From 3dc91318d38ec3ae7bea3eed1fdbb00735f01ada Mon Sep 17 00:00:00 2001 
From: Corey Bonnell Date: Thu, 9 Jan 2025 17:02:53 -0500 Subject: [PATCH 1/8] Initial PQC algorithm support --- pkilint/bin/lint_pkix_cert.py | 1 + pkilint/cabf/serverauth/__init__.py | 7 +- pkilint/cabf/smime/__init__.py | 7 +- pkilint/etsi/__init__.py | 5 +- pkilint/nist/__init__.py | 0 pkilint/nist/asn1/__init__.py | 0 pkilint/nist/asn1/csor.py | 134 ++++++ pkilint/nist/asn1/fips_203.py | 40 ++ pkilint/nist/asn1/fips_204.py | 39 ++ pkilint/nist/asn1/fips_205.py | 131 ++++++ pkilint/pkix/algorithm.py | 4 + pkilint/pkix/certificate/__init__.py | 14 + .../pkix/certificate/certificate_extension.py | 22 +- pkilint/pkix/certificate/certificate_key.py | 398 +++++++++++++----- pkilint/pkix/key.py | 7 + pkilint/rest/pkix.py | 1 + .../pkix/dilithium_ipd_root.crttest | 78 ++++ .../pkix/dilithium_round3.crttest | 91 ++++ .../pkix/ed25519_bad_ku.crttest | 17 + .../pkix/hash_mldsa_ca.crttest | 92 ++++ .../pkix/hash_mldsa_ee_bad_ku.crttest | 90 ++++ .../pkix/mldsa44_root.crttest | 3 +- .../pkix/mldsa_44_bad_keylength.crttest | 91 ++++ .../pkix/mldsa_44_root_clean.crttest | 90 ++++ .../pkix/mldsa_bad_ku.crttest | 91 ++++ .../pkix/mlkem_512_clean.crttest | 78 ++++ .../pkix/mlkem_bad_ku.crttest | 79 ++++ .../pkix/slhsa_root_clean.crttest | 177 ++++++++ ...nknown_key_type_self_issued_no_aki.crttest | 2 +- .../pkix/v1_root_signed_with_md2.crttest | 2 +- .../pkix/x25519_bad_ku.crttest | 18 + .../integration_certificate/test_pkix_cert.py | 1 + 32 files changed, 1697 insertions(+), 113 deletions(-) create mode 100644 pkilint/nist/__init__.py create mode 100644 pkilint/nist/asn1/__init__.py create mode 100644 pkilint/nist/asn1/csor.py create mode 100644 pkilint/nist/asn1/fips_203.py create mode 100644 pkilint/nist/asn1/fips_204.py create mode 100644 pkilint/nist/asn1/fips_205.py create mode 100644 tests/integration_certificate/pkix/dilithium_ipd_root.crttest create mode 100644 tests/integration_certificate/pkix/dilithium_round3.crttest create mode 100644 
tests/integration_certificate/pkix/ed25519_bad_ku.crttest create mode 100644 tests/integration_certificate/pkix/hash_mldsa_ca.crttest create mode 100644 tests/integration_certificate/pkix/hash_mldsa_ee_bad_ku.crttest create mode 100644 tests/integration_certificate/pkix/mldsa_44_bad_keylength.crttest create mode 100644 tests/integration_certificate/pkix/mldsa_44_root_clean.crttest create mode 100644 tests/integration_certificate/pkix/mldsa_bad_ku.crttest create mode 100644 tests/integration_certificate/pkix/mlkem_512_clean.crttest create mode 100644 tests/integration_certificate/pkix/mlkem_bad_ku.crttest create mode 100644 tests/integration_certificate/pkix/slhsa_root_clean.crttest create mode 100644 tests/integration_certificate/pkix/x25519_bad_ku.crttest diff --git a/pkilint/bin/lint_pkix_cert.py b/pkilint/bin/lint_pkix_cert.py index c0ca034..fbb8d09 100644 --- a/pkilint/bin/lint_pkix_cert.py +++ b/pkilint/bin/lint_pkix_cert.py @@ -34,6 +34,7 @@ def main(cli_args=None) -> int: certificate.create_validity_validator_container(), certificate.create_subject_validator_container([]), certificate.create_extensions_validator_container([]), + certificate.create_spki_validator_container([]), ], ) diff --git a/pkilint/cabf/serverauth/__init__.py b/pkilint/cabf/serverauth/__init__.py index afc0cf1..cde51e9 100644 --- a/pkilint/cabf/serverauth/__init__.py +++ b/pkilint/cabf/serverauth/__init__.py @@ -162,16 +162,15 @@ def create_spki_validator_container(additional_validators=None): if additional_validators is None: additional_validators = [] - return validation.ValidatorContainer( - validators=[ + return certificate.create_spki_validator_container( + [ serverauth_key.ServerauthAllowedPublicKeyAlgorithmEncodingValidator( path="certificate.tbsCertificate.subjectPublicKeyInfo.algorithm" ), cabf_key.RsaKeyValidator(), cabf_key.EcdsaKeyValidator(), ] - + additional_validators, - path="certificate.tbsCertificate.subjectPublicKeyInfo", + + additional_validators ) 
diff --git a/pkilint/cabf/smime/__init__.py b/pkilint/cabf/smime/__init__.py index a6099a9..5dd5df7 100644 --- a/pkilint/cabf/smime/__init__.py +++ b/pkilint/cabf/smime/__init__.py @@ -146,16 +146,15 @@ def create_decoding_validators(): def create_spki_validation_container(): - return validation.ValidatorContainer( - validators=[ + return certificate.create_spki_validator_container( + [ smime_key.SmimeAllowedPublicKeyAlgorithmEncodingValidator( path="certificate.tbsCertificate.subjectPublicKeyInfo.algorithm" ), cabf_key.RsaKeyValidator(), cabf_key.EcdsaKeyValidator(), smime_key.GmailAllowedModulusLengthValidator(), - ], - path="certificate.tbsCertificate.subjectPublicKeyInfo", + ] ) diff --git a/pkilint/etsi/__init__.py b/pkilint/etsi/__init__.py index 148b1e2..d42b3ac 100644 --- a/pkilint/etsi/__init__.py +++ b/pkilint/etsi/__init__.py @@ -384,9 +384,8 @@ def create_validators( additional_spki_validators=spki_validators, ) else: - spki_validator_container = validation.ValidatorContainer( - validators=spki_validators, - path="certificate.tbsCertificate.subjectPublicKeyInfo", + spki_validator_container = certificate.create_spki_validator_container( + spki_validators ) top_level_container = validation.ValidatorContainer( diff --git a/pkilint/nist/__init__.py b/pkilint/nist/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/pkilint/nist/asn1/__init__.py b/pkilint/nist/asn1/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/pkilint/nist/asn1/csor.py b/pkilint/nist/asn1/csor.py new file mode 100644 index 0000000..4a6d7b9 --- /dev/null +++ b/pkilint/nist/asn1/csor.py 
@@ -0,0 +1,134 @@
+from pyasn1.type.univ import ObjectIdentifier
+
+
+# top-level OID arcs
+
+nistAlgorithms = ObjectIdentifier("2.16.840.1.101.3.4")
+
+sigAlgs = nistAlgorithms + (3,)
+
+kems = nistAlgorithms + (4,)
+
+# ML-DSA
+
+id_ml_dsa_44 = sigAlgs + (17,)
+
+id_ml_dsa_65 = sigAlgs + (18,)
+
+id_ml_dsa_87 = sigAlgs + (19,)
+
+MLDSA_OIDS = {
+ id_ml_dsa_44,
+ id_ml_dsa_65,
+ id_ml_dsa_87,
+}
+
+# HashML-DSA
+
+id_hash_ml_dsa_44_with_sha512 = sigAlgs + (32,)
+
+id_hash_ml_dsa_65_with_sha512 = sigAlgs + (33,)
+
+id_hash_ml_dsa_87_with_sha512 = sigAlgs + (34,)
+
+HASH_MLDSA_OIDS = {
+ id_hash_ml_dsa_44_with_sha512,
+ id_hash_ml_dsa_65_with_sha512,
+ id_hash_ml_dsa_87_with_sha512,
+}
+
+# SLH-DSA
+
+id_slh_dsa_sha2_128s = sigAlgs + (20,)
+
+id_slh_dsa_sha2_128f = sigAlgs + (21,)
+
+id_slh_dsa_sha2_192s = sigAlgs + (22,)
+
+id_slh_dsa_sha2_192f = sigAlgs + (23,)
+
+id_slh_dsa_sha2_256s = sigAlgs + (24,)
+
+id_slh_dsa_sha2_256f = sigAlgs + (25,)
+
+id_slh_dsa_shake_128s = sigAlgs + (26,)
+
+id_slh_dsa_shake_128f = sigAlgs + (27,)
+
+id_slh_dsa_shake_192s = sigAlgs + (28,)
+
+id_slh_dsa_shake_192f = sigAlgs + (29,)
+
+id_slh_dsa_shake_256s = sigAlgs + (30,)
+
+id_slh_dsa_shake_256f = sigAlgs + (31,)
+
+SLHDSA_OIDS = {
+ id_slh_dsa_sha2_128s,
+ id_slh_dsa_sha2_128f,
+ id_slh_dsa_sha2_192s,
+ id_slh_dsa_sha2_192f,
+ id_slh_dsa_sha2_256s,
+ id_slh_dsa_sha2_256f,
+ id_slh_dsa_shake_128s,
+ id_slh_dsa_shake_128f,
+ id_slh_dsa_shake_192s,
+ id_slh_dsa_shake_192f,
+ id_slh_dsa_shake_256s,
+ id_slh_dsa_shake_256f,
+}
+
+# HashSLH-DSA
+
+id_hash_slh_dsa_sha2_128s_with_sha256 = sigAlgs + (35,)
+
+id_hash_slh_dsa_sha2_128f_with_sha256 = sigAlgs + (36,)
+
+id_hash_slh_dsa_sha2_192s_with_sha512 = sigAlgs + (37,)
+
+id_hash_slh_dsa_sha2_192f_with_sha512 = sigAlgs + (38,)
+
+id_hash_slh_dsa_sha2_256s_with_sha512 = sigAlgs + (39,)
+
+id_hash_slh_dsa_sha2_256f_with_sha512 = sigAlgs + (40,)
+
+id_hash_slh_dsa_shake_128s_with_shake128 = sigAlgs + (41,)
+
+id_hash_slh_dsa_shake_128f_with_shake128 = sigAlgs + (42,)
+
+id_hash_slh_dsa_shake_192s_with_shake256 = sigAlgs + (43,)
+
+id_hash_slh_dsa_shake_192f_with_shake256 = sigAlgs + (44,)
+
+id_hash_slh_dsa_shake_256s_with_shake256 = sigAlgs + (45,)
+
+id_hash_slh_dsa_shake_256f_with_shake256 = sigAlgs + (46,)
+
+HASH_SLHDSA_OIDS = {
+ id_hash_slh_dsa_sha2_128s_with_sha256,
+ id_hash_slh_dsa_sha2_128f_with_sha256,
+ id_hash_slh_dsa_sha2_192s_with_sha512,
+ id_hash_slh_dsa_sha2_192f_with_sha512,
+ id_hash_slh_dsa_sha2_256s_with_sha512,
+ id_hash_slh_dsa_sha2_256f_with_sha512,
+ id_hash_slh_dsa_shake_128s_with_shake128,
+ id_hash_slh_dsa_shake_128f_with_shake128,
+ id_hash_slh_dsa_shake_192s_with_shake256,
+ id_hash_slh_dsa_shake_192f_with_shake256,
+ id_hash_slh_dsa_shake_256s_with_shake256,
+ id_hash_slh_dsa_shake_256f_with_shake256,
+}
+
+# ML-KEM
+
+id_alg_ml_kem_512 = kems + (1,)
+
+id_alg_ml_kem_768 = kems + (2,)
+
+id_alg_ml_kem_1024 = kems + (3,)
+
+MLKEM_OIDS = {
+ id_alg_ml_kem_512,
+ id_alg_ml_kem_768,
+ id_alg_ml_kem_1024,
+}
diff --git a/pkilint/nist/asn1/fips_203.py b/pkilint/nist/asn1/fips_203.py
new file mode 100644
index 0000000..87f08db
--- /dev/null
+++ b/pkilint/nist/asn1/fips_203.py
@@ -0,0 +1,40 @@
+from pyasn1.type import univ
+from pyasn1.type.constraint import ValueSizeConstraint
+
+from pkilint import document
+from pkilint.nist.asn1 import csor
+
+
+ML_KEM_512_PublicKeySize = 800
+ML_KEM_768_PublicKeySize = 1184
+ML_KEM_1024_PublicKeySize = 1568
+
+
+class MlKem512PublicKey(univ.OctetString):
+ subtypeSpec = ValueSizeConstraint(
+ ML_KEM_512_PublicKeySize, ML_KEM_512_PublicKeySize
+ )
+
+
+class MlKem768PublicKey(univ.OctetString):
+ subtypeSpec = ValueSizeConstraint(
+ ML_KEM_768_PublicKeySize, ML_KEM_768_PublicKeySize
+ )
+
+
+class MlKem1024PublicKey(univ.OctetString):
+ subtypeSpec = ValueSizeConstraint(
+ ML_KEM_1024_PublicKeySize, ML_KEM_1024_PublicKeySize
+ )
+
+
+ALGORITHM_OID_TO_KEY_MAPPINGS = {
+ csor.id_alg_ml_kem_512: MlKem512PublicKey(),
+ csor.id_alg_ml_kem_768: MlKem768PublicKey(),
+ csor.id_alg_ml_kem_1024: MlKem1024PublicKey(),
+}
+
+ALGORITHM_OID_TO_PARAMETER_MAPPINGS = {
+ k: document.ValueDecoder.VALUE_NODE_ABSENT
+ for k in ALGORITHM_OID_TO_KEY_MAPPINGS.keys()
+}
diff --git a/pkilint/nist/asn1/fips_204.py b/pkilint/nist/asn1/fips_204.py
new file mode 100644
index 0000000..d0a2b63
--- /dev/null
+++ b/pkilint/nist/asn1/fips_204.py
@@ -0,0 +1,39 @@
+from pyasn1.type import univ
+from pyasn1.type.constraint import ValueSizeConstraint
+
+from pkilint import document
+from pkilint.nist.asn1 import csor
+
+
+ML_DSA_44_PublicKeySize = 1312
+ML_DSA_65_PublicKeySize = 1952
+ML_DSA_87_PublicKeySize = 2592
+
+
+class MlDsa44PublicKey(univ.OctetString):
+ subtypeSpec = ValueSizeConstraint(ML_DSA_44_PublicKeySize, ML_DSA_44_PublicKeySize)
+
+
+class MlDsa65PublicKey(univ.OctetString):
+ subtypeSpec = ValueSizeConstraint(ML_DSA_65_PublicKeySize, ML_DSA_65_PublicKeySize)
+
+
+class MlDsa87PublicKey(univ.OctetString):
+ subtypeSpec = ValueSizeConstraint(ML_DSA_87_PublicKeySize, ML_DSA_87_PublicKeySize)
+
+
+ALGORITHM_OID_TO_KEY_MAPPINGS = {
+ # pure
+ csor.id_ml_dsa_44: MlDsa44PublicKey(),
+ csor.id_ml_dsa_65: MlDsa65PublicKey(),
+ csor.id_ml_dsa_87: MlDsa87PublicKey(),
+ # pre-hashed
+ csor.id_hash_ml_dsa_44_with_sha512: MlDsa44PublicKey(),
+ csor.id_hash_ml_dsa_65_with_sha512: MlDsa65PublicKey(),
+ csor.id_hash_ml_dsa_87_with_sha512: MlDsa87PublicKey(),
+}
+
+ALGORITHM_OID_TO_PARAMETER_MAPPINGS = {
+ k: document.ValueDecoder.VALUE_NODE_ABSENT
+ for k in ALGORITHM_OID_TO_KEY_MAPPINGS.keys()
+}
diff --git a/pkilint/nist/asn1/fips_205.py b/pkilint/nist/asn1/fips_205.py
new file mode 100644
index 0000000..784fcae
--- /dev/null
+++ b/pkilint/nist/asn1/fips_205.py
@@ -0,0 +1,131 @@ +from pyasn1.type import univ +from pyasn1.type.constraint import ValueSizeConstraint + +from pkilint import document +from pkilint.nist.asn1 import csor + + +SlhDsaShaTwo128sPublicKeySize = 32 +SlhDsaShaTwo128fPublicKeySize = 32 + +SlhDsaShaTwo192sPublicKeySize = 48 +SlhDsaShaTwo192fPublicKeySize = 48 + +SlhDsaShaTwo256sPublicKeySize = 64 +SlhDsaShaTwo256fPublicKeySize = 64 + +SlhDsaShake128sPublicKeySize = 32 +SlhDsaShake128fPublicKeySize = 32 + +SlhDsaShake192sPublicKeySize = 48 +SlhDsaShake192fPublicKeySize = 48 + +SlhDsaShake256sPublicKeySize = 64 +SlhDsaShake256fPublicKeySize = 64 + + +class SlhDsaShaTwo128sPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShaTwo128sPublicKeySize, SlhDsaShake128sPublicKeySize + ) + + +class SlhDsaShaTwo128fPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShaTwo128fPublicKeySize, SlhDsaShake128fPublicKeySize + ) + + +class SlhDsaShaTwo192sPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShaTwo192sPublicKeySize, SlhDsaShake192sPublicKeySize + ) + + +class SlhDsaShaTwo192fPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShaTwo192fPublicKeySize, SlhDsaShake192fPublicKeySize + ) + + +class SlhDsaShaTwo256sPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShaTwo256sPublicKeySize, SlhDsaShake256sPublicKeySize + ) + + +class SlhDsaShaTwo256fPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShaTwo256fPublicKeySize, SlhDsaShake256fPublicKeySize + ) + + +class SlhDsaShake128sPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShake128sPublicKeySize, SlhDsaShake128sPublicKeySize + ) + + +class SlhDsaShake128fPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShake128fPublicKeySize, SlhDsaShake128fPublicKeySize + ) + + +class SlhDsaShake192sPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + 
SlhDsaShake192sPublicKeySize, SlhDsaShake192sPublicKeySize + ) + + +class SlhDsaShake192fPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShake192fPublicKeySize, SlhDsaShake192fPublicKeySize + ) + + +class SlhDsaShake256sPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShake256sPublicKeySize, SlhDsaShake256sPublicKeySize + ) + + +class SlhDsaShake256fPublicKey(univ.OctetString): + subtypeSpec = ValueSizeConstraint( + SlhDsaShake256fPublicKeySize, SlhDsaShake256fPublicKeySize + ) + + +ALGORITHM_OID_TO_KEY_MAPPINGS = { + # pure + csor.id_slh_dsa_sha2_128f: SlhDsaShaTwo128fPublicKey(), + csor.id_slh_dsa_sha2_128s: SlhDsaShaTwo128sPublicKey(), + csor.id_slh_dsa_sha2_192f: SlhDsaShaTwo192fPublicKey(), + csor.id_slh_dsa_sha2_192s: SlhDsaShaTwo192sPublicKey(), + csor.id_slh_dsa_sha2_256f: SlhDsaShaTwo256fPublicKey(), + csor.id_slh_dsa_sha2_256s: SlhDsaShaTwo256sPublicKey(), + csor.id_slh_dsa_shake_128f: SlhDsaShake128fPublicKey(), + csor.id_slh_dsa_shake_128s: SlhDsaShake128sPublicKey(), + csor.id_slh_dsa_shake_192f: SlhDsaShake192fPublicKey(), + csor.id_slh_dsa_shake_192s: SlhDsaShake192sPublicKey(), + csor.id_slh_dsa_shake_256f: SlhDsaShake256fPublicKey(), + csor.id_slh_dsa_shake_256s: SlhDsaShake256sPublicKey(), + # pre-hashed + csor.id_hash_slh_dsa_sha2_128f_with_sha256: SlhDsaShaTwo128fPublicKey(), + csor.id_hash_slh_dsa_sha2_128s_with_sha256: SlhDsaShaTwo128sPublicKey(), + csor.id_hash_slh_dsa_sha2_192f_with_sha512: SlhDsaShaTwo192fPublicKey(), + csor.id_hash_slh_dsa_sha2_192s_with_sha512: SlhDsaShaTwo192sPublicKey(), + csor.id_hash_slh_dsa_sha2_256f_with_sha512: SlhDsaShaTwo256fPublicKey(), + csor.id_hash_slh_dsa_sha2_256s_with_sha512: SlhDsaShaTwo256sPublicKey(), + csor.id_hash_slh_dsa_shake_128f_with_shake128: SlhDsaShake128fPublicKey(), + csor.id_hash_slh_dsa_shake_128s_with_shake128: SlhDsaShake128sPublicKey(), + csor.id_hash_slh_dsa_shake_192f_with_shake256: SlhDsaShake192fPublicKey(), + 
csor.id_hash_slh_dsa_shake_192s_with_shake256: SlhDsaShake192sPublicKey(), + csor.id_hash_slh_dsa_shake_256f_with_shake256: SlhDsaShake256fPublicKey(), + csor.id_hash_slh_dsa_shake_256s_with_shake256: SlhDsaShake256sPublicKey(), +} + +ALGORITHM_OID_TO_PARAMETER_MAPPINGS = { + k: document.ValueDecoder.VALUE_NODE_ABSENT + for k in ALGORITHM_OID_TO_KEY_MAPPINGS.keys() +} diff --git a/pkilint/pkix/algorithm.py b/pkilint/pkix/algorithm.py index ca60780..10f3e8e 100644 --- a/pkilint/pkix/algorithm.py +++ b/pkilint/pkix/algorithm.py @@ -5,6 +5,7 @@ from pyasn1_alt_modules import rfc4055, rfc5280, rfc5480, rfc8410 from pkilint import validation, document +from pkilint.nist.asn1 import fips_203, fips_204, fips_205 SIGNATURE_ALGORITHM_IDENTIFIER_MAPPINGS = { **{ @@ -36,6 +37,9 @@ rfc4055.sha512WithRSAEncryption, ) }, + **fips_203.ALGORITHM_OID_TO_PARAMETER_MAPPINGS, + **fips_204.ALGORITHM_OID_TO_PARAMETER_MAPPINGS, + **fips_205.ALGORITHM_OID_TO_PARAMETER_MAPPINGS, rfc4055.id_RSASSA_PSS: rfc4055.RSASSA_PSS_params(), } diff --git a/pkilint/pkix/certificate/__init__.py b/pkilint/pkix/certificate/__init__.py index d654e4c..3febc02 100644 --- a/pkilint/pkix/certificate/__init__.py +++ b/pkilint/pkix/certificate/__init__.py @@ -318,6 +318,20 @@ def create_validity_validator_container(additional_validators=None): ) +def create_spki_validator_container(additional_validators=None): + if additional_validators is None: + additional_validators = [] + + return validation.ValidatorContainer( + validators=[ + certificate_key.CaPrehashPublicKeyValidator(), + certificate_key.ObsoletePublicKeyAlgorithmValidator(), + ] + + additional_validators, + path="certificate.tbsCertificate.subjectPublicKeyInfo", + ) + + def create_extensions_validator_container(additional_validators=None): if additional_validators is None: additional_validators = [] diff --git a/pkilint/pkix/certificate/certificate_extension.py b/pkilint/pkix/certificate/certificate_extension.py index cd28bb8..ba7e0d7 100644 
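Review bot: In fips_205.py the six SHA-2 classes (`SlhDsaShaTwo128sPublicKey` through `SlhDsaShaTwo256fPublicKey`) take the lower bound of their size constraint from the SHA-2 constant and the upper bound from the SHAKE constant, e.g. `ValueSizeConstraint(SlhDsaShaTwo128sPublicKeySize, SlhDsaShake128sPublicKeySize)`. The paired values are equal today (32, 48 and 64), so the length check is still exact, but the mix looks like a copy-paste slip and would silently become a range if either constant were edited. Use the class's own constant on both sides, `ValueSizeConstraint(SlhDsaShaTwo128sPublicKeySize, SlhDsaShaTwo128sPublicKeySize)`, and likewise for the other five classes.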
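Review bot: The added `**fips_203.ALGORITHM_OID_TO_PARAMETER_MAPPINGS,` line in algorithm.py puts the three ML-KEM OIDs into `SIGNATURE_ALGORITHM_IDENTIFIER_MAPPINGS`, although ML-KEM is a key-encapsulation mechanism and cannot produce a signature. The consumers of this map are outside the hunk, but if it decides which `signatureAlgorithm` values are recognised, a certificate naming an ML-KEM OID there would be decoded as a known algorithm with absent parameters instead of being reported as unsupported. Drop the `fips_203` entry from this map and keep `fips_204` and `fips_205`; the ML-KEM entries belong only in the subject public key maps in `pkilint/pkix/key.py`.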
--- a/pkilint/pkix/certificate/certificate_extension.py +++ b/pkilint/pkix/certificate/certificate_extension.py @@ -1,4 +1,4 @@ -from typing import NamedTuple, Set +from typing import NamedTuple, Set, List import unicodedata from cryptography import exceptions @@ -565,6 +565,22 @@ class KeyUsageBitName: ENCIPHER_ONLY = "encipherOnly" DECIPHER_ONLY = "decipherOnly" + _ALL_BITS = { + DIGITAL_SIGNATURE, + NON_REPUDIATION, + KEY_ENCIPHERMENT, + DATA_ENCIPHERMENT, + KEY_AGREEMENT, + KEY_CERT_SIGN, + CRL_SIGN, + ENCIPHER_ONLY, + DECIPHER_ONLY, + } + + @staticmethod + def all_bits() -> Set[str]: + return KeyUsageBitName._ALL_BITS + class KeyUsageValidator(validation.Validator): VALIDATION_NO_BITS_SET = validation.ValidationFinding( @@ -651,7 +667,7 @@ def validate(self, node): if ext is not None: return - if cert_doc.is_self_issued: + if cert_doc.is_ca and cert_doc.is_self_issued: public_key = cert_doc.public_key_object if public_key is None: @@ -663,7 +679,7 @@ def validate(self, node): raise validation.ValidationFindingEncountered( self.VALIDATION_UNSUPPORTED_ALGORITHM, - f"Self-issued certificate uses unsupported public key algorithm: {key_oid}", + f"Self-issued CA certificate uses unsupported public key algorithm: {key_oid}", ) try: diff --git a/pkilint/pkix/certificate/certificate_key.py b/pkilint/pkix/certificate/certificate_key.py index aa17fe1..3b260e3 100644 --- a/pkilint/pkix/certificate/certificate_key.py +++ b/pkilint/pkix/certificate/certificate_key.py @@ -1,4 +1,5 @@ import binascii +from typing import NamedTuple, Set, Optional from cryptography import exceptions from cryptography.hazmat.primitives import hashes @@ -9,6 +10,7 @@ from pkilint import validation, util, document from pkilint.itu import bitstring +from pkilint.nist.asn1 import csor from pkilint.pkix.certificate.certificate_extension import KeyUsageBitName from pkilint.pkix.key import verify_signature 
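Review bot: `KeyUsageBitName.all_bits()` returns the class-level `_ALL_BITS` set itself, so a caller that mutates the result changes the baseline every later caller derives its allowed key usages from. The uses visible in this patch only apply `-` to it, which builds a new set, but nothing enforces that for future callers. Return a copy instead, `return set(KeyUsageBitName._ALL_BITS)`, and give the method a one-line docstring such as `"""Return the names of all KeyUsage bits."""`.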
@@ -233,135 +235,212 @@ def validate(self, node): class SpkiKeyUsageConsistencyValidator(validation.Validator): - # all bits are allowed except for keyAgreement, see RFC 4055 section 1.2 - _RSA_ALLOWED_KEY_USAGES = { - KeyUsageBitName.DIGITAL_SIGNATURE, - KeyUsageBitName.NON_REPUDIATION, - KeyUsageBitName.KEY_CERT_SIGN, - KeyUsageBitName.CRL_SIGN, - KeyUsageBitName.KEY_ENCIPHERMENT, - KeyUsageBitName.DATA_ENCIPHERMENT, - KeyUsageBitName.DECIPHER_ONLY, - KeyUsageBitName.ENCIPHER_ONLY, - } + class KeyUsageBitsAndValidationFindingPair(NamedTuple): + key_usage_bits: Set[str] + validation_finding: validation.ValidationFinding + + class AlgorithmKeyUsageRequirement(NamedTuple): + allowed: "SpkiKeyUsageConsistencyValidator.KeyUsageBitsAndValidationFindingPair" + required: Optional[ + "SpkiKeyUsageConsistencyValidator.KeyUsageBitsAndValidationFindingPair" + ] + VALIDATION_RSA_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( validation.ValidationFindingSeverity.ERROR, "pkix.key_usage_value_prohibited_for_rsa", ) - # all bits are allowed except for keyEncipherment and dataEncipherment, see RFC 8813 section 3 - _EC_ALLOWED_KEY_USAGES = { - KeyUsageBitName.DIGITAL_SIGNATURE, - KeyUsageBitName.NON_REPUDIATION, - KeyUsageBitName.KEY_CERT_SIGN, - KeyUsageBitName.CRL_SIGN, - KeyUsageBitName.KEY_AGREEMENT, - KeyUsageBitName.DECIPHER_ONLY, - KeyUsageBitName.ENCIPHER_ONLY, - } VALIDATION_EC_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( validation.ValidationFindingSeverity.ERROR, "pkix.key_usage_value_prohibited_for_ec", ) - # see RFC 9295, section 3 - _X448_AND_X25519_REQUIRED_KEY_USAGES = { - KeyUsageBitName.KEY_AGREEMENT, - } VALIDATION_EDWARDS_MISSING_REQUIRED_KEY_USAGE_VALUE = validation.ValidationFinding( validation.ValidationFindingSeverity.ERROR, "pkix.key_usage_value_required_but_missing_for_edwards_curve", ) - _X448_AND_X25519_ALLOWED_KEY_USAGES = { - KeyUsageBitName.KEY_AGREEMENT, - KeyUsageBitName.DECIPHER_ONLY, - KeyUsageBitName.ENCIPHER_ONLY, - } 
VALIDATION_EDWARDS_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( validation.ValidationFindingSeverity.ERROR, "pkix.key_usage_value_prohibited_for_edwards_curve", ) - _SIGNATURE_ALGORITHM_ALLOWED_KEY_USAGES = { - KeyUsageBitName.DIGITAL_SIGNATURE, - KeyUsageBitName.NON_REPUDIATION, - KeyUsageBitName.KEY_CERT_SIGN, - KeyUsageBitName.CRL_SIGN, - } - VALIDATION_SIGNATURE_ALGORITHM_PROHIBITED_KEY_USAGE_VALUE = ( - validation.ValidationFinding( - validation.ValidationFindingSeverity.ERROR, - "pkix.key_usage_value_prohibited_for_signature_algorithm", - ) + VALIDATION_MLDSA_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.key_usage_value_prohibited_for_mldsa", + ) + + VALIDATION_HASH_MLDSA_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.key_usage_value_prohibited_for_hash_mldsa", ) - # _KEM_ALLOWED_KEY_USAGES = {KeyUsageBitName.KEY_ENCIPHERMENT} - # VALIDATION_KEM_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( - # validation.ValidationFindingSeverity.ERROR, - # "pkix.prohibited_key_usage_value_kem", - # ) + VALIDATION_SLHDSA_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.key_usage_value_prohibited_for_slhdsa", + ) + + VALIDATION_HASH_SLHDSA_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.key_usage_value_prohibited_for_hash_slhdsa", + ) + + VALIDATION_MLKEM_PROHIBITED_KEY_USAGE_VALUE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.key_usage_value_prohibited_for_mlkem", + ) VALIDATION_UNSUPPORTED_PUBLIC_KEY_ALGORITHM = validation.ValidationFinding( validation.ValidationFindingSeverity.NOTICE, "pkix.public_key_algorithm_unsupported", ) - _KEY_USAGE_VALUE_ALLOWANCES = { - rfc3279.rsaEncryption: ( - (_RSA_ALLOWED_KEY_USAGES, 
VALIDATION_RSA_PROHIBITED_KEY_USAGE_VALUE), - None, + _RSA = AlgorithmKeyUsageRequirement( + allowed=KeyUsageBitsAndValidationFindingPair( + # all bits are allowed except for keyAgreement, see RFC 4055 section 1.2 + key_usage_bits=KeyUsageBitName.all_bits() - {KeyUsageBitName.KEY_AGREEMENT}, + validation_finding=VALIDATION_RSA_PROHIBITED_KEY_USAGE_VALUE, + ), + required=None, + ) + + _EC = AlgorithmKeyUsageRequirement( + allowed=KeyUsageBitsAndValidationFindingPair( + # all bits are allowed except for keyEncipherment and dataEncipherment, see RFC 8813 section 3 + key_usage_bits=KeyUsageBitName.all_bits() + - {KeyUsageBitName.KEY_ENCIPHERMENT, KeyUsageBitName.DATA_ENCIPHERMENT}, + validation_finding=VALIDATION_EC_PROHIBITED_KEY_USAGE_VALUE, + ), + required=None, + ) + + _EDWARDS_KEY_AGREEMENT = AlgorithmKeyUsageRequirement( + allowed=KeyUsageBitsAndValidationFindingPair( + # see RFC 9295, section 3 + key_usage_bits={ + KeyUsageBitName.KEY_AGREEMENT, + KeyUsageBitName.DECIPHER_ONLY, + KeyUsageBitName.ENCIPHER_ONLY, + }, + validation_finding=VALIDATION_EDWARDS_PROHIBITED_KEY_USAGE_VALUE, ), - rfc5480.id_ecPublicKey: ( - (_EC_ALLOWED_KEY_USAGES, VALIDATION_EC_PROHIBITED_KEY_USAGE_VALUE), - None, + required=KeyUsageBitsAndValidationFindingPair( + # see RFC 9295, section 3 + key_usage_bits={ + KeyUsageBitName.KEY_AGREEMENT, + }, + validation_finding=VALIDATION_EDWARDS_MISSING_REQUIRED_KEY_USAGE_VALUE, + ), + ) + + _DIGITAL_SIGNATURE_ALGORITHM_BITS = { + KeyUsageBitName.DIGITAL_SIGNATURE, + KeyUsageBitName.NON_REPUDIATION, + KeyUsageBitName.KEY_CERT_SIGN, + KeyUsageBitName.CRL_SIGN, + } + + _EDWARDS_DIGITAL_SIGNATURE = AlgorithmKeyUsageRequirement( + allowed=KeyUsageBitsAndValidationFindingPair( + # see RFC 9295, section 3 + key_usage_bits=_DIGITAL_SIGNATURE_ALGORITHM_BITS, + validation_finding=VALIDATION_EDWARDS_PROHIBITED_KEY_USAGE_VALUE, ), - rfc8410.id_X448: ( - ( - _X448_AND_X25519_ALLOWED_KEY_USAGES, - VALIDATION_EDWARDS_PROHIBITED_KEY_USAGE_VALUE, - ), - ( - 
_X448_AND_X25519_REQUIRED_KEY_USAGES, - VALIDATION_EDWARDS_MISSING_REQUIRED_KEY_USAGE_VALUE, - ), + required=None, + ) + + _MLDSA = AlgorithmKeyUsageRequirement( + allowed=KeyUsageBitsAndValidationFindingPair( + # see + # https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-05.html#name-key-usage-bits + key_usage_bits=_DIGITAL_SIGNATURE_ALGORITHM_BITS, + validation_finding=VALIDATION_MLDSA_PROHIBITED_KEY_USAGE_VALUE, ), - rfc8410.id_X25519: ( - ( - _X448_AND_X25519_ALLOWED_KEY_USAGES, - VALIDATION_EDWARDS_PROHIBITED_KEY_USAGE_VALUE, - ), - ( - _X448_AND_X25519_REQUIRED_KEY_USAGES, - VALIDATION_EDWARDS_MISSING_REQUIRED_KEY_USAGE_VALUE, - ), + required=None, + ) + + _HASH_MLDSA = AlgorithmKeyUsageRequirement( + allowed=KeyUsageBitsAndValidationFindingPair( + # see + # https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-05.html#name-key-usage-bits + key_usage_bits={ + KeyUsageBitName.DIGITAL_SIGNATURE, + KeyUsageBitName.NON_REPUDIATION, + }, + validation_finding=VALIDATION_HASH_MLDSA_PROHIBITED_KEY_USAGE_VALUE, ), - rfc8410.id_Ed448: ( - ( - _SIGNATURE_ALGORITHM_ALLOWED_KEY_USAGES, - VALIDATION_SIGNATURE_ALGORITHM_PROHIBITED_KEY_USAGE_VALUE, - ), - None, + required=None, + ) + + _SLHDSA = AlgorithmKeyUsageRequirement( + allowed=KeyUsageBitsAndValidationFindingPair( + # see https://www.ietf.org/archive/id/draft-ietf-lamps-x509-slhdsa-03.html#name-key-usage-bits + key_usage_bits=_DIGITAL_SIGNATURE_ALGORITHM_BITS, + validation_finding=VALIDATION_SLHDSA_PROHIBITED_KEY_USAGE_VALUE, ), - rfc8410.id_Ed25519: ( - ( - _SIGNATURE_ALGORITHM_ALLOWED_KEY_USAGES, - VALIDATION_SIGNATURE_ALGORITHM_PROHIBITED_KEY_USAGE_VALUE, - ), - None, + required=None, + ) + + _HASH_SLHDSA = AlgorithmKeyUsageRequirement( + allowed=KeyUsageBitsAndValidationFindingPair( + # see https://www.ietf.org/archive/id/draft-ietf-lamps-x509-slhdsa-03.html#name-key-usage-bits + key_usage_bits={ + KeyUsageBitName.DIGITAL_SIGNATURE, + KeyUsageBitName.NON_REPUDIATION, + }, + 
validation_finding=VALIDATION_HASH_SLHDSA_PROHIBITED_KEY_USAGE_VALUE, ), - } + required=None, + ) + + _MLKEM = AlgorithmKeyUsageRequirement( + allowed=KeyUsageBitsAndValidationFindingPair( + # see https://datatracker.ietf.org/doc/html/draft-ietf-lamps-kyber-certificates-07#section-3 + key_usage_bits={KeyUsageBitName.KEY_ENCIPHERMENT}, + validation_finding=VALIDATION_MLKEM_PROHIBITED_KEY_USAGE_VALUE, + ), + required=None, + ) + + _KEY_USAGE_VALUE_ALLOWANCES = {} def __init__(self): + validations = {self.VALIDATION_UNSUPPORTED_PUBLIC_KEY_ALGORITHM} + + for alg_allowance in self._KEY_USAGE_VALUE_ALLOWANCES.values(): + validations.add(alg_allowance.allowed.validation_finding) + + if alg_allowance.required: + validations.add(alg_allowance.required.validation_finding) + + self._KEY_USAGE_VALUE_ALLOWANCES.update( + { + rfc3279.rsaEncryption: self._RSA, + rfc5480.id_ecPublicKey: self._EC, + **{ + k: self._EDWARDS_KEY_AGREEMENT + for k in ( + rfc8410.id_X448, + rfc8410.id_X25519, + ) + }, + **{ + k: self._EDWARDS_DIGITAL_SIGNATURE + for k in ( + rfc8410.id_Ed448, + rfc8410.id_Ed25519, + ) + }, + **{k: self._MLDSA for k in csor.MLDSA_OIDS}, + **{k: self._HASH_MLDSA for k in csor.HASH_MLDSA_OIDS}, + **{k: self._SLHDSA for k in csor.SLHDSA_OIDS}, + **{k: self._HASH_SLHDSA for k in csor.HASH_SLHDSA_OIDS}, + **{k: self._MLKEM for k in csor.MLKEM_OIDS}, + } + ) + super().__init__( - validations=[ - self.VALIDATION_UNSUPPORTED_PUBLIC_KEY_ALGORITHM, - self.VALIDATION_EC_PROHIBITED_KEY_USAGE_VALUE, - self.VALIDATION_EDWARDS_PROHIBITED_KEY_USAGE_VALUE, - self.VALIDATION_EDWARDS_MISSING_REQUIRED_KEY_USAGE_VALUE, - self.VALIDATION_RSA_PROHIBITED_KEY_USAGE_VALUE, - self.VALIDATION_SIGNATURE_ALGORITHM_PROHIBITED_KEY_USAGE_VALUE, - ], + validations=list(validations), pdu_class=rfc5280.KeyUsage, ) 
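Review bot: In `SpkiKeyUsageConsistencyValidator.__init__` the `validations` set is collected from `self._KEY_USAGE_VALUE_ALLOWANCES.values()` before the `update(...)` call that fills that dict, and the dict starts as `{}`. The first instance therefore declares only `VALIDATION_UNSUPPORTED_PUBLIC_KEY_ALGORITHM`, although `validate` can raise any of the RSA, EC, Edwards, ML-DSA, SLH-DSA and ML-KEM findings. Later instances pick up the full set only because the dict is a class attribute that every constructor mutates. Move the `self._KEY_USAGE_VALUE_ALLOWANCES.update({...})` call above the `for alg_allowance in ...` loop, or better, build the mapping once as a class-level constant so that `__init__` does not write to shared state. `CaPrehashPublicKeyValidator` in the last certificate_key.py hunk updates a class-level dict from `__init__` in the same way, though its `validations` list is spelled out explicitly.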
@@ -370,15 +449,15 @@ def validate(self, node): ":certificate.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm" ).pdu - allowances = self._KEY_USAGE_VALUE_ALLOWANCES.get(spki_alg_oid) + alg_allowances = self._KEY_USAGE_VALUE_ALLOWANCES.get(spki_alg_oid) - if allowances is None: + if alg_allowances is None: raise validation.ValidationFindingEncountered( self.VALIDATION_UNSUPPORTED_PUBLIC_KEY_ALGORITHM, f"Unsupported public key algorithm: {str(spki_alg_oid)}", ) - allowed_values_and_finding, required_values_and_finding = allowances + allowed_values_and_finding, required_values_and_finding = alg_allowances allowed_values, prohibited_finding = allowed_values_and_finding bit_set = bitstring.get_asserted_bit_set(node) 
@@ -405,3 +484,132 @@ def validate(self, node): missing_finding, f"Required key usage value(s) missing: {missing_ku_names}", ) + + +class CaPrehashPublicKeyValidator(validation.Validator): + VALIDATION_HASH_MLDSA_PROHIBITED_IN_CA_CERTIFICATE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, "pkix.hash_mldsa_ca_key_prohibited" + ) + + VALIDATION_HASH_SLHDSA_PROHIBITED_IN_CA_CERTIFICATE = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, "pkix.hash_slhdsa_ca_key_prohibited" + ) + + _PROHIBITED_ALG_OID_TO_FINDING_MAPPINGS = {} + + def __init__(self): + self._PROHIBITED_ALG_OID_TO_FINDING_MAPPINGS.update( + { + **{ + k: self.VALIDATION_HASH_MLDSA_PROHIBITED_IN_CA_CERTIFICATE + for k in csor.HASH_MLDSA_OIDS + }, + **{ + k: self.VALIDATION_HASH_SLHDSA_PROHIBITED_IN_CA_CERTIFICATE + for k in csor.HASH_SLHDSA_OIDS + }, + } + ) + + super().__init__( + validations=[ + self.VALIDATION_HASH_MLDSA_PROHIBITED_IN_CA_CERTIFICATE, + self.VALIDATION_HASH_SLHDSA_PROHIBITED_IN_CA_CERTIFICATE, + ], + pdu_class=rfc5280.SubjectPublicKeyInfo, + predicate=lambda n: n.document.is_ca, + ) + + def validate(self, node): + spki_alg_oid = node.navigate("algorithm.algorithm").pdu + + finding = self._PROHIBITED_ALG_OID_TO_FINDING_MAPPINGS.get(spki_alg_oid) + + if finding: + raise validation.ValidationFindingEncountered( + finding, + f"Prohibited public key algorithm in CA certificate: {str(spki_alg_oid)}", + ) + + +class ObsoletePublicKeyAlgorithmValidator(validation.Validator): + VALIDATION_IPD_ALGORITHM_PRESENT = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.public_key_nist_ipd_algorithm_present", + ) + + VALIDATION_ROUND3_ALGORITHM_PRESENT = validation.ValidationFinding( + validation.ValidationFindingSeverity.ERROR, + "pkix.public_key_nist_round3_algorithm_present", + ) + + _IPD_ALG_OIDS = { + univ.ObjectIdentifier("1.3.6.1.4.1.2.267.12.4.4"), # ML-DSA-44-ipd + 
univ.ObjectIdentifier("1.1.4.1.2.267.12.6.5"), # ML-DSA-65-ipd + univ.ObjectIdentifier("1.1.4.1.2.267.12.8.7"), # ML-DSA-87-ipd + univ.ObjectIdentifier("1.3.9999.6.4.16"), # SLH-DSA-SHA2-128s-ipd + univ.ObjectIdentifier("1.3.9999.6.7.16"), # SLH-DSA-SHAKE-128s-ipd + univ.ObjectIdentifier("1.3.9999.6.4.13"), # SLH-DSA-SHA2-128f-ipd + univ.ObjectIdentifier("1.3.9999.6.7.13"), # SLH-DSA-SHAKE-128f-ipd + univ.ObjectIdentifier("1.3.9999.6.5.12"), # SLH-DSA-SHA2-192s-ipd + univ.ObjectIdentifier("1.3.9999.6.8.12"), # SLH-DSA-SHAKE-192s-ipd + univ.ObjectIdentifier("1.3.9999.6.5.10"), # SLH-DSA-SHA2-192f-ipd + univ.ObjectIdentifier("1.3.9999.6.8.10"), # SLH-DSA-SHAKE-192f-ipd + univ.ObjectIdentifier("1.3.9999.6.6.12"), # SLH-DSA-SHA2-256s-ipd + univ.ObjectIdentifier("1.3.9999.6.9.12"), # SLH-DSA-SHAKE-256s-ipd + univ.ObjectIdentifier("1.3.9999.6.6.10"), # SLH-DSA-SHA2-256f-ipd + univ.ObjectIdentifier("1.3.9999.6.9.10"), # SLH-DSA-SHAKE-256f-ipd + univ.ObjectIdentifier("1.3.6.1.4.1.22554.5.6.1"), # ML-KEM-512-ipd + univ.ObjectIdentifier("1.3.6.1.4.1.22554.5.6.2"), # ML-KEM-768-ipd + univ.ObjectIdentifier("1.3.6.1.4.1.22554.5.6.3"), # ML-KEM-1024-ipd + } + + _ROUND3_ALG_OIDS = { + univ.ObjectIdentifier("1.3.6.1.4.1.2.267.7.4.4"), # Dilithium2 + univ.ObjectIdentifier("1.3.6.1.4.1.2.267.7.6.5"), # Dilithium3 + univ.ObjectIdentifier("1.3.6.1.4.1.2.267.7.8.7"), # Dilithium5 + univ.ObjectIdentifier("1.3.6.1.4.1.2.267.11.4.4"), # DilithiumAES2 + univ.ObjectIdentifier("1.3.6.1.4.1.2.267.11.6.5"), # DilithiumAES3 + univ.ObjectIdentifier("1.3.6.1.4.1.2.267.11.8.7"), # DilithiumAES5 + univ.ObjectIdentifier("1.3.9999.3.1"), # Falcon-512 + univ.ObjectIdentifier("1.3.9999.3.4"), # Falcon-1024 + univ.ObjectIdentifier("1.3.9999.6.4.1"), # SPHINCS+-SHA256-128f-robust + univ.ObjectIdentifier("1.3.9999.6.4.4"), # SPHINCS+-SHA256-128f-simple + univ.ObjectIdentifier("1.3.9999.6.4.7"), # SPHINCS+-SHA256-128s-robust + univ.ObjectIdentifier("1.3.9999.6.4.10"), # SPHINCS+-SHA256-128s-simple + 
univ.ObjectIdentifier("1.3.9999.6.5.1"), # SPHINCS+-SHA256-192f-robust + univ.ObjectIdentifier("1.3.9999.6.5.3"), # SPHINCS+-SHA256-192f-simple + univ.ObjectIdentifier("1.3.9999.6.5.5"), # SPHINCS+-SHA256-192s-robust + univ.ObjectIdentifier("1.3.9999.6.5.7"), # SPHINCS+-SHA256-192s-simple + univ.ObjectIdentifier("1.3.9999.6.6.1"), # SPHINCS+-SHA256-256f-robust + univ.ObjectIdentifier("1.3.9999.6.6.3"), # SPHINCS+-SHA256-256f-simple + univ.ObjectIdentifier("1.3.9999.6.6.5"), # SPHINCS+-SHA256-256s-robust + univ.ObjectIdentifier("1.3.9999.6.6.7"), # SPHINCS+-SHA256-256s-simple + univ.ObjectIdentifier("1.3.6.1.4.1.22554.5.6.4"), # kyber512_aes + univ.ObjectIdentifier("1.3.6.1.4.1.22554.5.6.5"), # kyber768_aes + univ.ObjectIdentifier("1.3.6.1.4.1.22554.5.6.6"), # kyber1024_aes + } + + def __init__(self): + super().__init__( + validations=[ + self.VALIDATION_IPD_ALGORITHM_PRESENT, + self.VALIDATION_ROUND3_ALGORITHM_PRESENT, + ], + pdu_class=rfc5280.SubjectPublicKeyInfo, + ) + + def validate(self, node): + spki_alg_oid = node.navigate("algorithm.algorithm").pdu + + if spki_alg_oid in self._IPD_ALG_OIDS: + raise validation.ValidationFindingEncountered( + self.VALIDATION_IPD_ALGORITHM_PRESENT, + f"Obsolete NIST IPD public key algorithm: {str(spki_alg_oid)}", + ) + + if spki_alg_oid in self._ROUND3_ALG_OIDS: + raise validation.ValidationFindingEncountered( + self.VALIDATION_ROUND3_ALGORITHM_PRESENT, + f"Obsolete NIST Round 3 public key algorithm: {str(spki_alg_oid)}", + ) diff --git a/pkilint/pkix/key.py b/pkilint/pkix/key.py index 581d8ff..01af119 100644 --- a/pkilint/pkix/key.py +++ b/pkilint/pkix/key.py @@ -12,6 +12,7 @@ from pkilint import document from pkilint.document import PDUNode +from pkilint.nist.asn1 import fips_203, fips_204, fips_205 SUBJECT_PUBLIC_KEY_ALGORITHM_IDENTIFIER_MAPPINGS = { rfc3279.rsaEncryption: rfc5480.RSAPublicKey(), 
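Review bot: Two entries in `_IPD_ALG_OIDS` look truncated: `"1.1.4.1.2.267.12.6.5"` (ML-DSA-65-ipd) and `"1.1.4.1.2.267.12.8.7"` (ML-DSA-87-ipd) lack the `1.3.6.1.4.1` prefix that the ML-DSA-44-ipd entry and every Dilithium entry in `_ROUND3_ALG_OIDS` carry. If so, a certificate using the IPD OID for those two parameter sets would not match, and `pkix.public_key_nist_ipd_algorithm_present` would not be reported for it. They should presumably read `univ.ObjectIdentifier("1.3.6.1.4.1.2.267.12.6.5")` and `univ.ObjectIdentifier("1.3.6.1.4.1.2.267.12.8.7")`; please confirm against the source the other values came from. The only IPD fixture named in the patch is `dilithium_ipd_root.crttest`, so a small test that checks each listed OID would catch this kind of slip.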
@@ -22,6 +23,9 @@ rfc8410.id_Ed25519: univ.OctetString(), rfc8410.id_X448: univ.OctetString(), rfc8410.id_X25519: univ.OctetString(), + **fips_203.ALGORITHM_OID_TO_KEY_MAPPINGS, + **fips_204.ALGORITHM_OID_TO_KEY_MAPPINGS, + **fips_205.ALGORITHM_OID_TO_KEY_MAPPINGS, } SUBJECT_KEY_PARAMETER_ALGORITHM_IDENTIFIER_MAPPINGS = { @@ -38,6 +42,9 @@ rfc8410.id_X25519, ) }, + **fips_203.ALGORITHM_OID_TO_PARAMETER_MAPPINGS, + **fips_204.ALGORITHM_OID_TO_PARAMETER_MAPPINGS, + **fips_205.ALGORITHM_OID_TO_PARAMETER_MAPPINGS, } EC_CURVE_OID_TO_OBJECT_MAPPINGS = { diff --git a/pkilint/rest/pkix.py b/pkilint/rest/pkix.py index cb4fa49..e3f6ced 100644 --- a/pkilint/rest/pkix.py +++ b/pkilint/rest/pkix.py @@ -23,6 +23,7 @@ def create_linter_group_instance(): certificate.create_validity_validator_container(), certificate.create_subject_validator_container([]), certificate.create_extensions_validator_container([]), + certificate.create_spki_validator_container([]), ], ), name="certificate", diff --git a/tests/integration_certificate/pkix/dilithium_ipd_root.crttest b/tests/integration_certificate/pkix/dilithium_ipd_root.crttest new file mode 100644 index 0000000..1a5a131 --- /dev/null +++ b/tests/integration_certificate/pkix/dilithium_ipd_root.crttest 
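Review bot: The three `**fips_20x.ALGORITHM_OID_TO_KEY_MAPPINGS` entries added to `SUBJECT_PUBLIC_KEY_ALGORITHM_IDENTIFIER_MAPPINGS` in pkilint/pkix/key.py are merged by dict unpacking, which lets a later duplicate key replace an earlier one without any error; the same applies to the `ALGORITHM_OID_TO_PARAMETER_MAPPINGS` entries in the next hunk of this file. The fips_203/204/205 modules are not visible here, so whether any OID overlaps is unknown, but an overlap would silently change which ASN.1 type a subject public key is decoded as. A module-level disjointness check would make that fail loudly, for example `assert not (fips_204.ALGORITHM_OID_TO_KEY_MAPPINGS.keys() & fips_205.ALGORITHM_OID_TO_KEY_MAPPINGS.keys())` repeated per pair, or a small merge helper that raises on a duplicate key. The first dict literal begins outside this hunk and the second one ends outside the next hunk.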
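Review bot: `certificate.create_spki_validator_container([])` is registered by hand in `create_linter_group_instance` in pkilint/rest/pkix.py, and the commit's diffstat shows matching one-line changes in `pkilint/bin/lint_pkix_cert.py` and `tests/integration_certificate/test_pkix_cert.py`, which suggests each entry point keeps its own copy of the container list. If one copy misses a container, that entry point stops reporting the SPKI findings (presumably including the obsolete IPD and Round 3 key checks) while the others still do. A shared factory returning the list would remove that risk; short of that, a comment above the list such as `# keep this container list identical to pkilint/bin/lint_pkix_cert.py` documents the coupling. The function body continues outside the hunk.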
@@ -0,0 +1,78 @@ +-----BEGIN CERTIFICATE----- +MIIPqzCCBh+gAwIBAgIUCLOgqxeYL1eMaDSl0TmIydD9Uz4wDQYLKwYBBAECggsMBAQwGjEYMBYG +A1UECAwPRGlsaXRoaXVtMiBSb290MB4XDTIzMTEwNzAwMDAwMFoXDTI0MTEwMTIzNTk1OVowGjEY +MBYGA1UECAwPRGlsaXRoaXVtMiBSb290MIIFNDANBgsrBgEEAQKCCwwEBAOCBSEA31AfvPymr6kN +mRdXDyxyoW32DDASOEdjonSOdIDgpSK6qeHZgVH4y1rMPvfOwTzW/v4agNMxqnTb9aQzgb9y9Elx +RIpwpheQZg7g2yh13iwlXl01OQ/seXXqWNuyf5te9p7r8M8HSB6PfPJw3DzJKPXxg3rcwDrEAcy+ +azQhifKS2W1J79THVikw4GKmu+cS/g3k8ySips0W5mdGCrQ+3mI/wZivCROx+HhXjWiXcGfHbuyE +QoOTrpl7S8hWaQLxOgyo8Er1P68oScxkFDySzBQmwmBGIrqQhHaXqfNoNj4/0ZG/QRwHCac1Nk8q +SutL5UJBSJxxmU0ENt22LnejajHqrgyNIV3ZHDocDNrrveJvtRQGApTpfjytJ5Ajv+3Sr6qYtj+5 +Na2puFuXbagQIS96CMlqe4qNkcbvPD7//NQROV5YP4dYBpA9cD30WHeUfY6yko5kUaW/7LB/vKut +rrdZ6djKl7kgOsuOOvRMSr8THwJBQA5j/ujwXVik2EIVr1fsuZCq2tyBjZzAcDVNmd7e2SEIrf0Y +gusTcYVvHpvdGdPiyosWuDLi68Ulf8SjOUgbVZ6IiDB7ViwPasrwPEZkaQh7P3+DdthhkwLb0Vo1 +5oAGW3l4woedN/3VYm6Z7uCX0MLyO79tvQq3zcaNLga1bsXbZYalj/5zX9upqKr5h1Mb6/LaN/YU +hvNaHeD0aWYDlYos/mvQ0Azc+1as2ibeDBzc8ZKLlQsqbtcoIutk+j6qA3ZdCX+rovGq8W/uruRC +yuRKxAkznQHCqVZ8aUA4lrXzeN2XF4tezsUOLqXOIERlLBZZk9Jh22W7ZOJryK2K12c4w49gnn9Q +qQGMPhENgq55LnhN44AgFQEfhLv/UjWJM7yupHuRGn3beXrwFRdINGIzemR0GKNt7xfto3q+HPjq +9ovznt8P7ojeN+Uabw5eBEqivanAs0dYIU39wpUWgGCLMfPu5LfCUgrH5t8ubhVtPZUJPhD7YJEz +VL2t+Kx7lqARwG8wRlhdAtqS40ZGSPDUZztzHIUOhx7xr4k3teKr7YlXwox+FiQsR4CAUs/iVeXV +CrX4/KcmZ22pQ82+AnQeD+cu/MiykrXIERIqZcaBCGQ3zkUUs5fAKu/n9Q7Qycu+GcovwBgLEalU +0aU8r8QBnIeQ0AQy9BjlbHUC9atfZeG4AxkpoGASZLteH29jE4cmkOUV4GPgOuqb3dugqlruKUX5 +kY23jah9obcydAkveJhsPD3tFi4b0JNGWWY4Iwut/7fA4QK24jGDRQebdUH+qWdinUtVovmNCyJ0 +0Sl6rMrN9nnwvlg/O4ISLY1iWAaGshlAW6K+J3+9XJ5zFiScNfF69YMb23U/z5JNLMYne/JYyIKY +uvK96yZPrtzoPgOJWXizPGR+VMlVFoIPPbm/p7v19r+Ng7o3Z0Hwm5njBBRCFTKOfIj19hkKYz3g +hKOfjytNO+R94T3fEhRw25dkf9zGxu/9FNV2rA3eXqZpkbQlHiBPPIQXeLjby6VBUlaMk+EpF4ZU +V+FEGNb1pqOoIwrcwePPNuPuu3F2Ltxh+1zQptuL/LsH2kjJqAm4XnZGDK7rKN9ZEoO1LS/RwHSl +gXjx7woMtTmqlUVFi0fWfNNcLE1gXaQzEMDsrgejVogQm+UjVLDd1Sy0kOvGk0phz0Uib8kkX9eL 
+BMoqOPG3/HwR4Tn//peTc+kfa/Whl7mfwvaX7LOxeVJwVrxKDW09kACbPauxXmIzQaNjMGEwDwYD +VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAUAWNPKxw8aq8rlHh4vWdH +lb+LzOMwHQYDVR0OBBYEFAFjTyscPGqvK5R4eL1nR5W/i8zjMA0GCysGAQQBAoILDAQEA4IJdQAC +gIIohmbQNj3lyTQseVoxNCwUCGJHkNKzByc+cETqSm55fddz1MX7S5N4pUCzaPbGw4v/TOG46tAe +2b9rrtc69ZLhcMJyXIC/nXx2VAq/3wE9JIO/xF9PEA6wKOAfEarSVf9gm/JQrbuEW8vdHxvSEKx+ +fmd1qovgjUJlBe8zq51sxs0V/coXK6ZNg2V2rdOSG7ZrTUcoe3p7SuvZMoiqfgtnHThuX24oNAeo +7ddamwGgwe5GKhx1nbEy8nAYZX1e59cP9BZjw6u1z/S09gcebKKHrH3ntg9ZQoYR+PAufmP4uJWm +6IdNaJzg3TJiRNGnbzBEDuOwc3AlIiODjU0RcXRzsUNPtGuR7zzm6eRlsMwoPXy2R3/eW5P32+kO +REgUF5eLHQctmNItSyNW4lSClG2XvvpGWmEP7WAz+etEWE1bWY+eMM/ViDq/XJEUA8+YnZyzOFAp +bT+KluyYic4Ls6il1kjYDBt3zQPoOYSlOupgMi2BBVPqghV070Fblb8j9hx/hBipYeCIa6ZTs1WH +ZRvDGb3DkNJ+LD4sTx8s+JxTEsu+XZf+ID8K/EWBdHDxcCtlyfoIWOYRGUvvnIANVuXnyhL1fpXd +qHPfh3bzQdd63XAZZ1rFWxzSR3L0pg7jvRovw+231nzzMFDyPOXCQpOKeMTo3qHV33B6v9t2fCfv +TSZ9KUsp+Dbc6SOa4gufypVfoE4UGy7mSkGp8b1GUIywA9LAcX3DWkAMUlsaBrQztoU/035y8LZN +MQnEB2qn5MekVRsT7zI9M2Kjnog41/FgdYfAxJH8iFVbvDh+Lsxgtj/V3GocOCCjqyk6xMRwOS4+ +w8OFHfSCkymfo10p3LxA4/GEfAJjJBmaNvFwcGFJWhHP7tbHvrCFJIn4PSMyYsmWZL7olKAF6C1A +RbXPs1aOHgyBPNKh1gYuxQ9BP5Efr6G9SudXXKtOrgPS+HN2mUtwwabotpglx2SP+w/fAaq2inJ3 +RFswGwu7dzjeguok/NWoyRg1Tpq0Zj+mrm0FBCZZI6kwcXDi/+f6WHuDnLGFzTs34kZnDlwbdGnA +Tc8VMq8lMr/Njc0RaJMbrdlRqPoGyt2LUSmmNe/uyGRkpYAl9UOOrOZRp4EGFqlFis7xBZW80naT +02OO1ITC8I5LqJSEqe0ni4fS3eaFTDIOGCdcQcScEjt9OWCzNkYWnbInrHlZP2WyVNlgT1TAVeSg +rTVeB2mz5TDBLukIpnpyOgE0K8eHWddzPii/QqT0+5eCuEPP0dlawQ3geIO6cg39bmQXh1/WJAIN +F+buU97TOwSbOPA2TVKdIOUApedHeebqfXeuOgryYFWv94mffVMdP/w2QlID4nUq2k15qutyYirq +6V1Gm1Yq8G0cWHbQAQXddbRH7U8K8dqyFcWQeUZIvNrjMU4vVhhsptLWYpw96gHzOuw/qBPokYiw +gFRfqyvYkGE9KMctwCNtDbBaLHXpfrtMXPzBfLOuY8qAa1vO41ZiAJ9iTW07TUVgcfJr8HcBzapV +uaAG43ZPgGM4GJzCJHl1AT0XZUtWY6LxJvip4oyxGRftQ+MpBbBhn19OXECWf8cuEmpGbWhpMiKJ +X60IJD88wrb/iRJd4VhSGcN7a9t2quv1wywYOu2kHlAwpTjGSEVSEvLFT6zxvaaySqIqqpvuAROg 
+jr1u4oZG1rcEiMUDVx0t6DeG2u0gWWu0xCv0PiLJ0IWhugwDt1raBYUzVyNJgnwEAct3iEnh+LM3 +WqNmhwt/chjSyurAENlbtoWkBjPa0fQWsePRJfGesbQsudGp5KRihj7CBqnzs64Ee3dB9Hzt01wR +0JnMiDAoZn/G4WbTWDI+U2zJmMhYYXe8P2T/XkdhrPpnn3vlsgIxMkD+K1Y9JkEd2BIHEn/r8G7R +Psew1u/dew42GOdl3/r27q2CngwrwgSQubIcWrNR79K7KzWiOXArYBqCFYL1ZLMUBRuH8Hf4Qbgu +S6elKgCWrI7wmVuspA+JKZ5LLc6Tb0U3n9bVOjli4TevWhmumc7KkKp0K3bA6WFzX0Qbhf+WF/1p +ZWkm3/OcQzwsJWWDZTUTm4MXAdAXzY0W3yibURDhsQrEpzgoRNR+0/gclBNWmw/mWIn25ah5CeFj +iJGHscxT/HDOUVAxTUJyqqCGVbkPZSNNTLbb3YiXSbZEgqgQ69ZqMCdweqlKfiPeVo/J1x1YPIrP +1VFv92HcC5UcWDyh1a/o2NJRSwgUQ1/p2oGSBNGyFzihzpAz4biaHWaYS4X1Cv4GsEfxx8jwOgTZ +oLIdpa1Z7mqbK0Za4bG2s1jOmYWup9XiXejg7YRMQ/iwm6aglYaHT7tA4mK51YnAnUxiFUk1NuVI +HZOVtfa/hpKbg0pNvVvdlvJqyVk0iHX91npjLnFzFKQBeLxxe1BUX3YSFDWksPlVm9/ENLEL8jpj +bS2QnHQWOgMrSf3wXbxT2uFZuXjBlCcCVB+c1elGVKqyolKruYCCTi14vmQiqUdRhIVccW+MJ7Hd +YzFYznz8wpOzGb40VFFiLj/IpDm4Te7a/lQBoAi8MXL59rgH9fBeVv49uKLAgW3U51jY28SGx2M1 +KeeIUgzciAhoKMZoAE06PHR5wXPGRH32SxilIf/4r9x5g51KjSF42cod6NZPAM1r1hetlh2fuLyd +NTRr9HrSvYQWtKKoR8o42+AZIFYDaVDJr4MQwGuXhzzKHiSuAyLc8xnrvRe73idtOUlxOkPS3NHR +AU5QqMwEdtbyK2ARWz1z9n2/+VQnsbwVvFADp+l5AvWPsGAB3Ka1xbSmT+ScI0dhfPN1v9ehQ1/p +ck7Cn2dFYoXxzitDP2lQQSZK+SrTUOSKjvvqxn+JNhuq76mptKYVRhk+CkUi5BSZH0PGMIz/lbDS +OEed80+aWUAfnltgaRbzxRHHmxdxU+Oa2YiG9PcVHz/DJRoOBrzM8LnuuuTITPsWV/dyxhvH6BvE +Z8OHkXgzGAPYgLFUkgNr0ta8qQUk0+bH7ySfVSurWX3f4okJMfXHk4POCUhA5Vdxdw833LOKSis3 +zpQUZb3/r798hK82o/vDhWh5Cnu2eQYnI5m+3FvrQ0SArujgFuZS5rzDl8pjxuDO1+kHD1GjjgcO +DxIiJlFVWH+Omq+1v9Tk5vpIX2tse5WYs8LIAw8wRVRwxtHa7TZsgI2TmKbDyc/wAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAEx0nMg== +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.subjectPublicKeyInfo,ObsoletePublicKeyAlgorithmValidator,ERROR,pkix.public_key_nist_ipd_algorithm_present,Obsolete NIST IPD public key algorithm: 1.3.6.1.4.1.2.267.12.4.4 
+certificate.tbsCertificate.extensions.1.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,NOTICE,pkix.public_key_algorithm_unsupported,Unsupported public key algorithm: 1.3.6.1.4.1.2.267.12.4.4 +certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/pkix/dilithium_round3.crttest b/tests/integration_certificate/pkix/dilithium_round3.crttest new file mode 100644 index 0000000..c2256fe --- /dev/null +++ b/tests/integration_certificate/pkix/dilithium_round3.crttest 
@@ -0,0 +1,91 @@ +-----BEGIN CERTIFICATE----- +MIIPqzCCBh+gAwIBAgIUWFoqt61eVbTSf7TjtM8RbWhDrO4wDQYLKwYBBAECggsH +BAQwGjEYMBYGA1UECAwPRGlsaXRoaXVtMiBSb290MB4XDTIzMDcyNTAwMDAwMFoX +DTI0MDcxOTIzNTk1OVowGjEYMBYGA1UECAwPRGlsaXRoaXVtMiBSb290MIIFNDAN +BgsrBgEEAQKCCwcEBAOCBSEAoRyQB3OEk7/L/+XkEQ40mYaKjDFozn8KjjUoaphr +CwAP6rBHA6f8I68rIBI0691kDI8InBu98zWnCd+MsljwWZsK6+10jwAVdsE9UqIR +c2fC8tJ6qy7t6hZi9VsSaf1UPSNaO1rOpiPBiTn+1GqWuH1z3Rl+zRfTHLSxoZ+D +oJC3o8tXVZ5Cjakc9furBfFzbxFuwlOHW/gUoovicRZS229cqESpbX/UpTiFCQfZ +MZaV/yaIVslJ+75tfnRJE7MVtJ4Pcud2Ptx8JVEauFXD6k2tVlQoF8LKfhfJlVoe +cCiWSXQPuu8l6G4mL3eCB4CvzzyJxv2auv6WOCnOdSPdbOAPE7ZBdfmguo41/1nL +Ty8Z8LsqvPgYqLMGEFnals2vSdW+GcQCREk3Fc4tTUJjKR/gatrFlSMk2t+oMcu+ +FU6lvJMOE1+Ox5UC4sCAOewvqTRO2uW17sxVIeonkVsRCGnjbjWE8TZ83Y/EAlB1 +c74nKZBQ2e2q+YoRuh+7SexPv7Xb2hpEecYOHAloPCIbaUOeUp8rR9TuUZmyv7tv +LUhF1v4I0UV7pJHFG+zXCLngOmywSQb7iNgEWbvkHhLuzZRSDIUURvUtNgrO8hBR +uJ+wpnzs172olyNH6TVo3MpdY4sP3+8roOOYzF04W2kSwvzQJ+uoJDMd9xbrROwF +SqUhZOQJI6wFUiIJEsKkk1862fs9Mjmww2MhWM6EEsqSLAOHWz1Ne83ZwhSnvyWV +cHI2FlSE7u+Ee2KTNF/lQWv75YPZ9gcVbIYHI8Vaj1Oj8Zd0XSLbIrhwWzKbtjTR +J3rBoCmSzlCHSZ1XmiVq3lZ13KfOaNxPJ+MRTVHILuFeeI5V3OH35X4iSrSlxTY0 +Zka8k6ANhKpHJYar6e0iVuSzqzdjQJBMTPvuEFUyG3lnj7m+fk35QUbfjirvqlLr +QyZF4mzUSG5Iyi4ZdmoN4BJMsYmnxStbjKCwf7EwemFFNd6fqsKNIfeLv0CmYDM7 +DPBpy4XLaM4k25L7VNIjKLb+E/CshJKZpULvo6GwLLKJ2ubKEQbLimpdi9o7oCHb +GZi3zuYfIP1stvCohnViyDO+xLTcXD7Luxsn27Fi9VfMIBI3LaQlmdXkc/AHQYHB +B0wNlfAsh3o0l4UOOMCmNt77Qkk4kV2Qq997A8qAVC0L66lwyuZFZHkoqDz3T+1+ +EFAXMyDETSypEXGQXafepGMjhzqCm1iH1JjZtyg3TUZnquCrBy/icgoWbHi+v2sc +njovldGl5p9Pix38yYf9N3x86dCzZxqEN4cjjqh7rRvvtEgKUJijX/2mFWRNqtWR +mFRxgJXeYrL+sFurdKj3OoCuW5l4n0WyAlLmqyf0W8N/4FuNvbeJP2aAlYah5Lgd +lm1Q1CC6QNpIjed8YNZH6gMHwtjGRlxIGAJL9kRn5DJmTTBWTGmnnb5+pYtICTTk +Dv2rR41TCVA/ScOh0Dieg6vNK8K0aNf513TaCj78bOF7gFlpxghljZE7rcjTfi2a +/6NXe/EYPChSo3gfrnsL4dVByCE9XsAJ29YIQMuMF3ZQOGUq5l6Hcbc8WNnTabiL +9W7hjKSpaIho+mg1EfII55GDafUQzd14tji7a4/RpA4MAgbdxzGqWJNRR3zykG4M 
+b/bX/vSVJh2Mn9f424/Dn7ZfhLLrXhO7JUzjNnPH3VkEBdScMz/IH3hlR5LLqEdk +ZWT5eRQhikHTpwUCx33lSIG931NNZIfhXN4Orr4mhRD486NjMGEwDwYDVR0TAQH/ +BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAU4yIBpS3GXaJZ18cY +QvluoO2z8XAwHQYDVR0OBBYEFOMiAaUtxl2iWdfHGEL5bqDts/FwMA0GCysGAQQB +AoILBwQEA4IJdQALOOw2fH2WTsblC8O/qtL28zu8V+Js+HF7YBABRYZ7tvqPAhWG +lTa+EAgzyC1VVCJ3DCf31sTSBOlBetLJebB4JZjH8eNzxC8qYypGv8tciNyw9dpu +egu8DJgzVGhCtFg54PKjqm5LdlHx7Ao2aBAhBKjmgGmY1gcdYfpmVWD4iQjP9j2C +wkZnN/ad8cX3tdZfVBV+8oECzjMozBqBFBOVLizZvq+z6977kcUv1H1mebOptanT +wKthqCG0KxYOnyKZU74hH8s6hfQJWWsH0dwTX8bEP0H9XET7ZSegtSC00Zato0dg +lcoWXFIVsLHIa8Lkx+18N2j7LXuztGrvJqVUfrARHKSBAnxdTx/gwxBC/VobUi6q +FqVDeB9hnEukFABayXt6pSZzcaSHI/8YeUl3UjmHCPdCKZOrfekjPs6C+Fu4haEB +0+2AuK62r4j8IjTmOPQcM+JMBgrQhWjTCkj7OXN81r5K3Kh5DIC86keBT496XZ02 +LBm7GFaRDh30AXuTDmnvViePd6KPxHBKNHp46S/s6/Fpj2mSTlkdfHWAeqt3fDDm +BhTZCCRGPoM5NBu0vecAT2J8b4OBHgu48bwriWjydkDrUhxV7DQl00cGmwiDvVS4 +6OOMs7uFiWgYGLLEJFrFfuQQ6CAGBb42UZx4z+6oasSgvOfqRQ8LldeEDGZLWcwd +ObheLmvrMDqQryvOY8ujn3qMEIbcXtMx6e3wDJWmnYQKwxHYC3cDOXokm/05yWCD +MQdAZqyI2+hB8fknJWwxqKECxj17+SlsRjUw7CePwKbL60kkqgHesSSGbV2bVclM +bmnec303Y+QU6TTGgy8LSnQK5ePteBcmt5eiSvxIUrcLtMHop9vjACS3+SwTBT3G +tZpOopYK3dHF0J7FWmYeO0hlzwu7S/NQwE/YXavKmzHUx7bl9dZu/OApOSHDreZU +pom2AQHZbsQ6+a8WT39NlD3QSIOQcXIoCancwenrBA1DlFL6xXCZBmohMYouooOj +47hDIhY7BT2L/Kr7ZkHHoKHtbJPUWqf+Lf7+BkXRcC+Fy7cjryNjGhfK2GgJDjyz +qTlOKnpkPt+9kQvFbP91TUWuvfODQorWIqx2NCHZZa5yg11HrtPpv5gc5W/IhxJu +ZnF/J9gWrXWi3YDlWwqmqrht6D4yFOfyDnwFlQpA0WPNhwdYyhoLIK/fbv8GAN3J +2I4Je/f9vt8gfLH44bDwpjA7xy0pf9jOBhkL1nMPE6AC7V/QrpWy+GicJzrf1SJ/ +Z0qCPDH+fJp6LIQkz1MswCnqRJK05dItiWja5o2FJcHs/zYqdIvVZGDubaQLOgyN +2qZoz679/Yl8Jjbxgd1xVHbRsp2oNxXvh/bz839t2yd+38DGtjUJhh57QquBp9BJ +MEWaoAEEevBF42uu7xiQszAKENPeJ3s7p5IAHTu7cFbH9Lm3BYmrdE4GxaQofHFC ++6xG3rQkS494MStMhw6fmRdBJEHMGWUnE3tqlezmrVrKEmY8WK2YCNDHYifOosym +ifDrGKdk+D8TqTTgNmDdoWPKWKBEKjlQnjfwGfn/4a0gOAqT05DZQ0VvGUpWlavQ +D2Q/LhyEwrT3nHa9XLY0RiTWqFjXIDDjqSaTprCVZQt53LqRhXP9Ti+0B2vgi0Ls 
+g8fZAWz5k89VgU6gKGgeWu6JAMjX7yBBL2AiSKBdHkWU+4Dg/CR70S1gp8d/oDdq +scd0TF9aOX2lM4WwjPgXwZzDintCzsCOYc5IqTxrunbgwIa+zHCS8BE+iYSL2R/Q +fF783eceq05ux5aMmdTo+vHZMq5cQDz0orqtoOXNtetOdiBdEyDRwVzLj0mhuNHR +w8ExmeWqhXgaNJRqDUaCmEuGPMxSZpAHqE5LR1TKBFrsJce/NfZjcyAMNDDQpu1H +8VJPoAHvE8Xai7/k7N7GKtiQypk3vednJ5BeLb+2BPEADyFyEPeAFTiog4oewsrU +2k2Y8aRl05xB5xI3NUTJjyWJs3fxNMJTCY9UPSF1TXmoWvLcL3QFw94xx9sCN5N2 +sdgL2O5Nva136FMG/oskqZkUpTZeXUC+A/SmY+UTAe8IlMvA0z1yrWTmOYmzgLXZ +2MWD4vd0iv5YvaNUKymbqfiG+Cg1sTW6Wbfct4jjfB8igMdWgXkB9q1+biiNsekQ +2npnDeDs2QScRstfoOJkRXDskwsuK5z4xrXQJw2iiELReGg0FisehsvqGocDG53K +7tU7A9afkbWmkCXoGHxr2XFJjKMK68zIYJ9pLlBG7VGqIpy+B99vnr4RNiUIapnN +A+VlOwziyID/8R/otVWVqx57P8KYbD1SnMk32f4HdCmJd+gPsaRHGwrNIJ8nU5YO +9AbRDbzF1D/Oevg5Qdj7NQn6t/FZIStdjMv4Pd3Wrl2kOXOYMYBjnodlOAcx0JjI +BQOqraYPLYpzlqH3z3jzOEu/+PGmKaNJRMYzwZe6rlwDmwmNNRwQVNzV33s9jP1y +xS92dUVqiJi3YrL8n4G0e2Qq9c+o2snXONHVj7DiI5LduqXO2cK4NLPYCJ1lH80o +4CVVfXOAQRTy0JiQKhXsQBP1gFHJgHyans7eYNqNTlfDoMOqy9aJt9LXV2I9ZZ0e +usu98b2TfgvaDxhW+KvFGwg8QkNo1TiRZKw1/G5z9hrV6w5D1kZtxFSQ3Jmc2GcA +i7XtuzeT+3sIGyn9jzWaMSr+qP9BWIivmkQqHeObNHDkqY4j2Yl7R2ZMCTQCfqCe +Qd+AvUHSyZtVvyGktmNO/IvMEzNS3Ts/xPqmftGUpZ53M6iDY8C7wa9EOgdRKhsM +2J7fVplNI7Of9hfkg1ZzBrli2bwO90ClJ4DEtv+SiTwgPAVoV6QHiU/SmgNauZd+ +12m66feuKQQDkSo4EdJs2lwc49fCa5TBAPQxsZeMojNBhe6zT9s+ncLAZxwIItwT +Gfk0MZj8beLtcIYkqob9kvkVdVFLxZ9lByKXDQpVTFRxKN56w+XXQmZeKmjl6rYz +q5u/4OKZ3Jn8Vg6iDud6d2wQ6yhRFAOMeRtSlHGPo8sceonwiUutu+Vx0OsDXGBg +7zQVTx6i10bkfEaznov53oMCgNqJk3mROm5Yo54PaEUpb6LE8bRcEWS8mQ0pLi9D +q662x+f+AwYRLzA3RH2dsbS/7g0nKixFY2xzeYWJkJSsxdbY7u8HDhc0bXeAhJGS +mpyiqL7T2QAAAAAAAAAAAAAAAAAAAAAAAAAACxgrPA== +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.subjectPublicKeyInfo,ObsoletePublicKeyAlgorithmValidator,ERROR,pkix.public_key_nist_round3_algorithm_present,Obsolete NIST Round 3 public key algorithm: 1.3.6.1.4.1.2.267.7.4.4 
+certificate.tbsCertificate.extensions.1.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,NOTICE,pkix.public_key_algorithm_unsupported,Unsupported public key algorithm: 1.3.6.1.4.1.2.267.7.4.4 +certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/pkix/ed25519_bad_ku.crttest b/tests/integration_certificate/pkix/ed25519_bad_ku.crttest new file mode 100644 index 0000000..8efed09 --- /dev/null +++ b/tests/integration_certificate/pkix/ed25519_bad_ku.crttest @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIIBtzCCAWmgAwIBAgITH59R65FuWGNFHoyc0N3iWesrXzAFBgMrZXAwWTENMAsG +A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM +QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx +MzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjBZMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQL +EwhMQU1QUyBXRzE1MDMGA1UEAxMsU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlm +aWNhdGlvbiBBdXRob3JpdHkwKjAFBgMrZXADIQCEgUZ9yI/rkX/82DihqzVIZQZ+ +RKE3URyp+eN2TxJDBKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +ARYwHQYDVR0OBBYEFGuilX26FJvkLQTRB6TRguQua4y1MAUGAytlcANBAFAJrlWo +QjzwT0ph7rXe023x3GaLPMXMwQI2Of+apkdG2mH9ID6PE1bu3gRRqIH5w2tyS+xF +Jw0ouxcJyAyXEQ4= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate,AuthorityKeyIdentifierPresenceValidator,ERROR,pkix.authority_key_identifier_extension_absent, +certificate.tbsCertificate.extensions.1.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_edwards_curve,Prohibited key usage value(s) present: dataEncipherment +certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, diff --git a/tests/integration_certificate/pkix/hash_mldsa_ca.crttest b/tests/integration_certificate/pkix/hash_mldsa_ca.crttest new file mode 100644 index 0000000..6223792 --- /dev/null 
+++ b/tests/integration_certificate/pkix/hash_mldsa_ca.crttest 
@@ -0,0 +1,92 @@ +-----BEGIN CERTIFICATE----- +MIIPkjCCBgigAwIBAgIUat7VZjmGhJGOGqHyVeLRWD2Cy3AwCwYJYIZIAWUDBAMg +MCExHzAdBgNVBAMMFlJvb3QgSEFTSF9NTF9EU0FfNDQgQ0EwHhcNMjQxMTAyMTQx +MDAzWhcNMjUxMTAyMTQxMDAzWjAhMR8wHQYDVQQDDBZSb290IEhBU0hfTUxfRFNB +XzQ0IENBMIIFMjALBglghkgBZQMEAyADggUhANeBwmWzjWUmGoiA9rB8GZr6T4xI +YofYkgM98/8/v5H7s5YyY1cK6D/5kNaXaggogeeUqey/ap/hrbxCKG4iO/c8gk4E +RUAARVU2kOJGuOtovZGO5x0K4duPOtCJNXdFCGLyZNwt3vq+HN5ddUB+ATwbvOf+ +fXpUzwz9Ow7mlmaQI973nhHDch82dXJcUHrqX6odCSEhnim9FgP3RHEX7Paj38Oe +JEwkW3EMBFuPIC9IBbZylP1TjEEw5ZYDLmI2wSWBVpNdB7OiQMFay8Q3kBZ8U0un +dcmXPXiU4A34WtT0cPqsOL+CxsqPe1UMKw6z77hd1Vi96EUt7o+hwTprT2N8KVF7 +f0zk9HTOc2bcyz6y4vCnEoi5pZDSEfvJoVDCNxxNmayng26oVb4JyP0ewsL5GVdF +1IkghdPrXgBXOURfRGU03yXIX+KylXImrB90i7JLsi5cafnTOfRTi11PhCL90oC4 +qynfYrDnJf3iA/+9rt0LVJuBaUj1xByXeNrUxK+0ut2ZFC+3FrsQJgcVgoWHl7yM +UoL4ww/TgVci/XYhex7gjq4Tnoos7Gy4ej8yh4/jVu/m2+gmrSBULW/2i5sxZnhJ +5rM+hYGzPIGjvdboUDojys9VrSXB9eIpiwtBe8/pwvCaJAOt0egVK4+4Yxn57PiF +b0tuKkj0oqbI569xjLtyIqAgWq7OvtnQBedX3Sa5oKZumGi9KBCAi0qJ1Wzfh4Cy +7ciUXTdJ5AGybBt2/3z3N2Rh+3qXGLNW3RfO0Y4PVl2B4U8RWwk7o8w+NqvWKt3h +P4UtD7jHLdpSuXDP10tgwN8ybvJM4gcWuPzqtu6Be2aYFMRWQeVSkd8mLOn/jyGU +W6Iiq1shG6GYcQrnNc1O2zmcL72XlXrjXe8l81jyWV/KPXdocNE12Qd+4nCb82e1 +rU9c4bagixO/tqPIBezCErEiUeRkoroiwtacauMFfgi7WzVJqpVgpHUPMaEc7ONI +umOYwV1NfF2zUXINMEEDehQINtN8JlXpSYjFtM/VXjmPWn0RAl6Ja9+OmZ5m3gks +Twzf51BF+Cof/0neD6oiXFZnb6VyRVYSJvDg9eZpXbzG7c3gObV4Gt6HjKkz27De +jhFbORG9jtE1LouzWKS+Hro3zJXRegdiAJIUNTp/FERgeJlsQthN6/gk4zas+izc +wMvofhGlyOWdEolcqdhHCF10siYsgI43TUix4Be7ejQ4lPKXh0wQPTnLAyrjD4Ws +FDJSrlilNVDj94JRb0nIGpcGE2G8JUJ6tl/ITEi16OjlxH6q2lwK4R85s570o2UP +RsyNfSefESTf5JbNNVqLCmeEpbOOYcb4+y4v6plRWth0uG23lxoCcSfoAddEO+73 +azyHh+4UMHkMtPUrXWGIvajTVKbxrse/WP1g+DkqI/4vtbaB3n9FZ2tNfxrrS7by +wnTmGVBupW7pwX8leUvo0Q9KioJHSdoIDp1YwArtfCO3oEe5x2wVqFDO+wiTg9K6 +uX3+k9YHGuz2bk663fGI1TcOgF7rMv0o+Oib9AmYQl+rni0stnT1gtP9V2x+M8VP +Jx/3rTXqpT2pU3BSqKI/ezIi5w4RvYV1wScCurJNQqlVWEIKIdYLs8fxNbDE86hk 
+19a0m0jIWcYBs0h8mpjKI8+mxaWsw7tRm+y3tLx4tHiu6mBDgbE5zBbJrbDmokmn +PAV7FJOtRMii1ItRCOuW26w8X9+1AIwhwrYReGB84PmGFZqUnxzmP/lB9kyjQjBA +MB0GA1UdDgQWBBRidypxmt/Y5ejWC/hhY92T3WXydjAPBgNVHRMBAf8EBTADAQH/ +MA4GA1UdDwEB/wQEAwIBhjALBglghkgBZQMEAyADggl1ACiAMUk0XXVdZSnxfld/ +XzcloKLUtm4U4ZbhzPhm3T+Yfa+JtflO2BywWU6SEv1tGgwy29HzC7m0vTwmnO+v +mWVqbbiw5Z4jWy1TO6leYPH+2B7q3rRLOf3YV1oKtLpOlmPJh6Fh7m8LUlQFEeW2 +arABpj/41eDEP5E7Bg7RuQY+NgyXNTjQ5P+/T1+DFwI2+ejbnLQdzdlWDJNJrEkI +dpI0r8mWF80/l5TX53+1bOT/F022uMR5PBYcPQpsbAdo3lUrdK1dFKCZIrMnvxvp +f0sZPOd+DKLbVXGFbMUM3cNfsddy9QQy1/yCTlbWZM4ZCtiEnlra2fce3+ezilMg +nDhLN4YOZwCLQMc1DYbrJG/31K7xN1NCVd8acqrubV1VROAj4z+fIM2/tQYMoT8h +nEYfLucKqOWTaYg2X6VKnHmmx8NUYGZffubqaxQ04eaDvgVRfxYG3vZk/ur00FVr +Bmr2cjohBXiSIDghuVm3ZlZ2FCG8krFQakLnJNpbzrCybZebpq2QaZ/XBWGAPPTD +vCO0iUZdsCS3k9EStdCnZas/VhtbWTEode4tX2f4BTKZbuo1zLYr0MCFYJrwuk4D +5ZDmmxBTlVGEbL54aTOGJXxFMthIiF2S97TCEMASgU0AXuBUZn4Avt99f0kDhy4Z +hHI0uRW1TXQdbFfyBDOF9VryV7uH/t7umGu274uTdnVHTUPsVDLcc4zO9oleuubq +1jwcMUecApogACnFWf/GNGn0CGQCGIj+zTWX9WyX42LWVg6iF6qB9uaRvQ+xQQwx +uadrxshhzhETv5eSJDfMvhIPE9RuNenAEwVFF4Qf2TUnYEFaTUEcmSp4nO+DmPur +hWCCYpE1CGQaO/Cl0HIM1FImXEwVxWMGhqwuI/+u9VLmFFpMLWaTb5798UJ/kAgj +1IM3lGks/+oSNL2cQZtbG6tIKrJhvXDSTt427A+lSwfFxs9XmjwbHhGcTxouQxaC +W/RFwBu1189K4r538ERvStyJMBeG6AIckaW9EGQL8yI8/xpoXOEfE/broX+UytGk +7amE18YF2rrRA4TrKZaP0cu/FN/gHoNWRYBoNlbZxTxZBHrlH7gQ9zCBxDJ+axmq +6mUc+JafYKGDJH6AY4azW2RiBm7Es5e5ezerBm1LWiOyand2PRUh78ZbD7p5wplx +uey/l5dIMrbKn1soCmmPSXboznDBykfKJqoKh9GsGFPjIAO2Dbijvm7qgu4MRLFc +ZfSRkoQTnZT029vtBFf/VQljlhQ+FixoGRyZauJOvzyXHW4AIOwVLbScijd+i+sT +LThFt6jFy6IKEHwmAFAfXT5zpVdgavptC2K/vRXkfWbBGnwgZ6i71FAY7Khx5O1l +CLKj68DtmUVF+xlWt0KbIEeQFIElGMdJDiaaLAKhIeZE3g9SQMxN4zLA1UvK6Twx +bNvcgyKln38KezpaQjBGfjRrrj6ajui6ZCr/Oorx2kb2z7M4IlzCoWs34zi0cCIj +1Jiy8vojBJ1RLOEv5FwvxQFsf8kPs1OK8mv32QU7E5waIkQpOfXEYd5tCKW6vim2 +lH18nqBSVdE5nbDGg3awonlojm9HJy0Y4ukBDdSTuXcNhUK6fYhTRtumly4xxl4+ +zO+C35tsJZzJcLyBWNRT7CFOTcrcyVjKtzuahf7/SjWUQeDS8QXqZ3InzkrtdT6F 
+Nu9G/iY7clZN1gPy3PTnlMsyUXygB5x/9W6malw/Moa9Cwq2ORY5at3z+hvzO2sz +4jnUQpCwCJ9baMdp/R2FU0qVfXfQsbgJa7pIRLKIp7Y/lf07dJY0YtWMfrRR8T2C +OLZKOARwqWKESZ6vKL/W7l/Vl/3OYwaPm6phxCda/gAVBz8DdzdxoTsd9q7SHZ1C +lV2y4Akm0uV0h2mNp5iGUukEnOevYK9gBjq94SvkwdZQO7066TzsNbBlQ+ZgT2hV +blIJBfbnssuRijxl44MoqJYkzYs3hO38T6Jk7gsBm/x5bnkireu8ldC/1Do4lG9g +pgtwwuHPIYlxtVM3qQk0cq9ndMLsR6Jppese4HeTxCVtJ4xoj4pzgDnwj20sK2jp +SvOCXj8z8TYkj8cn5ivnFpp9KCEm97My9FSmVaphMUX15lYMw9wNsPuQsZwRbU/n +qjvmK/sa8OFE+mXHgBxtlo8ptAdRXnxOZ2jLsN9ufqAB0oWjERM5w2er6NOqds7m +gIuD3A/3tjGyT8sVYoD4VOodREOcPQpSGLgZhAt3oZ7sZ2mJo8f+Npz5ro2QIQGD +N1Xlhjo87/CWF554Q6oBVVA+VAUH/gXao+P/+x6UIHzUfB9B1h1WYeCMgfvczY6n +jbwgUChddaw5I2HJxgoJm/o+PwuS37p+iU6NJGbrTQWjC6uvKNqD4hS0aeSaPKQC +eb6SaVZvOZ4xBdwtBevJ7Dlh1M9b0iTWNe8BD9JthhjGQxiVCYTuMLJASmwMkKwS +7BlQps5qXiYNgJva51ivjhIFs/8tvIaXFTib5IdwmsYumESbrf1ftzuP4AIaOBXh +8WzW9b0D9/1r8zVCXO4SWqhERXmUX35Y9MsZyC9tyi2ewKilsAbgWhMzNuCwbBK3 +485U3l3rzR2QOdZpc2uLeabeVQv6DN8MXAtQKalyl+OViXF52EJzSvMLcpq9Gs+v +RTis+UD7iwzAkRJMcQp/QMrhQXurjUz9wj8+rW2Tb6nPswc6xcgXaP9GYTcoLmJk +q5vhH4MHEkQzFCSfwy9rO3pOG2pvAr1Sefsz9U/q7mNxgHGO79PbNyd+CUKVMFXs +TU5MdZXhenJTXwdZznlxHUNio97OCur+IJ7/K/qi4Qa5snnuYjOp2b+Rcs8cIrpx +en5PF9qaXv5BK6nugRaAcB9uYkPoz8RHuWRDZcY3P6ISbqDwIA64RkKOqEF/qgn6 +xlAsiQjGpoI9Tu7CdsD1UenTBtAqCG3HAz0DDVw69cOW3vIjyAozT+Jn3aA0OSuY +2wdbBE8yHu1DUpAMPURwya34JdA9dDJbTrsGu8ml7R7Dm3JFPTrAeboFKXWsBHoN +75QbnQsh9w0FWDB0x2acaEGP8Xetr7K9nj6pueZIP7O1eQqdWEmLv9gH9apuTF7n +srJuhQyIeA3+Blo918/+0BGRN0BNZ4OH6e/yCTE+VVhecH+GmrvAxdDg5uz5/wsO +Gx8pYGl4eXyAlKu8ydTa4uXvKCw6TlZ7fYKdrK27x9LT8PkAAAAAAAAAAAAAAAAA +AAAJHDBB +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued CA certificate uses unsupported public key algorithm: 2.16.840.1.101.3.4.3.32 +certificate.tbsCertificate.subjectPublicKeyInfo,CaPrehashPublicKeyValidator,ERROR,pkix.hash_mldsa_ca_key_prohibited,Prohibited 
public key algorithm in CA certificate: 2.16.840.1.101.3.4.3.32 +certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, +certificate.tbsCertificate.extensions.2.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_hash_mldsa,"Prohibited key usage value(s) present: cRLSign, keyCertSign" diff --git a/tests/integration_certificate/pkix/hash_mldsa_ee_bad_ku.crttest b/tests/integration_certificate/pkix/hash_mldsa_ee_bad_ku.crttest new file mode 100644 index 0000000..c1b20bc --- /dev/null +++ b/tests/integration_certificate/pkix/hash_mldsa_ee_bad_ku.crttest 
@@ -0,0 +1,90 @@ +-----BEGIN CERTIFICATE----- +MIIPgTCCBfegAwIBAgIUat7VZjmGhJGOGqHyVeLRWD2Cy3AwCwYJYIZIAWUDBAMg +MCExHzAdBgNVBAMMFlJvb3QgSEFTSF9NTF9EU0FfNDQgQ0EwHhcNMjQxMTAyMTQx +MDAzWhcNMjUxMTAyMTQxMDAzWjAhMR8wHQYDVQQDDBZSb290IEhBU0hfTUxfRFNB +XzQ0IENBMIIFMjALBglghkgBZQMEAyADggUhANeBwmWzjWUmGoiA9rB8GZr6T4xI +YofYkgM98/8/v5H7s5YyY1cK6D/5kNaXaggogeeUqey/ap/hrbxCKG4iO/c8gk4E +RUAARVU2kOJGuOtovZGO5x0K4duPOtCJNXdFCGLyZNwt3vq+HN5ddUB+ATwbvOf+ +fXpUzwz9Ow7mlmaQI973nhHDch82dXJcUHrqX6odCSEhnim9FgP3RHEX7Paj38Oe +JEwkW3EMBFuPIC9IBbZylP1TjEEw5ZYDLmI2wSWBVpNdB7OiQMFay8Q3kBZ8U0un +dcmXPXiU4A34WtT0cPqsOL+CxsqPe1UMKw6z77hd1Vi96EUt7o+hwTprT2N8KVF7 +f0zk9HTOc2bcyz6y4vCnEoi5pZDSEfvJoVDCNxxNmayng26oVb4JyP0ewsL5GVdF +1IkghdPrXgBXOURfRGU03yXIX+KylXImrB90i7JLsi5cafnTOfRTi11PhCL90oC4 +qynfYrDnJf3iA/+9rt0LVJuBaUj1xByXeNrUxK+0ut2ZFC+3FrsQJgcVgoWHl7yM +UoL4ww/TgVci/XYhex7gjq4Tnoos7Gy4ej8yh4/jVu/m2+gmrSBULW/2i5sxZnhJ +5rM+hYGzPIGjvdboUDojys9VrSXB9eIpiwtBe8/pwvCaJAOt0egVK4+4Yxn57PiF +b0tuKkj0oqbI569xjLtyIqAgWq7OvtnQBedX3Sa5oKZumGi9KBCAi0qJ1Wzfh4Cy +7ciUXTdJ5AGybBt2/3z3N2Rh+3qXGLNW3RfO0Y4PVl2B4U8RWwk7o8w+NqvWKt3h +P4UtD7jHLdpSuXDP10tgwN8ybvJM4gcWuPzqtu6Be2aYFMRWQeVSkd8mLOn/jyGU +W6Iiq1shG6GYcQrnNc1O2zmcL72XlXrjXe8l81jyWV/KPXdocNE12Qd+4nCb82e1 +rU9c4bagixO/tqPIBezCErEiUeRkoroiwtacauMFfgi7WzVJqpVgpHUPMaEc7ONI +umOYwV1NfF2zUXINMEEDehQINtN8JlXpSYjFtM/VXjmPWn0RAl6Ja9+OmZ5m3gks +Twzf51BF+Cof/0neD6oiXFZnb6VyRVYSJvDg9eZpXbzG7c3gObV4Gt6HjKkz27De +jhFbORG9jtE1LouzWKS+Hro3zJXRegdiAJIUNTp/FERgeJlsQthN6/gk4zas+izc +wMvofhGlyOWdEolcqdhHCF10siYsgI43TUix4Be7ejQ4lPKXh0wQPTnLAyrjD4Ws +FDJSrlilNVDj94JRb0nIGpcGE2G8JUJ6tl/ITEi16OjlxH6q2lwK4R85s570o2UP +RsyNfSefESTf5JbNNVqLCmeEpbOOYcb4+y4v6plRWth0uG23lxoCcSfoAddEO+73 +azyHh+4UMHkMtPUrXWGIvajTVKbxrse/WP1g+DkqI/4vtbaB3n9FZ2tNfxrrS7by +wnTmGVBupW7pwX8leUvo0Q9KioJHSdoIDp1YwArtfCO3oEe5x2wVqFDO+wiTg9K6 +uX3+k9YHGuz2bk663fGI1TcOgF7rMv0o+Oib9AmYQl+rni0stnT1gtP9V2x+M8VP +Jx/3rTXqpT2pU3BSqKI/ezIi5w4RvYV1wScCurJNQqlVWEIKIdYLs8fxNbDE86hk 
+19a0m0jIWcYBs0h8mpjKI8+mxaWsw7tRm+y3tLx4tHiu6mBDgbE5zBbJrbDmokmn +PAV7FJOtRMii1ItRCOuW26w8X9+1AIwhwrYReGB84PmGFZqUnxzmP/lB9kyjMTAv +MB0GA1UdDgQWBBRidypxmt/Y5ejWC/hhY92T3WXydjAOBgNVHQ8BAf8EBAMCBSAw +CwYJYIZIAWUDBAMgA4IJdQAogDFJNF11XWUp8X5Xf183JaCi1LZuFOGW4cz4Zt0/ +mH2vibX5TtgcsFlOkhL9bRoMMtvR8wu5tL08Jpzvr5llam24sOWeI1stUzupXmDx +/tge6t60Szn92FdaCrS6TpZjyYehYe5vC1JUBRHltmqwAaY/+NXgxD+ROwYO0bkG +PjYMlzU40OT/v09fgxcCNvno25y0Hc3ZVgyTSaxJCHaSNK/JlhfNP5eU1+d/tWzk +/xdNtrjEeTwWHD0KbGwHaN5VK3StXRSgmSKzJ78b6X9LGTznfgyi21VxhWzFDN3D +X7HXcvUEMtf8gk5W1mTOGQrYhJ5a2tn3Ht/ns4pTIJw4SzeGDmcAi0DHNQ2G6yRv +99Su8TdTQlXfGnKq7m1dVUTgI+M/nyDNv7UGDKE/IZxGHy7nCqjlk2mINl+lSpx5 +psfDVGBmX37m6msUNOHmg74FUX8WBt72ZP7q9NBVawZq9nI6IQV4kiA4IblZt2ZW +dhQhvJKxUGpC5yTaW86wsm2Xm6atkGmf1wVhgDz0w7wjtIlGXbAkt5PRErXQp2Wr +P1YbW1kxKHXuLV9n+AUymW7qNcy2K9DAhWCa8LpOA+WQ5psQU5VRhGy+eGkzhiV8 +RTLYSIhdkve0whDAEoFNAF7gVGZ+AL7ffX9JA4cuGYRyNLkVtU10HWxX8gQzhfVa +8le7h/7e7phrtu+Lk3Z1R01D7FQy3HOMzvaJXrrm6tY8HDFHnAKaIAApxVn/xjRp +9AhkAhiI/s01l/Vsl+Ni1lYOoheqgfbmkb0PsUEMMbmna8bIYc4RE7+XkiQ3zL4S +DxPUbjXpwBMFRReEH9k1J2BBWk1BHJkqeJzvg5j7q4VggmKRNQhkGjvwpdByDNRS +JlxMFcVjBoasLiP/rvVS5hRaTC1mk2+e/fFCf5AII9SDN5RpLP/qEjS9nEGbWxur +SCqyYb1w0k7eNuwPpUsHxcbPV5o8Gx4RnE8aLkMWglv0RcAbtdfPSuK+d/BEb0rc +iTAXhugCHJGlvRBkC/MiPP8aaFzhHxP266F/lMrRpO2phNfGBdq60QOE6ymWj9HL +vxTf4B6DVkWAaDZW2cU8WQR65R+4EPcwgcQyfmsZquplHPiWn2ChgyR+gGOGs1tk +YgZuxLOXuXs3qwZtS1ojsmp3dj0VIe/GWw+6ecKZcbnsv5eXSDK2yp9bKAppj0l2 +6M5wwcpHyiaqCofRrBhT4yADtg24o75u6oLuDESxXGX0kZKEE52U9Nvb7QRX/1UJ +Y5YUPhYsaBkcmWriTr88lx1uACDsFS20nIo3fovrEy04RbeoxcuiChB8JgBQH10+ +c6VXYGr6bQtiv70V5H1mwRp8IGeou9RQGOyoceTtZQiyo+vA7ZlFRfsZVrdCmyBH +kBSBJRjHSQ4mmiwCoSHmRN4PUkDMTeMywNVLyuk8MWzb3IMipZ9/Cns6WkIwRn40 +a64+mo7oumQq/zqK8dpG9s+zOCJcwqFrN+M4tHAiI9SYsvL6IwSdUSzhL+RcL8UB +bH/JD7NTivJr99kFOxOcGiJEKTn1xGHebQilur4ptpR9fJ6gUlXROZ2wxoN2sKJ5 +aI5vRyctGOLpAQ3Uk7l3DYVCun2IU0bbppcuMcZePszvgt+bbCWcyXC8gVjUU+wh +Tk3K3MlYyrc7moX+/0o1lEHg0vEF6mdyJ85K7XU+hTbvRv4mO3JWTdYD8tz055TL 
+MlF8oAecf/VupmpcPzKGvQsKtjkWOWrd8/ob8ztrM+I51EKQsAifW2jHaf0dhVNK +lX130LG4CWu6SESyiKe2P5X9O3SWNGLVjH60UfE9gji2SjgEcKlihEmeryi/1u5f +1Zf9zmMGj5uqYcQnWv4AFQc/A3c3caE7Hfau0h2dQpVdsuAJJtLldIdpjaeYhlLp +BJznr2CvYAY6veEr5MHWUDu9Ouk87DWwZUPmYE9oVW5SCQX257LLkYo8ZeODKKiW +JM2LN4Tt/E+iZO4LAZv8eW55Iq3rvJXQv9Q6OJRvYKYLcMLhzyGJcbVTN6kJNHKv +Z3TC7EeiaaXrHuB3k8QlbSeMaI+Kc4A58I9tLCto6Urzgl4/M/E2JI/HJ+Yr5xaa +fSghJvezMvRUplWqYTFF9eZWDMPcDbD7kLGcEW1P56o75iv7GvDhRPplx4AcbZaP +KbQHUV58Tmdoy7Dfbn6gAdKFoxETOcNnq+jTqnbO5oCLg9wP97Yxsk/LFWKA+FTq +HURDnD0KUhi4GYQLd6Ge7GdpiaPH/jac+a6NkCEBgzdV5YY6PO/wlheeeEOqAVVQ +PlQFB/4F2qPj//selCB81HwfQdYdVmHgjIH73M2Op428IFAoXXWsOSNhycYKCZv6 +Pj8Lkt+6folOjSRm600Fowurryjag+IUtGnkmjykAnm+kmlWbzmeMQXcLQXryew5 +YdTPW9Ik1jXvAQ/SbYYYxkMYlQmE7jCyQEpsDJCsEuwZUKbOal4mDYCb2udYr44S +BbP/LbyGlxU4m+SHcJrGLphEm639X7c7j+ACGjgV4fFs1vW9A/f9a/M1QlzuElqo +REV5lF9+WPTLGcgvbcotnsCopbAG4FoTMzbgsGwSt+POVN5d680dkDnWaXNri3mm +3lUL+gzfDFwLUCmpcpfjlYlxedhCc0rzC3KavRrPr0U4rPlA+4sMwJESTHEKf0DK +4UF7q41M/cI/Pq1tk2+pz7MHOsXIF2j/RmE3KC5iZKub4R+DBxJEMxQkn8Mvazt6 +ThtqbwK9Unn7M/VP6u5jcYBxju/T2zcnfglClTBV7E1OTHWV4XpyU18HWc55cR1D +YqPezgrq/iCe/yv6ouEGubJ57mIzqdm/kXLPHCK6cXp+Txfaml7+QSup7oEWgHAf +bmJD6M/ER7lkQ2XGNz+iEm6g8CAOuEZCjqhBf6oJ+sZQLIkIxqaCPU7uwnbA9VHp +0wbQKghtxwM9Aw1cOvXDlt7yI8gKM0/iZ92gNDkrmNsHWwRPMh7tQ1KQDD1EcMmt ++CXQPXQyW067BrvJpe0ew5tyRT06wHm6BSl1rAR6De+UG50LIfcNBVgwdMdmnGhB +j/F3ra+yvZ4+qbnmSD+ztXkKnVhJi7/YB/Wqbkxe57KyboUMiHgN/gZaPdfP/tAR +kTdATWeDh+nv8gkxPlVYXnB/hpq7wMXQ4Obs+f8LDhsfKWBpeHl8gJSrvMnU2uLl +7ygsOk5We32Cnaytu8fS0/D5AAAAAAAAAAAAAAAAAAAACRwwQQ== +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate,AuthorityKeyIdentifierPresenceValidator,ERROR,pkix.authority_key_identifier_extension_absent, +certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 
+certificate.tbsCertificate.extensions.1.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_hash_mldsa,Prohibited key usage value(s) present: keyEncipherment diff --git a/tests/integration_certificate/pkix/mldsa44_root.crttest b/tests/integration_certificate/pkix/mldsa44_root.crttest index e191fd9..3c6a6c2 100644 --- a/tests/integration_certificate/pkix/mldsa44_root.crttest +++ b/tests/integration_certificate/pkix/mldsa44_root.crttest @@ -85,6 +85,5 @@ YNuixctKaeFUW6J1qIEi7SQ0n3wR0KM44FcCQ3LaZEYG7U/zVgI552D9+kJJENEB -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued certificate uses unsupported public key algorithm: 2.16.840.1.101.3.4.3.17 +certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued CA certificate uses unsupported public key algorithm: 2.16.840.1.101.3.4.3.17 certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, -certificate.tbsCertificate.extensions.2.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,NOTICE,pkix.public_key_algorithm_unsupported,Unsupported public key algorithm: 2.16.840.1.101.3.4.3.17 diff --git a/tests/integration_certificate/pkix/mldsa_44_bad_keylength.crttest b/tests/integration_certificate/pkix/mldsa_44_bad_keylength.crttest new file mode 100644 index 0000000..213f12f --- /dev/null +++ b/tests/integration_certificate/pkix/mldsa_44_bad_keylength.crttest 
@@ -0,0 +1,91 @@ +-----BEGIN CERTIFICATE----- +MIIPlTCCBgugAwIBAgIUFZ/+byL9XMQsUk32/V4o0N44804wCwYJYIZIAWUDBAMR +MCIxDTALBgNVBAoTBElFVEYxETAPBgNVBAMTCExBTVBTIFdHMB4XDTIwMDIwMzA0 +MzIxMFoXDTQwMDEyOTA0MzIxMFowIjENMAsGA1UEChMESUVURjERMA8GA1UEAxMI +TEFNUFMgV0cwggUzMAsGCWCGSAFlAwQDEQOCBSIA17K0clSq4NtF55MNSpjSyX2P +E5fReJ2voXAksxbpvslPyZRtQvGbeadBO7qjPnFJy0LtURVpOsBB+suYit61/g4d +hjEYSZW1ksOX0ilOLhT5CqQUujgmiZrEP0zMrLwm6agyuVEY1ctDPL75ZgsAE44I +F/YediyidMNq1VTrIqrBFi5KsBrLoeOMTv2PgLZbMz0PcuVd/nHOnB67mInnxWEG +wP1zgDoq7P6v3teqPLLO2lTRK9jNNqeM+XWUO0er0l6ICsRS5XQu0ejRqCr6huWQ +x1jBWuTShA2SvKGlCQ9ASWWX/KfYuVE/GhvabpUKqpjeRnUH1KT1pPBZkhZYLDVy +9i7aiQWrNYFnDEoCd3oz4Mpylf2PT/bRoKOnaD1l9fX3/GDaAj6CbF+SFEwC99G6 +EHWYdVPqk2f8122ZC3+pnNRa/biDbUPkWfUYffBYR5cJoB6mg1k1+nBGCZDNPcG6 +QBupS6sd3kGsZ6szGdysoGBI1MTu8n7hOpwX0FOPQw8tZC3CQVZg3niHfY2KvHJS +OXjAQuQoX0MZhGxEEmJCl2hEwQ5Va6IVtacZ5Z0MayqW05hZBx/cws3nUkp77a5U +6FsxjoVOj+Ky8+36yXGRKCcKr9HlBEw6T9r9n/MfkHhLjo5FlhRKDa9YZRHT2ZYr +nqla8Ze05fxg8rHtFd46W+9fib3HnZEFHZsoFudPpUUx79wcvnTUSIV/R2vNWPIc +C2U7O3ak4HamVZowJxhVXMY/dIWaq6uSXwI4YcqM0Pe62yhx9n1VMm10URNa1F9K +G6aRGPuyyKMO7JOS7z+XcGbJrdXHEMxkexUU0hfZWMcBfD6Q/SDATmdLkEhuk3Cj +GgAdMvRzl55JBnSefkd/oLdFCPil8jeDErg8Jb04jKCw//dHi69CtxZn7arJfEax +KWQ+WG5bBVoMIRlG1PNuZ1vtWGD6BCoxXZgmFk1qkjfDWl+/SVSQpb1N8ki5XEqu +d4S2BWcxZqxCRbW0sIKgnpMj5i8geMW3Z4NEbe/XNq06NwLUmwiYRJAKYYMzl7xE +GbMNepegs4fBkRR0xNQbU+Mql3rLbw6nXbZbs55Z5wHnaVfe9vLURVnDGncSK1IE +47XCGfFoixTtC8C4AbPm6C3NQ+nA6fQXRM2YFb0byIINi7Ej8E+s0bG2hd1aKxuN +u/PtkzZw8JWhgLTxktCLELj6u9/MKyRRjjLuoKXgyQTKhEeACD87DNLQuLavZ7w1 +W5SUAl3HsKePqA46Lb/rUTKIUdYHgZjpSTZRrnh+wCUfkiujDp9R32Km1yeEzz3S +BTkxdt+jJKUSvZSXCjbdNKUUqGeR8Os28BRbCatkZRtKAxOymWEaKhxIiRYnWYdo +oxFAYLpEQ0ht9RUioc6IswmFwhb45u0XjdVnswSg1Mr7qIKig0LxepqiauWNtjAI +PSw1j99WbD9dYqQoVnvJ6ozpXKoPNUdLC/qPM5olCrTfzyCDvo7vvBBV4Y/hU3Du +yyYFZtg/8GshGq7EPKKbVMzQD4gVokZe8LRlFcx+QfMSTwnv/3OTCatYspoUWaAL +zlA46TjJZ49y6w5O5f2q5m2fhXP8l/xCtJWfS/i2HXhDPoawM11ukZHE2L9IezkF 
+wQjP1qwksM633LfPUfhNDtaHuV6uscUzwG8NlwI9kqcIJYN7Wbpst9TlawqHwgOG +KujzFbpZJejt76Z5NpoiAnZhUfFqll+fgeznbMBwtVhp5NuXhM8FyDCzJCyDEmWj +QjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQy +mgex+rtI9SownxGhiY+EjiMi/zALBglghkgBZQMEAxEDggl1APyxLe/BMZz+LGrN +DML/+bjicFGjTacX3SyeAb0LdqHG62Bv+GeCu+ceymz/cNpc1J5E3ooZNYaz0yvq +JEHxvypzgA4/kilchkb0HnErp7/mXu+1Jv1CUWPiKzLG8CobRvYaF/rDxG0GcBeG +DyoG+hwaJ7TNMzLO3hlloHGtFgUYGciti8H2YUTt5Ueccbrazf5xfcCrWtpkYNSf +IxrsGex+hN5aJdDSQ9kxXOQnDthAOzVfoVW+P/FvSC5u9ViMIiwKZ9GCiO0YxvNS +KMz69044Ck70U5MXY61YypnpY/EeO7v1DHtRmu7okkKCLnWEM4lz6XsZrwSklMsB +e8lPtHDFUyLqjeokyG3k8dK81jMDKOAUxd94q6LXqPv34RNMdL5CD8pz6ltCF5bg ++GsIsGZGTcjC/vBrhwj83EhpChut2Af45oj1kKaVLODylm41/lrK9qW77FE9Idm9 +sSwdCv+4y6hHFsw2bxGArISjYkOoYV4RcsQ6rhpi862LTec3SamUkVNocX2LrXpu +olrzy/3IrAx8yGNwE5HQAS8C6thVDMOjhmy8djZZWEUVdb5ILxyKTm+j4lLZNcoe +z8gGA0hNVMYyxXmJo5QgAWFhJUoWNJDczNpLZZCbM3CUmO3uET5Z5XUnkhielU01 +ssulxKdX/9MamA5yex3QQJDRNrflePojTD4Wqd/jA7UjbfjTzS6x9u4/u0nXArUy +iymXZPFXEwfyCI9XiZzcLS5n+MNxbObbzmMW8KRKUoDhYWoWA9e/viune7u5spBX +eYGTe8nQOGEQf3xTiUvJrC45ubWvE2Fg7lNbfUSxQXe0uqjUjoPxgzSeQsslAL/3 +w9voLX4rlVrVeyKFDcpjTSvFq4bdn+S5b1qxiUAISpvyXFI8MAHRDaGYBbVAlR1v +VlLlrd5YuE2uvalylZ9RHczbjwHauQG2ckJhJeRh8k/rr+VVfXnRiuhuXQEsAE3G +tDTli/5DVm+k+MZKbwYI+ciNvkr5nx2colKPrPIY9yJLflPpusyyqeMQdcd+whXT +8if+/sjnJnpbGXzY6/Q6bNDcZ4o77vn74SNCpKFb8xxvckeoe2F1p/1Tns7fFy+L +xAXEHLggo/gc+ea3JV9YAhiRA+mYYkDucbxw4KbTM222JJriuj2ScwjM1rRXGK6z +oozRywYbcZ44Bu9T8oGBpqCkVRtHy0uDAHFywJfdOn0Q5fbHiPdmN/yYAiOVYC/w +N94XBb/322KNsAcnGD2Jqb2agiOOfeLGrPdp2cMipapXCHmFYZbtYG1/RylGUJB/ +MfCeoe5dtPG93AOfUXAewWB5Tq4n7Qs8r6tST3DkUhL7JN7x1+4mQPA5ilO966Rk +PIgEvuG2xJggHyhJCrLNrm+bhZH4qfsdwt+P27U/5rCjq/7dLE08LUiOIaZpZ+Ti +ST9JMA8Hfd7yTvY1Is7RfH+mvHrQoPzagPbHUc/uwRj74sAGcAzmvo2dFb7KCZEm +sYq+WfNROq0fePWcynq8ttPEMyQ/HpqFx8JFp4Mq2c6j4LmLzwdXzQzS43ZGZdwJ +0Qy/9GocoDiEaxMqxHRywzz0s6GWIO7O4luNBNRbOtfxDDXhg8VlpnF8EnkbCb9b +raSsZI56HxxZHPYvUSYYWMeSTwZ/STQVBvaG68C5xUxfg1HRCcEW8jMCxFh82aG1 
+PKb2F7rMS4HHftIJ9LPrIkDSQAJUZ4irItGLrUkdu5PJ0Mi9LPCYJe28m0ofymzS +hk/+uN83xqwTHzrRqOc9vArF7M6Q5cYRIqWEvImqIncJ41Ea53QkIEe7pHGL9dOb +pStb/Fd0uZrMlm+FE53cyuciuqMKkX7LZlAOkuh3MyfqpKMA6W9rd5zBqkOfgU88 +MKaMzP2501UpixTBjYnPuzZbVs0ckm8Rs3N3cUhx35cuJEqHJq+d7xHsCtg6Ysaz +NyyTGGWIr1ERDGh3eAQqFM42yvWhbNxF3Juv0PLWxc3eJPag2oaKVXHKok5mieBx +m7M3k6qZuYhiSvaJLy8ucOI/N6DYRz3fyer8PGarX2GGzBOBmF1bRUW9OxqZz0Gu +hGhK5AILVUyqbTkMiWjtPWGixGx5wIGBYWdcEHjdDXoJ9WKpAQuBQXtcgTHTDq3u +5cVdBYZKTGjtsFNID5fSKwnvZvGi0U+M3IoSHSS1QET7LnXi7+jopt2qNufYHLpt +Mj9Sg9XccFAv4+swLc9kI7dkNdXS38aijwOuxqNg54Pv7mlL22SNJbD68dpF9AA7 +EzX+SqIqVy7LC8MqKM9xmtHXMI6U79DRON8E/MMfzirgAt3BwEv7Puz5PsZMqWxV +yG2vGegLuw6uK9N5NHz6YC9yh6qQwVjbsbox/fkTe6BhgI6aXBn6uCObX+4uZjY2 +UFvkgRu6YLFVomw4nQm3+wn1sGOqFou9fMLUoTmBQCyM7GAKnl6nYu62jEBpdU+N +wFoso218YdGnRt7KpsFYY7b3rBUsGfb9HzBtAjA0AZd3z+hV5jDGldTtBlm9es8V +SuELSBUUH0BpIV1jQLwT5uBdsW+hdriVFh5zrPYPFroX5N6QbY7XxVicJGjgDrL6 +dnf9VLbGKKddM8FtRDMmMYlGdek8L0m9zpuKtJhsR0BGNVZAjKLgWOvNG1sTH8Og +uK0b/fIrRajgBz9THNbSggrVDiP2tTA0K5yNKC47McU5zl9rlM68dg57loTxMd/8 +NfgcSl2RXAx2prlpep2z1sKzsWzaKwumqxjEEsuoeNH+nX4sZbAqRIfpQY7nERu+ +EkyZfLDPNs+mpKhPCQzn98lP7CLbszi37zVyAm5KDBtBAcTD2uk2sTzbXKOFIijr +mJ5M8iDpx+SxjTkDUAhMZMRxUcqGa/EzARKCHCAp2a7sNa/IGLQfpBYIryLKiqbV +wrQDIUBf73bLOGKsGHAleWw1bPdPiDJUmpa37nnFdKXcFM715+kB1ZvuEpCpTBML +mMMkIosD2r+NEvayDubROYEfwQZ3T36NNqRr8V0ff72Y4UVUZCa92WgvpVR0qrbI +3G1X04f5yupZC2CfwMHACv93eEikiIx5k7nI9iiA8LOIt0EkNaodQAAaboDVeMyY +JifPKqgO6C5jRZMiC0FtINAjm+dNAwwXIz5GZG96e4uco628xMfy+AUJChobLXZ5 +jp7C2PD+BQcQGSkyRUZUhoqXoqa9xxonLDE6TWd3iqmyuMLE0d3wAAAAAAAAAAAA +AAAAAAATITFC +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.subjectPublicKeyInfo,SubjectPublicKeyDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey"" with schema ""MlDsa44PublicKey"" corresponding to type OID 2.16.840.1.101.3.4.3.17: failed at: 
ValueConstraintError(b'\xd7\xb2\xb4rT\xaa\xe0\xdbE\xe7\x93\rJ\x98\xd2\xc9}\x8f\x13\x97\xd1x\x9d\xaf\xa1p$\xb3\x16\xe9\xbe\xc9O\xc9\x94mB\xf1\x9by\xa7A;\xba\xa3>qI\xcbB\xedQ\x15i:\xc0A\xfa\xcb\x98\x8a\xde\xb5\xfe\x0e\x1d\x861\x18I\x95\xb5\x92\xc3\x97\xd2)N.\x14\xf9\n\xa4\x14\xba8&\x89\x9a\xc4?L\xcc\xac\xbc&\xe9\xa82\xb9Q\x18\xd5\xcbC<\xbe\xf9f\x0b\x00\x13\x8e\x08\x17\xf6\x1ev,\xa2t\xc3j\xd5T\xeb""\xaa\xc1\x16.J\xb0\x1a\xcb\xa1\xe3\x8cN\xfd\x8f\x80\xb6[3=\x0fr\xe5]\xfeq\xce\x9c\x1e\xbb\x98\x89\xe7\xc5a\x06\xc0\xfds\x80:*\xec\xfe\xaf\xde\xd7\xaa<\xb2\xce\xdaT\xd1+\xd8\xcd6\xa7\x8c\xf9u\x94;G\xab\xd2^\x88\n\xc4R\xe5t.\xd1\xe8\xd1\xa8*\xfa\x86\xe5\x90\xc7X\xc1Z\xe4\xd2\x84\r\x92\xbc\xa1\xa5\t\x0f@Ie\x97\xfc\xa7\xd8\xb9Q?\x1a\x1b\xdan\x95\n\xaa\x98\xdeFu\x07\xd4\xa4\xf5\xa4\xf0Y\x92\x16X,5r\xf6.\xda\x89\x05\xab5\x81g\x0cJ\x02wz3\xe0\xcar\x95\xfd\x8fO\xf6\xd1\xa0\xa3\xa7h=e\xf5\xf5\xf7\xfc`\xda\x02>\x82l_\x92\x14L\x02\xf7\xd1\xba\x10u\x98uS\xea\x93g\xfc\xd7m\x99\x0b\x7f\xa9\x9c\xd4Z\xfd\xb8\x83mC\xe4Y\xf5\x18}\xf0XG\x97\t\xa0\x1e\xa6\x83Y5\xfapF\t\x90\xcd=\xc1\xba@\x1b\xa9K\xab\x1d\xdeA\xacg\xab3\x19\xdc\xac\xa0`H\xd4\xc4\xee\xf2~\xe1:\x9c\x17\xd0S\x8fC\x0f-d-\xc2AV`\xdex\x87}\x8d\x8a\xbcrR9x\xc0B\xe4(_C\x19\x84lD\x12bB\x97hD\xc1\x0eUk\xa2\x15\xb5\xa7\x19\xe5\x9d\x0ck*\x96\xd3\x98Y\x07\x1f\xdc\xc2\xcd\xe7RJ{\xed\xaeT\xe8[1\x8e\x85N\x8f\xe2\xb2\xf3\xed\xfa\xc9q\x91(\'\n\xaf\xd1\xe5\x04L:O\xda\xfd\x9f\xf3\x1f\x90xK\x8e\x8eE\x96\x14J\r\xafXe\x11\xd3\xd9\x96+\x9e\xa9Z\xf1\x97\xb4\xe5\xfc`\xf2\xb1\xed\x15\xde:[\xef_\x89\xbd\xc7\x9d\x91\x05\x1d\x9b(\x16\xe7O\xa5E1\xef\xdc\x1c\xbet\xd4H\x85\x7fGk\xcdX\xf2\x1c\x0be;;v\xa4\xe0v\xa6U\x9a0\'\x18U\\\xc6?t\x85\x9a\xab\xab\x92_\x028a\xca\x8c\xd0\xf7\xba\xdb(q\xf6}U2mtQ\x13Z\xd4_J\x1b\xa6\x91\x18\xfb\xb2\xc8\xa3\x0e\xec\x93\x92\xef?\x97pf\xc9\xad\xd5\xc7\x10\xccd{\x15\x14\xd2\x17\xd9X\xc7\x01|>\x90\xfd 
\xc0NgK\x90Hn\x93p\xa3\x1a\x00\x1d2\xf4s\x97\x9eI\x06t\x9e~G\x7f\xa0\xb7E\x08\xf8\xa5\xf27\x83\x12\xb8<%\xbd8\x8c\xa0\xb0\xff\xf7G\x8b\xafB\xb7\x16g\xed\xaa\xc9|F\xb1)d>Xn[\x05Z\x0c!\x19F\xd4\xf3ng[\xedX`\xfa\x04*1]\x98&\x16Mj\x927\xc3Z_\xbfIT\x90\xa5\xbdM\xf2H\xb9\\J\xaew\x84\xb6\x05g1f\xacBE\xb5\xb4\xb0\x82\xa0\x9e\x93#\xe6/ x\xc5\xb7g\x83Dm\xef\xd76\xad:7\x02\xd4\x9b\x08\x98D\x90\na\x833\x97\xbcD\x19\xb3\rz\x97\xa0\xb3\x87\xc1\x91\x14t\xc4\xd4\x1bS\xe3*\x97z\xcbo\x0e\xa7]\xb6[\xb3\x9eY\xe7\x01\xe7iW\xde\xf6\xf2\xd4EY\xc3\x1aw\x12+R\x04\xe3\xb5\xc2\x19\xf1h\x8b\x14\xed\x0b\xc0\xb8\x01\xb3\xe6\xe8-\xcdC\xe9\xc0\xe9\xf4\x17D\xcd\x98\x15\xbd\x1b\xc8\x82\r\x8b\xb1#\xf0O\xac\xd1\xb1\xb6\x85\xddZ+\x1b\x8d\xbb\xf3\xed\x936p\xf0\x95\xa1\x80\xb4\xf1\x92\xd0\x8b\x10\xb8\xfa\xbb\xdf\xcc+$Q\x8e2\xee\xa0\xa5\xe0\xc9\x04\xca\x84G\x80\x08?;\x0c\xd2\xd0\xb8\xb6\xafg\xbc5[\x94\x94\x02]\xc7\xb0\xa7\x8f\xa8\x0e:-\xbf\xebQ2\x88Q\xd6\x07\x81\x98\xe9I6Q\xaex~\xc0%\x1f\x92+\xa3\x0e\x9fQ\xdfb\xa6\xd7\'\x84\xcf=\xd2\x0591v\xdf\xa3$\xa5\x12\xbd\x94\x97\n6\xdd4\xa5\x14\xa8g\x91\xf0\xeb6\xf0\x14[\t\xabde\x1bJ\x03\x13\xb2\x99a\x1a*\x1cH\x89\x16\'Y\x87h\xa3\x11@`\xbaDCHm\xf5\x15""\xa1\xce\x88\xb3\t\x85\xc2\x16\xf8\xe6\xed\x17\x8d\xd5g\xb3\x04\xa0\xd4\xca\xfb\xa8\x82\xa2\x83B\xf1z\x9a\xa2j\xe5\x8d\xb60\x08=,5\x8f\xdfVl?]b\xa4(V{\xc9\xea\x8c\xe9\\\xaa\x0f5GK\x0b\xfa\x8f3\x9a%\n\xb4\xdf\xcf \x83\xbe\x8e\xef\xbc\x10U\xe1\x8f\xe1Sp\xee\xcb&\x05f\xd8?\xf0k!\x1a\xae\xc4<\xa2\x9bT\xcc\xd0\x0f\x88\x15\xa2F^\xf0\xb4e\x15\xcc~A\xf3\x12O\t\xef\xffs\x93\t\xabX\xb2\x9a\x14Y\xa0\x0b\xceP8\xe98\xc9g\x8fr\xeb\x0eN\xe5\xfd\xaa\xe6m\x9f\x85s\xfc\x97\xfcB\xb4\x95\x9fK\xf8\xb6\x1dxC>\x86\xb03]n\x91\x91\xc4\xd8\xbfH{9\x05\xc1\x08\xcf\xd6\xac$\xb0\xce\xb7\xdc\xb7\xcfQ\xf8M\x0e\xd6\x87\xb9^\xae\xb1\xc53\xc0o\r\x97\x02=\x92\xa7\x08%\x83{Y\xbal\xb7\xd4\xe5k\n\x87\xc2\x03\x86*\xe8\xf3\x15\xbaY%\xe8\xed\xef\xa6y6\x9a""\x02vaQ\xf1j\x96_\x9f\x81\xec\xe7l\xc0p\xb5Xi\xe4\xdb\x97\x84\xcf\x05\xc80\xb3$,\x83\x12e') at 
MlDsa44PublicKey" +certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued CA certificate uses unsupported public key algorithm: 2.16.840.1.101.3.4.3.17 +certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, diff --git a/tests/integration_certificate/pkix/mldsa_44_root_clean.crttest b/tests/integration_certificate/pkix/mldsa_44_root_clean.crttest new file mode 100644 index 0000000..63da522 --- /dev/null +++ b/tests/integration_certificate/pkix/mldsa_44_root_clean.crttest 
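Review bot: The expected FATAL row in mldsa_44_bad_keylength.crttest embeds the complete `ValueConstraintError(b'...')` repr of the rejected key, so the finding runs to several kilobytes and never states which length was wrong. Going by the DER headers in the two fixtures, the bad key is 1313 octets where mldsa_44_root_clean.crttest carries 1312. Pinning the ASN.1 library's exception text also means a library upgrade can break this fixture without any change to the linter. Since the echoed bytes come from the submitted certificate, the size of the output grows with the key, so consider reporting only the lengths, e.g. `subjectPublicKey is 1313 octets, expected 1312 for MlDsa44PublicKey`, and truncating any echoed value.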
@@ -0,0 +1,90 @@ +-----BEGIN CERTIFICATE----- +MIIPlDCCBgqgAwIBAgIUFZ/+byL9XMQsUk32/V4o0N44804wCwYJYIZIAWUDBAMR +MCIxDTALBgNVBAoTBElFVEYxETAPBgNVBAMTCExBTVBTIFdHMB4XDTIwMDIwMzA0 +MzIxMFoXDTQwMDEyOTA0MzIxMFowIjENMAsGA1UEChMESUVURjERMA8GA1UEAxMI +TEFNUFMgV0cwggUyMAsGCWCGSAFlAwQDEQOCBSEA17K0clSq4NtF55MNSpjSyX2P +E5fReJ2voXAksxbpvslPyZRtQvGbeadBO7qjPnFJy0LtURVpOsBB+suYit61/g4d +hjEYSZW1ksOX0ilOLhT5CqQUujgmiZrEP0zMrLwm6agyuVEY1ctDPL75ZgsAE44I +F/YediyidMNq1VTrIqrBFi5KsBrLoeOMTv2PgLZbMz0PcuVd/nHOnB67mInnxWEG +wP1zgDoq7P6v3teqPLLO2lTRK9jNNqeM+XWUO0er0l6ICsRS5XQu0ejRqCr6huWQ +x1jBWuTShA2SvKGlCQ9ASWWX/KfYuVE/GhvabpUKqpjeRnUH1KT1pPBZkhZYLDVy +9i7aiQWrNYFnDEoCd3oz4Mpylf2PT/bRoKOnaD1l9fX3/GDaAj6CbF+SFEwC99G6 +EHWYdVPqk2f8122ZC3+pnNRa/biDbUPkWfUYffBYR5cJoB6mg1k1+nBGCZDNPcG6 +QBupS6sd3kGsZ6szGdysoGBI1MTu8n7hOpwX0FOPQw8tZC3CQVZg3niHfY2KvHJS +OXjAQuQoX0MZhGxEEmJCl2hEwQ5Va6IVtacZ5Z0MayqW05hZBx/cws3nUkp77a5U +6FsxjoVOj+Ky8+36yXGRKCcKr9HlBEw6T9r9n/MfkHhLjo5FlhRKDa9YZRHT2ZYr +nqla8Ze05fxg8rHtFd46W+9fib3HnZEFHZsoFudPpUUx79wcvnTUSIV/R2vNWPIc +C2U7O3ak4HamVZowJxhVXMY/dIWaq6uSXwI4YcqM0Pe62yhx9n1VMm10URNa1F9K +G6aRGPuyyKMO7JOS7z+XcGbJrdXHEMxkexUU0hfZWMcBfD6Q/SDATmdLkEhuk3Cj +GgAdMvRzl55JBnSefkd/oLdFCPil8jeDErg8Jb04jKCw//dHi69CtxZn7arJfEax +KWQ+WG5bBVoMIRlG1PNuZ1vtWGD6BCoxXZgmFk1qkjfDWl+/SVSQpb1N8ki5XEqu +d4S2BWcxZqxCRbW0sIKgnpMj5i8geMW3Z4NEbe/XNq06NwLUmwiYRJAKYYMzl7xE +GbMNepegs4fBkRR0xNQbU+Mql3rLbw6nXbZbs55Z5wHnaVfe9vLURVnDGncSK1IE +47XCGfFoixTtC8C4AbPm6C3NQ+nA6fQXRM2YFb0byIINi7Ej8E+s0bG2hd1aKxuN +u/PtkzZw8JWhgLTxktCLELj6u9/MKyRRjjLuoKXgyQTKhEeACD87DNLQuLavZ7w1 +W5SUAl3HsKePqA46Lb/rUTKIUdYHgZjpSTZRrnh+wCUfkiujDp9R32Km1yeEzz3S +BTkxdt+jJKUSvZSXCjbdNKUUqGeR8Os28BRbCatkZRtKAxOymWEaKhxIiRYnWYdo +oxFAYLpEQ0ht9RUioc6IswmFwhb45u0XjdVnswSg1Mr7qIKig0LxepqiauWNtjAI +PSw1j99WbD9dYqQoVnvJ6ozpXKoPNUdLC/qPM5olCrTfzyCDvo7vvBBV4Y/hU3Du +yyYFZtg/8GshGq7EPKKbVMzQD4gVokZe8LRlFcx+QfMSTwnv/3OTCatYspoUWaAL +zlA46TjJZ49y6w5O5f2q5m2fhXP8l/xCtJWfS/i2HXhDPoawM11ukZHE2L9IezkF 
+wQjP1qwksM633LfPUfhNDtaHuV6uscUzwG8NlwI9kqcIJYN7Wbpst9TlawqHwgOG +KujzFbpZJejt76Z5NpoiAnZhUfFqll+fgeznbMBwtVhp5NuXhM8FyDCzJCyDEqNC +MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFDKa +B7H6u0j1KjCfEaGJj4SOIyL/MAsGCWCGSAFlAwQDEQOCCXUA/LEt78ExnP4sas0M +wv/5uOJwUaNNpxfdLJ4BvQt2ocbrYG/4Z4K75x7KbP9w2lzUnkTeihk1hrPTK+ok +QfG/KnOADj+SKVyGRvQecSunv+Ze77Um/UJRY+IrMsbwKhtG9hoX+sPEbQZwF4YP +Kgb6HBontM0zMs7eGWWgca0WBRgZyK2LwfZhRO3lR5xxutrN/nF9wKta2mRg1J8j +GuwZ7H6E3lol0NJD2TFc5CcO2EA7NV+hVb4/8W9ILm71WIwiLApn0YKI7RjG81Io +zPr3TjgKTvRTkxdjrVjKmelj8R47u/UMe1Ga7uiSQoIudYQziXPpexmvBKSUywF7 +yU+0cMVTIuqN6iTIbeTx0rzWMwMo4BTF33iroteo+/fhE0x0vkIPynPqW0IXluD4 +awiwZkZNyML+8GuHCPzcSGkKG63YB/jmiPWQppUs4PKWbjX+Wsr2pbvsUT0h2b2x +LB0K/7jLqEcWzDZvEYCshKNiQ6hhXhFyxDquGmLzrYtN5zdJqZSRU2hxfYutem6i +WvPL/cisDHzIY3ATkdABLwLq2FUMw6OGbLx2NllYRRV1vkgvHIpOb6PiUtk1yh7P +yAYDSE1UxjLFeYmjlCABYWElShY0kNzM2ktlkJszcJSY7e4RPlnldSeSGJ6VTTWy +y6XEp1f/0xqYDnJ7HdBAkNE2t+V4+iNMPhap3+MDtSNt+NPNLrH27j+7SdcCtTKL +KZdk8VcTB/IIj1eJnNwtLmf4w3Fs5tvOYxbwpEpSgOFhahYD17++K6d7u7mykFd5 +gZN7ydA4YRB/fFOJS8msLjm5ta8TYWDuU1t9RLFBd7S6qNSOg/GDNJ5CyyUAv/fD +2+gtfiuVWtV7IoUNymNNK8Wrht2f5LlvWrGJQAhKm/JcUjwwAdENoZgFtUCVHW9W +UuWt3li4Ta69qXKVn1EdzNuPAdq5AbZyQmEl5GHyT+uv5VV9edGK6G5dASwATca0 +NOWL/kNWb6T4xkpvBgj5yI2+SvmfHZyiUo+s8hj3Ikt+U+m6zLKp4xB1x37CFdPy +J/7+yOcmelsZfNjr9Dps0Nxnijvu+fvhI0KkoVvzHG9yR6h7YXWn/VOezt8XL4vE +BcQcuCCj+Bz55rclX1gCGJED6ZhiQO5xvHDgptMzbbYkmuK6PZJzCMzWtFcYrrOi +jNHLBhtxnjgG71PygYGmoKRVG0fLS4MAcXLAl906fRDl9seI92Y3/JgCI5VgL/A3 +3hcFv/fbYo2wBycYPYmpvZqCI4594sas92nZwyKlqlcIeYVhlu1gbX9HKUZQkH8x +8J6h7l208b3cA59RcB7BYHlOriftCzyvq1JPcORSEvsk3vHX7iZA8DmKU73rpGQ8 +iAS+4bbEmCAfKEkKss2ub5uFkfip+x3C34/btT/msKOr/t0sTTwtSI4hpmln5OJJ +P0kwDwd93vJO9jUiztF8f6a8etCg/NqA9sdRz+7BGPviwAZwDOa+jZ0VvsoJkSax +ir5Z81E6rR949ZzKery208QzJD8emoXHwkWngyrZzqPguYvPB1fNDNLjdkZl3AnR +DL/0ahygOIRrEyrEdHLDPPSzoZYg7s7iW40E1Fs61/EMNeGDxWWmcXwSeRsJv1ut +pKxkjnofHFkc9i9RJhhYx5JPBn9JNBUG9obrwLnFTF+DUdEJwRbyMwLEWHzZobU8 
+pvYXusxLgcd+0gn0s+siQNJAAlRniKsi0YutSR27k8nQyL0s8Jgl7bybSh/KbNKG +T/643zfGrBMfOtGo5z28CsXszpDlxhEipYS8iaoidwnjURrndCQgR7ukcYv105ul +K1v8V3S5msyWb4UTndzK5yK6owqRfstmUA6S6HczJ+qkowDpb2t3nMGqQ5+BTzww +pozM/bnTVSmLFMGNic+7NltWzRySbxGzc3dxSHHfly4kSocmr53vEewK2DpixrM3 +LJMYZYivUREMaHd4BCoUzjbK9aFs3EXcm6/Q8tbFzd4k9qDahopVccqiTmaJ4HGb +szeTqpm5iGJK9okvLy5w4j83oNhHPd/J6vw8ZqtfYYbME4GYXVtFRb07GpnPQa6E +aErkAgtVTKptOQyJaO09YaLEbHnAgYFhZ1wQeN0Negn1YqkBC4FBe1yBMdMOre7l +xV0FhkpMaO2wU0gPl9IrCe9m8aLRT4zcihIdJLVARPsudeLv6Oim3ao259gcum0y +P1KD1dxwUC/j6zAtz2Qjt2Q11dLfxqKPA67Go2Dng+/uaUvbZI0lsPrx2kX0ADsT +Nf5KoipXLssLwyooz3Ga0dcwjpTv0NE43wT8wx/OKuAC3cHAS/s+7Pk+xkypbFXI +ba8Z6Au7Dq4r03k0fPpgL3KHqpDBWNuxujH9+RN7oGGAjppcGfq4I5tf7i5mNjZQ +W+SBG7pgsVWibDidCbf7CfWwY6oWi718wtShOYFALIzsYAqeXqdi7raMQGl1T43A +WiyjbXxh0adG3sqmwVhjtvesFSwZ9v0fMG0CMDQBl3fP6FXmMMaV1O0GWb16zxVK +4QtIFRQfQGkhXWNAvBPm4F2xb6F2uJUWHnOs9g8Wuhfk3pBtjtfFWJwkaOAOsvp2 +d/1UtsYop10zwW1EMyYxiUZ16TwvSb3Om4q0mGxHQEY1VkCMouBY680bWxMfw6C4 +rRv98itFqOAHP1Mc1tKCCtUOI/a1MDQrnI0oLjsxxTnOX2uUzrx2DnuWhPEx3/w1 ++BxKXZFcDHamuWl6nbPWwrOxbNorC6arGMQSy6h40f6dfixlsCpEh+lBjucRG74S +TJl8sM82z6akqE8JDOf3yU/sItuzOLfvNXICbkoMG0EBxMPa6TaxPNtco4UiKOuY +nkzyIOnH5LGNOQNQCExkxHFRyoZr8TMBEoIcICnZruw1r8gYtB+kFgivIsqKptXC +tAMhQF/vdss4YqwYcCV5bDVs90+IMlSalrfuecV0pdwUzvXn6QHVm+4SkKlMEwuY +wyQiiwPav40S9rIO5tE5gR/BBndPfo02pGvxXR9/vZjhRVRkJr3ZaC+lVHSqtsjc +bVfTh/nK6lkLYJ/AwcAK/3d4SKSIjHmTucj2KIDws4i3QSQ1qh1AABpugNV4zJgm +J88qqA7oLmNFkyILQW0g0COb500DDBcjPkZkb3p7i5yjrbzEx/L4BQkKGhstdnmO +nsLY8P4FBxAZKTJFRlSGipeipr3HGicsMTpNZ3eKqbK4wsTR3fAAAAAAAAAAAAAA +AAAAABMhMUI= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued CA certificate uses unsupported public key algorithm: 2.16.840.1.101.3.4.3.17 
+certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, diff --git a/tests/integration_certificate/pkix/mldsa_bad_ku.crttest b/tests/integration_certificate/pkix/mldsa_bad_ku.crttest new file mode 100644 index 0000000..6072ef8 --- /dev/null +++ b/tests/integration_certificate/pkix/mldsa_bad_ku.crttest 
@@ -0,0 +1,91 @@ +-----BEGIN CERTIFICATE----- +MIIPlDCCBgqgAwIBAgIUFZ/+byL9XMQsUk32/V4o0N44804wCwYJYIZIAWUDBAMR +MCIxDTALBgNVBAoTBElFVEYxETAPBgNVBAMTCExBTVBTIFdHMB4XDTIwMDIwMzA0 +MzIxMFoXDTQwMDEyOTA0MzIxMFowIjENMAsGA1UEChMESUVURjERMA8GA1UEAxMI +TEFNUFMgV0cwggUyMAsGCWCGSAFlAwQDEQOCBSEA17K0clSq4NtF55MNSpjSyX2P +E5fReJ2voXAksxbpvslPyZRtQvGbeadBO7qjPnFJy0LtURVpOsBB+suYit61/g4d +hjEYSZW1ksOX0ilOLhT5CqQUujgmiZrEP0zMrLwm6agyuVEY1ctDPL75ZgsAE44I +F/YediyidMNq1VTrIqrBFi5KsBrLoeOMTv2PgLZbMz0PcuVd/nHOnB67mInnxWEG +wP1zgDoq7P6v3teqPLLO2lTRK9jNNqeM+XWUO0er0l6ICsRS5XQu0ejRqCr6huWQ +x1jBWuTShA2SvKGlCQ9ASWWX/KfYuVE/GhvabpUKqpjeRnUH1KT1pPBZkhZYLDVy +9i7aiQWrNYFnDEoCd3oz4Mpylf2PT/bRoKOnaD1l9fX3/GDaAj6CbF+SFEwC99G6 +EHWYdVPqk2f8122ZC3+pnNRa/biDbUPkWfUYffBYR5cJoB6mg1k1+nBGCZDNPcG6 +QBupS6sd3kGsZ6szGdysoGBI1MTu8n7hOpwX0FOPQw8tZC3CQVZg3niHfY2KvHJS +OXjAQuQoX0MZhGxEEmJCl2hEwQ5Va6IVtacZ5Z0MayqW05hZBx/cws3nUkp77a5U +6FsxjoVOj+Ky8+36yXGRKCcKr9HlBEw6T9r9n/MfkHhLjo5FlhRKDa9YZRHT2ZYr +nqla8Ze05fxg8rHtFd46W+9fib3HnZEFHZsoFudPpUUx79wcvnTUSIV/R2vNWPIc +C2U7O3ak4HamVZowJxhVXMY/dIWaq6uSXwI4YcqM0Pe62yhx9n1VMm10URNa1F9K +G6aRGPuyyKMO7JOS7z+XcGbJrdXHEMxkexUU0hfZWMcBfD6Q/SDATmdLkEhuk3Cj +GgAdMvRzl55JBnSefkd/oLdFCPil8jeDErg8Jb04jKCw//dHi69CtxZn7arJfEax +KWQ+WG5bBVoMIRlG1PNuZ1vtWGD6BCoxXZgmFk1qkjfDWl+/SVSQpb1N8ki5XEqu +d4S2BWcxZqxCRbW0sIKgnpMj5i8geMW3Z4NEbe/XNq06NwLUmwiYRJAKYYMzl7xE +GbMNepegs4fBkRR0xNQbU+Mql3rLbw6nXbZbs55Z5wHnaVfe9vLURVnDGncSK1IE +47XCGfFoixTtC8C4AbPm6C3NQ+nA6fQXRM2YFb0byIINi7Ej8E+s0bG2hd1aKxuN +u/PtkzZw8JWhgLTxktCLELj6u9/MKyRRjjLuoKXgyQTKhEeACD87DNLQuLavZ7w1 +W5SUAl3HsKePqA46Lb/rUTKIUdYHgZjpSTZRrnh+wCUfkiujDp9R32Km1yeEzz3S +BTkxdt+jJKUSvZSXCjbdNKUUqGeR8Os28BRbCatkZRtKAxOymWEaKhxIiRYnWYdo +oxFAYLpEQ0ht9RUioc6IswmFwhb45u0XjdVnswSg1Mr7qIKig0LxepqiauWNtjAI +PSw1j99WbD9dYqQoVnvJ6ozpXKoPNUdLC/qPM5olCrTfzyCDvo7vvBBV4Y/hU3Du +yyYFZtg/8GshGq7EPKKbVMzQD4gVokZe8LRlFcx+QfMSTwnv/3OTCatYspoUWaAL +zlA46TjJZ49y6w5O5f2q5m2fhXP8l/xCtJWfS/i2HXhDPoawM11ukZHE2L9IezkF 
+wQjP1qwksM633LfPUfhNDtaHuV6uscUzwG8NlwI9kqcIJYN7Wbpst9TlawqHwgOG +KujzFbpZJejt76Z5NpoiAnZhUfFqll+fgeznbMBwtVhp5NuXhM8FyDCzJCyDEqNC +MEAwDgYDVR0PAQH/BAQDAgFmMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFDKa +B7H6u0j1KjCfEaGJj4SOIyL/MAsGCWCGSAFlAwQDEQOCCXUA/LEt78ExnP4sas0M +wv/5uOJwUaNNpxfdLJ4BvQt2ocbrYG/4Z4K75x7KbP9w2lzUnkTeihk1hrPTK+ok +QfG/KnOADj+SKVyGRvQecSunv+Ze77Um/UJRY+IrMsbwKhtG9hoX+sPEbQZwF4YP +Kgb6HBontM0zMs7eGWWgca0WBRgZyK2LwfZhRO3lR5xxutrN/nF9wKta2mRg1J8j +GuwZ7H6E3lol0NJD2TFc5CcO2EA7NV+hVb4/8W9ILm71WIwiLApn0YKI7RjG81Io +zPr3TjgKTvRTkxdjrVjKmelj8R47u/UMe1Ga7uiSQoIudYQziXPpexmvBKSUywF7 +yU+0cMVTIuqN6iTIbeTx0rzWMwMo4BTF33iroteo+/fhE0x0vkIPynPqW0IXluD4 +awiwZkZNyML+8GuHCPzcSGkKG63YB/jmiPWQppUs4PKWbjX+Wsr2pbvsUT0h2b2x +LB0K/7jLqEcWzDZvEYCshKNiQ6hhXhFyxDquGmLzrYtN5zdJqZSRU2hxfYutem6i +WvPL/cisDHzIY3ATkdABLwLq2FUMw6OGbLx2NllYRRV1vkgvHIpOb6PiUtk1yh7P +yAYDSE1UxjLFeYmjlCABYWElShY0kNzM2ktlkJszcJSY7e4RPlnldSeSGJ6VTTWy +y6XEp1f/0xqYDnJ7HdBAkNE2t+V4+iNMPhap3+MDtSNt+NPNLrH27j+7SdcCtTKL +KZdk8VcTB/IIj1eJnNwtLmf4w3Fs5tvOYxbwpEpSgOFhahYD17++K6d7u7mykFd5 +gZN7ydA4YRB/fFOJS8msLjm5ta8TYWDuU1t9RLFBd7S6qNSOg/GDNJ5CyyUAv/fD +2+gtfiuVWtV7IoUNymNNK8Wrht2f5LlvWrGJQAhKm/JcUjwwAdENoZgFtUCVHW9W +UuWt3li4Ta69qXKVn1EdzNuPAdq5AbZyQmEl5GHyT+uv5VV9edGK6G5dASwATca0 +NOWL/kNWb6T4xkpvBgj5yI2+SvmfHZyiUo+s8hj3Ikt+U+m6zLKp4xB1x37CFdPy +J/7+yOcmelsZfNjr9Dps0Nxnijvu+fvhI0KkoVvzHG9yR6h7YXWn/VOezt8XL4vE +BcQcuCCj+Bz55rclX1gCGJED6ZhiQO5xvHDgptMzbbYkmuK6PZJzCMzWtFcYrrOi +jNHLBhtxnjgG71PygYGmoKRVG0fLS4MAcXLAl906fRDl9seI92Y3/JgCI5VgL/A3 +3hcFv/fbYo2wBycYPYmpvZqCI4594sas92nZwyKlqlcIeYVhlu1gbX9HKUZQkH8x +8J6h7l208b3cA59RcB7BYHlOriftCzyvq1JPcORSEvsk3vHX7iZA8DmKU73rpGQ8 +iAS+4bbEmCAfKEkKss2ub5uFkfip+x3C34/btT/msKOr/t0sTTwtSI4hpmln5OJJ +P0kwDwd93vJO9jUiztF8f6a8etCg/NqA9sdRz+7BGPviwAZwDOa+jZ0VvsoJkSax +ir5Z81E6rR949ZzKery208QzJD8emoXHwkWngyrZzqPguYvPB1fNDNLjdkZl3AnR +DL/0ahygOIRrEyrEdHLDPPSzoZYg7s7iW40E1Fs61/EMNeGDxWWmcXwSeRsJv1ut +pKxkjnofHFkc9i9RJhhYx5JPBn9JNBUG9obrwLnFTF+DUdEJwRbyMwLEWHzZobU8 
+pvYXusxLgcd+0gn0s+siQNJAAlRniKsi0YutSR27k8nQyL0s8Jgl7bybSh/KbNKG +T/643zfGrBMfOtGo5z28CsXszpDlxhEipYS8iaoidwnjURrndCQgR7ukcYv105ul +K1v8V3S5msyWb4UTndzK5yK6owqRfstmUA6S6HczJ+qkowDpb2t3nMGqQ5+BTzww +pozM/bnTVSmLFMGNic+7NltWzRySbxGzc3dxSHHfly4kSocmr53vEewK2DpixrM3 +LJMYZYivUREMaHd4BCoUzjbK9aFs3EXcm6/Q8tbFzd4k9qDahopVccqiTmaJ4HGb +szeTqpm5iGJK9okvLy5w4j83oNhHPd/J6vw8ZqtfYYbME4GYXVtFRb07GpnPQa6E +aErkAgtVTKptOQyJaO09YaLEbHnAgYFhZ1wQeN0Negn1YqkBC4FBe1yBMdMOre7l +xV0FhkpMaO2wU0gPl9IrCe9m8aLRT4zcihIdJLVARPsudeLv6Oim3ao259gcum0y +P1KD1dxwUC/j6zAtz2Qjt2Q11dLfxqKPA67Go2Dng+/uaUvbZI0lsPrx2kX0ADsT +Nf5KoipXLssLwyooz3Ga0dcwjpTv0NE43wT8wx/OKuAC3cHAS/s+7Pk+xkypbFXI +ba8Z6Au7Dq4r03k0fPpgL3KHqpDBWNuxujH9+RN7oGGAjppcGfq4I5tf7i5mNjZQ +W+SBG7pgsVWibDidCbf7CfWwY6oWi718wtShOYFALIzsYAqeXqdi7raMQGl1T43A +WiyjbXxh0adG3sqmwVhjtvesFSwZ9v0fMG0CMDQBl3fP6FXmMMaV1O0GWb16zxVK +4QtIFRQfQGkhXWNAvBPm4F2xb6F2uJUWHnOs9g8Wuhfk3pBtjtfFWJwkaOAOsvp2 +d/1UtsYop10zwW1EMyYxiUZ16TwvSb3Om4q0mGxHQEY1VkCMouBY680bWxMfw6C4 +rRv98itFqOAHP1Mc1tKCCtUOI/a1MDQrnI0oLjsxxTnOX2uUzrx2DnuWhPEx3/w1 ++BxKXZFcDHamuWl6nbPWwrOxbNorC6arGMQSy6h40f6dfixlsCpEh+lBjucRG74S +TJl8sM82z6akqE8JDOf3yU/sItuzOLfvNXICbkoMG0EBxMPa6TaxPNtco4UiKOuY +nkzyIOnH5LGNOQNQCExkxHFRyoZr8TMBEoIcICnZruw1r8gYtB+kFgivIsqKptXC +tAMhQF/vdss4YqwYcCV5bDVs90+IMlSalrfuecV0pdwUzvXn6QHVm+4SkKlMEwuY +wyQiiwPav40S9rIO5tE5gR/BBndPfo02pGvxXR9/vZjhRVRkJr3ZaC+lVHSqtsjc +bVfTh/nK6lkLYJ/AwcAK/3d4SKSIjHmTucj2KIDws4i3QSQ1qh1AABpugNV4zJgm +J88qqA7oLmNFkyILQW0g0COb500DDBcjPkZkb3p7i5yjrbzEx/L4BQkKGhstdnmO +nsLY8P4FBxAZKTJFRlSGipeipr3HGicsMTpNZ3eKqbK4wsTR3fAAAAAAAAAAAAAA +AAAAABMhMUI= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued CA certificate uses unsupported public key algorithm: 2.16.840.1.101.3.4.3.17 
+certificate.tbsCertificate.extensions.0.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_mldsa,Prohibited key usage value(s) present: keyEncipherment +certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, \ No newline at end of file diff --git a/tests/integration_certificate/pkix/mlkem_512_clean.crttest b/tests/integration_certificate/pkix/mlkem_512_clean.crttest new file mode 100644 index 0000000..563d56f --- /dev/null +++ b/tests/integration_certificate/pkix/mlkem_512_clean.crttest 
@@ -0,0 +1,78 @@ +-----BEGIN CERTIFICATE----- +MIINpDCCBBqgAwIBAgIUFZ/+byL9XMQsUk32/V4o0N44808wCwYJYIZIAWUDBAMR +MCIxDTALBgNVBAoTBElFVEYxETAPBgNVBAMTCExBTVBTIFdHMB4XDTIwMDIwMzA0 +MzIxMFoXDTQwMDEyOTA0MzIxMFowIjENMAsGA1UEChMESUVURjERMA8GA1UEAxMI +TEFNUFMgV0cwggMyMAsGCWCGSAFlAwQEAQOCAyEAOZWBXll9EENVzymqUzPJMlGG +nVvNvkhxJPYCuLambBbEdhZIrXZc9dgAa1FekFp/CsB2sMYu+jKBU+fKVwFpnxMF +8ea8b5Cw5JtpNRK2zpkqi4AW3fwaZix+P5YZy9hp3Xca8wiWzNWRisbLd0ZsXneZ +ltZ/+aq8l1A/LHt+LQANhkUPsYB8pMq9pGWCWjHHiaG3pJGrOHJ2XTINC3GSD6IT +yUCTQWuDuBJOafZeYstQANzDeqmg//c5cMR3LzV9JBicpvUwVWjA4jdqN2KmjGBe +VjxdIJVy4Px1MsopRylTVWe1/EE8XoeS0kZFNsyAj5it10Zk8UFWb5AWqQpUGCmp +igRkzkGou0TC1Po8LCCUYHKO8UoafEybmNEiA7TMNSkWCpqy14OPf/a1OuBaoxp9 +ZGt6+mxFkyUmo8N1Vhm+mUwhHCoxwFs0R4NsshUL4YKdrmsExVNc/1RuOSunl0EX +IPkk9JClrFSV8hNW1VC3gqZMFoi2tlW8x4Qhl6Q0wvZWO1t/CaeLzEiCMng1YdFv +TLq2dVQABQeBVwxmYEuBetElIpRzbosBhhpLWnRRm4tv5RSJpQcjkuWHYmxxN3ZX +XTOAahyOJzKvl8JoD1FmYzHE64u8BDHE+Wgy2vGzxFUo+6FT9seLHBmHApR8zTN3 +J6RvtTuhHeXLQZE0aFlRbLatckAPPPIJsjau81pYCsh+s+MPr9Zpc8qKfdJnWvQf +ehe2FDPNGvgPdwiGn2ZUiEl5gLGsEKDNy2NqAO2GgbNeQpEkyoA1ByW4X4Ol6sOk +o8wWAJA+ZSk1YLmzNuWvDVKdrBoEgRkwLLepvMEQuUhRvwIRfxmdxIWoUrdHPwm4 +MaaDHVtUwLeQ0iXPa7ktlGKibNsz3aUSPHqvDiaguDZV7qKL86gHRyUBj9a65LYB +z2G6q3Gno9NRl6ND50tKJywSXVQIlkJthbeVjTs4prqYfsNyJce0TNsS3eRTm0qw +gjY2g/BL96CcxcQd/oMKGxYuCzJDNDYvCEoURncjNEut0AD42MU3xI+ZjwUwfOvR +7eC4HDvFmgZaG21jsmyjUjBQMA4GA1UdDwEB/wQEAwIFIDAdBgNVHQ4EFgQUDsWS +pZcefo2geKhuRnTy+xH26NcwHwYDVR0jBBgwFoAUMpoHsfq7SPUqMJ8RoYmPhI4j +Iv8wCwYJYIZIAWUDBAMRA4IJdQDcV8LA/De8Ss6UL3tMcHXKc0iTXaBPPLyoCimW +KG/BhZ299qdyg6Qv/hWMxXfuQLvBIJUiE9boIUvDJH1Bv5q+wBXDM4Pcb585a972 +fB7Lj7rTYwGezp4QRGsn4bMOUHtOS/9MaD9LAw8XlEDSl69KgN+jN+Cak+PS1Q3O +u+TpeM2fo304+3vTfHlNiePSNOqkd1pzs2nwVIbQGIWctpF1rIHC7NJ/XOO3ZsN3 +Cr758OLyAotCdGCRnj16Fhxh1rJ976b6y+Yo96CDMgl22lYPJoihlBekuKc4ugkE +g4vJEwAtPlMoaogn7XJcWkKIhGKp1M7nG9KvgQxCRvIfRURuDyHaiOAkOayK+Hp6 +4AV02pbYX/w1X9bW1KOeId42EUQpF2iFu3ilOJi1JmMFyMP8lZZYq/8fPv3KGZPF 
+YJpd6yaA7ReIQaNiFgCMqx7nw/Zti7sa2a5dor3YqYRjZ8UlJUuYUKxNDde/u46W +mIEGSYcynpOiEYbyeWmXW4ye7qhT1Q7bmFPV8Mjzn3rXytzUzUZfrK8j9cHxAozY +sF7RDuBmauliYfV1jaroCcHrohVTnSSiSMQKV4q6HjKPIpf4qENs4SVh9xkWXdbB +OaiGgFhsI+sxlDGPRwbKrj6gVcbyFuJIPRL1LylJ2qFXzpzHyfAS3fHFvgv+S0AJ +DnfNk3OcT7G9jQhESQOkTXA4LqxPI+0c6asvauXlICnN8RdOjraY4+DQL8cYidEi +SAnXsOKNSzj+b225zdPvfBB/4eJTtV7VdnQOhETJErofxEWbpA8zobl/+bu2smdY +Pg1a83hwVo+HxfkSz1iHW9WT9+iwhnm28RqzLdmmzZGJSfgEFkADriwXUEr+LIkX +0xeMGvyXxdxv9S6Y6y+n0Al0ql0tzGviVoDqA0xNLU+Mupou5ftDTJj7U1oxIUHj +HlFeE06+JRoTPbDcl+cBil31SlxuZ1u7cOE33nbPOw0jWDXeA8M5uE3aMQah5VRf +tZXmdijH4zEN1/++Q5oJAF1SCTsnTkZ0lk3ZlIfpO0H1sJpINzLlBO04dLlQx2Nc +NFIExuPsVO7kW1rDLqkh8srBKrdUa/8ngD3kppXW7iaBhSnUE0N6lrwi5g/fJbNU +H0W7r0b31u0KDQ8cNKlK8PZL5pu/ulJTGZ5Dz4HORwVt2aXQojZfGQ0rashKxes8 +F+Ewgse7NUAt3HqX94+0SWpfpNCVlZknK5XfhZJV08XVZ2TkTDoJ6aBLqua/a5Xg +jWTwroAJuB84jx2B1eCeYxjt+3cEaB274XU++H6m5kP/1QtJ3L1r545NaRQAylZF +MwCtCTVyAavhrTcrQwhl8rVGAKOlXaCfHSln8y9u26qMHeL9BIP7JeMeZxCYQQ5b +QxN0WvGmK11W6XG2CTc0qQ0RdUOvfrXTfl5A+I6DS4T2Z26APgkoq2JSQihO3JEg +S7zknl2NoAummhweGU/qSPzX+4/KlxwcCCs8mD8ZkkwhdB5poU4uTES/eCO+rrm3 +wxLmiIcv2RwNdN8bRkxm35SQCCfc6riit4AxkaRKz5b27FWedfkH9bOgQaQGxm/v +5IwGHsFGeQFJyV1pNvo0aB9vvMTL3VZOsoXooxrdlc0kv7jJ9Q6eF8ZAFYXvxnaS +D+/OsH1b1+6WCVZIDRzRsMauvaifYUZNMQQ/CKSkDkFPjBDY5Xca9yZkGl+S+Pzz +7ODu6y3lvvUk+V6sPKEAS4ejZOocriV75SPfz0WlRZoljJXOm3tKCo6L2e56ntVs +hRiIBaLG5stQf2EihTSZUf21zNjb15E7KcdbTtr8TE0iJAuVYxBtNRWsVhExOMO/ +QqXWnHL015pv8Dubwt6iDr8ObCDNOItPtszlNjCz4yN51aGTrHGZ0CJcbcUWqxOm +W1wrQmnYWUaz1eDahmbnowXshqI8RcGqvzUlZ0/g6nEbAJZgbk7jozC1VlwOKMM4 +erhkw5mrrpicX3cvP3wl3JyhB6vbAfK4XQH3CfrnK12BhpgG0+9V5DKxTL02f+5m +ckJI9cZqSYx8rhlDlNbR33kSOY0Ba2RwvmMxhdypd38l5S8oSwTRu5eJ4VrrSeeM +wiW3gIxLA+o+SD2iFKyafsWLeu+Axx5/HlIVB+g82dGKkZrrESEvO9LpdlaS+AMW +9BccbDD2SGE2UZKlK4zx2QwYvnFG/ZDRjmvQV0dQOxiy0j2l7WHmbedlTTUUd5FU +0cfSG+cJHnToa/VRU4mDHvFpnV+AF0dA1s0oemhN5vOqhDzHnKasFFpUDH88mS7K +gbXELYiHTQEB/s/Hr0crjwVQQCbJFe4bBJzhcnwuOcdNUKLmF7MidvoyKYYu20oE 
+P6F0/RoDwS2FW3RyrKeSzlLWnuarfTq84iMaPgKrOl8XNfaSgGRsG3kxGe0s3rVs +iwzaO8THoCLp6WpEebfucmSCMXtKfVG/28u/dvQkz1D0oqTcWqhQiDLqZI3HjdDr +io44DARVGKAsEvq75Jq91GXP+1R8yejpP1lZU4onX1i0E8DMuVEU85JN+kFXbS83 +6nZHmYhgwj93IvetNiK5cJs2M19LnJj5GrONmPMizoXCIBjzDx0MO/3CoRF5achF +p598lYloyvlS1VYhwmLrpFmz0BB9OEepvdq0ZX11XM532I6WIF4lAUh0YEx1FInO +XJ74LC2uMxa92W6nceJAjiraJKhi4VnURhPa7MUt/2oA5WY8zzmVGn94UlPsEmPj +/nl7vXBVLb9Nojt9AkIO637bT+1wszCvOH8nelnzNDsCBi9B8+mdgzizEN08UKSk +dCaNbCB86LVeo+umyY5abmgr2NOI7XaSTqWMs7ezemR5AkIUka35LgVIKvZw2WEz +G3KxZImSviV+XMsakqGTdXof7k1usEcmbJ/EJLi9ecaxMZKuLjT9sFtNo8uvE/m1 +1pf4bGnGXgBERGpZsqnm+JNxDDTbD1WntdPpyeF8/6iXd/eNiHboV830Olj0dXJ4 +YbTrQBcWbfUeZ8+8gGJ0bgshMtPCrOdYVMAfWfcu7DyFi0tQdtS1pmo5Co+OwLxe +IyKgwlIYOghCE3r6SBCrx0+sTP0sixV5Refu2JIBkjoywPavmK3+109l1F0BkzST +fQ1pAwENGx0oLVFdZHB1f4CSlZaiq8Te7AtOfX6Qtba4w8bP1+j2FSVCWGt4goSv +s7TAwcrR1drv9BRiaH2qytnr8PcAAAAAAAAAAAAAAAAAAAAAFSM2QA== +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, \ No newline at end of file diff --git a/tests/integration_certificate/pkix/mlkem_bad_ku.crttest b/tests/integration_certificate/pkix/mlkem_bad_ku.crttest new file mode 100644 index 0000000..5c3d0eb --- /dev/null +++ b/tests/integration_certificate/pkix/mlkem_bad_ku.crttest 
@@ -0,0 +1,79 @@ +-----BEGIN CERTIFICATE----- +MIINpDCCBBqgAwIBAgIUFZ/+byL9XMQsUk32/V4o0N44808wCwYJYIZIAWUDBAMR +MCIxDTALBgNVBAoTBElFVEYxETAPBgNVBAMTCExBTVBTIFdHMB4XDTIwMDIwMzA0 +MzIxMFoXDTQwMDEyOTA0MzIxMFowIjENMAsGA1UEChMESUVURjERMA8GA1UEAxMI +TEFNUFMgV0cwggMyMAsGCWCGSAFlAwQEAQOCAyEAOZWBXll9EENVzymqUzPJMlGG +nVvNvkhxJPYCuLambBbEdhZIrXZc9dgAa1FekFp/CsB2sMYu+jKBU+fKVwFpnxMF +8ea8b5Cw5JtpNRK2zpkqi4AW3fwaZix+P5YZy9hp3Xca8wiWzNWRisbLd0ZsXneZ +ltZ/+aq8l1A/LHt+LQANhkUPsYB8pMq9pGWCWjHHiaG3pJGrOHJ2XTINC3GSD6IT +yUCTQWuDuBJOafZeYstQANzDeqmg//c5cMR3LzV9JBicpvUwVWjA4jdqN2KmjGBe +VjxdIJVy4Px1MsopRylTVWe1/EE8XoeS0kZFNsyAj5it10Zk8UFWb5AWqQpUGCmp +igRkzkGou0TC1Po8LCCUYHKO8UoafEybmNEiA7TMNSkWCpqy14OPf/a1OuBaoxp9 +ZGt6+mxFkyUmo8N1Vhm+mUwhHCoxwFs0R4NsshUL4YKdrmsExVNc/1RuOSunl0EX +IPkk9JClrFSV8hNW1VC3gqZMFoi2tlW8x4Qhl6Q0wvZWO1t/CaeLzEiCMng1YdFv +TLq2dVQABQeBVwxmYEuBetElIpRzbosBhhpLWnRRm4tv5RSJpQcjkuWHYmxxN3ZX +XTOAahyOJzKvl8JoD1FmYzHE64u8BDHE+Wgy2vGzxFUo+6FT9seLHBmHApR8zTN3 +J6RvtTuhHeXLQZE0aFlRbLatckAPPPIJsjau81pYCsh+s+MPr9Zpc8qKfdJnWvQf +ehe2FDPNGvgPdwiGn2ZUiEl5gLGsEKDNy2NqAO2GgbNeQpEkyoA1ByW4X4Ol6sOk +o8wWAJA+ZSk1YLmzNuWvDVKdrBoEgRkwLLepvMEQuUhRvwIRfxmdxIWoUrdHPwm4 +MaaDHVtUwLeQ0iXPa7ktlGKibNsz3aUSPHqvDiaguDZV7qKL86gHRyUBj9a65LYB +z2G6q3Gno9NRl6ND50tKJywSXVQIlkJthbeVjTs4prqYfsNyJce0TNsS3eRTm0qw +gjY2g/BL96CcxcQd/oMKGxYuCzJDNDYvCEoURncjNEut0AD42MU3xI+ZjwUwfOvR +7eC4HDvFmgZaG21jsmyjUjBQMA4GA1UdDwEB/wQEAwIFoDAdBgNVHQ4EFgQUDsWS +pZcefo2geKhuRnTy+xH26NcwHwYDVR0jBBgwFoAUMpoHsfq7SPUqMJ8RoYmPhI4j +Iv8wCwYJYIZIAWUDBAMRA4IJdQDcV8LA/De8Ss6UL3tMcHXKc0iTXaBPPLyoCimW +KG/BhZ299qdyg6Qv/hWMxXfuQLvBIJUiE9boIUvDJH1Bv5q+wBXDM4Pcb585a972 +fB7Lj7rTYwGezp4QRGsn4bMOUHtOS/9MaD9LAw8XlEDSl69KgN+jN+Cak+PS1Q3O +u+TpeM2fo304+3vTfHlNiePSNOqkd1pzs2nwVIbQGIWctpF1rIHC7NJ/XOO3ZsN3 +Cr758OLyAotCdGCRnj16Fhxh1rJ976b6y+Yo96CDMgl22lYPJoihlBekuKc4ugkE +g4vJEwAtPlMoaogn7XJcWkKIhGKp1M7nG9KvgQxCRvIfRURuDyHaiOAkOayK+Hp6 +4AV02pbYX/w1X9bW1KOeId42EUQpF2iFu3ilOJi1JmMFyMP8lZZYq/8fPv3KGZPF 
+YJpd6yaA7ReIQaNiFgCMqx7nw/Zti7sa2a5dor3YqYRjZ8UlJUuYUKxNDde/u46W +mIEGSYcynpOiEYbyeWmXW4ye7qhT1Q7bmFPV8Mjzn3rXytzUzUZfrK8j9cHxAozY +sF7RDuBmauliYfV1jaroCcHrohVTnSSiSMQKV4q6HjKPIpf4qENs4SVh9xkWXdbB +OaiGgFhsI+sxlDGPRwbKrj6gVcbyFuJIPRL1LylJ2qFXzpzHyfAS3fHFvgv+S0AJ +DnfNk3OcT7G9jQhESQOkTXA4LqxPI+0c6asvauXlICnN8RdOjraY4+DQL8cYidEi +SAnXsOKNSzj+b225zdPvfBB/4eJTtV7VdnQOhETJErofxEWbpA8zobl/+bu2smdY +Pg1a83hwVo+HxfkSz1iHW9WT9+iwhnm28RqzLdmmzZGJSfgEFkADriwXUEr+LIkX +0xeMGvyXxdxv9S6Y6y+n0Al0ql0tzGviVoDqA0xNLU+Mupou5ftDTJj7U1oxIUHj +HlFeE06+JRoTPbDcl+cBil31SlxuZ1u7cOE33nbPOw0jWDXeA8M5uE3aMQah5VRf +tZXmdijH4zEN1/++Q5oJAF1SCTsnTkZ0lk3ZlIfpO0H1sJpINzLlBO04dLlQx2Nc +NFIExuPsVO7kW1rDLqkh8srBKrdUa/8ngD3kppXW7iaBhSnUE0N6lrwi5g/fJbNU +H0W7r0b31u0KDQ8cNKlK8PZL5pu/ulJTGZ5Dz4HORwVt2aXQojZfGQ0rashKxes8 +F+Ewgse7NUAt3HqX94+0SWpfpNCVlZknK5XfhZJV08XVZ2TkTDoJ6aBLqua/a5Xg +jWTwroAJuB84jx2B1eCeYxjt+3cEaB274XU++H6m5kP/1QtJ3L1r545NaRQAylZF +MwCtCTVyAavhrTcrQwhl8rVGAKOlXaCfHSln8y9u26qMHeL9BIP7JeMeZxCYQQ5b +QxN0WvGmK11W6XG2CTc0qQ0RdUOvfrXTfl5A+I6DS4T2Z26APgkoq2JSQihO3JEg +S7zknl2NoAummhweGU/qSPzX+4/KlxwcCCs8mD8ZkkwhdB5poU4uTES/eCO+rrm3 +wxLmiIcv2RwNdN8bRkxm35SQCCfc6riit4AxkaRKz5b27FWedfkH9bOgQaQGxm/v +5IwGHsFGeQFJyV1pNvo0aB9vvMTL3VZOsoXooxrdlc0kv7jJ9Q6eF8ZAFYXvxnaS +D+/OsH1b1+6WCVZIDRzRsMauvaifYUZNMQQ/CKSkDkFPjBDY5Xca9yZkGl+S+Pzz +7ODu6y3lvvUk+V6sPKEAS4ejZOocriV75SPfz0WlRZoljJXOm3tKCo6L2e56ntVs +hRiIBaLG5stQf2EihTSZUf21zNjb15E7KcdbTtr8TE0iJAuVYxBtNRWsVhExOMO/ +QqXWnHL015pv8Dubwt6iDr8ObCDNOItPtszlNjCz4yN51aGTrHGZ0CJcbcUWqxOm +W1wrQmnYWUaz1eDahmbnowXshqI8RcGqvzUlZ0/g6nEbAJZgbk7jozC1VlwOKMM4 +erhkw5mrrpicX3cvP3wl3JyhB6vbAfK4XQH3CfrnK12BhpgG0+9V5DKxTL02f+5m +ckJI9cZqSYx8rhlDlNbR33kSOY0Ba2RwvmMxhdypd38l5S8oSwTRu5eJ4VrrSeeM +wiW3gIxLA+o+SD2iFKyafsWLeu+Axx5/HlIVB+g82dGKkZrrESEvO9LpdlaS+AMW +9BccbDD2SGE2UZKlK4zx2QwYvnFG/ZDRjmvQV0dQOxiy0j2l7WHmbedlTTUUd5FU +0cfSG+cJHnToa/VRU4mDHvFpnV+AF0dA1s0oemhN5vOqhDzHnKasFFpUDH88mS7K +gbXELYiHTQEB/s/Hr0crjwVQQCbJFe4bBJzhcnwuOcdNUKLmF7MidvoyKYYu20oE 
+P6F0/RoDwS2FW3RyrKeSzlLWnuarfTq84iMaPgKrOl8XNfaSgGRsG3kxGe0s3rVs +iwzaO8THoCLp6WpEebfucmSCMXtKfVG/28u/dvQkz1D0oqTcWqhQiDLqZI3HjdDr +io44DARVGKAsEvq75Jq91GXP+1R8yejpP1lZU4onX1i0E8DMuVEU85JN+kFXbS83 +6nZHmYhgwj93IvetNiK5cJs2M19LnJj5GrONmPMizoXCIBjzDx0MO/3CoRF5achF +p598lYloyvlS1VYhwmLrpFmz0BB9OEepvdq0ZX11XM532I6WIF4lAUh0YEx1FInO +XJ74LC2uMxa92W6nceJAjiraJKhi4VnURhPa7MUt/2oA5WY8zzmVGn94UlPsEmPj +/nl7vXBVLb9Nojt9AkIO637bT+1wszCvOH8nelnzNDsCBi9B8+mdgzizEN08UKSk +dCaNbCB86LVeo+umyY5abmgr2NOI7XaSTqWMs7ezemR5AkIUka35LgVIKvZw2WEz +G3KxZImSviV+XMsakqGTdXof7k1usEcmbJ/EJLi9ecaxMZKuLjT9sFtNo8uvE/m1 +1pf4bGnGXgBERGpZsqnm+JNxDDTbD1WntdPpyeF8/6iXd/eNiHboV830Olj0dXJ4 +YbTrQBcWbfUeZ8+8gGJ0bgshMtPCrOdYVMAfWfcu7DyFi0tQdtS1pmo5Co+OwLxe +IyKgwlIYOghCE3r6SBCrx0+sTP0sixV5Refu2JIBkjoywPavmK3+109l1F0BkzST +fQ1pAwENGx0oLVFdZHB1f4CSlZaiq8Te7AtOfX6Qtba4w8bP1+j2FSVCWGt4goSv +s7TAwcrR1drv9BRiaH2qytnr8PcAAAAAAAAAAAAAAAAAAAAAFSM2QA== +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.extensions.0.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_mlkem,Prohibited key usage value(s) present: digitalSignature +certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, \ No newline at end of file diff --git a/tests/integration_certificate/pkix/slhsa_root_clean.crttest b/tests/integration_certificate/pkix/slhsa_root_clean.crttest new file mode 100644 index 0000000..81f7181 --- /dev/null +++ b/tests/integration_certificate/pkix/slhsa_root_clean.crttest 
@@ -0,0 +1,177 @@ +-----BEGIN CERTIFICATE----- +MIIgLTCCAWegAwIBAgIUQ4VjomkBmSw5z7xAVxtfo8zHiEUwCwYJYIZIAWUDBAMU +MEIxCzAJBgNVBAYTAkZSMQ4wDAYDVQQHDAVQYXJpczEjMCEGA1UECgwaQm9ndXMg +U0xILURTQS1TSEEyLTEyOHMgQ0EwHhcNMjQxMDE2MTM0MjEyWhcNMzQxMDE0MTM0 +MjEyWjBCMQswCQYDVQQGEwJGUjEOMAwGA1UEBwwFUGFyaXMxIzAhBgNVBAoMGkJv +Z3VzIFNMSC1EU0EtU0hBMi0xMjhzIENBMDAwCwYJYIZIAWUDBAMUAyEAK4EJ7Hd8 +qk4fAkzPz5SX2ZGAUJKA9CVq8rB6+AKJtJSjYzBhMB0GA1UdDgQWBBTNWTaq/sQR +x6RyaT8L6LOLIXsZ7TAfBgNVHSMEGDAWgBTNWTaq/sQRx6RyaT8L6LOLIXsZ7TAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjALBglghkgBZQMEAxQDgh6x +AKqgUd6wwxTQzfsSRqIxIMntqz/cV6X7RfbwO3/jWoy1hx4fCxWfqlZoQ37qIwUh +0TPLhGFVfjl0GDzqjgGkjZr7NXRpyWI1fw40ARyQQZcT/8WkZa4Pv5sy0iosl4Yt +Seu6rppw5zVnPwp+Ot0LZk74RbLm2HCr+3Jg64WuYjykvzx65d1KJOJO0LU7w6zp +JvhsyjvhRhV/GMVBQJBzuRljhiM6sn8SOl+7wxBsTrJi7jtLxeJpJHQ+boHiaEjI +JyW8sqzaqK51WlwJIhy+lQoLXgwISUI6DS37iTuzFd7u57JeH6bwSvZlwV1eBXpt +KufCwyA3zqsPbOrJOfMo0XWBMX8B4gnIVoFQz076ghpgPoe/YcqgQCeVv/hPBLH9 +H3/OKfoVXO+UmvbwDH8Jf+y2NiaDaaotaZ4XehWqm1FDwZB8yWk6WrHud8ko5yHY +kwqAGZxet2FfFGyaACKqTbiGA7WDSunzWnbMozvkE5T3VpZWM90Z2T2NVauZ5QAk +9//07ghHjUOz9OM61RLvBACZYqFezV+fkPPCjjWbikbsVE4TIFlfY9lhseLENtLl +J1YfU1mcJOxqeSsdavKTONjres3XisiY1Idhv3k8KmRCD1sVtL3Ax8TeIEy72A9h +Lqpn4af/DbfdBc9cywxGJuDZSMtFdieIUUnfTBZljBqEggnz1O7EKhepe8B3JP1P +AJgS7RDnZ8N9VHgPyGd/9PKAKxs0DPpfxBKFHF/mhI3OEueu9e/rll9ib4c6NWfK +2K21VQsNBpHTnRqWLmfYsQ6PBz971v61dmIZg/bSCDU7nx0K9xTSRVBwXJHMtQ9L +73nv08e9Anr6i4PNMQew94p5xGgZ3gH4cxptisdUyEuaQFPjS+S9OlJQxt7eGdee +qIhw8XCmEVWwRl5AN7KQXJF2vSAdJNtxM4G4R+/sfnjSJStL4m4BgdQS/0D/4NeQ +KYWA5kr1WzJstwUcICfgmFeA56KXy5HO2cGjX9wkf7j1XNqRg+WujGVzhGpbyT+X +UX3MP9Y54XHxVI0fTzNwzAf4A3C+jIHhXXPBnL58PWnAzHKQz2U4NXEWrh3ipgjI +e93AMPS0KkX8BeYc76/zUwMvdrV78al9FjOxtcJPm1V7DSL2CEs4smdO2fjxZQPW +Wh8fi8vaePx7UqXXGzWyzQZ+Hh2LYECRdC+RycbHxAH1LxDC6quE9vYu/HfBhSiQ +pRHc7Qd4wnScYIZpQDwXmzrl6GUiwn/ZiL5DajGQ1SM365Nw5Lw0lE+vpMFv8zAb +xuH18dh7pE5uab6C0ICorplE4db6ReUFpVIKXWAXOh4u3S60hpMxkw/KXwVSjjEV 
+6IswiDPX2pFSQDzXGLxyjYiyZcX+CnxQRH4PtlJTiyj8W/qTVDbK4cFrf0YT3gV9 +vjONZ1K6ba9L7gELx1YhfRa9GYOQyBRRi/uDwaXKaVqu2fGn3PdTn/ajQ5T7OIYf +Kg9Qz428NlHOjq+A/rWA+ENz6jrXoqS2czpaa0inMaPTQjr8LrAp0meKmtEmlQgL +YT9x7rGW9EkM1ztQYWwVyjEx3A382F+hJtPiQ80TOUpQLWRXvwKoXFRK1DdF8gn9 +z1NnGemSpM0bggksTSkwgMEji8ocOMYRj6I8LH+GJcn+oxr8gqtp6bU3sQ6amRDN +p7ZSn8bkbgjxkM0UuMLgqVguikxS39XuilfOglemiQ90IEwiHQLJBFJoePNZycNg +hZIBMHWg6ykrZlW3SErfj7rfqLzZRVzrBKjDlLa7HQUZSJuujWMtutbTXuV6QLYF +dKGwerfXtGfW1qz1BW9TRabt4AyzDDLGiftCexF0lCXcAXy7Tk9Pl1QosPtIZoc6 +0NoYv6oTDGrTxz4RJkPoQLNXKQBwAK9YsHWDnrlLWznxfz+JjR0LGnhN5YzmB4Z1 +IxsUH80ETZjRzfVPHQBV+/jHkvXuXsXzJIQi7hFIkUtR94eonKCaSLyT9Twcftms +FRwft/m5Zp/05VhK+X5cP6NaIFS+V3R0ZYAN9DCpDVPmcVL5fvQCJOW0IQu8Ey5n +AL1kVIuCtGT4Ukay8jddMkmKvhlOIafMmhkpyVeq/ttK7+ChBhpfWEyXrv6sFqDj +p2Dvtr+AZzXIbP4RFhi9BJAytnVkE1WyLsbfL7c11jzxq0we2sJP/CTyks5k3e9w +eq4mBwFhn+Yu/uQ1jNXu4r79O4/E3FxQTFouqhTEDrWBE1XQhYEWPc4D8CslObb5 +zv/A9U13YIYDJf/dV8v9KP3ijrt8+0lGnCwONHTP0rhFvv3BKmuOMEjDp0FnBHho +nYEcNfSTWh9Hqzo0Xk4tQyv0UrxYNFIVUzYZybC8V3yVs4bufmifc7IJME/4kK4L +jfT00Ucb6NEDhZItimCrMPPqJl436ZC2LfYIH7z9E1r9qSl8q1gQ2W07J3Ux9HSo +6HAAo2PxjLSXIivQ+OCybk9KltXwPf5z4ci6+6iWvwHCY3D63ZflyY8ABF36wDlo +uuXcqns9vSWqQ+ICoVcreHSA+NbqokR/HjVGy30vg9x6JYfgJ87fEhWDtiYq+U4i +GMppfeNohghA+kUbpT1joaoZyoM9LksTTVgmYvLvPGsTzJmVIcLH9a8I76AhGkvp +9BxNRnKIIouqtdz+O+aNuVGNRfRwE2iiKwqcghZk/DpaKhmm/pI0ZeJqnKWTJCG0 +tlC4BDECHN9PuJy2OxlmJqrAM/2b+wIvyAeMH2aK9vPFC3TOdcSUNIBgU8FCCS0h ++yW0/8EAMPHIrc5ixh3XlMwPeyoAvrPzyD/liK9tGZAxcZbWjFs0uIW1QvL7F6CD +u2phhvDvH9vOAC+Qqu4Hl1lWhZYcl2vK1H2avdwBUt0cvIJegQiRNoV/PhJjWaoD +ELMDLa0XfWGR1uG5LjlUJ4qkkYe6M1QoUg1G8OdjQG0VdhFRKBtflOowbwA0pthC +xDKgNhtVBJCHji4ER/ElyPvUWHk2XLmBGMX/Fqv+uAEK+0qTPZvFgtUfv5Xqqjbv +xfjYq/fKyEncMPs0nYHifGwGeDSpqkR0n0KlxZGfQcTxeX4NzTbVITJdgk2zgA1y +GasqDt70Is5It7JEAvGZsb953UkLvz74uaXjKI2PibPYvJfLLvjAj/AQzQAv37y7 +q+B33tlEF45w8AfhncWl+5HuPe70mJ1nEAQ6pvID/OgFU+4AKTyE/zX035N0ghbs +WCVDgQGyaNKnUe2X7cIGHuuNdc8RMLD3D8HSwfFDXUJw+sH5KuuirwAHy5nKy5pQ 
+hcNjdtOt9e/U8Ml1pEuISzKBw0OXv6gLwFojtChGTARwNoju6/UmspkFzGsKDvkG +c/3DvjfHJikRYtQg4AbyaMNX27+F5i/L8YGWiHCeompCAvx5kPbJsPuzbqVoxO67 +jIdsgSAVqH8buvcusvdfo8ADRM7iJ/IE0MCyfb6zEU7pd3y+g5QDE3UvxNSK6byj ++m1ccvpihhfi25eIymxMrWgrV8/1tpIuAi6C0VyfO47p5Y12fGWdV+Ur38nKsYzs +hucJld5zV07sr2JHRXnG/Qky2Vtz3mdEOSij/x2PImEESIT78EQEDwEbrb+f/zQs +gz3WhTybgu9Hx6ui4p6scevWXqfY4HlTOSkVDqa5VjmTFn8KSABtNgoqShHvgNdD +xPAG4qJJmuYtxf1GlqiDRSK1x1Xczz+EjgtpfNzgMBofphTWQtMPkUtsPy/5ZCW7 +5IO5RICzbMfyPlijYXoaBGHYooznQ9fr9JBIkDDcwVWz60toCa9iedf2CWGJt2s3 +PglO1dfjBbFL8OUfaz7wa+sqjR2u9ofGcPJ0+pJGHdZ+1qsa094Rcb7woeMFgk46 +oS7SK8SSDqNwED/fxMxSl/dMplp7zOh0WkcSQnPYWwl+MaloM3f20XJyoyLi2W7F +/PIw1YXFwlB5EKafFVAxpIfXy9q5Xzer/n8JJeXDHsDWeCCgISAQbzzQvUb+vK3f +JSeN9A0MTbIwsXCOqiWfgLlgt3myJb6l3+7tjKyHyWk/6uXPTdFEc3+nTptpZN/a +ildTEQ5U/a/KTG3grVYff8UHAIvkswlTr6Tb4aHE4cDWcNQt6NS9OJTHkzlkcVBt +pTB9/h5h0KEmu2r4MmMFN2W7I5cGE8bWRrWD/dObo5TsZ46cu56vC9/oKO1F/6SM +2fnjMN0g8j2tT9C5Kxe/0EqOA42iHxb6/ofrPFd9+Hj5LXTUgthT4JG2g29zecrZ +yoPthHUQ4F76pw+hm2ch0JqwkINoPJmXaUIRLFG5b1wDHy7ueLc6FNvYnRdpmq2e +gNXX3v47GO6mfZ87bzBndKH0//toreTsj39bAkZiJhBqiLGnidGHAKSVhJaetB+/ +8W9ntj/VwlwfQRDNBqXo/uIeUuNcRrnE6RiqeOBLeIJ4rD1Z/SRARAHWrWuHvRGh +wb3yqcy+rgVSe72GY9aevVI8Jdyku3O8DAQEwQzpbtEmw1CsmPtLScVp7dgwu3zS +btN2WhMMgijPQFwOFiTogl0q8IeJI5ktfmqFod2reBvmz3a8/iayJqWn4dREo/8g +rYRzWyayOhXJxAKd+7Irz7Xyo36Z3vnZk/eLFuMET8S8TWebP7oteXpH8erYNs9d +6/ezrgzgYvj2LNApkYr6aL8gV+95DXFi96clx3fyA0gtlXN7usD1Ynu7DQa2iHSk +tH5IuaZtkng9h05oRNZFI8l7BAJ+x0B/oEH8JI7lQxn0ZbKl53MnA7RSDt4zEmLt +tsMrGc2gaQvLY+uFg6EWqStywefGY3+kQW4ZYTt4uttqGFz0sV2lXd84/V+Az8/w +leGxvHouLP8EAF7HeRxH4KdX3hvmaRN6O8+g2GkW8p5F5rF9n/dHJdkfUApu3dpT +4E1SkTOHij8373rrGpigVeD55fIDH+Lr5TBsDEt1pM9Ah9owSSXhJf04zkQg43V/ +JSt73bIC1+IPlqS7zwzfFudbkUYxvE0YtsozoVvmcJUDQHmpEqkdCeg419R9w6gl +bMKqC3gZWxbLiiRPsnrKh2iFmyIXUOr9KK5F97a6dt5Jzp+kSLG78br4iI4UHi8t +U3m/Mg78GSCxuhJoXYzYPDzWY4oui+R8dQUnqOngW76Hd9WziHTbzV9ZEFycROHU +fb827Ptwlb+nG9mo7v3XkU1ysdFyhwsCWCIjy7FyNgRHM6Y5mTT6c2rhuSEXegRb 
+I2Rln78U5o1OcBueGa+bmD5vEy41pZCnxiSKttAKoWDrQM97xQOH4qd2ihBbTnXB +Pq03Hv9GWaixbsT+ZYFhZ22DUZ8iWB+i4Tnd1DN0IpDLk79lplqNktuemmAell9d +ZhO484L7E1rqPOkfXde0fxiZONMeSYMmqOzAE5ivos8tKkpKfjL8ILWEwC/WDEBa +rTTb/NXzjF7OzRX7aNRgxA76nPF+C8KVz+Efa0u0i30bBUWOZWLYJE/JMfWeGzrT +zUcFk+CRiZ9+h1CpCkso3wBVAX9Y9tSKF8JgGlYqSZyNESV+QudgkCD3PhIle4IF +SdUviM9z2wl+D/F9xqQP3D1fJaQr4XR9cFqltGdsZnTEhgEwr9Xp+klyODsAld77 +xq7uyNCvshSPndoyX57nhXapGnzTaYsCSzz/UTuggGnwlQEQrrqUqVnOoJCvjfXb +RWMLT4r7ltsmZtq44s9+FUfIEANGjDu/Rgwp5n2AQjrCjTi0SC0slqE3cROccgAC +/6R5/3RaMbqmOiQIv45BtEhvvEOFMX25ygZgdvun0aOvrdCnywcCCLq3zqsGVihd +MXks2xBSVUxlUxDOHl8O5RUlxOB4EjzSDInzYN3x74vsfoqbLFibH3vw091H10lf +EfrtenIchGwGD3ZEqOYvJBs/ZkY858Z/4wYbXnzm1mcINPNkLP0wndjidRSVkdAP +TNnwlUNCshXbTz0Vy2BsIvj74MRDHNBxnRCb9nbD1Ojx2GKzs4/04mml/eMKI+ZO +mw+lLKEJAc4nJpSnkMDoDoKYQ0SHnTRXc7W3Nfqjr0fPCUgnedPGGwR6CN+meA9q +LlzlxqYWrE9NbQbWRd5oOizyIjJhjObQ5WKpSf66hq3Lxr4pawtLzUxZTr0XbJvJ +1tnNn6oBjMmj3a9rX+n1GCRtkOEUnlaGBC47okIh+AruBXExVfdWmV9yGIci/21P +fMLCMoRdTB3aWRJxSJg3aMhsFIy2jNRJ5fYrDwSsZhv3xNAYbeNdEk2dNMZMNs+W +K12u17F0yfBEtvDGRTJOt0JC0/m1w1FUPrhKcA6CLjkHvGapkZND8n/tpGHyNfrg +n4YAyYdbaX47+NH653jm0EYn1YDUNA+PvxwnR2A/p7XE7bPCFTc3s4vRwacbRyRz +ziJ02vvIP6FlTXln0YrbcXnUXX2hrgWTeDGY0/bMo0KT4REGUSw8TLdrXQf6qAhy +TJomC68oHHBVsR3Igpg9pbRi/3cHE4SwEH7zMzchQS7NO9pO5vqtP+7zBTmNZSDc +lEmY5OmhJrM6PclpH+ScKX0bkQJwJ4t33xh+UFBYBhv8N2tMAHHq7oJM4oukp4H4 +h1cHUNnQv/SFx0+bz+RR7tFrCqOneal/5Grrg1mC+OUyxmuTVxhh54mx/6f3MYtU +Md8wyAsvflxNHZnizWGXtSgUNj82DrQnOMhhaOCVjSY81INdlp+mN5ZZ2xCkX5C2 +RPF+bIZEJUAK/O/XXJe6G0yVnuOekLkCWDAdYLeUMPV4taTqN4J69XNsDdOBynLM +jM2/b/p/yzknGlmacVHY87NA09pmg/TylKWPtaB/csLI5xtBNv77bYHYq4ozQRi/ +QskaiiL6JZ7gt0VG7qs7VzqPZJZReh9mlflSlUB3UWn1br08l5VTkAmw/F+MytUt +QKspwiExgHW5DMlXRvl+4fyVY8GRrRCQry2ihQJV0aEQdtskrDcdNb+KCSkht9rV +Jm0Abnc/ZOCIawk36YL4x628BeoddaS6w9T7Q66ZKDoZ/YRTS4SKs3aupt2pu/5W +wn0UBWI6pK99O82AxN2HWFQhniHyYKNCpt5VMY7JfAGu/YdnUkO6eqTuI59vClLb +OBJBGMQtSoWENlmmI544jlHCiCOFOtxgUlZ5mYSwpamzG6wnyF1Ngo087ueExw1y 
+rIDIglW7BXseM/SjDDlbK+2k9s+lFY9YvqC7mzUnzHt4qu6rD/reqruVlDe2RP8h +4WRBc0Yi2bCJYSS0UwGZF0t56d3gPQrJPdUCHElOvSbZm7AyLmoiuHD1xu1RT+6g +Nyl18xddNdKmO3FDi28imxp9oMX3f34kepNnuQtMhGHy3W1vYHtjVkfGzRyuJRip +zyGqvNVwSHU4pxBevLyh4CdPbBi0QPiAAXQf/NKCWLPE8xzx5WZhwGxjTDu2YXoV +nb51S8MENaOnA/nMUGLQOHTB4sjORht2QqA7/1w8BMdzPas2tBzvR36ZeQyHnVTJ +RUphKUM0ck6m2SQsMHR1PRaHkQNYPnk789GLahCHGJLJDeWqY0UKYIPCgRE4tsPN ++LBx2OBbBMVXKlU82z+CJuvbCbcL8miQNL55QSWXndGXDq9MrkAhYV7zvpnao4Ix +mJZbHIYgSGuvkt/nLfUNl1UESz1vEEeYafMGi6CaiHwKooSNcUpfI3Qu7bsoMtIz +NKt3QOf41Bb+sHPkFKX1PD6g8OBCHc/Dw/i7B1pWIG1Pjqxj9jz99hErlyyGZmYR +FutRwikGMIS65IGYVmhwQzFdwu/r5uWGy5vjN46j+q1GzWOd0qFtXd9lz3w5zSSu +hkCwP9N3HVhUShG5fSXAiHnXNseqLNg/24aC//kPItBacYxbsiPqysvutlEtXkPa +/RiERyKVMeDlaC1law/5lEDoRU0W0GusVyTe4sHrmWWRnnpsbG7HN6suToCACWDV +EAtRmyR/ILJ9d7XhM6IuwHpi+6q8qLoH7yfEacBL2v+JgBOCHyVZO0DcEfRd3sWk +oNVHwBntHtNnSrB224Ut30/rbhesnsxnDXQDEFuI097H4AVVSAG8vnqCLPtePffK +LEIg7VD/PCsHxI3RE1eqJmeDAht5iATF7wpuyPikzZNXu0o5S57BF2dUn4Vei6QV +84G6LYVkqJnqEQybg1KAAxjAHXKe0gvUjOVZCCilz4tG7+mCm1Tw4glwtC30MdHx +6tpXHBu73rOFR/QZ5MQGhYdUI3Zs4T0owcAlALM001Gv2d8Pi7i1bchT/o1ZuvEO +AAVOv1GbWRBZBw9fJ5mffGujFEAy2uSJjbXG0z/t4/ktFazRqBFBLSxyq6TV9Jyu +1699OeIcj6j/PpJ95HY41P6imW4daxFw497yTR9N5cxEQ/hCyJkRxiki7vkT1QgV +cfwOyoKXsRH7uYwnPL6k19hPPA08gl3PGAEJKMod8Pe6cYDrdnpY6ZG4hnHQcdIT +PLdl58T/J/cv8j8k1cbfbNDdCu7eSxZmb2jOlLH5aWcMxBkgLCl0+KfiAAYTyS0d +T3Z0AyhGebeAstrSOQpWR1/DgZruF5ENSfQjPzbbVUjYFkP/bG/6yqwXyqNiTd5g +XO31o5YzNVMkBpmPMNakuAc94dnKB5tUcFDGDtJLk5wHFreeHtdCjMb9Qc2qTvws +ERpuANtbJW6WyClDrGi+wNMsPBvUtpwqoJ+bFqMq3e0ALLmdk1llgd6pqbiWrMRD +MJMhTDxCBo6r+jeWcsjsIhkbi8oic74I32od1+8TC0Ou/aDWoRCK914T5V2hgcCB +Bj9f6rPheJn1LRxWC9/DHU4f9uointgzEyu76T+xF88zDoCFcnJywK1wtIGb2FfW +pJ/3khXjctDuIqFHsJDj8RS2mf/8w8s0A/gAdt19xE0dwutIc01BQJ3hgFw3zGWn +aoqwmjXVLMzzo81D9+dcRnrhX7Kgk9cAyp46FUxhq/xi5Dl51iIq2X6PpGUa6R2J +K5zv1z82/JOc7OWmk87sMpFIRrAKsuMzGd+h+3gg4xNUE/P7ilrynro04f7rWOLE +r7ZjVjJCz+N9xfDVb/ZkU0AXwIjwVI2cBY1SOWNoI4aGkTTynKTdF7omWn9zdxlb 
+k1osiQdfJ0UrqoYamJhZKkbIjk91MNw66fYfwDPvChMwXDJFiBlnTk2o8fqJsO/k +Qj4mYICTIXtGufRsvp/Gf8ZJyeFJyC0HNpNpFBjj+ztreTcAvfLh9gZ7LAfqhuIe +YmRIQ1l9L/0kyKFPlKyNHn0VoTIBJbo/NdYWVyQo9mg104AhzJF2vRV/oUJrjqWQ +e/pdAXouAiG0MfksQIg0dQHLgzkbPDiiwl0z44NVf/rw18/JZJ8GObIY80GBYP9Q +XVASNw6CwNovavj8Fl+7IimDFEakAcr42Cx57c9AN0aoSH9mfQ6g/y8HwKNY7Cw6 +JzPjP1KslJkQKxWEEelxwDXDefclv/NbQkYXRF3BxKz8AWBqaV3MZQjgMcDbAe14 +cBgbk6/3sSwLH7Volrj5aZ/l5jXLvAZlZBHVq9Tm03kxobDi04B4wvaHdOM0SKuL +XjBS1jsCcs0+pPnaym3abFkHOXPaCPDQPJ35UoN3YGdYn2cRJBP0hoaNKYnFToYi +EoYRlA70xiY+D44GjVpgMNCpqL92P4g0eajaeBtxn4wzWY37a8+WRU++VOUVxtOb +ferZYVN1kT3FEH2iXQDNSne6lmxRV6RodUMn7AtJSk0lyTj9zDMb2nC/G8PUWd2K +Bf6HxY5ZFu8zS4gU9I4/ZUPr6qOcXOvcgdffe6UeTYRczTHiAqY3z4FPtZFBhwSS +88FdYi5S8YaujRO/tsdWNu/ml7YFzDnbSa+1PuzKNy6kUcbXAy3IaTtY95Ht1IgO +nAV//oxfDBgxOUutPCVNJiRCRZkY3w6sk0cLR2BYU2MPC7BnpQcSyqFk6aO+Ft72 +cI4jjWHXjUsxb3lIjLC+AUjyTj0qT+BVkHI+0wxc9/gVReQQ362c0CPDu6NScAji ++q66sHQ13aZL+5q3PCgXhwhwR0JeWDqmhKyUNEFcPNGsCrS/ocbawlmjIsym4+nV +khWAuy4kkdOKAhPlUQX1VUp4QdXnYh231R/lNPexrsYP7DjCqCOO/122h4pPv3fW +wa6hyIjVZuF3BsqRENsUIEygj9iLG3FmuJYJCGrs38FL1pEDjGbiyB3JDvOZPgq0 +YIOKvD3KGQCz/bBehGG3IwTbZDUGmqtKA0eieWzYC57Jd7tHXttm5PMz64ziSaTW +oclhl0rmOqsWZLPfFlre5fm6XX3rBPX08PB95Bp0/H0DFqTK9uAFleD6nYAHWLQS +XjRDBK2Qnz++Mco908nQt5HHXNArgXM0v8qlbiNPs/O0vwP0va/91wmLZaMMdtwe +fJfSvoXUZW35PW6ubFf0EEAh1gQtm5vllZCcUqitYYvNsBLBEybDTY4igoKb/m0B +5zxlebR5n56wEN1ealdDjGtB1earlLrHZ6W0QdgQDP0pd+ILzSmALq5epYWjogkx +UYKYCyx6a5bvjcD1H5i09iK2IW4247sY2h0kRg1lKLZq +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, \ No newline at end of file diff --git a/tests/integration_certificate/pkix/unknown_key_type_self_issued_no_aki.crttest b/tests/integration_certificate/pkix/unknown_key_type_self_issued_no_aki.crttest index ea27923..49ec670 100644 
--- a/tests/integration_certificate/pkix/unknown_key_type_self_issued_no_aki.crttest +++ b/tests/integration_certificate/pkix/unknown_key_type_self_issued_no_aki.crttest @@ -26,5 +26,5 @@ AiAMA1aqNACzlZdAvhHk1o2fjCYYodSWbLbAd5cNAzPftw== node_path,validator,severity,code,message certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, -certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued certificate uses unsupported public key algorithm: 1.2.840.113549.1.1.1.999 +certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued CA certificate uses unsupported public key algorithm: 1.2.840.113549.1.1.1.999 certificate.tbsCertificate.extensions,KeyUsagePresenceValidator,ERROR,pkix.ca_certificate_no_ku_extension, diff --git a/tests/integration_certificate/pkix/v1_root_signed_with_md2.crttest b/tests/integration_certificate/pkix/v1_root_signed_with_md2.crttest index 4b43552..88a809e 100644 --- a/tests/integration_certificate/pkix/v1_root_signed_with_md2.crttest +++ b/tests/integration_certificate/pkix/v1_root_signed_with_md2.crttest @@ -16,4 +16,4 @@ AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k node_path,validator,severity,code,message certificate,SubjectKeyIdentifierPresenceValidator,WARNING,pkix.certificate_skid_end_entity_missing, certificate.tbsCertificate.version,CorrectVersionValidator,ERROR,pkix.certificate_version_is_not_v3,"Expected=""2"", actual=""v1""" -certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued certificate uses unsupported signature algorithm: 1.2.840.113549.1.1.2 +certificate,AuthorityKeyIdentifierPresenceValidator,ERROR,pkix.authority_key_identifier_extension_absent, 
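Review bot: The expected finding for the v1 MD2-signed root changes from a NOTICE (`pkix.aki_absent_self_issued_and_unsupported_algorithm`) to an ERROR (`pkix.authority_key_identifier_extension_absent`), a severity change on an existing fixture that the commit subject does not mention. Judging from the reworded message in the neighbouring fixture ("Self-issued CA certificate uses unsupported public key algorithm"), the exemption now seems to apply only to CA certificates and to look at the public key algorithm rather than the signature algorithm. A v1 certificate cannot carry basicConstraints, so it would presumably always fall through to the ERROR. If that is intended, it deserves a changelog entry and a comment on the validator, for example `# v1 certificates have no basicConstraints, so the self-issued CA exemption never applies to them`. The validator code is outside this hunk.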
diff --git a/tests/integration_certificate/pkix/x25519_bad_ku.crttest b/tests/integration_certificate/pkix/x25519_bad_ku.crttest new file mode 100644 index 0000000..5825f25 --- /dev/null +++ b/tests/integration_certificate/pkix/x25519_bad_ku.crttest @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICNDCCAeagAwIBAgITfz0Bv+b1OMAT79aCh3arViNvhDAFBgMrZXAwWTENMAsG +A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM +QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx +MzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjA6MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQL +EwhMQU1QUyBXRzEWMBQGA1UEAxMNQ2FybG9zIFR1cmluZzAqMAUGAytlbgMhAC5o +MczTIMiddTUYTc/WymEqXw8hZm1QbIz2xX2gFDx0o4HdMIHaMCsGCSqGSIb3DQEJ +DwQeMBwwGgYLKoZIhvcNAQkQAxMwCwYJYIZIAWUDBAEFMAwGA1UdEwEB/wQCMAAw +FwYDVR0gBBAwDjAMBgpghkgBZQMCATABMB8GA1UdEQQYMBaBFGNhcmxvc0BzbWlt +ZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIDyDAd +BgNVHQ4EFgQUgSmg+iOgSyCMDXgA3u3aFss0JbkwHwYDVR0jBBgwFoAUa6KVfboU +m+QtBNEHpNGC5C5rjLUwBQYDK2VwA0EAzss75UzFuADPfd4hQdo5jyAQ3GvkyyvI +BdBGnWtJ1eT1WuMaIMhi1rH4vPGPd9scwW+sqd9fG+pv3MShl+zKAQ== +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.extensions.5.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_edwards_curve,"Prohibited key usage value(s) present: digitalSignature, nonRepudiation" +certificate.tbsCertificate.extensions.6.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, diff --git a/tests/integration_certificate/test_pkix_cert.py b/tests/integration_certificate/test_pkix_cert.py index 668b8d1..964bfc2 100644 --- a/tests/integration_certificate/test_pkix_cert.py +++ b/tests/integration_certificate/test_pkix_cert.py 
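Review bot: The expected code `pkix.key_usage_value_prohibited_for_edwards_curve` is asserted here for a certificate whose subject key is X25519, a Montgomery-curve key-agreement key rather than an Edwards-curve signature key. Anyone filtering or suppressing findings by code would read this row as an Ed25519/Ed448 problem. If the code is deliberately shared by all RFC 8410 key types, a comment where it is defined would make that explicit, for example `# also reported for X25519/X448 keys, not only Ed25519/Ed448`. Otherwise a separate code for the key-agreement curves would keep the two cases distinguishable. The validator that emits the code is outside this hunk.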
@@ -21,6 +21,7 @@ certificate.create_validity_validator_container(), certificate.create_subject_validator_container([]), certificate.create_extensions_validator_container([]), + certificate.create_spki_validator_container([]), ], ) From 78e4dfbb7bd61411d21d7bc55ddb4da932ee0488 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Thu, 9 Jan 2025 17:53:52 -0500 Subject: [PATCH 2/8] Fix typo in filename, add EOF newlines --- tests/integration_certificate/pkix/mldsa_bad_ku.crttest | 2 +- tests/integration_certificate/pkix/mlkem_512_clean.crttest | 2 +- tests/integration_certificate/pkix/mlkem_bad_ku.crttest | 2 +- .../{slhsa_root_clean.crttest => slhdsa_root_clean.crttest} | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) rename tests/integration_certificate/pkix/{slhsa_root_clean.crttest => slhdsa_root_clean.crttest} (99%) diff --git a/tests/integration_certificate/pkix/mldsa_bad_ku.crttest b/tests/integration_certificate/pkix/mldsa_bad_ku.crttest index 6072ef8..ffa5a10 100644 --- a/tests/integration_certificate/pkix/mldsa_bad_ku.crttest +++ b/tests/integration_certificate/pkix/mldsa_bad_ku.crttest @@ -88,4 +88,4 @@ AAAAABMhMUI= node_path,validator,severity,code,message certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued CA certificate uses unsupported public key algorithm: 2.16.840.1.101.3.4.3.17 certificate.tbsCertificate.extensions.0.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_mldsa,Prohibited key usage value(s) present: keyEncipherment -certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, \ No newline at end of file +certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, 
diff --git a/tests/integration_certificate/pkix/mlkem_512_clean.crttest b/tests/integration_certificate/pkix/mlkem_512_clean.crttest index 563d56f..a5db9ab 100644 --- a/tests/integration_certificate/pkix/mlkem_512_clean.crttest +++ b/tests/integration_certificate/pkix/mlkem_512_clean.crttest @@ -75,4 +75,4 @@ s7TAwcrR1drv9BRiaH2qytnr8PcAAAAAAAAAAAAAAAAAAAAAFSM2QA== -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, \ No newline at end of file +certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, diff --git a/tests/integration_certificate/pkix/mlkem_bad_ku.crttest b/tests/integration_certificate/pkix/mlkem_bad_ku.crttest index 5c3d0eb..7cad585 100644 --- a/tests/integration_certificate/pkix/mlkem_bad_ku.crttest +++ b/tests/integration_certificate/pkix/mlkem_bad_ku.crttest @@ -76,4 +76,4 @@ s7TAwcrR1drv9BRiaH2qytnr8PcAAAAAAAAAAAAAAAAAAAAAFSM2QA== node_path,validator,severity,code,message certificate.tbsCertificate.extensions.0.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_mlkem,Prohibited key usage value(s) present: digitalSignature -certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, \ No newline at end of file +certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, 
diff --git a/tests/integration_certificate/pkix/slhsa_root_clean.crttest b/tests/integration_certificate/pkix/slhdsa_root_clean.crttest similarity index 99% rename from tests/integration_certificate/pkix/slhsa_root_clean.crttest rename to tests/integration_certificate/pkix/slhdsa_root_clean.crttest index 81f7181..d5a245a 100644 --- a/tests/integration_certificate/pkix/slhsa_root_clean.crttest +++ b/tests/integration_certificate/pkix/slhdsa_root_clean.crttest @@ -174,4 +174,4 @@ UYKYCyx6a5bvjcD1H5i09iK2IW4247sY2h0kRg1lKLZq -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, \ No newline at end of file +certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, From 028e2428de1651dced761a64b2cc278b3609df82 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Thu, 9 Jan 2025 18:00:47 -0500 Subject: [PATCH 3/8] Remove unused import --- pkilint/pkix/certificate/certificate_extension.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkilint/pkix/certificate/certificate_extension.py b/pkilint/pkix/certificate/certificate_extension.py index ba7e0d7..f1241b8 100644 --- a/pkilint/pkix/certificate/certificate_extension.py +++ b/pkilint/pkix/certificate/certificate_extension.py @@ -1,4 +1,4 @@ -from typing import NamedTuple, Set, List +from typing import NamedTuple, Set import unicodedata from cryptography import exceptions From dfd71c6d602b9bab855628782865dcb4d67068f3 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Fri, 10 Jan 2025 08:26:58 -0500 Subject: [PATCH 4/8] Add test case for NULL params --- .../pkix/mldsa_null_param.crttest | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 tests/integration_certificate/pkix/mldsa_null_param.crttest 
diff --git a/tests/integration_certificate/pkix/mldsa_null_param.crttest b/tests/integration_certificate/pkix/mldsa_null_param.crttest new file mode 100644 index 0000000..db393bb --- /dev/null +++ b/tests/integration_certificate/pkix/mldsa_null_param.crttest 
@@ -0,0 +1,92 @@ +-----BEGIN CERTIFICATE----- +MIIPjjCCBgKgAwIBAgIUMMAaXou4x79YL5xY6GRJobexOUAwDQYJYIZIAWUDBAMR +BQAwHDEaMBgGA1UEAwwRUm9vdCBNTF9EU0FfNDQgQ0EwHhcNMjQxMTAyMTQxMDAy +WhcNMjUxMTAyMTQxMDAyWjAcMRowGAYDVQQDDBFSb290IE1MX0RTQV80NCBDQTCC +BTQwDQYJYIZIAWUDBAMRBQADggUhAKVhoof7m2FnFa6ux20C7PO6a4ejYiS6rUWY +5nO46z4gluqoMjzouDpqKGryLQeOr5oaRwN6fPsITI1FLyjBnP4ZTpCOoI1/yvT0 +K0BjRydHI4SvtXJstZm+A6+gq0mVnxT67E4ppdvtY87QhJeEwznI0VuuysbQqwtx +PmlBsc9vP5Kx816SLwh+TkDMCupfjU1ffOxUJXwVx/Bgw/7ocaVC5EDeUV3vBUO5 +qGasMoFMbALv4WwJPqglpPIsa5Crj6pqLJkEIGSMMB8AdsH11C/p+SAkrpoEBmQ6 +HicWyfvBcYaMEhWxgKGnSlEun4q/pPlA+zYvN1C4pVA+h9m0r8WQuwrcX4OUqcKL +7OlFjWzpahit+QNANlcfWjWYsdMdZLRlXiRSq+9FS/+d6BNR+U+0iDuP3oVY1x0P +u5//6NrfKcQ7Na0+41XbkxqqDbjGwEgW5rj3Ebz40PATPHxiNxQ+e9M4wajwdXJL +h8a5txWNzvAWMHu9GlZDb0AVD5E/wIp6pK0OfPQMhKqGvGdqeNjpmBBNcMX6ccE9 +sSxyiJ7rO+rUxCW1CIOwFKmg/kpQetlZOoXR5dJlzzNNHKOkTV+q/attlKcfSXN/ +y/BoEPC7ASvhuvzhSc56SabmfUSY+oddp07s2qkR4S6OjBJ/bwFmMW6Pnqa7xEJw +zAX+ohvHsf+q4ozKMe+S8lXW9WaQh43fjBLuzjr58Ue5z9b289GtwM+QhmzUoDjW +2j4DBtaNwFOt9G+/0bAeJt/JZRwI4v0ULI8/eBl4KZLSO644VoYqIjgKj+a8+vbw +3VsdOO7HMwHxtmAufXDa5g/eWwblWfx3aUf9eTpjAgbBuDx67WaDHAbi6Y4PSR01 +PKWhstSZsM25gJRjXgGlet+t2/MUmV/JMG/2t6WWs1zDog+kdW8y2Bq79hB6tPdy +Tf+lQObPxEWyMQTy5oTQTrBY5deios8sIakmuddwePzhgbHUJ4ABbz/Z6tvigSzF +JbUgc89zq9wqbbm2O++qQSo3mA1gRTf5CaGBdSbwskJCZTMXaINrC6nvNqeLedfR +PHQ+YuHtTC01toK2O2GjgNF4abqnjVJRebMS8zvqMLgKHwy/Y1t/HKsPG2gcS6xi +shahZX/DjUIXSee8BCdPNuy/DRjFTPvGWSJYv2CWnAVuoVSFdPz7WgAdRIfr29Qo +eQ1ffcoXIFk3W3orjT8i+msKy7+cGgmnEP9nSq5GNALGff6AVsJynxoZNhfLkeKj +yaleEEvBrKyENh6VS0csqleaaUDKz33FdaADhNBfSG67LuOoL+EupJOWX6y4YZlH +c2BTP+pfhq0fGrYB4bS0DO3ssojbB3oWqHy0Se/UEyNeqcMgEPQ9mPOXYahV6EN9 +oFXCxnA3yvySdcA8+oCDqNdxMPoAr3H1cs5W8akLXRpRtPzXlR6K4mYIjT+fAJYp +Q9rvOOSHkO5nOMaBLeBT1UYsMHg5BV9ZYV6Dwkw1a8lNI5xeU+SVmsje6Urf+XOz +JosJLJPiR1yts2Ni4Z2vFRJk50H0rwh2Cy+fZ5T0Y/TDWvCaXvlcY5tycaUWxoMZ +rb+BAIUfIuRI5YKw/GrtArSjA1AsDWyPxUBwhI9xmiK49gU7GCb37Pvc5Ss/fSPf 
+6Yv5WJpBXu0nRN2Xu5curHDrnNdfLGSosVQXJeZ5Fc+8mEWp79HqgrwQ0BBPfL92 +H5k7rBFKamId0Z8C8WNiwIi6Iu+W8DC6FnSBNgwsi+ro+0+ftlWjQjBAMB0GA1Ud +DgQWBBSNvVOj7p2xFKdrvit6/smqJwXjUDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud +DwEB/wQEAwIBhjANBglghkgBZQMEAxEFAAOCCXUARJIaJJc/p+7IfGyr7LOq2Vyb +iVZO3JhnIcEnpx1ob9Y3sKcD2TDBK2Tc7lKK/R9fzw3hhXktW0PBzFjZl/KxAzC2 +ORIBpGEImv3P9Bb0o8uD4yUnMYeXkZ2LHqbX+e8oIDqFgxzjIj5c5EMZZU9yrMEi +JPQZOQsDaL05mK/FNcxkrEESJHxjgqPfAJRKn9tWfb86WXOJF3KESCgiymAAcEBR +KzA1IvcP920qpI2CxbwtONcQj4e8EjMpHpF7Kw/N+kKf8cckwT5/oYqlixjlgxHE +GEKMF2S4u6kwiREYG14/o4w8kljyTFngTanQ5rRDAWk3tde50I3s6WJvBKveGj1z +Y6A7Y/4LIJddx2ldkXRzPLpmf062tqk1qbu3RrjfcLYObfg6c1SA/KzYrX9Yhmdp ++ouO2dAwfFsvhPx2O1sLaCQQ7DdSN8NVl2eSDtwMaIgOO9XwkAB9doI7nxg1fuOO +E9RXD2LeTeiyq+7r888e8LwxQAWXwqeC59sP3YmtOMKBQSPfCRqxeKBKhFAUplQ8 +LoX2CYG3dj1IhkV4wwBYqk2YI+9kIxoHXeHShhkQLHhsJjeb5tt1HqjLIsM2kd9a +gHT33q/YCsUIVW4kLDMkqrPNRdqNcQ+EpghTA6XRG0yE6OfJj48Vs6E7cDkhFmdY +MpqbWKW5fETY5M5TGF2sRgUJGsrTT/9Zz4gkUlCw1v4mBXdHboxCxwCuJNEfmqOZ +w4u51+4hIjfXfXot5isWE9DrDy8nN7oO6PQfFbzmOLz9ceaFW4bRVGaFK8HcCvZf +dpGQTXeChFTux6My+VgUeSNeo0uDGNrvABeeIcYLPLY+TjGBM2+A/A+1DvK4+Gil +uhy6CporBegunAB/hbvG8NLrgER9MLsHV67bQoUo9njTCdDXc8upfW49ij/j9RTH +rqCTxpFhiSYPUpq4aZLxks7wJT+cTJDIXfN6sc9/gd+/IKnKiry7bVcBoJJK2gmm +XyeGk2EWA2C6/rTdeOX+Mft9hPX0o+8LcZ413V/WToqT05u7bHKWl2q1pd5qfFH1 +Vl8/X8PrbJCqiNQf/K2Pk2ai7+RTiUAiQVZ++syth5Lj07MRzyfQbJ/VmK7IftVB +4okZmbmKCJYejcKdbzo5Jaxxq2/7wxplmv3i02rL8E7bdVYRbgn3EcvXkTAIL8uL +muwLoOrjD2/RAgSaz6G27dFxDTcf1VGzAxSRh2RAw+AQud6hrEpShK/q5XdzQS7v +k9FHUU1UhOWbS0xIPH8fhG6YEztv1lUlRl5OY0a+QUQQNTNxZyKSPx7QJngZbEfJ +Zegx6aQSVVlqHy/WyNdM5iwOzovHSOY49Yo83SMNjYn8mxEmImQWVZt2Zxh8jh/i +ZNteQOuXys19qTJ0xBMHuUa366BkiqhtIN8LqM5XMqlj8T92vbLGvcJ8o1Zma9vQ +fNAXGx+Q0VxbYkDYcug/cBO0phXWVUU0dZ/R7yDnl3n9kNgYYirTtGopoYhApw7Z +8FxotCSJkC3Gk3OlwavMuK1UgAc1GU+3lLQ0QhaW6nL8JlJXolKuSb5EYoYbbowl +61zh/18CT1hUUra4i52ls8KOhKdXkorUa3ah+wwfic8lPSqb6iawGwPZrgmnY21W +qUn4pMWo5pu+/cdLvlSMTRBKl2GSA5GNa11keC8jodzVcaq3ZZ3PPpG9gPn8ACWW 
+ctBbVLJL3WAYTL7l4es1XZ6s9rjVC1iaOxW/YM+i9HCdCyihAx0lIoXcmwUJ15lp +B99A89VTzwYAuxICy0HqAWbb3IgikFQ3X2sELUtglMrZifVKNig5EteJjVVTUGZa ++6IHhyIDvfOfstJwG8xdX/TPOflbd/2uR8Hwa7S+oNQhM4FCBPF71fN8NqHTUIpV +r3IWc9BjrdHHY9d30phWDyoHocu98qPWWxRlBaK1vtHJz3isQ2XGQQjppRBB7mql +SkYdUmQPllb2TsG3fbX8SmRBEMnLSInlNk1CpUBWwixqTYNfmkiKGmj5VVL4tnhK +xd8mhLN3n382+gSmXJgF7rascedPdvO69n9qb3hquLz1/7SU2H/oMpISHl0UqNnC +1lz/ywPEm3rTEAzWvBFqjmdKiCvUf1TcuvDNrIhfsquyb2ihdOHlHESUR8p8WI7D +zCE9nOEuvgQugFOhzKyPR60rscr+CFMT/mhExdRRlWMiaBRJL9vYieAYPO4y5/mW +YVu0Rmg6gOpGMkB1WzSDoP+1qud3jF5ybIwbPIidKoyHiXGFygIX58tCmTNvE6/2 +oCtFH4nMRn/xolYfUEdUN1T6iO6ae041yoH4hCb/+9HKMPjJvXVdG4LuLjJOi2+h +dWj7cbNnPHV10UoPczOaBQCfuswN5UglUgp3PJbH26+OE69Wfem0tb/cZnhaLY5f +g24EhzO/vESAFWoB+h9zo7RF+VhShLzBRWUXIyYzwzuVCuQWTjg1GWh2kytyiWjR +5tvWSsAKdW292RNJ/fNkC4BCL8X81Q+7wMroOU32QwncsD4rfdErymzlPAV/Czyi +cjcPSqWGcOgrFeHteRoLwdz65y+Ntv2QQTxoqvWaLFsJU+gvQvApidf2CbdbmUSg +00tr2o5aNF3+RjfxB292ZblluDer61CcD9oofwZbj7CAhs1ObXJfzoaAqjs/RHbF +z6Za3fkyoeDaS36qlzJKIXboXZnYTjKFL+6S5HCfTTI6APj6Mi6OBUFeppgxIRCw +vPh/ny7UGyudygoWbjo2S9U0lQYk2kCAldP7sSBtaNwdR8xVuc1Ozc7he/DC4I5z +QaY1xVNBOn39dwibxRIq5gLIUvOSks3UMqZSrHpu/uETmBKMw4wNrVmzLRa40NZz +qZ+oBHYkanfvPTJHYf1HK14Vxa05s5rJrO/sSgnfBTL09OXfaLue7G3D4a/0WTiP +kS1Fxs+lysirBEfSAIO2lxArXVhrmo1v28JzWynCAVDrzw1zQ5JwcbjU9DcXR2ka +4q1eAkfYmtW5ewDtMV3MCfrlFhAmsKNZZMv3LKaRm3lJExhSHrmqp4eIo4Jiwep0 +Hfh2PvQvYNuixctKaeFUW6J1qIEi7SQ0n3wR0KM44FcCQ3LaZEYG7U/zVgI552D9 ++kJJENEB2cf0wA+wFkgTGTtETV1gh4qLlZexusLT1dzd6+z5/xATHCVAUnJ+kpSc +ssnW19jd8iFPUmBxdn+RqrC6vsDGyc3f7fDx9PoCMVpmZ3J/hJ2lwd7yAAAAABcp +P0w= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.signature,AlgorithmIdentifierDecodingValidator,FATAL,itu.invalid_asn1_syntax,"Value node is present, but type OID 2.16.840.1.101.3.4.3.17 specifies that it must be absent" +certificate.tbsCertificate.subjectPublicKeyInfo,SubjectPublicKeyParametersDecodingValidator,FATAL,itu.invalid_asn1_syntax,"Value node is 
present, but type OID 2.16.840.1.101.3.4.3.17 specifies that it must be absent" +certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued CA certificate uses unsupported public key algorithm: 2.16.840.1.101.3.4.3.17 +certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, From 1212eea6d0c192999947deae98a2b17ade7a4a91 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Fri, 10 Jan 2025 12:17:57 -0500 Subject: [PATCH 5/8] Update changelog --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b916fd..73c7a78 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ All notable changes to this project from version 0.9.3 onwards are documented in this file. +## 0.12.6 - 2025-01-13 + +### Fixes + +- Gracefully handle SAN decoding errors when subject emailAddress attribute is present (#143) + +### New features/enhancements + +- Support for ML-DSA, SLH-DSA, and ML-KEM algorithms (#145) + ## 0.12.5 - 2024-11-27 ### Fixes From 7c5ac97e263b52d2768c21dbd6ce4f682a65b9c8 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Fri, 10 Jan 2025 12:18:32 -0500 Subject: [PATCH 6/8] Fix changelog order --- CHANGELOG.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 73c7a78..06b3e87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,14 +4,14 @@ All notable changes to this project from version 0.9.3 onwards are documented in ## 0.12.6 - 2025-01-13 -### Fixes - -- Gracefully handle SAN decoding errors when subject emailAddress attribute is present (#143) - ### New features/enhancements - Support for ML-DSA, SLH-DSA, and ML-KEM algorithms (#145) +### Fixes + +- Gracefully handle SAN decoding errors when subject emailAddress attribute is present (#143) + ## 0.12.5 - 2024-11-27 ### Fixes 
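Review bot: The expected findings for `mldsa_null_param.crttest` flag the NULL parameters in `certificate.tbsCertificate.signature` and `certificate.tbsCertificate.subjectPublicKeyInfo`, but there is no row for the outer `certificate.signatureAlgorithm`. That field appears to carry the same AlgorithmIdentifier with a NULL in this certificate. If the outer field is not decoded against the same parameters-absent rule, a certificate with a NULL only in that field would pass unflagged. Either add the corresponding expected row once a validator covers it, or record in the commit message or validator docs that the outer field is only checked through its match with `tbsCertificate.signature`. That matching check is not visible in this hunk, so this is an inference from the fixture alone.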
From 4225d0adb8e1e2b37439875d81769b4dcf785c7d Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Fri, 10 Jan 2025 12:19:04 -0500 Subject: [PATCH 7/8] Fix changelog grammar --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 06b3e87..7176a7e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ All notable changes to this project from version 0.9.3 onwards are documented in ### New features/enhancements -- Support for ML-DSA, SLH-DSA, and ML-KEM algorithms (#145) +- Add support for ML-DSA, SLH-DSA, and ML-KEM algorithms (#145) ### Fixes From 1506b172441943454e7d6e02c557535c03ea3cf4 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Fri, 10 Jan 2025 14:57:37 -0500 Subject: [PATCH 8/8] Switch to issue number for new feature --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7176a7e..3cdc89e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ All notable changes to this project from version 0.9.3 onwards are documented in ### New features/enhancements -- Add support for ML-DSA, SLH-DSA, and ML-KEM algorithms (#145) +- Add support for ML-DSA, SLH-DSA, and ML-KEM algorithms (#132) ### Fixes