diff --git a/VERSION.txt b/VERSION.txt index 6f060dc..ea8f4fd 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -0.9.9 \ No newline at end of file +0.9.10 \ No newline at end of file diff --git a/pkilint/cabf/cabf_name.py b/pkilint/cabf/cabf_name.py index f0a4faf..2d929a5 100644 --- a/pkilint/cabf/cabf_name.py +++ b/pkilint/cabf/cabf_name.py @@ -85,8 +85,14 @@ class OrganizationIdentifierAttributeValidator(validation.TypeMatchingValidator) 'cabf.invalid_subject_organization_identifier_state_province_format' ) - def __init__(self, relax_stateprovince_syntax=False, additional_schemes: typing.Optional[ - typing.Mapping[str, cabf_constants.RegistrationSchemeNamingConvention]] = None): + _ISO3166_AND_ARTICLE_215_COUNTRY_CODES = set(countries_by_alpha2.keys()) | {'EL', 'XI'} + + def __init__( + self, + relax_stateprovince_syntax=False, + additional_schemes: typing.Optional[ + typing.Mapping[str, cabf_constants.RegistrationSchemeNamingConvention]] = None + ): super().__init__(type_oid=x520_name.id_at_organizationIdentifier, type_path='type', value_path='value.x520OrganizationIdentifier', pdu_class=rfc5280.AttributeTypeAndValue, 
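Review bot: The `_ISO3166_AND_ARTICLE_215_COUNTRY_CODES` allow-list added to `OrganizationIdentifierAttributeValidator` is a mutable `set`, and the same expression is defined a second time in `CABFOrganizationIdentifierExtensionValidator` (the `@@ -33,6 +33,8 @@` hunk of serverauth_subscriber.py). Two copies of an acceptance list can drift apart, after which the subject attribute and the extension would disagree about which country codes pass validation. I would define it once in a module both files already reference, such as `cabf_constants`, and make it immutable: `ISO3166_AND_ARTICLE_215_COUNTRY_CODES = frozenset(countries_by_alpha2) | {'EL', 'XI'}`. The class body continues outside this hunk.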
@@ -148,7 +154,15 @@ def validate_with_value(self, node, choice_node): elif scheme_info.country_identifier_type == cabf_constants.RegistrationSchemeCountryIdentifierType.XG: valid_country_code = (country_code == 'XG') elif scheme_info.country_identifier_type == cabf_constants.RegistrationSchemeCountryIdentifierType.ISO3166: - valid_country_code = (country_code in countries_by_alpha2) + # HACK: this comparison with "_relax_stateprovince_syntax" is a hack to differentiate between SMBR and + # TLSBR validators. The EVGs don't allow the relaxed state/province syntax, so we can use that to + # determine whether to allow the "EL" and "XI" country codes permitted by the amended Article 215 of + # Council Directive 2006/112/EC. This is dirty, but this logic is getting replaced by the (much + # improved) OrgId validation logic when the QWAC linter is released in a few months + if m['scheme'] == 'VAT' and not self._relax_stateprovince_syntax: + valid_country_code = (country_code in self._ISO3166_AND_ARTICLE_215_COUNTRY_CODES) + else: + valid_country_code = (country_code in countries_by_alpha2) else: raise ValueError(f'Unknown country identifier type for scheme "{m["scheme"]}": ' f'{scheme_info.country_identifier_type}') diff --git a/pkilint/cabf/serverauth/serverauth_constants.py b/pkilint/cabf/serverauth/serverauth_constants.py index 902d895..d70a7f5 100644 --- a/pkilint/cabf/serverauth/serverauth_constants.py +++ b/pkilint/cabf/serverauth/serverauth_constants.py @@ -2,7 +2,7 @@ from pyasn1.type.univ import ObjectIdentifier -BR_VERSION = '2.0.0' +BR_VERSION = '2.0.3' ID_POLICY_EV = ObjectIdentifier('2.23.140.1.1') diff --git a/pkilint/cabf/serverauth/serverauth_subscriber.py b/pkilint/cabf/serverauth/serverauth_subscriber.py index 836389a..4753308 100644 --- a/pkilint/cabf/serverauth/serverauth_subscriber.py +++ b/pkilint/cabf/serverauth/serverauth_subscriber.py 
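Review bot: In `validate_with_value`, `not self._relax_stateprovince_syntax` stands in for "this is the TLS/EV validator", so whether `EL` and `XI` are accepted for `VAT` depends on an unrelated option whose constructor default is `False`. Any caller that builds the validator with defaults therefore gets the wider country list whether or not its profile permits it, and the only record of that coupling is the HACK comment. Until the replacement logic mentioned in that comment lands, an explicit constructor argument would make the choice visible at the call site, for example `allow_article_215_country_codes=False` stored on the instance and tested as `if m['scheme'] == 'VAT' and self._allow_article_215_country_codes:`. The fixtures added in this commit exercise only `EL`; an `XI` case would pin the second code. The function starts and ends outside the hunk, and `m` is assigned outside it.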
@@ -33,6 +33,8 @@ class CABFOrganizationIdentifierExtensionValidator(validation.Validator):
 'cabf.serverauth.organization_identifier_ext_invalid_state_province_for_scheme'
 )
+ _ISO3166_AND_ARTICLE_215_COUNTRY_CODES = set(countries_by_alpha2.keys()) | {'EL', 'XI'}
+
 def __init__(self):
 super().__init__(
 pdu_class=ev_guidelines.CABFOrganizationIdentifier,
@@ -63,7 +65,10 @@ def validate(self, node):
 elif scheme_info.country_identifier_type == cabf_constants.RegistrationSchemeCountryIdentifierType.XG:
 valid_country_code = (country == 'XG')
 elif scheme_info.country_identifier_type == cabf_constants.RegistrationSchemeCountryIdentifierType.ISO3166:
- valid_country_code = country in countries_by_alpha2
+ if scheme == 'VAT':
+ valid_country_code = (country in self._ISO3166_AND_ARTICLE_215_COUNTRY_CODES)
+ else:
+ valid_country_code = country in countries_by_alpha2
 else:
 raise ValueError(f'Unknown country identifier type for scheme "{scheme}": '
 f'{scheme_info.country_identifier_type}')
diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/vat_el_org_id.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/vat_el_org_id.crttest
new file mode 100644
index 0000000..9f4e853
--- /dev/null
+++ b/tests/integration_certificate/smime_br/organization/multipurpose/vat_el_org_id.crttest
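Review bot: The new `if scheme == 'VAT':` branch in `validate` accepts two values that are not ISO 3166 codes inside the `ISO3166` case, and nothing at that spot says why; the explanation exists only in the comment in cabf_name.py. I would add `# "EL" and "XI" are accepted for VAT per the amended Article 215 of Council Directive 2006/112/EC; all other schemes stay ISO 3166-only` above the branch. The two assignments are also written differently (one parenthesised, one not), which is worth making uniform. `validate` starts and ends outside this hunk.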
@@ -0,0 +1,40 @@ +-----BEGIN CERTIFICATE----- +MIIGSTCCBDGgAwIBAgIUT0nGRo909AMp7EmYVoILmgwKMsQwDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0 +ZWQxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMzA0MjgwMDAwMDBaFw0y +MzA3MjcyMzU5NTlaMF4xEjAQBgNVBGETCVZBVEVMLTEyMzEeMBwGA1UEChMVQWNt +ZSBJbmR1c3RyaWVzLCBMdGQuMSgwJgYJKoZIhvcNAQkBFhloYW5ha28ueWFtYWRh +QGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPno +GUOnrpiSqt4XynxA+HRP7S+BSObI6qJ7fQAVSPtRkqsotWxQYLEYzNEx5ZSHTGyp +ibVsJylvCfuToDTfMul8b/CZjP2Ob0LdpYrNH6l5hvFE89FU1nZQF15oVLOpUgA7 +wGiHuEVawrGfey92UE68mOyUVXGweJIVDdxqdMoPvNNUl86BU02vlBiESxOuox+d +WmuVV7vfYZ79Toh/LUK43YvJh+rhv4nKuF7iHjVjBd9sB6iDjj70HFldzOQ9r8SR +I+9NirupPTkF5AKNe6kUhKJ1luB7S27ZkvB3tSTT3P593VVJvnzOjaA1z6Cz+4+e +RvcysqhrRgFlwI9TEwIDAQABo4ICEzCCAg8wDAYDVR0TAQH/BAIwADAOBgNVHQ8B +Af8EBAMCB4AwHwYDVR0jBBgwFoAU1kQAMnyoDf+sT2tm7rWumyzFOFQwHQYDVR0O +BBYEFIkZWV4O8Wn1y71H4TT84pjMaTCRMBQGA1UdIAQNMAswCQYHZ4EMAQUCAjA9 +BgNVHR8ENjA0MDKgMKAuhixodHRwOi8vY3JsLmNhLmV4YW1wbGUuY29tL2lzc3Vp +bmdfY2FfY3JsLmNybDBLBggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUHMAKGL2h0dHA6 +Ly9yZXBvc2l0b3J5LmNhLmV4YW1wbGUuY29tL2lzc3VpbmdfY2EuZGVyMB0GA1Ud +JQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjCByAYDVR0RBIHAMIG9gRloYW5ha28u +eWFtYWRhQGV4YW1wbGUuY29toCkGCisGAQQBgjcUAgOgGwwZaGFuYWtvLnlhbWFk +YUBleGFtcGxlLmNvbaAmBggrBgEFBQcICaAaDBjlsbHnlLDoirHlrZBAZXhhbXBs +ZS5jb22kTTBLMSMwIQYDVQRhExpMRUlYRy1BRVlFMDBFS1hFU1ZaVVVFQlA2NzEk +MCIGA1UECgwb44Ki44Kv44Of5bel5qWt5qCq5byP5Lya56S+MCMGCSsGAQQBg5gq +AQQWExRBRVlFMDBFS1hFU1ZaVVVFQlA2NzANBgkqhkiG9w0BAQsFAAOCAgEAALJ+ +FR219frGJUfrL8xWFfRuFCnLdyzM78Ey0qJqZES199XlYozXhMzCUKYN/zbmery9 +0uWNyuJtYGJYl0lhfzBxMmMHk88gCDkLyj8h4a+r2NiQsiN2bXXp1t5CStQeoalj +ZL9r2IIERGB+MigR1Rz7g1ECvVo7+llr3/EwqV9aa88OtnmQoroSlk86hTGjdEUu +ixhR2T+/VMEpdlxmimg88E8afa05yc+GBGnxhyk2zk+nbusC1TrEnMsF2zIaMGlH +jMP/v3Gsl1VucFutU06xhItWmWYcHeVr0wLO/gMDdSbIUgsxobvWynh52D4D1gJs +Hpnelc5EyGCxhLp7X9tjIy7pSXQAA9fy63cdSk6xbpYtlCU/S0PGm+gMMKAydAun 
+L2WgqEwpFB0TwuE+obw3jJI2eO15YFJU5qEt5eNM2H7KzO0R5lZE0wnbmhgggYGr +c6SFsVzgCocwHOtG9hETci6imtbQ8XoiY86KLUaxYcR4ilXoFj3yhKy8qP7LHdg+ +sI3/2sIVkoohmnIEidKmO4lhGqavh8bSVLy00PiebItEVoD4hgMtrcl3c8yM7C/c +pXtmlRvk49RnJJiSPnSS+34I2DKmhS7ZCqHRPyUdE6ebULW+ZCNc3vG4yleapzJQ +iFdUbWgLm8XfBNHSAWs3NvdzV/MqQUERWI3VEdQ= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""VAT"": ""EL""" +certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/tls_br/ev_final_certificate/ntr_el_org_id.crttest b/tests/integration_certificate/tls_br/ev_final_certificate/ntr_el_org_id.crttest new file mode 100644 index 0000000..f41bbd3 --- /dev/null +++ b/tests/integration_certificate/tls_br/ev_final_certificate/ntr_el_org_id.crttest 
@@ -0,0 +1,64 @@ +-----BEGIN CERTIFICATE----- +MIIJhjCCB26gAwIBAgIQcK2Vs8415AzSapDFAmsllDANBgkqhkiG9w0BAQsFADCB +wTELMAkGA1UEBhMCR1IxDzANBgNVBAcMBkF0aGVuczErMCkGA1UECgwiR3JlZWsg +VW5pdmVyc2l0aWVzIE5ldHdvcmsgKEdVbmV0KTEYMBYGA1UEYQwPVkFUR1ItMDk5 +MDI4MjIwMTcwNQYDVQQLDC5IZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2gg +SW5zdGl0dXRpb25zIENBMSEwHwYDVQQDDBhIQVJJQ0EgUVdBQyBSU0EgU3ViQ0Eg +UjEwHhcNMjIxMTI0MTAwNjM3WhcNMjMxMjI2MTAwNjE5WjCB9TELMAkGA1UEBhMC +R1IxDzANBgNVBAcMBkF0aGVuczEjMCEGA1UECgwaR3JlZWsgVW5pdmVyc2l0aWVz +IE5ldHdvcmsxGDAWBgNVBGEMD05UUkVMLTA5OTAyODIyMDEYMBYGA1UEBRMPMTMz +OTIvMjgtOS0yMDAwMRYwFAYDVQQDDA13d3cuaGFyaWNhLmdyMR0wGwYDVQQPDBRQ +cml2YXRlIE9yZ2FuaXphdGlvbjEXMBUGCysGAQQBgjc8AgEBDAZBdGhlbnMxFzAV +BgsrBgEEAYI3PAIBAgwGQXR0aWNhMRMwEQYLKwYBBAGCNzwCAQMTAkdSMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3wgeqDa+A4QIOrtYkcn18Pv5VVXc +7z2s5O8YlUY8bfzDowehM+X5vCiq0OwUzNnagxDUyAcMNvAaeEcngO6Zca46dmpQ +PaKNYqVVHU1EQXunxFfYze2dvAwg0I12pGQ0hUqQzzgcg3FJ0IeVdB/KeRbiervu +rwgu5oO71ukF2jLM/jiq0rAwYWXBi8G7oEO9HrDP/1B4NXVqU/00ctEcfOjqYx6K +ZqAi7qgS9fIPuaOj1CFuk3zi3jjEiBxv7rOWKGeqA3vXcaO9Qe+a09APdvZxbOsn +crmmpVosEYal2DwzzCorvLY1zpQismHTK8htO8/NMHYxJv6FQNOLTFJIwwIDAQAB +o4IEQjCCBD4wHwYDVR0jBBgwFoAUSDLHqH5iSp4FAN7Ol/pTG+CjTPwwcAYIKwYB +BQUHAQEEZDBiMD0GCCsGAQUFBzAChjFodHRwOi8vcmVwby5oYXJpY2EuZ3IvY2Vy +dHMvSGFyaWNhUVdBQ1N1YkNBUjEuY3J0MCEGCCsGAQUFBzABhhVodHRwOi8vb2Nz +cC5oYXJpY2EuZ3IwPQYDVR0RBDYwNIINd3d3LmhhcmljYS5ncoIJaGFyaWNhLmdy +gg13d3cuaGFyaWNhLmV1ggloYXJpY2EuZXUwYQYDVR0gBFowWDAHBgVngQwBATAJ +BgcEAIvsQAEEMEIGDCsGAQQBgc8RAQEBBTAyMDAGCCsGAQUFBwIBFiRodHRwczov +L3JlcG8uaGFyaWNhLmdyL2RvY3VtZW50cy9DUFMwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMIHWBggrBgEFBQcBAwSByTCBxjAVBggrBgEFBQcLAjAJBgcE +AIvsSQECMAgGBgQAjkYBATATBgYEAI5GAQYwCQYHBACORgEGAzCBjQYGBACORgEF +MIGCMD8WOWh0dHBzOi8vcmVwby5oYXJpY2EuZ3IvZG9jdW1lbnRzL1F1YWxpZmll +ZExlZ2FsUERTLUVOLnBkZhMCZW4wPxY5aHR0cHM6Ly9yZXBvLmhhcmljYS5nci9k +b2N1bWVudHMvUXVhbGlmaWVkTGVnYWxQRFMtRUwucGRmEwJlbDAfBgVngQwDAQQW 
+MBQTA05UUhMCRUwMCTA5OTAyODIyMDA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8v +Y3JsLmhhcmljYS5nci9IYXJpY2FRV0FDU3ViQ0FSMS5jcmwwHQYDVR0OBBYEFGq8 +9pLNjYE4iUWT5w2NJF0RYaVIMA4GA1UdDwEB/wQEAwIFoDCCAYAGCisGAQQB1nkC +BAIEggFwBIIBbAFqAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooA +AAGEqSO8NQAABAMARzBFAiAGm1yqRqcofGHJqUA9JNh50J2hE3GIY3HnGdsAF+Up +RwIhALG58OWVBbDTNUhqA0nJzDJXXGrqdVAiMOeH3JN3TzPRAHcAb1N2rDHwMRnY +mQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAGEqSO81wAABAMASDBGAiEAtmYL7A6l +rNjnTRReHuw6EXyuHSorxt46C6T1GnC4OfsCIQDEP6wQkuZBPmYZMlSf9ghqwFEz +XaMkPiIhDkZ/nSd2SQB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS +AAABhKkjvG0AAAQDAEgwRgIhAJdbfRRzlYOjsYH/QvNQPhxGX4w1Vj11hmcUy2Vy +Y0DmAiEA5ngwHaGHHnpt1bLU/d+Izr4tNgwSH5HhDOAvaZcR2aMwDQYJKoZIhvcN +AQELBQADggIBABWJGHjgwYhITbNid039xuQNdPPEjaP6dv+b2nzbxL66KZz2NejU +Idyey8Cd6YHwiq+9Xlvn/06u8JYe+hn23E5FaVJXkmf0FagFgKNF2dHWNVrn9I6L +/xWKpuOUQ473iXX2FnyFMkE6rTA4GGDvy8YQdhaVWXKkBeOKwgVgy/X5+cxuWuiX +XaD/EEu72CR2qMhO2nd9HK+g+IVR+stBQnmzPvPLFKryVqpeO5N1EMCOEqhgavNQ +KIn36V1WJ0VYcXstgZIm3uDYql/KaFZxDT2cCnsaJK1IV/jCVlq+87ANG/Cf7tAQ +Z1caPtInO59nqVSfN4XOvwddT2WiEnzfGhX3EBVdV0QSN2UA8ppzjx3V02BSOjGT +CBVQMbfS+Bdof250I3Vrp+8EbY48y0x+K3eHuBT+01ak1za0T2rxfvhFCgIZ1S/h +CJ/yvz1stk2UrfuPchRudSuhPkFwcEtCg7uYetAVt+yAFHaFmH6xywAnRxwvvf7D +RGbEa8ONm+pgjJYGyd51+LdyzMj46gsEIpuoOztz7xES9RDNtO1D8BStq+kdlpM2 +PYROMJzfvTcMYjsh0UwyRXgiUoSZmn25qRAjuCVWNPzKyK+IdNoRwsrBTVUsYMrQ +JDnDZXVvIY2ad6X9iQdpLTAWND6QPpmIEEg9RDIMUoq6z8qSwMnCXUS0 +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.subject.rdnSequence,EvSubscriberAttributeAllowanceValidator,WARNING,cabf.ev_guidelines.common_name_attribute_present, +certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_extension_present,Unknown extension present: 2.23.140.3.1 +certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_extension_present,Unknown extension 
present: 1.3.6.1.5.5.7.1.3 +certificate.tbsCertificate.extensions.9.extnValue.keyUsage,SubscriberKeyUsageValidator,WARNING,cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present, +certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.subject_key_identifier_extension_present, +certificate.tbsCertificate.extensions.8.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, +certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies.2.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present, +certificate.tbsCertificate.extensions.6.extnValue.cABFOrganizationIdentifier,CABFOrganizationIdentifierExtensionValidator,ERROR,cabf.serverauth.organization_identifier_ext_invalid_country,"Invalid country code for scheme ""NTR"": ""EL""" +certificate.tbsCertificate.subject.rdnSequence.3.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""NTR"": ""EL""" diff --git a/tests/integration_certificate/tls_br/ev_final_certificate/vat_el_org_id.crttest b/tests/integration_certificate/tls_br/ev_final_certificate/vat_el_org_id.crttest new file mode 100644 index 0000000..f09db10 --- /dev/null +++ b/tests/integration_certificate/tls_br/ev_final_certificate/vat_el_org_id.crttest 
@@ -0,0 +1,62 @@ +-----BEGIN CERTIFICATE----- +MIIJhjCCB26gAwIBAgIQcK2Vs8415AzSapDFAmsllDANBgkqhkiG9w0BAQsFADCB +wTELMAkGA1UEBhMCR1IxDzANBgNVBAcMBkF0aGVuczErMCkGA1UECgwiR3JlZWsg +VW5pdmVyc2l0aWVzIE5ldHdvcmsgKEdVbmV0KTEYMBYGA1UEYQwPVkFUR1ItMDk5 +MDI4MjIwMTcwNQYDVQQLDC5IZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2gg +SW5zdGl0dXRpb25zIENBMSEwHwYDVQQDDBhIQVJJQ0EgUVdBQyBSU0EgU3ViQ0Eg +UjEwHhcNMjIxMTI0MTAwNjM3WhcNMjMxMjI2MTAwNjE5WjCB9TELMAkGA1UEBhMC +R1IxDzANBgNVBAcMBkF0aGVuczEjMCEGA1UECgwaR3JlZWsgVW5pdmVyc2l0aWVz +IE5ldHdvcmsxGDAWBgNVBGEMD1ZBVEVMLTA5OTAyODIyMDEYMBYGA1UEBRMPMTMz +OTIvMjgtOS0yMDAwMRYwFAYDVQQDDA13d3cuaGFyaWNhLmdyMR0wGwYDVQQPDBRQ +cml2YXRlIE9yZ2FuaXphdGlvbjEXMBUGCysGAQQBgjc8AgEBDAZBdGhlbnMxFzAV +BgsrBgEEAYI3PAIBAgwGQXR0aWNhMRMwEQYLKwYBBAGCNzwCAQMTAkdSMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3wgeqDa+A4QIOrtYkcn18Pv5VVXc +7z2s5O8YlUY8bfzDowehM+X5vCiq0OwUzNnagxDUyAcMNvAaeEcngO6Zca46dmpQ +PaKNYqVVHU1EQXunxFfYze2dvAwg0I12pGQ0hUqQzzgcg3FJ0IeVdB/KeRbiervu +rwgu5oO71ukF2jLM/jiq0rAwYWXBi8G7oEO9HrDP/1B4NXVqU/00ctEcfOjqYx6K +ZqAi7qgS9fIPuaOj1CFuk3zi3jjEiBxv7rOWKGeqA3vXcaO9Qe+a09APdvZxbOsn +crmmpVosEYal2DwzzCorvLY1zpQismHTK8htO8/NMHYxJv6FQNOLTFJIwwIDAQAB +o4IEQjCCBD4wHwYDVR0jBBgwFoAUSDLHqH5iSp4FAN7Ol/pTG+CjTPwwcAYIKwYB +BQUHAQEEZDBiMD0GCCsGAQUFBzAChjFodHRwOi8vcmVwby5oYXJpY2EuZ3IvY2Vy +dHMvSGFyaWNhUVdBQ1N1YkNBUjEuY3J0MCEGCCsGAQUFBzABhhVodHRwOi8vb2Nz +cC5oYXJpY2EuZ3IwPQYDVR0RBDYwNIINd3d3LmhhcmljYS5ncoIJaGFyaWNhLmdy +gg13d3cuaGFyaWNhLmV1ggloYXJpY2EuZXUwYQYDVR0gBFowWDAHBgVngQwBATAJ +BgcEAIvsQAEEMEIGDCsGAQQBgc8RAQEBBTAyMDAGCCsGAQUFBwIBFiRodHRwczov +L3JlcG8uaGFyaWNhLmdyL2RvY3VtZW50cy9DUFMwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMIHWBggrBgEFBQcBAwSByTCBxjAVBggrBgEFBQcLAjAJBgcE +AIvsSQECMAgGBgQAjkYBATATBgYEAI5GAQYwCQYHBACORgEGAzCBjQYGBACORgEF +MIGCMD8WOWh0dHBzOi8vcmVwby5oYXJpY2EuZ3IvZG9jdW1lbnRzL1F1YWxpZmll +ZExlZ2FsUERTLUVOLnBkZhMCZW4wPxY5aHR0cHM6Ly9yZXBvLmhhcmljYS5nci9k +b2N1bWVudHMvUXVhbGlmaWVkTGVnYWxQRFMtRUwucGRmEwJlbDAfBgVngQwDAQQW 
+MBQTA1ZBVBMCRUwMCTA5OTAyODIyMDA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8v +Y3JsLmhhcmljYS5nci9IYXJpY2FRV0FDU3ViQ0FSMS5jcmwwHQYDVR0OBBYEFGq8 +9pLNjYE4iUWT5w2NJF0RYaVIMA4GA1UdDwEB/wQEAwIFoDCCAYAGCisGAQQB1nkC +BAIEggFwBIIBbAFqAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooA +AAGEqSO8NQAABAMARzBFAiAGm1yqRqcofGHJqUA9JNh50J2hE3GIY3HnGdsAF+Up +RwIhALG58OWVBbDTNUhqA0nJzDJXXGrqdVAiMOeH3JN3TzPRAHcAb1N2rDHwMRnY +mQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAGEqSO81wAABAMASDBGAiEAtmYL7A6l +rNjnTRReHuw6EXyuHSorxt46C6T1GnC4OfsCIQDEP6wQkuZBPmYZMlSf9ghqwFEz +XaMkPiIhDkZ/nSd2SQB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS +AAABhKkjvG0AAAQDAEgwRgIhAJdbfRRzlYOjsYH/QvNQPhxGX4w1Vj11hmcUy2Vy +Y0DmAiEA5ngwHaGHHnpt1bLU/d+Izr4tNgwSH5HhDOAvaZcR2aMwDQYJKoZIhvcN +AQELBQADggIBABWJGHjgwYhITbNid039xuQNdPPEjaP6dv+b2nzbxL66KZz2NejU +Idyey8Cd6YHwiq+9Xlvn/06u8JYe+hn23E5FaVJXkmf0FagFgKNF2dHWNVrn9I6L +/xWKpuOUQ473iXX2FnyFMkE6rTA4GGDvy8YQdhaVWXKkBeOKwgVgy/X5+cxuWuiX +XaD/EEu72CR2qMhO2nd9HK+g+IVR+stBQnmzPvPLFKryVqpeO5N1EMCOEqhgavNQ +KIn36V1WJ0VYcXstgZIm3uDYql/KaFZxDT2cCnsaJK1IV/jCVlq+87ANG/Cf7tAQ +Z1caPtInO59nqVSfN4XOvwddT2WiEnzfGhX3EBVdV0QSN2UA8ppzjx3V02BSOjGT +CBVQMbfS+Bdof250I3Vrp+8EbY48y0x+K3eHuBT+01ak1za0T2rxfvhFCgIZ1S/h +CJ/yvz1stk2UrfuPchRudSuhPkFwcEtCg7uYetAVt+yAFHaFmH6xywAnRxwvvf7D +RGbEa8ONm+pgjJYGyd51+LdyzMj46gsEIpuoOztz7xES9RDNtO1D8BStq+kdlpM2 +PYROMJzfvTcMYjsh0UwyRXgiUoSZmn25qRAjuCVWNPzKyK+IdNoRwsrBTVUsYMrQ +JDnDZXVvIY2ad6X9iQdpLTAWND6QPpmIEEg9RDIMUoq6z8qSwMnCXUS0 +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.subject.rdnSequence,EvSubscriberAttributeAllowanceValidator,WARNING,cabf.ev_guidelines.common_name_attribute_present, +certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_extension_present,Unknown extension present: 2.23.140.3.1 +certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_extension_present,Unknown extension 
present: 1.3.6.1.5.5.7.1.3 +certificate.tbsCertificate.extensions.9.extnValue.keyUsage,SubscriberKeyUsageValidator,WARNING,cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present, +certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.subject_key_identifier_extension_present, +certificate.tbsCertificate.extensions.8.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, +certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies.2.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present,