From fd8871c9ef59d44d9c4c6ebd68f11acd0f6d997a Mon Sep 17 00:00:00 2001
From: Corey Bonnell
Date: Thu, 24 Oct 2024 09:48:02 -0400
Subject: [PATCH] Add support for SC-79
---
 CHANGELOG.md | 6 +++
 VERSION.txt | 2 +-
 pkilint/cabf/serverauth/serverauth_ca.py | 8 ++-
 .../cabf/serverauth/serverauth_constants.py | 49 ++++++++++++------
 .../cabf/serverauth/serverauth_cross_ca.py | 14 ++---
 .../multiple_reserved_policy_oids.crttest | 51 +++++++++++++++++++
 .../multiple_reserved_policy_oids.crttest | 51 +++++++++++++++++++
 .../has_serverauth_policy_oid.crttest | 2 +-
 8 files changed, 153 insertions(+), 30 deletions(-)
 create mode 100644 tests/integration_certificate/tls_br/internal_cross_ca/multiple_reserved_policy_oids.crttest
 create mode 100644 tests/integration_certificate/tls_br/internal_subscriber_issuing_cross_ca/multiple_reserved_policy_oids.crttest
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13496ff..ccd2354 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@
 All notable changes to this project from version 0.9.3 onwards are documented in this file.
+## 0.12.4 - 2024-11-XX
+
+### New features/enhancements
+
+- Add support for TLS BR ballot SC-79 (#XXX)
+
 ## 0.12.3 - 2024-10-23
 ### New features/enhancements
diff --git a/VERSION.txt b/VERSION.txt
index d61567c..7fd0b1e 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-0.12.3
\ No newline at end of file
+0.12.4
\ No newline at end of file
diff --git a/pkilint/cabf/serverauth/serverauth_ca.py b/pkilint/cabf/serverauth/serverauth_ca.py
index f24363e..ddf8c58 100644
--- a/pkilint/cabf/serverauth/serverauth_ca.py
+++ b/pkilint/cabf/serverauth/serverauth_ca.py
@@ -86,7 +86,7 @@ def validate(self, node):
 raise validation.ValidationFindingEncountered( self.VALIDATION_NON_TLS_CA_HAS_SERVERAUTH_OID,
- f"Non-TLS CA has reserved policy OIDs: {oids}",
+ f"Non-TLS CA has reserved policy OID(s): {oids}",
 ) else: if not any(reserved_oids):
@@ -94,7 +94,11 @@ def validate(self, node):
 self.VALIDATION_NO_RESERVED_OID )
- if len(reserved_oids) > 1:
+ if (
+ len(reserved_oids) > 1
+ and self._certificate_type
+ not in serverauth_constants.ROOT_KEY_CROSS_CA_TYPES
+ ):
 oids_str = oid.format_oids(reserved_oids)
 raise validation.ValidationFindingEncountered(
diff --git a/pkilint/cabf/serverauth/serverauth_constants.py b/pkilint/cabf/serverauth/serverauth_constants.py
index b03dbc0..11dfc48 100644
--- a/pkilint/cabf/serverauth/serverauth_constants.py
+++ b/pkilint/cabf/serverauth/serverauth_constants.py
@@ -3,7 +3,7 @@
 from pyasn1.type.univ import ObjectIdentifier
-BR_VERSION = "2.0.3"
+BR_VERSION = "2.0.10"
 ID_POLICY_EV = ObjectIdentifier("2.23.140.1.1")
@@ -24,6 +24,8 @@ class CertificateType(enum.IntEnum):
 ROOT_CA = auto()
 INTERNAL_CROSS_CA = auto()
 EXTERNAL_CROSS_CA = auto()
+ INTERNAL_SUBSCRIBER_ISSUING_CROSS_CA = auto()
+ EXTERNAL_SUBSCRIBER_ISSUING_CROSS_CA = auto()
 NON_TLS_CA = auto()
 PRECERT_SIGNING_CA = auto()
 INTERNAL_UNCONSTRAINED_TLS_CA = auto()
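Review bot: The new ROOT_KEY_CROSS_CA_TYPES exemption in the `len(reserved_oids) > 1` guard carries no comment saying why those two cross-certificate types may assert several reserved policy OIDs while the SUBSCRIBER_ISSUING variants (per the new fixtures, still reported as ca_multiple_reserved_policy_oids) may not, so the next reader has to reverse-engineer the rule from the test data. A one-line comment above the condition would anchor it to the requirement, e.g. `# SC-79: cross-certificates for a Root CA key may carry more than one reserved policy OID; subscriber-issuing cross-certificates are still limited to one` (confirm the phrasing against the ballot text). validate() begins and ends outside this hunk.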
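Review bot: Inserting INTERNAL_SUBSCRIBER_ISSUING_CROSS_CA and EXTERNAL_SUBSCRIBER_ISSUING_CROSS_CA ahead of NON_TLS_CA renumbers every later member of this IntEnum, since auto() assigns values in declaration order. from_option_str resolves by name, so option strings are unaffected, but if any caller, report format or persisted configuration relies on the integer value of a CertificateType (I cannot see such uses from here), the meaning of those values silently shifts; either append the new members after the last existing one or add `# NOTE: integer values follow declaration order; do not rely on them across releases` at the top of the class body. The CertificateType class starts outside the hunk.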
@@ -56,23 +58,30 @@ def from_option_str(value):
 return CertificateType[value]
-INTERMEDIATE_CERTIFICATE_TYPES = {
+INTERNAL_CROSS_CA_TYPES = {
+ CertificateType.INTERNAL_CROSS_CA,
+ CertificateType.INTERNAL_SUBSCRIBER_ISSUING_CROSS_CA,
+}
+
+
+EXTERNAL_CROSS_CA_TYPES = {
+ CertificateType.EXTERNAL_CROSS_CA,
+ CertificateType.EXTERNAL_SUBSCRIBER_ISSUING_CROSS_CA,
+}
+
+
+CROSS_CA_TYPES = INTERNAL_CROSS_CA_TYPES | EXTERNAL_CROSS_CA_TYPES
+
+
+ROOT_KEY_CROSS_CA_TYPES = {
 CertificateType.INTERNAL_CROSS_CA, CertificateType.EXTERNAL_CROSS_CA,
- CertificateType.NON_TLS_CA,
- CertificateType.PRECERT_SIGNING_CA,
- CertificateType.INTERNAL_UNCONSTRAINED_TLS_CA,
- CertificateType.INTERNAL_CONSTRAINED_TLS_CA,
- CertificateType.EXTERNAL_UNCONSTRAINED_TLS_CA,
- CertificateType.EXTERNAL_UNCONSTRAINED_EV_TLS_CA,
- CertificateType.EXTERNAL_CONSTRAINED_TLS_CA,
- CertificateType.EXTERNAL_CONSTRAINED_EV_TLS_CA,
 }
-CROSS_CA_TYPES = {CertificateType.INTERNAL_CROSS_CA, CertificateType.EXTERNAL_CROSS_CA}
 INTERNAL_CA_TYPES = { CertificateType.INTERNAL_CROSS_CA,
+ CertificateType.INTERNAL_SUBSCRIBER_ISSUING_CROSS_CA,
 CertificateType.INTERNAL_UNCONSTRAINED_TLS_CA, CertificateType.INTERNAL_CONSTRAINED_TLS_CA, CertificateType.NON_TLS_CA,
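Review bot: ROOT_KEY_CROSS_CA_TYPES is introduced without a comment, and its only difference from the new CROSS_CA_TYPES (INTERNAL_CROSS_CA and EXTERNAL_CROSS_CA, minus the SUBSCRIBER_ISSUING variants) is exactly what serverauth_ca.py uses to relax the multiple-reserved-OID check, so the set needs to say what "root key" means. Suggest a comment above it such as `# Cross-certificates whose subject key is a Root CA key (SC-79); subscriber-issuing cross-certificates are excluded on purpose` — confirm the description against the ballot text. CROSS_CA_TYPES keeps its old name but now holds four members, so any comparison against it elsewhere in the package now also matches the subscriber-issuing types; worth checking those call sites, which lie outside this diff.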
@@ -84,19 +93,27 @@ def from_option_str(value):
 CertificateType.EXTERNAL_UNCONSTRAINED_EV_TLS_CA, CertificateType.EXTERNAL_CONSTRAINED_TLS_CA, CertificateType.EXTERNAL_CROSS_CA,
+ CertificateType.EXTERNAL_SUBSCRIBER_ISSUING_CROSS_CA,
 }
+INTERMEDIATE_CERTIFICATE_TYPES = (
+ INTERNAL_CA_TYPES | EXTERNAL_CA_TYPES | {CertificateType.PRECERT_SIGNING_CA}
+)
+
 CONSTRAINED_TLS_CA_TYPES = { CertificateType.EXTERNAL_CONSTRAINED_EV_TLS_CA, CertificateType.EXTERNAL_CONSTRAINED_TLS_CA, CertificateType.INTERNAL_CONSTRAINED_TLS_CA, }
-TLS_CA_TYPES = {
- CertificateType.INTERNAL_CROSS_CA,
- CertificateType.INTERNAL_UNCONSTRAINED_TLS_CA,
- CertificateType.INTERNAL_CONSTRAINED_TLS_CA,
-} | EXTERNAL_CA_TYPES
+TLS_CA_TYPES = (
+ {
+ CertificateType.INTERNAL_UNCONSTRAINED_TLS_CA,
+ CertificateType.INTERNAL_CONSTRAINED_TLS_CA,
+ }
+ | EXTERNAL_CA_TYPES
+ | INTERNAL_CROSS_CA_TYPES
+)
 SUBSCRIBER_FINAL_CERTIFICATE_TYPES = { CertificateType.DV_FINAL_CERTIFICATE,
diff --git a/pkilint/cabf/serverauth/serverauth_cross_ca.py b/pkilint/cabf/serverauth/serverauth_cross_ca.py
index 097ae7c..3e2c2e6 100644
--- a/pkilint/cabf/serverauth/serverauth_cross_ca.py
+++ b/pkilint/cabf/serverauth/serverauth_cross_ca.py
@@ -27,9 +27,9 @@ class CrossCertificateExtensionAllowanceValidator(
 def __init__(self, certificate_type):
 self._extension_allowances = self._EXTENSION_ALLOWANCES.copy()
- if certificate_type == serverauth_constants.CertificateType.EXTERNAL_CROSS_CA:
+ if certificate_type in serverauth_constants.EXTERNAL_CROSS_CA_TYPES:
 eku_allowance_word = Rfc2119Word.MUST
- elif certificate_type == serverauth_constants.CertificateType.INTERNAL_CROSS_CA:
+ elif certificate_type in serverauth_constants.INTERNAL_CROSS_CA_TYPES:
 eku_allowance_word = Rfc2119Word.SHOULD
 else: raise ValueError(f"Unsupported certificate type: {certificate_type}")
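Review bot: INTERMEDIATE_CERTIFICATE_TYPES is now derived as `INTERNAL_CA_TYPES | EXTERNAL_CA_TYPES | {CertificateType.PRECERT_SIGNING_CA}` rather than listed, so its membership follows two sets whose full contents sit partly outside this hunk, and the diff alone cannot show that the union equals the removed literal plus the two new types. A small test that pins the expected membership against a spelled-out set, e.g. `assert INTERMEDIATE_CERTIFICATE_TYPES == {CertificateType.INTERNAL_CROSS_CA, ...}` with every member listed (constructed example), would catch a later edit to either input set silently changing what is treated as an intermediate. TLS_CA_TYPES, which now folds in INTERNAL_CROSS_CA_TYPES, would benefit from the same pin.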
@@ -81,17 +81,11 @@ def validate(self, node):
 ekus = {n.pdu for n in node.children.values()}
 if rfc5280.anyExtendedKeyUsage in ekus:
- if (
- self._certificate_type
- == serverauth_constants.CertificateType.EXTERNAL_CROSS_CA
- ):
+ if self._certificate_type in serverauth_constants.EXTERNAL_CROSS_CA_TYPES:
 raise validation.ValidationFindingEncountered( self.VALIDATION_EXTERNAL_CROSS_CA_ANYEKU_PRESENT )
- elif (
- self._certificate_type
- == serverauth_constants.CertificateType.INTERNAL_CROSS_CA
- ):
+ elif self._certificate_type in serverauth_constants.INTERNAL_CROSS_CA_TYPES:
 if len(node.children) != 1: raise validation.ValidationFindingEncountered( self.VALIDATION_INTERNAL_CROSS_CA_ANYEKU_WITH_OTHER_EKU
diff --git a/tests/integration_certificate/tls_br/internal_cross_ca/multiple_reserved_policy_oids.crttest b/tests/integration_certificate/tls_br/internal_cross_ca/multiple_reserved_policy_oids.crttest
new file mode 100644
index 0000000..08ad6bc
--- /dev/null
+++ b/tests/integration_certificate/tls_br/internal_cross_ca/multiple_reserved_policy_oids.crttest
@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----
+MIIHdTCCBV2gAwIBAgIRAMrh9z78rFuxnIjBxy9vey8wDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVFcxIzAhBgNVBAoMGkNodW5naHdhIFRlbGVjb20gQ28uLCBM
+dGQuMS8wLQYDVQQDDCZlUEtJIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHMjAeFw0xNTExMTcwODMxNDFaFw0zNDEyMjAwMjMxMjdaMF4xCzAJBgNVBAYT
+AlRXMSMwIQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEqMCgGA1UE
+CwwhZVBLSSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEh
+ajfqhFAHSyZbCUNsIZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrB
+p0xtInAhijHyl3SJCRImHJ7K2RKilTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2Y
+WEtgvM3XDZoTM1PRYfl61dd4s5oz9wCGzh1NlDivqOx4UXCKXBCDUSH3ET00hl7l
+SM2XgYI1TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX12ruOzjjK9SX
+Drkb5wdJfzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0O
+WQqraffAsgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fq
+cde+S/uUWH1+ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6
+ebClAZLSnT0IFaUQAS2zMnaolQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iV
+BmoKs2pHdmX2Os+PYhcZewoozRrSgx4hxyy/vv9haLdnG7t4TY3OZ+XkwY63I2bi
+nZB1NJipNiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXiZo1jDiVN1Rmy5nk3
+pyKdVDECAwEAAaOCAicwggIjMB8GA1UdIwQYMBaAFHJbuqpyOO4lkCS1lCL6CYjK
+iwr7MB0GA1UdDgQWBBQeDPe2Z/LhkiYJRcBVOS53P0JKojAOBgNVHQ8BAf8EBAMC
+AQYwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2VjYS5oaW5ldC5uZXQvcmVwb3Np
+dG9yeS9DUkwyL0NBLmNybDCBiwYIKwYBBQUHAQEEfzB9MEQGCCsGAQUFBzAChjho
+dHRwOi8vZWNhLmhpbmV0Lm5ldC9yZXBvc2l0b3J5L0NlcnRzL0lzc3VlZFRvVGhp
+c0NBLnA3YjA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AuZWNhLmhpbmV0Lm5ldC9P
+Q1NQL29jc3BHMnNoYTIwDwYDVR0TAQH/BAUwAwEB/zCB8wYDVR0gBIHrMIHoMA0G
+CysGAQQBgbcjZAABMA0GCysGAQQBgbcjZAACMA0GCysGAQQBgbcjZAADMA0GCysG
+AQQBgbcjZAAEMA0GCysGAQQBgbcjZAAJMA0GCysGAQQBgbcjZAAAMAkGB2CGdgFk
+AAEwCQYHYIZ2AWQAAjAJBgdghnYBZAADMAkGB2CGdgFkAAQwCQYHYIZ2AWQAADAI
+BgZngQwBAgEwCAYGZ4EMAQICMAgGBmeBDAECAzA3BgVngQwBATAuMCwGCCsGAQUF
+BwIBFiBodHRwczovL2VjYS5oaW5ldC5uZXQvcmVwb3NpdG9yeTANBgkqhkiG9w0B
+AQsFAAOCAgEAbvb5/9P544BlP4nZKjoQ/tzh5CZ/WUg+JAQgMblhtRa1Zmhpl2HD
+R1rzt/jRjxOhZMqtO1ogNI6KvESAt0pBBMZv9CTBvZv47p4HnuLxCxgFBk1s73vo
+uFc13OfAeV3EVAdzSrCZLfJHHfnuvPExW4SlmEzKp3seetbjH4DUSO6ZlwKUCTme
+p4DzbP82kDnwC7igowL0w+PKZYGiNvyjZr6/V1HLOn6Z6eBqVUeIgoJRxe49PbLc
+FFKXQdoMzAeElONPUpkv7/AX7CxflnbMWNwOCFrcT6pF3kLErgz8cA0PkW6gObjU
+zYs9Uk4dGI8AU4DSvamYe6abqPEBDjFec2EbycftofsqfGNF9T8HAZDAT7HnvKnT
+lRnQU66+IJo4Hw9LNjP/NwH+ZZJaRmyE870f+Lp+I6r/aS3yDARIqK6ZVrXh9VU4
+wWNoLRWpvuUIFbVpXl8cNTHgp7QEq6oUTgCDwy9LrinBiV44PGtEHC/2U1zrbuwk
+uIRo3Dgf+lMYOLbTAYiWm807/P0kJ/fzBO+/0cReN1n1blmMrl1WFJaPRehqL1YU
+2BAcJ3TM+E5yQJzQqHPXywTHPnRJO7Nn4iJmR3bSeW1w5GhVdeP69+IO0CM0Au1c
+U9jG7d32NlY1QTMUJo22nmCCAEJKAEomOyJJ+l7BFmnnYG/UQUWuKGs=
+-----END CERTIFICATE-----
+
+node_path,validator,severity,code,message
+certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.common_name_attribute_absent,
+certificate.tbsCertificate.extensions.6.extnValue.certificatePolicies.14.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present,
+certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified,
+certificate.tbsCertificate.extensions,CrossCertificateExtensionAllowanceValidator,WARNING,cabf.serverauth.cross_ca.extended_key_usage_extension_absent,
+certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.organizational_unit_name_attribute_present,
+certificate.tbsCertificate.extensions.2.extnValue.keyUsage,CaKeyUsageValidator,NOTICE,cabf.ca_certificate_no_digital_signature_bit,
+certificate.tbsCertificate.extensions.6.extnValue.certificatePolicies,CaCertificatePoliciesValidator,WARNING,cabf.serverauth.ca_first_policy_oid_not_reserved,
diff --git a/tests/integration_certificate/tls_br/internal_subscriber_issuing_cross_ca/multiple_reserved_policy_oids.crttest b/tests/integration_certificate/tls_br/internal_subscriber_issuing_cross_ca/multiple_reserved_policy_oids.crttest
new file mode 100644
index 0000000..73fe62d
--- /dev/null
+++ b/tests/integration_certificate/tls_br/internal_subscriber_issuing_cross_ca/multiple_reserved_policy_oids.crttest
@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----
+MIIHdTCCBV2gAwIBAgIRAMrh9z78rFuxnIjBxy9vey8wDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVFcxIzAhBgNVBAoMGkNodW5naHdhIFRlbGVjb20gQ28uLCBM
+dGQuMS8wLQYDVQQDDCZlUEtJIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHMjAeFw0xNTExMTcwODMxNDFaFw0zNDEyMjAwMjMxMjdaMF4xCzAJBgNVBAYT
+AlRXMSMwIQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEqMCgGA1UE
+CwwhZVBLSSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEh
+ajfqhFAHSyZbCUNsIZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrB
+p0xtInAhijHyl3SJCRImHJ7K2RKilTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2Y
+WEtgvM3XDZoTM1PRYfl61dd4s5oz9wCGzh1NlDivqOx4UXCKXBCDUSH3ET00hl7l
+SM2XgYI1TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX12ruOzjjK9SX
+Drkb5wdJfzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0O
+WQqraffAsgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fq
+cde+S/uUWH1+ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6
+ebClAZLSnT0IFaUQAS2zMnaolQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iV
+BmoKs2pHdmX2Os+PYhcZewoozRrSgx4hxyy/vv9haLdnG7t4TY3OZ+XkwY63I2bi
+nZB1NJipNiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXiZo1jDiVN1Rmy5nk3
+pyKdVDECAwEAAaOCAicwggIjMB8GA1UdIwQYMBaAFHJbuqpyOO4lkCS1lCL6CYjK
+iwr7MB0GA1UdDgQWBBQeDPe2Z/LhkiYJRcBVOS53P0JKojAOBgNVHQ8BAf8EBAMC
+AQYwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2VjYS5oaW5ldC5uZXQvcmVwb3Np
+dG9yeS9DUkwyL0NBLmNybDCBiwYIKwYBBQUHAQEEfzB9MEQGCCsGAQUFBzAChjho
+dHRwOi8vZWNhLmhpbmV0Lm5ldC9yZXBvc2l0b3J5L0NlcnRzL0lzc3VlZFRvVGhp
+c0NBLnA3YjA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AuZWNhLmhpbmV0Lm5ldC9P
+Q1NQL29jc3BHMnNoYTIwDwYDVR0TAQH/BAUwAwEB/zCB8wYDVR0gBIHrMIHoMA0G
+CysGAQQBgbcjZAABMA0GCysGAQQBgbcjZAACMA0GCysGAQQBgbcjZAADMA0GCysG
+AQQBgbcjZAAEMA0GCysGAQQBgbcjZAAJMA0GCysGAQQBgbcjZAAAMAkGB2CGdgFk
+AAEwCQYHYIZ2AWQAAjAJBgdghnYBZAADMAkGB2CGdgFkAAQwCQYHYIZ2AWQAADAI
+BgZngQwBAgEwCAYGZ4EMAQICMAgGBmeBDAECAzA3BgVngQwBATAuMCwGCCsGAQUF
+BwIBFiBodHRwczovL2VjYS5oaW5ldC5uZXQvcmVwb3NpdG9yeTANBgkqhkiG9w0B
+AQsFAAOCAgEAbvb5/9P544BlP4nZKjoQ/tzh5CZ/WUg+JAQgMblhtRa1Zmhpl2HD
+R1rzt/jRjxOhZMqtO1ogNI6KvESAt0pBBMZv9CTBvZv47p4HnuLxCxgFBk1s73vo
+uFc13OfAeV3EVAdzSrCZLfJHHfnuvPExW4SlmEzKp3seetbjH4DUSO6ZlwKUCTme
+p4DzbP82kDnwC7igowL0w+PKZYGiNvyjZr6/V1HLOn6Z6eBqVUeIgoJRxe49PbLc
+FFKXQdoMzAeElONPUpkv7/AX7CxflnbMWNwOCFrcT6pF3kLErgz8cA0PkW6gObjU
+zYs9Uk4dGI8AU4DSvamYe6abqPEBDjFec2EbycftofsqfGNF9T8HAZDAT7HnvKnT
+lRnQU66+IJo4Hw9LNjP/NwH+ZZJaRmyE870f+Lp+I6r/aS3yDARIqK6ZVrXh9VU4
+wWNoLRWpvuUIFbVpXl8cNTHgp7QEq6oUTgCDwy9LrinBiV44PGtEHC/2U1zrbuwk
+uIRo3Dgf+lMYOLbTAYiWm807/P0kJ/fzBO+/0cReN1n1blmMrl1WFJaPRehqL1YU
+2BAcJ3TM+E5yQJzQqHPXywTHPnRJO7Nn4iJmR3bSeW1w5GhVdeP69+IO0CM0Au1c
+U9jG7d32NlY1QTMUJo22nmCCAEJKAEomOyJJ+l7BFmnnYG/UQUWuKGs=
+-----END CERTIFICATE-----
+
+node_path,validator,severity,code,message
+certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.common_name_attribute_absent,
+certificate.tbsCertificate.extensions.6.extnValue.certificatePolicies.14.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present,
+certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified,
+certificate.tbsCertificate.extensions,CrossCertificateExtensionAllowanceValidator,WARNING,cabf.serverauth.cross_ca.extended_key_usage_extension_absent,
+certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.organizational_unit_name_attribute_present,
+certificate.tbsCertificate.extensions.2.extnValue.keyUsage,CaKeyUsageValidator,NOTICE,cabf.ca_certificate_no_digital_signature_bit,
+certificate.tbsCertificate.extensions.6.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_multiple_reserved_policy_oids,"Multiple reserved policy OIDs present: 2.23.140.1.1, 2.23.140.1.2.1, 2.23.140.1.2.2, 2.23.140.1.2.3"
diff --git a/tests/integration_certificate/tls_br/non_tls_ca/has_serverauth_policy_oid.crttest b/tests/integration_certificate/tls_br/non_tls_ca/has_serverauth_policy_oid.crttest
index 5b807d2..a4b3140 100644
--- a/tests/integration_certificate/tls_br/non_tls_ca/has_serverauth_policy_oid.crttest
+++ b/tests/integration_certificate/tls_br/non_tls_ca/has_serverauth_policy_oid.crttest
@@ -41,7 +41,7 @@ node_path,validator,severity,code,message
 certificate.tbsCertificate.extensions.1.extnValue.extKeyUsageSyntax,NonTlsCaCertificateAllowedEkuValidator,ERROR,cabf.serverauth.non_tls_ca.ocspsigning_eku_present,
 certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies.0.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present,
 certificate.tbsCertificate.extensions.6.extnValue.cRLDistributionPoints.1.distributionPoint.fullName.0.uniformResourceIdentifier,GeneralNameUriSyntaxValidator,NOTICE,pkix.ldap_uri_not_validated,"ldap://ldap-cpki.telekom.de/CN=T-TeleSec%20GlobalRoot%20Class%202,OU=T-TeleSec%20Trust%20Center,O=T-Systems%20Enterprise%20Services%20GmbH,C=DE?authorityRevocationList"
-certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_non_tls_has_reserved_policy_oid,Non-TLS CA has reserved policy OIDs: 2.23.140.1.2.2
+certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_non_tls_has_reserved_policy_oid,Non-TLS CA has reserved policy OID(s): 2.23.140.1.2.2
 certificate.tbsCertificate.extensions.6.extnValue.cRLDistributionPoints.1.distributionPoint,CrlDpDistributionPointNameValidator,ERROR,cabf.serverauth.crldp_dpname_prohibited_uri_scheme,"Prohibited URI scheme: ""ldap"""
 certificate.tbsCertificate.extensions.6.extnValue.cRLDistributionPoints,CrlDpDistributionPointCountValidator,WARNING,cabf.serverauth.crldp_multiple_distributionpoints_present,
 certificate.tbsCertificate.extensions.7.extnValue.authorityInfoAccessSyntax.2.accessLocation.uniformResourceIdentifier,GeneralNameUriSyntaxValidator,NOTICE,pkix.ldap_uri_not_validated,"ldap://ldap-cpki.telekom.de/CN=T-TeleSec%20GlobalRoot%20Class%202,OU=T-TeleSec%20Trust%20Center,O=T-Systems%20Enterprise%20Services%20GmbH,C=DE?cACertificate"