diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..c114b82 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,18 @@ +# Changelog + +ALl notable changes to this project from version 0.9.3 onwards are documented in this file. + +## 0.9.3 - 2023-09-20 + +### New features/enhancements + +- Explicitly support Python 3.12 (#34) +- Add REST endpoint that returns the set of possible findings for a specific linter (#36) +- Surround document-sourced string values with double quotes in finding messages (#41) + +### Fixes + +- Suppress `ValueError` stack trace when `lint_cabf_smime_cert` can't determine certificate type (#37) +- `OrganizationIdentifierCountryNameConsistentValidator` should perform a case-insensitive country comparison (#38) +- Change severity of `cabf.smime.email_address_in_attribute_not_in_san` from WARNING to ERROR (#39) +- Decoding error when determining certificate type returns HTTP 500 (#40) diff --git a/VERSION.txt b/VERSION.txt index f76f913..b3ec163 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -0.9.2 \ No newline at end of file +0.9.3 \ No newline at end of file diff --git a/pkilint/bin/lint_cabf_smime_cert.py b/pkilint/bin/lint_cabf_smime_cert.py index 2bd1b1a..b7b96f7 100644 --- a/pkilint/bin/lint_cabf_smime_cert.py +++ b/pkilint/bin/lint_cabf_smime_cert.py @@ -122,7 +122,9 @@ def main(cli_args=None) -> int: v_g = smime.determine_validation_level_and_generation(cert, args.mapping) if v_g is None: - raise ValueError('Could not determine validation level and generation') + print('Could not determine validation level and generation', file=sys.stderr) + + return 1 else: validation_level, generation = v_g elif args.guess: diff --git a/pkilint/cabf/cabf_name.py b/pkilint/cabf/cabf_name.py index 5e67580..f0a4faf 100644 --- a/pkilint/cabf/cabf_name.py +++ b/pkilint/cabf/cabf_name.py 
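Review bot: In the lint_cabf_smime_cert.py hunk the new error path writes to `sys.stderr`, but the hunk does not show a `sys` import for this file; confirm one exists, since the `raise ValueError` it replaces did not need it. With `return 1` ending the `if v_g is None:` branch, the following `else:` is redundant and `validation_level, generation = v_g` can be dedented into the enclosing block. The body of `main` starts and continues outside the hunk.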
@@ -119,7 +119,7 @@ def validate_with_value(self, node, choice_node): if m is None: raise validation.ValidationFindingEncountered( self.VALIDATION_ORGANIZATION_ID_INVALID_FORMAT, - f'Invalid format: {value_node.pdu}' + f'Invalid format: "{value_node.pdu}"' ) scheme_info = self._allowed_schemes.get(m['scheme']) @@ -127,18 +127,18 @@ def validate_with_value(self, node, choice_node): if scheme_info is None: raise validation.ValidationFindingEncountered( self.VALIDATION_ORGANIZATION_ID_INVALID_SCHEME, - f'Invalid registration scheme: {m["scheme"]}' + f'Invalid registration scheme: "{m["scheme"]}"' ) if scheme_info.require_registration_reference and m['reference'] is None: raise validation.ValidationFindingEncountered( self.VALIDATION_ORGANIZATION_ID_INVALID_FORMAT, - f'Missing Registration Reference: {value_node.pdu}' + f'Missing Registration Reference: "{value_node.pdu}"' ) elif not scheme_info.require_registration_reference and m['reference']: raise validation.ValidationFindingEncountered( self.VALIDATION_ORGANIZATION_ID_INVALID_FORMAT, - f'Prohibited Registration Reference is present: {value_node.pdu}' + f'Prohibited Registration Reference is present: "{value_node.pdu}"' ) country_code = '' if m['country'] is None else m['country'].upper() @@ -156,7 +156,7 @@ def validate_with_value(self, node, choice_node): if not valid_country_code: raise validation.ValidationFindingEncountered( self.VALIDATION_ORGANIZATION_ID_INVALID_COUNTRY, - f'Invalid country code for scheme "{m["scheme"]}": {country_code}' + f'Invalid country code for scheme "{m["scheme"]}": "{country_code}"' ) if m['sp'] is not None and not scheme_info.allow_state_province: diff --git a/pkilint/cabf/serverauth/serverauth_extension.py b/pkilint/cabf/serverauth/serverauth_extension.py index e0685d4..719cb90 100644 --- a/pkilint/cabf/serverauth/serverauth_extension.py +++ b/pkilint/cabf/serverauth/serverauth_extension.py 
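Review bot: The double quotes added around `{value_node.pdu}` and `{m["scheme"]}` in these cabf_name.py messages use a delimiter that the interpolated value can itself contain, because the value comes from the certificate being linted, so a reader of the message cannot tell an embedded `"` from the delimiter. If the quotes are meant to mark the document-sourced span unambiguously, `repr(str(value_node.pdu))` or an explicit escape of embedded quotes would do that; if they are purely cosmetic, a short comment at the first use, e.g. `# quotes delimit the document-sourced value; it is not escaped`, saves the next reader the question. The same pattern appears in the serverauth_extension.py, serverauth_name.py, serverauth_subscriber.py, smime_name.py, lei.py and pkix/name.py hunks. `validate_with_value` starts outside the hunk.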
@@ -152,7 +152,7 @@ def validate(self, node): raise validation.ValidationFindingEncountered( self.VALIDATION_DUPLICATE_LOCATION_URI, - f'Duplicate AIA access locations: {dup_locations_str}' + f'Duplicate AIA access locations: "{dup_locations_str}"' ) diff --git a/pkilint/cabf/serverauth/serverauth_name.py b/pkilint/cabf/serverauth/serverauth_name.py index 4734641..2d2f7cc 100644 --- a/pkilint/cabf/serverauth/serverauth_name.py +++ b/pkilint/cabf/serverauth/serverauth_name.py @@ -57,7 +57,7 @@ def validate(self, node): if business_category not in self._ALLOWED_VALUES: raise validation.ValidationFindingEncountered( self.VALIDATION_INVALID_BUSINESS_CATEGORY, - f'Invalid business category: {business_category}' + f'Invalid business category: "{business_category}"' ) @@ -131,7 +131,7 @@ def validate(self, node): if m is None: raise validation.ValidationFindingEncountered( self.VALIDATION_CABF_ORG_ID_INVALID_SYNTAX, - f'Invalid syntax: {attr_value}' + f'Invalid syntax: "{attr_value}"' ) findings = [] diff --git a/pkilint/cabf/serverauth/serverauth_subscriber.py b/pkilint/cabf/serverauth/serverauth_subscriber.py index 4333d9b..836389a 100644 --- a/pkilint/cabf/serverauth/serverauth_subscriber.py +++ b/pkilint/cabf/serverauth/serverauth_subscriber.py @@ -55,7 +55,7 @@ def validate(self, node): if scheme_info is None: raise validation.ValidationFindingEncountered( self.VALIDATION_ORGANIZATION_ID_INVALID_SCHEME, - f'Invalid registration scheme: {scheme}' + f'Invalid registration scheme: "{scheme}"' ) if scheme_info.country_identifier_type == cabf_constants.RegistrationSchemeCountryIdentifierType.NONE: @@ -71,7 +71,7 @@ def validate(self, node): if not valid_country_code: raise validation.ValidationFindingEncountered( self.VALIDATION_ORGANIZATION_ID_INVALID_COUNTRY, - f'Invalid country code for scheme "{scheme}": {country}' + f'Invalid country code for scheme "{scheme}": "{country}"' ) if sp is not None and not scheme_info.allow_state_province: 
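Review bot: `dup_locations_str` in the serverauth_extension.py hunk is, by its name, several access locations joined into one string (the join is outside the hunk), so wrapping the whole value in a single pair of quotes reads as if it were one location. If it is a joined sequence, quoting each element where the string is built, e.g. `', '.join(f'"{loc}"' for loc in <the sequence being joined>)`, keeps each location delimited. `validate` starts and ends outside the hunk.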
diff --git a/pkilint/cabf/smime/finding_metadata.csv b/pkilint/cabf/smime/finding_metadata.csv index bf28da0..cff5049 100644 --- a/pkilint/cabf/smime/finding_metadata.csv +++ b/pkilint/cabf/smime/finding_metadata.csv @@ -30,7 +30,7 @@ ERROR,cabf.smime.common_name_value_unknown_source,SMBR 7.1.4.2.2 (a),Common name ERROR,cabf.smime.cps_uri_is_not_http,SMBR 7.1.2.3 (a),"""If the value of this extension includes a PolicyInformation which contains a qualifier of type id-qt-cps (OID: 1.3.6.1.5.5.7.2.1), then the value of the qualifier SHALL be a HTTP or HTTPS URL for the Issuing CA�s CP and/or CPS, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA""" ERROR,cabf.smime.crldp_fullname_prohibited_generalname_type,SMBR 7.1.2.3 (b),"""Allowed URI scheme""" ERROR,cabf.smime.crldp_fullname_prohibited_uri_scheme,SMBR 7.1.2.3 (b),"Legacy: ""At least one uniformResourceIdentifier SHALL have the URI scheme HTTP"". MP and strict: ""Every uniformResourceIdentifier SHALL have the URI scheme HTTP""" -ERROR,cabf.smime.email_address_in_common_name_not_in_san,SMBR 7.1.4.2.2 (a),"""If present, the Mailbox Address SHALL contain a rfc822Name or otherName value of type id-on-SmtpUTF8Mailbox from extensions:subjectAltName""" +ERROR,cabf.smime.email_address_in_attribute_not_in_san,SMBR 7.1.4.2.1,"""All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extension""" ERROR,cabf.smime.emailprotection_eku_missing,SMBR 7.1.2.3 (f),"""id-kp-emailProtection SHALL be present""" ERROR,cabf.smime.extended_key_usage_extension_missing,SMBR 7.1.2.3 (f),"""SHALL be present""" ERROR,cabf.smime.invalid_lei_scheme_format,SMBR 7.1.4.2.2 (d) and SMBR 7.1.2.3 (l),LEI value does not conform to standard LEI format (20 alphanumeric characters) 
@@ -129,7 +129,6 @@ WARNING,cabf.rsa_exponent_not_in_recommended_range,SMBR 6.1.6,"""Additionally, t WARNING,cabf.rsa_modulus_has_small_prime_factor,SMBR 6.1.6,"""Additionally, the public exponent SHOULD be in the range between 2^16 + 1 and 2^256 ? 1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752.""" WARNING,cabf.smime.certificate_validity_period_at_maximum,SMBR 6.3.2,"""For this reason, Subscriber Certificates SHOULD NOT be issued for the maximum permissible time by default, in order to account for such adjustments""" WARNING,cabf.smime.critical_crldp_extension,SMBR 7.1.2.3 (b),"""This extension SHOULD NOT be marked critical""" -WARNING,cabf.smime.email_address_in_attribute_not_in_san,SMBR 7.1.4.2.1,"""All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extension"". Findings of this type are likely an ERROR, but this finding is marked at WARNING-level due to the possibility of false positives." WARNING,cabf.smime.ku_extension_not_critical,SMBR 7.1.2.3 (e),"""This extension SHOULD be marked critical""" WARNING,pkix.certificate_crldp_extension_critical,RFC 5280 4.2.1.13,"""The extension SHOULD be non-critical""" WARNING,pkix.certificate_policies_explicit_text_has_control_character,RFC 5280 4.2.1.4,"""The explicitText string SHOULD NOT include any control characters (e.g., U+0000 to U+001F and U+007F to U+009F)""" diff --git a/pkilint/cabf/smime/smime_name.py b/pkilint/cabf/smime/smime_name.py index 95c5968..bbdf28a 100644 --- a/pkilint/cabf/smime/smime_name.py +++ b/pkilint/cabf/smime/smime_name.py 
@@ -234,13 +234,8 @@ def create_subscriber_certificate_subject_validator_container( class SubjectAlternativeNameContainsSubjectEmailAddressesValidator( validation.Validator ): - VALIDATION_EMAIL_ADDRESS_IN_CN_MISSING_FROM_SAN = validation.ValidationFinding( - validation.ValidationFindingSeverity.ERROR, - 'cabf.smime.email_address_in_common_name_not_in_san' - ) - VALIDATION_EMAIL_ADDRESS_IN_ATTRIBUTE_MISSING_FROM_SAN = validation.ValidationFinding( - validation.ValidationFindingSeverity.WARNING, + validation.ValidationFindingSeverity.ERROR, 'cabf.smime.email_address_in_attribute_not_in_san' ) @@ -252,7 +247,6 @@ class SubjectAlternativeNameContainsSubjectEmailAddressesValidator( def __init__(self): super().__init__( validations=[ - self.VALIDATION_EMAIL_ADDRESS_IN_CN_MISSING_FROM_SAN, self.VALIDATION_EMAIL_ADDRESS_IN_ATTRIBUTE_MISSING_FROM_SAN, self.VALIDATION_UNPARSED_ATTRIBUTE, ], 
@@ -285,29 +279,13 @@ def validate(self, node): value_str = str(value.pdu) if bool(validators.email(value_str)): - san_ext = node.document.get_extension_by_oid( - rfc5280.id_ce_subjectAltName - ) - if san_ext is None: - email_sans = set() - else: - email_sans = set(( - str(gn.child[1].pdu) - for gn in san_ext[0].navigate('extnValue.subjectAltName').children.values() - if gn.child[0] == 'rfc822Name' - )) - - if value_str not in email_sans: - if oid == rfc5280.id_at_commonName: - raise validation.ValidationFindingEncountered( - self.VALIDATION_EMAIL_ADDRESS_IN_CN_MISSING_FROM_SAN, - value_str - ) - else: - raise validation.ValidationFindingEncountered( - self.VALIDATION_EMAIL_ADDRESS_IN_ATTRIBUTE_MISSING_FROM_SAN, - f'Attribute {str(oid)} with value "{value_str}" not found in SAN' - ) + san_email_addresses = get_email_addresses_from_san(node.document) + + if value_str not in san_email_addresses: + raise validation.ValidationFindingEncountered( + self.VALIDATION_EMAIL_ADDRESS_IN_ATTRIBUTE_MISSING_FROM_SAN, + f'Attribute {str(oid)} with value "{value_str}" not found in SAN' + ) class CommonNameValidator(validation.Validator): @@ -411,7 +389,7 @@ def validate(self, node): if not value.startswith(self._LEI_PREFIX): raise validation.ValidationFindingEncountered( self.VALIDATION_INVALID_ORGID_LEI_FORMAT, - f'Invalid Organization Identifier format: {value}' + f'Invalid Organization Identifier format: "{value}"' ) lei_value = value[len(self._LEI_PREFIX):] @@ -455,7 +433,7 @@ def validate(self, node): if not orgid_country_name or orgid_country_name.upper() == 'XG': continue - if orgid_country_name != country_name_value: + if orgid_country_name.casefold() != country_name_value.casefold(): raise validation.ValidationFindingEncountered( self.VALIDATION_ORGID_COUNTRYNAME_INCONSISTENT, f'CountryName attribute value: "{country_name_value}", ' diff --git a/pkilint/iso/lei.py b/pkilint/iso/lei.py index 8aef20b..bb322d2 100644 --- a/pkilint/iso/lei.py +++ b/pkilint/iso/lei.py 
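Review bot: The rewritten `validate` in the smime_name.py hunk delegates to `get_email_addresses_from_san(node.document)`, whose definition or import is not in this diff, so two behaviours of the removed code cannot be confirmed from the hunk: it returned an empty set when the SAN extension was absent (so a subject e-mail address with no SAN still produced a finding rather than an exception), and it collected only `rfc822Name` entries. Because the same commit raises this finding from WARNING to ERROR, and the removed finding_metadata.csv row said WARNING was chosen "due to the possibility of false positives", the helper needs to cover `id-on-SmtpUTF8Mailbox` otherName values as well as `rfc822Name`, otherwise those false positives become ERROR-level findings. Once confirmed, a one-line comment above the call, e.g. `# empty set when the certificate has no SAN extension; includes rfc822Name and SmtpUTF8Mailbox entries`, would document the contract this check relies on. `validate` starts outside the hunk.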
@@ -61,7 +61,7 @@ def validate_lei(lei: str):
 if m is None:
 raise validation.ValidationFindingEncountered(
- VALIDATION_INVALID_LEI_FORMAT, f'Invalid LEI format: {lei}'
+ VALIDATION_INVALID_LEI_FORMAT, f'Invalid LEI format: "{lei}"'
 )
 value_part = m.group('value')
diff --git a/pkilint/pkix/name.py b/pkilint/pkix/name.py
index f0fd5a6..1f66f55 100644
--- a/pkilint/pkix/name.py
+++ b/pkilint/pkix/name.py
@@ -199,7 +199,7 @@ def validate(self, node):
 if not isinstance(ret, bool) or not ret:
 raise validation.ValidationFindingEncountered(
 self.VALIDATION_NAME_DC_NOT_A_VALID_DOMAIN_NAME,
- f'Invalid domain name in domainComponents: {domain_name}'
+ f'Invalid domain name in domainComponents: "{domain_name}"'
 )
diff --git a/pkilint/report.py b/pkilint/report.py
index 37131f5..0ef817c 100644
--- a/pkilint/report.py
+++ b/pkilint/report.py
@@ -1,8 +1,9 @@
 import csv
 import io
 import json
-from typing import Iterable, Optional, Any
+from typing import Iterable, Optional, Any, List
+from pkilint import validation
 from pkilint.validation import ValidationFindingSeverity, ValidationResult, ValidationFindingDescription
@@ -143,17 +144,21 @@ def report_wrapper(report_generator_cls, *args, **kwargs):
 _VALIDATION_LIST_CSV_FIELDNAMES = ['severity', 'code']
-def report_included_validations(*args):
+def get_included_validations(*args) -> List[validation.ValidationFinding]:
+ all_validations = set()
+ for validator in args:
+ all_validations.update(validator.validations)
+
+ return sorted(all_validations, key=lambda v: f'{int(v.severity)}-{v.code}')
+
+
+def report_included_validations(*args) -> str:
 s = io.StringIO()
 c = csv.DictWriter(s, fieldnames=_VALIDATION_LIST_CSV_FIELDNAMES)
 c.writeheader()
- all_validations = set()
- for validator in args:
- all_validations.update(validator.validations)
-
- validations = sorted(all_validations, key=lambda v: f'{int(v.severity)}-{v.code}')
+ validations = get_included_validations(*args)
 for v in validations:
 c.writerow({'severity': str(v.severity), 'code': v.code})
diff --git a/pkilint/rest/__init__.py b/pkilint/rest/__init__.py
index 809fdad..e8fe7c2 100644
--- a/pkilint/rest/__init__.py
+++ b/pkilint/rest/__init__.py
@@ -7,7 +7,7 @@ from pkilint.rest import model
 _PKILINT_VERSION = version('pkilint')
-_API_VERSION = 'v1'
+_API_VERSION = 'v1.1'
 app = FastAPI(
 title='pkilint API',
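Review bot: `get_included_validations` in the report.py hunk sorts with the string key `f'{int(v.severity)}-{v.code}'`, so severity is compared lexicographically and a value of 10 or more would sort between 1 and 2; the tuple key `key=lambda v: (int(v.severity), v.code)` orders identically for single-digit severities and stays correct beyond them. Whether the severity enum currently has such values is not visible here. The function is new and public but has no docstring; I would add `"""Return the validations declared by the given validators, de-duplicated and sorted by severity then code."""`.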
@@ -74,6 +74,16 @@ def certificate_determine_type(linter_group_name: str, doc: model.CertificateMod
 return linter_group_instance.determine_linter(parsed_doc)
+@app.get('/certificate/{linter_group_name}/{linter_name}')
+def linter_validations(linter_group_name: str, linter_name: str) -> List[model.Validation]:
+ """Returns the set of validations performed by the specified linter"""
+ linter_group_instance = _get_linter_group_by_name(linter_group_name)
+
+ linter_instance = linter_group_instance.get_linter_by_name(linter_name)
+
+ return linter_instance.validations
+
+
 @app.post('/certificate/{linter_group_name}/{linter_name}')
 def certificate_lint(linter_group_name: str, linter_name: str, doc: model.CertificateModel) -> model.LintResultList:
 """Lints the specified certificate with the specified linter"""
diff --git a/pkilint/rest/cabf_serverauth.py b/pkilint/rest/cabf_serverauth.py
index 303750f..30d2bc3 100644
--- a/pkilint/rest/cabf_serverauth.py
+++ b/pkilint/rest/cabf_serverauth.py
@@ -1,4 +1,5 @@
 from fastapi import HTTPException
+from pyasn1.error import PyAsn1Error
 from pkilint.cabf import serverauth
 from pkilint.cabf.serverauth import serverauth_constants
@@ -11,7 +12,12 @@ def __init__(self, linters):
 super().__init__(name='cabf-serverauth', linters=linters)
 def determine_linter(self, doc):
- cert_type = serverauth.determine_certificate_type(doc)
+ try:
+ cert_type = serverauth.determine_certificate_type(doc)
+ except (ValueError, PyAsn1Error) as e:
+ message = f'Parsing error occurred: {e}'
+
+ raise HTTPException(status_code=422, detail=message)
 # this doesn't fail, so we don't need to guard against not being able to determine the certificate type
 return next((l for l in self.linters if l.name.casefold() == cert_type.to_option_str.casefold()))
diff --git a/pkilint/rest/cabf_smime.py b/pkilint/rest/cabf_smime.py
index 0cba430..6c5b241 100644
--- a/pkilint/rest/cabf_smime.py
+++ b/pkilint/rest/cabf_smime.py
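Review bot: `linter_validations` in the rest/__init__.py hunk passes the `linter_name` path parameter straight to `get_linter_by_name`, and the hunk does not show what that method does for an unknown name; if it raises KeyError or StopIteration the client receives a 500 instead of a 404, so confirm it raises HTTPException, or handle the lookup the way `certificate_lint` below does (its body is outside the hunk). In the cabf_serverauth.py hunk, and the identical one in cabf_smime.py on the next line, the re-raise inside `except (ValueError, PyAsn1Error) as e:` should chain its cause, `raise HTTPException(status_code=422, detail=message) from e`, so the parser traceback stays available in server-side logs while the client still gets the 422.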
@@ -1,4 +1,5 @@
 from fastapi import HTTPException
+from pyasn1.error import PyAsn1Error
 from pkilint.cabf import smime
 from pkilint.cabf.smime import smime_constants
@@ -11,7 +12,12 @@ def __init__(self, linters):
 super().__init__(name='cabf-smime', linters=linters)
 def determine_linter(self, doc):
- v_g = smime.determine_validation_level_and_generation(doc)
+ try:
+ v_g = smime.determine_validation_level_and_generation(doc)
+ except (ValueError, PyAsn1Error) as e:
+ message = f'Parsing error occurred: {e}'
+
+ raise HTTPException(status_code=422, detail=message)
 if v_g is None:
 raise HTTPException(status_code=422, detail='Could not determine certificate type')
diff --git a/pkilint/rest/model.py b/pkilint/rest/model.py
index f20f09e..271a279 100644
--- a/pkilint/rest/model.py
+++ b/pkilint/rest/model.py
@@ -16,6 +16,11 @@ class Version(BaseModel):
 _SEVERITY_DESCRIPTION = f'The severity of the finding ({", ".join(map(str, validation.ValidationFindingSeverity))})'
+class Validation(BaseModel):
+ severity: Annotated[str, Field(description=_SEVERITY_DESCRIPTION)]
+ code: Annotated[str, Field(description='The code that identifies the type of validation')]
+
+
 class FindingDescription(BaseModel):
 severity: Annotated[str, Field(description=_SEVERITY_DESCRIPTION)]
 code: Annotated[str, Field(description='The code that identifies the type of finding')]
@@ -45,6 +50,13 @@ def __init__(self, validator, finding_filters=None, **kwargs):
 self._validator = validator
 self._finding_filters = finding_filters
+ @property
+ def validations(self) -> List[Validation]:
+ return [
+ Validation(severity=str(v.severity), code=v.code)
+ for v in report.get_included_validations(self._validator)
+ ]
+
 def lint(self, doc) -> LintResultList:
 results = self._validator.validate(doc.root)
diff --git a/pkilint/validation.py b/pkilint/validation.py
index 018125a..bccb5ca 100644
--- a/pkilint/validation.py
+++ b/pkilint/validation.py
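Review bot: The `validations` property added in the model.py hunk references `List` and `report`, and neither import is in this diff (the file's import block is not shown); confirm both are in scope, and that nothing reachable from `pkilint.report` imports `pkilint.rest.model` back, since that would now be a cycle. `Validation` is field-for-field the same as `FindingDescription` apart from the description text, which is fine as a separate API type but deserves a class docstring so the generated OpenAPI schema explains the distinction, e.g. `"""A validation a linter can perform, identified by severity and code."""`. The class enclosing `validations` starts outside the hunk.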
@@ -115,18 +115,18 @@ def validate(self, node: PDUNode) -> 'ValidationResult': pass @property - def tags(self): + def tags(self) -> List[str]: return ['static'] @property - def validations(self): + def validations(self) -> List[ValidationFinding]: return self._validations + [self.VALIDATION_FINDING_UNHANDLED_EXCEPTION] @property - def name(self): + def name(self) -> str: return self.__class__.__name__ - def __repr__(self): + def __repr__(self) -> str: return self.name diff --git a/setup.cfg b/setup.cfg index e5e04f8..9fb3431 100644 --- a/setup.cfg +++ b/setup.cfg @@ -19,6 +19,7 @@ classifiers = Programming Language :: Python :: 3.9 Programming Language :: Python :: 3.10 Programming Language :: Python :: 3.11 + Programming Language :: Python :: 3.12 [options] zip_safe = True diff --git a/tests/integration_certificate/smime_br/individual/legacy/subject_email_not_in_san.crttest b/tests/integration_certificate/smime_br/individual/legacy/subject_email_not_in_san.crttest index 37c8a7b..1225145 100644 --- a/tests/integration_certificate/smime_br/individual/legacy/subject_email_not_in_san.crttest +++ b/tests/integration_certificate/smime_br/individual/legacy/subject_email_not_in_san.crttest @@ -33,6 +33,6 @@ fvIxRAYBvTkh/dWMDVr06pxeZgQW685QDDOFno9Ev4YCQFu6paaJ2Pz/5hJeMzMC +KIDg6NtlaijbvLmwVnK5xh4KOJ5Tiac -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,SubjectAlternativeNameContainsSubjectEmailAddressesValidator,ERROR,cabf.smime.email_address_in_common_name_not_in_san,hanako.yamada+alt@example.com +certificate.tbsCertificate.subject.rdnSequence.0.0,SubjectAlternativeNameContainsSubjectEmailAddressesValidator,ERROR,cabf.smime.email_address_in_attribute_not_in_san,"Attribute 2.5.4.3 with value ""hanako.yamada+alt@example.com"" not found in SAN" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 
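Review bot: The new return annotations in the validation.py hunk use `List[str]` and `List[ValidationFinding]` unquoted, while the hunk's context line `validate(self, node: PDUNode) -> 'ValidationResult'` uses a string forward reference, which indicates this file evaluates annotations at definition time; `List` must therefore be imported from `typing` and `ValidationFinding` must be defined above this class, and the hunk shows neither. If `ValidationFinding` is defined later in the file, quote it as `'ValidationFinding'` the way `validate` does. The enclosing class starts outside the hunk.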
diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/gov_orgid_invalid_country.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/gov_orgid_invalid_country.crttest index 05ecaba..9417fdf 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/gov_orgid_invalid_country.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/gov_orgid_invalid_country.crttest @@ -35,6 +35,6 @@ G+Tj1GckmJI+dJL7fgjYMqaFLtkKodE/JR0Tp5tQtb5kI1ze8bjKV5qnMlCIV1Rt aAubxd8E0dIBazc293NX8ypBQRFYjdUR1A== -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""GOV"": XG" +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""GOV"": ""XG""" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/gov_orgid_no_country.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/gov_orgid_no_country.crttest index fc49c9b..48ece79 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/gov_orgid_no_country.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/gov_orgid_no_country.crttest 
@@ -35,6 +35,6 @@ koohmnIEidKmO4lhGqavh8bSVLy00PiebItEVoD4hgMtrcl3c8yM7C/cpXtmlRvk m8XfBNHSAWs3NvdzV/MqQUERWI3VEdQ= -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""GOV"": " +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""GOV"": """"" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/int_orgid_with_reference.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/int_orgid_with_reference.crttest index b6c2efb..58d9e5c 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/int_orgid_with_reference.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/int_orgid_with_reference.crttest @@ -35,6 +35,6 @@ pXtmlRvk49RnJJiSPnSS+34I2DKmhS7ZCqHRPyUdE6ebULW+ZCNc3vG4yleapzJQ iFdUbWgLm8XfBNHSAWs3NvdzV/MqQUERWI3VEdQ= -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_format,Prohibited Registration Reference is present: INTXG-123 +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_format,"Prohibited Registration Reference is present: ""INTXG-123""" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 
diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/int_with_country.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/int_with_country.crttest index be1566e..63c679c 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/int_with_country.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/int_with_country.crttest @@ -35,6 +35,6 @@ G+Tj1GckmJI+dJL7fgjYMqaFLtkKodE/JR0Tp5tQtb5kI1ze8bjKV5qnMlCIV1Rt aAubxd8E0dIBazc293NX8ypBQRFYjdUR1A== -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""INT"": US" +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""INT"": ""US""" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/lei_orgid_with_no_reference.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/lei_orgid_with_no_reference.crttest index c1720aa..9062904 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/lei_orgid_with_no_reference.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/lei_orgid_with_no_reference.crttest 
@@ -35,7 +35,7 @@ G+Tj1GckmJI+dJL7fgjYMqaFLtkKodE/JR0Tp5tQtb5kI1ze8bjKV5qnMlCIV1Rt aAubxd8E0dIBazc293NX8ypBQRFYjdUR1A== -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_format,Missing Registration Reference: LEIXG -certificate.tbsCertificate.subject.rdnSequence.0.0.value.x520OrganizationIdentifier,OrganizationIdentifierLeiValidator,ERROR,cabf.smime.invalid_lei_scheme_format,Invalid Organization Identifier format: LEIXG +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_format,"Missing Registration Reference: ""LEIXG""" +certificate.tbsCertificate.subject.rdnSequence.0.0.value.x520OrganizationIdentifier,OrganizationIdentifierLeiValidator,ERROR,cabf.smime.invalid_lei_scheme_format,"Invalid Organization Identifier format: ""LEIXG""" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/ntr_orgid_with_no_reference.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/ntr_orgid_with_no_reference.crttest index 168b534..9cdcb31 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/ntr_orgid_with_no_reference.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/ntr_orgid_with_no_reference.crttest 
@@ -35,6 +35,6 @@ e2aVG+Tj1GckmJI+dJL7fgjYMqaFLtkKodE/JR0Tp5tQtb5kI1ze8bjKV5qnMlCI V1RtaAubxd8E0dIBazc293NX8ypBQRFYjdUR1A== -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_format,Missing Registration Reference: NTRUS+PA +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_format,"Missing Registration Reference: ""NTRUS+PA""" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_and_countryname_same_different_case.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_and_countryname_same_different_case.crttest new file mode 100644 index 0000000..3a4974b --- /dev/null +++ b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_and_countryname_same_different_case.crttest 
@@ -0,0 +1,40 @@ +-----BEGIN CERTIFICATE----- +MIIGajCCBFKgAwIBAgIUT0nGRo909AMp7EmYVoILmgwKMsQwDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0 +ZWQxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMzA0MjgwMDAwMDBaFw0y +MzA3MjcyMzU5NTlaMH8xCzAJBgNVBAYTAnVzMSYwJAYDVQRhEx1OVFJVUytQQS1B +RVlFMDBFS1hFU1ZaVVVFQlA2NzEeMBwGA1UEChMVQWNtZSBJbmR1c3RyaWVzLCBM +dGQuMSgwJgYJKoZIhvcNAQkBFhloYW5ha28ueWFtYWRhQGV4YW1wbGUuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPnoGUOnrpiSqt4XynxA+HRP +7S+BSObI6qJ7fQAVSPtRkqsotWxQYLEYzNEx5ZSHTGypibVsJylvCfuToDTfMul8 +b/CZjP2Ob0LdpYrNH6l5hvFE89FU1nZQF15oVLOpUgA7wGiHuEVawrGfey92UE68 +mOyUVXGweJIVDdxqdMoPvNNUl86BU02vlBiESxOuox+dWmuVV7vfYZ79Toh/LUK4 +3YvJh+rhv4nKuF7iHjVjBd9sB6iDjj70HFldzOQ9r8SRI+9NirupPTkF5AKNe6kU +hKJ1luB7S27ZkvB3tSTT3P593VVJvnzOjaA1z6Cz+4+eRvcysqhrRgFlwI9TEwID +AQABo4ICEzCCAg8wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwHwYDVR0j +BBgwFoAU1kQAMnyoDf+sT2tm7rWumyzFOFQwHQYDVR0OBBYEFIkZWV4O8Wn1y71H +4TT84pjMaTCRMBQGA1UdIAQNMAswCQYHZ4EMAQUCAjA9BgNVHR8ENjA0MDKgMKAu +hixodHRwOi8vY3JsLmNhLmV4YW1wbGUuY29tL2lzc3VpbmdfY2FfY3JsLmNybDBL +BggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUHMAKGL2h0dHA6Ly9yZXBvc2l0b3J5LmNh +LmV4YW1wbGUuY29tL2lzc3VpbmdfY2EuZGVyMB0GA1UdJQQWMBQGCCsGAQUFBwME +BggrBgEFBQcDAjCByAYDVR0RBIHAMIG9gRloYW5ha28ueWFtYWRhQGV4YW1wbGUu +Y29toCkGCisGAQQBgjcUAgOgGwwZaGFuYWtvLnlhbWFkYUBleGFtcGxlLmNvbaAm +BggrBgEFBQcICaAaDBjlsbHnlLDoirHlrZBAZXhhbXBsZS5jb22kTTBLMSMwIQYD +VQRhExpMRUlYRy1BRVlFMDBFS1hFU1ZaVVVFQlA2NzEkMCIGA1UECgwb44Ki44Kv +44Of5bel5qWt5qCq5byP5Lya56S+MCMGCSsGAQQBg5gqAQQWExRBRVlFMDBFS1hF +U1ZaVVVFQlA2NzANBgkqhkiG9w0BAQsFAAOCAgEAALJ+FR219frGJUfrL8xWFfRu +FCnLdyzM78Ey0qJqZES199XlYozXhMzCUKYN/zbmery90uWNyuJtYGJYl0lhfzBx +MmMHk88gCDkLyj8h4a+r2NiQsiN2bXXp1t5CStQeoaljZL9r2IIERGB+MigR1Rz7 +g1ECvVo7+llr3/EwqV9aa88OtnmQoroSlk86hTGjdEUuixhR2T+/VMEpdlxmimg8 +8E8afa05yc+GBGnxhyk2zk+nbusC1TrEnMsF2zIaMGlHjMP/v3Gsl1VucFutU06x +hItWmWYcHeVr0wLO/gMDdSbIUgsxobvWynh52D4D1gJsHpnelc5EyGCxhLp7X9tj 
+Iy7pSXQAA9fy63cdSk6xbpYtlCU/S0PGm+gMMKAydAunL2WgqEwpFB0TwuE+obw3 +jJI2eO15YFJU5qEt5eNM2H7KzO0R5lZE0wnbmhgggYGrc6SFsVzgCocwHOtG9hET +ci6imtbQ8XoiY86KLUaxYcR4ilXoFj3yhKy8qP7LHdg+sI3/2sIVkoohmnIEidKm +O4lhGqavh8bSVLy00PiebItEVoD4hgMtrcl3c8yM7C/cpXtmlRvk49RnJJiSPnSS ++34I2DKmhS7ZCqHRPyUdE6ebULW+ZCNc3vG4yleapzJQiFdUbWgLm8XfBNHSAWs3 +NvdzV/MqQUERWI3VEdQ= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, \ No newline at end of file diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_has_unknown_scheme.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_has_unknown_scheme.crttest index c29e649..efc7c46 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_has_unknown_scheme.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_has_unknown_scheme.crttest @@ -35,6 +35,6 @@ i0RWgPiGAy2tyXdzzIzsL9yle2aVG+Tj1GckmJI+dJL7fgjYMqaFLtkKodE/JR0T p5tQtb5kI1ze8bjKV5qnMlCIV1RtaAubxd8E0dIBazc293NX8ypBQRFYjdUR1A== -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_registration_scheme,Invalid registration scheme: TAX +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_registration_scheme,"Invalid registration scheme: ""TAX""" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 
diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_lei_has_state.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_lei_has_state.crttest index d217b96..854314a 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_lei_has_state.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_lei_has_state.crttest @@ -37,6 +37,6 @@ JR0Tp5tQtb5kI1ze8bjKV5qnMlCIV1RtaAubxd8E0dIBazc293NX8ypBQRFYjdUR -----END CERTIFICATE----- node_path,validator,severity,code,message certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_state_province_for_scheme,"Scheme ""LEI"" does not allow state/province values" -certificate.tbsCertificate.subject.rdnSequence.0.0.value.x520OrganizationIdentifier,OrganizationIdentifierLeiValidator,ERROR,cabf.smime.invalid_lei_scheme_format,Invalid Organization Identifier format: LEIXG+PA-AEYE00EKXESVZUUEBP67 +certificate.tbsCertificate.subject.rdnSequence.0.0.value.x520OrganizationIdentifier,OrganizationIdentifierLeiValidator,ERROR,cabf.smime.invalid_lei_scheme_format,"Invalid Organization Identifier format: ""LEIXG+PA-AEYE00EKXESVZUUEBP67""" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_lei_has_wrong_country_code.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_lei_has_wrong_country_code.crttest index 2cce0bf..e555b15 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_lei_has_wrong_country_code.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_lei_has_wrong_country_code.crttest 
@@ -35,6 +35,6 @@ i0RWgPiGAy2tyXdzzIzsL9yle2aVG+Tj1GckmJI+dJL7fgjYMqaFLtkKodE/JR0T p5tQtb5kI1ze8bjKV5qnMlCIV1RtaAubxd8E0dIBazc293NX8ypBQRFYjdUR1A== -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""LEI"": US" -certificate.tbsCertificate.subject.rdnSequence.0.0.value.x520OrganizationIdentifier,OrganizationIdentifierLeiValidator,ERROR,cabf.smime.invalid_lei_scheme_format,Invalid Organization Identifier format: LEIUS-AEYE00EKXESVZUUEBP67 +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""LEI"": ""US""" +certificate.tbsCertificate.subject.rdnSequence.0.0.value.x520OrganizationIdentifier,OrganizationIdentifierLeiValidator,ERROR,cabf.smime.invalid_lei_scheme_format,"Invalid Organization Identifier format: ""LEIUS-AEYE00EKXESVZUUEBP67""" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_ntr_with_4letter_state.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_ntr_with_4letter_state.crttest index 436fff3..90c0807 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_ntr_with_4letter_state.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_ntr_with_4letter_state.crttest 
@@ -38,4 +38,4 @@ tND4nmyLRFaA+IYDLa3Jd3PMjOwv3KV7ZpUb5OPUZySYkj50kvt+CNgypoUu2Qqh node_path,validator,severity,code,message certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_format,Invalid format: NTRFR+PARI-AEYE00EKXESVZUUEBP67 +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_format,"Invalid format: ""NTRFR+PARI-AEYE00EKXESVZUUEBP67""" diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_unknown_country.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_unknown_country.crttest index 8fc3faf..d2fe39e 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/orgid_unknown_country.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/orgid_unknown_country.crttest @@ -35,6 +35,6 @@ i0RWgPiGAy2tyXdzzIzsL9yle2aVG+Tj1GckmJI+dJL7fgjYMqaFLtkKodE/JR0T p5tQtb5kI1ze8bjKV5qnMlCIV1RtaAubxd8E0dIBazc293NX8ypBQRFYjdUR1A== -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""NTR"": ZZ" +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""NTR"": ""ZZ""" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 
diff --git a/tests/integration_certificate/smime_br/organization/multipurpose/vat_invalid_country.crttest b/tests/integration_certificate/smime_br/organization/multipurpose/vat_invalid_country.crttest index 28345ff..02a557d 100644 --- a/tests/integration_certificate/smime_br/organization/multipurpose/vat_invalid_country.crttest +++ b/tests/integration_certificate/smime_br/organization/multipurpose/vat_invalid_country.crttest @@ -35,6 +35,6 @@ pXtmlRvk49RnJJiSPnSS+34I2DKmhS7ZCqHRPyUdE6ebULW+ZCNc3vG4yleapzJQ iFdUbWgLm8XfBNHSAWs3NvdzV/MqQUERWI3VEdQ= -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""VAT"": XG" +certificate.tbsCertificate.subject.rdnSequence.0.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""VAT"": ""XG""" certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/integration_certificate/smime_br/sponsored/strict/san_dirname_attribute_with_email_not_in_san.crttest b/tests/integration_certificate/smime_br/sponsored/strict/san_dirname_attribute_with_email_not_in_san.crttest new file mode 100644 index 0000000..e1b498b --- /dev/null +++ b/tests/integration_certificate/smime_br/sponsored/strict/san_dirname_attribute_with_email_not_in_san.crttest 
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIGuDCCBKCgAwIBAgIUYsQ+Fan+RfQ1ToEaA+PeZh43OTEwDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0 +ZWQxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMzA0MTkwMDAwMDBaFw0y +MzA3MTgyMzU5NTlaMIGpMSMwIQYDVQRhExpMRUlYRy1BRVlFMDBFS1hFU1ZaVVVF +QlA2NzEeMBwGA1UEChMVQWNtZSBJbmR1c3RyaWVzLCBMdGQuMQ8wDQYDVQQEDAZZ +YW1hZGExDzANBgNVBCoMBkhhbmFrbzEWMBQGA1UEAwwNWUFNQURBIEhhbmFrbzEo +MCYGCSqGSIb3DQEJARYZaGFuYWtvLnlhbWFkYUBleGFtcGxlLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALD56BlDp66YkqreF8p8QPh0T+0vgUjm +yOqie30AFUj7UZKrKLVsUGCxGMzRMeWUh0xsqYm1bCcpbwn7k6A03zLpfG/wmYz9 +jm9C3aWKzR+peYbxRPPRVNZ2UBdeaFSzqVIAO8Boh7hFWsKxn3svdlBOvJjslFVx +sHiSFQ3canTKD7zTVJfOgVNNr5QYhEsTrqMfnVprlVe732Ge/U6Ify1CuN2LyYfq +4b+Jyrhe4h41YwXfbAeog44+9BxZXczkPa/EkSPvTYq7qT05BeQCjXupFISidZbg +e0tu2ZLwd7Uk09z+fd1VSb58zo2gNc+gs/uPnkb3MrKoa0YBZcCPUxMCAwEAAaOC +AjYwggIyMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB8GA1UdIwQYMBaA +FNZEADJ8qA3/rE9rZu61rpssxThUMB0GA1UdDgQWBBSJGVleDvFp9cu9R+E0/OKY +zGkwkTAUBgNVHSAEDTALMAkGB2eBDAEFAwMwPQYDVR0fBDYwNDAyoDCgLoYsaHR0 +cDovL2NybC5jYS5leGFtcGxlLmNvbS9pc3N1aW5nX2NhX2NybC5jcmwwSwYIKwYB +BQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vcmVwb3NpdG9yeS5jYS5leGFt +cGxlLmNvbS9pc3N1aW5nX2NhLmRlcjATBgNVHSUEDDAKBggrBgEFBQcDBDCB4QYD +VR0RBIHZMIHWgRloYW5ha28ueWFtYWRhQGV4YW1wbGUuY29toCYGCCsGAQUFBwgJ +oBoMGOWxseeUsOiKseWtkEBleGFtcGxlLmNvbaSBkDCBjTEjMCEGA1UEYRMaTEVJ +WEctQUVZRTAwRUtYRVNWWlVVRUJQNjcxJDAiBgNVBAoMG+OCouOCr+ODn+W3peal +reagquW8j+S8muekvjEYMBYGA1UEBAwPZm9vQGV4YW1wbGUuY29tMQ8wDQYDVQQq +DAboirHlrZAxFTATBgNVBAMMDOWxseeUsOiKseWtkDAjBgkrBgEEAYOYKgEEFhMU +QUVZRTAwRUtYRVNWWlVVRUJQNjcwEgYJKwYBBAGDmCoCBAUTA0NFTzANBgkqhkiG +9w0BAQsFAAOCAgEAE/8rQdESC9lQcnw5TnIj/DhzWqrE6S4I1F7LFgUNQB5GJUSU +bnFdeExwfV+tbjloht4frY7oJvvYyjT2t5/nv2Hrfpe95KmRhliEkEfs3ri5J/pM +Ha5ju1Kox49nm8OjKkon9HMK6c7IJy2Ow1yrwDYDflVeMmZUvMr+EmUk6BdRtF40 +ljNwLw8xJZfhxUzo1OjaTKu7gtYqzrFhEqijpVoxtWIBLgL7IAujPYONrxeffJ7D 
+Y6vWzBVG4C+7iuqlrf6Y2f25yfEp0Hs9kBD26xEZUg43Zl7BxaBbJLesUk2FRD1B +/N5DYZecTc7WF1a1YUW5N15wskn8SZAXIz9xx8OThu9v7eP3qpUNaU+iaTqbjxTP +GiSUYa3Jrm1yAbh4XCOUfb4UJo23uHsNZyoLOX8lVOsesLOE/BGvlKHzT0x49uNK +Zq0O6lU9fxFtiM4MRNqmNZTN9jZ1yu06cuI8nr8AEWt7Hp5OTldj5KXZFd945DqW +yZHx01Uv/w5ZU8/E3Jf1bDTbf5OLWqombrgLIWL+A/SrRvnqyLpyDv2PHJ0Igbsy +lDRalxeGHa1Q3egwHqkYRzYOy3LYRphJITSGCnqRGshySonks4osE7KbXFwMEEmE +WlF1S7S+VDkqEqpda1II90v7ae6kNwIPK+140WOhkKilZ526OHvetaZ9XUc= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified +certificate.tbsCertificate.extensions.8.extnValue.subjectAltName.2.directoryName.rdnSequence.2.0,SubjectAlternativeNameContainsSubjectEmailAddressesValidator,ERROR,cabf.smime.email_address_in_attribute_not_in_san,"Attribute 2.5.4.4 with value ""foo@example.com"" not found in SAN" diff --git a/tests/integration_certificate/smime_br/sponsored/strict/subject_attribute_with_email_not_in_san.crttest b/tests/integration_certificate/smime_br/sponsored/strict/subject_attribute_with_email_not_in_san.crttest new file mode 100644 index 0000000..b14d657 --- /dev/null +++ b/tests/integration_certificate/smime_br/sponsored/strict/subject_attribute_with_email_not_in_san.crttest 
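Review bot: The `pkix.subject_key_identifier_method_1_identified` expectation row in the new san_dirname_attribute_with_email_not_in_san.crttest has no trailing comma, so it carries four CSV fields where every other fixture row in this diff (including the row right after it) carries five, the fifth being an empty message. The same applies to the corresponding row in subject_attribute_with_email_not_in_san.crttest in the next hunk. Whether the fixture loader treats a missing field and an empty field alike I can't tell from here; if it compares parsed records, these two rows would differ from the linter output on the `message` column. Appending the trailing comma keeps the new vectors in the same shape as the existing ones.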
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIGuzCCBKOgAwIBAgIUYsQ+Fan+RfQ1ToEaA+PeZh43OTEwDQYJKoZIhvcNAQEL +BQAwSDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0 +ZWQxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMzA0MTkwMDAwMDBaFw0y +MzA3MTgyMzU5NTlaMIG1MSMwIQYDVQRhExpMRUlYRy1BRVlFMDBFS1hFU1ZaVVVF +QlA2NzEeMBwGA1UEChMVQWNtZSBJbmR1c3RyaWVzLCBMdGQuMRswGQYDVQQEDBJZ +YW1hZGFAZXhhbXBsZS5jb20xDzANBgNVBCoMBkhhbmFrbzEWMBQGA1UEAwwNWUFN +QURBIEhhbmFrbzEoMCYGCSqGSIb3DQEJARYZaGFuYWtvLnlhbWFkYUBleGFtcGxl +LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALD56BlDp66Ykqre +F8p8QPh0T+0vgUjmyOqie30AFUj7UZKrKLVsUGCxGMzRMeWUh0xsqYm1bCcpbwn7 +k6A03zLpfG/wmYz9jm9C3aWKzR+peYbxRPPRVNZ2UBdeaFSzqVIAO8Boh7hFWsKx +n3svdlBOvJjslFVxsHiSFQ3canTKD7zTVJfOgVNNr5QYhEsTrqMfnVprlVe732Ge +/U6Ify1CuN2LyYfq4b+Jyrhe4h41YwXfbAeog44+9BxZXczkPa/EkSPvTYq7qT05 +BeQCjXupFISidZbge0tu2ZLwd7Uk09z+fd1VSb58zo2gNc+gs/uPnkb3MrKoa0YB +ZcCPUxMCAwEAAaOCAi0wggIpMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeA +MB8GA1UdIwQYMBaAFNZEADJ8qA3/rE9rZu61rpssxThUMB0GA1UdDgQWBBSJGVle +DvFp9cu9R+E0/OKYzGkwkTAUBgNVHSAEDTALMAkGB2eBDAEFAwMwPQYDVR0fBDYw +NDAyoDCgLoYsaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9pc3N1aW5nX2NhX2Ny +bC5jcmwwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vcmVwb3Np +dG9yeS5jYS5leGFtcGxlLmNvbS9pc3N1aW5nX2NhLmRlcjATBgNVHSUEDDAKBggr +BgEFBQcDBDCB2AYDVR0RBIHQMIHNgRloYW5ha28ueWFtYWRhQGV4YW1wbGUuY29t +oCYGCCsGAQUFBwgJoBoMGOWxseeUsOiKseWtkEBleGFtcGxlLmNvbaSBhzCBhDEj +MCEGA1UEYRMaTEVJWEctQUVZRTAwRUtYRVNWWlVVRUJQNjcxJDAiBgNVBAoMG+OC +ouOCr+ODn+W3pealreagquW8j+S8muekvjEPMA0GA1UEBAwG5bGx55SwMQ8wDQYD +VQQqDAboirHlrZAxFTATBgNVBAMMDOWxseeUsOiKseWtkDAjBgkrBgEEAYOYKgEE +FhMUQUVZRTAwRUtYRVNWWlVVRUJQNjcwEgYJKwYBBAGDmCoCBAUTA0NFTzANBgkq +hkiG9w0BAQsFAAOCAgEAE/8rQdESC9lQcnw5TnIj/DhzWqrE6S4I1F7LFgUNQB5G +JUSUbnFdeExwfV+tbjloht4frY7oJvvYyjT2t5/nv2Hrfpe95KmRhliEkEfs3ri5 +J/pMHa5ju1Kox49nm8OjKkon9HMK6c7IJy2Ow1yrwDYDflVeMmZUvMr+EmUk6BdR +tF40ljNwLw8xJZfhxUzo1OjaTKu7gtYqzrFhEqijpVoxtWIBLgL7IAujPYONrxef 
+fJ7DY6vWzBVG4C+7iuqlrf6Y2f25yfEp0Hs9kBD26xEZUg43Zl7BxaBbJLesUk2F +RD1B/N5DYZecTc7WF1a1YUW5N15wskn8SZAXIz9xx8OThu9v7eP3qpUNaU+iaTqb +jxTPGiSUYa3Jrm1yAbh4XCOUfb4UJo23uHsNZyoLOX8lVOsesLOE/BGvlKHzT0x4 +9uNKZq0O6lU9fxFtiM4MRNqmNZTN9jZ1yu06cuI8nr8AEWt7Hp5OTldj5KXZFd94 +5DqWyZHx01Uv/w5ZU8/E3Jf1bDTbf5OLWqombrgLIWL+A/SrRvnqyLpyDv2PHJ0I +gbsylDRalxeGHa1Q3egwHqkYRzYOy3LYRphJITSGCnqRGshySonks4osE7KbXFwM +EEmEWlF1S7S+VDkqEqpda1II90v7ae6kNwIPK+140WOhkKilZ526OHvetaZ9XUc= +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified +certificate.tbsCertificate.subject.rdnSequence.2.0,SubjectAlternativeNameContainsSubjectEmailAddressesValidator,ERROR,cabf.smime.email_address_in_attribute_not_in_san,"Attribute 2.5.4.4 with value ""Yamada@example.com"" not found in SAN" diff --git a/tests/integration_certificate/tls_br/dv_final_certificate/duplicate_aia_location_uri.crttest b/tests/integration_certificate/tls_br/dv_final_certificate/duplicate_aia_location_uri.crttest index 28d58dc..24dba7d 100644 --- a/tests/integration_certificate/tls_br/dv_final_certificate/duplicate_aia_location_uri.crttest +++ b/tests/integration_certificate/tls_br/dv_final_certificate/duplicate_aia_location_uri.crttest @@ -33,4 +33,5 @@ neAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35PG7dfEKrx6fD -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.extensions.6.extnValue.authorityInfoAccessSyntax,AuthorityInformationAccessUniqueLocationValidator,ERROR,cabf.serverauth.aia_duplicate_location,Duplicate AIA access locations: http://ocsp.certsrus.com +certificate.tbsCertificate.extensions.6.extnValue.authorityInfoAccessSyntax,AuthorityInformationAccessUniqueLocationValidator,ERROR,cabf.serverauth.aia_duplicate_location,"Duplicate AIA access locations: ""http://ocsp.certsrus.com""" + 
diff --git a/tests/integration_certificate/tls_br/ev_final_certificate/cabf_orgid_bad_country.crttest b/tests/integration_certificate/tls_br/ev_final_certificate/cabf_orgid_bad_country.crttest index 3fbf858..eaecec4 100644 --- a/tests/integration_certificate/tls_br/ev_final_certificate/cabf_orgid_bad_country.crttest +++ b/tests/integration_certificate/tls_br/ev_final_certificate/cabf_orgid_bad_country.crttest @@ -43,5 +43,5 @@ k5pSOQ1Kzg== node_path,validator,severity,code,message certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_extension_present,Unknown extension present: 2.23.140.3.1 -certificate.tbsCertificate.extensions.4.extnValue.cABFOrganizationIdentifier,CABFOrganizationIdentifierExtensionValidator,ERROR,cabf.serverauth.organization_identifier_ext_invalid_country,"Invalid country code for scheme ""NTR"": ZZ" +certificate.tbsCertificate.extensions.4.extnValue.cABFOrganizationIdentifier,CABFOrganizationIdentifierExtensionValidator,ERROR,cabf.serverauth.organization_identifier_ext_invalid_country,"Invalid country code for scheme ""NTR"": ""ZZ""" certificate.tbsCertificate.extensions.2.extnValue.certificatePolicies.0.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present, diff --git a/tests/integration_certificate/tls_br/ev_final_certificate/cabf_orgid_bad_scheme.crttest b/tests/integration_certificate/tls_br/ev_final_certificate/cabf_orgid_bad_scheme.crttest index f15aa2a..17f9ed5 100644 --- a/tests/integration_certificate/tls_br/ev_final_certificate/cabf_orgid_bad_scheme.crttest +++ b/tests/integration_certificate/tls_br/ev_final_certificate/cabf_orgid_bad_scheme.crttest 
@@ -44,4 +44,4 @@ k5pSOQ1Kzg== node_path,validator,severity,code,message certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_extension_present,Unknown extension present: 2.23.140.3.1 certificate.tbsCertificate.extensions.2.extnValue.certificatePolicies.0.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present, -certificate.tbsCertificate.extensions.4.extnValue.cABFOrganizationIdentifier,CABFOrganizationIdentifierExtensionValidator,ERROR,cabf.serverauth.organization_identifier_ext_invalid_registration_scheme,Invalid registration scheme: FOO +certificate.tbsCertificate.extensions.4.extnValue.cABFOrganizationIdentifier,CABFOrganizationIdentifierExtensionValidator,ERROR,cabf.serverauth.organization_identifier_ext_invalid_registration_scheme,"Invalid registration scheme: ""FOO""" diff --git a/tests/integration_certificate/tls_br/ev_final_certificate/invalid_business_category.crttest b/tests/integration_certificate/tls_br/ev_final_certificate/invalid_business_category.crttest index 8c916cb..6bfdd30 100644 --- a/tests/integration_certificate/tls_br/ev_final_certificate/invalid_business_category.crttest +++ b/tests/integration_certificate/tls_br/ev_final_certificate/invalid_business_category.crttest 
@@ -45,7 +45,7 @@ certificate.tbsCertificate.extensions.4.extnValue.certificatePolicies,Subscriber certificate.tbsCertificate.extensions.0,SubscriberExtensionCriticalityValidator,ERROR,cabf.serverauth.subscriber.non_critical_basic_constraints_extension, certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.subject_key_identifier_extension_present, certificate.tbsCertificate.extensions.7.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, -certificate.tbsCertificate.subject.rdnSequence.5.0.value.x520BusinessCategory,ValidBusinessCategoryValidator,ERROR,cabf.ev_guidelines.invalid_business_category,Invalid business category: Private Organtization +certificate.tbsCertificate.subject.rdnSequence.5.0.value.x520BusinessCategory,ValidBusinessCategoryValidator,ERROR,cabf.ev_guidelines.invalid_business_category,"Invalid business category: ""Private Organtization""" certificate.tbsCertificate.extensions.4.extnValue.certificatePolicies.1.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present, certificate.tbsCertificate.subject.rdnSequence,AttributeOrderEncodingValidator,ERROR,cabf.serverauth.invalid_rdn_order,Invalid RDN order: 2.5.4.8 follows 2.5.4.3 certificate.tbsCertificate.extensions.6.extnValue.cRLDistributionPoints,CrlDpDistributionPointCountValidator,WARNING,cabf.serverauth.crldp_multiple_distributionpoints_present, diff --git a/tests/integration_certificate/tls_br/ev_final_certificate/invalid_subject_orgid_country.crttest b/tests/integration_certificate/tls_br/ev_final_certificate/invalid_subject_orgid_country.crttest index 0622c78..b98b928 100644 --- a/tests/integration_certificate/tls_br/ev_final_certificate/invalid_subject_orgid_country.crttest +++ b/tests/integration_certificate/tls_br/ev_final_certificate/invalid_subject_orgid_country.crttest 
@@ -45,4 +45,4 @@ node_path,validator,severity,code,message certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_extension_present,Unknown extension present: 2.23.140.3.1 certificate.tbsCertificate.subject.rdnSequence.7.0.value.x520OrganizationIdentifier,OrganizationIdentifierConsistentSubjectAndExtensionValidator,ERROR,cabf.serverauth.organization_identifier_mismatched_country_code,"Mismatched country: subject: ""ZZ"", extension: ""FR""" certificate.tbsCertificate.extensions.2.extnValue.certificatePolicies.0.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present, -certificate.tbsCertificate.subject.rdnSequence.7.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""VAT"": ZZ" +certificate.tbsCertificate.subject.rdnSequence.7.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_country,"Invalid country code for scheme ""VAT"": ""ZZ""" diff --git a/tests/integration_certificate/tls_br/ev_pre_certificate/invalid_orgid_syntax.crttest b/tests/integration_certificate/tls_br/ev_pre_certificate/invalid_orgid_syntax.crttest index 183f770..1e72ac8 100644 --- a/tests/integration_certificate/tls_br/ev_pre_certificate/invalid_orgid_syntax.crttest +++ b/tests/integration_certificate/tls_br/ev_pre_certificate/invalid_orgid_syntax.crttest 
@@ -50,11 +50,11 @@ DTHXDizrL/M/BMECisiJJQWFSquktLz+8w== node_path,validator,severity,code,message certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_extension_present,Unknown extension present: 1.3.6.1.5.5.7.1.3 certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies,SubscriberPoliciesValidator,WARNING,cabf.serverauth.subscriber_first_policy_oid_not_reserved, -certificate.tbsCertificate.subject.rdnSequence.6.0.value.x520OrganizationIdentifier,OrganizationIdentifierConsistentSubjectAndExtensionValidator,FATAL,cabf.serverauth.organization_identifier_invalid_syntax,Invalid syntax: NTR@NL-27380834 +certificate.tbsCertificate.subject.rdnSequence.6.0.value.x520OrganizationIdentifier,OrganizationIdentifierConsistentSubjectAndExtensionValidator,FATAL,cabf.serverauth.organization_identifier_invalid_syntax,"Invalid syntax: ""NTR@NL-27380834""" certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.subject_key_identifier_extension_present, certificate.tbsCertificate.extensions.9.extnValue.keyUsage,SubscriberKeyUsageValidator,WARNING,cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present, certificate.tbsCertificate.extensions.8.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, -certificate.tbsCertificate.subject.rdnSequence.6.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_format,Invalid format: NTR@NL-27380834 +certificate.tbsCertificate.subject.rdnSequence.6.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_format,"Invalid format: ""NTR@NL-27380834""" certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies.2.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present, 
certificate.tbsCertificate.extensions,SubscriberExtensionAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_extension_present,Unknown extension present: 2.23.140.3.1 certificate.tbsCertificate.subject.rdnSequence,EvSubscriberAttributeAllowanceValidator,WARNING,cabf.ev_guidelines.common_name_attribute_present, diff --git a/tests/integration_certificate/tls_br/non_tls_ca/unknown_orgid_registration_scheme.crttest b/tests/integration_certificate/tls_br/non_tls_ca/unknown_orgid_registration_scheme.crttest index 9c941f8..95caf10 100644 --- a/tests/integration_certificate/tls_br/non_tls_ca/unknown_orgid_registration_scheme.crttest +++ b/tests/integration_certificate/tls_br/non_tls_ca/unknown_orgid_registration_scheme.crttest 
@@ -52,6 +52,6 @@ certificate.tbsCertificate.extensions.7.extnValue.cRLDistributionPoints,CrlDpDis certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,WARNING,cabf.serverauth.ca.unknown_attribute_present,Unknown attribute present: 2.5.4.97 certificate.tbsCertificate.extensions.6.extnValue.certificatePolicies.0.policyQualifiers.0,CertificatePolicyQualifierValidator,WARNING,cabf.serverauth.certificate_policy_qualifier_present, certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,WARNING,cabf.serverauth.ca.unknown_attribute_present,Unknown attribute present: 2.5.4.5 -certificate.tbsCertificate.subject.rdnSequence.2.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_registration_scheme,Invalid registration scheme: NIT +certificate.tbsCertificate.subject.rdnSequence.2.0,OrganizationIdentifierAttributeValidator,ERROR,cabf.invalid_subject_organization_identifier_registration_scheme,"Invalid registration scheme: ""NIT""" certificate.tbsCertificate.extensions.4.extnValue.keyUsage,CaKeyUsageValidator,NOTICE,cabf.ca_certificate_no_digital_signature_bit, certificate.tbsCertificate.subject.rdnSequence,AttributeOrderEncodingValidator,ERROR,cabf.serverauth.invalid_rdn_order,Invalid RDN order: 2.5.4.8 follows 2.5.4.10 diff --git a/tests/integration_certificate/tls_br/ov_final_certificate/subject_dc_value_too_long.crttest b/tests/integration_certificate/tls_br/ov_final_certificate/subject_dc_value_too_long.crttest index 1161afd..94dc220 100644 --- a/tests/integration_certificate/tls_br/ov_final_certificate/subject_dc_value_too_long.crttest +++ b/tests/integration_certificate/tls_br/ov_final_certificate/subject_dc_value_too_long.crttest 
@@ -40,7 +40,7 @@ kvIV90kakpKC -----END CERTIFICATE----- node_path,validator,severity,code,message -certificate.tbsCertificate.subject,DomainComponentValidDomainNameValidator,ERROR,pkix.name_domain_components_invalid_domain_name,Invalid domain name in domainComponents: incommonaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.org +certificate.tbsCertificate.subject,DomainComponentValidDomainNameValidator,ERROR,pkix.name_domain_components_invalid_domain_name,"Invalid domain name in domainComponents: ""incommonaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.org""" certificate.tbsCertificate.subject.rdnSequence.1.0.value.domainComponent,DomainComponentAttributeValueLengthValidator,ERROR,cabf.serverauth.domain_component_attribute_value_length_too_long, certificate.tbsCertificate.extensions.2.extnValue.keyUsage,SubscriberKeyUsageValidator,WARNING,cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present, certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, diff --git a/tests/test_server.py b/tests/test_server.py index 1853a4f..3653f41 100644 --- a/tests/test_server.py +++ b/tests/test_server.py @@ -4,8 +4,11 @@ from fastapi.testclient import TestClient +from pkilint import report +from pkilint.cabf import serverauth from pkilint.cabf.serverauth import serverauth_constants from pkilint.cabf.smime import smime_constants +from pkilint.pkix import certificate from pkilint.rest import app as web_app 
@@ -103,6 +106,41 @@ def test_version(client): XpOaUjkNSs4= -----END CERTIFICATE-----''' +_BAD_CERT_POLICIES_DER_PEM = '''-----BEGIN CERTIFICATE----- +MIIFxjCCBK6gAwIBAgIQAROrI6zwQH6igXlKWdEvgjANBgkqhkiG9w0BAQsFADBP +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE +aWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMjExMDcwMDAwMDBa +Fw0yMzEyMDcyMzU5NTlaMG4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y +bmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgwFgYDVQQKEw9BdGxhc3NpYW4s +IEluYy4xGDAWBgNVBAMMDyouYXRsYXNzaWFuLm5ldDBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABAA5f4xySbL2RYn5iN2hWUkfiN1P4SUDSRnXJEUQHXpF8l/END0J +OeR35O6YsNujZ1K4v1jgd9A0IUjZiSv5v0yjggNIMIIDRDAfBgNVHSMEGDAWgBS3 +a6LqqKqEjHnqtNoPmLLFlXa59DAdBgNVHQ4EFgQU+mkBUo1ciX5KgAIDvHbxaU2f +7uQwKQYDVR0RBCIwIIIPKi5hdGxhc3NpYW4ubmV0gg1hdGxhc3NpYW4ubmV0MA4G +A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgY8G +A1UdHwSBhzCBhDBAoD6gPIY6aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lD +ZXJ0VExTUlNBU0hBMjU2MjAyMENBMS00LmNybDBAoD6gPIY6aHR0cDovL2NybDQu +ZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VExTUlNBU0hBMjU2MjAyMENBMS00LmNybDAJ +BgNVHSAEAjAAMH8GCCsGAQUFBwEBBHMwcTAkBggrBgEFBQcwAYYYaHR0cDovL29j +c3AuZGlnaWNlcnQuY29tMEkGCCsGAQUFBzAChj1odHRwOi8vY2FjZXJ0cy5kaWdp +Y2VydC5jb20vRGlnaUNlcnRUTFNSU0FTSEEyNTYyMDIwQ0ExLTEuY3J0MAkGA1Ud +EwQCMAAwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB1AOg+0No+9QY1MudXKLyJ +a8kD08vREWvs62nhd31tBr1uAAABhFR4zfEAAAQDAEYwRAIgc6t8bZ2KunnZ69sG +tr1FwJNkUnziV4paMfwCcUlLt+gCIDQmxKSdxplZkpSC44oGd8ELazQ/pcdt6Cd8 +DwGvYHZ6AHYAs3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAGEVHjO +GQAABAMARzBFAiBCp50y65Mv9ywP1ZEmtOU5RCaoZnj6FHCYCKRCLiiZhQIhAMVi +1/hXezSaBvGupxA9YK+U+nUvMI9WfNCsF1SCTJkZAHYAtz77JN+cTbp18jnFulj0 +bF38Qs96nzXEnh0JgSXttJkAAAGEVHjN0AAABAMARzBFAiBOrjjpLggkFE0tTvs3 +sYYMtOnD2hBCtVdrLVkCNggTBQIhAPV5tvqy9MkgEZxT01TCs13BhHfHf+PAAMSI +bqNorCSMMA0GCSqGSIb3DQEBCwUAA4IBAQCSYtQLKmsr3Mm1MiXSrcx5ZLYmNjbV +ngYf1T8+eQWIdSLdHYJwJ4hE44XsRS4F/HBJWldKJyqZ5RUP0fL5KxnH3/7wKD1F +ZjFu9ITmHjNz/55f5BwD7SHi5ZqbT8wYEN1Oy+duFTpeZgJzZFYw8cEIrEYVGrNn 
+TcujtM2w710EQ+DXIPlXMpMJmtCzzrLzVYdPmIGwiIUoj9BwhgMtBtPInxe7qjm6 +B0iBclRQb246wAEPjF/sWAUS+LgmJL2u1CclSWu3h/Ae+yIMKAbdL6Vn5GeLHfCD +kJePcGspl/I0jGLIvpG34YRy9mLrgiWskyETVNFDPIzddBDAqWu2JkDK +-----END CERTIFICATE----- +''' + def test_groups(client): resp = client.get('/certificate') @@ -157,6 +195,11 @@ def test_smime_detect(client): assert j['linter']['name'] == f'{smime_constants.ValidationLevel.SPONSORED}-{smime_constants.Generation.STRICT}' +def test_smime_detect_bad_extension_der(client): + resp = client.post('/certificate/cabf-smime', json={'pem': _BAD_CERT_POLICIES_DER_PEM}) + assert resp.status_code == HTTPStatus.UNPROCESSABLE_ENTITY + + def test_smime_detect_not_smime(client): resp = client.post('/certificate/cabf-smime', json={'pem': _OV_FINAL_CLEAN_PEM}) assert resp.status_code == HTTPStatus.UNPROCESSABLE_ENTITY @@ -241,6 +284,11 @@ def test_serverauth_detect_not_serverauth(client): assert j['linter']['name'] == serverauth_constants.CertificateType.DV_FINAL_CERTIFICATE.to_option_str +def test_serverauth_detect_bad_extension_der(client): + resp = client.post('/certificate/cabf-serverauth', json={'pem': _BAD_CERT_POLICIES_DER_PEM}) + assert resp.status_code == HTTPStatus.UNPROCESSABLE_ENTITY + + def test_lint_serverauth_unknown_linter(client): resp = client.post('/certificate/cabf-serverauth/FOOMASTER-BAR', json={'pem': _OV_FINAL_CLEAN_PEM}) assert resp.status_code == HTTPStatus.NOT_FOUND 
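Review bot: `_BAD_CERT_POLICIES_DER_PEM` documents nothing about what is malformed in the certificate, so a later maintainer cannot tell whether the fixture still exercises the intended failure path. Decoding the base64 suggests the certificatePolicies extension value is an empty SEQUENCE (`30 00`) — please confirm — which would be what drives the two `_bad_extension_der` tests below to 422. A comment above the constant such as `# Real-world certificate whose certificatePolicies extension value is an empty SEQUENCE and so fails DER decoding; used to check the API answers 422 rather than 500` would capture that.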
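Review bot: `test_smime_detect_bad_extension_der` asserts only `HTTPStatus.UNPROCESSABLE_ENTITY`, which is the same status `test_smime_detect_not_smime` expects for a well-formed certificate that merely is not S/MIME, so the test still passes if the decoding error were swallowed and the certificate simply fell through to "type not detected". The same applies to `test_serverauth_detect_bad_extension_der` in the following hunk. Asserting on the response body as well — e.g. `assert 'decod' in resp.json()['detail'].lower()`, adjusted to whatever the handler actually puts in the error detail, which is not visible here — would pin the path this commit fixes.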
@@ -273,3 +321,19 @@ def test_detect_and_lint_serverauth_with_smime(client):
 j = resp.json()
 assert j['linter']['name'] == serverauth_constants.CertificateType.DV_FINAL_CERTIFICATE.to_option_str
+
+
+def test_validations_list(client):
+ resp = client.get('/certificate/cabf-serverauth/root-ca')
+ assert resp.status_code == HTTPStatus.OK
+
+ j = resp.json()
+
+ v = certificate.create_pkix_certificate_validator_container(
+ serverauth.create_decoding_validators(),
+ serverauth.create_validators(serverauth_constants.CertificateType.ROOT_CA)
+ )
+
+ for actual, expected in zip(j, report.get_included_validations(v)):
+ assert actual['code'] == expected.code
+ assert actual['severity'] == str(expected.severity)
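Review bot: `zip(j, report.get_included_validations(v))` in `test_validations_list` stops at the shorter side, so a response that is missing validations — or returns an empty list — still passes as long as the common prefix matches. Materialise the expected list and compare lengths first: `expected = list(report.get_included_validations(v))`, `assert len(j) == len(expected)`, then iterate `zip(j, expected)` (or `zip(..., strict=True)` if the project's minimum is Python 3.10 or later). The test also assumes the endpoint emits validations in the same order `get_included_validations` yields them; if that order is not part of the API contract, comparing `{(x['code'], x['severity']) for x in j}` against the equivalent set built from `expected` would be more robust.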