From 5076b96e068e40b91970be859240d51997fc9c7c Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Wed, 28 Aug 2024 09:24:29 -0400 Subject: [PATCH] Use pyasn1-fasder for ASN.1 DER decoding (#98) * Use pyasn1-fasder decoding by default * Delete references to removed validations * Change update template * Update CHANGELOG.md * Add trailing newline --- CHANGELOG.md | 6 ++ README.md | 1 + VERSION.txt | 2 +- pkilint/cabf/serverauth/finding_metadata.csv | 2 - pkilint/cabf/smime/finding_metadata.csv | 2 - pkilint/document.py | 50 ++----------- pkilint/itu/bitstring.py | 38 ---------- pkilint/itu/string.py | 27 ------- pkilint/pkix/certificate/__init__.py | 4 - pkilint/pkix/crl/__init__.py | 5 +- pkilint/pkix/crl/crl_validator.py | 19 +++++ pkilint/pkix/ocsp/__init__.py | 4 - setup.cfg | 1 + .../bad_bc_extension_encoding.crttest | 2 +- .../pkix/crldp_dp_reasons_not_der.crttest | 7 +- .../pkix/old_lamps_smime_example.crttest | 4 +- .../pkix/root_bad_ku_encoding.crttest | 4 +- .../pkix/trailing_octet_in_ku_value.crttest | 4 +- .../bad_qc_statementinfo_encoding.crttest | 4 +- .../dv_final_certificate/bad_ku_der.crttest | 2 +- .../cert_policies_not_der.crttest | 2 +- .../prohibited_printablestring_char.crttest | 2 +- tests/itu/__init__.py | 0 tests/itu/test_bitstring.py | 53 ------------- tests/itu/test_string.py | 74 ------------------- tests/pkix/crl/test_pkix_crl.py | 70 ++++++++++++++++++ 26 files changed, 120 insertions(+), 269 deletions(-) delete mode 100644 pkilint/itu/string.py delete mode 100644 tests/itu/__init__.py delete mode 100644 tests/itu/test_bitstring.py delete mode 100644 tests/itu/test_string.py create mode 100644 tests/pkix/crl/test_pkix_crl.py diff --git a/CHANGELOG.md b/CHANGELOG.md index ff932a6..63d7fe6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,12 @@ All notable changes to this project from version 0.9.3 onwards are documented in this file. +## 0.11.4 - 2024-08-28 + +### New features/enhancements + +- Use pyasn1-fasder for ASN.1 DER decoding by default (#98) + ## 0.11.3 - 2024-07-17 ### Fixes diff --git a/README.md b/README.md index e6948f1..36e34be 100644 --- a/README.md +++ b/README.md @@ -429,6 +429,7 @@ pkilint is built on several open source packages. In particular, these packages | publicsuffixlist | Mozilla Public License 2.0 (MPL 2.0) | ko-zu | https://github.com/ko-zu/psl | | pyasn1 | BSD License | Christian Heimes and Simon Pichugin | https://github.com/pyasn1/pyasn1 | | pyasn1-alt-modules | BSD License | Russ Housley | https://github.com/russhousley/pyasn1-alt-modules | +| pyasn1-fasder | MIT License | Corey Bonnell | https://github.com/cbonnell/pyasn1-fasder | | python-dateutil | Apache Software License; BSD License | Gustavo Niemeyer | https://github.com/dateutil/dateutil | | python-iso639 | Apache Software License | Jackson L. Lee | https://github.com/jacksonllee/iso639 | | validators | MIT License | Konsta Vesterinen | https://github.com/kvesteri/validators | diff --git a/VERSION.txt b/VERSION.txt index 2bb6a82..aa3545d 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -0.11.3 \ No newline at end of file +0.11.4 \ No newline at end of file diff --git a/pkilint/cabf/serverauth/finding_metadata.csv b/pkilint/cabf/serverauth/finding_metadata.csv index f32129c..6d559bf 100644 --- a/pkilint/cabf/serverauth/finding_metadata.csv +++ b/pkilint/cabf/serverauth/finding_metadata.csv 
@@ -184,8 +184,6 @@ ERROR,cabf.serverauth.subscriber_missing_reserved_policy_oid,Validates that the ERROR,cabf.serverauth.subscriber_prohibited_ku_present,Validates that the content of the key usage extension conforms with BR 7.1.2.7.11. ERROR,cabf.serverauth.subscriber_required_ku_missing,Validates that the content of the key usage extension conforms with BR 7.1.2.7.11. ERROR,cabf.serverauth.subscriber_stateprovince_and_locality_missing,"Validates that the stateOrProvinceName and/or localityName subject attributes are present, as per EVG 9.2.6, BR 7.1.2.7.3, and BR 7.1.2.7.4." -ERROR,itu.bitstring_not_der_encoded,"X.690 2002-07, clause 11.2.2: ""Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 21.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded""" -ERROR,itu.invalid_printablestring_character,"X.680 2002-07, clause 37.4: ""Table 8 lists the characters which can appear in the PrintableString type and PrintableString character abstract syntax""" ERROR,pkix.aki_with_cert_issuer_but_serial_number_absent,"RFC 5280 4.2.1.1: ""The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or the issuer name and serial number""" ERROR,pkix.aki_with_serial_number_but_cert_issuer_absent,"RFC 5280 4.2.1.1: ""The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or the issuer name and serial number""" ERROR,pkix.authority_information_access_extension_critical,"RFC 5280 4.2.2.1: ""Conforming CAs MUST mark this extension as non-critical.""" diff --git a/pkilint/cabf/smime/finding_metadata.csv b/pkilint/cabf/smime/finding_metadata.csv index 89f32fb..58144fe 100644 --- a/pkilint/cabf/smime/finding_metadata.csv +++ b/pkilint/cabf/smime/finding_metadata.csv 
@@ -63,8 +63,6 @@ ERROR,cabf.smime.unsupported_public_key_type,SMBR 7.1.3.1, ERROR,cabf.smime.usernotice_has_noticeref,SMBR 7.1.2.3 (a),"""If a qualifier of type id-qt-unotice (OID: 1.3.6.1.5.5.7.2.2) is included, then it SHALL contain explicitText and SHALL NOT contain noticeRef""" ERROR,iso.lei.invalid_lei_checksum,ISO 17442,LEI checksum character is incorrect ERROR,iso.lei.invalid_lei_format,ISO 17442,LEI value format is not correct -ERROR,itu.bitstring_not_der_encoded,"X.690 2002-07, clause 11.2.2","""Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 21.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded""" -ERROR,itu.invalid_printablestring_character,"X.680 2002-07, clause 37.4","""Table 8 lists the characters which can appear in the PrintableString type and PrintableString character abstract syntax""" ERROR,msft.invalid_user_principal_name_syntax,https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties,"""A UPN is an Internet-style login name for a user based on the Internet standard RFC 822""" ERROR,pkix.aki_with_cert_issuer_but_serial_number_absent,RFC 5280 4.2.1.1,"""The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or the issuer name and serial number""" ERROR,pkix.aki_with_serial_number_but_cert_issuer_absent,RFC 5280 4.2.1.1,"""The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or the issuer name and serial number""" diff --git a/pkilint/document.py b/pkilint/document.py index 9334155..c0db244 100644 --- a/pkilint/document.py +++ b/pkilint/document.py 
@@ -10,20 +10,12 @@ from pyasn1.type.univ import (ObjectIdentifier, SequenceOfAndSetOfBase, SequenceAndSetBase, Choice, BitString ) +from pyasn1_fasder import decode_der logger = logging.getLogger(__name__) PATH_REGEX = re.compile(r'^((?P[^:]*):)?(?P([^.]+\.)*[^.]+)?$') -try: - # noinspection PyUnresolvedReferences - from pyasn1_fasder import decode_der - - logging.info('Using pyasn1-fasder for ASN.1 DER decoding') - _USE_PYASN1_FASDER = True -except ImportError: - _USE_PYASN1_FASDER = False - class PDUNavigationFailedError(Exception): """Represents the failure to find the requested node in a document.""" 
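Review bot: With the try/except fallback removed, the pyasn1 codec imports that only the removed branch used (`decode` from pyasn1.codec.der.decoder and `encode` from the encoder, if they sit in the import block above line 10, which is outside this hunk) appear to have no remaining caller in decode_substrate and should be dropped along with the `_USE_PYASN1_FASDER` flag. The unconditional `from pyasn1_fasder import decode_der` also turns a previously optional accelerator into a mandatory one, so the module no longer imports without it; that matches the setup.cfg change, but the 'Using pyasn1-fasder for ASN.1 DER decoding' log line is removed without replacement, leaving no runtime signal of which decoder is in use. A one-line comment next to the import, `# ASN.1 DER decoding is delegated to pyasn1-fasder (strict DER, required dependency)`, would record that decision.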
@@ -299,42 +291,12 @@ def decode_substrate(source_document: Document, substrate: bytes, ) return next(iter(parent_node.children.values())) - if _USE_PYASN1_FASDER: - try: - decoded, _ = decode_der(substrate, asn1Spec=pdu_instance) - except (ValueError, PyAsn1Error) as e: - raise SubstrateDecodingFailedError(source_document, pdu_instance, parent_node, str(e)) from e - - decoded_pdu_name = get_node_name_for_pdu(decoded) - else: - try: - decoded, rest = decode(substrate, asn1Spec=pdu_instance) - except (ValueError, PyAsn1Error) as e: - raise SubstrateDecodingFailedError(source_document, pdu_instance, parent_node, str(e)) from e - - decoded_pdu_name = get_node_name_for_pdu(decoded) - type_name = decoded.__class__.__name__ + try: + decoded, _ = decode_der(substrate, asn1Spec=pdu_instance) + except (ValueError, PyAsn1Error) as e: + raise SubstrateDecodingFailedError(source_document, pdu_instance, parent_node, str(e)) from e - if len(rest) > 0: - rest_hex = bytes(rest).hex() - - raise SubstrateDecodingFailedError( - source_document, pdu_instance, parent_node, - f'{len(rest)} unexpected octet(s) following "{type_name}" TLV: "{rest_hex}"' - ) - - try: - encoded = encode(decoded) - - substrate_is_der = encoded == substrate - except (ValueError, PyAsn1Error): - substrate_is_der = False - - if not substrate_is_der: - raise SubstrateDecodingFailedError( - source_document, pdu_instance, parent_node, - f'Substrate of type "{type_name}" is not DER-encoded' - ) + decoded_pdu_name = get_node_name_for_pdu(decoded) node = PDUNode(source_document, decoded_pdu_name, decoded, parent_node) diff --git a/pkilint/itu/bitstring.py b/pkilint/itu/bitstring.py index 4494251..7580345 100644 --- a/pkilint/itu/bitstring.py +++ b/pkilint/itu/bitstring.py 
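Review bot: The second value returned by `decode_der` is discarded as `_`, whereas the removed code inspected `rest` for trailing octets and re-encoded the value to confirm the substrate was DER, and nothing in the new body says those checks now happen inside the decoder. The fixtures updated in this commit (trailing_octet_in_ku_value.crttest reporting "1 trailing octet(s) after TLV", bad_ku_der.crttest reporting "Trailing zero bit in named BIT STRING") show decode_der enforces both, so a comment before the try, `# decode_der is a strict DER decoder: non-DER encodings and trailing octets raise here, so no re-encode or rest check is needed`, would stop the next reader from re-adding them. This also changes severity: encodings that previously surfaced as a separate ERROR finding (itu.bitstring_not_der_encoded, itu.invalid_printablestring_character) now abort decoding with FATAL itu.invalid_asn1_syntax, so validators below that node no longer run, as crldp_dp_reasons_not_der.crttest shows where the distribution_point finding disappears; the CHANGELOG entry lists this only as an enhancement and should name the two removed finding codes. decode_substrate begins before this hunk.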
@@ -1,41 +1,3 @@ -from pyasn1.codec.der.encoder import encode -from pyasn1.type.univ import BitString - -from pkilint import validation - - -class NamedBitStringMinimalEncodingValidator(validation.Validator): - VALIDATION_BIT_STRING_NOT_MINIMALLY_ENCODED = validation.ValidationFinding( - validation.ValidationFindingSeverity.ERROR, - 'itu.bitstring_not_der_encoded' - ) - - def __init__(self): - super().__init__( - validations=[self.VALIDATION_BIT_STRING_NOT_MINIMALLY_ENCODED], - pdu_class=BitString, - predicate=lambda n: any(n.pdu.namedValues) - ) - - def validate(self, node): - # extract values then re-encode - - asserted_values = ','.join((k for k in node.pdu.namedValues.keys() if has_named_bit(node, k))) - - encoded = encode(node.pdu) - - new_encoded = encode(type(node.pdu)(asserted_values), asn1Spec=node.pdu) - - if encoded != new_encoded: - encoded_hex = encoded.hex() - new_encoded_hex = new_encoded.hex() - - raise validation.ValidationFindingEncountered( - self.VALIDATION_BIT_STRING_NOT_MINIMALLY_ENCODED, - f'Expected: "{new_encoded_hex}", actual: "{encoded_hex}"' - ) - - def has_named_bit(node, bit_name): bit = node.pdu.namedValues[bit_name] return len(node.pdu) > bit and node.pdu[bit] != 0 diff --git a/pkilint/itu/string.py b/pkilint/itu/string.py deleted file mode 100644 index a4df71f..0000000 --- a/pkilint/itu/string.py +++ /dev/null 
@@ -1,27 +0,0 @@ -from pyasn1.type import constraint -from pyasn1.type.char import PrintableString - -from pkilint import validation - - -def _char_range(start, end): - return [chr(i) for i in range(ord(start), ord(end) + 1)] - - -class PrintableStringConstraintValidator(validation.ASN1ConstraintValidator): - - def __init__(self): - allowed_chars = ( - _char_range('0', '9') + - _char_range('A', 'Z') + - _char_range('a', 'z') + - list(" '()+,-./:=?") - ) - c = constraint.PermittedAlphabetConstraint(*allowed_chars) - - super().__init__(pdu_class=PrintableString, constraint=c, - validations=validation.ValidationFinding( - validation.ValidationFindingSeverity.ERROR, - 'itu.invalid_printablestring_character' - ) - ) diff --git a/pkilint/pkix/certificate/__init__.py b/pkilint/pkix/certificate/__init__.py index 2f8578a..ab7cac4 100644 --- a/pkilint/pkix/certificate/__init__.py +++ b/pkilint/pkix/certificate/__init__.py @@ -13,8 +13,6 @@ from pkilint import validation, pkix, document from pkilint.document import Document, ValueDecoder -from pkilint.itu.bitstring import NamedBitStringMinimalEncodingValidator -from pkilint.itu.string import PrintableStringConstraintValidator from pkilint.pkix import (extension, time, name, create_name_validator_container, general_name, algorithm ) @@ -339,7 +337,6 @@ def create_pkix_certificate_validator_container( ] validators += [ - PrintableStringConstraintValidator(), certificate_validator.CorrectVersionValidator(), pkix.CertificateSerialNumberValidator(), certificate_validator.SignatureAlgorithmMatchValidator(), @@ -348,7 +345,6 @@ def create_pkix_certificate_validator_container( certificate_extension.KeyUsagePresenceValidator(), time.UtcTimeCorrectSyntaxValidator(), time.GeneralizedTimeCorrectSyntaxValidator(), - NamedBitStringMinimalEncodingValidator(), certificate_validator.IssuerUniqueIdAbsenceValidator(), certificate_validator.SubjectUniqueIdAbsenceValidator(), ] 
diff --git a/pkilint/pkix/crl/__init__.py b/pkilint/pkix/crl/__init__.py index 4409808..1a46ec8 100644 --- a/pkilint/pkix/crl/__init__.py +++ b/pkilint/pkix/crl/__init__.py @@ -4,8 +4,6 @@ from pkilint import validation, pkix, document from pkilint.document import Document -from pkilint.itu.bitstring import NamedBitStringMinimalEncodingValidator -from pkilint.itu.string import PrintableStringConstraintValidator from pkilint.pkix import name, extension, time, general_name from pkilint.pkix.crl import crl_validator, crl_extension, crl_validity @@ -109,18 +107,17 @@ def create_pkix_crl_validator_container( ] validators += [ - PrintableStringConstraintValidator(), crl_validator.VersionPresenceValidator(), crl_validator.CorrectVersionValidator(), crl_extension.CrlNumberPresenceValidator(), crl_extension.AuthorityKeyIdentifierPresenceValidator(), crl_validator.SignatureAlgorithmMatchValidator(), + crl_validator.RevokedCertificatesEmptyValidator(), crl_extension.CrlReasonCodeCriticalityValidator(), time.UtcTimeCorrectSyntaxValidator(), time.GeneralizedTimeCorrectSyntaxValidator(), pkix.CertificateSerialNumberValidator(), crl_extension.CrlNumberValueValidator(), - NamedBitStringMinimalEncodingValidator(), general_name.GeneralNameIpAddressSyntaxValidator(), general_name.GeneralNameMailboxAddressSyntaxValidator(), general_name.GeneralNameIpAddressSyntaxValidator(), diff --git a/pkilint/pkix/crl/crl_validator.py b/pkilint/pkix/crl/crl_validator.py index 9a6f0ff..152c71c 100644 --- a/pkilint/pkix/crl/crl_validator.py +++ b/pkilint/pkix/crl/crl_validator.py 
@@ -42,3 +42,22 @@ def __init__(self): 'pkix.crl_signature_algorithm_match' ) ) + + +class RevokedCertificatesEmptyValidator(validation.Validator): + VALIDATION_REVOKED_CERTIFICATES_EMPTY = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + 'pkix.crl_revoked_certificates_empty' + ) + + def __init__(self): + super().__init__( + validations=[self.VALIDATION_REVOKED_CERTIFICATES_EMPTY], + pdu_class=rfc5280.TBSCertList + ) + + def validate(self, node): + revoked_certificates = node.children.get('revokedCertificates') + + if revoked_certificates is not None and not any(revoked_certificates.pdu): + raise validation.ValidationFindingEncountered(self.VALIDATION_REVOKED_CERTIFICATES_EMPTY) diff --git a/pkilint/pkix/ocsp/__init__.py b/pkilint/pkix/ocsp/__init__.py index 6818431..7beb754 100644 --- a/pkilint/pkix/ocsp/__init__.py +++ b/pkilint/pkix/ocsp/__init__.py @@ -1,8 +1,6 @@ from pyasn1_alt_modules import rfc6960 from pkilint import document, validation -from pkilint.itu.bitstring import NamedBitStringMinimalEncodingValidator -from pkilint.itu.string import PrintableStringConstraintValidator from pkilint.pkix import time from pkilint.pkix.ocsp import ocsp_response, ocsp_basic_response, ocsp_validity @@ -40,10 +38,8 @@ def create_pkix_ocsp_response_validator_container( ocsp_basic_response.OCSPBasicResponseCertsNotPresentValidator(), ocsp_basic_response.ResponderKeyHashIsSHA1HashValidator(), ocsp_validity.OCSPSaneValidityPeriodValidator(), - PrintableStringConstraintValidator(), time.UtcTimeCorrectSyntaxValidator(), time.GeneralizedTimeCorrectSyntaxValidator(), - NamedBitStringMinimalEncodingValidator(), ] return validation.ValidatorContainer( diff --git a/setup.cfg b/setup.cfg index f8d1862..85374f1 100644 --- a/setup.cfg +++ b/setup.cfg 
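Review bot: `not any(revoked_certificates.pdu)` in validate tests emptiness indirectly, through the truthiness of each RevokedCertificate component, where `len(revoked_certificates.pdu) == 0` states the intent directly and does not depend on how pyasn1 defines truthiness for a populated SEQUENCE; `if revoked_certificates is not None and len(revoked_certificates.pdu) == 0:`. The class also has no docstring naming the requirement it enforces; suggest `"""RFC 5280 5.1.2.6: when there are no revoked certificates, the revokedCertificates list MUST be absent."""`. `rfc5280` is referenced for `pdu_class`, but its import is outside the hunk, so I could not confirm it is in scope in crl_validator.py.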
@@ -28,6 +28,7 @@ python_requires = >=3.9 install_requires = pyasn1 pyasn1-alt-modules >=0.4.3 + pyasn1-fasder cryptography >=39 iso3166 # version is pinned due to https://github.com/python-validators/validators/issues/346 diff --git a/tests/integration_certificate/etsi/qncp_w_ov_eidas_pre_certificate/bad_bc_extension_encoding.crttest b/tests/integration_certificate/etsi/qncp_w_ov_eidas_pre_certificate/bad_bc_extension_encoding.crttest index b105207..c3e4bb4 100644 --- a/tests/integration_certificate/etsi/qncp_w_ov_eidas_pre_certificate/bad_bc_extension_encoding.crttest +++ b/tests/integration_certificate/etsi/qncp_w_ov_eidas_pre_certificate/bad_bc_extension_encoding.crttest @@ -47,7 +47,7 @@ PMeG9uZkYykeSL8vGkuW7QwDUXmnQ5U6hHjM8Wen -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.5,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.5.extnValue"" with schema ""BasicConstraints"" corresponding to type OID 2.5.29.19: Substrate of type ""BasicConstraints"" is not DER-encoded" +certificate.tbsCertificate.extensions.5,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.5.extnValue"" with schema ""BasicConstraints"" corresponding to type OID 2.5.29.19: Error decoding ""BasicConstraints"" TLV near substrate offset 0: Explicitly encoded default value" certificate.tbsCertificate.subject.rdnSequence,OvSubscriberAttributeAllowanceValidator,WARNING,cabf.serverauth.ov.common_name_attribute_present, certificate.tbsCertificate.subject.rdnSequence,OvSubscriberAttributeAllowanceValidator,WARNING,cabf.serverauth.ov.unknown_attribute_present,Unknown attribute present: 2.5.4.5 certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 
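Review bot: `pyasn1-fasder` is added as a hard runtime requirement with no version bound, unlike the `pyasn1-alt-modules >=0.4.3` line directly above it. The .crttest expectations updated in this same commit embed the decoder's error strings verbatim (for example "Trailing zero bit in named BIT STRING" and "1 trailing octet(s) after TLV"), and document.py now relies on the decoder for the trailing-octet and DER-strictness checks it used to perform itself, so a release with different wording or weaker checks would silently change lint results. Pin at least the version the fixtures were generated against, `pyasn1-fasder >=<MIN_VERSION>`, with the placeholder replaced by the release tested here.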
diff --git a/tests/integration_certificate/pkix/crldp_dp_reasons_not_der.crttest b/tests/integration_certificate/pkix/crldp_dp_reasons_not_der.crttest index b5e9260..d6c033b 100644 --- a/tests/integration_certificate/pkix/crldp_dp_reasons_not_der.crttest +++ b/tests/integration_certificate/pkix/crldp_dp_reasons_not_der.crttest @@ -13,7 +13,7 @@ zOQ9r8SRI+9NirupPTkF5AKNe6kUhKJ1luB7S27ZkvB3tSTT3P593VVJvnzOjaA1 z6Cz+4+eRvcysqhrRgFlwI9TEwIDAQABo4IBrzCCAaswDAYDVR0TAQH/BAIwADAO BgNVHQ8BAf8EBAMCB4AwHwYDVR0jBBgwFoAU1kQAMnyoDf+sT2tm7rWumyzFOFQw HQYDVR0OBBYEFIkZWV4O8Wn1y71H4TT84pjMaTCRMBQGA1UdIAQNMAswCQYHZ4EM -AQUEAjAQBgNVHR8ECTAHMAWBAwUAIDBLBggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUH +AQUEAjAQBgNVHR8ECTAHMAWBAwUAQDBLBggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUH MAKGL2h0dHA6Ly9yZXBvc2l0b3J5LmNhLmV4YW1wbGUuY29tL2lzc3VpbmdfY2Eu ZGVyMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjCBtgYDVR0RBIGuMIGr gRloYW5ha28ueWFtYWRhQGV4YW1wbGUuY29toCkGCisGAQQBgjcUAgOgGwwZaGFu 
@@ -32,8 +32,7 @@ wGlaWz8x7WKMUf9+POXbTpOz1qlott9ODUkZNwWA6gFRxMWn2leMv/eYQwCNhAbT n+QDBx22AIECDkySEND7mAM1EpfaYajbVqZ6oM5nbtv4JsKPSbKEOQh7Rbs/7jqE V2zAlZQn7G0hl+EZvO+48fFzaSRN8jATyCcMsxLldw== -----END CERTIFICATE----- + node_path,validator,severity,code,message certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, -certificate.tbsCertificate.extensions.5.extnValue.cRLDistributionPoints.0,DistributionPointValidator,ERROR,pkix.distribution_point_does_not_contain_name_or_issuer, -certificate.tbsCertificate.extensions.5.extnValue.cRLDistributionPoints.0.reasons,NamedBitStringMinimalEncodingValidator,ERROR,itu.bitstring_not_der_encoded,"Expected: ""810100"", actual: ""8103050020""" - +certificate.tbsCertificate.extensions.5,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.5.extnValue"" with schema ""CRLDistributionPoints"" corresponding to type OID 2.5.29.31: Error decoding ""ReasonFlags"" TLV near substrate offset 4: Trailing zero bit in named BIT STRING" diff --git a/tests/integration_certificate/pkix/old_lamps_smime_example.crttest b/tests/integration_certificate/pkix/old_lamps_smime_example.crttest index 888956a..2ead9d0 100644 --- a/tests/integration_certificate/pkix/old_lamps_smime_example.crttest +++ b/tests/integration_certificate/pkix/old_lamps_smime_example.crttest 
@@ -19,8 +19,8 @@ ZGil0pxx9jdMS5qaTdjb66GvPpkQI1uH4E9xiYbJu5bD+SX0Sgzih79GEhaP8vjc w6+P//nJ3ExJkVT7OvIJmwGvV0ULtmsghoigcd2BBc/fOKdbyIBmJBe152dd02EW 6FwMfHKDtHO8k+/XBeZcxF0= -----END CERTIFICATE----- + node_path,validator,severity,code,message certificate.tbsCertificate.serialNumber,CertificateSerialNumberValidator,ERROR,pkix.certificate_serial_number_out_of_range,"ASN.1 constraint failed: Invalid value outside range 1 - 730750818665451459101842416358141509827966271487 on content ""-741604493682452113825656873529250578000121114""" certificate.tbsCertificate.extensions.4.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, -certificate.tbsCertificate.extensions.3.extnValue.keyUsage,NamedBitStringMinimalEncodingValidator,ERROR,itu.bitstring_not_der_encoded,"Expected: ""03020520"", actual: ""0303072000""" - +certificate.tbsCertificate.extensions.3,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.3.extnValue"" with schema ""KeyUsage"" corresponding to type OID 2.5.29.15: Error decoding ""KeyUsage"" TLV near substrate offset 0: Trailing zero bit in named BIT STRING" diff --git a/tests/integration_certificate/pkix/root_bad_ku_encoding.crttest b/tests/integration_certificate/pkix/root_bad_ku_encoding.crttest index 6d51ed9..1c70cdc 100644 --- a/tests/integration_certificate/pkix/root_bad_ku_encoding.crttest +++ b/tests/integration_certificate/pkix/root_bad_ku_encoding.crttest 
@@ -11,7 +11,7 @@ P62jQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUo0EGrJBt 0UrrdaVKEJmzsaGLSvcwCgYIKoZIzj0EAwIDRwAwRAIgB+ZU2g6gWrKuEZ+Hxbb/ad4lvvigtwjz RM4q3wghDDcCIC0mA6AFvWvR9lz4ZcyGbbOcNEhjhAnFjXca4syc4XR7 -----END CERTIFICATE----- + node_path,validator,severity,code,message certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, -certificate.tbsCertificate.extensions.1.extnValue.keyUsage,NamedBitStringMinimalEncodingValidator,ERROR,itu.bitstring_not_der_encoded,"Expected: ""03020106"", actual: ""0303070600""" - +certificate.tbsCertificate.extensions.1,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.1.extnValue"" with schema ""KeyUsage"" corresponding to type OID 2.5.29.15: Error decoding ""KeyUsage"" TLV near substrate offset 0: Trailing zero bit in named BIT STRING" diff --git a/tests/integration_certificate/pkix/trailing_octet_in_ku_value.crttest b/tests/integration_certificate/pkix/trailing_octet_in_ku_value.crttest index 535bf95..1ec8bbc 100644 --- a/tests/integration_certificate/pkix/trailing_octet_in_ku_value.crttest +++ b/tests/integration_certificate/pkix/trailing_octet_in_ku_value.crttest 
@@ -39,5 +39,5 @@ ZF6TmlI5DUrO -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.0,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.0.extnValue"" with schema ""KeyUsage"" corresponding to type OID 2.5.29.15: 1 unexpected octet(s) following ""KeyUsage"" TLV: ""41""" -certificate,SubjectKeyIdentifierPresenceValidator,WARNING,pkix.certificate_skid_end_entity_missing, \ No newline at end of file +certificate.tbsCertificate.extensions.0,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.0.extnValue"" with schema ""KeyUsage"" corresponding to type OID 2.5.29.15: 1 trailing octet(s) after TLV near substrate offset 0" +certificate,SubjectKeyIdentifierPresenceValidator,WARNING,pkix.certificate_skid_end_entity_missing, diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/bad_qc_statementinfo_encoding.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/bad_qc_statementinfo_encoding.crttest index 1667f15..b303937 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/bad_qc_statementinfo_encoding.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/bad_qc_statementinfo_encoding.crttest 
@@ -37,7 +37,7 @@ dc/cJoXQwGGgAnmmBi4lTEiYa22/VHNLymJRYdizgxq4CKOJFbGOg1jrQcaukQbg xYO/BhaDlFN5MfHfgc+UK7kAqZClu8CRijbjGscXNiWccyokLuuRCZTf3o32GW7S 4EOQP/DgjMZZ3oxhptjUgDMDGFI7JnQ5xJN+IRW2Xmiz2sTBvUrcvC/IBIA= -----END CERTIFICATE----- + node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.10.extnValue.qCStatements.4,DecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.10.extnValue.qCStatements.4.statementInfo"" with schema ""QcEuPDS"" corresponding to type OID 0.4.0.1862.1.5: not in asn1Spec: , subtypeSpec >, encoding us-ascii>" +certificate.tbsCertificate.extensions.10.extnValue.qCStatements.4,DecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.10.extnValue.qCStatements.4.statementInfo"" with schema ""QcEuPDS"" corresponding to type OID 0.4.0.1862.1.5: Error decoding ""PrintableString"" TLV near substrate offset 47: Substrate does not match ASN.1 specification" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, - diff --git a/tests/integration_certificate/tls_br/dv_final_certificate/bad_ku_der.crttest b/tests/integration_certificate/tls_br/dv_final_certificate/bad_ku_der.crttest index ee243e3..5b08eeb 100644 --- a/tests/integration_certificate/tls_br/dv_final_certificate/bad_ku_der.crttest +++ b/tests/integration_certificate/tls_br/dv_final_certificate/bad_ku_der.crttest 
@@ -24,7 +24,7 @@ O3ZcACqwkmj6nVcHvvLbdTkomSPfZLB2vgigksh+ -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.2.extnValue.keyUsage,NamedBitStringMinimalEncodingValidator,ERROR,itu.bitstring_not_der_encoded,"Expected: ""03020780"", actual: ""03020580""" +certificate.tbsCertificate.extensions.2,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.2.extnValue"" with schema ""KeyUsage"" corresponding to type OID 2.5.29.15: Error decoding ""KeyUsage"" TLV near substrate offset 0: Trailing zero bit in named BIT STRING" certificate.tbsCertificate.subject.rdnSequence,DvSubcriberAttributeAllowanceValidator,ERROR,cabf.serverauth.dv.unknown_attribute_present,Unknown attribute present: 2.5.4.11 certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.subject_key_identifier_extension_present, diff --git a/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/cert_policies_not_der.crttest b/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/cert_policies_not_der.crttest index 38fb046..cb05648 100644 --- a/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/cert_policies_not_der.crttest +++ b/tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/cert_policies_not_der.crttest 
@@ -27,6 +27,6 @@ o3WH27OlZEKVZQw+QOvSOWv0 -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.7,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.7.extnValue"" with schema ""CertificatePolicies"" corresponding to type OID 2.5.29.32: Substrate of type ""CertificatePolicies"" is not DER-encoded" +certificate.tbsCertificate.extensions.7,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.7.extnValue"" with schema ""CertificatePolicies"" corresponding to type OID 2.5.29.32: Error decoding ""SequenceOf"" TLV near substrate offset 15: > failed at: ValueConstraintError(' failed at: ValueConstraintError({})')" certificate.tbsCertificate.extensions.0.extnValue.keyUsage,CaKeyUsageValidator,NOTICE,cabf.ca_certificate_no_digital_signature_bit, certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/tls_br/ov_pre_certificate/prohibited_printablestring_char.crttest b/tests/integration_certificate/tls_br/ov_pre_certificate/prohibited_printablestring_char.crttest index 9c4c85e..dee25d4 100644 --- a/tests/integration_certificate/tls_br/ov_pre_certificate/prohibited_printablestring_char.crttest +++ b/tests/integration_certificate/tls_br/ov_pre_certificate/prohibited_printablestring_char.crttest 
@@ -37,7 +37,7 @@ certificate.tbsCertificate.extensions.2.extnValue.keyUsage,SubscriberKeyUsageVal certificate.tbsCertificate.extensions.9,SubscriberExtensionCriticalityValidator,ERROR,cabf.serverauth.subscriber.non_critical_basic_constraints_extension, certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.subject_key_identifier_extension_present, certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies.0.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present, -certificate.tbsCertificate.subject.rdnSequence.2.0.value.x520OrganizationName.printableString,PrintableStringConstraintValidator,ERROR,itu.invalid_printablestring_character,"ASN.1 constraint failed: Invalid character outside permitted alphabet of ""0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz '()+,-./:=?"" on content ""CAMBODIA ASIA BANK LIMITED ""CAB""""" +certificate.tbsCertificate.subject.rdnSequence.2.0,NameDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.subject.rdnSequence.2.0.value"" with schema ""X520OrganizationName"" corresponding to type OID 2.5.4.10: Error decoding ""PrintableString"" TLV near substrate offset 0: Error decoding PRINTABLESTRING: malformed ASN.1 DER value for PrintableString" certificate.tbsCertificate.subject.rdnSequence,OvSubscriberAttributeAllowanceValidator,WARNING,cabf.serverauth.ov.common_name_attribute_present, certificate.tbsCertificate.extensions.8.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies,SubscriberPoliciesValidator,WARNING,cabf.serverauth.subscriber_first_policy_oid_not_reserved, diff --git a/tests/itu/__init__.py b/tests/itu/__init__.py deleted file mode 100644 index e69de29..0000000 
diff --git a/tests/itu/test_bitstring.py b/tests/itu/test_bitstring.py deleted file mode 100644 index a3dfc03..0000000 --- a/tests/itu/test_bitstring.py +++ /dev/null 
@@ -1,53 +0,0 @@ -from pyasn1.type.univ import BitString -from pyasn1_alt_modules import rfc5280 - -from pkilint import validation, pkix -from pkilint.itu.bitstring import NamedBitStringMinimalEncodingValidator -from tests import util - - -def test_non_minimal_named_bitstring_encoding(): - pem = """-----BEGIN CERTIFICATE----- -MIIDbTCCAlWgAwIBAgIT3r7MRJB7qx35ms1tFWj7th3y5jANBgkqhkiG9w0BAQ0F -ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 -MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5B -bGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqV -KfqLwaLjj+gBUCfkacKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfID -lB/wlbdmadXPmrszyidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdS -NRFxrfKeoQEFXgOaGdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1 -ZkuE4A6l41koaZXCN5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv -9w43GG8FtpSX+TWzB2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIB -aVv4wPxAf1iPsIVKarUCAwEAAaOBlzCBlDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQX -MBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDwYD -VR0PAQH/BAUDAwcgADAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj8OeOr83zdw8wHwYD -VR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEB -AEi3/4eQPCAAbdgVMVbA7CplI+5LIV+7qUrORNdN8E53zu1oBkxktmDPWpQGiGYJ -fsQD2Gu1sz0Ofpqzaw0QHo90ghEcz3GOb9/JFEBRwV8Ern1rHXKRis56PPdBAlTg -3D7QKgwkGolETHH1TFv4mY/XC1CWzWq/wKPActIDt1cujjUKk2ILsa1kqYfbEQol -ZGil0pxx9jdMS5qaTdjb66GvPpkQI1uH4E9xiYbJu5bD+SX0Sgzih79GEhaP8vjc -w6+P//nJ3ExJkVT7OvIJmwGvV0ULtmsghoigcd2BBc/fOKdbyIBmJBe152dd02EW -6FwMfHKDtHO8k+/XBeZcxF0= ------END CERTIFICATE----- -""" - - decoder = validation.ValidatorContainer( - validators=[ - pkix.create_extension_decoder({ - rfc5280.id_ce_keyUsage: rfc5280.KeyUsage() - }) - ] - ) - - validator = NamedBitStringMinimalEncodingValidator() - - util.certificate_test_harness( - pem, - validator, - [ - util.ExpectedResult( - [validator.VALIDATION_BIT_STRING_NOT_MINIMALLY_ENCODED], - pdu_supertype=BitString() - ) - ], - decoder - ) 
diff --git a/tests/itu/test_string.py b/tests/itu/test_string.py
deleted file mode 100644
index 4721bbe..0000000
--- a/tests/itu/test_string.py
+++ /dev/null
@@ -1,74 +0,0 @@ -from pyasn1.type.char import PrintableString -from pyasn1_alt_modules import rfc5280 - -from pkilint import validation, pkix -from pkilint.itu.string import PrintableStringConstraintValidator -from tests import util - - -def test_printablestring_has_bad_char(): - pem = """-----BEGIN CERTIFICATE----- -MIIHUDCCBjigAwIBAgIIPyNLlX99xSAwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV -BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow -GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz -LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1 -cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMTcxMTAzMTY0NjAxWhcN -MTkxMTAzMTY0NjAxWjCBzzETMBEGCysGAQQBgjc8AgEDEwJDSDEXMBUGCysGAQQB -gjc8AgECEwZUaWNpbm8xHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRgw -FgYDVQQFEw9DSEURMTAxLjAzMy4xNjExCzAJBgNVBAYTAkNIMQ8wDQYDVQQIEwZU -aWNpbm8xEDAOBgNVBAcTB0NoaWFzc28xFTATBgNVBAoTDFRpY3l3ZWIgU2FnbDEf -MB0GA1UEAxMWd3d3Lm5vbnNvbG9ob3N0aW5nLmNvbTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBALxY4Gw4eLCcOYJnh3eKZUsxOsvMtvf8zKgSlEtzLt2B -o7nZvXy9ShhbMq+K5NP8SFahGom0uYi2CpBGYaVAue2zy+l1CvY6hlmq7moi2/rD -e9Fr4H+i41b5UIQPLAnkd4lpn58LopENbNNkRmCYcjtRtt4/sLYDL6SnB6FK0myO -+6EihOUbLc/qrh7ZLwocNehNxahAnF4/q5Hr7Y40J6UzdtC1Lsi2YGxvkWdiF7BZ -Ri/VR8hILWPiIlnpP/hrm1rBACCeG+C8ogG8CQApnKd2cc7JvzMftDkISjsp9jqq -XbKhsP2g83/h12G+td/aRluYwcuCUfzfMo8aCW07le0CAwEAAaOCA0cwggNDMAwG -A1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1Ud -DwEB/wQEAwIFoDA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vY3JsLmdvZGFkZHku -Y29tL2dkaWcyczMtOS5jcmwwXAYDVR0gBFUwUzBIBgtghkgBhv1tAQcXAzA5MDcG -CCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z -aXRvcnkvMAcGBWeBDAEBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0 -cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlm -aWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQY -MBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDUGA1UdEQQuMCyCFnd3dy5ub25zb2xv -aG9zdGluZy5jb22CEm5vbnNvbG9ob3N0aW5nLmNvbTAdBgNVHQ4EFgQUDm4BZh4/ 
-CAhChTtse+YRQT24ymAwggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB2AFYUBpov -18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABX4LHrxQAAAQDAEcwRQIhALng -Lec9C13c3N+Z77DM2BD1P3V7XVPfIwMjWd0/Pjy0AiAu6qZMsPzkp2Wa3N9gEciL -YN5v06zCPqGLlzOeFavGfgB2AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDEe4l6 -qP3LAAABX4LHs3sAAAQDAEcwRQIgNxnA7ynB3grPmgkTU3DIzvgoV4RaxUbJzb0H -aDrVOt4CIQCDM4nXEZwOS9+d+NPiVytb9haRcONmM7Xq0+lN9lLNpAB2AKS5CZC0 -GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABX4LHta4AAAQDAEcwRQIhAO+i -nki1t0TKUXvxPCz2dKyopkXs1Fm32+zPbeFtqDCcAiBFaF7iieuC5NKwmiKjaPuL -eIuxnWcRYNpemxGVJhXu2TANBgkqhkiG9w0BAQsFAAOCAQEAqajFKL39kE6b6VWl -z5Kf3zAW2fDhlO0J6fegiJdn1aQYLHHfsAYOLVXVsXTdyEHVEP/uZKI/MeNA9ql0 -rNj6JHr0RyPOYlRDYmI+o6wvfgO0kUm9aU2pgZJKJ/gcUplUasomPvmMqfw1d5SJ -KfyMa4XW6i/uZtNaDU4qc0coB4ks5VK8xbecgRuxJkCy9PANea35rNz+b5xmNNz3 -E7peMK/1ye4OcGrAqa/94RLdqTSvNpk3zbBA4zvSmgOlxKVs3hP87LLneo+B79OC -kRApOcuCyiebYdizN0D7PhNmqsnWvo9cmuMG6hPGvCroAOyEKJAHX5P1WmLYgrrz -C9m2dA== ------END CERTIFICATE----- -""" - - decoder = validation.ValidatorContainer( - validators=[ - pkix.create_attribute_decoder({ - rfc5280.id_at_serialNumber: rfc5280.X520SerialNumber() - }, False) - ] - ) - - validator = PrintableStringConstraintValidator() - - util.certificate_test_harness( - pem, - validator, - [ - util.ExpectedResult( - [validator.validations[0]], - pdu_supertype=PrintableString() - ) - ], - decoder - ) diff --git a/tests/pkix/crl/test_pkix_crl.py b/tests/pkix/crl/test_pkix_crl.py new file mode 100644 index 0000000..6e0e365 --- /dev/null +++ b/tests/pkix/crl/test_pkix_crl.py 
@@ -0,0 +1,70 @@ +from pkilint import pkix, loader +from pkilint.pkix import crl, name, extension +from pkilint.pkix.crl import crl_validator + + +def _create_crl_validator(): + return crl.create_pkix_crl_validator_container( + [ + pkix.create_attribute_decoder(name.ATTRIBUTE_TYPE_MAPPINGS), + pkix.create_extension_decoder(extension.EXTENSION_MAPPINGS), + ], + [ + crl.create_issuer_validator_container( + [] + ), + crl.create_validity_validator_container(), + crl.create_extensions_validator_container( + [] + ), + ] + ) + + +def test_revoked_certificates_empty(): + pem = '''-----BEGIN X509 CRL----- +MIIBYDBKAgEBMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNVBAoTC0NlcnRzICdyIFVz +Fw0yNDA0MTUxNDMzMDBaFw0yNDA1MTUxNDMzMDBaMAAwDQYJKoZIhvcNAQELBQAD +ggEBAGhq9yTTM2ZjzAxyNvXpVbOI4xQhC0L6pdjsZ13d3QFi41QvRFib13fHgcBm ++hWXFSmOT8qgMlIk74y01DBCmrVyn6mTznr49Vy9k6eBEs34F9EtQrJ5MlYNghX2 +8UNNTMbQS/T7aYQuVWp4VRZsM2ZFRC1XxDdj85qraRhhc6fDGS3PS6m5vnRuZlVv +3wVB2N2zutQeZcxHDbAa68rSS3fK8jdKjC8uzbYhCvWYIc/ZUB0c+o9clwbZdkl4 +eC6gxZ1/uD98+GilFUdX9JNVsi6Il1x9Upm+Oz6JZ43Ly2+yuQZu2rohZNxEzv/f +rzDRkyHn2a+5mqqc2J9asb6RFUs= +-----END X509 CRL-----''' + + doc_validator = _create_crl_validator() + + crl = loader.load_pem_crl(pem, None, None, None) + + results = doc_validator.validate(crl.root) + + assert any( + r for r in results + if any(r.finding_descriptions) and + (r.finding_descriptions[0].finding == + crl_validator.RevokedCertificatesEmptyValidator.VALIDATION_REVOKED_CERTIFICATES_EMPTY) + ) + + +def test_clean_no_revoked_certificates(): + pem = '''-----BEGIN X509 CRL----- +MIIBzTCBtgIBATANBgkqhkiG9w0BAQsFADAiMQswCQYDVQQGEwJYWDETMBEGA1UE +CgwKQ1JMcyAnciBVcxcNMjQwMzI1MTg0NzAwWhcNMjQwNDAxMTg0NzAwWqBgMF4w +CgYDVR0UBAMCAQEwHwYDVR0jBBgwFoAU/NE0t8uklbG2WeoLBWIe6JqPtDowLwYD +VR0cAQH/BCUwI6AeoByGGmh0dHA6Ly9mb28uZXhhbXBsZS9jcmwuZGxshAH/MA0G +CSqGSIb3DQEBCwUAA4IBAQAN8oDSvWsg3JvUJ4MkXvczaFb72VH0J/VL5PV2cBSm +MfaVBKnUsNr1IcxT06KF8gNrDTpKqJ9fetO290swZfcPt9sEVUBVQUpdlQc3tya1 
+jYWmFkA3tkpqH5rBCQa3CBm1Cg8cbFBtwWgWr70NsVvfD6etjAEP9Ze+MSXnGV0p +w9EeOV07HnSD/PGQwqCiaSn5DdIDVoH8eFSGmgNLw+b4SwUjmz8PqsZwvHxJvleV +1D8cj7zdR4ywgRMjEfJZ8Bp+Tdu64Gv0doDS0iEJIshLHYkcW1okpq/tPm8kKAbD +reparePNQwhScVcDiSL73eEBIPokgG3QhohiucP5MeF1 +-----END X509 CRL-----''' + + doc_validator = _create_crl_validator() + + crl = loader.load_pem_crl(pem, None, None, None) + + results = doc_validator.validate(crl.root) + + assert not any(r for r in results if any(r.finding_descriptions))
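Review bot: In both test functions, `crl = loader.load_pem_crl(pem, None, None, None)` rebinds the name `crl`, which is the `pkilint.pkix.crl` module imported at the top of the file and used by `_create_crl_validator`; the rebinding is function-local so it works, but it reads as if the module were overwritten. Renaming the loaded document avoids the shadowing: `doc = loader.load_pem_crl(pem, None, None, None)` followed by `results = doc_validator.validate(doc.root)`. The two tests also repeat the same build-validator, load, validate sequence; a small helper taking the PEM and returning `results` would keep each test to its fixture and its assertion. The first test only checks that the `VALIDATION_REVOKED_CERTIFICATES_EMPTY` finding is present; if the severity of that finding matters to consumers of the results, asserting it here would pin it, which the hunk does not do. The four positional `None` arguments to `load_pem_crl` are opaque at the call site; passing them by keyword would show what is being left unset, assuming the loader accepts keyword arguments.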