From 25ab4ccd751eaa76fda8fa261c1061cb3c549a2a Mon Sep 17 00:00:00 2001 
From: Corey Bonnell Date: Mon, 18 Nov 2024 13:53:35 -0500 Subject: [PATCH] Add support for short-lived TLS certificates --- pkilint/cabf/serverauth/__init__.py | 5 + pkilint/cabf/serverauth/serverauth_ca.py | 2 +- .../cabf/serverauth/serverauth_constants.py | 2 +- .../cabf/serverauth/serverauth_subscriber.py | 106 +++++++++++++++++- pkilint/msft/msft_extension.py | 102 +++++++++++++++++ pkilint/pkix/certificate/__init__.py | 5 + .../long_lived_no_rev_info.crttest | 34 ++++++ ...g_lived_no_rev_info_issued_in_2026.crttest | 34 ++++++ ... => no_ocsp_pointer_but_has_crldp.crttest} | 1 - ..._no_rev_info_before_effective_date.crttest | 34 ++++++ ...t_lived_no_rev_info_issued_in_2024.crttest | 33 ++++++ ...t_lived_no_rev_info_issued_in_2026.crttest | 33 ++++++ .../tls_br/external_cross_ca/no_eku.crttest | 1 - .../external_subca_with_anypolicy.crttest | 1 - .../no_reserved_policy_oid.crttest | 1 - .../non_reserved_oid_first_policy.crttest | 1 - .../tls_br/internal_cross_ca/no_eku.crttest | 1 - .../certificate_policies_missing.crttest | 1 - .../no_aia_ocsp.crttest | 34 ------ .../rsa_modulus_too_short.crttest | 1 - 20 files changed, 386 insertions(+), 46 deletions(-) create mode 100644 pkilint/msft/msft_extension.py create mode 100644 tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info.crttest create mode 100644 tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info_issued_in_2026.crttest rename tests/integration_certificate/tls_br/dv_final_certificate/{no_ocsp_pointer.crttest => no_ocsp_pointer_but_has_crldp.crttest} (90%) create mode 100644 tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_before_effective_date.crttest create mode 100644 tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_issued_in_2024.crttest create mode 100644 tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_issued_in_2026.crttest delete mode 100644 
tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/no_aia_ocsp.crttest diff --git a/pkilint/cabf/serverauth/__init__.py b/pkilint/cabf/serverauth/__init__.py index 1424a83..afc0cf1 100644 --- a/pkilint/cabf/serverauth/__init__.py +++ b/pkilint/cabf/serverauth/__init__.py @@ -22,6 +22,7 @@ serverauth_finding_filter, ) from pkilint.common import alternative_name +from pkilint.msft import msft_extension from pkilint.pkix import name, certificate from pkilint.pkix.certificate import certificate_validity @@ -358,6 +359,10 @@ def create_subscriber_extension_validator_container( serverauth_subscriber.SubscriberKeyUsageValidator(), serverauth_subscriber.SubscriberBasicConstraintsValidator(), serverauth_subscriber.SubscriberPoliciesValidator(certificate_type), + serverauth_subscriber.SubscriberRevocationInformationPresenceValidator( + validity_period_start_retriever + ), + msft_extension.EndEntityRevocationInformationPresenceValidator(), ] ) diff --git a/pkilint/cabf/serverauth/serverauth_ca.py b/pkilint/cabf/serverauth/serverauth_ca.py index ddf8c58..77f6cb6 100644 --- a/pkilint/cabf/serverauth/serverauth_ca.py +++ b/pkilint/cabf/serverauth/serverauth_ca.py @@ -323,7 +323,7 @@ class CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator( _CODE_CLASSIFIER = "cabf.serverauth.ca" _ACCESS_METHOD_ALLOWANCES = { - rfc5280.id_ad_ocsp: Rfc2119Word.SHOULD, + rfc5280.id_ad_ocsp: Rfc2119Word.MAY, rfc5280.id_ad_caIssuers: Rfc2119Word.MAY, } diff --git a/pkilint/cabf/serverauth/serverauth_constants.py b/pkilint/cabf/serverauth/serverauth_constants.py index 11dfc48..4e4ac81 100644 --- a/pkilint/cabf/serverauth/serverauth_constants.py +++ b/pkilint/cabf/serverauth/serverauth_constants.py @@ -3,7 +3,7 @@ from pyasn1.type.univ import ObjectIdentifier -BR_VERSION = "2.0.10" +BR_VERSION = "2.1.1" ID_POLICY_EV = ObjectIdentifier("2.23.140.1.1") 
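Review bot: In the second hunk of `pkilint/cabf/serverauth/__init__.py`, `msft_extension.EndEntityRevocationInformationPresenceValidator()` is added unconditionally to the CA/Browser Forum subscriber container, so every TLS BR subscriber lint also reports a Microsoft root-program finding at ERROR severity. The fixtures added later in this patch show the consequence: the short-lived certificates that the BR validator accepts still produce `msft.end_entity.revocation_information_absent`. If that is intended, a comment above the added line would say so, e.g. `# Microsoft root program check; unlike the BR check above it makes no exception for short-lived certificates`. The function's signature and the rest of its body are outside the hunk, so it cannot be confirmed from here that `validity_period_start_retriever` is in scope.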
diff --git a/pkilint/cabf/serverauth/serverauth_subscriber.py b/pkilint/cabf/serverauth/serverauth_subscriber.py index 54aca22..1fbdc46 100644 --- a/pkilint/cabf/serverauth/serverauth_subscriber.py +++ b/pkilint/cabf/serverauth/serverauth_subscriber.py @@ -1,3 +1,4 @@ +import datetime import operator from datetime import timedelta @@ -5,6 +6,7 @@ import pkilint.common from pkilint import validation, document, oid, common +from pkilint.pkix import certificate from pkilint.cabf import cabf_name from pkilint.cabf.asn1 import ev_guidelines from pkilint.cabf.serverauth import serverauth_constants @@ -645,12 +647,12 @@ def validate(self, node): class SubscriberAuthorityInformationAccessAccessMethodPresenceValidator( common.AuthorityInformationAccessAccessMethodPresenceValidator ): - """Validates that AIA access methods conform to BR 7.1.2.10.3.""" + """Validates that AIA access methods conform to BR 7.1.2.7.7.""" _CODE_CLASSIFIER = "cabf.serverauth.subscriber" _ACCESS_METHOD_ALLOWANCES = { - rfc5280.id_ad_ocsp: Rfc2119Word.MUST, + rfc5280.id_ad_ocsp: Rfc2119Word.MAY, rfc5280.id_ad_caIssuers: Rfc2119Word.SHOULD, } 
@@ -722,3 +724,103 @@ def validate(self, node): raise validation.ValidationFindingEncountered( self.VALIDATION_CABF_ORG_ID_MISMATCHED_VALUE, str(e) ) + + +class SubscriberRevocationInformationPresenceValidator(validation.Validator): + """ + TLS BR 7.1.2.11.2: + + The CRL Distribution Points extension MUST be present in: + ... + • Subscriber Certificates that 1) do not qualify as “Short‐lived Subscriber Certificates” and 2) do + not include an Authority Information Access extension with an id‐ad‐ocsp accessMethod. + """ + + VALIDATION_REVOCATION_INFORMATION_ABSENT = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "cabf.serverauth.subscriber.revocation_information_absent", + ) + + _SHORT_LIVED_CERTIFICATE_10_DAYS_START_DATETIME = datetime.datetime( + 2024, 3, 15, 0, 0, 0, tzinfo=datetime.timezone.utc + ) + _10_DAYS = datetime.timedelta(days=10) + + _SHORT_LIVED_CERTIFICATE_7_DAYS_START_DATETIME = datetime.datetime( + 2026, 3, 15, 0, 0, 0, tzinfo=datetime.timezone.utc + ) + _7_DAYS = datetime.timedelta(days=7) + + def __init__( + self, validity_period_start_retriever: document.ValidityPeriodStartRetriever + ): + super().__init__( + validations=[self.VALIDATION_REVOCATION_INFORMATION_ABSENT], + pdu_class=rfc5280.Extensions, + ) + + self._validity_period_start_retriever = validity_period_start_retriever + + @classmethod + def _has_ocsp_access_method(cls, cert: certificate.RFC5280Certificate): + aia_ext_and_idx = cert.get_extension_by_oid(rfc5280.id_pe_authorityInfoAccess) + + if aia_ext_and_idx is None: + return False + + aia_ext, _ = aia_ext_and_idx + + # ensure that the decoded value is present + try: + aia_ext_value = aia_ext.navigate("extnValue.authorityInfoAccessSyntax") + except document.PDUNavigationFailedError: + return False + + return any( + ( + ad.children["accessMethod"].pdu == rfc5280.id_ad_ocsp + for ad in aia_ext_value.children.values() + ) + ) + + @classmethod + def _is_short_lived_certificate( + cls, + cert: 
certificate.RFC5280Certificate, + validity_period_start_retriever: document.ValidityPeriodStartRetriever, + ) -> bool: + doc_validity_start = validity_period_start_retriever(cert) + + if doc_validity_start < cls._SHORT_LIVED_CERTIFICATE_10_DAYS_START_DATETIME: + return False + + validity_period = cert.validity_period + + if validity_period <= cls._7_DAYS: + return True + elif ( + validity_period <= cls._10_DAYS + and doc_validity_start < cls._SHORT_LIVED_CERTIFICATE_7_DAYS_START_DATETIME + ): + return True + else: + return False + + def validate(self, node): + cert_doc = node.document + + if self._is_short_lived_certificate( + cert_doc, self._validity_period_start_retriever + ): + return + + has_aia_ocsp = self._has_ocsp_access_method(cert_doc) + has_crldp = ( + cert_doc.get_extension_by_oid(rfc5280.id_ce_cRLDistributionPoints) + is not None + ) + + if not has_aia_ocsp and not has_crldp: + raise validation.ValidationFindingEncountered( + self.VALIDATION_REVOCATION_INFORMATION_ABSENT + ) diff --git a/pkilint/msft/msft_extension.py b/pkilint/msft/msft_extension.py new file mode 100644 index 0000000..cb6ed68 --- /dev/null +++ b/pkilint/msft/msft_extension.py 
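Review bot: `_is_short_lived_certificate` has no docstring, so the two cut-over dates and the 10-day and 7-day limits are explained only by constant names, and the class docstring quotes only the CRL Distribution Points rule. A docstring on the method should state that a certificate counts as short-lived when its validity start is on or after 2024-03-15 and `cert.validity_period` is at most 10 days, tightening to at most 7 days for a validity start on or after 2026-03-15. It should also say that the "issued on" date is whatever `validity_period_start_retriever` returns, presumably notBefore, so the limit applied follows the encoded date rather than the actual issuance time. `_has_ocsp_access_method` could carry the same `-> bool` annotation as its sibling.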
@@ -0,0 +1,102 @@ +from pyasn1_alt_modules import rfc5280 + +from pkilint import validation, document +from pkilint.pkix import certificate, general_name + + +class EndEntityRevocationInformationPresenceValidator(validation.Validator): + """ + Microsoft Root Program Requirements, 3.A.5: + + An end-entity certificate may contain either an AIA extension with a valid OCSP URL and/or a CDP extension pointing + to a valid HTTP endpoint containing the CRL. + """ + + VALIDATION_REVOCATION_INFORMATION_ABSENT = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "msft.end_entity.revocation_information_absent", + ) + + def __init__(self): + super().__init__( + validations=[self.VALIDATION_REVOCATION_INFORMATION_ABSENT], + pdu_class=rfc5280.Extensions, + ) + + @classmethod + def _general_name_is_http_uri(cls, gn): + gn_type, gn_value = gn.child + + return ( + gn_type == general_name.GeneralNameTypeName.UNIFORM_RESOURCE_IDENTIFIER + and str(gn_value.pdu).lower().startswith("http://") + ) + + @classmethod + def _has_ocsp_http_uri(cls, cert: certificate.RFC5280Certificate): + aia_ext_and_idx = cert.get_extension_by_oid(rfc5280.id_pe_authorityInfoAccess) + + if aia_ext_and_idx is None: + return False + + aia_ext, _ = aia_ext_and_idx + + # ensure that the decoded value is present + try: + aia_ext_value = aia_ext.navigate("extnValue.authorityInfoAccessSyntax") + except document.PDUNavigationFailedError: + return False + + ocsp_gns = ( + ad.children["accessLocation"] + for ad in aia_ext_value.children.values() + if ad.children["accessMethod"].pdu == rfc5280.id_ad_ocsp + ) + + return any(cls._general_name_is_http_uri(gn) for gn in ocsp_gns) + + @classmethod + def _has_crldp_http_uri(cls, cert: certificate.RFC5280Certificate): + crldp_ext_and_idx = cert.get_extension_by_oid( + rfc5280.id_ce_cRLDistributionPoints + ) + + if crldp_ext_and_idx is None: + return False + + crldp_ext, _ = crldp_ext_and_idx + + # ensure that the decoded value is present + try: + 
crldp_ext_value = crldp_ext.navigate("extnValue.cRLDistributionPoints") + except document.PDUNavigationFailedError: + return False + + for dp in crldp_ext_value.children.values(): + dpn = dp.children.get("distributionPoint") + + if dpn is None: + continue + + full_name = dpn.children.get("fullName") + + if full_name is None: + continue + + if any( + cls._general_name_is_http_uri(gn) for gn in full_name.children.values() + ): + return True + + return False + + def validate(self, node): + cert_doc = node.document + + has_aia_ocsp_http_uri = self._has_ocsp_http_uri(cert_doc) + has_crldp_http_uri = self._has_crldp_http_uri(cert_doc) + + if not has_aia_ocsp_http_uri and not has_crldp_http_uri: + raise validation.ValidationFindingEncountered( + self.VALIDATION_REVOCATION_INFORMATION_ABSENT + ) diff --git a/pkilint/pkix/certificate/__init__.py b/pkilint/pkix/certificate/__init__.py index 9804807..b89e01a 100644 --- a/pkilint/pkix/certificate/__init__.py +++ b/pkilint/pkix/certificate/__init__.py @@ -1,3 +1,4 @@ +import datetime import functools import logging from typing import Set, Optional @@ -62,6 +63,10 @@ def not_after(self): except ValueError: return pkix.MAXIMUM_TIME_DATETIME + @property + def validity_period(self) -> datetime.timedelta: + return (self.not_after - self.not_before) + datetime.timedelta(seconds=1) + def _decode_and_append_extension( self, ext_oid: univ.ObjectIdentifier, ext_asn1_spec: Asn1Type ) -> Optional[document.PDUNode]: diff --git a/tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info.crttest b/tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info.crttest new file mode 100644 index 0000000..4398ea5 --- /dev/null +++ b/tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info.crttest 
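Review bot: `_general_name_is_http_uri` accepts only values starting with `http://`, so a certificate whose OCSP or CRL pointers all use another scheme is reported under `msft.end_entity.revocation_information_absent` even though the extensions are present. A one-line comment there, such as `# only plain-HTTP URIs satisfy the requirement; other schemes are treated as absent`, would make the narrowing explicit. The class docstring quotes the requirement with the word "may" while the finding is raised at ERROR severity; a sentence explaining why absence is treated as an error would help. The AIA lookup in `_has_ocsp_http_uri` repeats the navigation in `SubscriberRevocationInformationPresenceValidator._has_ocsp_access_method` and could share a helper.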
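Review bot: The new `validity_period` property adds one second without saying why, and the short-lived thresholds elsewhere in this patch depend on that choice at the boundary. A docstring such as `"""Return notAfter - notBefore plus one second, since both endpoints are inclusive (RFC 5280, 4.1.2.5)."""` would document it. The context lines show `not_after` falling back to `pkix.MAXIMUM_TIME_DATETIME` on `ValueError`, so an undecodable notAfter presumably yields a very long period rather than an exception; that deserves one more sentence in the docstring. The enclosing class starts and ends outside the hunk.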
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD +VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV +cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow +ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP +y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK +1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG +tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks +HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA +CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV +iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG +MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw +HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM +AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu +Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG +AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m +Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu +Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw +42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg +eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R +tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y +b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+ +mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI +hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S +ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY +2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd +NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3 +z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35 +PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message 
+certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent, +certificate.tbsCertificate.extensions,SubscriberRevocationInformationPresenceValidator,ERROR,cabf.serverauth.subscriber.revocation_information_absent, diff --git a/tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info_issued_in_2026.crttest b/tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info_issued_in_2026.crttest new file mode 100644 index 0000000..f78a401 --- /dev/null +++ b/tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info_issued_in_2026.crttest 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD +VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV +cyBJc3N1aW5nIENBIEcxMB4XDTI2MDMxNTAwMDAwMFoXDTI2MDMyMjAwMDAwMFow +ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP +y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK +1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG +tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks +HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA +CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV +iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG +MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw +HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM +AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu +Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG +AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m +Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu +Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw +42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg +eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R +tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y +b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+ +mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI +hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S +ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY +2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd +NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3 +z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35 +PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message 
+certificate.tbsCertificate.extensions,SubscriberRevocationInformationPresenceValidator,ERROR,cabf.serverauth.subscriber.revocation_information_absent +certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent, diff --git a/tests/integration_certificate/tls_br/dv_final_certificate/no_ocsp_pointer.crttest b/tests/integration_certificate/tls_br/dv_final_certificate/no_ocsp_pointer_but_has_crldp.crttest similarity index 90% rename from tests/integration_certificate/tls_br/dv_final_certificate/no_ocsp_pointer.crttest rename to tests/integration_certificate/tls_br/dv_final_certificate/no_ocsp_pointer_but_has_crldp.crttest index f4f0624..544a1fc 100644 --- a/tests/integration_certificate/tls_br/dv_final_certificate/no_ocsp_pointer.crttest +++ b/tests/integration_certificate/tls_br/dv_final_certificate/no_ocsp_pointer_but_has_crldp.crttest @@ -31,4 +31,3 @@ h6/eR0eovfk8bt18QqvHp8PzGVidY5hKeo163oRkEIV75k1Onw== -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.6.extnValue.authorityInfoAccessSyntax,SubscriberAuthorityInformationAccessAccessMethodPresenceValidator,ERROR,cabf.serverauth.subscriber.ocsp_aia_access_method_absent, diff --git a/tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_before_effective_date.crttest b/tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_before_effective_date.crttest new file mode 100644 index 0000000..d07a4e6 --- /dev/null +++ b/tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_before_effective_date.crttest 
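Review bot: The first expected row of `long_lived_no_rev_info_issued_in_2026.crttest`, the one for `SubscriberRevocationInformationPresenceValidator`, ends at `revocation_information_absent` with no trailing comma. That leaves it with four fields under the five-column header `node_path,validator,severity,code,message`. Every other expected row added in this patch ends with the empty-message comma. If the test harness compares rows textually this fixture may not match, so the row should end `cabf.serverauth.subscriber.revocation_information_absent,`.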
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD +VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV +cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTIzMDYwMzIzNTk1OVow +ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP +y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK +1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG +tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks +HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA +CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV +iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG +MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw +HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM +AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu +Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG +AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m +Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu +Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw +42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg +eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R +tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y +b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+ +mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI +hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S +ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY +2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd +NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3 +z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35 +PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message 
+certificate.tbsCertificate.extensions,SubscriberRevocationInformationPresenceValidator,ERROR,cabf.serverauth.subscriber.revocation_information_absent, +certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent, diff --git a/tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_issued_in_2024.crttest b/tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_issued_in_2024.crttest new file mode 100644 index 0000000..34b76f9 --- /dev/null +++ b/tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_issued_in_2024.crttest 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD +VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV +cyBJc3N1aW5nIENBIEcxMB4XDTI0MDYwMjAwMDAwMFoXDTI0MDYxMDIzNTk1OVow +ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP +y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK +1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG +tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks +HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA +CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV +iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG +MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw +HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM +AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu +Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG +AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m +Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu +Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw +42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg +eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R +tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y +b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+ +mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI +hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S +ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY +2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd +NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3 +z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35 +PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message 
+certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent, diff --git a/tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_issued_in_2026.crttest b/tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_issued_in_2026.crttest new file mode 100644 index 0000000..464514a --- /dev/null +++ b/tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_issued_in_2026.crttest 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD +VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV +cyBJc3N1aW5nIENBIEcxMB4XDTI2MDMxNTAwMDAwMFoXDTI2MDMyMTIzNTk1OVow +ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP +y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK +1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG +tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks +HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA +CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV +iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG +MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw +HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM +AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu +Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG +AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m +Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu +Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw +42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg +eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R +tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y +b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+ +mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI +hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S +ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY +2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd +NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3 +z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35 +PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message 
+certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent, diff --git a/tests/integration_certificate/tls_br/external_cross_ca/no_eku.crttest b/tests/integration_certificate/tls_br/external_cross_ca/no_eku.crttest index ab7f151..7d9cb95 100644 --- a/tests/integration_certificate/tls_br/external_cross_ca/no_eku.crttest +++ b/tests/integration_certificate/tls_br/external_cross_ca/no_eku.crttest @@ -29,4 +29,3 @@ node_path,validator,severity,code,message certificate.tbsCertificate.extensions,CrossCertificateExtensionAllowanceValidator,ERROR,cabf.serverauth.cross_ca.extended_key_usage_extension_absent, certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_external_anypolicy, certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, -certificate.tbsCertificate.extensions.5.extnValue.authorityInfoAccessSyntax,CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator,WARNING,cabf.serverauth.ca.ocsp_aia_access_method_absent, diff --git a/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/external_subca_with_anypolicy.crttest b/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/external_subca_with_anypolicy.crttest index c9ea3b8..0f792ef 100644 --- a/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/external_subca_with_anypolicy.crttest +++ b/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/external_subca_with_anypolicy.crttest 
@@ -17,6 +17,5 @@ ZftJooiIjmMh425+ -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.6.extnValue.authorityInfoAccessSyntax,CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator,WARNING,cabf.serverauth.ca.ocsp_aia_access_method_absent, certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, certificate.tbsCertificate.extensions.7.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_external_anypolicy, diff --git a/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/no_reserved_policy_oid.crttest b/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/no_reserved_policy_oid.crttest index 45cfc8e..433abec 100644 --- a/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/no_reserved_policy_oid.crttest +++ b/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/no_reserved_policy_oid.crttest @@ -17,6 +17,5 @@ ZftJooiIjmMh425+ -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.6.extnValue.authorityInfoAccessSyntax,CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator,WARNING,cabf.serverauth.ca.ocsp_aia_access_method_absent, certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, certificate.tbsCertificate.extensions.7.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_missing_reserved_policy_oid, diff --git a/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/non_reserved_oid_first_policy.crttest b/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/non_reserved_oid_first_policy.crttest index 75b97a0..f32f7c5 100644 
--- a/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/non_reserved_oid_first_policy.crttest +++ b/tests/integration_certificate/tls_br/external_unconstrained_tls_ca/non_reserved_oid_first_policy.crttest @@ -18,5 +18,4 @@ ovGCuvsCiZ28ZftJooiIjmMh425+ node_path,validator,severity,code,message certificate.tbsCertificate.extensions.7.extnValue.certificatePolicies,CaCertificatePoliciesValidator,WARNING,cabf.serverauth.ca_first_policy_oid_not_reserved, -certificate.tbsCertificate.extensions.6.extnValue.authorityInfoAccessSyntax,CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator,WARNING,cabf.serverauth.ca.ocsp_aia_access_method_absent, certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/tls_br/internal_cross_ca/no_eku.crttest b/tests/integration_certificate/tls_br/internal_cross_ca/no_eku.crttest index 4fa5942..b2fe7e7 100644 --- a/tests/integration_certificate/tls_br/internal_cross_ca/no_eku.crttest +++ b/tests/integration_certificate/tls_br/internal_cross_ca/no_eku.crttest @@ -28,4 +28,3 @@ d5cNAzPftw== node_path,validator,severity,code,message certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, certificate.tbsCertificate.extensions,CrossCertificateExtensionAllowanceValidator,WARNING,cabf.serverauth.cross_ca.extended_key_usage_extension_absent, -certificate.tbsCertificate.extensions.5.extnValue.authorityInfoAccessSyntax,CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator,WARNING,cabf.serverauth.ca.ocsp_aia_access_method_absent, 
diff --git a/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/certificate_policies_missing.crttest b/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/certificate_policies_missing.crttest index 9e27db9..d997ea7 100644 --- a/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/certificate_policies_missing.crttest +++ b/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/certificate_policies_missing.crttest @@ -17,5 +17,4 @@ jyVAxYT0nwIgG90c0Hq1GNvXk9qi8YK6+wKJnbxl+0miiIiOYyHjbn4= node_path,validator,severity,code,message certificate.tbsCertificate.extensions,CaCertificateExtensionAllowanceValidator,ERROR,cabf.serverauth.ca.certificate_policies_extension_absent, -certificate.tbsCertificate.extensions.6.extnValue.authorityInfoAccessSyntax,CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator,WARNING,cabf.serverauth.ca.ocsp_aia_access_method_absent, certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/no_aia_ocsp.crttest b/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/no_aia_ocsp.crttest deleted file mode 100644 index 7a75d34..0000000 --- a/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/no_aia_ocsp.crttest +++ /dev/null 
@@ -1,34 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFKDCCAxCgAwIBAgIRAOtFJ4ojquR1HTetA0VJyX4wDQYJKoZIhvcNAQELBQAw -PTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUNlcnRhaW5seTEaMBgGA1UEAxMRQ2Vy -dGFpbmx5IFJvb3QgUjEwHhcNMjEwNDAxMDAwMDAwWhcNMzEwNDAxMDAwMDAwWjBF -MQswCQYDVQQGEwJVUzESMBAGA1UEChMJQ2VydGFpbmx5MSIwIAYDVQQDExlDZXJ0 -YWlubHkgSW50ZXJtZWRpYXRlIFIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAltJIZrGtZADK8OkOpD7Imei31l0HKXA57tfkJe/hWGMgSk98xUrI8fmU -yNskRtrBTsGwTHIbUH+TBlKEHzc50QDZalDV3VpTK5LKPdyW7q86gRKDRsvLrStE -zZ3qTG29cnOGLl5P5zEWWgTwNi4fLrcFBt7zLzUB7JYlePAkPuAibrTN+K7yPQHy -XiNgpHMQVJQsmGrRnANdp7wq+3RnchCnhuRuF8gWpOPOe9RbUKjapEpAkJapr/dy -1aDh6sxECnCVsPMz8WXNHZzkWVZoC5d1rP0JbQrCH+jk8kDnxh4vNXoa+j+I9SkO -ejH4FnKganXiADcVXG9GVVW90ohIUwIDAQABo4IBGTCCARUwDgYDVR0PAQH/BAQD -AgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAG -AQH/AgEAMB0GA1UdDgQWBBS9l53fodgbJZnjDAQGiWQS12UkxzAfBgNVHSMEGDAW -gBTgqj8ljZ9EXME66C6ud0yEPmcM9DA5BggrBgEFBQcBAQQtMCswKQYIKwYBBQUH -MAKGHWh0dHA6Ly9yb290LXIxLmNlcnRhaW5seS5jb20vMDIGA1UdHwQrMCkwJ6Al -oCOGIWh0dHA6Ly9jcmwucm9vdC1yMS5jZXJ0YWlubHkuY29tLzAhBgNVHSAEGjAY -MAgGBmeBDAECATAMBgorBgEEAYOGGQEBMA0GCSqGSIb3DQEBCwUAA4ICAQBDMEjX -2VcZq+4o3509O8FkJVPnSmH6SXw2/sa7VWxYttbqEqpSF9s9FBXPkD8pAclyTvTx -E8OkWkzSvU+e3i79sNEE+QXoEFsweFcRhD/4WAn42sVhuNIOjAwp1J1mPUSdrosj -guhlg0f+rGp0Ta4tWllpz7mG+IfDIUMzFfx/p5y7yh1RjZ/Fvu5HTgNS+VoOU1V2 -KI8tLk8bvuA9KR5GPI0nbEAwqiS+UuQvMeIK3syMW3+ZdkH7EqS+WgNJIubBzfnm -CBkvsSanxnic2paU1zdWyUcNvLK7x1JCLk6ERrsbJuDhk24kzmCTwCsGjBJjgEOo -n85ezEKhwmgTLW7kX0W+yvH11HBdm5J2eFw7EipWwIMW2cAVdTfFIAF3FThINc1o -1ogiyYMXdqSiuD2PGWFSW/lKQ7oufj4Vx43dMXYH/6qgqXk/pLTGQjA4ymgXckwX -GG55RbnQsgLCUqn2I0D9jOk5DS10PXd7llxD7ZuOX67C18zmhQtEMa3KFzQAZ4P3 -Q/bX9WRjUxu4KjQ08wFEvYns8A3FBYm+CvGeDGCR6qFt0tgIdvqy1BRMvDEo6eoN -uulYEgmZtqs6vlNQogVd8JjZcLE8t3LNdR4Xonu85U9TkDLAONrLCqJ4+FoTpfRY -qZUwYRmBMiNPuAqWjRDeDx6qzki2lS9FLExT9A== ------END CERTIFICATE----- - -node_path,validator,severity,code,message 
-certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, -certificate.tbsCertificate.extensions.5.extnValue.authorityInfoAccessSyntax,CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator,WARNING,cabf.serverauth.ca.ocsp_aia_access_method_absent, diff --git a/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/rsa_modulus_too_short.crttest b/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/rsa_modulus_too_short.crttest index 7632123..be3e122 100644 --- a/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/rsa_modulus_too_short.crttest +++ b/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/rsa_modulus_too_short.crttest @@ -30,7 +30,6 @@ vKQS8+ldLKjUv7UYmsnOjK714QmWtIfEzw== -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.6.extnValue.authorityInfoAccessSyntax,CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator,WARNING,cabf.serverauth.ca.ocsp_aia_access_method_absent, certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.common_name_attribute_absent, certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_missing_reserved_policy_oid, certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified,