Add support for SC-79

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project from version 0.9.3 onwards are documented in this file.
 
+## 0.12.4 - 2024-11-XX
+
+### New features/enhancements
+
+- Add support for TLS BR ballot SC-79 (#XXX)
+
 ## 0.12.3 - 2024-10-23
 
 ### New features/enhancements

VERSION.txt

@@ -1 +1 @@
-0.12.3
+0.12.4

pkilint/cabf/serverauth/serverauth_ca.py

@@ -86,15 +86,19 @@ def validate(self, node):
 
                     raise validation.ValidationFindingEncountered(
                         self.VALIDATION_NON_TLS_CA_HAS_SERVERAUTH_OID,
-                        f"Non-TLS CA has reserved policy OIDs: {oids}",
+                        f"Non-TLS CA has reserved policy OID(s): {oids}",
                     )
             else:
                 if not any(reserved_oids):
                     raise validation.ValidationFindingEncountered(
                         self.VALIDATION_NO_RESERVED_OID
                     )
 
-            if len(reserved_oids) > 1:
+            if (
+                len(reserved_oids) > 1
+                and self._certificate_type
+                not in serverauth_constants.ROOT_KEY_CROSS_CA_TYPES
+            ):
                 oids_str = oid.format_oids(reserved_oids)
 
                 raise validation.ValidationFindingEncountered(

pkilint/cabf/serverauth/serverauth_constants.py

@@ -3,7 +3,7 @@
 
 from pyasn1.type.univ import ObjectIdentifier
 
-BR_VERSION = "2.0.3"
+BR_VERSION = "2.0.10"
 
 
 ID_POLICY_EV = ObjectIdentifier("2.23.140.1.1")
@@ -24,6 +24,8 @@ class CertificateType(enum.IntEnum):
     ROOT_CA = auto()
     INTERNAL_CROSS_CA = auto()
     EXTERNAL_CROSS_CA = auto()
+    INTERNAL_SUBSCRIBER_ISSUING_CROSS_CA = auto()
+    EXTERNAL_SUBSCRIBER_ISSUING_CROSS_CA = auto()
     NON_TLS_CA = auto()
     PRECERT_SIGNING_CA = auto()
     INTERNAL_UNCONSTRAINED_TLS_CA = auto()
@@ -56,23 +58,30 @@ def from_option_str(value):
         return CertificateType[value]
 
 
-INTERMEDIATE_CERTIFICATE_TYPES = {
+INTERNAL_CROSS_CA_TYPES = {
+    CertificateType.INTERNAL_CROSS_CA,
+    CertificateType.INTERNAL_SUBSCRIBER_ISSUING_CROSS_CA,
+}
+
+
+EXTERNAL_CROSS_CA_TYPES = {
+    CertificateType.EXTERNAL_CROSS_CA,
+    CertificateType.EXTERNAL_SUBSCRIBER_ISSUING_CROSS_CA,
+}
+
+
+CROSS_CA_TYPES = INTERNAL_CROSS_CA_TYPES | EXTERNAL_CROSS_CA_TYPES
+
+
+ROOT_KEY_CROSS_CA_TYPES = {
     CertificateType.INTERNAL_CROSS_CA,
     CertificateType.EXTERNAL_CROSS_CA,
-    CertificateType.NON_TLS_CA,
-    CertificateType.PRECERT_SIGNING_CA,
-    CertificateType.INTERNAL_UNCONSTRAINED_TLS_CA,
-    CertificateType.INTERNAL_CONSTRAINED_TLS_CA,
-    CertificateType.EXTERNAL_UNCONSTRAINED_TLS_CA,
-    CertificateType.EXTERNAL_UNCONSTRAINED_EV_TLS_CA,
-    CertificateType.EXTERNAL_CONSTRAINED_TLS_CA,
-    CertificateType.EXTERNAL_CONSTRAINED_EV_TLS_CA,
 }
 
-CROSS_CA_TYPES = {CertificateType.INTERNAL_CROSS_CA, CertificateType.EXTERNAL_CROSS_CA}
 
 INTERNAL_CA_TYPES = {
     CertificateType.INTERNAL_CROSS_CA,
+    CertificateType.INTERNAL_SUBSCRIBER_ISSUING_CROSS_CA,
     CertificateType.INTERNAL_UNCONSTRAINED_TLS_CA,
     CertificateType.INTERNAL_CONSTRAINED_TLS_CA,
     CertificateType.NON_TLS_CA,
@@ -84,19 +93,27 @@ def from_option_str(value):
     CertificateType.EXTERNAL_UNCONSTRAINED_EV_TLS_CA,
     CertificateType.EXTERNAL_CONSTRAINED_TLS_CA,
     CertificateType.EXTERNAL_CROSS_CA,
+    CertificateType.EXTERNAL_SUBSCRIBER_ISSUING_CROSS_CA,
 }
 
+INTERMEDIATE_CERTIFICATE_TYPES = (
+    INTERNAL_CA_TYPES | EXTERNAL_CA_TYPES | {CertificateType.PRECERT_SIGNING_CA}
+)
+
 CONSTRAINED_TLS_CA_TYPES = {
     CertificateType.EXTERNAL_CONSTRAINED_EV_TLS_CA,
     CertificateType.EXTERNAL_CONSTRAINED_TLS_CA,
     CertificateType.INTERNAL_CONSTRAINED_TLS_CA,
 }
 
-TLS_CA_TYPES = {
-    CertificateType.INTERNAL_CROSS_CA,
-    CertificateType.INTERNAL_UNCONSTRAINED_TLS_CA,
-    CertificateType.INTERNAL_CONSTRAINED_TLS_CA,
-} | EXTERNAL_CA_TYPES
+TLS_CA_TYPES = (
+    {
+        CertificateType.INTERNAL_UNCONSTRAINED_TLS_CA,
+        CertificateType.INTERNAL_CONSTRAINED_TLS_CA,
+    }
+    | EXTERNAL_CA_TYPES
+    | INTERNAL_CROSS_CA_TYPES
+)
 
 SUBSCRIBER_FINAL_CERTIFICATE_TYPES = {
     CertificateType.DV_FINAL_CERTIFICATE,

pkilint/cabf/serverauth/serverauth_cross_ca.py

@@ -27,9 +27,9 @@ class CrossCertificateExtensionAllowanceValidator(
     def __init__(self, certificate_type):
         self._extension_allowances = self._EXTENSION_ALLOWANCES.copy()
 
-        if certificate_type == serverauth_constants.CertificateType.EXTERNAL_CROSS_CA:
+        if certificate_type in serverauth_constants.EXTERNAL_CROSS_CA_TYPES:
             eku_allowance_word = Rfc2119Word.MUST
-        elif certificate_type == serverauth_constants.CertificateType.INTERNAL_CROSS_CA:
+        elif certificate_type in serverauth_constants.INTERNAL_CROSS_CA_TYPES:
             eku_allowance_word = Rfc2119Word.SHOULD
         else:
             raise ValueError(f"Unsupported certificate type: {certificate_type}")
@@ -81,17 +81,11 @@ def validate(self, node):
         ekus = {n.pdu for n in node.children.values()}
 
         if rfc5280.anyExtendedKeyUsage in ekus:
-            if (
-                self._certificate_type
-                == serverauth_constants.CertificateType.EXTERNAL_CROSS_CA
-            ):
+            if self._certificate_type in serverauth_constants.EXTERNAL_CROSS_CA_TYPES:
                 raise validation.ValidationFindingEncountered(
                     self.VALIDATION_EXTERNAL_CROSS_CA_ANYEKU_PRESENT
                 )
-            elif (
-                self._certificate_type
-                == serverauth_constants.CertificateType.INTERNAL_CROSS_CA
-            ):
+            elif self._certificate_type in serverauth_constants.INTERNAL_CROSS_CA_TYPES:
                 if len(node.children) != 1:
                     raise validation.ValidationFindingEncountered(
                         self.VALIDATION_INTERNAL_CROSS_CA_ANYEKU_WITH_OTHER_EKU

tests/integration_certificate/tls_br/internal_cross_ca/multiple_reserved_policy_oids.crttest

@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----
+MIIHdTCCBV2gAwIBAgIRAMrh9z78rFuxnIjBxy9vey8wDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVFcxIzAhBgNVBAoMGkNodW5naHdhIFRlbGVjb20gQ28uLCBM
+dGQuMS8wLQYDVQQDDCZlUEtJIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHMjAeFw0xNTExMTcwODMxNDFaFw0zNDEyMjAwMjMxMjdaMF4xCzAJBgNVBAYT
+AlRXMSMwIQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEqMCgGA1UE
+CwwhZVBLSSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEh
+ajfqhFAHSyZbCUNsIZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrB
+p0xtInAhijHyl3SJCRImHJ7K2RKilTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2Y
+WEtgvM3XDZoTM1PRYfl61dd4s5oz9wCGzh1NlDivqOx4UXCKXBCDUSH3ET00hl7l
+SM2XgYI1TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX12ruOzjjK9SX
+Drkb5wdJfzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0O
+WQqraffAsgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fq
+cde+S/uUWH1+ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6
+ebClAZLSnT0IFaUQAS2zMnaolQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iV
+BmoKs2pHdmX2Os+PYhcZewoozRrSgx4hxyy/vv9haLdnG7t4TY3OZ+XkwY63I2bi
+nZB1NJipNiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXiZo1jDiVN1Rmy5nk3
+pyKdVDECAwEAAaOCAicwggIjMB8GA1UdIwQYMBaAFHJbuqpyOO4lkCS1lCL6CYjK
+iwr7MB0GA1UdDgQWBBQeDPe2Z/LhkiYJRcBVOS53P0JKojAOBgNVHQ8BAf8EBAMC
+AQYwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2VjYS5oaW5ldC5uZXQvcmVwb3Np
+dG9yeS9DUkwyL0NBLmNybDCBiwYIKwYBBQUHAQEEfzB9MEQGCCsGAQUFBzAChjho
+dHRwOi8vZWNhLmhpbmV0Lm5ldC9yZXBvc2l0b3J5L0NlcnRzL0lzc3VlZFRvVGhp
+c0NBLnA3YjA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AuZWNhLmhpbmV0Lm5ldC9P
+Q1NQL29jc3BHMnNoYTIwDwYDVR0TAQH/BAUwAwEB/zCB8wYDVR0gBIHrMIHoMA0G
+CysGAQQBgbcjZAABMA0GCysGAQQBgbcjZAACMA0GCysGAQQBgbcjZAADMA0GCysG
+AQQBgbcjZAAEMA0GCysGAQQBgbcjZAAJMA0GCysGAQQBgbcjZAAAMAkGB2CGdgFk
+AAEwCQYHYIZ2AWQAAjAJBgdghnYBZAADMAkGB2CGdgFkAAQwCQYHYIZ2AWQAADAI
+BgZngQwBAgEwCAYGZ4EMAQICMAgGBmeBDAECAzA3BgVngQwBATAuMCwGCCsGAQUF
+BwIBFiBodHRwczovL2VjYS5oaW5ldC5uZXQvcmVwb3NpdG9yeTANBgkqhkiG9w0B
+AQsFAAOCAgEAbvb5/9P544BlP4nZKjoQ/tzh5CZ/WUg+JAQgMblhtRa1Zmhpl2HD
+R1rzt/jRjxOhZMqtO1ogNI6KvESAt0pBBMZv9CTBvZv47p4HnuLxCxgFBk1s73vo
+uFc13OfAeV3EVAdzSrCZLfJHHfnuvPExW4SlmEzKp3seetbjH4DUSO6ZlwKUCTme
+p4DzbP82kDnwC7igowL0w+PKZYGiNvyjZr6/V1HLOn6Z6eBqVUeIgoJRxe49PbLc
+FFKXQdoMzAeElONPUpkv7/AX7CxflnbMWNwOCFrcT6pF3kLErgz8cA0PkW6gObjU
+zYs9Uk4dGI8AU4DSvamYe6abqPEBDjFec2EbycftofsqfGNF9T8HAZDAT7HnvKnT
+lRnQU66+IJo4Hw9LNjP/NwH+ZZJaRmyE870f+Lp+I6r/aS3yDARIqK6ZVrXh9VU4
+wWNoLRWpvuUIFbVpXl8cNTHgp7QEq6oUTgCDwy9LrinBiV44PGtEHC/2U1zrbuwk
+uIRo3Dgf+lMYOLbTAYiWm807/P0kJ/fzBO+/0cReN1n1blmMrl1WFJaPRehqL1YU
+2BAcJ3TM+E5yQJzQqHPXywTHPnRJO7Nn4iJmR3bSeW1w5GhVdeP69+IO0CM0Au1c
+U9jG7d32NlY1QTMUJo22nmCCAEJKAEomOyJJ+l7BFmnnYG/UQUWuKGs=
+-----END CERTIFICATE-----
+
+node_path,validator,severity,code,message
+certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.common_name_attribute_absent,
+certificate.tbsCertificate.extensions.6.extnValue.certificatePolicies.14.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present,
+certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified,
+certificate.tbsCertificate.extensions,CrossCertificateExtensionAllowanceValidator,WARNING,cabf.serverauth.cross_ca.extended_key_usage_extension_absent,
+certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.organizational_unit_name_attribute_present,
+certificate.tbsCertificate.extensions.2.extnValue.keyUsage,CaKeyUsageValidator,NOTICE,cabf.ca_certificate_no_digital_signature_bit,
+certificate.tbsCertificate.extensions.6.extnValue.certificatePolicies,CaCertificatePoliciesValidator,WARNING,cabf.serverauth.ca_first_policy_oid_not_reserved,

tests/integration_certificate/tls_br/internal_subscriber_issuing_cross_ca/multiple_reserved_policy_oids.crttest

@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----
+MIIHdTCCBV2gAwIBAgIRAMrh9z78rFuxnIjBxy9vey8wDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVFcxIzAhBgNVBAoMGkNodW5naHdhIFRlbGVjb20gQ28uLCBM
+dGQuMS8wLQYDVQQDDCZlUEtJIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHMjAeFw0xNTExMTcwODMxNDFaFw0zNDEyMjAwMjMxMjdaMF4xCzAJBgNVBAYT
+AlRXMSMwIQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEqMCgGA1UE
+CwwhZVBLSSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEh
+ajfqhFAHSyZbCUNsIZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrB
+p0xtInAhijHyl3SJCRImHJ7K2RKilTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2Y
+WEtgvM3XDZoTM1PRYfl61dd4s5oz9wCGzh1NlDivqOx4UXCKXBCDUSH3ET00hl7l
+SM2XgYI1TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX12ruOzjjK9SX
+Drkb5wdJfzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0O
+WQqraffAsgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fq
+cde+S/uUWH1+ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6
+ebClAZLSnT0IFaUQAS2zMnaolQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iV
+BmoKs2pHdmX2Os+PYhcZewoozRrSgx4hxyy/vv9haLdnG7t4TY3OZ+XkwY63I2bi
+nZB1NJipNiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXiZo1jDiVN1Rmy5nk3
+pyKdVDECAwEAAaOCAicwggIjMB8GA1UdIwQYMBaAFHJbuqpyOO4lkCS1lCL6CYjK
+iwr7MB0GA1UdDgQWBBQeDPe2Z/LhkiYJRcBVOS53P0JKojAOBgNVHQ8BAf8EBAMC
+AQYwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2VjYS5oaW5ldC5uZXQvcmVwb3Np
+dG9yeS9DUkwyL0NBLmNybDCBiwYIKwYBBQUHAQEEfzB9MEQGCCsGAQUFBzAChjho
+dHRwOi8vZWNhLmhpbmV0Lm5ldC9yZXBvc2l0b3J5L0NlcnRzL0lzc3VlZFRvVGhp
+c0NBLnA3YjA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AuZWNhLmhpbmV0Lm5ldC9P
+Q1NQL29jc3BHMnNoYTIwDwYDVR0TAQH/BAUwAwEB/zCB8wYDVR0gBIHrMIHoMA0G
+CysGAQQBgbcjZAABMA0GCysGAQQBgbcjZAACMA0GCysGAQQBgbcjZAADMA0GCysG
+AQQBgbcjZAAEMA0GCysGAQQBgbcjZAAJMA0GCysGAQQBgbcjZAAAMAkGB2CGdgFk
+AAEwCQYHYIZ2AWQAAjAJBgdghnYBZAADMAkGB2CGdgFkAAQwCQYHYIZ2AWQAADAI
+BgZngQwBAgEwCAYGZ4EMAQICMAgGBmeBDAECAzA3BgVngQwBATAuMCwGCCsGAQUF
+BwIBFiBodHRwczovL2VjYS5oaW5ldC5uZXQvcmVwb3NpdG9yeTANBgkqhkiG9w0B
+AQsFAAOCAgEAbvb5/9P544BlP4nZKjoQ/tzh5CZ/WUg+JAQgMblhtRa1Zmhpl2HD
+R1rzt/jRjxOhZMqtO1ogNI6KvESAt0pBBMZv9CTBvZv47p4HnuLxCxgFBk1s73vo
+uFc13OfAeV3EVAdzSrCZLfJHHfnuvPExW4SlmEzKp3seetbjH4DUSO6ZlwKUCTme
+p4DzbP82kDnwC7igowL0w+PKZYGiNvyjZr6/V1HLOn6Z6eBqVUeIgoJRxe49PbLc
+FFKXQdoMzAeElONPUpkv7/AX7CxflnbMWNwOCFrcT6pF3kLErgz8cA0PkW6gObjU
+zYs9Uk4dGI8AU4DSvamYe6abqPEBDjFec2EbycftofsqfGNF9T8HAZDAT7HnvKnT
+lRnQU66+IJo4Hw9LNjP/NwH+ZZJaRmyE870f+Lp+I6r/aS3yDARIqK6ZVrXh9VU4
+wWNoLRWpvuUIFbVpXl8cNTHgp7QEq6oUTgCDwy9LrinBiV44PGtEHC/2U1zrbuwk
+uIRo3Dgf+lMYOLbTAYiWm807/P0kJ/fzBO+/0cReN1n1blmMrl1WFJaPRehqL1YU
+2BAcJ3TM+E5yQJzQqHPXywTHPnRJO7Nn4iJmR3bSeW1w5GhVdeP69+IO0CM0Au1c
+U9jG7d32NlY1QTMUJo22nmCCAEJKAEomOyJJ+l7BFmnnYG/UQUWuKGs=
+-----END CERTIFICATE-----
+
+node_path,validator,severity,code,message
+certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.common_name_attribute_absent,
+certificate.tbsCertificate.extensions.6.extnValue.certificatePolicies.14.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present,
+certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified,
+certificate.tbsCertificate.extensions,CrossCertificateExtensionAllowanceValidator,WARNING,cabf.serverauth.cross_ca.extended_key_usage_extension_absent,
+certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.organizational_unit_name_attribute_present,
+certificate.tbsCertificate.extensions.2.extnValue.keyUsage,CaKeyUsageValidator,NOTICE,cabf.ca_certificate_no_digital_signature_bit,
+certificate.tbsCertificate.extensions.6.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_multiple_reserved_policy_oids,"Multiple reserved policy OIDs present: 2.23.140.1.1, 2.23.140.1.2.1, 2.23.140.1.2.2, 2.23.140.1.2.3"

tests/integration_certificate/tls_br/non_tls_ca/has_serverauth_policy_oid.crttest

@@ -41,7 +41,7 @@ node_path,validator,severity,code,message
 certificate.tbsCertificate.extensions.1.extnValue.extKeyUsageSyntax,NonTlsCaCertificateAllowedEkuValidator,ERROR,cabf.serverauth.non_tls_ca.ocspsigning_eku_present,
 certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies.0.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present,
 certificate.tbsCertificate.extensions.6.extnValue.cRLDistributionPoints.1.distributionPoint.fullName.0.uniformResourceIdentifier,GeneralNameUriSyntaxValidator,NOTICE,pkix.ldap_uri_not_validated,"ldap://ldap-cpki.telekom.de/CN=T-TeleSec%20GlobalRoot%20Class%202,OU=T-TeleSec%20Trust%20Center,O=T-Systems%20Enterprise%20Services%20GmbH,C=DE?authorityRevocationList"
-certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_non_tls_has_reserved_policy_oid,Non-TLS CA has reserved policy OIDs: 2.23.140.1.2.2
+certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_non_tls_has_reserved_policy_oid,Non-TLS CA has reserved policy OID(s): 2.23.140.1.2.2
 certificate.tbsCertificate.extensions.6.extnValue.cRLDistributionPoints.1.distributionPoint,CrlDpDistributionPointNameValidator,ERROR,cabf.serverauth.crldp_dpname_prohibited_uri_scheme,"Prohibited URI scheme: ""ldap"""
 certificate.tbsCertificate.extensions.6.extnValue.cRLDistributionPoints,CrlDpDistributionPointCountValidator,WARNING,cabf.serverauth.crldp_multiple_distributionpoints_present,
 certificate.tbsCertificate.extensions.7.extnValue.authorityInfoAccessSyntax.2.accessLocation.uniformResourceIdentifier,GeneralNameUriSyntaxValidator,NOTICE,pkix.ldap_uri_not_validated,"ldap://ldap-cpki.telekom.de/CN=T-TeleSec%20GlobalRoot%20Class%202,OU=T-TeleSec%20Trust%20Center,O=T-Systems%20Enterprise%20Services%20GmbH,C=DE?cACertificate"