STNDS-494: Add TS 119 312 public key validators (#39)
* STNDS-494: Add TS 119 312 validators

* Fix RSA exponent upper bound check

* Fix RSA exponent lower bound check

* Clean up exponent check
CBonnell authored May 3, 2024
1 parent 386908b commit 01c43fe
Showing 6 changed files with 270 additions and 10 deletions.
20 changes: 11 additions & 9 deletions pkilint/cabf/serverauth/__init__.py
@@ -62,7 +62,7 @@ def _determine_subscriber_certificate_type(cert: certificate.RFC5280Certificate)
return (serverauth_constants.CertificateType.OV_PRE_CERTIFICATE if is_precert
else serverauth_constants.CertificateType.OV_FINAL_CERTIFICATE)
else:
# "unknown" certificate types are consider to be DV Subscriber certs
# "unknown" certificate types are considered to be DV Subscriber certs
return (serverauth_constants.CertificateType.DV_PRE_CERTIFICATE if is_precert
else serverauth_constants.CertificateType.DV_FINAL_CERTIFICATE)

@@ -130,14 +130,16 @@ def create_spki_validator_container(additional_validators=None):
if additional_validators is None:
additional_validators = []

return validation.ValidatorContainer(validators=[
serverauth_key.ServerauthAllowedPublicKeyAlgorithmEncodingValidator(
path='certificate.tbsCertificate.subjectPublicKeyInfo.algorithm'
),
cabf_key.RsaKeyValidator(),
cabf_key.EcdsaKeyValidator(),
] + additional_validators,
path='certificate.tbsCertificate.subjectPublicKeyInfo')
return validation.ValidatorContainer(
validators=[
serverauth_key.ServerauthAllowedPublicKeyAlgorithmEncodingValidator(
path='certificate.tbsCertificate.subjectPublicKeyInfo.algorithm'
),
cabf_key.RsaKeyValidator(),
cabf_key.EcdsaKeyValidator(),
] + additional_validators,
path='certificate.tbsCertificate.subjectPublicKeyInfo'
)


def create_subject_name_validators() -> List[validation.Validator]:
14 changes: 13 additions & 1 deletion pkilint/etsi/__init__.py
@@ -6,7 +6,7 @@
from pkilint.cabf import serverauth
from pkilint.cabf.serverauth import serverauth_constants
from pkilint.common import organization_id
from pkilint.etsi import etsi_constants, ts_119_495, en_319_412_5, en_319_412_1, en_319_412_2, en_319_412_3
from pkilint.etsi import etsi_constants, ts_119_495, en_319_412_5, en_319_412_1, en_319_412_2, en_319_412_3, ts_119_312
from pkilint.etsi.asn1 import (
en_319_412_1 as en_319_412_asn1, en_319_412_5 as en_319_412_5_asn1, ts_119_495 as ts_119_495_asn1
)
@@ -192,6 +192,11 @@ def create_validators(certificate_type: CertificateType) -> List[validation.Vali
qc_statements_validator_container
]

spki_validators = [
ts_119_312.RsaKeyValidator(),
ts_119_312.AllowedPublicKeyTypeValidator(),
]

if certificate_type in etsi_constants.LEGAL_PERSON_CERTIFICATE_TYPES:
# TODO: modify when eSig and eSeal support is added
extension_validators.append(en_319_412_3.LegalPersonKeyUsageValidator(is_content_commitment_type=None))
@@ -206,8 +211,14 @@ def create_validators(certificate_type: CertificateType) -> List[validation.Vali
serverauth_cert_type,
additional_name_validators=subject_validators,
additional_extension_validators=extension_validators,
additional_spki_validators=spki_validators
)
else:
spki_validator_container = validation.ValidatorContainer(
validators=spki_validators,
path='certificate.tbsCertificate.subjectPublicKeyInfo'
)

return [
certificate.create_issuer_validator_container(
[]
@@ -219,6 +230,7 @@ def create_validators(certificate_type: CertificateType) -> List[validation.Vali
certificate.create_extensions_validator_container(
extension_validators
),
spki_validator_container,
]


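Review bot: In the `else:` branch of `create_validators`, the SubjectPublicKeyInfo container is built from `spki_validators` alone, so certificate types that do not take the serverauth path get only the two TS 119 312 checks, both of which report at NOTICE severity in ts_119_312.py. The serverauth container touched by this same commit also carries `cabf_key.RsaKeyValidator()` and `cabf_key.EcdsaKeyValidator()`; whether equivalent key checks run elsewhere for these types is not visible here. If the narrower coverage is intended, a comment above the container would record it, e.g. `# non-CABF ETSI types: only the TS 119 312 SPKI checks apply (NOTICE severity)`. The function body starts and ends outside the hunks shown.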
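--- a/pkilint/etsi/ts_119_312.py
+++ b/pkilint/etsi/ts_119_312.py
@@ -0,0 +1,111 @@
+from typing import Optional
+
+from pyasn1.codec.der.encoder import encode
+from pyasn1.type import univ, base
+from pyasn1_alt_modules import rfc3279, rfc5280, rfc5480, rfc5639
+
+from pkilint import validation
+from pkilint.pkix.certificate import certificate_key
+
+
+class RsaKeyValidator(validation.Validator):
+"""
+TS 119 312, clause 6.2.2.1:
+The public exponent e shall be an odd positive integer such that 2^16 < e < 2^256.
+"""
+VALIDATION_RSA_EXPONENT_OUT_OF_RANGE = validation.ValidationFinding(
+validation.ValidationFindingSeverity.NOTICE,
+'ts_119_312.6.2.2.1.rsa_exponent_of_range'
+)
+
+VALIDATION_RSA_SMALL_MODULUS = validation.ValidationFinding(
+validation.ValidationFindingSeverity.NOTICE,
+'ts_119_312.8.4.rsa_small_modulus'
+)
+
+_MIN_MODULUS_LENGTH = 1900
+_MIN_EXPONENT_EXCLUSIVE = 1 << 16
+_MAX_EXPONENT_EXCLUSIVE = 1 << 256
+
+def __init__(self):
+super().__init__(
+validations=[self.VALIDATION_RSA_EXPONENT_OUT_OF_RANGE, self.VALIDATION_RSA_SMALL_MODULUS],
+pdu_class=rfc3279.RSAPublicKey
+)
+
+def validate(self, node):
+modulus_len = int(node.children['modulus'].pdu).bit_length()
+exponent_int = int(node.children['publicExponent'].pdu)
+
+findings = []
+
+if modulus_len < 1900:
+findings.append(validation.ValidationFindingDescription(
+self.VALIDATION_RSA_SMALL_MODULUS,
+f'RSA public key has a modulus length of {modulus_len} bits'
+))
+
+if not self._MIN_EXPONENT_EXCLUSIVE < exponent_int < self._MAX_EXPONENT_EXCLUSIVE:
+findings.append(validation.ValidationFindingDescription(
+self.VALIDATION_RSA_EXPONENT_OUT_OF_RANGE,
+f'RSA public key has an exponent of {exponent_int}'
+))
+
+return validation.ValidationResult(self, node, findings)
+
+
+def _create_alg_id_der(o: univ.ObjectIdentifier, params: Optional[base.Asn1Type]) -> bytes:
+alg_id = rfc5280.AlgorithmIdentifier()
+alg_id['algorithm'] = o
+
+if params is not None:
+alg_id['parameters'] = encode(params)
+
+return encode(alg_id)
+
+
+_RSA_SPKI_ALG_ID_ENCODINGS = [
+_create_alg_id_der(rfc5480.rsaEncryption, univ.Null(''))
+]
+
+
+# TODO: add DSA
+
+
+_ECDSA_SPKI_ALG_ID_ENCODINGS = [
+_create_alg_id_der(rfc5480.id_ecPublicKey, c) for c in (
+univ.ObjectIdentifier('1.2.250.1.223.101.256.1'), # FRP256v1
+rfc5639.brainpoolP256r1,
+rfc5639.brainpoolP384r1,
+rfc5639.brainpoolP512r1,
+rfc5480.secp256r1,
+rfc5480.secp384r1,
+rfc5480.secp521r1,
+)
+]
+
+
+_SPKI_ALG_ID_ENCODINGS = _RSA_SPKI_ALG_ID_ENCODINGS + _ECDSA_SPKI_ALG_ID_ENCODINGS
+
+
+class AllowedPublicKeyTypeValidator(certificate_key.AllowedPublicKeyAlgorithmEncodingValidator):
+"""
+GEN-4.2.5-1
+The subject public key should be selected according to ETSI TS 119 312 [i.7].
+NOTE: Cryptographic suites recommendations defined in ETSI TS 119 312 [i.7] can be superseded by national
+recommendations.
+"""
+VALIDATION_DISCOURAGED_PUBLIC_KEY_TYPE = validation.ValidationFinding(
+validation.ValidationFindingSeverity.NOTICE,
+'etsi.en_319_412_2.gen-4.2.5-1.discouraged_public_key_type'
+)
+
+def __init__(self):
+super().__init__(
+validation=self.VALIDATION_DISCOURAGED_PUBLIC_KEY_TYPE,
+allowed_encodings=_SPKI_ALG_ID_ENCODINGS,
+pdu_class=rfc5280.AlgorithmIdentifier
+)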
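Review bot: The exponent check in `RsaKeyValidator.validate` tests only the range 2^16 < e < 2^256, while the class docstring quotes clause 6.2.2.1 as requiring an odd positive integer, so an even exponent inside that range produces no finding. Adding the parity test closes the gap: `if exponent_int % 2 == 0 or not self._MIN_EXPONENT_EXCLUSIVE < exponent_int < self._MAX_EXPONENT_EXCLUSIVE:`. The modulus check compares against the literal `1900` while `_MIN_MODULUS_LENGTH` is defined and never read; `if modulus_len < self._MIN_MODULUS_LENGTH:` keeps the threshold in one place. The finding code `'ts_119_312.6.2.2.1.rsa_exponent_of_range'` appears to be missing "out" relative to the constant's name, and the expected-findings file added in this commit already pins that spelling, so it is cheapest to settle now. The class docstring could also cite the clause behind the modulus check, which the finding code attributes to 8.4.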
@@ -0,0 +1,48 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

node_path,validator,severity,code,message
certificate.tbsCertificate.subject.rdnSequence,EvSubscriberAttributeAllowanceValidator,WARNING,cabf.ev_guidelines.common_name_attribute_present,
certificate.tbsCertificate.subject.rdnSequence,LegalPersonSubjectAttributeAllowanceValidator,ERROR,etsi.en_319_412_3.leg-4.2.1-2.organization_identifier_attribute_absent,
certificate.tbsCertificate.subjectPublicKeyInfo,EcdsaKeyValidator,WARNING,cabf.ecdsa_key_validation_failed,Unsupported key type
certificate.tbsCertificate.subjectPublicKeyInfo.algorithm,ServerauthAllowedPublicKeyAlgorithmEncodingValidator,ERROR,cabf.serverauth.prohibited_subject_public_key_algorithm_encoding,Prohibited encoding: 301306072a8648ce3d020106082a8648ce3d03010c
certificate.tbsCertificate.subjectPublicKeyInfo.algorithm,AllowedPublicKeyTypeValidator,NOTICE,etsi.en_319_412_2.gen-4.2.5-1.discouraged_public_key_type,Prohibited encoding: 301306072a8648ce3d020106082a8648ce3d03010c
certificate.tbsCertificate.extensions.0.extnValue.keyUsage,SubscriberKeyUsageValidator,WARNING,cabf.serverauth.subscriber_discouraged_ku_present,Discouraged KU present: keyAgreement
certificate.tbsCertificate.extensions.0.extnValue.keyUsage,LegalPersonKeyUsageValidator,WARNING,etsi.en_319_412_2.nat-4.3.2-1.mixed_key_usage_setting,
certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies.2.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present,
certificate.tbsCertificate.extensions.4.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified,
certificate.tbsCertificate.extensions.7.extnValue.cRLDistributionPoints,CrlDpDistributionPointCountValidator,WARNING,cabf.serverauth.crldp_multiple_distributionpoints_present,
certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.subject_key_identifier_extension_present,
certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_extension_present,Unknown extension present: 1.3.6.1.5.5.7.1.3
@@ -0,0 +1,42 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

node_path,validator,severity,code,message
certificate.tbsCertificate.extensions.0.extnValue.keyUsage,LegalPersonKeyUsageValidator,WARNING,etsi.en_319_412_2.nat-4.3.2-1.mixed_key_usage_setting,
certificate.tbsCertificate.subject.rdnSequence,LegalPersonSubjectAttributeAllowanceValidator,ERROR,etsi.en_319_412_3.leg-4.2.1-2.organization_identifier_attribute_absent,
certificate.tbsCertificate.subjectPublicKeyInfo.algorithm,AllowedPublicKeyTypeValidator,NOTICE,etsi.en_319_412_2.gen-4.2.5-1.discouraged_public_key_type,Prohibited encoding: 301306072a8648ce3d020106082a8648ce3d03010c
certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies.2,CertificatePolicyQualifierValidator,NOTICE,pkix.certificate_policies_policy_has_qualifier,
certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies,CertificatePoliciesValidator,ERROR,etsi.en_319_412_2.qcs-5.2-2.mismatched_policy_identifier_for_certificate_type,"Certificate type is QNCP_W_GEN_LEGAL_PERSON_EIDAS_FINAL_CERTIFICATE (0.4.0.194112.1.6) but certificate contains certificate type policy identifier ""0.4.0.194112.1.4"""
certificate.tbsCertificate.extensions.4.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified,
@@ -0,0 +1,45 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

node_path,validator,severity,code,message
certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.rSAPublicKey,RsaKeyValidator,NOTICE,ts_119_312.8.4.rsa_small_modulus,RSA public key has a modulus length of 1560 bits
certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.rSAPublicKey,RsaKeyValidator,NOTICE,ts_119_312.6.2.2.1.rsa_exponent_of_range,RSA public key has an exponent of 3
certificate.tbsCertificate.extensions.6.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method,
