXrTamZN+MvbUpa/aXKBx65FLHIAiuhTg22VQj47adpCUaEVDepcpE26l +z87TZMU19jL01q8Mzg/lbgh9UT6SPG+ATsc4PJ9osnLKmPe942d1+xbpjoTbqqHV +CQ== +-----END CERTIFICATE----- From 13c40b2e74b1eb715a5af57f331efcf5f2f0acdd Mon Sep 17 00:00:00 2001 From: Christopher Henderson Date: Sat, 20 Jul 2024 10:50:31 -0700 Subject: [PATCH 7/9] Fix goreleaser to use the --clean flag rather than --rm-dist (#868) --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6023b2135..bc7d9e19c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,7 +23,7 @@ jobs: uses: goreleaser/goreleaser-action@v2 with: version: latest - args: release --rm-dist + args: release --clean workdir: v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 33ee62a138fc62f3c2102cfc575c4738b0c1030a Mon Sep 17 00:00:00 2001 
From: Ren Peterson <108283101+digirenpeter@users.noreply.github.com> Date: Sun, 21 Jul 2024 08:33:43 -0600 Subject: [PATCH 8/9] Add Code Signing lints for EKU, Key Usage, RSA Key Size and CRLDistributionPoints (#865) * Added lints for code signing * Added test data and code signing util function * Removed ev cs oid from isev check, at least 1 ev lint doesn't apply properly to ev cs certs * Update v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go Co-authored-by: Christopher Henderson * Update v3/lints/cabf_cs_br/lint_cs_eku_required.go Co-authored-by: Christopher Henderson * Update v3/lints/cabf_cs_br/lint_cs_key_usage_required.go Co-authored-by: Christopher Henderson * Split up ku/cdp nil and critical checks, added cs check to base.go * Update v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go Co-authored-by: Christopher Henderson * Update v3/lints/cabf_cs_br/lint_cs_eku_required.go Co-authored-by: Christopher Henderson * Update v3/lints/cabf_cs_br/lint_cs_key_usage_required.go Co-authored-by: Christopher Henderson * Update v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go Co-authored-by: Christopher Henderson * Added conditional prohibited EKU for subca --------- Co-authored-by: Christopher Henderson --- v3/lint/base.go | 3 + v3/lint/source.go | 1 + .../lint_cs_crl_distribution_points.go | 62 +++++++++++++ .../lint_cs_crl_distribution_points_test.go | 40 +++++++++ v3/lints/cabf_cs_br/lint_cs_eku_required.go | 87 +++++++++++++++++++ .../cabf_cs_br/lint_cs_eku_required_test.go | 40 +++++++++ .../cabf_cs_br/lint_cs_key_usage_required.go | 79 +++++++++++++++++ .../lint_cs_key_usage_required_test.go | 45 ++++++++++ v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go | 58 +++++++++++++ .../cabf_cs_br/lint_cs_rsa_key_size_test.go | 40 +++++++++ v3/profiles/profiles_test.go | 2 + .../code_signing/codeSigningWithECDSAKey.pem | 18 ++++ .../containsNotRecommendedKeyUsage.pem | 32 +++++++ .../code_signing/containsProhibitedEKU.pem | 31 +++++++ .../containsProhibitedKeyUsage.pem | 
32 +++++++ v3/testdata/code_signing/crlDpNoHttp.pem | 32 +++++++ .../code_signing/lessThan3072RSAKeySize.pem | 29 +++++++ v3/testdata/code_signing/noCrldpIncluded.pem | 30 +++++++ .../noDigitalSignatureKeyUsage.pem | 32 +++++++ .../code_signing/noRequiredCodeSigningEKU.pem | 31 +++++++ .../validCodeSigningCertificate.pem | 32 +++++++ v3/util/cs.go | 18 ++++ v3/util/time.go | 1 + v3/zlint.go | 1 + 24 files changed, 776 insertions(+) create mode 100644 v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go create mode 100644 v3/lints/cabf_cs_br/lint_cs_crl_distribution_points_test.go create mode 100644 v3/lints/cabf_cs_br/lint_cs_eku_required.go create mode 100644 v3/lints/cabf_cs_br/lint_cs_eku_required_test.go create mode 100644 v3/lints/cabf_cs_br/lint_cs_key_usage_required.go create mode 100644 v3/lints/cabf_cs_br/lint_cs_key_usage_required_test.go create mode 100644 v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go create mode 100644 v3/lints/cabf_cs_br/lint_cs_rsa_key_size_test.go create mode 100644 v3/testdata/code_signing/codeSigningWithECDSAKey.pem create mode 100644 v3/testdata/code_signing/containsNotRecommendedKeyUsage.pem create mode 100644 v3/testdata/code_signing/containsProhibitedEKU.pem create mode 100644 v3/testdata/code_signing/containsProhibitedKeyUsage.pem create mode 100644 v3/testdata/code_signing/crlDpNoHttp.pem create mode 100644 v3/testdata/code_signing/lessThan3072RSAKeySize.pem create mode 100644 v3/testdata/code_signing/noCrldpIncluded.pem create mode 100644 v3/testdata/code_signing/noDigitalSignatureKeyUsage.pem create mode 100644 v3/testdata/code_signing/noRequiredCodeSigningEKU.pem create mode 100644 v3/testdata/code_signing/validCodeSigningCertificate.pem create mode 100644 v3/util/cs.go diff --git a/v3/lint/base.go b/v3/lint/base.go index c07d65a92..e572b27a5 100644 --- a/v3/lint/base.go +++ b/v3/lint/base.go 
@@ -224,6 +224,9 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
 if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {
 return &LintResult{Status: NA}
 }
+ if l.Source == CABFCSBaselineRequirements && !util.IsCodeSigning(cert.PolicyIdentifiers) {
+ return &LintResult{Status: NA}
+ }
 lint := l.Lint()
 err := config.MaybeConfigure(lint, l.Name)
 if err != nil {
diff --git a/v3/lint/source.go b/v3/lint/source.go
index 48ad2be5f..42b17d519 100644
--- a/v3/lint/source.go
+++ b/v3/lint/source.go
@@ -35,6 +35,7 @@ const (
 RFC6962 LintSource = "RFC6962"
 RFC8813 LintSource = "RFC8813"
 CABFBaselineRequirements LintSource = "CABF_BR"
+ CABFCSBaselineRequirements LintSource = "CABF_CS_BR"
 CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR"
 CABFEVGuidelines LintSource = "CABF_EV"
 MozillaRootStorePolicy LintSource = "Mozilla"
diff --git a/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go b/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go
new file mode 100644
index 000000000..dfda904f3
--- /dev/null
+++ b/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go
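Review bot: The new CS gate keys only on `cert.PolicyIdentifiers`, whereas the S/MIME gate one line above hands the whole certificate to `util.IsEmailProtectionCert`, so a certificate that asserts id-kp-codeSigning but omits the CS BR policy OID is never reached by any `cabf_cs_br` lint and silently gets NA. `util.IsCodeSigning` is introduced in `v3/util/cs.go` by this commit but is not visible here, so I cannot tell whether that is the intended scope; if it is, a one-line comment above the check, `// CS BR lints apply only to certificates asserting a CS BR policy OID; the EKU alone does not opt a cert in`, would stop the next reader from assuming parity with the S/MIME branch. `Execute` begins and ends outside this hunk.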
@@ -0,0 +1,62 @@
+package cabf_cs_br
+
+import (
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+/*7.1.2.3 b. cRLDistributionPoints
+This extension MUST be present. It MUST NOT be marked critical, and it MUST contain the
+HTTP URL of the CA’s CRL service*/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cs_crl_distribution_points",
+ Description: "This extension MUST be present. It MUST NOT be marked critical. It MUST contain the HTTP URL of the CA's CRL service",
+ Citation: "CABF CS BRs 7.1.2.3.b",
+ Source: lint.CABFCSBaselineRequirements,
+ EffectiveDate: util.CABF_CS_BRs_1_2_Date,
+ },
+ Lint: NewCrlDistributionPoints,
+ })
+}
+
+type crlDistributionPoints struct{}
+
+func NewCrlDistributionPoints() lint.LintInterface {
+ return &crlDistributionPoints{}
+}
+
+func (l *crlDistributionPoints) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) || util.IsSubCA(c)
+}
+
+func (l *crlDistributionPoints) Execute(c *x509.Certificate) *lint.LintResult {
+ cdp := util.GetExtFromCert(c, util.CrlDistOID)
+ if cdp == nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "The cRLDistributionPoints extension MUST be present."}
+ }
+
+ if cdp.Critical {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "The cRLDistributionPoints MUST NOT be marked critical."}
+ }
+
+ // MUST contain the HTTP URL of the CA’s CRL service
+ for _, uri := range c.CRLDistributionPoints {
+ if !strings.HasPrefix(uri, "http://") {
+ return &lint.LintResult{Status: lint.Error, Details: "cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service"}
+ }
+ }
+
+ return &lint.LintResult{
+ Status: lint.Pass,
+ }
+}
diff --git a/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points_test.go b/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points_test.go
new file mode 100644
index 000000000..583ec3a46
--- /dev/null
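Review bot: The URI loop in `Execute` passes when `c.CRLDistributionPoints` is empty and errors on the first non-HTTP entry, which inverts the requirement quoted in the header comment: the BR asks that the HTTP URL be present, not that every distribution point be HTTP, so an extension carrying only non-URI names (or an LDAP URI alongside an HTTP one) is judged the wrong way round. The prefix test is also case-sensitive while URI schemes are not, so `HTTP://` is rejected. If the intent really is "every entry must be HTTP", the empty-list case still needs a guard. Separately, `NewCrlDistributionPoints` returns `lint.LintInterface` while the sibling `NewCsRsaKeySize` in this commit returns `lint.CertificateLintInterface`; the four constructors should agree.
```go
	// MUST contain the HTTP URL of the CA’s CRL service
	hasHTTP := false
	for _, uri := range c.CRLDistributionPoints {
		if strings.HasPrefix(strings.ToLower(uri), "http://") {
			hasHTTP = true
			break
		}
	}
	if !hasHTTP {
		return &lint.LintResult{Status: lint.Error, Details: "cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service"}
	}
	// … unchanged: Pass result …
```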
+++ b/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points_test.go @@ -0,0 +1,40 @@ +package cabf_cs_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestCsCrlDistributionPoints(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "pass - code signing certificate with CRLDistributionPoints", + InputFilename: "code_signing/validCodeSigningCertificate.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "fail - code signing certificate without CRLDistributionPoints", + InputFilename: "code_signing/noCrldpIncluded.pem", + ExpectedResult: lint.Error, + }, + { + Name: "fail - code signing certificate with CRLDistributionPoints without http", + InputFilename: "code_signing/crlDpNoHttp.pem", + ExpectedResult: lint.Error, + }, + } + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_cs_crl_distribution_points", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_cs_br/lint_cs_eku_required.go b/v3/lints/cabf_cs_br/lint_cs_eku_required.go new file mode 100644 index 000000000..91ac67011 --- /dev/null +++ b/v3/lints/cabf_cs_br/lint_cs_eku_required.go 
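Review bot: The table exercises the missing-extension and non-HTTP branches but not the `cdp.Critical` branch of `Execute`, so a regression in the criticality check would pass CI unnoticed. Add a fixture whose cRLDistributionPoints is marked critical with `ExpectedResult: lint.Error`, and, if the HTTP check is meant to accept mixed schemes, a case with one HTTP and one non-HTTP URI with `ExpectedResult: lint.Pass` to pin that decision.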
@@ -0,0 +1,87 @@ +package cabf_cs_br + +import ( + "fmt" + + "github.com/zmap/zcrypto/x509" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +/* 7.1.2.3 Code signing and Timestamp Certificate +f. extKeyUsage +If the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present +and the following EKUs MAY be present: + • Lifetime Signing OID (1.3.6.1.4.1.311.10.3.13) + • id-kp-emailProtection + • Document Signing (1.3.6.1.4.1.311.3.10.3.12) + +If the Certificate is a Timestamp Certificate, then id-kp-timeStamping MUST be present +and MUST be marked critical. +Additionally, the following EKUs MUST NOT be present: + • anyExtendedKeyUsage + • id-kp-serverAuth + +Other values SHOULD NOT be present. If any other value is present, the CA MUST have a +business agreement with a Platform vendor requiring that EKU in order to issue a +Platform‐specific code signing certificate with that EKU. +*/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cs_eku_required", + Description: "If the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present. 
anyExtendedKeyUsage and id-kp-serverAuth MUST NOT be present.", + Citation: "CABF CS BRs 7.1.2.3.f", + Source: lint.CABFCSBaselineRequirements, + EffectiveDate: util.CABF_CS_BRs_1_2_Date, + }, + Lint: NewCsEKURequired, + }) +} + +type csEKURequired struct{} + +func NewCsEKURequired() lint.LintInterface { + return &csEKURequired{} +} + +func (l *csEKURequired) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) || util.IsSubCA(c) +} + +func (l *csEKURequired) Execute(c *x509.Certificate) *lint.LintResult { + prohibitedEKUs := map[x509.ExtKeyUsage]struct{}{ + x509.ExtKeyUsageAny: {}, + x509.ExtKeyUsageServerAuth: {}, + } + + if util.IsSubCA(c) { + prohibitedEKUs[x509.ExtKeyUsageEmailProtection] = struct{}{} + } + + hasCodeSigningEKU := false + + for _, eku := range c.ExtKeyUsage { + if eku == x509.ExtKeyUsageCodeSigning { + hasCodeSigningEKU = true + } + + if _, isProhibited := prohibitedEKUs[eku]; isProhibited { + return &lint.LintResult{ + Status: lint.Error, + Details: fmt.Sprintf("Code Signing certificate includes prohibited EKU: %v", eku), + } + } + } + + if !hasCodeSigningEKU { + return &lint.LintResult{ + Status: lint.Error, + Details: "Code Signing certificate missing required Code Signing EKU", + } + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/v3/lints/cabf_cs_br/lint_cs_eku_required_test.go b/v3/lints/cabf_cs_br/lint_cs_eku_required_test.go new file mode 100644 index 000000000..dcdee0229 --- /dev/null +++ b/v3/lints/cabf_cs_br/lint_cs_eku_required_test.go 
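Review bot: `Execute` returns Pass for any EKU outside the required and prohibited sets, so the "Other values SHOULD NOT be present" clause reproduced in the header comment is not enforced and a certificate carrying, say, id-kp-clientAuth next to id-kp-codeSigning lints clean. Since this lint is named `e_`, that SHOULD-level check belongs in a separate `w_`-prefixed lint that warns on EKUs outside the set the BR lists (codeSigning, emailProtection, lifetime signing, document signing), leaving this one Error/Pass. Also, `fmt.Sprintf("... %v", eku)` will print a bare integer unless zcrypto's `ExtKeyUsage` has a `String` method, which I cannot confirm from here; if it does not, the Details message should name the EKU, and the `prohibitedEKUs` map could be built once at package scope rather than on every call.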
@@ -0,0 +1,40 @@ +package cabf_cs_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestCsEKUCheck(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "pass - valid code signing certificate with required EKU", + InputFilename: "code_signing/validCodeSigningCertificate.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "fail - code signing certificate without required EKU", + InputFilename: "code_signing/noRequiredCodeSigningEKU.pem", + ExpectedResult: lint.Error, + }, + { + Name: "fail - code signing certificate with prohibited EKU", + InputFilename: "code_signing/containsProhibitedEKU.pem", + ExpectedResult: lint.Error, + }, + } + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_cs_eku_required", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_cs_br/lint_cs_key_usage_required.go b/v3/lints/cabf_cs_br/lint_cs_key_usage_required.go new file mode 100644 index 000000000..686b4405b --- /dev/null +++ b/v3/lints/cabf_cs_br/lint_cs_key_usage_required.go 
@@ -0,0 +1,79 @@ +package cabf_cs_br + +import ( + "github.com/zmap/zcrypto/x509" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +/* 7.1.2.3 Code signing and Timestamp Certificate +e. keyUsage +This extension MUST be present and MUST be marked critical. +The bit position for digitalSignature MUST be set. Bit positions for keyCertSign and +cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set. +*/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cs_key_usage_required", + Description: "This extension MUST be present and MUST be marked critical. The bit position for digitalSignature MUST be set. The bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.", + Citation: "CABF CS BRs 7.1.2.3e", + Source: lint.CABFCSBaselineRequirements, + EffectiveDate: util.CABF_CS_BRs_1_2_Date, + }, + Lint: NewCsKeyUsageRequired, + }) +} + +type csKeyUsageRequired struct{} + +func NewCsKeyUsageRequired() lint.LintInterface { + return &csKeyUsageRequired{} +} + +func (l *csKeyUsageRequired) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) +} + +func (l *csKeyUsageRequired) Execute(c *x509.Certificate) *lint.LintResult { + ku := util.GetExtFromCert(c, util.KeyUsageOID) + if ku == nil { + return &lint.LintResult{ + Status: lint.Error, + Details: "Key usage extension MUST be present.", + } + } + + if !ku.Critical { + return &lint.LintResult{ + Status: lint.Error, + Details: "Key usage extension MUST be marked critical", + } + } + + if (c.KeyUsage & x509.KeyUsageDigitalSignature) == 0 { + return &lint.LintResult{ + Status: lint.Error, + Details: "Code Signing certificate must have digitalSignature key usage", + } + } + + // keyCertSign and cRLSign bits MUST NOT be set. 
+ if (c.KeyUsage & (x509.KeyUsageCertSign | x509.KeyUsageCRLSign)) != 0 { + return &lint.LintResult{ + Status: lint.Error, + Details: "keyCertSign and cRLSign key usages MUST NOT be set", + } + } + + // All other bit positions SHOULD NOT be set. + if c.KeyUsage & ^x509.KeyUsageDigitalSignature != 0 { + return &lint.LintResult{ + Status: lint.Warn, + Details: "Only digitalSignature key usage is recommended. Other key usages SHOULD NOT be set."} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/v3/lints/cabf_cs_br/lint_cs_key_usage_required_test.go b/v3/lints/cabf_cs_br/lint_cs_key_usage_required_test.go new file mode 100644 index 000000000..43166edf2 --- /dev/null +++ b/v3/lints/cabf_cs_br/lint_cs_key_usage_required_test.go 
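Review bot: The SHOULD-NOT branch returns `lint.Warn` from a lint registered as `e_cs_key_usage_required`; zlint's `e_`/`w_` prefix tells consumers what status a failing lint produces, so anyone filtering by prefix will miss this warning and anyone treating `e_` results as errors will over-report it. Move that branch into its own `w_`-prefixed lint (a constructed name such as `w_cs_key_usage_digital_signature_only`) and keep this lint Error/Pass. The expression `c.KeyUsage & ^x509.KeyUsageDigitalSignature != 0` is correct by precedence but reads differently from the two parenthesised checks above it; write it as `if (c.KeyUsage & ^x509.KeyUsageDigitalSignature) != 0 {` for consistency. `Execute` begins in the previous line of this hunk.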
@@ -0,0 +1,45 @@ +package cabf_cs_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestCsKeyUsageCheck(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "pass - valid code signing certificate with digital signature key usage", + InputFilename: "code_signing/validCodeSigningCertificate.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "fail - code signing certificate without required key usage", + InputFilename: "code_signing/noDigitalSignatureKeyUsage.pem", + ExpectedResult: lint.Error, + }, + { + Name: "fail - code signing certificate with prohibited key usage", + InputFilename: "code_signing/containsProhibitedKeyUsage.pem", + ExpectedResult: lint.Error, + }, + { + Name: "warn - code signing certificate with not recommended key usage", + InputFilename: "code_signing/containsNotRecommendedKeyUsage.pem", + ExpectedResult: lint.Warn, + }, + } + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_cs_key_usage_required", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go b/v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go new file mode 100644 index 000000000..493e3793d --- /dev/null +++ b/v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go 
@@ -0,0 +1,58 @@
+package cabf_cs_br
+
+import (
+ "crypto/rsa"
+
+ "github.com/zmap/zcrypto/x509"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+/*6.1.5.2 Code signing Certificate and Timestamp Authority key sizes
+For Keys corresponding to Subscriber code signing and Timestamp Authority Certificates:
+• If the Key is RSA, then the modulus MUST be at least 3072 bits in length.
+• If the Key is ECDSA, then the curve MUST be one of NIST P‐256, P‐384, or P‐521.
+• If the Key is DSA, then one of the following key parameter options MUST be used:
+• Key length (L) of 2048 bits and modulus length (N) of 224 bits
+• Key length (L) of 2048 bits and modulus length (N) of 256 bits*/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cs_rsa_key_size",
+ Description: "If the Key is RSA, then the modulus MUST be at least 3072 bits in length",
+ Citation: "CABF CS BRs 6.1.5.2",
+ Source: lint.CABFCSBaselineRequirements,
+ EffectiveDate: util.CABF_CS_BRs_1_2_Date,
+ },
+ Lint: NewCsRsaKeySize,
+ })
+}
+
+type csRsaKeySize struct{}
+
+func NewCsRsaKeySize() lint.CertificateLintInterface {
+ return &csRsaKeySize{}
+}
+
+func (l *csRsaKeySize) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func (l *csRsaKeySize) Execute(c *x509.Certificate) *lint.LintResult {
+ rsaKey, ok := c.PublicKey.(*rsa.PublicKey)
+ if !ok {
+ return &lint.LintResult{Status: lint.NA}
+ }
+
+ // If the Key is RSA, then the modulus MUST be at least 3072 bits in length.
+ if rsaKey.N.BitLen() < 3072 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Code Signing RSA key modulus MUST be at least 3072 bits in length.",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_cs_br/lint_cs_rsa_key_size_test.go b/v3/lints/cabf_cs_br/lint_cs_rsa_key_size_test.go
new file mode 100644
index 000000000..41811a63d
--- /dev/null
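Review bot: The header comment reproduces the full 6.1.5.2 text, including the ECDSA curve and DSA parameter requirements, but `Execute` only checks the RSA modulus and returns NA for everything else, so the comment promises more than the file enforces; either trim the comment to the RSA bullet or add a line such as `// Only the RSA requirement is checked here; ECDSA and DSA key parameters are out of scope for this lint.` Constructor-wise, `NewCsRsaKeySize` returns `lint.CertificateLintInterface` while the other three constructors added in this commit return `lint.LintInterface`; pick one for the package. The comment's first line also names Timestamp Authority certificates, yet `CheckApplies` is `util.IsSubscriberCert(c)` only, which is probably intended given the policy-OID gate in base.go but worth stating.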
+++ b/v3/lints/cabf_cs_br/lint_cs_rsa_key_size_test.go @@ -0,0 +1,40 @@ +package cabf_cs_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestCsRsaKeySize(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "pass - code signing certificate with RSA key size >= 3072", + InputFilename: "code_signing/validCodeSigningCertificate.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "fail - code signing certificate a 2048 RSA key size", + InputFilename: "code_signing/lessThan3072RSAKeySize.pem", + ExpectedResult: lint.Error, + }, + { + Name: "NA - code signing certificate with an ECDSA key", + InputFilename: "code_signing/codeSigningWithECDSAKey.pem", + ExpectedResult: lint.NA, + }, + } + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_cs_rsa_key_size", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) + } + }) + } +} diff --git a/v3/profiles/profiles_test.go b/v3/profiles/profiles_test.go index 352a2de10..72ddd0d65 100644 --- a/v3/profiles/profiles_test.go +++ b/v3/profiles/profiles_test.go @@ -21,6 +21,7 @@ import ( "github.com/zmap/zlint/v3/lint" _ "github.com/zmap/zlint/v3/lints/apple" _ "github.com/zmap/zlint/v3/lints/cabf_br" + _ "github.com/zmap/zlint/v3/lints/cabf_cs_br" _ "github.com/zmap/zlint/v3/lints/cabf_ev" _ "github.com/zmap/zlint/v3/lints/cabf_smime_br" _ "github.com/zmap/zlint/v3/lints/community" @@ -48,6 +49,7 @@ func TestNotMissingAnyLintSources(t *testing.T) { expected := map[string]bool{ "apple": true, "cabf_br": true, + "cabf_cs_br": true, "cabf_ev": true, "cabf_smime_br": true, "community": true, 
diff --git a/v3/testdata/code_signing/codeSigningWithECDSAKey.pem b/v3/testdata/code_signing/codeSigningWithECDSAKey.pem new file mode 100644 index 000000000..3f9224c9f --- /dev/null +++ b/v3/testdata/code_signing/codeSigningWithECDSAKey.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6jCCApCgAwIBAgIBATAKBggqhkjOPQQDAjBMMRswGQYDVQQDExJPViBDb2Rl +IFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENvMQsw +CQYDVQQGEwJVUzAeFw0yNDA3MDYwMzM2MTFaFw0yNTA3MDYwMzM2MTFaMIGYMRMw +EQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYDVQQH +Ew1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQGEwJV +UzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdhbml6 +YXRpb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATygqNfraSNicrB7ZBvbdiD +xrcltb8PWCcFWeNb6exDv1Rdg2wPrXWx93ZAScbSlCBxGJPw9QjTLthlg57P/5hT +o4IBFDCCARAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMAwG +A1UdEwEB/wQCMAAwEAYDVR0jBAkwB4AFAQIDBAUwWwYIKwYBBQUHAQEETzBNMCMG +CCsGAQUFBzABhhdodHRwOi8vb2NzcC5leGFtcGxlLmNvbTAmBggrBgEFBQcwAoYa +aHR0cDovL2V4YW1wbGUuY29tL2NhMS5jcnQwEwYDVR0gBAwwCjAIBgZngQwBBAEw +VwYDVR0fBFAwTjAloCOgIYYfaHR0cDovL2NybDEuZXhhbXBsZS5jb20vY2ExLmNy +bDAloCOgIYYfaHR0cDovL2NybDIuZXhhbXBsZS5jb20vY2ExLmNybDAKBggqhkjO +PQQDAgNIADBFAiAttu5xMOUBVZ3mdxSNJESLrFqXfC+xuif8v8uM6YTlTwIhAJ5t +mocjjb81xfhnVri8aXFBLMfVQ8QEpAwl1H1D+Z21 +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/code_signing/containsNotRecommendedKeyUsage.pem b/v3/testdata/code_signing/containsNotRecommendedKeyUsage.pem new file mode 100644 index 000000000..3d026a11c --- /dev/null +++ b/v3/testdata/code_signing/containsNotRecommendedKeyUsage.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFdjCCA96gAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMRswGQYDVQQDExJPViBD +b2RlIFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENv +MQswCQYDVQQGEwJVUzAeFw0yNDA3MDYwMzI2MDFaFw0yNTA3MDYwMzI2MDFaMIGY +MRMwEQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYD +VQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQG +EwJVUzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdh +bml6YXRpb24wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC5bdIb2xZe +yfPeoK2cT/wf4QbwiKfXpACoKq38zxjzDO3YLfXSQ50Emk5KDb88wmXro+lDuaXw +tP9MCwqGco7zaxHkJH13AFCe73pLmR38rAVCurQXg4QPWYfeoGZIAk78TMh2d39r +MQyAQm7YoGOLBQD41CP4w8lijnk/dAjmH9EC+hzLCa3Su/Sadj5oHKGzPk80DndE +UWxb2OAFM5xQhCXh4iPMHy1z/l+2TXhEM3YhonFH0ZRErhu60NOKDceQ3XL2hhDm +h+lJgF3ebdr8LlJZYiNOKz7IYTsEhJP5vftGhZ1puN1P/4KzEO4cPyHJN/fBb0z8 +ltl8YTayf6IofNawrYdXF1EDvtFA9bTOqIfrFEwwjybVCU0ftZNi6x75WwLuQW2l +wl8QwziueN2W1eCBA3Ib0aCLbplmzQm146sawu4l0F+0mQwp/iOtt0wDC+bR391t +mHJU3DY0vswDxp9bH1dh+URF6FU+inEHVAhT8N202E5kTfePzXV6CdMCAwEAAaOC +ARQwggEQMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAzAMBgNV +HRMBAf8EAjAAMBAGA1UdIwQJMAeABQECAwQFMFsGCCsGAQUFBwEBBE8wTTAjBggr +BgEFBQcwAYYXaHR0cDovL29jc3AuZXhhbXBsZS5jb20wJgYIKwYBBQUHMAKGGmh0 +dHA6Ly9leGFtcGxlLmNvbS9jYTEuY3J0MBMGA1UdIAQMMAowCAYGZ4EMAQQBMFcG +A1UdHwRQME4wJaAjoCGGH2h0dHA6Ly9jcmwxLmV4YW1wbGUuY29tL2NhMS5jcmww +JaAjoCGGH2h0dHA6Ly9jcmwyLmV4YW1wbGUuY29tL2NhMS5jcmwwDQYJKoZIhvcN +AQELBQADggGBAJ1/Tur992NkjVgcKcbfouMBu/w2H9AXmCxickcN9B5nIaGU3ZHQ +stdceeaf96AjOow73WXcMhg6ar/0fxwALWIoqik5ctX/IfJulfY14VWcCmqWoio0 +ak5pC6ky5kpETIzr5WYBDZQBRSzj0XxPQ1Mg57x2NPj7RjE0ck5/q7fpepUa/yje +MTRYpDWAIu7YKk/SKk7VrkRSnOJuBzJEmieCbe8RHjXzBCQ1Ntmr2Mi6hoShuM/1 +LLC1Jcga/4HwZ/aUACuBt1vib0zk4YeY3Kv0OJDX8ADfSf+2aE8SeIGcWEAYOY9M +fuyxGIRZafBqP84cBBJpYskQUrdqZem2qn7Mx58YQy7x9ePpxOSJPqoicK29gqrN +yHUG54n9kuIbjm0/tkBNXJD6IGiilNr86D6xCgj9hAEro4BKQC1vjCBHyn/DOn1D +2X1mjwQlmMBPax1XCaoJnwirqS0nstVLbTWLyIYj2AGnzimEHQl+rLmE9Nq/JRoz +yG32KvxbhClEJg== +-----END 
CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/code_signing/containsProhibitedEKU.pem b/v3/testdata/code_signing/containsProhibitedEKU.pem new file mode 100644 index 000000000..5953bf3e4 --- /dev/null +++ b/v3/testdata/code_signing/containsProhibitedEKU.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFXzCCA8egAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMRswGQYDVQQDExJPViBD +b2RlIFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENv +MQswCQYDVQQGEwJVUzAeFw0yNDA3MDYwMjU3MjJaFw0yNTA3MDYwMjU3MjJaMIGY +MRMwEQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYD +VQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQG +EwJVUzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdh +bml6YXRpb24wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCptmgrUHmJ +kAJSF9AepxgQCfiY6sD9+Y4sEtn5nzk7NMTsXI/xiEPyiP5UJhPwHJ9Ps1hFKqsW +v6ESeWdaNRNgAkoKY+FCKj6bPtHib0CbuQjkQlQpYY7ak/7jdBhPrXDg+Ahb1Br6 +eh3zPUPE7yucex8dr2eafE6G+BLgU9Ki9KY4JYt4CT+Xk0k8+arkZ/vO8nL/RUYB +SdzvJDGX7oxp49tMcOVA0KJtRIm8ZzB3Qbo9gF6OjJsjIEGN3k8zMaXJRIRUtSy6 +IzIfc3wdclpdjQv6e/ABh5ULYFp1kkcjW8qcEu4EF+UVb5i1mkRFUNaWVEjGc01D +VFD608FoeXm5yKXvVVs4RG9Y8IuU6THT2u+C35jSRxigwC/aCDraiSJLOMR3o+h8 +vFoNYXStCnxI6PQ6dUgl/rtuZ9eHv1Do5A28tLudZQEhvVePQTpIsRDMZDvKwis/ +xluLSeies1CFuncXQvSZeRdr+veeHKnm6tPYCWJXeyiAhQqdgaP+5LUCAwEAAaOB +/jCB+zAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAQBgNVHSMECTAHgAUB +AgMEBTBbBggrBgEFBQcBAQRPME0wIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmV4 +YW1wbGUuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZXhhbXBsZS5jb20vY2ExLmNy +dDATBgNVHSAEDDAKMAgGBmeBDAEEATBXBgNVHR8EUDBOMCWgI6Ahhh9odHRwOi8v +Y3JsMS5leGFtcGxlLmNvbS9jYTEuY3JsMCWgI6Ahhh9odHRwOi8vY3JsMi5leGFt +cGxlLmNvbS9jYTEuY3JsMA0GCSqGSIb3DQEBCwUAA4IBgQBgQIxlQAee54CrcOTx +vXy5nojaNZPwhIIbkt03xmFSM7cVHMJRvaoMJ91ZyyUawdWFtrunyVvu1lGEM8Og +gli4mJmjsNLhYMIyGNVPgCouv4q9aVgX7BwE8Wa2ZCJfjmFQqQAUPiyFHYPUVgB4 +5t7dfIsgPILTMOYE+POtuSZxgcL3zlCTqHcfmH9TtgIwemXUjweLOJR42eR5Y+9Z +jqsLqVz3GIox8/QAtoKDjwGkgQMQ3RAxre+fP5Muj4UJCZdrnqodsglIeR5vxkwY +gqHYr2RrGg+U49GAOScYRmAgx8f35HDCW4QT7HmpbPO/MA7KXFmoVBLU2skzmAaP +oEM+ebevNODoM1E5gOL2py+Zbm/GbVTpOCvsrDzXfPQGbq+6+7BghsTQM7d1d8Hz +ZUug6QIehC06/+Ye6VmyOPcWkFMDkiLKHwnRjF205B1sjyv6wVXj+OQDeCZ7vKnO +Wz1kgq1RZJDizuyhKHPxsMXmnpxTpWr0uJuEptVqjcyEj0M= +-----END CERTIFICATE----- \ No newline at end of file 
diff --git a/v3/testdata/code_signing/containsProhibitedKeyUsage.pem b/v3/testdata/code_signing/containsProhibitedKeyUsage.pem new file mode 100644 index 000000000..1ede30c43 --- /dev/null +++ b/v3/testdata/code_signing/containsProhibitedKeyUsage.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFdjCCA96gAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMRswGQYDVQQDExJPViBD +b2RlIFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENv +MQswCQYDVQQGEwJVUzAeFw0yNDA3MDYwMzI3MTlaFw0yNTA3MDYwMzI3MTlaMIGY +MRMwEQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYD +VQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQG +EwJVUzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdh +bml6YXRpb24wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC70UpqXxfn +mNfA2ZZB0VBT7Je/RHRd1U5OwsFnF/qttittbJirtt9iuxSl4HR4r9uGZKwV8V68 +KNiBW+52hxU44B6rguiCoV8Oo3RCZVSsJFaQVglVl66Zv7L3zJrvTr/1YGDtAX6i +N8T9brs3uUi4FhXPWCcA34o8gBVZekuEcLLijiVpFr4qwzdfdwnyOrpMr0xmLu6H +FreZHlfBMCHQuQsVaRPac7JsbXJNWm2IjhoWEDF5JUlQ5WH0seArgZaGMfKpN7Lq +KTdQ3S3wxKPZeRYnpFNHEP47F3UWFLAuHfxKH+D26Xvr3WmkGYe6LQncUrFsg0E+ +WGwYRVMY16fJxxdALiNH8U1JBR/W0SfT/NZJFShke/INYJPox45stMRThipBoGIk +zcsYK7Txjh7DL+NsQPHVyO8wc//5VTPNfdfFyj2wiQPWB6QIrfItZGGc4LUKMBf8 +vtuVoiEyJNKXmJXDsPbiJgs132UhtQ5CCch+Ydkh5LqHhu8ztp+KHzcCAwEAAaOC +ARQwggEQMA4GA1UdDwEB/wQEAwIChDATBgNVHSUEDDAKBggrBgEFBQcDAzAMBgNV +HRMBAf8EAjAAMBAGA1UdIwQJMAeABQECAwQFMFsGCCsGAQUFBwEBBE8wTTAjBggr +BgEFBQcwAYYXaHR0cDovL29jc3AuZXhhbXBsZS5jb20wJgYIKwYBBQUHMAKGGmh0 +dHA6Ly9leGFtcGxlLmNvbS9jYTEuY3J0MBMGA1UdIAQMMAowCAYGZ4EMAQQBMFcG +A1UdHwRQME4wJaAjoCGGH2h0dHA6Ly9jcmwxLmV4YW1wbGUuY29tL2NhMS5jcmww +JaAjoCGGH2h0dHA6Ly9jcmwyLmV4YW1wbGUuY29tL2NhMS5jcmwwDQYJKoZIhvcN +AQELBQADggGBAHA04PsqBfia9WyZ38VUbeCq5+OstCGdPCXAPlmY7xnRpBF6IYIZ +wCym6Ck6uTRGBaN25HRTkLQbjoSFB2XjFWb3rBHb5kPmpvcK7dbodhdKYnz2xT9d +SPTeKoz3mD3uN37CB0ol0f93hq0+Uk9uecaC0+jgYs2LkOYPuWmvf/YDL6ys+ZHE +0pecQc6Jk+fvVNj0e1+N74fRZYlqjo4EGkt0Oai0cs8M975wkh5aFyjCs4CPyoPS +5476CD/sRW+cMKZ9+kM/QNtw35neQ7Mk1zmPhBtakwJxHZDazpsggmgT/rx+5fLC +zoK4WKX0vac0WcfmI//qWTnxOzJlZ7PdCDaSlCxUSzk4A4MtIqYc5LuQeuqv3m+A +3sfcY/xRwrcMl0N2Q6Uy90xE9q1rpn91Uftel+dcJF+oSzQo6bWlSHcgi8nOQ72R +mZcli91eirHsqf/FBseY3ZfoE0XQvhg9w1QjW/dZFduflfjdBVJ/AmvB27qe2+aK +1TbbT22c2nkjQA== +-----END 
CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/code_signing/crlDpNoHttp.pem b/v3/testdata/code_signing/crlDpNoHttp.pem new file mode 100644 index 000000000..b01b0d3fd --- /dev/null +++ b/v3/testdata/code_signing/crlDpNoHttp.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFbzCCA9egAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMRswGQYDVQQDExJPViBD +b2RlIFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENv +MQswCQYDVQQGEwJVUzAeFw0yNDA3MDYwMjIzMTlaFw0yNTA3MDYwMjIzMTlaMIGY +MRMwEQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYD +VQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQG +EwJVUzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdh +bml6YXRpb24wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDknyQoYuzG +1LNyhyoK0ZilfNDmiAUakfGJuCNh/uJUfZNNtyuNyIajk3nY7h93BO4PgDClbPb4 +VpJHQAwpeEvtXIV5FgptQmPYTETxEUKrpK6+r12BCp2PEX6HfxYJgqKUXmgl7Lcx +ZdPm1in3xz1pfRetgv5bPwVmQUYMwU3BGXgm0SOMh/EgPYizRRtObQDW6uVlvLsn +Gs1aMIETZcfPkKaJ4sy2J1fpeztk3u26CbiBGoEUx2QCLQTAXEZ66oBfYBytOwJN +x79czM8h2BBlbSMvOpca1n7nFA/uyCoW5dhNIwTCLrkSRX3wFa0bay5NfKkIGoaT +bsss5H3lIw5DZOAteUdvTVy/TXxIpiOI/krArLBeUZeS4Tjv205vw+CMmiEtG1qL +WyqDM0btR+f0EwWd1pMKn1FdZAagOHAJa7rrZJVL/YWIQRAOL4+n0zqBCkAOWXA4 +uDdr1xpk55dagaMmtvVdmlFITNmp1Y8CL085YZ+4qLaznWyXZH3/u98CAwEAAaOC +AQ0wggEJMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAMBgNV +HRMBAf8EAjAAMBAGA1UdIwQJMAeABQECAwQFMFsGCCsGAQUFBwEBBE8wTTAjBggr +BgEFBQcwAYYXaHR0cDovL29jc3AuZXhhbXBsZS5jb20wJgYIKwYBBQUHMAKGGmh0 +dHA6Ly9leGFtcGxlLmNvbS9jYTEuY3J0MBMGA1UdIAQMMAowCAYGZ4EMAQQBMFAG +A1UdHwRJMEcwHqAcoBqGGGNybDEuZXhhbXBsZS5jb20vY2ExLmNybDAloCOgIYYf +aHR0cDovL2NybDIuZXhhbXBsZS5jb20vY2ExLmNybDANBgkqhkiG9w0BAQsFAAOC +AYEAvAJyjnnaX8xOyqerT1AhfASbm14x+HI9dErFTsG8DhVifOOPIK7dGknpQopQ +vRuqxu1k+JXN04LDuV4yVE5Tocey3Rr2VeZfZNmO236xxIZCL6xXyf1Cg3ggQWLL +t9xO7D12JQ0IqVbVgnRhLV3uQMRFOEI0stfEs10xvh/5K5Fl5B44yCCTzPZNW8JG +V43rBOYHtvlfgh2hrPWGnJV8NSIR0RpLI3QToxHIGtsOcvE01ie2OzyvIrws/hEE +LVZB/otcyStEhhiKH7puF8iXXHH/SWFxy6tmASarlqejNvMA//s+EYqLc6GdzEgE +UTkUvhpxIElEZYnMP6BlNpzPNkyQgN8dvGDEdyF/CaDsapD1pdm27As/+K+X+vJH +isoUM6F0GrxiXiwJKlDc+AwkcjNZNNXkGjXvfLVsF0NhAqsZhPXNKMc04iaqoAw0 +k4Tvcyf0zH0r35w84f95D0a1Tp2FNOunsIn+vdaXX5FTqricQDFvvFBureVBhgVL +QX4l +-----END CERTIFICATE----- \ No 
newline at end of file diff --git a/v3/testdata/code_signing/lessThan3072RSAKeySize.pem b/v3/testdata/code_signing/lessThan3072RSAKeySize.pem new file mode 100644 index 000000000..f729bc345 --- /dev/null +++ b/v3/testdata/code_signing/lessThan3072RSAKeySize.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE9jCCA16gAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMRswGQYDVQQDExJPViBD +b2RlIFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENv +MQswCQYDVQQGEwJVUzAeFw0yNDA3MDYwMzMxNTRaFw0yNTA3MDYwMzMxNTRaMIGY +MRMwEQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYD +VQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQG +EwJVUzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdh +bml6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCg5SkCM5qG +P4dyCvbcUSwrAN47BWnhJabSVRtywFptCPtHomZVT5y3kgfbS7m/c5UAxlYzebxa +uAf89pynTzGR7Fi79ymCjxE8fKw7+TMVKSmcz5SAUn0TaL95pA++sDuFMsV0vgkv +/XobquDtUDfg7V94OGAWcuOnibKqpoHMe5AW3d7JyboWZ5ZZuBnmVgDiXHdYq7B0 +XZrX7nlutSYGyOu9/CUlQf9+SDiTAduHP4BwYobUvgkwzlVNVeNbBTL3jQZqwwOR +ZeCyrwg5vN9igBB9XVg3A2+AeCXOJlHieVX4bbecZWzZcay4yE5z3CGNAB8ocaUA +aPsbF2bL1I3xAgMBAAGjggEUMIIBEDAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAww +CgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAQBgNVHSMECTAHgAUBAgMEBTBbBggr +BgEFBQcBAQRPME0wIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmV4YW1wbGUuY29t +MCYGCCsGAQUFBzAChhpodHRwOi8vZXhhbXBsZS5jb20vY2ExLmNydDATBgNVHSAE +DDAKMAgGBmeBDAEEATBXBgNVHR8EUDBOMCWgI6Ahhh9odHRwOi8vY3JsMS5leGFt +cGxlLmNvbS9jYTEuY3JsMCWgI6Ahhh9odHRwOi8vY3JsMi5leGFtcGxlLmNvbS9j +YTEuY3JsMA0GCSqGSIb3DQEBCwUAA4IBgQBpso1dW1op+zXuhHDEk3ZyEUP38bvI +Mlvcjg2Z+EDI3FdT6gWdwsS2HqIApd1Ukk0DxB+Zyf/WEwJjdDlf0/XTPwivuOJ3 +lywDSFpIPZhjBj1YIuxsY3oblyQ7mE7RDkZ8K6fUT+wP3/EE7IkvFTUKSt+laLhi +PV0T2hKSrKY6OWDASWcXUyEDS6zh58O2BACc5ZlNZe6LqdXgf3nAXKJZ6jvBC8Bj +JknYfyEpdAO4/4dTAMb0rN3cJuB43ds2W7yMwUtnUnlYFqsMmi0ZJwii7LMGIsjm +yYWEYS8jfemLnZ+rmw09zyFewt6zOiPyDkXVMIvWVeVRPIoWyOKUCOj0alMUZZhs +jQ3Bh5zfVO5u1LXIVLWb/XOd8i48TiWYy1yPUEFoaDLj0kRIUpnmYCVrKV9TPajp +7ypnmF0ovHI8u/B+q8P4MkNoLMMBk2D1Z8AFR4cmMewjgsE4K2Re25Z0za1JE4rE +1C8H5UXrMeyT41EZ5gyp4srNbxYRMe0fRTY= +-----END CERTIFICATE----- \ No newline at end of file 
diff --git a/v3/testdata/code_signing/noCrldpIncluded.pem b/v3/testdata/code_signing/noCrldpIncluded.pem new file mode 100644 index 000000000..44e59466a --- /dev/null +++ b/v3/testdata/code_signing/noCrldpIncluded.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFGzCCA4OgAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMRswGQYDVQQDExJPViBD +b2RlIFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENv +MQswCQYDVQQGEwJVUzAeFw0yNDA3MDYwMTQ3MTFaFw0yNTA3MDYwMTQ3MTFaMIGY +MRMwEQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYD +VQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQG +EwJVUzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdh +bml6YXRpb24wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCxgRPUNFju +Q6rqOl6564wyYEQCq9H44nYZgRO3pw2QgJnAoq4MB28Va+1ElwEKU75jOBc+WCD+ +iYYGi6n8r3LGAeZnVmZzCJ9LVY/P/xsihQEfCkRM+o+GyarY5tjkSZO5PtBtDHDZ +ylcdCP4x02LM15cZNWUINbwQxKqrDuIB7HbUgCG/SF3TR4f47us7WUvBZ7MhXlnc +Pq/DTMg6+mXe5K5lOOrRf2kfzmfADdP7bUNVmHPq7JzapL1Cl2xLWJkhi4bG+aPu +mrjxf/+1NcomfMhVQVjtmB9gjFgCrix/qumlRRBua10c+XigewZAcL6V9xcWnkM1 +3hEa21K8VrJqHupsJPKwULBdB2PDA40/NT1zY/yspPW1BQS60ocJ3Ue+YI/bZwgw +958nFP8F24Tx8VMjfTVSThnPAotVPTd/P1XVLv/E+uI9NMSMAKPpYhn8VW4mPobr +4PQeHY08ULwZ2r8MIsGhNfBbVlS2eZOAo8aY+a4e81rNoGe/Tqf5NnsCAwEAAaOB +ujCBtzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDAYDVR0T +AQH/BAIwADAQBgNVHSMECTAHgAUBAgMEBTBbBggrBgEFBQcBAQRPME0wIwYIKwYB +BQUHMAGGF2h0dHA6Ly9vY3NwLmV4YW1wbGUuY29tMCYGCCsGAQUFBzAChhpodHRw +Oi8vZXhhbXBsZS5jb20vY2ExLmNydDATBgNVHSAEDDAKMAgGBmeBDAEEATANBgkq +hkiG9w0BAQsFAAOCAYEAIIyZRE9Gcnagdh+RnLyd2vl1Ty6Jzbqlh83R8N73x3pm +oDSMNM5SUFIxPHbIDuRubR5P5S+fn6SHsrMJkuYPCQxyJ8ftsdeLff6oAJ62+KM/ +ktCEh/wJ6E3TZsEe/w+d/x3grZTH7kBMtmd/84ty1cLjONv4TE/zDC8fIOl8sOl2 +Em/qx/QNPoWs7t5aURFqkfOTkIps7aegFyAEqC7Fml2O5dSX/Ih3GccpeK0EPG6Z +hwNFdTGu9A6m4nSPP5BF204QjM3Y1S6LlvfLW9QLH2K2zlGkqVsbY6wnjKfS0eQu ++uSINaJw5M3lOL9JFQeG7BTVP0Y/iK49r1n2UQu6Pq/YLDvQpIX3ONt2bIhW9plm +yCoB3pu5GZur9KDiwzcR8kQx2oAOTWdpfmuJZb9T+mg3hWD+Z41IOI9FyP29R3vp +G2UY4HCPir1N2hyFOFYm2whucjKqwlFCaIJXXPoKDVRAEq/CCHV+izWy5qyDkQQ+ +9Qhs6pEhIDAesr211k9W +-----END CERTIFICATE----- \ No newline at end of file 
diff --git a/v3/testdata/code_signing/noDigitalSignatureKeyUsage.pem b/v3/testdata/code_signing/noDigitalSignatureKeyUsage.pem new file mode 100644 index 000000000..57174e95f --- /dev/null +++ b/v3/testdata/code_signing/noDigitalSignatureKeyUsage.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFdjCCA96gAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMRswGQYDVQQDExJPViBD +b2RlIFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENv +MQswCQYDVQQGEwJVUzAeFw0yNDA3MDYwMzE4NTNaFw0yNTA3MDYwMzE4NTNaMIGY +MRMwEQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYD +VQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQG +EwJVUzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdh +bml6YXRpb24wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDPSyYeoBBV +5ixk7eL/7s3CI1h2eCJkGzNB0w5fVbWdUD4DPlOeW0mTmYCRi5ksANwMT9rDMEMo +Y+X8pbw2HLXkMi1j1Tk3QjRZiQqM/qef2Xjz9fbTwZ34YS1ZjMS5++E4R6lvW1Fo +KAYEq45TfsuXS9Pg+dntNMTSJqO+oZrkMRdIGQiK59gfhNevPWa2dWZ9WHii/qiC +nSZ54jk/ZPptdJo1RsJ4NQ2sfM2/Ul8t4XxXszkO0LxbTqUA4jLc/xp79WPbgLRj +Ip7i3Z+m3vTeKb9Gnxyo+oFKVYf57BEy+Fku8+HUh/rndG29au43bZNNlGxD4ivr +KuG0NDFLqdH3Op5pUniWRqyc9czjuiiCKAbLBcGaEXbcv5Zbs6pveLt0S5p8mAf1 +zIcbh9ZQmH2EzYDpHP6OaoPRmAHonxF90FfIb79y/Hn0dTATyt/miZxXPux3Cgck +aMlbzVfcZoRUBXPQKKj6X8TFPAA0S04cq6E/sjb4DCllH58xw2ZGlYECAwEAAaOC +ARQwggEQMA4GA1UdDwEB/wQEAwIFIDATBgNVHSUEDDAKBggrBgEFBQcDAzAMBgNV +HRMBAf8EAjAAMBAGA1UdIwQJMAeABQECAwQFMFsGCCsGAQUFBwEBBE8wTTAjBggr +BgEFBQcwAYYXaHR0cDovL29jc3AuZXhhbXBsZS5jb20wJgYIKwYBBQUHMAKGGmh0 +dHA6Ly9leGFtcGxlLmNvbS9jYTEuY3J0MBMGA1UdIAQMMAowCAYGZ4EMAQQBMFcG +A1UdHwRQME4wJaAjoCGGH2h0dHA6Ly9jcmwxLmV4YW1wbGUuY29tL2NhMS5jcmww +JaAjoCGGH2h0dHA6Ly9jcmwyLmV4YW1wbGUuY29tL2NhMS5jcmwwDQYJKoZIhvcN +AQELBQADggGBAKYV/kgF2Kzxaje1jUC1jahknveviayeT7ZvHnes+bAl2pejRD07 +rJlJGdBelnUFeTF828SArsbaIcwxcRHI6aEsE9EhkEmIZtIFQxdRhRIxaJggZkNb +Z/OzKf3UvuRgcHmW73Y+TKptLjQJUJcqejkhYBWoyWvsRwpmAzTBKIfunmZ9Dbqy +rTd8vi2+/c3jwV17VP7ZCDkrAuiKd3dhLU3GzgrmRO9VjdrUNrMf6Bt2gbmjTHeh +VjCxVoLygV80EoF3hM5Sj2qEgQVtj7CWsrRMcv3ii2BsIT5PS3tkg0DusQ6XK8HK +u3G71FOkmVHnNoAslzZ6aG1OLUKr+OypqTBSL9sVLv41L5144qTlKqb57SR0fy63 +LKIiRiJlVje4sJtSZFJUkoPVi6pJL7lb21egvk+WvhNFJzsR7wb1DaDiBm0gSeab +nv7u0fIFY3Z3e8/bEIlM0A4GslCNI0PC0sQenx2RMVkh8afb8bm/la0Olln7N1kY +pB+xcp6w92ioWQ== +-----END 
CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/code_signing/noRequiredCodeSigningEKU.pem b/v3/testdata/code_signing/noRequiredCodeSigningEKU.pem new file mode 100644 index 000000000..5953bf3e4 --- /dev/null +++ b/v3/testdata/code_signing/noRequiredCodeSigningEKU.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFXzCCA8egAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMRswGQYDVQQDExJPViBD +b2RlIFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENv +MQswCQYDVQQGEwJVUzAeFw0yNDA3MDYwMjU3MjJaFw0yNTA3MDYwMjU3MjJaMIGY +MRMwEQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYD +VQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQG +EwJVUzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdh +bml6YXRpb24wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCptmgrUHmJ +kAJSF9AepxgQCfiY6sD9+Y4sEtn5nzk7NMTsXI/xiEPyiP5UJhPwHJ9Ps1hFKqsW +v6ESeWdaNRNgAkoKY+FCKj6bPtHib0CbuQjkQlQpYY7ak/7jdBhPrXDg+Ahb1Br6 +eh3zPUPE7yucex8dr2eafE6G+BLgU9Ki9KY4JYt4CT+Xk0k8+arkZ/vO8nL/RUYB +SdzvJDGX7oxp49tMcOVA0KJtRIm8ZzB3Qbo9gF6OjJsjIEGN3k8zMaXJRIRUtSy6 +IzIfc3wdclpdjQv6e/ABh5ULYFp1kkcjW8qcEu4EF+UVb5i1mkRFUNaWVEjGc01D +VFD608FoeXm5yKXvVVs4RG9Y8IuU6THT2u+C35jSRxigwC/aCDraiSJLOMR3o+h8 +vFoNYXStCnxI6PQ6dUgl/rtuZ9eHv1Do5A28tLudZQEhvVePQTpIsRDMZDvKwis/ +xluLSeies1CFuncXQvSZeRdr+veeHKnm6tPYCWJXeyiAhQqdgaP+5LUCAwEAAaOB +/jCB+zAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAQBgNVHSMECTAHgAUB +AgMEBTBbBggrBgEFBQcBAQRPME0wIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmV4 +YW1wbGUuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZXhhbXBsZS5jb20vY2ExLmNy +dDATBgNVHSAEDDAKMAgGBmeBDAEEATBXBgNVHR8EUDBOMCWgI6Ahhh9odHRwOi8v +Y3JsMS5leGFtcGxlLmNvbS9jYTEuY3JsMCWgI6Ahhh9odHRwOi8vY3JsMi5leGFt +cGxlLmNvbS9jYTEuY3JsMA0GCSqGSIb3DQEBCwUAA4IBgQBgQIxlQAee54CrcOTx +vXy5nojaNZPwhIIbkt03xmFSM7cVHMJRvaoMJ91ZyyUawdWFtrunyVvu1lGEM8Og +gli4mJmjsNLhYMIyGNVPgCouv4q9aVgX7BwE8Wa2ZCJfjmFQqQAUPiyFHYPUVgB4 +5t7dfIsgPILTMOYE+POtuSZxgcL3zlCTqHcfmH9TtgIwemXUjweLOJR42eR5Y+9Z +jqsLqVz3GIox8/QAtoKDjwGkgQMQ3RAxre+fP5Muj4UJCZdrnqodsglIeR5vxkwY +gqHYr2RrGg+U49GAOScYRmAgx8f35HDCW4QT7HmpbPO/MA7KXFmoVBLU2skzmAaP +oEM+ebevNODoM1E5gOL2py+Zbm/GbVTpOCvsrDzXfPQGbq+6+7BghsTQM7d1d8Hz +ZUug6QIehC06/+Ye6VmyOPcWkFMDkiLKHwnRjF205B1sjyv6wVXj+OQDeCZ7vKnO +Wz1kgq1RZJDizuyhKHPxsMXmnpxTpWr0uJuEptVqjcyEj0M= +-----END CERTIFICATE----- \ No newline at end of file 
diff --git a/v3/testdata/code_signing/validCodeSigningCertificate.pem b/v3/testdata/code_signing/validCodeSigningCertificate.pem new file mode 100644 index 000000000..33519c680 --- /dev/null +++ b/v3/testdata/code_signing/validCodeSigningCertificate.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFdjCCA96gAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMRswGQYDVQQDExJPViBD +b2RlIFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYDVQQKEwpFeGFtcGxlIENv +MQswCQYDVQQGEwJVUzAeFw0yNDA3MDYwMjQ1MTZaFw0yNTA3MDYwMjQ1MTZaMIGY +MRMwEQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpFeGFtcGxlIENvMRYwFAYD +VQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQG +EwJVUzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdh +bml6YXRpb24wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC6YBPRTm1x +VJF2OEOz4Wn6koejChFm6RCsA6iMYhupijFQk2nf/f9mnkE64LAHuHrDXvan5Zhj +8CJhvwk1bfGE0DCEt9BoGtYfNqRT99EsH4OkSjY4qvmTN0ZCOOHQBhA9Xj3jYr2U +Px3qtmGaJZwUjaXCQmP8oTtYVGJH53EY1AJpR1DDPuzVZNjz7UNJ06U09lpKyTB8 +VdvbBp5C2LAhmJXrGIjKUXAl8x4w12xjR6YRfR+uS7gj7VnUPLwO62+KRUGUYamu +ODlAkwhi9mlgKv04pPR2PBfY8dKMjeVpD0B4bkkzT2UEZPRrCwKKOV0fWhigDg9u +ZCfzyuelvhoQS90nOkgOshi9I+RWRO4KzwKKmuHQWnNURHPFYhqIlGPOD0ElxS73 +2OPUaaT7JNxGTjxLi86e9rmK3EYjrBuTmSzB7NY0brcR+0OE5pNRMlFxtNjkh0h2 +Vnod3+AMzisnn9g6qLMSZK89yFt0wBd8cvh1VwrQb+KzxZ4IRvDaBSsCAwEAAaOC +ARQwggEQMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAMBgNV +HRMBAf8EAjAAMBAGA1UdIwQJMAeABQECAwQFMFsGCCsGAQUFBwEBBE8wTTAjBggr +BgEFBQcwAYYXaHR0cDovL29jc3AuZXhhbXBsZS5jb20wJgYIKwYBBQUHMAKGGmh0 +dHA6Ly9leGFtcGxlLmNvbS9jYTEuY3J0MBMGA1UdIAQMMAowCAYGZ4EMAQQBMFcG +A1UdHwRQME4wJaAjoCGGH2h0dHA6Ly9jcmwxLmV4YW1wbGUuY29tL2NhMS5jcmww +JaAjoCGGH2h0dHA6Ly9jcmwyLmV4YW1wbGUuY29tL2NhMS5jcmwwDQYJKoZIhvcN +AQELBQADggGBAHPMqvS5AKx+r/uSkaRnWUiVk1hzPOfpHSHQjN2nUxnuM5xqeYsi +9pKFGQyD1/ZfSjJFXW29oxnTTZpejLx7rK7EIhF/9a218Mu60qiAUeMfwe6bdTT+ +2Fy9Z+XgFI83q3UXze/oVFmyVHY5q8z8eaRGHqYc2kZtXsN5YPIzzSNm+IDAQCeT ++59PCS1vXYBNt/3D/fKDeh+mbDSV9tWkfGFpwHjKBfmZ5fwzhzNO+uaz7wxJ+k+Z +pkkNLJnx+/5GCahikTSCg5Hj4PUVUjQZ09OSB2qUwgBIsQtj4QEyL5TKpxlNMGzW +0DeYC+Brfu3OSI53IKKyyTtnWU4mERRcrc3Pm4XI6znXVfnAuwzePUwYmvyzEd07 +qOt17M3+TvmmYsiRfcvYfJEt6LCqyz956Od3XsflgakcYfi3C50M+3EH3mDC0Avv +krqRQQ7kvGfeBM1Auzhd2UxsodDYDVpBA65ViF2dBZXHEOEe0XbXAkkEk6x3az0Y +4ASC/OntrDZxsQ== +-----END 
CERTIFICATE-----
\ No newline at end of file
diff --git a/v3/util/cs.go b/v3/util/cs.go
new file mode 100644
index 000000000..5191ba285
--- /dev/null
+++ b/v3/util/cs.go
@@ -0,0 +1,18 @@
+package util
+
+import "github.com/zmap/zcrypto/encoding/asn1"
+
+const (
+ evCodeSigningPolicy = "2.23.140.1.3"
+ codeSigningPolicy = "2.23.140.1.4.1"
+)
+
+func IsCodeSigning(policies []asn1.ObjectIdentifier) bool {
+ for _, policy := range policies {
+ if policy.String() == evCodeSigningPolicy || policy.String() == codeSigningPolicy {
+ return true
+ }
+ }
+
+ return false
+}
diff --git a/v3/util/time.go b/v3/util/time.go
index 0f3a1948c..c0c9ee3e6 100644
--- a/v3/util/time.go
+++ b/v3/util/time.go
@@ -86,6 +86,7 @@ var (
 SC62EffectiveDate = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
 // Date when section 9.2.8 of CABF EVG became effective
 CABFEV_Sec9_2_8_Date = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC)
+ CABF_CS_BRs_1_2_Date = time.Date(2019, time.August, 13, 0, 0, 0, 0, time.UTC)
 )
 
 var (
diff --git a/v3/zlint.go b/v3/zlint.go
index c94bcb6c7..93c7a2e14 100644
--- a/v3/zlint.go
+++ b/v3/zlint.go
@@ -23,6 +23,7 @@ import (
 "github.com/zmap/zlint/v3/lint"
 _ "github.com/zmap/zlint/v3/lints/apple"
 _ "github.com/zmap/zlint/v3/lints/cabf_br"
+ _ "github.com/zmap/zlint/v3/lints/cabf_cs_br"
 _ "github.com/zmap/zlint/v3/lints/cabf_ev"
 _ "github.com/zmap/zlint/v3/lints/cabf_smime_br"
 _ "github.com/zmap/zlint/v3/lints/community"
From f83e4e2d27c56082d4ecdb4679d8b58ae6996c18 Mon Sep 17 00:00:00 2001
From: Rob Stradling
Date: Wed, 31 Jul 2024 11:46:08 +0100
Subject: [PATCH 9/9] README: Add pkimetal to users list (#873)
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4747c8599..92eb56e85 100644
--- a/README.md
+++ b/README.md
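Review bot: `IsCodeSigning` in the new v3/util/cs.go is exported but carries no doc comment, and the two string constants do not say which OIDs they hold; add `// IsCodeSigning reports whether policies contains the CA/B Forum EV code signing (2.23.140.1.3) or code signing (2.23.140.1.4.1) policy OID.` above the function. On the comparison line, `policy.String()` is evaluated twice per iteration; bind it once with `s := policy.String()` and compare `s` against both constants, or parse the constants into `asn1.ObjectIdentifier` values once and use `policy.Equal(...)`. Because applicability to the cabf_cs_br lints is decided by policy OID alone, a certificate presenting a code signing EKU without either OID would presumably not be selected; if that is the intended scope, say so in the doc comment so lint authors do not assume EKU-based selection.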
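Review bot: `CABF_CS_BRs_1_2_Date` in v3/util/time.go is added without a comment, while the adjacent `CABFEV_Sec9_2_8_Date` records what its date marks, so a reader cannot tell from the hunk which requirement became effective on 2019-08-13. Add a line above it in the same style, e.g. `// Date when the CABF Code Signing Baseline Requirements v1.2 became effective`, adjusting the wording if the identifier's version does not match the document the date was taken from. The enclosing `var (` block starts outside the hunk.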
@@ -251,7 +251,7 @@ Here are some projects/CAs known to integrate with ZLint in some fashion:
 * [Microsoft](https://www.microsoft.com)
 * [Nexus Certificate Manager](https://doc.nexusgroup.com/display/PUB/Smart+ID+Certificate+Manager)
 * [QuoVadis](https://www.quovadisglobal.com/)
-* [Sectigo](https://sectigo.com/) and [crt.sh](https://crt.sh)
+* [Sectigo](https://sectigo.com/), [crt.sh](https://crt.sh/), and [pkimetal](https://github.com/pkimetal/pkimetal)
 * [Siemens](https://siemens.com/pki)
 * [SSL.com](https://www.ssl.com/)
 * [PKI Insights](https://www.codegic.com/pki-insights-health-monitoring-for-microsoft-ca/)