Validations performed by SMIME end entity certificate linter
Corey Bonnell edited this page Aug 22, 2023 · 7 revisions
Current as of v0.9.0.
severity | code | source | description |
---|---|---|---|
FATAL | base.unhandled_exception | | This finding represents an unhandled error in pkilint. Encountering this finding means that there is likely a bug that needs to be fixed in pkilint. |
FATAL | itu.invalid_asn1_syntax | | An error occurred when attempting to decode DER-encoded ASN.1 data. Encountering this finding means that the data is likely malformed. |
ERROR | adbe.invalid_timestamp_location_type | https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/oids.html#x-509-extension-oids | "In v1 GeneralName can be only uniformResourceIdentifier" |
ERROR | cabf.aia_ca_issuers_has_no_http_uri | SMBR 7.1.2.3 (c) | Legacy: "When provided, at least one accessMethod SHALL have the URI scheme HTTP". MP and strict: "When provided, every accessMethod SHALL have the URI scheme HTTP" |
ERROR | cabf.aia_ocsp_has_no_http_uri | SMBR 7.1.2.3 (c) | Legacy: "When provided, at least one accessMethod SHALL have the URI scheme HTTP". MP and strict: "When provided, every accessMethod SHALL have the URI scheme HTTP" |
ERROR | cabf.authority_key_identifier_has_issuer_cert | SMBR 7.1.2.3 (g) | "authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present." |
ERROR | cabf.crldp_extension_missing | SMBR 7.1.2.3 (b) | "SHALL be present" |
ERROR | cabf.internal_domain_name | | The use of an internal domain name (one whose superior domain labels do not appear on the Public Suffix List, PSL) |
ERROR | cabf.invalid_country_code | | The use of a country code that does not appear in ISO 3166 |
ERROR | cabf.invalid_subject_organization_identifier_country | SMBR 7.1.4.2.2 (d) | The use of a country code that is not allowed in the organizationIdentifier attribute |
ERROR | cabf.invalid_subject_organization_identifier_encoding | SMBR 7.1.4.2.2 (d) | The use of a legacy encoding for new subject names (which all S/MIME certificates will have) |
ERROR | cabf.invalid_subject_organization_identifier_format | SMBR 7.1.4.2.2 (d) | The inclusion of a value which does not adhere to the specified attribute format |
ERROR | cabf.invalid_subject_organization_identifier_registration_scheme | SMBR 7.1.4.2.2 (d) | The inclusion of a scheme which is not recognized |
ERROR | cabf.invalid_subject_organization_identifier_state_province_for_scheme | SMBR 7.1.4.2.2 (d) | The inclusion of a state/province value when the scheme does not permit such inclusion |
ERROR | cabf.invalid_subject_organization_identifier_state_province_format | SMBR 7.1.4.2.2 (d) | The inclusion of a state/province value that violates "2 character ISO 3166-2 identifier for the subdivision of the nation in which the Registration Scheme is operated" |
ERROR | cabf.no_http_crldp_uri | SMBR 7.1.2.3 (b) | "At least one uniformResourceIdentifier SHALL have the URI scheme HTTP" |
ERROR | cabf.rsa_exponent_prohibited_value | SMBR 6.1.6 | "For RSA key pairs: the CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more." |
ERROR | cabf.rsa_modulus_invalid_length | SMBR 6.1.5 | "For RSA key pairs the CA SHALL: Ensure that the modulus size, when encoded, is at least 2048 bits; and Ensure that the modulus size, in bits, is evenly divisible by 8" |
ERROR | cabf.smime.adobe_archive_revinfo_extension_critical | SMBR 7.1.2.3 (m) | "MAY be present and SHALL NOT be marked critical" |
ERROR | cabf.smime.adobe_archive_revinfo_extension_prohibited | SMBR 7.1.2.3 (m) | "Strict: prohibited" |
ERROR | cabf.smime.adobe_timestamp_extension_critical | SMBR 7.1.2.3 (m) | "MAY be present and SHALL NOT be marked critical" |
ERROR | cabf.smime.adobe_timestamp_extension_prohibited | SMBR 7.1.2.3 (m) | "Strict: prohibited" |
ERROR | cabf.smime.aia_prohibited_generalname_type | SMBR 7.1.2.3 (c) | "Allowed URI scheme" |
ERROR | cabf.smime.aia_prohibited_uri_scheme | SMBR 7.1.2.3 (c) | Legacy: "When provided, at least one accessMethod SHALL have the URI scheme HTTP". MP and strict: "When provided, every accessMethod SHALL have the URI scheme HTTP" |
ERROR | cabf.smime.certificate_policies_extension_missing | SMBR 7.1.2.3 (a) | "SHALL be present" |
ERROR | cabf.smime.certificate_validity_period_exceeds_1185_days | SMBR 6.2.3 | "Legacy: 1185 days" |
ERROR | cabf.smime.common_name_value_unknown_source | SMBR 7.1.4.2.2 (a) | Common name attribute contains a value that does not correspond to any allowed value in the table in 7.1.4.2.2 (a) |
ERROR | cabf.smime.cps_uri_is_not_http | SMBR 7.1.2.3 (a) | "If the value of this extension includes a PolicyInformation which contains a qualifier of type id-qt-cps (OID: 1.3.6.1.5.5.7.2.1), then the value of the qualifier SHALL be a HTTP or HTTPS URL for the Issuing CA's CP and/or CPS, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA" |
ERROR | cabf.smime.crldp_fullname_prohibited_generalname_type | SMBR 7.1.2.3 (b) | "Allowed URI scheme" |
ERROR | cabf.smime.crldp_fullname_prohibited_uri_scheme | SMBR 7.1.2.3 (b) | Legacy: "At least one uniformResourceIdentifier SHALL have the URI scheme HTTP". MP and strict: "Every uniformResourceIdentifier SHALL have the URI scheme HTTP" |
ERROR | cabf.smime.email_address_in_common_name_not_in_san | SMBR 7.1.4.2.2 (a) | "If present, the Mailbox Address SHALL contain a rfc822Name or otherName value of type id-on-SmtpUTF8Mailbox from extensions:subjectAltName" |
ERROR | cabf.smime.emailprotection_eku_missing | SMBR 7.1.2.3 (f) | "id-kp-emailProtection SHALL be present" |
ERROR | cabf.smime.extended_key_usage_extension_missing | SMBR 7.1.2.3 (f) | "SHALL be present" |
ERROR | cabf.smime.invalid_lei_scheme_format | SMBR 7.1.4.2.2 (d) and SMBR 7.1.2.3 (l) | LEI value does not conform to standard LEI format (20 alphanumeric characters) |
ERROR | cabf.smime.is_ca_certificate | SMBR 7.1.2.3 (d) | "The cA field SHALL NOT be true" |
ERROR | cabf.smime.key_usage_extension_missing | SMBR 7.1.2.3 (e) | "SHALL be present" |
ERROR | cabf.smime.lei_extension_critical | SMBR 7.1.2.3 (l) | "SHALL NOT be marked critical" |
ERROR | cabf.smime.lei_extension_prohibited | SMBR 7.1.2.3 (l) | Mailbox- and individual-validated: Prohibited |
ERROR | cabf.smime.lei_role_extension_critical | SMBR 7.1.2.3 (l) | "SHALL NOT be marked critical" |
ERROR | cabf.smime.lei_role_extension_prohibited | SMBR 7.1.2.3 (l) | Mailbox- and individual-validated: Prohibited |
ERROR | cabf.smime.missing_required_attribute | SMBR 7.1.4.2.3, 7.1.4.2.4, 7.1.4.2.5, 7.1.4.2.6 | A SHALL-level attribute is not included in the DN |
ERROR | cabf.smime.mixed_name_and_pseudonym_attributes | SMBR 7.1.4.2.2 (e) | "The subject:givenName and/or subject:surname SHALL NOT be present if the subject:pseudonym is present" |
ERROR | cabf.smime.multiple_reserved_policy_oids | SMBR 7.1.2.3 (a) | "It SHALL include exactly one of the reserved policyIdentifiers listed in Section 7.1.6." |
ERROR | cabf.smime.no_required_reserved_policy_oid | SMBR 7.1.2.3 (a) | "It SHALL include exactly one of the reserved policyIdentifiers listed in Section 7.1.6." |
ERROR | cabf.smime.prohibited_attribute | SMBR 7.1.4.2.3, 7.1.4.2.4, 7.1.4.2.5, 7.1.4.2.6 | A SHALL NOT-level attribute is included in the DN |
ERROR | cabf.smime.prohibited_eku_present | SMBR 7.1.2.3 (f) | Strict: "Other values SHALL NOT be present" |
ERROR | cabf.smime.prohibited_generalname_type_present | SMBR 7.1.4.2.1 | "The CA SHALL NOT include GeneralName entries that do not conform to the requirements of this section." |
ERROR | cabf.smime.prohibited_ku_present | SMBR 7.1.2.3 (e) | A KU bit not allowed in the table is asserted |
ERROR | cabf.smime.prohibited_othername_type_present | SMBR 7.1.4.2 | "For Legacy and Multipurpose Generation profiles, then the CA MAY include otherName entries of any type, provided that the CA has validated the field value according to its CP and/or CPS." (Strict is disallowed) |
ERROR | cabf.smime.prohibited_signature_algorithm_encoding | SMBR 7.1.3.2 | "No other encodings are permitted" |
ERROR | cabf.smime.prohibited_spki_algorithm_encoding | SMBR 7.1.3.1 | "No other encodings are permitted" |
ERROR | cabf.smime.qc_statements_extension_critical | SMBR 7.1.2.3 (k) | "SHALL NOT be marked critical" |
ERROR | cabf.smime.required_ku_missing | SMBR 7.1.2.3 (e) | A KU bit required by the table is not asserted |
ERROR | cabf.smime.san_does_not_contain_email_address | SMBR 7.1.4.2.1 | "This extension SHALL contain at least one GeneralName entry of the following types: Rfc822Name and/or otherName of type id-on-SmtpUTF8Mailbox, encoded in accordance with RFC 8398" |
ERROR | cabf.smime.san_extension_missing | SMBR 7.1.4.2.1 | "SHALL be present" |
ERROR | cabf.smime.subject_directory_attributes_extension_prohibited | SMBR 7.1.2.3 (j) | Strict and MP: "Prohibited" |
ERROR | cabf.smime.unknown_certificate_key_usage_type | SMBR 7.1.2.3 (e) | Disallowed combination of asserted KU bits which does not correspond to a signing or key management certificate |
ERROR | cabf.smime.unsupported_public_key_type | SMBR 7.1.3.1 | |
ERROR | cabf.smime.usernotice_has_noticeref | SMBR 7.1.2.3 (a) | "If a qualifier of type id-qt-unotice (OID: 1.3.6.1.5.5.7.2.2) is included, then it SHALL contain explicitText and SHALL NOT contain noticeRef" |
ERROR | iso.lei.invalid_lei_checksum | ISO 17442 | LEI checksum character is incorrect |
ERROR | iso.lei.invalid_lei_format | ISO 17442 | LEI value format is not correct |
ERROR | itu.bitstring_not_der_encoded | X.690 2002-07, clause 11.2.2 | "Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 21.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded" |
ERROR | itu.invalid_printablestring_character | X.680 2002-07, clause 37.4 | "Table 8 lists the characters which can appear in the PrintableString type and PrintableString character abstract syntax" |
ERROR | msft.invalid_user_principal_name_syntax | https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties | "A UPN is an Internet-style login name for a user based on the Internet standard RFC 822" |
ERROR | pkix.aki_with_cert_issuer_but_serial_number_absent | RFC 5280 4.2.1.1 | "The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or the issuer name and serial number" |
ERROR | pkix.aki_with_serial_number_but_cert_issuer_absent | RFC 5280 4.2.1.1 | "The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or the issuer name and serial number" |
ERROR | pkix.authority_information_access_extension_critical | RFC 5280 4.2.2.1 | "Conforming CAs MUST mark this extension as non-critical." |
ERROR | pkix.authority_key_identifier_critical | RFC 5280 4.2.1.1 | "Conforming CAs MUST mark this extension as non-critical." |
ERROR | pkix.authority_key_identifier_extension_absent | RFC 5280 4.2.1.1 | "The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction" |
ERROR | pkix.authority_key_identifier_keyid_missing | RFC 5280 4.2.1.1 | "The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction" |
ERROR | pkix.basic_constraints.extension_not_critical | RFC 5280 4.2.1.9 | "Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates" |
ERROR | pkix.basic_constraints.has_pathlen_for_non_ca | RFC 5280 4.2.1.9 | "CAs MUST NOT include the pathLenConstraint field unless the cA boolean is asserted and the key usage extension asserts the keyCertSign bit." |
ERROR | pkix.both_encipheronly_and_decipheronly_ku_set | RFC 5280 4.2.1.3 | "When the encipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for enciphering data while performing key agreement." "When the decipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for deciphering data while performing key agreement.". Impossible to simultaneously permit both sets of operations. |
ERROR | pkix.ca_certificate_keycertsign_keyusage_not_set | RFC 5280 4.2.1.3 | "Conforming CAs MUST include this extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs" |
ERROR | pkix.ca_certificate_no_ku_extension | RFC 5280 4.2.1.3 | "Conforming CAs MUST include this extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs" |
ERROR | pkix.certificate_name_constraints_extension_not_critical | RFC 5280 4.2.1.10 | "Conforming CAs MUST mark this extension as critical" |
ERROR | pkix.certificate_negative_validity_period | RFC 5280 4.1.2.5 | "The certificate validity period is the time interval during which the CA warrants that it will maintain information about the status of the certificate". A notAfter value that is less than notBefore is non-sensical given this definition. |
ERROR | pkix.certificate_policies_anypolicy_has_prohibited_qualifier | RFC 5280 4.2.1.4 | "When qualifiers are used with the special policy anyPolicy, they MUST be limited to the qualifiers identified in this section." |
ERROR | pkix.certificate_serial_number_out_of_range | RFC 5280 4.1.2.2 | "The serial number MUST be a positive integer assigned by the CA to each certificate." "Conforming CAs MUST NOT use serialNumber values longer than 20 octets." |
ERROR | pkix.certificate_signature_algorithm_match | RFC 5280 4.1.1.2 | "This field MUST contain the same algorithm identifier as the signature field in the sequence tbsCertificate" |
ERROR | pkix.certificate_skid_ca_missing | RFC 5280 4.2.1.2 | "To facilitate certification path construction, this extension MUST appear in all conforming CA certificates, that is, all certificates including the basic constraints extension (Section 4.2.1.9) where the value of cA is TRUE" |
ERROR | pkix.certificate_skid_extension_critical | RFC 5280 4.2.1.2 | "Conforming CAs MUST mark this extension as non-critical" |
ERROR | pkix.certificate_version_is_not_v3 | RFC 5280 4.1.2.1 | "When extensions are used, as expected in this profile, version MUST be 3 (value is 2)." |
ERROR | pkix.distribution_point_does_not_contain_name_or_issuer | RFC 5280 4.2.1.13 | "While each of these fields is optional, a DistributionPoint MUST NOT consist of only the reasons field; either distributionPoint or cRLIssuer MUST be present." |
ERROR | pkix.duplicate_certificate_policy_oids | RFC 5280 4.2.1.4 | "A certificate policy OID MUST NOT appear more than once in a certificate policies extension" |
ERROR | pkix.ee_certificate_keycertsign_keyusage_set | RFC 5280 4.2.1.9 | "If the cA boolean is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted" |
ERROR | pkix.generalizedtime_incorect_syntax | RFC 5280 4.1.2.5.2 | |
ERROR | pkix.invalid_domain_name_syntax | RFC 5280 4.2.1.6 | "The name MUST be in the "preferred name syntax", as specified by Section 3.5 of [RFC1034] and as modified by Section 2.1 of [RFC1123]." |
ERROR | pkix.invalid_email_address_syntax | RFC 5280 4.2.1.6 | "The format of an rfc822Name is a "Mailbox" as defined in Section 4.1.2 of [RFC2821]." |
ERROR | pkix.invalid_time_syntax | RFC 5280 4.1.2.5.1 and 4.1.2.5.2 | |
ERROR | pkix.invalid_uri_syntax | RFC 5280 4.1.2.6 | "When the subjectAltName extension contains a URI, the name MUST be stored in the uniformResourceIdentifier (an IA5String). The name MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in [RFC3986]. The name MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host." |
ERROR | pkix.ip_address_name_constraint_invalid_cidr | RFC 5280 4.1.2.10 | "For IPv4 addresses, the iPAddress field of GeneralName MUST contain eight (8) octets, encoded in the style of RFC 4632 (CIDR) to represent an address range [RFC4632]. For IPv6 addresses, the iPAddress field MUST contain 32 octets similarly encoded." |
ERROR | pkix.ip_address_name_constraint_wrong_length | RFC 5280 4.1.2.10 | "For IPv4 addresses, the iPAddress field of GeneralName MUST contain eight (8) octets, encoded in the style of RFC 4632 (CIDR) to represent an address range [RFC4632]. For IPv6 addresses, the iPAddress field MUST contain 32 octets similarly encoded." |
ERROR | pkix.ip_address_wrong_length | RFC 5280 4.1.2.6 | "For IP version 4, as specified in [RFC791], the octet string MUST contain exactly four octets. For IP version 6, as specified in [RFC2460], the octet string MUST contain exactly sixteen octets." |
ERROR | pkix.issuer_unique_id_present | RFC 5280 4.1.2.8 | "CAs conforming to this profile MUST NOT generate certificates with unique identifiers" |
ERROR | pkix.name_constraints_in_ee_certificate | RFC 5280 4.2.1.10 | "The name constraints extension, which MUST be used only in a CA certificate..." |
ERROR | pkix.name_constraints_maximum_specified | RFC 5280 4.2.1.10 | "Within this profile, the minimum and maximum fields are not used with any name forms, thus, the minimum MUST be zero, and maximum MUST be absent" |
ERROR | pkix.name_constraints_no_subtrees | RFC 5280 4.2.1.10 | "Conforming CAs MUST NOT issue certificates where name constraints is an empty sequence." |
ERROR | pkix.name_constraints_non_default_minimum | RFC 5280 4.2.1.10 | "Within this profile, the minimum and maximum fields are not used with any name forms, thus, the minimum MUST be zero, and maximum MUST be absent" |
ERROR | pkix.name_domain_components_invalid_domain_name | RFC 4519 2.4 | "The 'dc' ('domainComponent' in RFC 1274) attribute type is a string holding one component, a label, of a DNS domain name [RFC1034][RFC2181] naming a host [RFC1123]." The concatenation of all DC attributes yields an invalid domain name. |
ERROR | pkix.name_empty | RFC 5280 4.1.2.4 | "The issuer field MUST contain a non-empty distinguished name (DN)." |
ERROR | pkix.no_ku_bits_set | RFC 5280 4.2.1.3 | "When the keyUsage extension appears in a certificate, at least one of the bits MUST be set to 1." |
ERROR | pkix.rdn_contains_unique_attribute_types | X.501 1997-08 9.3 | "The set that forms an RDN contains exactly one AttributeTypeAndDistinguishedValue for each attribute which contains distinguished values in the entry; that is, a given attribute type cannot appear twice in the same RDN." |
ERROR | pkix.rfc5280_certificate_policies_invalid_explicit_text_encoding | RFC 5280 4.2.1.4 | "Conforming CAs MUST NOT encode explicitText as VisibleString or BMPString." |
ERROR | pkix.rfc6818_certificate_policies_invalid_explicit_text_encoding | RFC 6818 3 | "Conforming CAs MUST NOT encode explicitText as IA5String" |
ERROR | pkix.san_extension_not_critical | RFC 5280 4.2.1.6 | "If the subject field contains an empty sequence, then the issuing CA MUST include a subjectAltName extension that is marked as critical" |
ERROR | pkix.smime_capabilities_extension_critical | RFC 4262 2 | "This extension MUST NOT be marked critical." |
ERROR | pkix.smtp_utf8_mailbox_has_bom | RFC 8398 3 | "The UTF8String encoding MUST NOT contain a Byte-Order-Mark (BOM) [RFC3629] to aid consistency across implementations, particularly for comparison." |
ERROR | pkix.smtp_utf8_mailbox_has_uppercase | RFC 8398 3 | "In SmtpUTF8Mailbox, domain labels that solely use ASCII characters (meaning neither A- nor U-labels) SHALL use NR-LDH restrictions as specified by Section 2.3.1 of [RFC5890] and SHALL be restricted to lowercase letters." |
ERROR | pkix.smtp_utf8_mailbox_invalid_syntax | RFC 8398 3 | Value does not contain "@" |
ERROR | pkix.smtp_utf8_mailbox_is_ascii_only | RFC 8398 3 | "When the local- part is ASCII, rfc822Name subjectAltName MUST be used instead of SmtpUTF8Mailbox." |
ERROR | pkix.subject_directory_attributes_extension_critical | RFC 5280 4.2.1.8 | "Conforming CAs MUST mark this extension as non-critical." |
ERROR | pkix.subject_email_address_not_in_san | RFC 5280 4.1.2.6 | "Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name extension (Section 4.2.1.6) to describe such identities." |
ERROR | pkix.subject_information_access_extension_critical | RFC 5280 4.2.2.2 | "Conforming CAs MUST mark this extension as non-critical." |
ERROR | pkix.subject_unique_id_present | RFC 5280 4.1.2.8 | "CAs conforming to this profile MUST NOT generate certificates with unique identifiers" |
ERROR | pkix.unique_extension | RFC 5280 4.2 | "A certificate MUST NOT include more than one instance of a particular extension" |
ERROR | pkix.utctime_incorect_syntax | RFC 5280 4.1.2.5.1 | |
ERROR | pkix.validity_period_end_value_missing | RFC 5280 4.1.2.5 | "The field is represented as a SEQUENCE of two dates: the date on which the certificate validity period begins (notBefore) and the date on which the certificate validity period ends (notAfter)." Seeing this error when linting certificates is not possible due to the required inclusion of notAfter, but it may be seen when linting CRLs or OCSP responses. |
ERROR | pkix.wrong_time_useful_type | RFC 5280 4.1.2.5 | "CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime." |
WARNING | cabf.aia_ca_issuers_missing | SMBR 7.1.2.3 (c) | "The authorityInformationAccess extension SHOULD contain at least one accessMethod value of type id-ad-caIssuers..." |
WARNING | cabf.aia_extension_missing | SMBR 7.1.2.3 (c) | "SHOULD be present" |
WARNING | cabf.critical_certificate_policies_extension | SMBR 7.1.2.3 (a) | "This extension SHOULD NOT be marked critical" |
WARNING | cabf.ecdsa_key_validation_failed | SMBR 6.1.6 | "For ECDSA key pairs: the CA SHOULD confirm the validity of all keys using either the ECC Full Public Key Validation Routine or the ECC Partial Public Key Validation Routine. " |
WARNING | cabf.rsa_exponent_not_in_recommended_range | SMBR 6.1.6 | "Additionally, the public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752." |
WARNING | cabf.rsa_modulus_has_small_prime_factor | SMBR 6.1.6 | "Additionally, the public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752." |
WARNING | cabf.smime.certificate_validity_period_at_maximum | SMBR 6.3.2 | "For this reason, Subscriber Certificates SHOULD NOT be issued for the maximum permissible time by default, in order to account for such adjustments" |
WARNING | cabf.smime.critical_crldp_extension | SMBR 7.1.2.3 (b) | "This extension SHOULD NOT be marked critical" |
WARNING | cabf.smime.email_address_in_attribute_not_in_san | SMBR 7.1.4.2.1 | "All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extension". Findings of this type are likely an ERROR, but this finding is marked at WARNING-level due to the possibility of false positives. |
WARNING | cabf.smime.ku_extension_not_critical | SMBR 7.1.2.3 (e) | "This extension SHOULD be marked critical" |
WARNING | pkix.certificate_crldp_extension_critical | RFC 5280 4.2.1.13 | "The extension SHOULD be non-critical" |
WARNING | pkix.certificate_policies_explicit_text_has_control_character | RFC 5280 4.2.1.4 | "The explicitText string SHOULD NOT include any control characters (e.g., U+0000 to U+001F and U+007F to U+009F)" |
WARNING | pkix.certificate_policies_explicit_text_not_nfc_normalized | RFC 5280 4.2.1.4 | "When the UTF8String encoding is used, all character sequences SHOULD be normalized according to Unicode normalization form C (NFC)" |
WARNING | pkix.certificate_policies_usernotice_has_noticeRef | RFC 5280 4.2.1.4 | "Conforming CAs SHOULD NOT use the noticeRef option." |
WARNING | pkix.certificate_skid_end_entity_missing | RFC 5280 4.2.1.2 | "To assist applications in identifying the appropriate end entity certificate, this extension SHOULD be included in all end entity certificates." |
WARNING | pkix.key_usage_extension_not_critical | RFC 5280 4.2.1.2 | "When present, conforming CAs SHOULD mark this extension as critical." |
WARNING | pkix.san_extension_is_critical | RFC 5280 4.2.1.6 | "When including the subjectAltName extension in a certificate that has a non-empty subject distinguished name, conforming CAs SHOULD mark the subjectAltName extension as non-critical." |
NOTICE | cabf.rdn_contains_multiple_atvs | SC-62 | Ballot SC-62 bans multiple attribute values from appearing in the same RDN |
NOTICE | cabf.smime.unparsed_attribute_value_encountered | | A validator encountered an attribute value that was not decoded, so its validations could not be performed |
NOTICE | cabf.smime.unparsed_common_name_value | | A validator encountered a common name attribute value that was not decoded, so its validations could not be performed |
NOTICE | googl.gmail.authority_info_access_ca_issuers_missing | https://support.google.com/a/answer/7300887?hl=en&ref_topic=9061730&sjid=12609481378327192584-NA | "caIssuers and, if present, ocsp, must contain at least one publicly accessible HTTP uniformResourceIdentifier." |
NOTICE | googl.prohibited_rsa_modulus_length | https://support.google.com/a/answer/7300887?hl=en&ref_topic=9061730&sjid=12609481378327192584-NA | "rsaEncryption with an RSA modulus of 2048, 3072, or 4096" |
NOTICE | pkix.certificate_policies_policy_has_qualifier | RFC 5280 4.2.1.4 | "To promote interoperability, this profile RECOMMENDS that policy information terms consist of only an OID. Where an OID alone is insufficient, this profile strongly recommends that the use of qualifiers be limited to those identified in this section" |
NOTICE | pkix.ldap_uri_not_validated | | The linter encountered an LDAP URI but did not validate the correctness of the URI, as support for LDAP validation has not (yet) been implemented. This NOTICE should probably be of a lower severity or suppressed entirely. |
NOTICE | pkix.unknown_subject_key_identifier_calculation_method | RFC 5280 4.2.1.2 | The Subject key identifier was not calculated using one of the algorithms defined in RFC 5280 |
INFO | pkix.subject_key_identifier_method_1_identified | RFC 5280 4.2.1.2 | The Subject key identifier was calculated using the first algorithm defined in RFC 5280 |
INFO | pkix.subject_key_identifier_method_2_identified | RFC 5280 4.2.1.2 | The Subject key identifier was calculated using the second algorithm defined in RFC 5280 |