From 4c1c97dfec442df209c3fac38ce90cd659da68e2 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Fri, 22 Nov 2024 11:32:53 -0500 Subject: [PATCH] Add public key algorithm <-> Key Usage value consistency validator --- pkilint/cabf/serverauth/finding_metadata.csv | 8 +- pkilint/cabf/smime/finding_metadata.csv | 6 + pkilint/itu/bitstring.py | 4 + pkilint/pkix/certificate/__init__.py | 1 + pkilint/pkix/certificate/certificate_key.py | 179 +++++++++++++++++- .../pkix/ecdsa_with_null_sigalg_param.crttest | 1 + .../pkix/mldsa44_root.crttest | 90 +++++++++ .../rsa_kus_in_ecdsa_cert.crttest | 3 +- .../legacy/invalid_ku_for_ecdsa.crttest | 3 +- .../ecdsa_keyencipherment.crttest | 1 + .../prohibited_ku.crttest | 1 + .../ocsp_nocheck_missing.crttest | 1 + .../bad_rsa_exponent.crttest | 1 + 13 files changed, 295 insertions(+), 4 deletions(-) create mode 100644 tests/integration_certificate/pkix/mldsa44_root.crttest diff --git a/pkilint/cabf/serverauth/finding_metadata.csv b/pkilint/cabf/serverauth/finding_metadata.csv index b965e4e..78000c1 100644 --- a/pkilint/cabf/serverauth/finding_metadata.csv +++ b/pkilint/cabf/serverauth/finding_metadata.csv @@ -221,7 +221,12 @@ ERROR,pkix.ip_address_name_constraint_invalid_cidr,"RFC 5280 4.1.2.10: ""For IPv ERROR,pkix.ip_address_name_constraint_wrong_length,"RFC 5280 4.1.2.10: ""For IPv4 addresses, the iPAddress field of GeneralName MUST contain eight (8) octets, encoded in the style of RFC 4632 (CIDR) to represent an address range [RFC4632]. For IPv6 addresses, the iPAddress field MUST contain 32 octets similarly encoded.""" ERROR,pkix.ip_address_wrong_length,"RFC 5280 4.1.2.6: ""For IP version 4, as specified in [RFC791], the octet string MUST contain exactly four octets. For IP version 6, as specified in [RFC2460], the octet string MUST contain exactly sixteen octets.""" ERROR,pkix.issuer_unique_id_present,"RFC 5280 4.1.2.8: ""CAs conforming to this profile MUST NOT generate certificates with unique identifiers""" -ERROR,pkix.name_constraints_in_ee_certificate,"RFC 5280 4.2.1.10: ""The name constraints extension, which MUST be used only in a CA certificate�""" +ERROR,pkix.key_usage_value_prohibited_for_ec,"RFC 8813 3: If the keyUsage extension is present in a certificate that indicates id-ecPublicKey in SubjectPublicKeyInfo, then the following values MUST NOT be present..." +ERROR,pkix.key_usage_value_prohibited_for_edwards_curve,"RFC 9295 3: and any of the following MUST NOT be present..." +ERROR,pkix.key_usage_value_required_but_missing_for_edwards_curve,"RFC 9295 3: If the keyUsage extension is present in a certificate that indicates id-X25519 or id-X448 in SubjectPublicKeyInfo, then the following MUST be present..." +ERROR,pkix.key_usage_value_prohibited_for_rsa,"RFC 3279 2.3.1: If the keyUsage extension is present in an end entity/CRL issuer/CA certificate which conveys an RSA public key, any combination of the following values MAY be present..." +ERROR,pkix.key_usage_value_prohibited_for_signature_algorithm,"Various RFCs specify the allowed keyUsage values for signature algorithms" +ERROR,pkix.name_constraints_in_ee_certificate,"RFC 5280 4.2.1.10: ""The name constraints extension, which MUST be used only in a CA certificate""" ERROR,pkix.name_constraints_maximum_specified,"RFC 5280 4.2.1.10: ""Within this profile, the minimum and maximum fields are not used with any name forms, thus, the minimum MUST be zero, and maximum MUST be absent""" ERROR,pkix.name_constraints_no_subtrees,"RFC 5280 4.2.1.10: ""Conforming CAs MUST NOT issue certificates where name constraints is an empty sequence.""" ERROR,pkix.name_constraints_non_default_minimum,"RFC 5280 4.2.1.10: ""Within this profile, the minimum and maximum fields are not used with any name forms, thus, the minimum MUST be zero, and maximum MUST be absent""" @@ -305,6 +310,7 @@ NOTICE,cabf.serverauth.unparsed_common_name_encountered,Validates that the conte NOTICE,cabf.serverauth.unparsed_san_extension_encountered,Validates that the content of the commonName attribute conforms to BR 7.1.4.3. NOTICE,pkix.aki_absent_self_issued_and_unsupported_public_key_algorithm,Authority Key Identifier extension is absent is a self-issued certificate and the certificate certifies a public key of an unsupported algorithm. NOTICE,pkix.certificate_policies_policy_has_qualifier,"RFC 5280 4.2.1.4: ""To promote interoperability, this profile RECOMMENDS that policy information terms consist of only an OID. Where an OID alone is insufficient, this profile strongly recommends that the use of qualifiers be limited to those identified in this section""" +NOTICE,pkix.public_key_algorithm_unsupported,"The algorithm of the certified public key is not supported" NOTICE,pkix.ldap_uri_not_validated,": Notice that the linter encountered a LDAP URI but did not validate the correctness of the URI, as support for LDAP validation has not (yet) been implemented. This NOTICE should probably be of a lower severity or supressed entirely." NOTICE,pkix.unknown_subject_key_identifier_calculation_method,RFC 5280 4.2.1.2: The Subject key identifier was not calculated using one of the algorithms defined in RFC 5280 INFO,pkix.subject_key_identifier_method_1_identified,RFC 5280 4.2.1.2: The Subject key identifier was calculated using the first algorithm defined in RFC 5280 diff --git a/pkilint/cabf/smime/finding_metadata.csv b/pkilint/cabf/smime/finding_metadata.csv index 44eb206..fdea8d3 100644 --- a/pkilint/cabf/smime/finding_metadata.csv +++ b/pkilint/cabf/smime/finding_metadata.csv @@ -97,6 +97,11 @@ ERROR,pkix.ip_address_name_constraint_invalid_cidr,RFC 5280 4.1.2.10,"""For IPv4 ERROR,pkix.ip_address_name_constraint_wrong_length,RFC 5280 4.1.2.10,"""For IPv4 addresses, the iPAddress field of GeneralName MUST contain eight (8) octets, encoded in the style of RFC 4632 (CIDR) to represent an address range [RFC4632]. For IPv6 addresses, the iPAddress field MUST contain 32 octets similarly encoded.""" ERROR,pkix.ip_address_wrong_length,RFC 5280 4.1.2.6,"""For IP version 4, as specified in [RFC791], the octet string MUST contain exactly four octets. For IP version 6, as specified in [RFC2460], the octet string MUST contain exactly sixteen octets.""" ERROR,pkix.issuer_unique_id_present,RFC 5280 4.1.2.8,"""CAs conforming to this profile MUST NOT generate certificates with unique identifiers""" +ERROR,pkix.key_usage_value_prohibited_for_ec,RFC 8813 3,"If the keyUsage extension is present in a certificate that indicates id-ecPublicKey in SubjectPublicKeyInfo, then the following values MUST NOT be present..." +ERROR,pkix.key_usage_value_prohibited_for_edwards_curve,RFC 9295 3,"... and any of the following MUST NOT be present..." +ERROR,pkix.key_usage_value_required_but_missing_for_edwards_curve,RFC 9295 3,"If the keyUsage extension is present in a certificate that indicates id-X25519 or id-X448 in SubjectPublicKeyInfo, then the following MUST be present..." +ERROR,pkix.key_usage_value_prohibited_for_rsa,RFC 3279 2.3.1,"If the keyUsage extension is present in an end entity/CRL issuer/CA certificate which conveys an RSA public key, any combination of the following values MAY be present..." +ERROR,pkix.key_usage_value_prohibited_for_signature_algorithm,,"Various RFCs specify the allowed keyUsage values for signature algorithms" ERROR,pkix.name_constraints_in_ee_certificate,RFC 5280 4.2.1.10,"""The name constraints extension, which MUST be used only in a CA certificate�""" ERROR,pkix.name_constraints_maximum_specified,RFC 5280 4.2.1.10,"""Within this profile, the minimum and maximum fields are not used with any name forms, thus, the minimum MUST be zero, and maximum MUST be absent""" ERROR,pkix.name_constraints_no_subtrees,RFC 5280 4.2.1.10,"""Conforming CAs MUST NOT issue certificates where name constraints is an empty sequence.""" @@ -146,6 +151,7 @@ NOTICE,googl.gmail.authority_info_access_ca_issuers_missing,https://support.goog NOTICE,googl.prohibited_rsa_modulus_length,https://support.google.com/a/answer/7300887?hl=en&ref_topic=9061730&sjid=12609481378327192584-NA,"""rsaEncryption with an RSA modulus of 2048, 3072, or 4096""" NOTICE,pkix.aki_absent_self_issued_and_unsupported_public_key_algorithm,,Authority Key Identifier extension is absent is a self-issued certificate and the certificate certifies a public key of an unsupported algorithm. NOTICE,pkix.certificate_policies_policy_has_qualifier,RFC 5280 4.2.1.4,"""To promote interoperability, this profile RECOMMENDS that policy information terms consist of only an OID. Where an OID alone is insufficient, this profile strongly recommends that the use of qualifiers be limited to those identified in this section""" +NOTICE,pkix.public_key_algorithm_unsupported,,"The algorithm of the certified public key is not supported" NOTICE,pkix.ldap_uri_not_validated,,"Notice that the linter encountered a LDAP URI but did not validate the correctness of the URI, as support for LDAP validation has not (yet) been implemented. This NOTICE should probably be of a lower severity or supressed entirely." NOTICE,pkix.unknown_subject_key_identifier_calculation_method,RFC 5280 4.2.1.2,The Subject key identifier was not calculated using one of the algorithms defined in RFC 5280 INFO,pkix.subject_key_identifier_method_1_identified,RFC 5280 4.2.1.2,The Subject key identifier was calculated using the first algorithm defined in RFC 5280 diff --git a/pkilint/itu/bitstring.py b/pkilint/itu/bitstring.py index 7580345..ffafb4a 100644 --- a/pkilint/itu/bitstring.py +++ b/pkilint/itu/bitstring.py @@ -1,3 +1,7 @@ def has_named_bit(node, bit_name): bit = node.pdu.namedValues[bit_name] return len(node.pdu) > bit and node.pdu[bit] != 0 + + +def get_asserted_bit_set(node): + return {str(b) for b in node.pdu.namedValues if has_named_bit(node, str(b))} diff --git a/pkilint/pkix/certificate/__init__.py b/pkilint/pkix/certificate/__init__.py index 6abfcc4..9b7dced 100644 --- a/pkilint/pkix/certificate/__init__.py +++ b/pkilint/pkix/certificate/__init__.py @@ -306,6 +306,7 @@ def create_extensions_validator_container(additional_validators=None): certificate_extension.SubjectKeyIdentifierCriticalityValidator(), certificate_extension.KeyUsageCriticalityValidator(), certificate_extension.KeyUsageValidator(), + certificate_key.SpkiKeyUsageConsistencyValidator(), general_name.UriSyntaxValidator(pdu_class=rfc5280.CPSuri), general_name.GeneralNameValidatorContainer(), certificate_extension.DuplicatePolicyValidator(), diff --git a/pkilint/pkix/certificate/certificate_key.py b/pkilint/pkix/certificate/certificate_key.py index 5f00bdf..5c158e1 100644 --- a/pkilint/pkix/certificate/certificate_key.py +++ b/pkilint/pkix/certificate/certificate_key.py @@ -4,9 +4,11 @@ from pyasn1.codec.der.encoder import encode from pyasn1.error import PyAsn1Error from pyasn1.type import univ -from pyasn1_alt_modules import rfc5280 +from pyasn1_alt_modules import rfc5280, rfc8410, rfc3279, rfc5480 from pkilint import validation, util, document +from pkilint.itu import bitstring +from pkilint.pkix.certificate.certificate_extension import KeyUsageBitName from pkilint.pkix.key import verify_signature @@ -222,3 +224,178 @@ def validate(self, node): raise validation.ValidationFindingEncountered( self._validations[0], f"Prohibited encoding: {encoded_str}" ) + + +class SpkiKeyUsageConsistencyValidator(validation.Validator): + # all bits are allowed except for keyAgreement, see RFC 4055 section 1.2 + _RSA_ALLOWED_KEY_USAGES = { + KeyUsageBitName.DIGITAL_SIGNATURE, + KeyUsageBitName.NON_REPUDIATION, + KeyUsageBitName.KEY_CERT_SIGN, + KeyUsageBitName.CRL_SIGN, + KeyUsageBitName.KEY_ENCIPHERMENT, + KeyUsageBitName.DATA_ENCIPHERMENT, + KeyUsageBitName.DECIPHER_ONLY, + KeyUsageBitName.ENCIPHER_ONLY, + } + VALIDATION_RSA_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.key_usage_value_prohibited_for_rsa", + ) + + # all bits are allowed except for keyEncipherment and dataEncipherment, see RFC 8813 section 3 + _EC_ALLOWED_KEY_USAGES = { + KeyUsageBitName.DIGITAL_SIGNATURE, + KeyUsageBitName.NON_REPUDIATION, + KeyUsageBitName.KEY_CERT_SIGN, + KeyUsageBitName.CRL_SIGN, + KeyUsageBitName.KEY_AGREEMENT, + KeyUsageBitName.DECIPHER_ONLY, + KeyUsageBitName.ENCIPHER_ONLY, + } + VALIDATION_EC_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.key_usage_value_prohibited_for_ec", + ) + + # see RFC 9295, section 3 + _X448_AND_X25519_REQUIRED_KEY_USAGES = { + KeyUsageBitName.KEY_AGREEMENT, + } + VALIDATION_EDWARDS_MISSING_REQUIRED_KEY_USAGE_VALUE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.key_usage_value_required_but_missing_for_edwards_curve", + ) + + _X448_AND_X25519_ALLOWED_KEY_USAGES = { + KeyUsageBitName.KEY_AGREEMENT, + KeyUsageBitName.DECIPHER_ONLY, + KeyUsageBitName.ENCIPHER_ONLY, + } + VALIDATION_EDWARDS_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.key_usage_value_prohibited_for_edwards_curve", + ) + + _SIGNATURE_ALGORITHM_ALLOWED_KEY_USAGES = { + KeyUsageBitName.DIGITAL_SIGNATURE, + KeyUsageBitName.NON_REPUDIATION, + KeyUsageBitName.KEY_CERT_SIGN, + KeyUsageBitName.CRL_SIGN, + } + VALIDATION_SIGNATURE_ALGORITHM_PROHIBITED_KEY_USAGE_VALUE = ( + validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.key_usage_value_prohibited_for_signature_algorithm", + ) + ) + + # _KEM_ALLOWED_KEY_USAGES = {KeyUsageBitName.KEY_ENCIPHERMENT} + # VALIDATION_KEM_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( + # validation.ValidationFindingSeverity.ERROR, + # "pkix.prohibited_key_usage_value_kem", + # ) + + VALIDATION_UNSUPPORTED_PUBLIC_KEY_ALGORITHM = validation.ValidationFinding( + validation.ValidationFindingSeverity.NOTICE, + "pkix.public_key_algorithm_unsupported", + ) + + _KEY_USAGE_VALUE_ALLOWANCES = { + rfc3279.rsaEncryption: ( + (_RSA_ALLOWED_KEY_USAGES, VALIDATION_RSA_PROHIBITED_KEY_USAGE_VALUE), + None, + ), + rfc5480.id_ecPublicKey: ( + (_EC_ALLOWED_KEY_USAGES, VALIDATION_EC_PROHIBITED_KEY_USAGE_VALUE), + None, + ), + rfc8410.id_X448: ( + ( + _X448_AND_X25519_ALLOWED_KEY_USAGES, + VALIDATION_EDWARDS_PROHIBITED_KEY_USAGE_VALUE, + ), + ( + _X448_AND_X25519_REQUIRED_KEY_USAGES, + VALIDATION_EDWARDS_MISSING_REQUIRED_KEY_USAGE_VALUE, + ), + ), + rfc8410.id_X25519: ( + ( + _X448_AND_X25519_ALLOWED_KEY_USAGES, + VALIDATION_EDWARDS_PROHIBITED_KEY_USAGE_VALUE, + ), + ( + _X448_AND_X25519_REQUIRED_KEY_USAGES, + VALIDATION_EDWARDS_MISSING_REQUIRED_KEY_USAGE_VALUE, + ), + ), + rfc8410.id_Ed448: ( + ( + _SIGNATURE_ALGORITHM_ALLOWED_KEY_USAGES, + VALIDATION_SIGNATURE_ALGORITHM_PROHIBITED_KEY_USAGE_VALUE, + ), + None, + ), + rfc8410.id_Ed25519: ( + ( + _SIGNATURE_ALGORITHM_ALLOWED_KEY_USAGES, + VALIDATION_SIGNATURE_ALGORITHM_PROHIBITED_KEY_USAGE_VALUE, + ), + None, + ), + } + + def __init__(self): + super().__init__( + validations=[ + self.VALIDATION_UNSUPPORTED_PUBLIC_KEY_ALGORITHM, + self.VALIDATION_EC_PROHIBITED_KEY_USAGE_VALUE, + self.VALIDATION_EDWARDS_PROHIBITED_KEY_USAGE_VALUE, + self.VALIDATION_EDWARDS_MISSING_REQUIRED_KEY_USAGE_VALUE, + self.VALIDATION_RSA_PROHIBITED_KEY_USAGE_VALUE, + self.VALIDATION_SIGNATURE_ALGORITHM_PROHIBITED_KEY_USAGE_VALUE, + ], + pdu_class=rfc5280.KeyUsage, + ) + + def validate(self, node): + spki_alg_oid = node.navigate( + ":certificate.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm" + ).pdu + + allowances = self._KEY_USAGE_VALUE_ALLOWANCES.get(spki_alg_oid) + + if allowances is None: + raise validation.ValidationFindingEncountered( + self.VALIDATION_UNSUPPORTED_PUBLIC_KEY_ALGORITHM, + f"Unsupported public key algorithm: {str(spki_alg_oid)}", + ) + + allowed_values_and_finding, required_values_and_finding = allowances + allowed_values, prohibited_finding = allowed_values_and_finding + + bit_set = bitstring.get_asserted_bit_set(node) + + prohibited_bits = bit_set - allowed_values + + if any(prohibited_bits): + prohibited_ku_names = ", ".join(sorted(prohibited_bits)) + + raise validation.ValidationFindingEncountered( + prohibited_finding, + f"Prohibited key usage value(s) present: {prohibited_ku_names}", + ) + + if required_values_and_finding is not None: + required_values, missing_finding = required_values_and_finding + + missing_kus = required_values - bit_set + + if any(missing_kus): + missing_ku_names = ", ".join(sorted(missing_kus)) + + raise validation.ValidationFindingEncountered( + missing_finding, + f"Required key usage value(s) missing: {missing_ku_names}", + ) diff --git a/tests/integration_certificate/pkix/ecdsa_with_null_sigalg_param.crttest b/tests/integration_certificate/pkix/ecdsa_with_null_sigalg_param.crttest index 757ce27..3716483 100644 --- a/tests/integration_certificate/pkix/ecdsa_with_null_sigalg_param.crttest +++ b/tests/integration_certificate/pkix/ecdsa_with_null_sigalg_param.crttest @@ -26,3 +26,4 @@ node_path,validator,severity,code,message certificate.tbsCertificate.signature,AlgorithmIdentifierDecodingValidator,FATAL,itu.invalid_asn1_syntax,"Value node is present, but type OID 1.2.840.10045.4.3.3 specifies that it must be absent" certificate.tbsCertificate.extensions.7.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, certificate.signatureAlgorithm,SignatureAlgorithmMatchValidator,ERROR,pkix.certificate_signature_algorithm_mismatch,DER encoding of certificate.signatureAlgorithm and certificate.tbsCertificate.signature are not equal +certificate.tbsCertificate.extensions.8.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_ec,Prohibited key usage value(s) present: keyEncipherment diff --git a/tests/integration_certificate/pkix/mldsa44_root.crttest b/tests/integration_certificate/pkix/mldsa44_root.crttest new file mode 100644 index 0000000..ec0ef5f --- /dev/null +++ b/tests/integration_certificate/pkix/mldsa44_root.crttest @@ -0,0 +1,90 @@ +-----BEGIN CERTIFICATE----- +MIIPiDCCBf6gAwIBAgIUMMAaXou4x79YL5xY6GRJobexOUAwCwYJYIZIAWUDBAMR +MBwxGjAYBgNVBAMMEVJvb3QgTUxfRFNBXzQ0IENBMB4XDTI0MTEwMjE0MTAwMloX +DTI1MTEwMjE0MTAwMlowHDEaMBgGA1UEAwwRUm9vdCBNTF9EU0FfNDQgQ0EwggUy +MAsGCWCGSAFlAwQDEQOCBSEApWGih/ubYWcVrq7HbQLs87prh6NiJLqtRZjmc7jr +PiCW6qgyPOi4OmooavItB46vmhpHA3p8+whMjUUvKMGc/hlOkI6gjX/K9PQrQGNH +J0cjhK+1cmy1mb4Dr6CrSZWfFPrsTiml2+1jztCEl4TDOcjRW67KxtCrC3E+aUGx +z28/krHzXpIvCH5OQMwK6l+NTV987FQlfBXH8GDD/uhxpULkQN5RXe8FQ7moZqwy +gUxsAu/hbAk+qCWk8ixrkKuPqmosmQQgZIwwHwB2wfXUL+n5ICSumgQGZDoeJxbJ ++8FxhowSFbGAoadKUS6fir+k+UD7Ni83ULilUD6H2bSvxZC7Ctxfg5Spwovs6UWN +bOlqGK35A0A2Vx9aNZix0x1ktGVeJFKr70VL/53oE1H5T7SIO4/ehVjXHQ+7n//o +2t8pxDs1rT7jVduTGqoNuMbASBbmuPcRvPjQ8BM8fGI3FD570zjBqPB1ckuHxrm3 +FY3O8BYwe70aVkNvQBUPkT/AinqkrQ589AyEqoa8Z2p42OmYEE1wxfpxwT2xLHKI +nus76tTEJbUIg7AUqaD+SlB62Vk6hdHl0mXPM00co6RNX6r9q22Upx9Jc3/L8GgQ +8LsBK+G6/OFJznpJpuZ9RJj6h12nTuzaqRHhLo6MEn9vAWYxbo+eprvEQnDMBf6i +G8ex/6rijMox75LyVdb1ZpCHjd+MEu7OOvnxR7nP1vbz0a3Az5CGbNSgONbaPgMG +1o3AU630b7/RsB4m38llHAji/RQsjz94GXgpktI7rjhWhioiOAqP5rz69vDdWx04 +7sczAfG2YC59cNrmD95bBuVZ/HdpR/15OmMCBsG4PHrtZoMcBuLpjg9JHTU8paGy +1JmwzbmAlGNeAaV6363b8xSZX8kwb/a3pZazXMOiD6R1bzLYGrv2EHq093JN/6VA +5s/ERbIxBPLmhNBOsFjl16KizywhqSa513B4/OGBsdQngAFvP9nq2+KBLMUltSBz +z3Or3CptubY776pBKjeYDWBFN/kJoYF1JvCyQkJlMxdog2sLqe82p4t519E8dD5i +4e1MLTW2grY7YaOA0XhpuqeNUlF5sxLzO+owuAofDL9jW38cqw8baBxLrGKyFqFl +f8ONQhdJ57wEJ0827L8NGMVM+8ZZIli/YJacBW6hVIV0/PtaAB1Eh+vb1Ch5DV99 +yhcgWTdbeiuNPyL6awrLv5waCacQ/2dKrkY0AsZ9/oBWwnKfGhk2F8uR4qPJqV4Q +S8GsrIQ2HpVLRyyqV5ppQMrPfcV1oAOE0F9Ibrsu46gv4S6kk5ZfrLhhmUdzYFM/ +6l+GrR8atgHhtLQM7eyyiNsHehaofLRJ79QTI16pwyAQ9D2Y85dhqFXoQ32gVcLG +cDfK/JJ1wDz6gIOo13Ew+gCvcfVyzlbxqQtdGlG0/NeVHoriZgiNP58AlilD2u84 +5IeQ7mc4xoEt4FPVRiwweDkFX1lhXoPCTDVryU0jnF5T5JWayN7pSt/5c7Mmiwks +k+JHXK2zY2Lhna8VEmTnQfSvCHYLL59nlPRj9MNa8Jpe+Vxjm3JxpRbGgxmtv4EA +hR8i5EjlgrD8au0CtKMDUCwNbI/FQHCEj3GaIrj2BTsYJvfs+9zlKz99I9/pi/lY +mkFe7SdE3Ze7ly6scOuc118sZKixVBcl5nkVz7yYRanv0eqCvBDQEE98v3YfmTus +EUpqYh3RnwLxY2LAiLoi75bwMLoWdIE2DCyL6uj7T5+2VaNCMEAwHQYDVR0OBBYE +FI29U6PunbEUp2u+K3r+yaonBeNQMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ +BAQDAgGGMAsGCWCGSAFlAwQDEQOCCXUARJIaJJc/p+7IfGyr7LOq2VybiVZO3Jhn +IcEnpx1ob9Y3sKcD2TDBK2Tc7lKK/R9fzw3hhXktW0PBzFjZl/KxAzC2ORIBpGEI +mv3P9Bb0o8uD4yUnMYeXkZ2LHqbX+e8oIDqFgxzjIj5c5EMZZU9yrMEiJPQZOQsD +aL05mK/FNcxkrEESJHxjgqPfAJRKn9tWfb86WXOJF3KESCgiymAAcEBRKzA1IvcP +920qpI2CxbwtONcQj4e8EjMpHpF7Kw/N+kKf8cckwT5/oYqlixjlgxHEGEKMF2S4 +u6kwiREYG14/o4w8kljyTFngTanQ5rRDAWk3tde50I3s6WJvBKveGj1zY6A7Y/4L +IJddx2ldkXRzPLpmf062tqk1qbu3RrjfcLYObfg6c1SA/KzYrX9Yhmdp+ouO2dAw +fFsvhPx2O1sLaCQQ7DdSN8NVl2eSDtwMaIgOO9XwkAB9doI7nxg1fuOOE9RXD2Le +Teiyq+7r888e8LwxQAWXwqeC59sP3YmtOMKBQSPfCRqxeKBKhFAUplQ8LoX2CYG3 +dj1IhkV4wwBYqk2YI+9kIxoHXeHShhkQLHhsJjeb5tt1HqjLIsM2kd9agHT33q/Y +CsUIVW4kLDMkqrPNRdqNcQ+EpghTA6XRG0yE6OfJj48Vs6E7cDkhFmdYMpqbWKW5 +fETY5M5TGF2sRgUJGsrTT/9Zz4gkUlCw1v4mBXdHboxCxwCuJNEfmqOZw4u51+4h +IjfXfXot5isWE9DrDy8nN7oO6PQfFbzmOLz9ceaFW4bRVGaFK8HcCvZfdpGQTXeC +hFTux6My+VgUeSNeo0uDGNrvABeeIcYLPLY+TjGBM2+A/A+1DvK4+Giluhy6Cpor +BegunAB/hbvG8NLrgER9MLsHV67bQoUo9njTCdDXc8upfW49ij/j9RTHrqCTxpFh +iSYPUpq4aZLxks7wJT+cTJDIXfN6sc9/gd+/IKnKiry7bVcBoJJK2gmmXyeGk2EW +A2C6/rTdeOX+Mft9hPX0o+8LcZ413V/WToqT05u7bHKWl2q1pd5qfFH1Vl8/X8Pr +bJCqiNQf/K2Pk2ai7+RTiUAiQVZ++syth5Lj07MRzyfQbJ/VmK7IftVB4okZmbmK +CJYejcKdbzo5Jaxxq2/7wxplmv3i02rL8E7bdVYRbgn3EcvXkTAIL8uLmuwLoOrj +D2/RAgSaz6G27dFxDTcf1VGzAxSRh2RAw+AQud6hrEpShK/q5XdzQS7vk9FHUU1U +hOWbS0xIPH8fhG6YEztv1lUlRl5OY0a+QUQQNTNxZyKSPx7QJngZbEfJZegx6aQS +VVlqHy/WyNdM5iwOzovHSOY49Yo83SMNjYn8mxEmImQWVZt2Zxh8jh/iZNteQOuX +ys19qTJ0xBMHuUa366BkiqhtIN8LqM5XMqlj8T92vbLGvcJ8o1Zma9vQfNAXGx+Q +0VxbYkDYcug/cBO0phXWVUU0dZ/R7yDnl3n9kNgYYirTtGopoYhApw7Z8FxotCSJ +kC3Gk3OlwavMuK1UgAc1GU+3lLQ0QhaW6nL8JlJXolKuSb5EYoYbbowl61zh/18C +T1hUUra4i52ls8KOhKdXkorUa3ah+wwfic8lPSqb6iawGwPZrgmnY21WqUn4pMWo +5pu+/cdLvlSMTRBKl2GSA5GNa11keC8jodzVcaq3ZZ3PPpG9gPn8ACWWctBbVLJL +3WAYTL7l4es1XZ6s9rjVC1iaOxW/YM+i9HCdCyihAx0lIoXcmwUJ15lpB99A89VT +zwYAuxICy0HqAWbb3IgikFQ3X2sELUtglMrZifVKNig5EteJjVVTUGZa+6IHhyID +vfOfstJwG8xdX/TPOflbd/2uR8Hwa7S+oNQhM4FCBPF71fN8NqHTUIpVr3IWc9Bj +rdHHY9d30phWDyoHocu98qPWWxRlBaK1vtHJz3isQ2XGQQjppRBB7mqlSkYdUmQP +llb2TsG3fbX8SmRBEMnLSInlNk1CpUBWwixqTYNfmkiKGmj5VVL4tnhKxd8mhLN3 +n382+gSmXJgF7rascedPdvO69n9qb3hquLz1/7SU2H/oMpISHl0UqNnC1lz/ywPE +m3rTEAzWvBFqjmdKiCvUf1TcuvDNrIhfsquyb2ihdOHlHESUR8p8WI7DzCE9nOEu +vgQugFOhzKyPR60rscr+CFMT/mhExdRRlWMiaBRJL9vYieAYPO4y5/mWYVu0Rmg6 +gOpGMkB1WzSDoP+1qud3jF5ybIwbPIidKoyHiXGFygIX58tCmTNvE6/2oCtFH4nM +Rn/xolYfUEdUN1T6iO6ae041yoH4hCb/+9HKMPjJvXVdG4LuLjJOi2+hdWj7cbNn +PHV10UoPczOaBQCfuswN5UglUgp3PJbH26+OE69Wfem0tb/cZnhaLY5fg24EhzO/ +vESAFWoB+h9zo7RF+VhShLzBRWUXIyYzwzuVCuQWTjg1GWh2kytyiWjR5tvWSsAK +dW292RNJ/fNkC4BCL8X81Q+7wMroOU32QwncsD4rfdErymzlPAV/CzyicjcPSqWG +cOgrFeHteRoLwdz65y+Ntv2QQTxoqvWaLFsJU+gvQvApidf2CbdbmUSg00tr2o5a +NF3+RjfxB292ZblluDer61CcD9oofwZbj7CAhs1ObXJfzoaAqjs/RHbFz6Za3fky +oeDaS36qlzJKIXboXZnYTjKFL+6S5HCfTTI6APj6Mi6OBUFeppgxIRCwvPh/ny7U +GyudygoWbjo2S9U0lQYk2kCAldP7sSBtaNwdR8xVuc1Ozc7he/DC4I5zQaY1xVNB +On39dwibxRIq5gLIUvOSks3UMqZSrHpu/uETmBKMw4wNrVmzLRa40NZzqZ+oBHYk +anfvPTJHYf1HK14Vxa05s5rJrO/sSgnfBTL09OXfaLue7G3D4a/0WTiPkS1Fxs+l +ysirBEfSAIO2lxArXVhrmo1v28JzWynCAVDrzw1zQ5JwcbjU9DcXR2ka4q1eAkfY +mtW5ewDtMV3MCfrlFhAmsKNZZMv3LKaRm3lJExhSHrmqp4eIo4Jiwep0Hfh2PvQv +YNuixctKaeFUW6J1qIEi7SQ0n3wR0KM44FcCQ3LaZEYG7U/zVgI552D9+kJJENEB +2cf0wA+wFkgTGTtETV1gh4qLlZexusLT1dzd6+z5/xATHCVAUnJ+kpScssnW19jd +8iFPUmBxdn+RqrC6vsDGyc3f7fDx9PoCMVpmZ3J/hJ2lwd7yAAAAABcpP0w= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_public_key_algorithm,Self-issued certificate certifies a public key of unsupported algorithm: 2.16.840.1.101.3.4.3.17 +certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, +certificate.tbsCertificate.extensions.2.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,NOTICE,pkix.public_key_algorithm_unsupported,Unsupported public key algorithm: 2.16.840.1.101.3.4.3.17 diff --git a/tests/integration_certificate/smime_br/individual/multipurpose/rsa_kus_in_ecdsa_cert.crttest b/tests/integration_certificate/smime_br/individual/multipurpose/rsa_kus_in_ecdsa_cert.crttest index 2e89882..984a30f 100644 --- a/tests/integration_certificate/smime_br/individual/multipurpose/rsa_kus_in_ecdsa_cert.crttest +++ b/tests/integration_certificate/smime_br/individual/multipurpose/rsa_kus_in_ecdsa_cert.crttest @@ -29,7 +29,8 @@ x6NMd5NzKaQBkxac7ZOe63+BXaDRpHr7TFoOqOQyOgkfLs8+XOtcHvAre+D2G05Z qgCUv3f4g2LbLJBywkhfzP27/MEmiVJZJT2CohNraBqsIM/e5Fm0ZyQGXqN9XZE1 +gZVoI9M9UZPJosgeY5TAeU= -----END CERTIFICATE----- + node_path,validator,severity,code,message certificate.tbsCertificate.extensions.1.extnValue.keyUsage,AllowedKeyUsageValidator,ERROR,cabf.smime.prohibited_ku_present,"Prohibited KUs present: dataEncipherment, keyEncipherment" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, - +certificate.tbsCertificate.extensions.1.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_ec,"Prohibited key usage value(s) present: dataEncipherment, keyEncipherment" diff --git a/tests/integration_certificate/smime_br/mailbox/legacy/invalid_ku_for_ecdsa.crttest b/tests/integration_certificate/smime_br/mailbox/legacy/invalid_ku_for_ecdsa.crttest index 601fca5..c303928 100644 --- a/tests/integration_certificate/smime_br/mailbox/legacy/invalid_ku_for_ecdsa.crttest +++ b/tests/integration_certificate/smime_br/mailbox/legacy/invalid_ku_for_ecdsa.crttest @@ -24,6 +24,7 @@ dO/vCa5iFV9STu9T/leyoJoOjupGsidCjwWVuA4pbSJqAjTinUpVD7uhUObrvbRh bSvB2wsr/1F4LfQ9YGsZqzGEouB2mo/hkofrsfMmZ0efKzwl/ujrFWC0UgQ1IZNw VfoxrTkgOp+eSMsOOXw3yh4= -----END CERTIFICATE----- + node_path,validator,severity,code,message certificate.tbsCertificate.validity.notBefore,ValidityPeriodThresholdsValidator,ERROR,cabf.smime.certificate_validity_period_exceeds_1185_days,"Validity period of 1188 days, 0:00:01 exceeds maximum value of relativedelta(days=+1185)" certificate.tbsCertificate.subject.rdnSequence,SubscriberSubjectValidator,ERROR,cabf.smime.prohibited_attribute,Prohibited other attribute: 2.5.4.13 @@ -31,4 +32,4 @@ certificate.tbsCertificate.extensions.0.extnValue.keyUsage,AllowedKeyUsageValida certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, certificate.tbsCertificate.extensions.9.extnValue.certificatePolicies,RequiredPolicyIdentifierValidator,ERROR,cabf.smime.no_required_reserved_policy_oid,Required policy OID 2.23.140.1.5.1.1 is missing certificate.tbsCertificate.extensions.9.extnValue.certificatePolicies.0,CertificatePolicyQualifierValidator,NOTICE,pkix.certificate_policies_policy_has_qualifier, - +certificate.tbsCertificate.extensions.0.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_ec,Prohibited key usage value(s) present: keyEncipherment diff --git a/tests/integration_certificate/tls_br/dv_final_certificate/ecdsa_keyencipherment.crttest b/tests/integration_certificate/tls_br/dv_final_certificate/ecdsa_keyencipherment.crttest index acf247c..8dd26e5 100644 --- a/tests/integration_certificate/tls_br/dv_final_certificate/ecdsa_keyencipherment.crttest +++ b/tests/integration_certificate/tls_br/dv_final_certificate/ecdsa_keyencipherment.crttest @@ -38,3 +38,4 @@ certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARN certificate.tbsCertificate.subject.rdnSequence,DvSubcriberAttributeAllowanceValidator,WARNING,cabf.serverauth.dv.common_name_attribute_present, certificate.tbsCertificate.extensions.7.extnValue.keyUsage,SubscriberKeyUsageValidator,ERROR,cabf.serverauth.subscriber_prohibited_ku_present,Prohibited KU present: keyEncipherment certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies.0.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present, +certificate.tbsCertificate.extensions.7.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_ec,Prohibited key usage value(s) present: keyEncipherment diff --git a/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/prohibited_ku.crttest b/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/prohibited_ku.crttest index f84550f..b2cfba5 100644 --- a/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/prohibited_ku.crttest +++ b/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/prohibited_ku.crttest @@ -29,3 +29,4 @@ BgEFBQcDAjAKBggqhkjOPQQDAgNIADBFAiEA0ogNLOEzJ/xpj2nk3+Mn9ywywdWa node_path,validator,severity,code,message certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, certificate.tbsCertificate.extensions.1.extnValue.keyUsage,CaKeyUsageValidator,ERROR,cabf.ca_certificate_prohibited_ku_present,Prohibited KUs present: keyAgreement +certificate.tbsCertificate.extensions.1.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_rsa,Prohibited key usage value(s) present: keyAgreement diff --git a/tests/integration_certificate/tls_br/ocsp_responder/ocsp_nocheck_missing.crttest b/tests/integration_certificate/tls_br/ocsp_responder/ocsp_nocheck_missing.crttest index e3ddb6b..8d15038 100644 --- a/tests/integration_certificate/tls_br/ocsp_responder/ocsp_nocheck_missing.crttest +++ b/tests/integration_certificate/tls_br/ocsp_responder/ocsp_nocheck_missing.crttest @@ -33,3 +33,4 @@ certificate.tbsCertificate.signature,ServerauthAllowedSignatureAlgorithmEncoding certificate,SubjectKeyIdentifierPresenceValidator,WARNING,pkix.certificate_skid_end_entity_missing, certificate.tbsCertificate.subject.rdnSequence.3.0.value.emailAddress,SubjectEmailAddressInSanValidator,ERROR,pkix.subject_email_address_not_in_san,Certificate does not have SAN extension certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,WARNING,cabf.serverauth.ca.unknown_attribute_present,Unknown attribute present: 1.2.840.113549.1.9.1 +certificate.tbsCertificate.extensions.0.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_rsa,Prohibited key usage value(s) present: keyAgreement diff --git a/tests/integration_certificate/tls_br/ov_final_certificate/bad_rsa_exponent.crttest b/tests/integration_certificate/tls_br/ov_final_certificate/bad_rsa_exponent.crttest index a03e8a4..f382a91 100644 --- a/tests/integration_certificate/tls_br/ov_final_certificate/bad_rsa_exponent.crttest +++ b/tests/integration_certificate/tls_br/ov_final_certificate/bad_rsa_exponent.crttest @@ -58,3 +58,4 @@ certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARN certificate.tbsCertificate.extensions.6.extnValue.certificatePolicies.1.policyQualifiers.1.qualifier.userNotice,CertificatePoliciesUserNoticeValidator,ERROR,pkix.rfc5280_certificate_policies_invalid_explicit_text_encoding,Invalid encoding: visibleString certificate.tbsCertificate.extensions.1,SubscriberExtensionCriticalityValidator,ERROR,cabf.serverauth.subscriber.non_critical_key_usage_extension, certificate.tbsCertificate.subject.rdnSequence,OvSubscriberAttributeAllowanceValidator,WARNING,cabf.serverauth.ov.unknown_attribute_present,Unknown attribute present: 1.2.840.113549.1.9.1 +certificate.tbsCertificate.extensions.1.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_rsa,Prohibited key usage value(s) present: keyAgreement