Add support for short-lived TLS certificates

pkilint/cabf/serverauth/__init__.py

@@ -22,6 +22,7 @@
     serverauth_finding_filter,
 )
 from pkilint.common import alternative_name
+from pkilint.msft import msft_extension
 from pkilint.pkix import name, certificate
 from pkilint.pkix.certificate import certificate_validity
 
@@ -358,6 +359,10 @@ def create_subscriber_extension_validator_container(
             serverauth_subscriber.SubscriberKeyUsageValidator(),
             serverauth_subscriber.SubscriberBasicConstraintsValidator(),
             serverauth_subscriber.SubscriberPoliciesValidator(certificate_type),
+            serverauth_subscriber.SubscriberRevocationInformationPresenceValidator(
+                validity_period_start_retriever
+            ),
+            msft_extension.EndEntityRevocationInformationPresenceValidator(),
         ]
     )
 

pkilint/cabf/serverauth/serverauth_ca.py

@@ -323,7 +323,7 @@ class CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator(
     _CODE_CLASSIFIER = "cabf.serverauth.ca"
 
     _ACCESS_METHOD_ALLOWANCES = {
-        rfc5280.id_ad_ocsp: Rfc2119Word.SHOULD,
+        rfc5280.id_ad_ocsp: Rfc2119Word.MAY,
         rfc5280.id_ad_caIssuers: Rfc2119Word.MAY,
     }
 

pkilint/cabf/serverauth/serverauth_constants.py

@@ -3,7 +3,7 @@
 
 from pyasn1.type.univ import ObjectIdentifier
 
-BR_VERSION = "2.0.10"
+BR_VERSION = "2.1.1"
 
 
 ID_POLICY_EV = ObjectIdentifier("2.23.140.1.1")

pkilint/cabf/serverauth/serverauth_subscriber.py

@@ -1,10 +1,12 @@
+import datetime
 import operator
 from datetime import timedelta
 
 from pyasn1_alt_modules import rfc5280, rfc6962, rfc5480
 
 import pkilint.common
 from pkilint import validation, document, oid, common
+from pkilint.pkix import certificate
 from pkilint.cabf import cabf_name
 from pkilint.cabf.asn1 import ev_guidelines
 from pkilint.cabf.serverauth import serverauth_constants
@@ -645,12 +647,12 @@ def validate(self, node):
 class SubscriberAuthorityInformationAccessAccessMethodPresenceValidator(
     common.AuthorityInformationAccessAccessMethodPresenceValidator
 ):
-    """Validates that AIA access methods conform to BR 7.1.2.10.3."""
+    """Validates that AIA access methods conform to BR 7.1.2.7.7."""
 
     _CODE_CLASSIFIER = "cabf.serverauth.subscriber"
 
     _ACCESS_METHOD_ALLOWANCES = {
-        rfc5280.id_ad_ocsp: Rfc2119Word.MUST,
+        rfc5280.id_ad_ocsp: Rfc2119Word.MAY,
         rfc5280.id_ad_caIssuers: Rfc2119Word.SHOULD,
     }
 
@@ -722,3 +724,103 @@ def validate(self, node):
             raise validation.ValidationFindingEncountered(
                 self.VALIDATION_CABF_ORG_ID_MISMATCHED_VALUE, str(e)
             )
+
+
+class SubscriberRevocationInformationPresenceValidator(validation.Validator):
+    """
+    TLS BR 7.1.2.11.2:
+
+    The CRL Distribution Points extension MUST be present in:
+    ...
+    • Subscriber Certificates that 1) do not qualify as “Short‐lived Subscriber Certificates” and 2) do
+        not include an Authority Information Access extension with an id‐ad‐ocsp accessMethod.
+    """
+
+    VALIDATION_REVOCATION_INFORMATION_ABSENT = validation.ValidationFinding(
+        validation.ValidationFindingSeverity.ERROR,
+        "cabf.serverauth.subscriber.revocation_information_absent",
+    )
+
+    _SHORT_LIVED_CERTIFICATE_10_DAYS_START_DATETIME = datetime.datetime(
+        2024, 3, 15, 0, 0, 0, tzinfo=datetime.timezone.utc
+    )
+    _10_DAYS = datetime.timedelta(days=10)
+
+    _SHORT_LIVED_CERTIFICATE_7_DAYS_START_DATETIME = datetime.datetime(
+        2026, 3, 15, 0, 0, 0, tzinfo=datetime.timezone.utc
+    )
+    _7_DAYS = datetime.timedelta(days=7)
+
+    def __init__(
+        self, validity_period_start_retriever: document.ValidityPeriodStartRetriever
+    ):
+        super().__init__(
+            validations=[self.VALIDATION_REVOCATION_INFORMATION_ABSENT],
+            pdu_class=rfc5280.Extensions,
+        )
+
+        self._validity_period_start_retriever = validity_period_start_retriever
+
+    @classmethod
+    def _has_ocsp_access_method(cls, cert: certificate.RFC5280Certificate):
+        aia_ext_and_idx = cert.get_extension_by_oid(rfc5280.id_pe_authorityInfoAccess)
+
+        if aia_ext_and_idx is None:
+            return False
+
+        aia_ext, _ = aia_ext_and_idx
+
+        # ensure that the decoded value is present
+        try:
+            aia_ext_value = aia_ext.navigate("extnValue.authorityInfoAccessSyntax")
+        except document.PDUNavigationFailedError:
+            return False
+
+        return any(
+            (
+                ad.children["accessMethod"].pdu == rfc5280.id_ad_ocsp
+                for ad in aia_ext_value.children.values()
+            )
+        )
+
+    @classmethod
+    def _is_short_lived_certificate(
+        cls,
+        cert: certificate.RFC5280Certificate,
+        validity_period_start_retriever: document.ValidityPeriodStartRetriever,
+    ) -> bool:
+        doc_validity_start = validity_period_start_retriever(cert)
+
+        if doc_validity_start < cls._SHORT_LIVED_CERTIFICATE_10_DAYS_START_DATETIME:
+            return False
+
+        validity_period = cert.validity_period
+
+        if validity_period <= cls._7_DAYS:
+            return True
+        elif (
+            validity_period <= cls._10_DAYS
+            and doc_validity_start < cls._SHORT_LIVED_CERTIFICATE_7_DAYS_START_DATETIME
+        ):
+            return True
+        else:
+            return False
+
+    def validate(self, node):
+        cert_doc = node.document
+
+        if self._is_short_lived_certificate(
+            cert_doc, self._validity_period_start_retriever
+        ):
+            return
+
+        has_aia_ocsp = self._has_ocsp_access_method(cert_doc)
+        has_crldp = (
+            cert_doc.get_extension_by_oid(rfc5280.id_ce_cRLDistributionPoints)
+            is not None
+        )
+
+        if not has_aia_ocsp and not has_crldp:
+            raise validation.ValidationFindingEncountered(
+                self.VALIDATION_REVOCATION_INFORMATION_ABSENT
+            )

pkilint/msft/msft_extension.py

@@ -0,0 +1,102 @@
+from pyasn1_alt_modules import rfc5280
+
+from pkilint import validation, document
+from pkilint.pkix import certificate, general_name
+
+
+class EndEntityRevocationInformationPresenceValidator(validation.Validator):
+    """
+    Microsoft Root Program Requirements, 3.A.5:
+
+    An end-entity certificate may contain either an AIA extension with a valid OCSP URL and/or a CDP extension pointing
+    to a valid HTTP endpoint containing the CRL.
+    """
+
+    VALIDATION_REVOCATION_INFORMATION_ABSENT = validation.ValidationFinding(
+        validation.ValidationFindingSeverity.ERROR,
+        "msft.end_entity.revocation_information_absent",
+    )
+
+    def __init__(self):
+        super().__init__(
+            validations=[self.VALIDATION_REVOCATION_INFORMATION_ABSENT],
+            pdu_class=rfc5280.Extensions,
+        )
+
+    @classmethod
+    def _general_name_is_http_uri(cls, gn):
+        gn_type, gn_value = gn.child
+
+        return (
+            gn_type == general_name.GeneralNameTypeName.UNIFORM_RESOURCE_IDENTIFIER
+            and str(gn_value.pdu).lower().startswith("http://")
+        )
+
+    @classmethod
+    def _has_ocsp_http_uri(cls, cert: certificate.RFC5280Certificate):
+        aia_ext_and_idx = cert.get_extension_by_oid(rfc5280.id_pe_authorityInfoAccess)
+
+        if aia_ext_and_idx is None:
+            return False
+
+        aia_ext, _ = aia_ext_and_idx
+
+        # ensure that the decoded value is present
+        try:
+            aia_ext_value = aia_ext.navigate("extnValue.authorityInfoAccessSyntax")
+        except document.PDUNavigationFailedError:
+            return False
+
+        ocsp_gns = (
+            ad.children["accessLocation"]
+            for ad in aia_ext_value.children.values()
+            if ad.children["accessMethod"].pdu == rfc5280.id_ad_ocsp
+        )
+
+        return any(cls._general_name_is_http_uri(gn) for gn in ocsp_gns)
+
+    @classmethod
+    def _has_crldp_http_uri(cls, cert: certificate.RFC5280Certificate):
+        crldp_ext_and_idx = cert.get_extension_by_oid(
+            rfc5280.id_ce_cRLDistributionPoints
+        )
+
+        if crldp_ext_and_idx is None:
+            return False
+
+        crldp_ext, _ = crldp_ext_and_idx
+
+        # ensure that the decoded value is present
+        try:
+            crldp_ext_value = crldp_ext.navigate("extnValue.cRLDistributionPoints")
+        except document.PDUNavigationFailedError:
+            return False
+
+        for dp in crldp_ext_value.children.values():
+            dpn = dp.children.get("distributionPoint")
+
+            if dpn is None:
+                continue
+
+            full_name = dpn.children.get("fullName")
+
+            if full_name is None:
+                continue
+
+            if any(
+                cls._general_name_is_http_uri(gn) for gn in full_name.children.values()
+            ):
+                return True
+
+        return False
+
+    def validate(self, node):
+        cert_doc = node.document
+
+        has_aia_ocsp_http_uri = self._has_ocsp_http_uri(cert_doc)
+        has_crldp_http_uri = self._has_crldp_http_uri(cert_doc)
+
+        if not has_aia_ocsp_http_uri and not has_crldp_http_uri:
+            raise validation.ValidationFindingEncountered(
+                self.VALIDATION_REVOCATION_INFORMATION_ABSENT
+            )

pkilint/pkix/certificate/__init__.py

@@ -1,3 +1,4 @@
+import datetime
 import functools
 import logging
 from typing import Set, Optional
@@ -62,6 +63,10 @@ def not_after(self):
         except ValueError:
             return pkix.MAXIMUM_TIME_DATETIME
 
+    @property
+    def validity_period(self) -> datetime.timedelta:
+        return (self.not_after - self.not_before) + datetime.timedelta(seconds=1)
+
     def _decode_and_append_extension(
         self, ext_oid: univ.ObjectIdentifier, ext_asn1_spec: Asn1Type
     ) -> Optional[document.PDUNode]:

tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info.crttest

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD
+VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV
+cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow
+ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP
+y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK
+1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG
+tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks
+HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA
+CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV
+iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG
+MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw
+HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM
+AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu
+Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG
+AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m
+Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu
+Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw
+42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg
+eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R
+tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y
+b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+
+mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI
+hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S
+ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY
+2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd
+NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3
+z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35
+PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8=
+-----END CERTIFICATE-----
+
+node_path,validator,severity,code,message
+certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent,
+certificate.tbsCertificate.extensions,SubscriberRevocationInformationPresenceValidator,ERROR,cabf.serverauth.subscriber.revocation_information_absent,

tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info_issued_in_2026.crttest

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD
+VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV
+cyBJc3N1aW5nIENBIEcxMB4XDTI2MDMxNTAwMDAwMFoXDTI2MDMyMjAwMDAwMFow
+ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP
+y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK
+1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG
+tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks
+HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA
+CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV
+iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG
+MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw
+HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM
+AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu
+Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG
+AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m
+Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu
+Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw
+42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg
+eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R
+tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y
+b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+
+mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI
+hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S
+ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY
+2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd
+NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3
+z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35
+PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8=
+-----END CERTIFICATE-----
+
+node_path,validator,severity,code,message
+certificate.tbsCertificate.extensions,SubscriberRevocationInformationPresenceValidator,ERROR,cabf.serverauth.subscriber.revocation_information_absent
+certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent,

tests/integration_certificate/tls_br/dv_final_certificate/no_ocsp_pointer.crttest → tests/integration_certificate/tls_br/dv_final_certificate/no_ocsp_pointer_but_has_crldp.crttest

@@ -31,4 +31,3 @@ h6/eR0eovfk8bt18QqvHp8PzGVidY5hKeo163oRkEIV75k1Onw==
 -----END CERTIFICATE-----
 
 node_path,validator,severity,code,message
-certificate.tbsCertificate.extensions.6.extnValue.authorityInfoAccessSyntax,SubscriberAuthorityInformationAccessAccessMethodPresenceValidator,ERROR,cabf.serverauth.subscriber.ocsp_aia_access_method_absent,

tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_before_effective_date.crttest

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD
+VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV
+cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTIzMDYwMzIzNTk1OVow
+ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP
+y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK
+1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG
+tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks
+HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA
+CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV
+iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG
+MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw
+HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM
+AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu
+Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG
+AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m
+Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu
+Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw
+42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg
+eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R
+tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y
+b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+
+mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI
+hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S
+ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY
+2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd
+NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3
+z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35
+PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8=
+-----END CERTIFICATE-----
+
+node_path,validator,severity,code,message
+certificate.tbsCertificate.extensions,SubscriberRevocationInformationPresenceValidator,ERROR,cabf.serverauth.subscriber.revocation_information_absent,
+certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent,