diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index bbf31c9f0..9d0161e9e 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -21,8 +21,8 @@ jobs: go-version: ^1.20 - name: Install golangci-lint run: | - wget https://github.com/golangci/golangci-lint/releases/download/v1.55.2/golangci-lint-1.55.2-linux-amd64.deb - sudo apt install -y ./golangci-lint-1.55.2-linux-amd64.deb + wget https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-linux-amd64.deb + sudo apt install -y ./golangci-lint-1.61.0-linux-amd64.deb - name: Run golangci-lint run: | cd v3 diff --git a/.golangci.yaml b/.golangci.yaml index e89bdfbcc..8f4379485 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -54,6 +54,7 @@ linters: - forcetypeassert - tagliatelle - nilnil + - mnd issues: exclude-rules: diff --git a/v3/cmd/zlint-gtld-update/main.go b/v3/cmd/zlint-gtld-update/main.go index dde518d10..708f906aa 100644 --- a/v3/cmd/zlint-gtld-update/main.go +++ b/v3/cmd/zlint-gtld-update/main.go @@ -185,10 +185,10 @@ func getGTLDData() ([]util.GTLDPeriod, error) { return nil, fmt.Errorf("error getting ICANN gTLD JSON : %s", err) } - //nolint:musttag var results struct { GTLDs []util.GTLDPeriod } + //nolint:musttag if err := json.Unmarshal(respBody, &results); err != nil { return nil, fmt.Errorf("unexpected error unmarshaling ICANN gTLD JSON response "+ "body from %q : %s", diff --git a/v3/go.mod b/v3/go.mod index fd1168523..fb2c1c354 100644 --- a/v3/go.mod +++ b/v3/go.mod 
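Review bot: In the `.github/workflows/golangci-lint.yml` hunk, the `Install golangci-lint` step still passes the `.deb` fetched by `wget` straight to `sudo apt install` with no integrity check, so the runner installs as root whatever the URL serves at that moment. Since the asset name changes in this commit anyway, pin its digest and verify it between the two commands: `echo "<sha256-of-release-asset>  golangci-lint-1.61.0-linux-amd64.deb" | sha256sum -c -`. The digest here is a placeholder and should come from the checksums published with the release. The same step would also benefit from failing fast if the check does not pass, which `sha256sum -c` does by returning non-zero.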
@@ -5,14 +5,14 @@ go 1.18 require ( github.com/kr/text v0.2.0 // indirect github.com/pelletier/go-toml v1.9.3 - github.com/sirupsen/logrus v1.9.0 - github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300 - golang.org/x/crypto v0.21.0 - golang.org/x/net v0.23.0 - golang.org/x/text v0.14.0 + github.com/sirupsen/logrus v1.9.3 + github.com/zmap/zcrypto v0.0.0-20240803002437-3a861682ac77 + golang.org/x/crypto v0.25.0 + golang.org/x/net v0.27.0 + golang.org/x/text v0.16.0 ) require ( - github.com/weppos/publicsuffix-go v0.30.0 // indirect - golang.org/x/sys v0.18.0 // indirect + github.com/weppos/publicsuffix-go v0.40.2 // indirect + golang.org/x/sys v0.22.0 // indirect ) diff --git a/v3/go.sum b/v3/go.sum index e4c06379f..aeba0daa6 100644 --- a/v3/go.sum +++ b/v3/go.sum 
@@ -1,11 +1,22 @@ +cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g= +github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ= -github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-github/v50 v50.2.0/go.mod h1:VBY8FB6yPIjrtKhozXv4FQupxKLS6H4m6xFZlT43q8Q= +github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
-github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -21,19 +32,17 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= -github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/weppos/publicsuffix-go v0.12.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k= github.com/weppos/publicsuffix-go v0.13.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k= -github.com/weppos/publicsuffix-go v0.30.0 h1:QHPZ2GRu/YE7cvejH9iyavPOkVCB4dNxp2ZvtT+vQLY= -github.com/weppos/publicsuffix-go v0.30.0/go.mod h1:kBi8zwYnR0zrbm8RcuN1o9Fzgpnnn+btVN8uWPMyXAY= -github.com/weppos/publicsuffix-go/publicsuffix/generator v0.0.0-20220927085643-dc0d00c92642/go.mod h1:GHfoeIdZLdZmLjMlzBftbTDntahTttUMWjxZwQJhULE= +github.com/weppos/publicsuffix-go v0.40.2 h1:LlnoSH0Eqbsi3ReXZWBKCK5lHyzf3sc1JEHH1cnlfho= +github.com/weppos/publicsuffix-go v0.40.2/go.mod h1:XsLZnULC3EJ1Gvk9GVjuCTZ8QUu9ufE4TZpOizDShko= github.com/yuin/goldmark 
v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE= github.com/zmap/rc2 v0.0.0-20190804163417-abaa70531248/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE= @@ -41,8 +50,8 @@ github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54t github.com/zmap/zcertificate v0.0.1/go.mod h1:q0dlN54Jm4NVSSuzisusQY0hqDWvu92C+TWveAxiVWk= github.com/zmap/zcrypto v0.0.0-20201128221613-3719af1573cf/go.mod h1:aPM7r+JOkfL+9qSB4KbYjtoEzJqUK50EXkkJabeNJDQ= github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL+9qSB4KbYjtoEzJqUK50EXkkJabeNJDQ= -github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300 h1:DZH5n7L3L8RxKdSyJHZt7WePgwdhHnPhQFdQSJaHF+o= -github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300/go.mod h1:mOd4yUMgn2fe2nV9KXsa9AyQBFZGzygVPovsZR+Rl5w= +github.com/zmap/zcrypto v0.0.0-20240803002437-3a861682ac77 h1:DCz0McWRVJNICkHdu2XpETqeLvPtZXs315OZyUs1BDk= +github.com/zmap/zcrypto v0.0.0-20240803002437-3a861682ac77/go.mod h1:aSvf+uTU222mUYq/KQj3oiEU7ajhCZe8RRSLHIoM4EM= github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 
@@ -51,25 +60,38 @@ golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWP golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= -golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net 
v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= +golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= +golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -78,35 +100,58 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201126233918-771906719818/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= -golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term 
v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= +golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/v3/integration/lints/lints/not_committing_genTestCerts.go b/v3/integration/lints/lints/not_committing_genTestCerts.go index 3adcca5fc..43c5be9ed 100644 --- a/v3/integration/lints/lints/not_committing_genTestCerts.go 
+++ b/v3/integration/lints/lints/not_committing_genTestCerts.go @@ -17,7 +17,6 @@ package lints import ( "crypto/sha256" "encoding/hex" - "fmt" "go/ast" "os" "strings" @@ -36,18 +35,18 @@ func (i *NotCommittingGenTestCerts) CheckApplies(tree *ast.File, file *lint.File func (i *NotCommittingGenTestCerts) Lint(tree *ast.File, file *lint.File) *lint.Result { contents, err := os.ReadFile(file.Path) if err != nil { - return lint.NewResult(fmt.Sprintf("failed to open %s", file.Name)) + return lint.NewResult("failed to open " + file.Name) } hasher := sha256.New() _, err = hasher.Write(contents) if err != nil { - return lint.NewResult(fmt.Sprintf("failed to hash the contents of %s", file.Name)) + return lint.NewResult("failed to hash the contents of " + file.Name) } got := hex.EncodeToString(hasher.Sum([]byte{})) if got == want { return nil } - return lint.NewResult(fmt.Sprintf(`%s appears to have been modified and committed + return lint.NewResult(file.Path + ` appears to have been modified and committed as a part of your change. This file is intended to be changed at your leisure, however we ask that these changed not be committed to the repo. @@ -55,5 +54,5 @@ If you intended to submit changes to this file, then please run the following... sha256sum cmd/genTestCerts/genTestCerts.go -...and update the "want" constant in v3/integration/lints/lints/not_committing_genTestCerts.go`, file.Path)) +...and update the "want" constant in v3/integration/lints/lints/not_committing_genTestCerts.go`) } diff --git a/v3/lint/configuration_test.go b/v3/lint/configuration_test.go index 4994d7fdd..5d2c0d46f 100644 --- a/v3/lint/configuration_test.go +++ b/v3/lint/configuration_test.go @@ -16,7 +16,6 @@ package lint import ( "io" - "io/ioutil" "os" "reflect" "sync" @@ -389,7 +388,7 @@ func TestSmokeExamplePrinting(t *testing.T) { if err != nil { t.Fatal(err) } - b, err := ioutil.ReadAll(rr) + b, err := io.ReadAll(rr) if err != nil { t.Fatal(err) } 
diff --git a/v3/lint/source_test.go b/v3/lint/source_test.go index 3797f2fcf..ae6d1ef59 100644 --- a/v3/lint/source_test.go +++ b/v3/lint/source_test.go @@ -24,13 +24,13 @@ import ( // TestLintSourceMarshal tests that a LintSource can be correctly marshaled and // unmarshalled. func TestLintSourceMarshal(t *testing.T) { - //nolint:musttag throwAway := struct { Source LintSource }{ Source: Community, } + //nolint:musttag jsonBytes, err := json.Marshal(&throwAway) if err != nil { t.Fatalf("failed to marshal LintSource: %v", err) @@ -41,6 +41,7 @@ func TestLintSourceMarshal(t *testing.T) { t.Fatalf("expected JSON %q got %q", expectedJSON, string(jsonBytes)) } + //nolint:musttag err = json.Unmarshal(jsonBytes, &throwAway) if err != nil { t.Fatalf("err unmarshalling prev. marshaled LintSource: %v", err) @@ -50,6 +51,7 @@ func TestLintSourceMarshal(t *testing.T) { } badJSON := []byte(`{"Source":"cpu"}`) + //nolint:musttag err = json.Unmarshal(badJSON, &throwAway) if err == nil { t.Fatalf("expected err unmarshalling bad LintSource value. Got nil") diff --git a/v3/lints/cabf_br/lint_ca_invalid_eku.go b/v3/lints/cabf_br/lint_ca_invalid_eku.go index d6b8ddea1..239f022b1 100644 --- a/v3/lints/cabf_br/lint_ca_invalid_eku.go +++ b/v3/lints/cabf_br/lint_ca_invalid_eku.go @@ -22,8 +22,6 @@ import ( "github.com/zmap/zcrypto/x509" "github.com/zmap/zlint/v3/lint" "github.com/zmap/zlint/v3/util" - - "fmt" ) func init() { @@ -72,7 +70,7 @@ func (l *caInvalidEKU) Execute(c *x509.Certificate) *lint.LintResult { return &lint.LintResult{ Status: lint.Error, - Details: fmt.Sprintf("%s MUST not be present together with serverAuth in the EKU extension", util.GetEKUString(eku)), + Details: util.GetEKUString(eku) + "%s MUST not be present together with serverAuth in the EKU extension", } } } diff --git a/v3/lints/cabf_br/lint_invalid_ca_certificate_policies.go b/v3/lints/cabf_br/lint_invalid_ca_certificate_policies.go new file mode 100644 index 000000000..c4fd713a9 --- /dev/null 
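Review bot: In the `lint_ca_invalid_eku.go` hunk, the new `Details` expression keeps the `%s` verb from the removed `fmt.Sprintf` call, so the result reads like `<eku>%s MUST not be present together with serverAuth in the EKU extension`, with a literal `%s` and no space after the EKU name. The line should be `Details: util.GetEKUString(eku) + " MUST not be present together with serverAuth in the EKU extension",`, matching how the same conversion was done in `lint_sub_cert_eku_check.go`. Anything that displays or matches on `Details` for this lint would otherwise see a garbled message, and an assertion on `Details` in the lint's test would have caught it. The body of `Execute` starts and ends outside this hunk.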
+++ b/v3/lints/cabf_br/lint_invalid_ca_certificate_policies.go 
@@ -0,0 +1,96 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by asantoni64@gmail.com
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_invalid_ca_certificate_policies",
+ Description: "Checks that the Policy OIDs in the CertificatePolicies extension of a SubCA certificate comply with CABF requirements",
+ Citation: "CABF BRs §7.1.2.10.5",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewInvalidCACertificatePolicies,
+ })
+}
+
+type invalidCACertificatePolicies struct{}
+
+func NewInvalidCACertificatePolicies() lint.LintInterface {
+ return &invalidCACertificatePolicies{}
+}
+
+func (l *invalidCACertificatePolicies) CheckApplies(c *x509.Certificate) bool {
+ return util.IsCACert(c) && !util.IsRootCA(c)
+}
+
+func (l *invalidCACertificatePolicies) Execute(c *x509.Certificate) *lint.LintResult {
+
+ // Any type of TLS subordinate CA must have the CP extension,
+ // as can be seen from the entire chapter 7 of the BR
+ if !util.IsExtInCert(c, util.CertPolicyOID) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "In a TLS subordinate CA certificate, the CertificatePolicies extension is mandatory",
+ }
+ }
+
+ anyPolicyOIDFound := false
+ reservedOIDFound := false
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(util.AnyPolicyOID) {
+ anyPolicyOIDFound = true
+ }
+ if oid.Equal(util.BROrganizationValidatedOID) ||
+ oid.Equal(util.BRExtendedValidatedOID) ||
+ oid.Equal(util.BRDomainValidatedOID) ||
+ oid.Equal(util.BRIndividualValidatedOID) {
+ reservedOIDFound = true
+ }
+ }
+
+ if anyPolicyOIDFound {
+ if len(c.PolicyIdentifiers) > 1 {
+ // See the BR, Table 69: No Policy Restrictions
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "The AnyPolicy OID must not be accompanied by any other policy OIDs",
+ }
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+ }
+
+ if !reservedOIDFound {
+ // See the BR, Table 70: Policy Restricted
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "At least one CABF reserved policy OIDs MUST be present in a policy-restricted CA cert",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_br/lint_invalid_ca_certificate_policies_test.go b/v3/lints/cabf_br/lint_invalid_ca_certificate_policies_test.go
new file mode 100644
index 000000000..1be4cb08a
--- /dev/null
+++ b/v3/lints/cabf_br/lint_invalid_ca_certificate_policies_test.go
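Review bot: In `Execute` of the new `lint_invalid_ca_certificate_policies.go`, the `if anyPolicyOIDFound` block ends in `} else { return &lint.LintResult{Status: lint.Pass} }` although the branch before it already returns. Dropping the `else` and returning Pass directly after the inner `if` keeps the flow flat. The policy-restricted message reads `At least one CABF reserved policy OIDs MUST be present`, where the singular `OID` is meant. The exported constructor has no doc comment; `// NewInvalidCACertificatePolicies returns the lint behind e_invalid_ca_certificate_policies.` would cover it, and a short comment on `CheckApplies` stating that roots are excluded on purpose would help the next reader.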
@@ -0,0 +1,93 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+/*
+ * Test file naming convention: (cacp_cXrXpXmXaXbXeX.pem)
+ * X = 0/1 for no/yes
+ * c = CA certificate
+ * r = Root CA (self-signed)
+ * p = CertificatePolicies is present
+ * m = Multiple OIDs in CertificatePolicies
+ * a = The AnyPolicy OID is present
+ * b = At least one CABF policy OID is present
+ * e = Certificate issued after effective date
+ */
+
+func TestInvalidCACertificatePolicies(t *testing.T) {
+
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+ data := []Data{
+ {
+ input: "cacp_c0r0p0m0a0b0e0.pem",
+ want: lint.NA,
+ },
+ {
+ input: "cacp_c1r1p0m0a0b0e0.pem",
+ want: lint.NA,
+ },
+ {
+ input: "cacp_c1r0p0m0a0b0e0.pem",
+ want: lint.Error,
+ },
+ {
+ input: "cacp_c1r0p1m0a0b0e1.pem",
+ want: lint.Error,
+ },
+ {
+ input: "cacp_c1r0p1m0a0b1e1.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "cacp_c1r0p1m0a1b0e1.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "cacp_c1r0p1m1a1b0e0.pem",
+ want: lint.Error,
+ },
+ {
+ input: "cacp_c1r0p1m1a0b0e0.pem",
+ want: lint.NE,
+ },
+ {
+ input: "cacp_c1r0p1m1a0b0e1.pem",
+ want: lint.Error,
+ },
+ {
+ input: "cacp_c1r0p1m1a0b1e1.pem",
+ want: lint.Pass,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t 
*testing.T) { + out := test.TestLint("e_invalid_ca_certificate_policies", testData.input) + if out.Status != testData.want { + t.Errorf("expected %s, got %s", testData.want, out.Status) + } + }) + } +} diff --git a/v3/lints/cabf_br/lint_sub_cert_eku_check.go b/v3/lints/cabf_br/lint_sub_cert_eku_check.go index c5ef84c39..831da109d 100644 --- a/v3/lints/cabf_br/lint_sub_cert_eku_check.go +++ b/v3/lints/cabf_br/lint_sub_cert_eku_check.go @@ -15,8 +15,6 @@ package cabf_br */ import ( - "fmt" - "github.com/zmap/zcrypto/x509" "github.com/zmap/zlint/v3/lint" "github.com/zmap/zlint/v3/util" @@ -59,7 +57,7 @@ func (l *subExtKeyUsageCheck) Execute(c *x509.Certificate) *lint.LintResult { case x509.ExtKeyUsageAny, x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageTimeStamping, x509.ExtKeyUsageOcspSigning, x509.ExtKeyUsageEmailProtection: - return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("%s MUST NOT be present", util.GetEKUString(eku))} + return &lint.LintResult{Status: lint.Error, Details: util.GetEKUString(eku) + " MUST NOT be present"} } } diff --git a/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go b/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go index b5a2d24d3..5edef3726 100644 --- a/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go +++ b/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go @@ -15,7 +15,7 @@ package cabf_smime_br import ( - "fmt" + "errors" "regexp" "github.com/zmap/zcrypto/x509" @@ -99,7 +99,7 @@ func verifySMIMEOrganizationIdentifierContainsSubjectNameCountry(id string, coun identifierCountry := submatches[2] if identifierCountry != country { - return fmt.Errorf("the country code used in the Registration Scheme identifier SHALL match that of the subject:countryName") + return errors.New("the country code used in the Registration Scheme identifier SHALL match that of the subject:countryName") } return nil 
diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go index 64ce52bd7..8dcad5ae5 100644 --- a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go +++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go @@ -91,7 +91,7 @@ func (l *mailboxValidatedEnforceSubjectFieldRestrictions) Execute(c *x509.Certif if fieldName, knownField := l.forbiddenSubjectFields[oidStr]; knownField { return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s (%s)", fieldName, oidStr)} } - return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s", oidStr)} + return &lint.LintResult{Status: lint.Error, Details: "subject DN contains forbidden field: " + oidStr} } } } diff --git a/v3/lints/community/lint_crl_unique_revoked_certificate.go b/v3/lints/community/lint_crl_unique_revoked_certificate.go new file mode 100644 index 000000000..370a30cac --- /dev/null +++ b/v3/lints/community/lint_crl_unique_revoked_certificate.go 
@@ -0,0 +1,59 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package community
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_unique_revoked_certificate",
+ Description: "The CRL must not include duplicate serial numbers in its revoked certificates list.",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewUniqueRevokedCertificate,
+ })
+}
+
+type uniqueRevokedCertificate struct{}
+
+func NewUniqueRevokedCertificate() lint.RevocationListLintInterface {
+ return &uniqueRevokedCertificate{}
+}
+
+func (l *uniqueRevokedCertificate) CheckApplies(c *x509.RevocationList) bool {
+ return true
+}
+
+func (l *uniqueRevokedCertificate) Execute(c *x509.RevocationList) *lint.LintResult {
+ serials := make(map[string]bool)
+ for _, rc := range c.RevokedCertificates {
+ if serials[rc.SerialNumber.String()] {
+ return &lint.LintResult{
+ Status: lint.Warn,
+ Details: fmt.Sprintf("Revoked certificates list contains duplicate serial number: %x", rc.SerialNumber),
+ }
+ }
+ serials[rc.SerialNumber.String()] = true
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
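Review bot: The lint is registered as `e_crl_unique_revoked_certificate`, but `Execute` returns `Status: lint.Warn,` when it finds a repeated serial, so the severity implied by the `e_` prefix and the status actually reported disagree. zlint names carry the severity in the prefix (`e_`, `w_`, `n_`), and a pipeline that gates on Error results would let a CRL with duplicate revoked entries through even though the name suggests it is blocked. Either return `Status: lint.Error,` in the duplicate branch or register the lint as `w_crl_unique_revoked_certificate`; the accompanying test expects `lint.Warn` and needs the matching change. The exported constructor `NewUniqueRevokedCertificate` also has no doc comment.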
diff --git a/v3/lints/community/lint_crl_unique_revoked_certificate_test.go b/v3/lints/community/lint_crl_unique_revoked_certificate_test.go
new file mode 100644
index 000000000..1038b0f60
--- /dev/null
+++ b/v3/lints/community/lint_crl_unique_revoked_certificate_test.go
@@ -0,0 +1,57 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package community
+
+import (
+ "strings"
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestUniqueRevokedCertificate(t *testing.T) {
+ t.Parallel()
+ testCases := []struct {
+ name string
+ path string
+ want lint.LintStatus
+ wantSubStr string
+ }{
+ {
+ name: "CRL with duplicates in revoked certificates list",
+ path: "crlWithDuplicatesInRevokedCertificateList.pem",
+ want: lint.Warn,
+ },
+ {
+ name: "CRL with no duplicates in revoked certificates list",
+ path: "crlWithNoDuplicatesInRevokedCertificateList.pem",
+ want: lint.Pass,
+ },
+ }
+
+ for _, tc := range testCases {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ gotStatus := test.TestRevocationListLint(t, "e_crl_unique_revoked_certificate", tc.path)
+ if tc.want != gotStatus.Status {
+ t.Errorf("%s: expected %s, got %s", tc.path, tc.want, gotStatus.Status)
+ }
+ if !strings.Contains(gotStatus.Details, tc.wantSubStr) {
+ t.Errorf("%s: expected %s, got %s", tc.path, tc.wantSubStr, gotStatus.Details)
+ }
+ })
+ }
+}
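Review bot: `wantSubStr` is declared in the table but set in neither case, so `strings.Contains(gotStatus.Details, tc.wantSubStr)` is always called with an empty substring and can never fail; the Details assertion checks nothing. Set it on the duplicate case, for example `wantSubStr: "duplicate serial number",`, so that a change to the reported message or a result coming from the wrong branch is caught. If the Details text is not meant to be pinned, drop the field and the second `if` rather than keep a check that always passes.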
diff --git a/v3/lints/community/lint_rsa_fermat_factorization.go b/v3/lints/community/lint_rsa_fermat_factorization.go index 1bca73c21..1d6ac0a7c 100644 --- a/v3/lints/community/lint_rsa_fermat_factorization.go +++ b/v3/lints/community/lint_rsa_fermat_factorization.go @@ -61,7 +61,7 @@ func (l *fermatFactorization) Execute(c *x509.Certificate) *lint.LintResult { if err != nil { return &lint.LintResult{ Status: lint.Error, - Details: fmt.Sprintf("this certificate's RSA key pair is susceptible to Fermat factorization, %s", err.Error())} + Details: "this certificate's RSA key pair is susceptible to Fermat factorization, " + err.Error()} } else { return &lint.LintResult{Status: lint.Pass} } diff --git a/v3/lints/etsi/lint_qcstatem_qctype_web.go b/v3/lints/etsi/lint_qcstatem_qctype_web.go index 680820c9e..27a5a4880 100644 --- a/v3/lints/etsi/lint_qcstatem_qctype_web.go +++ b/v3/lints/etsi/lint_qcstatem_qctype_web.go @@ -15,8 +15,6 @@ package etsi import ( - "fmt" - "github.com/zmap/zcrypto/encoding/asn1" "github.com/zmap/zcrypto/x509" "github.com/zmap/zlint/v3/lint" @@ -76,7 +74,7 @@ func (l *qcStatemQctypeWeb) Execute(c *x509.Certificate) *lint.LintResult { } } if !found { - wrnString += fmt.Sprintf("etsi Type does not indicate certificate as a 'web' certificate") + wrnString += "etsi Type does not indicate certificate as a 'web' certificate" } } diff --git a/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go b/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go index f170e2747..ecf72f9cb 100644 --- a/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go +++ b/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go 
@@ -86,5 +86,5 @@ func (l *ecdsaPubKeyAidEncoding) Execute(c *x509.Certificate) *lint.LintResult { } } - return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Wrong encoding of ECC public key. Got the unsupported %s", hex.EncodeToString(encodedPublicKeyAid))} + return &lint.LintResult{Status: lint.Error, Details: "Wrong encoding of ECC public key. Got the unsupported " + hex.EncodeToString(encodedPublicKeyAid)} } diff --git a/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go b/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go index 0a86abe87..0a1c7db1f 100644 --- a/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go +++ b/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go @@ -103,7 +103,7 @@ func (l *ecdsaSignatureAidEncoding) Execute(c *x509.Certificate) *lint.LintResul } return &lint.LintResult{ Status: lint.Error, - Details: fmt.Sprintf("Encoding of signature algorithm does not match signing key on P-256 curve. Got the unsupported %s", hex.EncodeToString(encoded)), + Details: "Encoding of signature algorithm does not match signing key on P-256 curve. Got the unsupported " + hex.EncodeToString(encoded), } } else if signatureSize <= maxP384SigByteLen { expectedEncoding := []byte{0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03} @@ -113,7 +113,7 @@ func (l *ecdsaSignatureAidEncoding) Execute(c *x509.Certificate) *lint.LintResul } return &lint.LintResult{ Status: lint.Error, - Details: fmt.Sprintf("Encoding of signature algorithm does not match signing key on P-384 curve. Got the unsupported %s", hex.EncodeToString(encoded)), + Details: "Encoding of signature algorithm does not match signing key on P-384 curve. Got the unsupported " + hex.EncodeToString(encoded), } } return &lint.LintResult{ diff --git a/v3/lints/rfc/lint_crl_has_authority_key_identifier.go b/v3/lints/rfc/lint_crl_has_authority_key_identifier.go new file mode 100644 index 000000000..cdb0d5aee --- /dev/null 
+++ b/v3/lints/rfc/lint_crl_has_authority_key_identifier.go
@@ -0,0 +1,54 @@
+package rfc
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_has_authority_key_identifier",
+ Description: "The CRL must include Authority Key Identifier extension.",
+ Citation: "RFC5280 §5.2.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: func() lint.RevocationListLintInterface { return &crlAuthKeyID{} },
+ })
+}
+
+type crlAuthKeyID struct{}
+
+func (l *crlAuthKeyID) CheckApplies(_ *x509.RevocationList) bool {
+ return true
+}
+
+func (l *crlAuthKeyID) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, ext := range c.Extensions {
+ if ext.Id.Equal(util.AuthkeyOID) {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+ }
+ return &lint.LintResult{Status: lint.Error, Details: "The CRL lacks the mandatory Authority Key Identifier extension."}
+}
diff --git a/v3/lints/rfc/lint_crl_has_authority_key_identifier_test.go b/v3/lints/rfc/lint_crl_has_authority_key_identifier_test.go
new file mode 100644
index 000000000..a3303fef0
--- /dev/null
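Review bot: `Execute` returns `lint.Pass` as soon as any extension carries `util.AuthkeyOID` and never looks at the extension's value, so a CRL whose Authority Key Identifier is empty or omits the keyIdentifier field still passes. RFC 5280 §5.2.1, which the metadata cites, also requires CRL issuers to use the key identifier method, so a reader may assume this lint covers more than it does. The presence-only scope should be documented on the method, for example `// Execute reports Pass when an extension with the AKI OID is present; the extension's contents are not validated.` A comment on `crlAuthKeyID` quoting the requirement from §5.2.1 would also help.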
+++ b/v3/lints/rfc/lint_crl_has_authority_key_identifier_test.go @@ -0,0 +1,49 @@ +package rfc + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestExecute(t *testing.T) { + tests := []struct { + name string + path string + want lint.LintStatus + }{ + { + name: "crlWithMissingAuthKeyID", + path: "crlWithMissingAuthKeyID.pem", + want: lint.Error, + }, + { + name: "crlWithAuthKeyID", + path: "crlWithAuthKeyID.pem", + want: lint.Pass, + }, + } + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + got := test.TestRevocationListLint(t, "e_crl_has_authority_key_identifier", tc.path) + if got.Status != tc.want { + t.Errorf("Execute() = %v, want %v", got.Status, tc.want) + } + }) + } +} diff --git a/v3/lints/rfc/lint_ecdsa_allowed_ku.go b/v3/lints/rfc/lint_ecdsa_allowed_ku.go index a2e89f71f..f811738ec 100644 --- a/v3/lints/rfc/lint_ecdsa_allowed_ku.go +++ b/v3/lints/rfc/lint_ecdsa_allowed_ku.go @@ -15,7 +15,6 @@ package rfc import ( - "fmt" "sort" "strings" 
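Review bot: The test function in lint_crl_has_authority_key_identifier_test.go is named `TestExecute`, which does not identify the lint under test and will fail to compile as a redeclaration if any other test file in package `rfc` picks the same generic name. Name it after the lint, for example `func TestCrlHasAuthorityKeyIdentifier(t *testing.T) {`, so `go test -run` filters and failure output point at the right check. The failure message `Execute() = %v, want %v` would also be easier to act on if it included `tc.path`.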
@@ -89,7 +88,7 @@ func (l *ecdsaAllowedKU) Execute(c *x509.Certificate) *lint.LintResult { sort.Strings(invalidKUs) return &lint.LintResult{ Status: lint.Error, - Details: fmt.Sprintf("Certificate contains invalid key usage(s): %s", strings.Join(invalidKUs, ", ")), + Details: "Certificate contains invalid key usage(s): " + strings.Join(invalidKUs, ", "), } } diff --git a/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go b/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go index 2400115e9..7adebe042 100644 --- a/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go +++ b/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go @@ -15,7 +15,6 @@ package rfc import ( - "fmt" "sort" "strings" @@ -90,9 +89,8 @@ func (l *ecdsaInvalidKU) Execute(c *x509.Certificate) *lint.LintResult { sort.Strings(invalidKUs) return &lint.LintResult{ Status: lint.Notice, - Details: fmt.Sprintf( - "Certificate had unexpected key usage(s): %s", - strings.Join(invalidKUs, ", ")), + Details: "Certificate had unexpected key usage(s): " + + strings.Join(invalidKUs, ", "), } } diff --git a/v3/lints/rfc/lint_ext_duplicate_extension.go b/v3/lints/rfc/lint_ext_duplicate_extension.go index 431f19aad..52c356a7e 100644 --- a/v3/lints/rfc/lint_ext_duplicate_extension.go +++ b/v3/lints/rfc/lint_ext_duplicate_extension.go @@ -15,7 +15,6 @@ package rfc */ import ( - "fmt" "strings" "github.com/zmap/zcrypto/x509" @@ -82,9 +81,7 @@ func (l *extDuplicateExtension) Execute(cert *x509.Certificate) *lint.LintResult } return &lint.LintResult{ - Status: lint.Error, - Details: fmt.Sprintf( - "The following extensions are duplicated: %s", - strings.Join(duplicateOIDsList, ", ")), + Status: lint.Error, + Details: "The following extensions are duplicated: " + strings.Join(duplicateOIDsList, ", "), } } diff --git a/v3/lints/rfc/lint_rsa_allowed_ku_ca.go b/v3/lints/rfc/lint_rsa_allowed_ku_ca.go index 9e9677ad6..58275096f 100644 --- a/v3/lints/rfc/lint_rsa_allowed_ku_ca.go +++ b/v3/lints/rfc/lint_rsa_allowed_ku_ca.go 
@@ -15,7 +15,6 @@ package rfc import ( - "fmt" "sort" "strings" @@ -88,7 +87,7 @@ func (l *rsaAllowedKUCa) Execute(c *x509.Certificate) *lint.LintResult { sort.Strings(invalidKUs) return &lint.LintResult{ Status: lint.Error, - Details: fmt.Sprintf("CA certificate with an RSA key contains invalid key usage(s): %s", strings.Join(invalidKUs, ", ")), + Details: "CA certificate with an RSA key contains invalid key usage(s): " + strings.Join(invalidKUs, ", "), } } diff --git a/v3/lints/rfc/lint_rsa_allowed_ku_ee.go b/v3/lints/rfc/lint_rsa_allowed_ku_ee.go index 45c9e137e..cec99d4d6 100644 --- a/v3/lints/rfc/lint_rsa_allowed_ku_ee.go +++ b/v3/lints/rfc/lint_rsa_allowed_ku_ee.go @@ -15,7 +15,6 @@ package rfc import ( - "fmt" "sort" "strings" @@ -86,7 +85,7 @@ func (l *rsaAllowedKUEe) Execute(c *x509.Certificate) *lint.LintResult { sort.Strings(invalidKUs) return &lint.LintResult{ Status: lint.Error, - Details: fmt.Sprintf("Subscriber certificate with an RSA key contains invalid key usage(s): %s", strings.Join(invalidKUs, ", ")), + Details: "Subscriber certificate with an RSA key contains invalid key usage(s): " + strings.Join(invalidKUs, ", "), } } diff --git a/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go b/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go index a55ada9d7..36070d19a 100644 --- a/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go +++ b/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go @@ -61,7 +61,7 @@ func (l *rsaSPKIEncryptionParamNotNULL) Execute(c *x509.Certificate) *lint.LintR } if err := util.CheckAlgorithmIDParamNotNULL(encodedPublicKeyAid, util.OidRSAEncryption); err != nil { - return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("certificate pkixPublicKey %s", err.Error())} + return &lint.LintResult{Status: lint.Error, Details: "certificate pkixPublicKey " + err.Error()} } return &lint.LintResult{Status: lint.Pass} 
diff --git a/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go b/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go index 4731106e8..5692b8e4e 100644 --- a/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go +++ b/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go @@ -15,8 +15,6 @@ package rfc */ import ( - "fmt" - "github.com/zmap/zcrypto/x509" "github.com/zmap/zlint/v3/lint" "github.com/zmap/zlint/v3/util" @@ -77,7 +75,7 @@ func (l *rsaTBSSignatureEncryptionParamNotNULL) Execute(c *x509.Certificate) *li } if err := util.CheckAlgorithmIDParamNotNULL(signatureAlgoID, c.SignatureAlgorithmOID); err != nil { - return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("certificate tbsCertificate.signature %s", err.Error())} + return &lint.LintResult{Status: lint.Error, Details: "certificate tbsCertificate.signature " + err.Error()} } return &lint.LintResult{Status: lint.Pass} diff --git a/v3/profiles/profiles_test.go b/v3/profiles/profiles_test.go index 72ddd0d65..e3b27bb5e 100644 --- a/v3/profiles/profiles_test.go +++ b/v3/profiles/profiles_test.go @@ -15,7 +15,7 @@ package profiles import ( - "io/ioutil" + "os" "testing" "github.com/zmap/zlint/v3/lint" @@ -57,7 +57,7 @@ func TestNotMissingAnyLintSources(t *testing.T) { "mozilla": true, "rfc": true, } - dir, err := ioutil.ReadDir("../lints") + dir, err := os.ReadDir("../lints") if err != nil { t.Fatal(err) } diff --git a/v3/test/helpers.go b/v3/test/helpers.go index e560cfcff..799591352 100644 --- a/v3/test/helpers.go +++ b/v3/test/helpers.go 
@@ -124,7 +124,7 @@ func TestLintRevocationList(tb testing.TB, lintName string, crl *x509.Revocation // Important: ReadTestCert is only appropriate for unit tests. It will panic if // the inPath file can not be loaded. func ReadTestCert(inPath string) *x509.Certificate { - fullPath := fmt.Sprintf("../../testdata/%s", inPath) + fullPath := "../../testdata/" + inPath data, err := os.ReadFile(fullPath) if err != nil { panic(fmt.Sprintf( @@ -162,7 +162,7 @@ func ReadTestCert(inPath string) *x509.Certificate { // the inPath file can not be loaded. func ReadTestRevocationList(tb testing.TB, inPath string) *x509.RevocationList { tb.Helper() - fullPath := fmt.Sprintf("../../testdata/%s", inPath) + fullPath := "../../testdata/" + inPath data, err := os.ReadFile(fullPath) if err != nil { tb.Fatalf( diff --git a/v3/testdata/cacp_c0r0p0m0a0b0e0.pem b/v3/testdata/cacp_c0r0p0m0a0b0e0.pem new file mode 100644 index 000000000..96eb8fd70 --- /dev/null +++ b/v3/testdata/cacp_c0r0p0m0a0b0e0.pem 
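Review bot: Both changed lines, in `ReadTestCert` and in `ReadTestRevocationList`, build the fixture path by plain string concatenation, which leaves `inPath` uncleaned and hard-codes the separator. The idiomatic form is `fullPath := filepath.Join("..", "..", "testdata", inPath)`, which normalises the result and behaves the same on every platform. This needs `path/filepath` in the import block, which is not visible from these hunks; both function bodies also continue outside them.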
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 1c:0a:02:4e:4c:9b:c4:4d:b6:fa:4c:5c:65:77:13:13 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jul 26 12:27:20 2024 GMT + Not After : Jul 26 12:27:20 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890, businessCategory = Non-Commercial Entity + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b4:e3:b6:07:99:6a:ac:3c:17:36:26:06:f3:0c: + f0:17:64:08:f1:73:da:a7:8b:7e:aa:3d:2c:4a:6a: + 9f:72:2d:6d:40:0e:ff:36:e1:79:29:0d:18:6a:2b: + 5b:76:ca:c6:ee:db:ae:e9:6d:9b:0e:0e:41:d7:5b: + 6d:a1:10:85:6a:e8:7c:3f:ea:3e:98:c6:50:36:61: + df:be:24:fd:02:7e:bc:1a:43:d5:8f:b6:39:69:4e: + cb:cb:b3:48:c5:6b:a0:55:00:b2:92:ef:29:16:12: + 6e:12:16:af:5a:89:7d:bb:81:de:ac:fb:34:ce:9a: + 88:5b:aa:41:01:0f:7c:e2:29:2a:65:c4:ce:a7:7c: + 01:ce:95:a9:eb:8b:a9:e5:10:5d:f5:51:d6:87:9e: + 54:30:cf:71:1b:84:51:f7:98:29:e0:b7:14:95:2d: + be:7c:db:7c:5a:53:84:4f:41:f3:7b:e0:88:e4:64: + 9a:6c:2f:e0:71:7d:73:df:f6:44:1e:a4:b8:c0:03: + 23:b2:1b:fa:ed:72:28:7e:5d:ca:55:07:18:94:a6: + c2:c0:00:9c:4f:3b:e6:64:0d:ad:92:10:72:52:8d: + fd:1b:ba:ba:7e:a8:03:27:33:35:2d:c7:00:ae:00: + 55:dd:04:dc:21:54:7f:07:32:28:d0:d4:47:9c:1b: + 11:59 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 91:F2:01:FC:F4:49:02:5F:02:0D:BB:71:BD:C1:18:39:C4:CD:E4:9B + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 86:4f:6f:56:69:af:d2:92:48:62:e0:cb:4e:95:a3:e4:0e:62: + 42:92:78:6b:74:eb:ad:86:3a:95:28:12:d6:91:e7:9f:0d:56: + c4:32:3e:21:b6:9b:27:73:4d:8c:eb:4e:b0:73:bf:9e:1f:f2: + 83:3b:c6:1f:0b:19:38:eb:36:65:c7:9a:a0:9c:39:80:30:c7: + 61:8a:ab:a3:7c:90:3e:c2:7e:cf:27:10:a1:bd:1a:fb:ef:72: + c1:da:37:72:17:cf:60:de:77:60:e9:3a:53:1c:43:75:cc:6a: + 64:a2:28:cb:a4:a5:26:73:45:86:04:94:94:a4:72:32:1e:7c: + a4:a3:7c:b5:a7:28:b2:c3:f0:d3:3c:2f:42:7f:e5:98:ca:d1: + 15:ba:73:45:bb:a4:6b:a2:04:e4:09:74:78:11:e5:37:ce:88: + 95:04:6f:02:8b:91:9a:1b:ce:cc:31:ae:aa:01:8c:fc:91:49: + 8f:35:a7:34:ac:90:16:10:cf:92:a0:8d:fa:96:2b:38:07:3e: + 51:30:ff:12:02:99:2a:d9:71:e6:f8:33:e2:94:54:f0:fd:7b: + f8:3b:50:64:73:8c:55:86:cf:0f:ff:0f:d7:9d:05:0f:b7:8c: + 7e:a3:d0:a4:b0:b3:ab:84:99:dc:81:31:08:13:11:6d:a9:c6: + 1c:84:42:f0 +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIQHAoCTkybxE22+kxcZXcTEzANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA3MjYxMjI3MjBaFw0yNTA3MjYxMjI3 +MjBaMIGpMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcxEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HjAcBgNVBA8TFU5vbi1Db21tZXJjaWFsIEVudGl0eTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALTjtgeZaqw8FzYmBvMM8BdkCPFz2qeLfqo9LEpqn3It +bUAO/zbheSkNGGorW3bKxu7brultmw4OQddbbaEQhWrofD/qPpjGUDZh374k/QJ+ +vBpD1Y+2OWlOy8uzSMVroFUAspLvKRYSbhIWr1qJfbuB3qz7NM6aiFuqQQEPfOIp +KmXEzqd8Ac6VqeuLqeUQXfVR1oeeVDDPcRuEUfeYKeC3FJUtvnzbfFpThE9B83vg +iORkmmwv4HF9c9/2RB6kuMADI7Ib+u1yKH5dylUHGJSmwsAAnE875mQNrZIQclKN +/Ru6un6oAyczNS3HAK4AVd0E3CFUfwcyKNDUR5wbEVkCAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFJHyAfz0SQJfAg27cb3BGDnEzeSbMB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAhk9vVmmv0pJIYuDLTpWj +5A5iQpJ4a3TrrYY6lSgS1pHnnw1WxDI+IbabJ3NNjOtOsHO/nh/ygzvGHwsZOOs2 +ZceaoJw5gDDHYYqro3yQPsJ+zycQob0a++9ywdo3chfPYN53YOk6UxxDdcxqZKIo +y6SlJnNFhgSUlKRyMh58pKN8tacossPw0zwvQn/lmMrRFbpzRbuka6IE5Al0eBHl +N86IlQRvAouRmhvOzDGuqgGM/JFJjzWnNKyQFhDPkqCN+pYrOAc+UTD/EgKZKtlx +5vgz4pRU8P17+DtQZHOMVYbPD/8P150FD7eMfqPQpLCzq4SZ3IExCBMRbanGHIRC +8A== +-----END CERTIFICATE----- diff --git a/v3/testdata/cacp_c1r0p0m0a0b0e0.pem b/v3/testdata/cacp_c1r0p0m0a0b0e0.pem new file mode 100644 index 000000000..df7bfaac5 --- /dev/null +++ b/v3/testdata/cacp_c1r0p0m0a0b0e0.pem 
@@ -0,0 +1,139 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0d:bc:53:53:f1:a4:58:83:6e:23:c3:db:97:33:16:99 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Sep 30 13:33:14 2024 GMT + Not After : Sep 29 13:33:14 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:97:0e:5e:ce:69:be:e6:b1:a1:63:17:30:f6:ce: + 39:82:89:85:f6:8f:0a:e4:e1:eb:8f:b0:04:8f:17: + ba:bd:7d:db:9d:9d:0c:a3:a3:66:bc:07:b1:52:96: + 17:57:19:b0:49:d2:78:7f:be:e4:0d:27:83:f6:8b: + 77:f0:16:f3:4e:08:f1:a0:1a:1c:21:4c:88:01:76: + 17:2c:d7:fd:7e:3b:82:ff:b4:8c:58:c3:2d:ea:83: + e1:9f:e8:5d:d7:6d:c8:0a:8d:79:64:4f:86:08:71: + c3:48:1d:85:49:61:63:7b:ea:be:60:37:aa:f3:00: + e8:f9:7e:af:2e:11:e7:3b:8b:f7:69:d8:5b:f1:9d: + e5:4b:70:6d:e1:5e:1a:d8:da:57:54:4d:6b:3b:10: + 0f:25:c7:d9:e3:1b:1a:bd:c9:91:10:57:aa:3c:93: + 1f:10:0b:b1:6e:82:b4:7b:64:76:63:42:9c:62:ad: + 81:d6:a3:51:1d:bf:24:5a:15:b7:e2:38:9b:f9:c9: + 7e:35:f3:e3:4c:7f:d6:4c:c2:21:41:27:46:37:74: + c8:09:c1:ae:15:51:80:5b:b8:67:55:f7:93:0b:7b: + 4c:bb:56:7a:13:ef:3c:ca:1d:97:12:7a:89:7f:91: + f6:e0:aa:52:bf:7d:8d:e4:8e:ff:49:3b:52:cb:c1: + 3c:82:05:d3:ef:96:23:70:35:85:3a:82:d9:82:fd: + ff:b0:c0:bf:07:89:a8:48:85:63:f2:93:e3:fa:6a: + e3:13:23:c6:4e:0a:61:6f:f4:10:77:58:2b:4a:ac: + d7:df:ab:e5:c9:16:fc:75:dd:09:37:23:20:28:8d: + 4f:1a:a8:98:59:3b:55:26:d2:43:d9:27:4a:1d:39: + e2:c5:ff:2c:97:80:2d:87:5f:2b:4e:e2:a9:5a:bb: + c4:39:1c:67:e6:97:2a:2a:ab:fd:27:a9:13:dd:68: + 2e:f7:67:5d:16:1b:8c:ac:cb:71:f8:cc:89:8c:14: + 49:be:cd:d5:51:d9:00:23:6f:ee:de:00:94:09:99: + 44:15:43:d4:03:b0:13:c6:ce:dc:8d:7c:e3:8c:c4: + 16:53:24:8f:5e:9b:a8:73:6b:a9:7d:b2:f7:bc:aa: + e1:fe:3a:62:6f:c0:a3:96:18:03:25:4b:ce:7e:76: + ea:5c:88:56:6d:21:e0:63:00:2c:1e:ac:2f:24:d5: + 
51:a0:3e:24:b4:ce:52:12:92:3c:30:81:cc:a7:c1: + b5:5e:e9:3e:43:31:a0:51:08:32:14:77:91:49:f5: + 46:34:9a:09:b1:88:af:f6:0b:80:6b:99:76:c8:f5: + 03:c0:52:31:c8:29:c4:6a:7c:88:10:6a:9c:54:c4: + 87:71:17 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 5C:4A:CC:83:9A:B2:BD:6F:5F:D0:4E:D2:43:33:08:00:2B:70:49:CE + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 87:a7:af:ce:eb:59:0b:a2:29:dd:1e:ea:87:8f:44:ea:d2:c9: + cb:e6:74:81:73:22:69:c1:2f:8d:81:b3:84:6a:a2:d2:dc:a6: + 38:33:bc:34:6a:e0:b1:49:06:ed:07:13:10:43:23:d7:54:26: + 7f:76:98:24:b2:64:84:81:48:55:1a:8a:43:9f:68:8e:f3:ea: + d1:99:fe:f1:39:6a:ae:c2:12:cc:a2:50:80:d4:18:74:17:88: + d8:9a:d5:a9:2c:1b:b2:23:3a:d8:df:f1:36:00:9f:86:bb:7c: + 11:07:b0:da:8d:43:b6:9b:dd:22:2b:d6:ed:3b:c2:cb:57:53: + 4a:c6:66:99:40:bf:d3:8a:ed:50:36:43:31:af:b9:cd:f8:0f: + 6e:fe:ac:62:ad:99:11:9b:14:4b:36:c9:b2:8e:ce:cc:db:1f: + 4a:10:f2:d2:0e:a0:f6:a0:db:11:34:af:9a:44:58:cd:52:29: + 2c:09:18:0f:9d:e8:e9:5c:da:75:12:3c:e0:64:5f:26:33:87: + a4:56:78:ad:bc:18:c5:0a:1a:e1:20:87:d5:94:15:14:f9:f7: + 26:a6:52:9a:99:92:d7:98:ef:7a:6b:35:f6:29:14:a2:e9:0f: + 45:27:09:dd:4e:79:ce:93:6b:35:7e:75:5f:1e:22:b6:da:32: + 03:ff:3f:0c:6c:d1:0c:b8:d7:61:0f:cb:b7:de:df:e0:4b:10: + bd:c5:50:50:d4:e9:ce:6c:82:54:ff:e2:53:d7:2a:b6:eb:22: + 8d:41:8f:68:f1:b7:b5:6f:f2:64:f1:40:5a:e1:fc:b1:e5:9a: + f5:a7:3a:5f:62:0b:44:e2:47:e0:0a:a1:38:6a:17:f0:60:72: + 2f:53:b9:0b:14:35:cf:c2:45:71:7d:88:9f:64:df:8b:64:fe: + 
76:36:51:40:09:d2:8f:73:96:6e:73:31:29:95:95:6e:dd:3a: + d1:84:8e:07:1c:54:1e:a1:e0:17:2f:0f:a5:36:a3:32:de:6f: + 3d:ea:59:25:77:22:8b:09:2e:1f:3a:17:f6:98:1a:82:8a:36: + 26:90:af:e6:61:99:e0:49:9d:7d:a2:e5:dc:f7:04:0f:6c:4a: + dc:61:b6:95:8a:84:b8:2c:62:05:2e:bd:87:ac:4e:87:17:bc: + b2:a8:05:4b:85:ae:61:43:3b:be:0a:7c:00:4e:33:30:d0:0d: + dd:82:1f:99:d6:73:3d:a2:d0:55:de:ca:09:85:44:f9:8c:ec: + f9:71:2c:21:36:a0:67:fe:43:af:9b:cf:33:d4:2c:9a:6c:e3: + 5e:ba:82:4b:86:3f:78:f7:fc:0d:8a:79:3e:c8:65:9e:b5:0e: + b0:57:fe:2c:85:48:ce:7f +-----BEGIN CERTIFICATE----- +MIIGXTCCBEWgAwIBAgIQDbxTU/GkWINuI8PblzMWmTANBgkqhkiG9w0BAQsFADBI +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEnMCUGA1UEAxMeRmFrZSBS +b290IENBIGZvciB6bGludCB0ZXN0aW5nMB4XDTI0MDkzMDEzMzMxNFoXDTI5MDky +OTEzMzMxNFowcDELMAkGA1UEBhMCWFgxEzARBgNVBAgTClNvbWUgU3RhdGUxFjAU +BgNVBAcTDVNvbWUgTG9jYWxpdHkxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMT +GUZha2UgQ0EgZm9yIHpsaW50IHRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQCXDl7Oab7msaFjFzD2zjmCiYX2jwrk4euPsASPF7q9fdudnQyj +o2a8B7FSlhdXGbBJ0nh/vuQNJ4P2i3fwFvNOCPGgGhwhTIgBdhcs1/1+O4L/tIxY +wy3qg+Gf6F3XbcgKjXlkT4YIccNIHYVJYWN76r5gN6rzAOj5fq8uEec7i/dp2Fvx +neVLcG3hXhrY2ldUTWs7EA8lx9njGxq9yZEQV6o8kx8QC7FugrR7ZHZjQpxirYHW +o1EdvyRaFbfiOJv5yX418+NMf9ZMwiFBJ0Y3dMgJwa4VUYBbuGdV95MLe0y7VnoT +7zzKHZcSeol/kfbgqlK/fY3kjv9JO1LLwTyCBdPvliNwNYU6gtmC/f+wwL8HiahI +hWPyk+P6auMTI8ZOCmFv9BB3WCtKrNffq+XJFvx13Qk3IyAojU8aqJhZO1Um0kPZ +J0odOeLF/yyXgC2HXytO4qlau8Q5HGfmlyoqq/0nqRPdaC73Z10WG4ysy3H4zImM +FEm+zdVR2QAjb+7eAJQJmUQVQ9QDsBPGztyNfOOMxBZTJI9em6hza6l9sve8quH+ +OmJvwKOWGAMlS85+dupciFZtIeBjACwerC8k1VGgPiS0zlISkjwwgcynwbVe6T5D +MaBRCDIUd5FJ9UY0mgmxiK/2C4BrmXbI9QPAUjHIKcRqfIgQapxUxIdxFwIDAQAB +o4IBGTCCARUwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRcSsyDmrK9b1/QTtJD +MwgAK3BJzjAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEF +BQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9v 
+Y3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAt +BgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMA0G +CSqGSIb3DQEBCwUAA4ICAQCHp6/O61kLoindHuqHj0Tq0snL5nSBcyJpwS+NgbOE +aqLS3KY4M7w0auCxSQbtBxMQQyPXVCZ/dpgksmSEgUhVGopDn2iO8+rRmf7xOWqu +whLMolCA1Bh0F4jYmtWpLBuyIzrY3/E2AJ+Gu3wRB7DajUO2m90iK9btO8LLV1NK +xmaZQL/Tiu1QNkMxr7nN+A9u/qxirZkRmxRLNsmyjs7M2x9KEPLSDqD2oNsRNK+a +RFjNUiksCRgPnejpXNp1EjzgZF8mM4ekVnitvBjFChrhIIfVlBUU+fcmplKamZLX +mO96azX2KRSi6Q9FJwndTnnOk2s1fnVfHiK22jID/z8MbNEMuNdhD8u33t/gSxC9 +xVBQ1OnObIJU/+JT1yq26yKNQY9o8be1b/Jk8UBa4fyx5Zr1pzpfYgtE4kfgCqE4 +ahfwYHIvU7kLFDXPwkVxfYifZN+LZP52NlFACdKPc5ZuczEplZVu3TrRhI4HHFQe +oeAXLw+lNqMy3m896lkldyKLCS4fOhf2mBqCijYmkK/mYZngSZ19ouXc9wQPbErc +YbaVioS4LGIFLr2HrE6HF7yyqAVLha5hQzu+CnwATjMw0A3dgh+Z1nM9otBV3soJ +hUT5jOz5cSwhNqBn/kOvm88z1CyabONeuoJLhj949/wNink+yGWetQ6wV/4shUjO +fw== +-----END CERTIFICATE----- diff --git a/v3/testdata/cacp_c1r0p1m0a0b0e1.pem b/v3/testdata/cacp_c1r0p1m0a0b0e1.pem new file mode 100644 index 000000000..6f5d09ed7 --- /dev/null +++ b/v3/testdata/cacp_c1r0p1m0a0b0e1.pem 
@@ -0,0 +1,142 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 38:17:a3:f9:44:08:20:83:01:93:08:c7:32:58:2f:c3 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Sep 30 13:37:15 2024 GMT + Not After : Sep 29 13:37:15 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:95:76:96:65:af:e9:2e:e2:b6:c9:11:4b:43:72: + 04:c5:4d:75:40:d9:05:3e:67:9e:a2:31:b5:b9:91: + 82:e4:f8:d5:dd:e8:af:e6:45:c4:af:57:54:2c:bb: + 28:1e:c8:df:9f:86:da:2b:80:79:12:99:3c:41:cf: + 6d:85:73:fa:71:9c:77:8f:1d:93:b4:2b:40:60:60: + e4:90:61:bc:6b:9f:01:1e:53:4b:eb:a9:c0:cd:91: + a8:12:c4:e9:41:21:3c:18:d9:df:49:0d:ca:ee:49: + f0:11:1e:eb:87:7e:e7:ac:dc:8e:ee:aa:a8:a8:4d: + a1:6d:48:02:11:d3:7f:17:59:4c:4f:d8:7d:b9:be: + 9c:5e:3d:ec:c7:85:fd:c7:41:e5:c4:91:db:fc:23: + b4:79:7b:41:68:f2:ab:04:f9:13:19:e5:e7:f3:cc: + 20:c8:99:39:24:8b:ed:b8:12:42:3f:7e:1c:41:c1: + 8f:21:f2:81:90:4b:b2:58:6c:a9:ad:1f:cc:87:f3: + eb:b4:a5:ca:53:a2:a9:1a:e6:03:b3:e3:47:8b:e8: + 1f:9e:4b:30:64:79:21:7f:0e:b2:74:93:b2:ca:83: + 13:4f:03:f3:c8:e7:a1:6e:ea:90:30:e7:57:18:aa: + ea:8f:9e:b9:0d:32:2b:2c:54:6b:a1:fd:ad:21:49: + 2a:49:26:aa:54:f3:48:50:5c:c7:47:c0:57:1a:cb: + af:12:34:19:58:dc:cf:3a:77:01:bd:44:a7:a0:04: + 0f:dc:05:8e:0e:b1:5c:8c:91:cf:0d:04:37:e7:e8: + aa:7b:c0:c8:96:16:91:a0:ed:cc:cf:0e:92:4e:74: + 1b:32:ab:63:ba:2a:6d:e8:a8:27:87:ea:36:59:a6: + 80:15:d8:83:d5:0d:14:3a:01:8f:a7:4f:0d:0a:fd: + 28:77:c9:b8:96:c0:e4:8d:a2:31:70:a5:31:23:f3: + 6e:d0:78:5d:30:8d:4f:7d:34:7f:99:49:1b:7b:b5: + 1e:86:b4:b9:d7:3b:c9:69:2f:7d:e7:8e:f5:d9:3c: + c2:56:a7:38:90:0e:f9:16:ec:d6:29:1e:1a:16:52: + 51:13:ff:b3:09:51:6a:d0:37:c7:40:bc:7a:e0:67: + a1:4f:4e:a2:56:a2:d1:a5:b0:99:ad:9c:b7:c1:b9: + 87:e4:4e:2e:f5:da:d5:88:f7:de:f5:01:a7:22:d0: + 
50:b9:87:98:4f:87:f7:c2:02:75:80:a7:23:96:2b: + 6e:4d:25:ba:d7:f1:ed:c4:71:57:31:f5:8d:c7:5b: + 48:47:df:f4:f1:f6:ad:ec:5c:8a:fc:9b:7f:ec:7d: + 05:46:13:e7:30:f1:a8:71:95:be:70:bc:90:eb:22: + a8:9b:eb + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 51:FA:67:76:4F:C8:4C:0A:F9:A7:14:A4:98:27:01:AC:23:39:16:87 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: 1.2.3.4.5 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 4c:02:45:b9:f3:82:aa:12:eb:56:ab:34:d3:4b:02:9f:ef:67: + 07:d7:8a:5d:7d:2b:21:4d:13:e3:cc:70:99:2a:2d:62:b3:94: + cc:68:a7:94:ca:9e:fe:85:14:48:5a:68:70:7a:31:a4:e1:1a: + 7c:45:4a:8a:48:4f:77:08:e3:a7:e1:3e:92:95:e6:60:ad:bf: + 6d:f0:40:d1:bb:40:72:90:f9:0a:54:d3:cc:cc:a8:72:ff:6b: + 54:6f:d4:d5:f5:bf:f7:65:f4:7c:27:1f:18:5f:83:e0:f3:5e: + f0:0e:6a:28:2c:84:c0:a2:0f:3f:d2:a7:d9:1f:90:1a:ee:3e: + db:5e:61:14:01:a4:00:b9:15:7f:a2:cb:41:ed:29:57:d5:02: + 7d:2c:a3:a8:35:a7:08:39:95:97:27:72:6d:bc:a8:05:b1:73: + 98:37:3a:86:ab:65:ce:39:56:5b:ae:b9:c6:1f:74:2f:71:6c: + 91:b2:46:18:5c:e7:75:fc:70:9b:ee:6b:b1:18:b5:61:65:39: + 75:7a:61:a9:8c:6c:47:7c:01:53:3d:21:91:9e:27:a2:ce:74: + ca:05:28:da:7b:13:c9:c0:6e:06:91:5a:48:2c:3f:ef:f9:68: + 9b:63:df:77:31:c9:44:ed:9a:b1:48:c4:d7:23:19:48:21:4a: + a8:0d:d1:9d:ff:00:9b:e7:9b:cb:5c:bc:85:ad:66:67:ee:21: + ed:81:83:89:cb:6e:14:cf:0e:61:8c:9a:a7:32:3c:94:ff:ec: + b3:b7:f5:b1:49:ab:8c:20:5e:39:21:d3:31:c9:cf:b7:d5:ac: + 87:b2:6b:83:84:29:70:50:9b:cc:a3:60:a1:f5:81:b3:37:4a: + 
dd:12:2b:01:e5:79:8a:d3:c4:dd:b9:67:1f:cd:b7:f0:8e:d5: + f8:e3:ef:51:00:1c:c2:ff:15:f5:d9:d8:2d:b5:f0:59:a1:7c: + 59:7e:a4:da:3f:4a:48:d9:5e:e2:48:34:e0:e0:e2:30:74:60: + 28:03:ad:d2:92:ac:0f:a1:c7:69:75:00:44:a1:00:ae:f0:e5: + f5:3c:c2:18:05:16:18:c6:ad:cf:9e:c9:47:f9:c9:97:f1:c2: + e7:98:19:33:db:4c:bb:2e:cd:86:d1:e9:7a:4a:9d:8d:fc:27: + 14:25:b9:57:02:59:0c:62:3c:5e:f5:ff:00:ae:05:da:00:d6: + de:57:d4:7b:77:47:44:6b:74:6e:c5:32:fd:db:fe:76:46:49: + 2b:53:e9:12:7b:c9:b9:9a:3c:4f:b7:f7:2b:13:12:04:50:ae: + 3d:14:6e:94:ca:54:3b:bb:06:e5:4a:db:c1:ab:29:54:aa:10: + 55:90:c7:3a:c9:ef:7e:c0 +-----BEGIN CERTIFICATE----- +MIIGcDCCBFigAwIBAgIQOBej+UQIIIMBkwjHMlgvwzANBgkqhkiG9w0BAQsFADBI +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEnMCUGA1UEAxMeRmFrZSBS +b290IENBIGZvciB6bGludCB0ZXN0aW5nMB4XDTI0MDkzMDEzMzcxNVoXDTI5MDky +OTEzMzcxNVowcDELMAkGA1UEBhMCWFgxEzARBgNVBAgTClNvbWUgU3RhdGUxFjAU +BgNVBAcTDVNvbWUgTG9jYWxpdHkxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMT +GUZha2UgQ0EgZm9yIHpsaW50IHRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQCVdpZlr+ku4rbJEUtDcgTFTXVA2QU+Z56iMbW5kYLk+NXd6K/m +RcSvV1QsuygeyN+fhtorgHkSmTxBz22Fc/pxnHePHZO0K0BgYOSQYbxrnwEeU0vr +qcDNkagSxOlBITwY2d9JDcruSfARHuuHfues3I7uqqioTaFtSAIR038XWUxP2H25 +vpxePezHhf3HQeXEkdv8I7R5e0Fo8qsE+RMZ5efzzCDImTkki+24EkI/fhxBwY8h +8oGQS7JYbKmtH8yH8+u0pcpToqka5gOz40eL6B+eSzBkeSF/DrJ0k7LKgxNPA/PI +56Fu6pAw51cYquqPnrkNMissVGuh/a0hSSpJJqpU80hQXMdHwFcay68SNBlY3M86 +dwG9RKegBA/cBY4OsVyMkc8NBDfn6Kp7wMiWFpGg7czPDpJOdBsyq2O6Km3oqCeH +6jZZpoAV2IPVDRQ6AY+nTw0K/Sh3ybiWwOSNojFwpTEj827QeF0wjU99NH+ZSRt7 +tR6GtLnXO8lpL33njvXZPMJWpziQDvkW7NYpHhoWUlET/7MJUWrQN8dAvHrgZ6FP +TqJWotGlsJmtnLfBuYfkTi712tWI9971Aaci0FC5h5hPh/fCAnWApyOWK25NJbrX +8e3EcVcx9Y3HW0hH3/Tx9q3sXIr8m3/sfQVGE+cw8ahxlb5wvJDrIqib6wIDAQAB +o4IBLDCCASgwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRR+md2T8hMCvmnFKSY +JwGsIzkWhzAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEF 
+BQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9v +Y3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAR +BgNVHSAECjAIMAYGBCoDBAUwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNv +bWVjYS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAgEATAJFufOCqhLrVqs0 +00sCn+9nB9eKXX0rIU0T48xwmSotYrOUzGinlMqe/oUUSFpocHoxpOEafEVKikhP +dwjjp+E+kpXmYK2/bfBA0btAcpD5ClTTzMyocv9rVG/U1fW/92X0fCcfGF+D4PNe +8A5qKCyEwKIPP9Kn2R+QGu4+215hFAGkALkVf6LLQe0pV9UCfSyjqDWnCDmVlydy +bbyoBbFzmDc6hqtlzjlWW665xh90L3FskbJGGFzndfxwm+5rsRi1YWU5dXphqYxs +R3wBUz0hkZ4nos50ygUo2nsTycBuBpFaSCw/7/lom2PfdzHJRO2asUjE1yMZSCFK +qA3Rnf8Am+eby1y8ha1mZ+4h7YGDictuFM8OYYyapzI8lP/ss7f1sUmrjCBeOSHT +McnPt9Wsh7Jrg4QpcFCbzKNgofWBszdK3RIrAeV5itPE3blnH8238I7V+OPvUQAc +wv8V9dnYLbXwWaF8WX6k2j9KSNle4kg04ODiMHRgKAOt0pKsD6HHaXUARKEArvDl +9TzCGAUWGMatz57JR/nJl/HC55gZM9tMuy7NhtHpekqdjfwnFCW5VwJZDGI8XvX/ +AK4F2gDW3lfUe3dHRGt0bsUy/dv+dkZJK1PpEnvJuZo8T7f3KxMSBFCuPRRulMpU +O7sG5UrbwaspVKoQVZDHOsnvfsA= +-----END CERTIFICATE----- diff --git a/v3/testdata/cacp_c1r0p1m0a0b1e1.pem b/v3/testdata/cacp_c1r0p1m0a0b1e1.pem new file mode 100644 index 000000000..5722ad948 --- /dev/null +++ b/v3/testdata/cacp_c1r0p1m0a0b1e1.pem 
@@ -0,0 +1,142 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + b7:fb:1e:7b:22:e2:3c:32:2a:8d:3a:e5:0c:f4:93:3e + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Oct 4 03:58:26 2024 GMT + Not After : Oct 3 03:58:26 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:d2:5a:d9:f1:1f:a1:38:f9:e3:a7:18:a3:85:05: + 85:ec:f5:53:31:76:71:c1:97:22:8d:11:28:06:e4: + a0:c2:36:d9:2d:9c:96:e4:cc:f9:b1:cd:1f:1b:dd: + 01:83:f2:8f:d1:0b:85:64:5f:ec:2a:fb:32:0e:56: + d7:fc:29:82:1d:c8:3f:dd:40:5f:7f:8d:15:18:dd: + a7:18:be:17:de:c1:82:a4:0c:dc:e1:a1:ba:1d:4b: + 54:59:ed:1c:05:92:35:da:bc:b5:42:f8:d0:3e:ce: + 1a:50:79:b7:1b:b0:51:d1:27:26:94:6b:a9:a0:84: + 09:e1:96:82:09:e9:0f:bb:e4:ba:a5:c2:71:05:9c: + e1:fc:52:6b:79:fd:37:6b:ce:d6:df:4a:60:28:d0: + d7:92:05:06:2d:bd:d7:b5:18:c0:ad:3b:c4:a3:7b: + 96:70:23:29:9a:91:20:61:66:be:b1:66:ac:b3:93: + a3:8d:4a:2e:ac:89:4b:3a:2a:b0:6e:d4:9f:95:81: + f6:09:a9:2c:58:60:f8:76:03:34:1d:7c:96:43:28: + 4f:46:ff:90:83:10:e7:ed:66:30:75:e3:24:60:9a: + e3:42:aa:67:68:83:9b:fa:c6:ed:47:6d:c8:ee:b6: + 29:f6:7b:8a:9c:cd:8e:67:9f:cd:dd:32:96:78:11: + 91:49:37:57:2e:10:0c:fc:64:8c:b5:37:59:dc:b8: + 79:f4:9a:e9:44:5a:bd:34:92:2b:fb:e6:0a:c3:bc: + b6:e5:c3:ff:23:2a:cf:27:0c:5a:a1:14:af:ba:1e: + 41:53:3e:2e:77:40:58:60:89:31:6a:c2:45:1c:c8: + 7f:9b:1b:8a:8e:1c:64:44:55:03:74:51:75:45:7f: + c8:f1:ad:f0:b1:44:7a:ad:b6:26:bc:39:1a:0e:2f: + 1c:d6:e2:ae:41:eb:88:46:90:2d:52:e3:0f:18:7f: + 69:7a:f4:24:ff:9e:c2:5a:ac:78:40:27:29:30:0f: + 9f:5d:d9:00:2d:95:85:c3:bf:6d:24:a7:ef:88:65: + bc:8f:8c:44:0f:86:a6:ef:2a:20:62:d0:ce:96:fc: + 11:f0:8b:ff:22:b5:88:47:16:1b:b4:b0:2b:fa:b0: + b8:12:d7:2e:a7:27:c8:b5:34:91:65:d1:76:0d:01: + 83:17:02:86:de:46:4f:3f:c6:c6:cb:c4:89:39:56: + 
fc:ca:6a:47:4f:c8:67:3e:2e:d2:b3:82:b2:9e:b1: + 74:79:84:fa:b0:62:85:5d:51:51:6f:1a:30:51:86: + 1f:4b:12:10:9f:af:83:7f:1c:35:f9:53:4b:e3:14: + ce:3a:f5:ff:22:c8:27:fa:6c:8c:87:0a:5a:b5:e1: + d4:5c:45 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 76:88:80:DD:78:C1:68:BE:DF:5D:25:52:92:54:45:68:8D:D3:A8:B7 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 92:08:59:96:db:d3:6e:d9:0d:8a:19:d7:fb:b6:d0:ec:b8:97: + 10:f5:55:79:dc:13:b9:87:7c:d5:b0:6d:7a:da:c3:72:52:1d: + 54:e2:89:49:f3:13:81:c4:b3:92:cf:ba:c9:be:f9:cf:69:88: + 91:9c:58:75:82:40:95:6c:73:49:46:f1:ef:e6:3f:fc:70:d4: + 9f:5c:1c:f8:d5:d1:50:19:09:c0:cd:29:b4:1c:fc:db:89:02: + 25:8c:19:f3:4c:8f:f3:84:72:dd:0b:1e:bb:b2:fb:37:71:fc: + b4:03:4e:f0:6c:ff:a8:39:7f:0e:64:82:2c:1c:c4:ce:93:87: + a9:82:73:7e:41:c0:a7:f0:ea:ff:5f:7f:7c:61:fd:bf:53:e7: + 96:04:cd:ce:30:82:b1:56:1d:8e:42:88:c3:f1:05:98:33:11: + b9:58:66:7a:71:e5:1b:f2:f1:18:b4:cb:e9:63:a3:23:81:82: + b1:7e:9d:c5:1c:1e:fe:fa:46:86:25:b6:25:42:2d:d4:ed:02: + 3b:62:48:7d:5d:41:a6:63:06:b0:a1:f3:d5:92:cd:28:21:51: + fc:ff:cd:18:1f:b3:78:33:d5:ce:03:9b:28:36:b5:1a:89:0a: + 04:ed:77:b7:b5:72:13:18:be:93:33:24:4b:d1:1d:01:75:38: + b3:b3:f0:87:39:7e:f2:d6:25:2a:56:d8:4d:5b:26:06:54:06: + dc:0a:44:0c:1f:f1:ed:6a:2e:58:6d:ae:de:63:1d:0e:32:57: + 6d:7a:5d:fe:54:d7:98:ad:15:02:b3:2c:30:27:b5:54:c5:57: + 82:3b:f6:d3:4e:08:22:7c:b6:7f:51:d6:15:7b:77:e9:5c:8b: + 
fb:75:0d:2a:ee:31:79:92:60:2a:2f:2c:ed:ec:c3:88:58:42: + 80:bb:f3:64:80:37:4e:ce:80:8d:b7:0c:65:32:cf:c6:e8:0f: + cf:66:14:08:5a:d9:2d:b8:8d:c9:c6:34:ce:77:83:39:ed:55: + 3a:51:fc:a8:c6:c3:89:db:2e:03:2c:74:9b:42:1d:e7:63:32: + 8d:9e:9c:06:91:16:09:de:99:c8:08:85:68:17:55:b0:97:4d: + e8:a4:71:4b:ab:db:88:3c:1f:dd:dd:ec:64:e5:54:b7:2c:ed: + c0:ea:d2:1f:71:e4:48:54:04:c7:ad:18:06:80:9a:e7:c3:f6: + 1d:bc:0d:f0:52:d8:75:60:bb:03:ec:cd:2c:08:29:13:d4:41: + 9b:15:36:e6:88:1c:2c:d4:70:6a:5e:82:e2:85:34:3e:ee:90: + a8:1d:ea:f5:f2:94:9e:22:26:71:da:ab:58:c2:da:41:9b:c0: + 2b:2f:3c:e3:c4:26:9b:19 +-----BEGIN CERTIFICATE----- +MIIGczCCBFugAwIBAgIRALf7Hnsi4jwyKo065Qz0kz4wDQYJKoZIhvcNAQELBQAw +SDELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExJzAlBgNVBAMTHkZha2Ug +Um9vdCBDQSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDEwMDQwMzU4MjZaFw0yOTEw +MDMwMzU4MjZaMHAxCzAJBgNVBAYTAlhYMRMwEQYDVQQIEwpTb21lIFN0YXRlMRYw +FAYDVQQHEw1Tb21lIExvY2FsaXR5MRAwDgYDVQQKEwdTb21lIENBMSIwIAYDVQQD +ExlGYWtlIENBIGZvciB6bGludCB0ZXN0aW5nMIICIjANBgkqhkiG9w0BAQEFAAOC +Ag8AMIICCgKCAgEA0lrZ8R+hOPnjpxijhQWF7PVTMXZxwZcijREoBuSgwjbZLZyW +5Mz5sc0fG90Bg/KP0QuFZF/sKvsyDlbX/CmCHcg/3UBff40VGN2nGL4X3sGCpAzc +4aG6HUtUWe0cBZI12ry1QvjQPs4aUHm3G7BR0ScmlGupoIQJ4ZaCCekPu+S6pcJx +BZzh/FJref03a87W30pgKNDXkgUGLb3XtRjArTvEo3uWcCMpmpEgYWa+sWass5Oj +jUourIlLOiqwbtSflYH2CaksWGD4dgM0HXyWQyhPRv+QgxDn7WYwdeMkYJrjQqpn +aIOb+sbtR23I7rYp9nuKnM2OZ5/N3TKWeBGRSTdXLhAM/GSMtTdZ3Lh59JrpRFq9 +NJIr++YKw7y25cP/IyrPJwxaoRSvuh5BUz4ud0BYYIkxasJFHMh/mxuKjhxkRFUD +dFF1RX/I8a3wsUR6rbYmvDkaDi8c1uKuQeuIRpAtUuMPGH9pevQk/57CWqx4QCcp +MA+fXdkALZWFw79tJKfviGW8j4xED4am7yogYtDOlvwR8Iv/IrWIRxYbtLAr+rC4 +EtcupyfItTSRZdF2DQGDFwKG3kZPP8bGy8SJOVb8ympHT8hnPi7Ss4KynrF0eYT6 +sGKFXVFRbxowUYYfSxIQn6+Dfxw1+VNL4xTOOvX/Isgn+myMhwpateHUXEUCAwEA +AaOCAS4wggEqMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDAgYI +KwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUdoiA3XjBaL7fXSVS +klRFaI3TqLcwHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYIKwYB 
+BQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20v +b2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jvb3Qw +EwYDVR0gBAwwCjAIBgZngQwBAgIwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2Nh +LnNvbWVjYS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAgEAkghZltvTbtkN +ihnX+7bQ7LiXEPVVedwTuYd81bBtetrDclIdVOKJSfMTgcSzks+6yb75z2mIkZxY +dYJAlWxzSUbx7+Y//HDUn1wc+NXRUBkJwM0ptBz824kCJYwZ80yP84Ry3Qseu7L7 +N3H8tANO8Gz/qDl/DmSCLBzEzpOHqYJzfkHAp/Dq/19/fGH9v1PnlgTNzjCCsVYd +jkKIw/EFmDMRuVhmenHlG/LxGLTL6WOjI4GCsX6dxRwe/vpGhiW2JUIt1O0CO2JI +fV1BpmMGsKHz1ZLNKCFR/P/NGB+zeDPVzgObKDa1GokKBO13t7VyExi+kzMkS9Ed +AXU4s7Pwhzl+8tYlKlbYTVsmBlQG3ApEDB/x7WouWG2u3mMdDjJXbXpd/lTXmK0V +ArMsMCe1VMVXgjv2004IIny2f1HWFXt36VyL+3UNKu4xeZJgKi8s7ezDiFhCgLvz +ZIA3Ts6AjbcMZTLPxugPz2YUCFrZLbiNycY0zneDOe1VOlH8qMbDidsuAyx0m0Id +52MyjZ6cBpEWCd6ZyAiFaBdVsJdN6KRxS6vbiDwf3d3sZOVUtyztwOrSH3HkSFQE +x60YBoCa58P2HbwN8FLYdWC7A+zNLAgpE9RBmxU25ogcLNRwal6C4oU0Pu6QqB3q +9fKUniImcdqrWMLaQZvAKy8848Qmmxk= +-----END CERTIFICATE----- diff --git a/v3/testdata/cacp_c1r0p1m0a1b0e1.pem b/v3/testdata/cacp_c1r0p1m0a1b0e1.pem new file mode 100644 index 000000000..726c2038f --- /dev/null +++ b/v3/testdata/cacp_c1r0p1m0a1b0e1.pem 
@@ -0,0 +1,142 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 72:84:e1:a7:fe:18:ff:12:c2:1e:fd:fe:b4:e7:81:fe + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Oct 13 08:42:09 2024 GMT + Not After : Oct 12 08:42:09 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:bd:f5:40:94:02:eb:da:39:d2:f9:e3:ec:6a:33: + 13:df:60:93:bd:7d:16:07:f6:8f:c4:73:b0:fa:f6: + 42:3e:06:d5:29:fc:11:51:61:02:75:96:c5:8c:da: + 02:68:47:cc:d5:05:83:4b:00:6b:27:e7:69:47:48: + d6:d3:c0:f3:ba:c6:83:0f:b6:e4:f7:d0:83:fa:ff: + 01:3b:df:dc:e4:55:5f:96:82:58:bd:95:89:09:fb: + 32:14:d5:02:63:3d:2e:dd:a8:8e:af:9e:f7:0b:2d: + 19:b2:aa:73:15:c3:ff:a7:ba:dd:c6:97:0d:d7:bc: + 29:e4:cf:51:15:2c:db:6c:fb:70:78:f1:ea:22:7f: + d0:cf:21:09:9e:da:96:fd:ba:38:e4:4c:34:05:c8: + d4:11:c2:2b:77:bc:b4:e1:46:c8:e9:5f:cb:13:01: + c2:fe:fd:7b:e1:89:8b:5e:f8:67:e3:3c:93:8e:2a: + 80:1c:06:4b:c7:49:ed:2f:a0:01:a1:35:af:2a:90: + 57:2b:b7:15:d6:8c:30:41:d9:d2:4e:95:eb:4c:12: + c9:3a:9f:a2:0f:3e:70:af:71:23:ea:c2:38:de:d8: + 4c:6b:cd:e2:c1:5b:b3:c8:71:f0:97:5a:5d:90:5d: + 29:a8:45:e1:a7:04:0f:2d:6c:24:fd:c9:1a:06:12: + 62:e8:e6:6e:53:f3:54:5b:e8:8d:94:49:84:97:9b: + 43:a6:50:b9:8c:ac:65:31:9f:5e:7c:f1:53:fc:e3: + f8:30:e0:75:ae:81:51:4c:f0:87:fc:b6:b9:fd:05: + 5e:2c:51:3e:68:e7:af:b6:b2:ee:0a:19:ac:19:17: + 39:62:71:fd:e8:e0:af:e5:d3:fa:a1:25:aa:49:60: + 64:b0:e0:74:c5:8c:bf:a4:1e:b8:3e:33:8a:a5:f6: + e8:8f:53:59:05:46:04:b8:d7:ab:92:ae:92:4d:2a: + 4d:0e:7e:ab:dd:ec:57:ba:5e:a5:73:75:16:6a:fd: + 91:87:dd:c7:98:fe:f6:71:b8:0b:0f:d5:ad:4d:9b: + c0:ab:5d:89:f6:7a:b2:9f:7c:78:7c:e0:ad:fb:99: + 99:d1:08:90:02:6f:67:38:4b:8a:1c:1e:ec:cd:ea: + 19:2f:e1:c8:c7:da:4d:ae:13:5b:44:1d:78:0a:8a: + cb:1e:cb:bf:61:8a:50:d9:a9:01:b6:9b:30:34:4c: + 
ca:1e:99:91:f1:be:14:c9:ea:7a:9c:15:e8:f1:99: + ce:f0:e9:89:6f:a3:f5:d8:7e:80:07:34:98:6d:77: + f4:59:f5:e7:d3:63:f8:12:d5:68:c1:cd:ed:44:3c: + 01:bb:d7:45:22:12:f1:f4:ff:cf:24:fa:55:c9:5a: + 83:58:9d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 3C:B4:B4:3B:9F:6F:7B:F9:8F:73:A2:E7:46:1E:CC:D0:86:7E:E7:61 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + b4:aa:60:21:ea:f2:86:53:d3:be:7b:8b:9f:4f:bb:97:cc:02: + a9:30:fb:44:23:a2:e8:ba:02:7a:1e:8f:df:49:c6:ff:1b:74: + 76:2e:ec:cd:b7:47:c6:85:80:91:19:b0:1a:0f:da:35:03:3c: + e0:55:10:1e:20:41:00:c6:fc:df:d8:70:39:34:d0:86:ee:4c: + 3c:a5:27:50:a6:b6:c0:93:0a:a2:75:bf:e9:31:07:9f:58:36: + 02:2b:30:56:93:9c:c8:37:12:27:0b:f0:ad:65:d7:a6:6c:44: + ee:7d:13:a9:15:fa:ab:fa:79:9c:d9:39:07:d4:a4:0f:8b:27: + c4:6f:cf:02:e3:3a:30:8f:16:4b:c7:4e:6d:94:b7:e0:a4:9f: + 97:02:34:cd:9e:17:84:bc:ab:18:ed:22:31:75:ef:19:17:99: + 7e:ea:80:78:67:3c:b8:d6:2d:fa:bd:70:1d:bd:9e:5d:4e:dd: + 0b:44:d1:dc:9a:95:03:e3:a0:07:06:58:03:e7:1b:fe:06:c1: + a6:31:78:03:cb:1e:72:68:33:ce:c1:42:75:9a:0d:e0:18:42: + 0d:81:47:52:c7:15:d4:5b:ab:0d:c0:98:ee:02:fc:6e:c6:24: + 91:e3:ee:d4:b3:3f:d0:b9:56:85:9d:9a:d6:42:99:7d:af:73: + 4a:3e:c0:93:90:1e:e0:2a:c7:52:e5:a6:bd:ef:2f:af:45:3a: + 7f:4b:86:5d:e5:5a:9c:b2:e6:83:fc:70:00:7d:56:31:93:16: + 94:32:20:91:3a:fd:44:dd:32:fd:09:f1:5d:fc:cb:1f:0d:ee: + 8b:dd:14:09:7a:17:3f:8a:69:cf:e4:1d:75:10:c1:8e:a5:78: + 
13:53:7e:b4:79:f4:d3:b8:eb:72:aa:ae:d5:81:93:e3:95:8d: + d3:be:8d:2c:e4:e2:c8:07:ca:08:28:9f:6e:50:3c:77:d1:47: + 67:93:f9:bb:8b:4e:e3:ae:83:ff:d9:05:af:19:f5:40:02:db: + 89:97:b6:87:44:31:fb:11:ef:fe:45:c3:1a:bf:f2:e1:66:59: + 55:7c:bb:64:ee:db:3b:ae:62:80:62:d6:2f:61:cf:23:38:94: + f6:d9:29:d3:54:a4:15:1e:e5:f5:01:43:51:e2:7d:1a:40:f8: + ec:52:33:e8:6b:db:d5:d0:72:17:ef:27:0c:96:e8:6b:d8:4f: + 50:64:3b:b0:87:9e:cb:2a:4e:0a:a5:2f:4b:9b:a1:e4:a9:65: + 64:9c:66:7e:24:98:99:ab:d2:22:39:30:2c:51:57:2b:15:34: + 0e:41:d3:b5:64:c1:40:4b:9e:6b:ea:6e:77:c6:68:f2:98:23: + f0:f9:8a:fb:ac:38:5e:b0 +-----BEGIN CERTIFICATE----- +MIIGcDCCBFigAwIBAgIQcoThp/4Y/xLCHv3+tOeB/jANBgkqhkiG9w0BAQsFADBI +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEnMCUGA1UEAxMeRmFrZSBS +b290IENBIGZvciB6bGludCB0ZXN0aW5nMB4XDTI0MTAxMzA4NDIwOVoXDTI5MTAx +MjA4NDIwOVowcDELMAkGA1UEBhMCWFgxEzARBgNVBAgTClNvbWUgU3RhdGUxFjAU +BgNVBAcTDVNvbWUgTG9jYWxpdHkxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMT +GUZha2UgQ0EgZm9yIHpsaW50IHRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQC99UCUAuvaOdL54+xqMxPfYJO9fRYH9o/Ec7D69kI+BtUp/BFR +YQJ1lsWM2gJoR8zVBYNLAGsn52lHSNbTwPO6xoMPtuT30IP6/wE739zkVV+Wgli9 +lYkJ+zIU1QJjPS7dqI6vnvcLLRmyqnMVw/+nut3Glw3XvCnkz1EVLNts+3B48eoi +f9DPIQme2pb9ujjkTDQFyNQRwit3vLThRsjpX8sTAcL+/XvhiYte+GfjPJOOKoAc +BkvHSe0voAGhNa8qkFcrtxXWjDBB2dJOletMEsk6n6IPPnCvcSPqwjje2ExrzeLB +W7PIcfCXWl2QXSmoReGnBA8tbCT9yRoGEmLo5m5T81Rb6I2USYSXm0OmULmMrGUx +n1588VP84/gw4HWugVFM8If8trn9BV4sUT5o56+2su4KGawZFzlicf3o4K/l0/qh +JapJYGSw4HTFjL+kHrg+M4ql9uiPU1kFRgS416uSrpJNKk0Ofqvd7Fe6XqVzdRZq +/ZGH3ceY/vZxuAsP1a1Nm8CrXYn2erKffHh84K37mZnRCJACb2c4S4ocHuzN6hkv +4cjH2k2uE1tEHXgKissey79hilDZqQG2mzA0TMoemZHxvhTJ6nqcFejxmc7w6Ylv +o/XYfoAHNJhtd/RZ9efTY/gS1WjBze1EPAG710UiEvH0/88k+lXJWoNYnQIDAQAB +o4IBLDCCASgwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ8tLQ7n297+Y9zoudG +HszQhn7nYTAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEF 
+BQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9v +Y3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAR +BgNVHSAECjAIMAYGBFUdIAAwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNv +bWVjYS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAgEAtKpgIeryhlPTvnuL +n0+7l8wCqTD7RCOi6LoCeh6P30nG/xt0di7szbdHxoWAkRmwGg/aNQM84FUQHiBB +AMb839hwOTTQhu5MPKUnUKa2wJMKonW/6TEHn1g2AiswVpOcyDcSJwvwrWXXpmxE +7n0TqRX6q/p5nNk5B9SkD4snxG/PAuM6MI8WS8dObZS34KSflwI0zZ4XhLyrGO0i +MXXvGReZfuqAeGc8uNYt+r1wHb2eXU7dC0TR3JqVA+OgBwZYA+cb/gbBpjF4A8se +cmgzzsFCdZoN4BhCDYFHUscV1FurDcCY7gL8bsYkkePu1LM/0LlWhZ2a1kKZfa9z +Sj7Ak5Ae4CrHUuWmve8vr0U6f0uGXeVanLLmg/xwAH1WMZMWlDIgkTr9RN0y/Qnx +XfzLHw3ui90UCXoXP4ppz+QddRDBjqV4E1N+tHn007jrcqqu1YGT45WN076NLOTi +yAfKCCifblA8d9FHZ5P5u4tO466D/9kFrxn1QALbiZe2h0Qx+xHv/kXDGr/y4WZZ +VXy7ZO7bO65igGLWL2HPIziU9tkp01SkFR7l9QFDUeJ9GkD47FIz6Gvb1dByF+8n +DJboa9hPUGQ7sIeeyypOCqUvS5uh5KllZJxmfiSYmavSIjkwLFFXKxU0DkHTtWTB +QEuea+pud8Zo8pgj8PmK+6w4XrA= +-----END CERTIFICATE----- diff --git a/v3/testdata/cacp_c1r0p1m1a0b0e0.pem b/v3/testdata/cacp_c1r0p1m1a0b0e0.pem new file mode 100644 index 000000000..793fe1137 --- /dev/null +++ b/v3/testdata/cacp_c1r0p1m1a0b0e0.pem 
@@ -0,0 +1,143 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2b:41:ad:6b:5e:05:c6:9d:34:77:49:d0:d3:6f:ee:a3 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Apr 23 00:00:00 2022 GMT + Not After : Apr 22 00:00:00 2027 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:d2:8f:2f:c3:db:e4:7c:a3:d1:dd:df:48:f8:ac: + 71:5e:44:f1:81:aa:74:48:5d:b2:49:2b:07:1b:ea: + 06:e2:07:c3:38:2a:df:cf:4c:03:64:e9:2f:db:f7: + e8:84:64:ea:7f:8e:33:e0:6f:e8:a6:c3:12:db:f6: + 41:9f:38:fa:69:3a:88:4b:52:cb:74:21:00:4c:e1: + 5a:e5:b1:5b:dd:8f:d7:36:52:4b:65:67:69:23:e0: + 14:aa:0b:5b:e7:af:46:f0:02:d4:9b:f2:08:9b:34: + 83:a1:69:3f:3d:66:2e:cc:94:74:06:2e:69:ce:b0: + be:fd:73:15:cf:40:02:6d:eb:b7:21:e9:5e:35:b7: + ac:f8:92:f0:35:cd:bf:a5:12:a4:f3:6f:dc:3b:0c: + 10:7b:72:fd:11:22:75:41:41:74:8a:ad:b8:b0:1a: + b4:98:38:1e:69:76:c5:af:d8:0b:6f:f2:42:e8:ea: + 7d:6b:71:b5:56:42:e5:d2:66:d5:26:62:81:d4:40: + 03:08:dc:23:04:e9:af:69:8b:8b:f4:38:42:96:7a: + 5b:66:0e:12:84:9f:3e:19:da:be:a8:b8:8d:29:c5: + e1:2f:2d:e4:e6:3b:b8:af:e1:58:a1:27:1f:fb:8a: + e0:cc:68:ce:26:00:56:4b:bb:ea:e6:7f:76:ad:da: + c1:9f:32:14:ec:7f:b8:96:b3:7a:9e:fe:69:a7:4e: + ab:89:44:cf:cd:ea:ce:ba:34:08:8e:b7:4a:05:e6: + 11:5e:0e:af:f3:a6:17:c8:b2:76:40:25:6e:b4:a2: + bf:2f:c1:8c:ce:19:88:9a:94:29:7b:a9:d3:39:2d: + d4:15:e5:c9:6d:ef:f7:9a:c4:21:00:c8:4c:45:95: + 04:15:ac:3a:9f:75:23:e9:45:28:fb:53:24:2d:dd: + 80:b6:da:20:fb:c2:ad:63:39:7d:51:c0:cf:7b:35: + 89:93:49:65:10:38:d1:76:a5:0e:9c:af:6a:51:c8: + fb:a7:a3:65:a4:2a:98:24:7b:e5:ef:46:09:51:f8: + 26:d4:c2:bb:ba:cc:9a:8b:95:db:2a:dc:a5:57:7e: + 8b:72:0b:54:4c:e2:67:48:15:6a:ec:1c:f7:43:63: + bb:24:bd:5b:9f:02:2c:6b:99:ea:9f:1c:79:0c:18: + a8:35:71:26:db:44:68:be:44:b4:db:df:10:eb:34: + 
7a:08:78:d4:01:1b:5e:fc:a9:a1:b3:fe:91:b6:99: + b4:78:18:69:c0:75:69:91:98:40:f8:56:95:06:67: + 62:56:58:b5:c8:9c:6c:e0:e8:78:76:df:6e:06:0b: + e9:57:e1:ad:94:df:55:97:cc:85:ca:2f:d8:89:ca: + 43:28:ef + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + A7:D4:F6:F3:59:93:F0:8E:D9:93:61:3F:7C:BA:A1:1E:A6:6E:07:C1 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: 1.2.3.5.7.9 + Policy: 1.2.4.6.8.10 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 19:07:36:68:dc:e2:16:b2:aa:c9:77:32:d6:9e:d9:98:c7:37: + ae:b1:dd:c7:46:55:48:09:20:5b:95:04:b0:c0:80:28:67:40: + aa:b9:de:24:c6:3e:d0:5d:d4:65:1a:17:01:7d:51:b4:9e:0b: + 88:2b:97:da:76:9f:e3:95:81:b1:c1:35:61:1b:d0:ce:8e:be: + 05:31:e3:fe:7f:07:86:83:2b:10:87:b1:23:4b:85:19:3c:6d: + a1:67:80:1e:09:17:b4:50:15:9b:50:6e:2f:9b:3b:7e:b1:d7: + 64:82:0f:5a:b7:b4:0b:23:c4:66:16:ab:79:13:7e:4e:1c:2a: + 94:2d:19:10:3c:6d:2f:6c:fa:8c:7f:f2:b7:e3:59:e0:1d:23: + 01:ee:35:53:6a:64:80:4e:7c:33:d5:06:2f:cf:e1:39:45:b5: + b7:fc:ba:f0:21:f6:5a:89:a7:da:bc:98:9d:b2:d5:3c:63:51: + 01:7d:be:db:d7:d0:d0:47:a7:c3:29:71:66:07:b0:c2:26:a1: + 80:cb:c9:c6:7c:0c:5e:bc:d5:4a:2b:86:02:54:3c:50:34:6b: + c8:d3:35:df:20:a8:f7:31:ef:a1:bd:fa:69:f6:39:cd:53:c4: + 31:66:38:aa:86:58:27:c1:2c:6e:1a:68:e2:06:6f:36:f0:b5: + 5c:db:c2:ad:2d:a6:59:ab:07:e7:96:f9:f4:fd:a1:be:e8:7c: + 60:b6:e8:37:56:40:a9:eb:2e:16:b1:dc:8f:02:5e:83:ab:d9: + 14:c9:3b:a5:af:65:9a:49:38:86:4b:50:50:b0:16:d0:80:30: + 
0b:60:85:7a:ab:6f:7b:21:81:51:da:c5:68:27:0d:a8:a3:dc: + 20:30:c0:2f:91:22:b5:ea:5b:ce:08:91:b3:8b:f9:b5:65:a3: + de:15:ee:92:91:98:84:57:a7:18:a9:76:04:2c:ed:aa:a2:d0: + 91:76:60:5d:88:c8:23:d1:db:51:60:84:f7:70:ba:61:27:24: + ff:d2:3f:f4:cb:44:56:d4:63:22:37:0e:0a:80:81:ae:d3:de: + 42:83:d3:f7:44:09:42:cf:81:d9:a0:ee:cb:b8:e9:a8:da:59: + ca:1e:db:cf:94:68:5c:e5:28:3f:f7:3a:0c:7f:4d:13:2e:52: + ec:b1:37:94:62:69:ef:14:ac:84:60:9a:3c:a0:18:3c:27:40: + 86:a1:26:fa:eb:49:ab:a3:9f:7f:dd:5e:61:eb:e6:64:b2:9a: + 76:95:9d:17:e7:da:48:53:cb:d0:37:de:4c:f7:60:83:e1:c1: + dd:45:64:21:31:5a:93:b9:27:62:ff:f0:ef:70:06:47:22:ba: + 71:0d:98:df:cd:f6:cc:7a +-----BEGIN CERTIFICATE----- +MIIGejCCBGKgAwIBAgIQK0Gta14Fxp00d0nQ02/uozANBgkqhkiG9w0BAQsFADBI +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEnMCUGA1UEAxMeRmFrZSBS +b290IENBIGZvciB6bGludCB0ZXN0aW5nMB4XDTIyMDQyMzAwMDAwMFoXDTI3MDQy +MjAwMDAwMFowcDELMAkGA1UEBhMCWFgxEzARBgNVBAgTClNvbWUgU3RhdGUxFjAU +BgNVBAcTDVNvbWUgTG9jYWxpdHkxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMT +GUZha2UgQ0EgZm9yIHpsaW50IHRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQDSjy/D2+R8o9Hd30j4rHFeRPGBqnRIXbJJKwcb6gbiB8M4Kt/P +TANk6S/b9+iEZOp/jjPgb+imwxLb9kGfOPppOohLUst0IQBM4VrlsVvdj9c2Uktl +Z2kj4BSqC1vnr0bwAtSb8gibNIOhaT89Zi7MlHQGLmnOsL79cxXPQAJt67ch6V41 +t6z4kvA1zb+lEqTzb9w7DBB7cv0RInVBQXSKrbiwGrSYOB5pdsWv2Atv8kLo6n1r +cbVWQuXSZtUmYoHUQAMI3CME6a9pi4v0OEKWeltmDhKEnz4Z2r6ouI0pxeEvLeTm +O7iv4VihJx/7iuDMaM4mAFZLu+rmf3at2sGfMhTsf7iWs3qe/mmnTquJRM/N6s66 +NAiOt0oF5hFeDq/zphfIsnZAJW60or8vwYzOGYialCl7qdM5LdQV5clt7/eaxCEA +yExFlQQVrDqfdSPpRSj7UyQt3YC22iD7wq1jOX1RwM97NYmTSWUQONF2pQ6cr2pR +yPuno2WkKpgke+XvRglR+CbUwru6zJqLldsq3KVXfotyC1RM4mdIFWrsHPdDY7sk +vVufAixrmeqfHHkMGKg1cSbbRGi+RLTb3xDrNHoIeNQBG178qaGz/pG2mbR4GGnA +dWmRmED4VpUGZ2JWWLXInGzg6Hh2324GC+lX4a2U31WXzIXKL9iJykMo7wIDAQAB +o4IBNjCCATIwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSn1PbzWZPwjtmTYT98 +uqEepm4HwTAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEF 
+BQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9v +Y3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAb +BgNVHSAEFDASMAcGBSoDBQcJMAcGBSoEBggKMC0GA1UdHwQmMCQwIqAgoB6GHGh0 +dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggIBABkH +Nmjc4hayqsl3Mtae2ZjHN66x3cdGVUgJIFuVBLDAgChnQKq53iTGPtBd1GUaFwF9 +UbSeC4grl9p2n+OVgbHBNWEb0M6OvgUx4/5/B4aDKxCHsSNLhRk8baFngB4JF7RQ +FZtQbi+bO36x12SCD1q3tAsjxGYWq3kTfk4cKpQtGRA8bS9s+ox/8rfjWeAdIwHu +NVNqZIBOfDPVBi/P4TlFtbf8uvAh9lqJp9q8mJ2y1TxjUQF9vtvX0NBHp8MpcWYH +sMImoYDLycZ8DF681UorhgJUPFA0a8jTNd8gqPcx76G9+mn2Oc1TxDFmOKqGWCfB +LG4aaOIGbzbwtVzbwq0tplmrB+eW+fT9ob7ofGC26DdWQKnrLhax3I8CXoOr2RTJ +O6WvZZpJOIZLUFCwFtCAMAtghXqrb3shgVHaxWgnDaij3CAwwC+RIrXqW84IkbOL ++bVlo94V7pKRmIRXpxipdgQs7aqi0JF2YF2IyCPR21FghPdwumEnJP/SP/TLRFbU +YyI3DgqAga7T3kKD0/dECULPgdmg7su46ajaWcoe28+UaFzlKD/3Ogx/TRMuUuyx +N5Riae8UrIRgmjygGDwnQIahJvrrSaujn3/dXmHr5mSymnaVnRfn2khTy9A33kz3 +YIPhwd1FZCExWpO5J2L/8O9wBkciunENmN/N9sx6 +-----END CERTIFICATE----- diff --git a/v3/testdata/cacp_c1r0p1m1a0b0e1.pem b/v3/testdata/cacp_c1r0p1m1a0b0e1.pem new file mode 100644 index 000000000..f82c572d7 --- /dev/null +++ b/v3/testdata/cacp_c1r0p1m1a0b0e1.pem 
@@ -0,0 +1,143 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 7b:54:dc:f0:b1:6d:fb:dd:ad:8e:01:20:39:78:b0:28 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Sep 30 13:55:20 2024 GMT + Not After : Sep 29 13:55:20 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:df:5f:76:7e:1e:01:4d:2e:9d:33:99:52:78:9c: + e9:9a:03:ca:15:69:09:24:74:f1:6d:ce:7b:5f:e1: + db:8b:3e:c6:5a:72:d1:25:50:63:11:f9:2a:98:09: + 19:67:d1:12:97:b8:7c:a3:00:c4:32:fe:c8:9a:6e: + 96:1e:6d:93:fc:c1:35:6e:89:0d:fe:fd:d5:f4:cb: + f5:ca:40:0f:ff:fc:b0:85:a2:37:b7:cc:a2:86:8d: + 25:40:33:a8:8c:24:01:5d:ed:60:6b:05:32:df:cb: + 29:e5:55:73:50:3d:15:94:3d:3f:4e:4b:01:7d:3b: + 39:dd:2d:2e:9e:0a:03:57:b7:a4:c9:15:8d:63:16: + 46:72:62:8a:6e:ed:ea:8f:5c:15:25:3e:81:fc:0d: + 5e:dd:36:f3:db:96:46:03:b1:93:08:62:48:5d:f2: + 32:75:f2:45:89:36:01:70:9f:74:b4:2b:22:b8:d6: + 93:41:78:37:21:3c:6f:87:b9:ec:9e:d1:0d:61:bc: + c9:f1:fa:4c:fd:cd:30:6f:ac:31:13:eb:14:a6:e7: + 87:48:2e:55:13:f0:12:27:ec:a4:44:46:65:ca:07: + f4:a2:59:4b:63:d6:58:a7:ee:dc:3d:62:c6:31:19: + 9c:9e:20:f2:20:94:23:1d:a5:5c:8e:e4:81:f7:d5: + 1d:5e:6e:85:af:3e:e5:c2:24:9d:31:9a:5a:a0:43: + d5:5a:73:e0:ed:98:f0:df:ab:4f:ce:0a:1a:48:f6: + 0e:61:98:5f:13:8a:25:13:8e:ee:7c:dd:2f:d7:11: + a5:b8:18:13:52:d8:21:06:85:9c:46:9a:c9:c2:ec: + 40:ef:d1:ad:17:89:26:88:6e:2f:1f:00:1f:a5:e4: + 8c:ba:be:fd:10:c9:94:ea:fa:85:2f:eb:21:57:f1: + ba:8a:5f:be:29:eb:5c:dd:bd:a6:48:f9:59:1a:4d: + c6:12:0f:7a:4e:5f:14:7b:1f:6a:80:29:ca:34:19: + b7:a1:90:2e:33:95:6d:a6:48:06:57:ea:72:fa:39: + 97:8a:7d:a8:f2:e1:7b:ac:c1:78:7b:76:21:a9:9d: + ea:73:82:06:ae:23:4f:13:1d:cf:cb:c6:78:94:f4: + b2:cf:bc:b1:a1:62:91:27:9e:88:d3:a4:fe:44:7e: + 2a:0d:4e:68:c5:54:2d:01:d3:bf:14:62:0d:54:22: + 
54:76:e9:04:e6:a4:6b:80:28:c1:cd:0e:8b:3a:9e: + 9b:6e:9a:a4:ce:27:e6:06:d5:bb:36:0f:a4:fd:a7: + 08:8a:69:14:7b:2b:a8:54:64:d5:72:84:8e:ee:4f: + b6:58:c1:5f:e6:b1:94:a9:57:21:f9:97:2c:d8:38: + 6d:ca:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 0F:AE:FB:36:D7:76:1A:1C:5C:3F:E0:40:A3:37:37:E7:E1:1B:10:4E + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: 1.2.3.5.7.9 + Policy: 1.2.4.6.8.10 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + dc:e8:bc:8e:47:0e:ad:42:4f:63:1d:79:35:03:19:95:59:21: + 63:fc:5e:a9:97:65:c5:ab:67:fa:d0:4a:51:63:25:d8:fb:3f: + 6d:31:64:50:0a:1c:6f:33:55:94:18:27:2b:ea:24:a7:4b:c3: + e8:6c:47:1d:c9:44:5e:96:e5:c3:e2:71:0b:29:09:20:a2:a1: + c7:79:4a:99:2d:39:97:61:ec:c8:30:94:08:19:b0:7c:3b:36: + a9:ca:05:aa:ea:9a:c1:08:58:38:0c:3f:b4:a3:99:8c:cd:d1: + 16:d6:d7:44:b5:87:f5:4e:bc:cb:82:47:1a:62:11:2f:0b:4d: + 20:93:6d:0c:15:51:f9:3e:fb:d9:35:66:66:e0:63:c3:27:fe: + e0:c1:dd:6a:5e:3b:d4:2e:4f:99:13:4b:82:f5:1a:f7:df:a8: + bc:af:5d:ca:1e:fa:fc:7f:15:52:a9:a9:f4:d0:4d:8a:dc:72: + 2b:c2:59:b6:97:28:22:68:ea:75:c0:6b:ed:22:4f:c5:49:fc: + 73:b1:e3:18:af:f0:37:94:af:9c:33:af:cf:c4:2c:ff:d5:30: + 4b:c8:e0:ba:a8:bf:75:1a:ed:e1:e5:b4:d0:1c:de:b3:cf:97: + eb:02:f6:a9:a3:72:27:00:59:b4:d3:4e:6b:c9:bc:c7:e1:d8: + d0:41:3e:0e:1f:d1:30:f1:8d:d1:f8:ad:f4:b6:e4:04:bf:49: + bb:d1:5c:54:d9:6a:1d:9b:f7:f8:ce:61:33:68:7e:14:67:a4: + 86:bc:5e:4d:0c:74:89:27:45:c1:ad:2f:b6:c9:de:cc:08:a2: + 
33:c9:f5:ea:4a:33:52:52:ba:01:a3:67:1a:31:d0:c8:b0:56: + 61:eb:c0:25:71:6f:f9:1b:34:e8:d5:78:6f:6d:5e:c5:cf:39: + ac:e8:66:ca:6a:22:dc:6e:30:a8:85:9e:ef:4b:b7:3d:1e:26: + 0b:7c:54:3f:e5:29:d8:25:1d:5b:d1:0c:3a:70:88:05:3c:79: + 54:34:ca:28:f2:d6:a6:81:96:79:11:7a:90:5d:d9:d1:ca:f8: + 4c:66:b4:f2:45:de:1e:98:a6:17:8b:3e:6f:86:4e:ae:29:43: + cb:8d:4e:56:6b:7f:bb:0d:c8:09:c3:93:e3:2b:a5:21:ed:d3: + 34:a5:d6:5f:6d:4c:1a:a5:4b:12:74:36:87:56:d3:24:31:4c: + 77:68:90:46:ac:de:09:a3:08:3c:50:67:8b:58:31:12:68:48: + 53:de:dd:fd:13:c6:20:91:31:10:87:bf:9b:c3:24:d6:e0:39: + 58:1f:04:1f:1d:31:7e:c8:a8:49:e8:3e:0f:f6:a2:75:04:81: + 40:2b:7c:95:33:ab:a8:9a +-----BEGIN CERTIFICATE----- +MIIGejCCBGKgAwIBAgIQe1Tc8LFt+92tjgEgOXiwKDANBgkqhkiG9w0BAQsFADBI +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEnMCUGA1UEAxMeRmFrZSBS +b290IENBIGZvciB6bGludCB0ZXN0aW5nMB4XDTI0MDkzMDEzNTUyMFoXDTI5MDky +OTEzNTUyMFowcDELMAkGA1UEBhMCWFgxEzARBgNVBAgTClNvbWUgU3RhdGUxFjAU +BgNVBAcTDVNvbWUgTG9jYWxpdHkxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMT +GUZha2UgQ0EgZm9yIHpsaW50IHRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQDfX3Z+HgFNLp0zmVJ4nOmaA8oVaQkkdPFtzntf4duLPsZactEl +UGMR+SqYCRln0RKXuHyjAMQy/siabpYebZP8wTVuiQ3+/dX0y/XKQA///LCFoje3 +zKKGjSVAM6iMJAFd7WBrBTLfyynlVXNQPRWUPT9OSwF9OzndLS6eCgNXt6TJFY1j +FkZyYopu7eqPXBUlPoH8DV7dNvPblkYDsZMIYkhd8jJ18kWJNgFwn3S0KyK41pNB +eDchPG+Hueye0Q1hvMnx+kz9zTBvrDET6xSm54dILlUT8BIn7KRERmXKB/SiWUtj +1lin7tw9YsYxGZyeIPIglCMdpVyO5IH31R1eboWvPuXCJJ0xmlqgQ9Vac+DtmPDf +q0/OChpI9g5hmF8TiiUTju583S/XEaW4GBNS2CEGhZxGmsnC7EDv0a0XiSaIbi8f +AB+l5Iy6vv0QyZTq+oUv6yFX8bqKX74p61zdvaZI+VkaTcYSD3pOXxR7H2qAKco0 +GbehkC4zlW2mSAZX6nL6OZeKfajy4XuswXh7diGpnepzggauI08THc/LxniU9LLP +vLGhYpEnnojTpP5EfioNTmjFVC0B078UYg1UIlR26QTmpGuAKMHNDos6nptumqTO +J+YG1bs2D6T9pwiKaRR7K6hUZNVyhI7uT7ZYwV/msZSpVyH5lyzYOG3KmQIDAQAB +o4IBNjCCATIwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQPrvs213YaHFw/4ECj +Nzfn4RsQTjAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEF 
+BQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9v +Y3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAb +BgNVHSAEFDASMAcGBSoDBQcJMAcGBSoEBggKMC0GA1UdHwQmMCQwIqAgoB6GHGh0 +dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggIBANzo +vI5HDq1CT2MdeTUDGZVZIWP8XqmXZcWrZ/rQSlFjJdj7P20xZFAKHG8zVZQYJyvq +JKdLw+hsRx3JRF6W5cPicQspCSCiocd5SpktOZdh7MgwlAgZsHw7NqnKBarqmsEI +WDgMP7SjmYzN0RbW10S1h/VOvMuCRxpiES8LTSCTbQwVUfk++9k1ZmbgY8Mn/uDB +3WpeO9QuT5kTS4L1GvffqLyvXcoe+vx/FVKpqfTQTYrccivCWbaXKCJo6nXAa+0i +T8VJ/HOx4xiv8DeUr5wzr8/ELP/VMEvI4Lqov3Ua7eHltNAc3rPPl+sC9qmjcicA +WbTTTmvJvMfh2NBBPg4f0TDxjdH4rfS25AS/SbvRXFTZah2b9/jOYTNofhRnpIa8 +Xk0MdIknRcGtL7bJ3swIojPJ9epKM1JSugGjZxox0MiwVmHrwCVxb/kbNOjVeG9t +XsXPOazoZspqItxuMKiFnu9Ltz0eJgt8VD/lKdglHVvRDDpwiAU8eVQ0yijy1qaB +lnkRepBd2dHK+ExmtPJF3h6YpheLPm+GTq4pQ8uNTlZrf7sNyAnDk+MrpSHt0zSl +1l9tTBqlSxJ0NodW0yQxTHdokEas3gmjCDxQZ4tYMRJoSFPe3f0TxiCRMRCHv5vD +JNbgOVgfBB8dMX7IqEnoPg/2onUEgUArfJUzq6ia +-----END CERTIFICATE----- diff --git a/v3/testdata/cacp_c1r0p1m1a0b1e1.pem b/v3/testdata/cacp_c1r0p1m1a0b1e1.pem new file mode 100644 index 000000000..33f03d0bb --- /dev/null +++ b/v3/testdata/cacp_c1r0p1m1a0b1e1.pem 
@@ -0,0 +1,143 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + b4:97:0d:61:9a:13:fc:5a:83:9b:1b:bc:45:1d:7c:75 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Sep 30 13:57:08 2024 GMT + Not After : Sep 29 13:57:08 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:e7:8d:f6:59:af:0a:7e:d0:fc:19:c4:0c:23:a0: + fd:23:b6:b9:f0:a5:a0:df:54:ea:7b:2f:2f:4b:12: + 60:82:c0:53:d8:57:5e:07:19:22:18:74:0f:8e:0e: + 7f:f2:f5:55:1b:86:47:73:c7:00:3a:0a:b2:4a:b4: + bf:bf:1f:8a:1b:ce:00:30:08:07:e7:8c:47:34:42: + 3d:6f:3f:a0:b5:f0:a7:15:5f:5f:5b:81:5c:7e:f8: + f3:85:d5:8e:e8:e9:29:6d:40:71:37:86:60:89:38: + 93:31:1f:22:4d:0a:93:57:c5:40:8e:09:63:ea:28: + 36:b2:17:5f:8f:8f:03:bf:8b:3f:01:14:7c:f4:f3: + dd:63:72:aa:a5:c0:ac:c7:d9:88:7e:b9:2f:50:0a: + e2:c7:36:ca:46:c0:8a:18:dd:e6:75:07:61:b7:5b: + 2d:4a:2e:50:5a:b9:7c:bc:df:b0:0b:ea:34:2d:e8: + 6b:bc:49:5a:d2:5d:c4:b2:f9:3d:7a:cb:11:10:14: + 94:7f:5a:31:72:cb:98:e2:d0:fe:49:4c:b6:df:1a: + a6:73:3c:03:83:99:bc:e2:74:57:a2:62:ff:6c:25: + 88:4e:ff:6d:32:48:78:12:af:b2:8c:1f:33:90:85: + d5:5a:0a:91:61:66:ac:81:af:bc:e5:a3:ee:c6:d7: + c6:4c:1b:28:3b:0f:d5:71:ba:f2:bf:f7:9d:c8:e2: + 5e:7e:24:3a:8f:e2:24:41:32:27:f0:00:e1:14:6b: + 26:3c:48:8c:d1:21:5d:99:61:c2:d5:eb:5d:ca:04: + 34:e5:d8:33:ee:e6:59:d6:07:90:3f:40:fe:e0:1e: + 45:27:cc:5a:93:4e:05:e0:9f:c1:11:c6:35:f5:a2: + 6d:06:79:6a:80:7e:3a:a3:fd:9e:8f:fd:6c:6e:50: + b5:36:a0:52:6f:00:7d:66:e0:e2:61:bd:c1:5b:27: + e5:9b:6a:f2:94:f4:31:59:57:03:4f:b5:9e:b1:34: + 9b:35:c9:1f:15:1f:ec:d4:51:8b:aa:67:8e:69:3e: + 3f:13:e5:75:f8:90:30:5a:80:3c:64:15:59:5d:91: + 9e:88:5e:18:13:91:8c:94:61:60:7b:8f:6f:4d:cd: + e8:0e:aa:57:e4:30:54:87:b0:f1:a3:29:a9:d5:fc: + 91:33:07:78:d9:af:73:3f:86:18:37:3c:cd:25:03: + 
79:08:49:1b:ff:fc:20:f5:d1:a4:0d:dd:b8:b8:a4: + 3a:f8:7c:9e:be:42:7a:18:dd:2e:b6:10:a6:2e:b3: + b5:a1:21:dd:92:9d:58:cd:4d:74:fe:fe:d0:7f:a1: + df:23:58:14:10:2b:88:ce:84:77:71:26:05:14:fd: + 08:07:4d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + B3:6F:1F:4D:69:41:EA:58:01:8B:08:59:16:AA:58:DA:28:A7:16:AD + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: 1.2.3.5.7.9 + Policy: 2.23.140.1.2.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 9a:ef:87:4b:ba:10:41:cd:95:af:c8:50:34:34:01:01:05:24: + d7:c6:2c:f2:f4:fa:9b:8e:3c:a7:fd:75:69:30:f2:b4:60:18: + a3:24:08:11:7e:a3:c6:ac:a4:4b:e1:97:1d:cf:a3:f4:50:cc: + e1:63:2e:64:50:31:a4:a0:7a:ac:7f:e6:5f:10:54:29:c1:b5: + d5:31:cf:0f:e0:a9:84:14:2f:5d:a5:45:00:14:87:3f:1a:ee: + 8f:d0:5d:ad:12:78:49:59:20:df:f8:79:51:cf:1f:72:99:ba: + d1:e9:2d:4f:5e:08:fa:f3:b4:b3:07:aa:5a:2d:86:a8:a6:11: + ba:0e:84:31:41:bd:b6:ee:3e:44:24:6a:b0:2f:29:d6:fb:1a: + 21:fd:e4:b9:35:5d:35:c0:33:a1:fe:60:9f:ea:78:9a:94:6f: + e6:d7:7f:ad:ac:e9:76:4f:8f:78:5b:2a:3e:95:e3:a2:9f:89: + a4:17:2d:1c:ba:39:06:e0:f1:78:45:bf:ab:d7:e4:be:b4:b1: + 79:a1:c2:62:65:c2:c4:f5:78:9b:ec:4f:b6:c9:09:cd:73:e4: + 58:29:be:4e:f9:db:ea:88:22:66:5b:e0:42:4c:6e:0b:33:32: + 28:93:a0:e5:c1:0d:59:76:e0:2c:42:61:a5:e5:16:17:64:56: + 89:42:fe:52:d8:bf:f8:40:45:5d:f0:48:cd:8c:ed:ec:94:e6: + 14:6a:0f:a1:0e:70:7d:8e:cc:47:a1:61:b4:4a:40:8d:07:47: + b8:f3:89:e4:7c:88:6b:90:b1:13:aa:11:d3:f0:3c:f8:9d:84: + 
ca:0c:06:87:ac:28:d2:5c:15:c4:4d:53:3a:b0:df:ca:80:2e: + 4f:ed:a8:2f:ea:b0:3b:1b:32:04:09:84:6e:d9:87:e6:7d:2d: + d9:56:9d:59:e5:c3:92:7a:30:16:fc:da:ce:76:16:40:67:e0: + b7:36:41:c8:a0:f5:08:60:d9:98:9e:c2:5d:f2:7c:71:98:6c: + ea:e5:9c:65:9b:22:bb:74:07:d9:6a:ce:b1:96:ac:e2:56:90: + f6:91:fa:a8:3f:49:b4:a0:6f:20:23:74:db:64:e4:9d:7a:3a: + eb:12:ab:5a:e1:e3:b8:e1:93:4b:4d:23:cc:21:31:e1:98:ce: + 48:98:06:00:0f:51:26:99:5e:81:ac:7b:e0:82:6e:2b:aa:44: + 49:c3:66:52:df:e4:ab:8b:5d:fa:4d:a1:84:cf:76:c3:94:e7: + 9c:0e:a1:67:93:b4:88:83:58:98:a6:95:22:9b:92:25:4b:93: + 70:f5:6a:57:71:bd:75:a8:77:ac:c2:6b:3a:07:8f:16:9b:1d: + 3b:a6:93:5e:d6:a9:4b:12 +-----BEGIN CERTIFICATE----- +MIIGfDCCBGSgAwIBAgIRALSXDWGaE/xag5sbvEUdfHUwDQYJKoZIhvcNAQELBQAw +SDELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExJzAlBgNVBAMTHkZha2Ug +Um9vdCBDQSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA5MzAxMzU3MDhaFw0yOTA5 +MjkxMzU3MDhaMHAxCzAJBgNVBAYTAlhYMRMwEQYDVQQIEwpTb21lIFN0YXRlMRYw +FAYDVQQHEw1Tb21lIExvY2FsaXR5MRAwDgYDVQQKEwdTb21lIENBMSIwIAYDVQQD +ExlGYWtlIENBIGZvciB6bGludCB0ZXN0aW5nMIICIjANBgkqhkiG9w0BAQEFAAOC +Ag8AMIICCgKCAgEA5432Wa8KftD8GcQMI6D9I7a58KWg31Tqey8vSxJggsBT2Fde +BxkiGHQPjg5/8vVVG4ZHc8cAOgqySrS/vx+KG84AMAgH54xHNEI9bz+gtfCnFV9f +W4FcfvjzhdWO6OkpbUBxN4ZgiTiTMR8iTQqTV8VAjglj6ig2shdfj48Dv4s/ARR8 +9PPdY3KqpcCsx9mIfrkvUArixzbKRsCKGN3mdQdht1stSi5QWrl8vN+wC+o0Lehr +vEla0l3Esvk9essREBSUf1oxcsuY4tD+SUy23xqmczwDg5m84nRXomL/bCWITv9t +Mkh4Eq+yjB8zkIXVWgqRYWasga+85aPuxtfGTBsoOw/Vcbryv/edyOJefiQ6j+Ik +QTIn8ADhFGsmPEiM0SFdmWHC1etdygQ05dgz7uZZ1geQP0D+4B5FJ8xak04F4J/B +EcY19aJtBnlqgH46o/2ej/1sblC1NqBSbwB9ZuDiYb3BWyflm2rylPQxWVcDT7We +sTSbNckfFR/s1FGLqmeOaT4/E+V1+JAwWoA8ZBVZXZGeiF4YE5GMlGFge49vTc3o +DqpX5DBUh7Dxoymp1fyRMwd42a9zP4YYNzzNJQN5CEkb//wg9dGkDd24uKQ6+Hye +vkJ6GN0uthCmLrO1oSHdkp1YzU10/v7Qf6HfI1gUECuIzoR3cSYFFP0IB00CAwEA +AaOCATcwggEzMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDAgYI +KwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUs28fTWlB6lgBiwhZ +FqpY2iinFq0wHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYIKwYB 
+BQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20v +b2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jvb3Qw +HAYDVR0gBBUwEzAHBgUqAwUHCTAIBgZngQwBAgEwLQYDVR0fBCYwJDAioCCgHoYc +aHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAgEA +mu+HS7oQQc2Vr8hQNDQBAQUk18Ys8vT6m448p/11aTDytGAYoyQIEX6jxqykS+GX +Hc+j9FDM4WMuZFAxpKB6rH/mXxBUKcG11THPD+CphBQvXaVFABSHPxruj9BdrRJ4 +SVkg3/h5Uc8fcpm60ektT14I+vO0sweqWi2GqKYRug6EMUG9tu4+RCRqsC8p1vsa +If3kuTVdNcAzof5gn+p4mpRv5td/razpdk+PeFsqPpXjop+JpBctHLo5BuDxeEW/ +q9fkvrSxeaHCYmXCxPV4m+xPtskJzXPkWCm+Tvnb6ogiZlvgQkxuCzMyKJOg5cEN +WXbgLEJhpeUWF2RWiUL+Uti/+EBFXfBIzYzt7JTmFGoPoQ5wfY7MR6FhtEpAjQdH +uPOJ5HyIa5CxE6oR0/A8+J2EygwGh6wo0lwVxE1TOrDfyoAuT+2oL+qwOxsyBAmE +btmH5n0t2VadWeXDknowFvzaznYWQGfgtzZByKD1CGDZmJ7CXfJ8cZhs6uWcZZsi +u3QH2WrOsZas4laQ9pH6qD9JtKBvICN022TknXo66xKrWuHjuOGTS00jzCEx4ZjO +SJgGAA9RJplegax74IJuK6pEScNmUt/kq4td+k2hhM92w5TnnA6hZ5O0iINYmKaV +IpuSJUuTcPVqV3G9dah3rMJrOgePFpsdO6aTXtapSxI= +-----END CERTIFICATE----- diff --git a/v3/testdata/cacp_c1r0p1m1a1b0e0.pem b/v3/testdata/cacp_c1r0p1m1a1b0e0.pem new file mode 100644 index 000000000..1e54c2d8a --- /dev/null +++ b/v3/testdata/cacp_c1r0p1m1a1b0e0.pem 
@@ -0,0 +1,143 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + e2:6e:ba:43:96:62:04:5e:53:09:a6:e3:34:69:e2:0d + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Sep 30 13:45:44 2024 GMT + Not After : Sep 29 13:45:44 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:b2:e9:50:c1:0f:64:2e:88:9f:bb:6c:f2:27:ac: + a7:c0:5b:cd:09:9b:c9:fa:03:ef:a3:dc:27:a7:b4: + cf:26:69:eb:bc:1f:b8:86:2e:cb:c7:6a:d1:ad:3d: + 88:c5:2f:d1:10:9a:fd:37:a1:24:79:ab:fc:10:a9: + 69:b3:fc:44:11:8a:56:36:0e:4c:2c:a4:3f:49:bd: + 3d:14:95:bf:df:6e:80:ea:d0:48:03:f5:e3:8e:90: + 3a:8d:00:1b:9a:71:03:ba:2f:6a:1e:09:f6:30:7b: + 1b:c8:56:bb:1c:04:f1:72:59:1b:8d:24:e2:e3:33: + e0:bd:62:6f:ed:74:79:2d:e7:dd:fb:71:07:30:4c: + 25:fb:b1:24:e2:3e:cd:78:32:68:8c:f5:e4:99:25: + be:fa:2f:ba:a8:bf:9c:f4:2e:eb:57:be:ba:58:ef: + f6:fd:0b:2e:03:40:55:49:c1:0a:32:5f:f9:60:90: + 52:25:51:2f:2c:7c:bb:23:6d:14:72:d7:4a:42:7f: + 81:00:58:3b:ab:04:9a:5f:2c:cb:a9:d1:95:42:1b: + 0d:71:dc:d2:b5:21:e8:ac:5a:86:dc:48:68:01:ee: + 7b:28:e6:2d:73:85:83:8d:5c:42:09:b8:11:e2:1a: + 53:54:57:58:cf:3a:3f:fb:5d:d2:c5:59:94:dd:b7: + 5d:a8:ff:b0:e7:e0:a3:54:c6:e7:f7:9f:df:c4:aa: + 5c:71:5a:2a:10:df:cd:7d:bd:70:8e:0b:0d:d3:14: + 4a:ab:7a:00:ee:b3:75:88:78:7a:4e:86:4c:ac:f0: + 54:d4:05:a4:03:53:e9:a5:09:55:a6:76:9f:8d:96: + a3:9a:4f:dd:58:45:95:4b:e1:48:5f:fb:9d:87:41: + 24:e5:d5:17:ac:c6:68:d0:74:4c:b2:e7:86:eb:30: + 83:54:36:88:f1:f4:d7:f5:48:40:39:4c:31:76:0d: + 2e:19:38:a5:fa:54:d8:93:a0:86:e5:5c:e9:64:99: + 2f:2f:3c:ee:4e:67:bd:59:fe:9b:ce:3d:4d:34:4d: + d8:76:23:06:dd:56:84:40:25:8c:52:ab:c4:e3:d4: + 2d:4e:46:1e:b3:23:78:9a:c8:79:fe:6d:b0:63:6c: + 63:1b:08:50:82:38:d7:0a:d2:12:f0:46:64:32:f5: + 29:7a:3a:77:dc:91:3e:8f:60:2d:2e:f6:92:f9:02: + 
91:e7:a7:e2:06:dc:af:3a:26:4c:d9:ef:32:8f:22: + ef:3c:75:f5:90:3d:01:91:13:29:f2:01:4d:6a:f6: + 8a:a5:5b:7d:f8:aa:bf:31:74:56:cf:b1:0d:eb:3e: + d3:9a:1d:ff:96:b5:ff:6d:e3:64:0d:5b:dc:ff:1d: + 25:94:7d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + FC:93:E4:46:9E:96:CF:F1:DB:11:44:B7:83:AE:59:44:A5:D4:D9:D0 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + Policy: X509v3 Any Policy + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 6b:14:20:11:e4:cd:4a:49:9b:14:a2:c8:b6:6e:48:8c:e0:ec: + 00:f9:fa:5e:e1:24:df:3f:6d:17:d0:ab:bd:af:2b:95:1e:c2: + 8b:8a:42:73:81:2b:2b:4d:08:5f:c2:e2:f5:f6:74:12:6b:9b: + 74:c1:8a:33:f1:69:9a:ff:16:8a:58:9b:01:52:f8:da:cc:5f: + 15:3a:26:46:70:d1:c6:39:92:11:17:60:12:76:e1:c8:53:fe: + c2:b0:37:28:ab:e2:4d:c5:71:41:5a:dd:1a:06:c9:fd:58:50: + 1e:0e:aa:9a:e8:e6:c8:30:90:51:cb:f8:41:42:62:c2:f2:f7: + 1d:5a:7f:4c:71:a2:7c:6f:9c:ab:c6:24:99:77:b6:0f:b2:76: + 90:97:e8:06:fa:bc:e2:1a:15:a0:d3:0b:c9:11:21:11:dc:e7: + 9e:8f:27:a4:2e:0c:c2:04:ff:e1:f6:fb:5e:14:d4:2f:14:68: + b8:a5:14:73:31:04:42:94:86:5a:bf:c8:bd:28:0b:0b:bc:d6: + 9d:f5:6c:7f:97:2e:4a:85:35:b9:b4:8d:11:bf:2a:30:e6:da: + 98:21:a0:3f:32:f0:11:d4:6e:24:86:93:db:cf:93:1a:73:4e: + 64:6a:cb:d9:d6:37:34:d1:7d:9d:df:6e:4c:f6:4a:56:04:3a: + ed:6d:8e:60:a3:4e:ad:fb:98:a3:9f:bd:35:7c:b0:67:49:c0: + f2:30:73:51:94:d7:80:3f:ba:db:f0:31:32:d9:94:37:f8:cc: + ab:af:3d:ad:9b:bc:a8:18:5f:40:3a:74:1f:bd:2e:17:d6:57: + 
33:ce:22:3d:18:25:0f:d6:19:f5:cc:11:2b:5c:55:98:76:96: + 20:a3:eb:8c:ff:9d:c6:01:70:3f:8b:ff:a6:1c:c9:b8:24:1a: + d1:fe:1f:ec:40:a4:f3:a4:8d:5e:f8:2e:ac:ce:73:b0:f6:fb: + 27:59:31:73:11:d8:69:df:b6:2d:81:1a:89:c1:b3:fa:b1:fa: + bf:a7:c4:ed:f0:cf:85:2b:26:ca:08:a9:2d:93:36:49:5a:5e: + 39:0e:70:e9:18:80:60:d1:82:8c:83:79:3d:39:24:32:c4:f2: + 65:fd:06:61:43:c8:f6:9f:9a:46:10:9a:17:00:91:aa:0f:e7: + ab:04:e1:8d:2b:66:04:5b:6e:96:fe:63:6a:32:08:c0:78:3f: + 8f:95:a4:5c:3b:24:c7:37:1b:db:ee:35:36:fd:56:49:9c:0b: + 34:94:a3:52:13:30:ec:ec:58:95:95:cd:35:b7:f8:dd:75:93: + 43:4f:55:71:79:88:2d:56:72:5e:bc:2d:31:9f:ab:b1:4c:3f: + 21:24:45:e9:0f:ec:97:2b +-----BEGIN CERTIFICATE----- +MIIGezCCBGOgAwIBAgIRAOJuukOWYgReUwmm4zRp4g0wDQYJKoZIhvcNAQELBQAw +SDELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExJzAlBgNVBAMTHkZha2Ug +Um9vdCBDQSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA5MzAxMzQ1NDRaFw0yOTA5 +MjkxMzQ1NDRaMHAxCzAJBgNVBAYTAlhYMRMwEQYDVQQIEwpTb21lIFN0YXRlMRYw +FAYDVQQHEw1Tb21lIExvY2FsaXR5MRAwDgYDVQQKEwdTb21lIENBMSIwIAYDVQQD +ExlGYWtlIENBIGZvciB6bGludCB0ZXN0aW5nMIICIjANBgkqhkiG9w0BAQEFAAOC +Ag8AMIICCgKCAgEAsulQwQ9kLoifu2zyJ6ynwFvNCZvJ+gPvo9wnp7TPJmnrvB+4 +hi7Lx2rRrT2IxS/REJr9N6Ekeav8EKlps/xEEYpWNg5MLKQ/Sb09FJW/326A6tBI +A/XjjpA6jQAbmnEDui9qHgn2MHsbyFa7HATxclkbjSTi4zPgvWJv7XR5Lefd+3EH +MEwl+7Ek4j7NeDJojPXkmSW++i+6qL+c9C7rV766WO/2/QsuA0BVScEKMl/5YJBS +JVEvLHy7I20UctdKQn+BAFg7qwSaXyzLqdGVQhsNcdzStSHorFqG3EhoAe57KOYt +c4WDjVxCCbgR4hpTVFdYzzo/+13SxVmU3bddqP+w5+CjVMbn95/fxKpccVoqEN/N +fb1wjgsN0xRKq3oA7rN1iHh6ToZMrPBU1AWkA1PppQlVpnafjZajmk/dWEWVS+FI +X/udh0Ek5dUXrMZo0HRMsueG6zCDVDaI8fTX9UhAOUwxdg0uGTil+lTYk6CG5Vzp +ZJkvLzzuTme9Wf6bzj1NNE3YdiMG3VaEQCWMUqvE49QtTkYesyN4msh5/m2wY2xj +GwhQgjjXCtIS8EZkMvUpejp33JE+j2AtLvaS+QKR56fiBtyvOiZM2e8yjyLvPHX1 +kD0BkRMp8gFNavaKpVt9+Kq/MXRWz7EN6z7Tmh3/lrX/beNkDVvc/x0llH0CAwEA +AaOCATYwggEyMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDAgYI +KwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU/JPkRp6Wz/HbEUS3 +g65ZRKXU2dAwHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYIKwYB 
+BQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20v +b2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jvb3Qw +GwYDVR0gBBQwEjAIBgZngQwBAgEwBgYEVR0gADAtBgNVHR8EJjAkMCKgIKAehhxo +dHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMA0GCSqGSIb3DQEBCwUAA4ICAQBr +FCAR5M1KSZsUosi2bkiM4OwA+fpe4STfP20X0Ku9ryuVHsKLikJzgSsrTQhfwuL1 +9nQSa5t0wYoz8Wma/xaKWJsBUvjazF8VOiZGcNHGOZIRF2ASduHIU/7CsDcoq+JN +xXFBWt0aBsn9WFAeDqqa6ObIMJBRy/hBQmLC8vcdWn9McaJ8b5yrxiSZd7YPsnaQ +l+gG+rziGhWg0wvJESER3OeejyekLgzCBP/h9vteFNQvFGi4pRRzMQRClIZav8i9 +KAsLvNad9Wx/ly5KhTW5tI0Rvyow5tqYIaA/MvAR1G4khpPbz5Mac05kasvZ1jc0 +0X2d325M9kpWBDrtbY5go06t+5ijn701fLBnScDyMHNRlNeAP7rb8DEy2ZQ3+Myr +rz2tm7yoGF9AOnQfvS4X1lczziI9GCUP1hn1zBErXFWYdpYgo+uM/53GAXA/i/+m +HMm4JBrR/h/sQKTzpI1e+C6sznOw9vsnWTFzEdhp37YtgRqJwbP6sfq/p8Tt8M+F +KybKCKktkzZJWl45DnDpGIBg0YKMg3k9OSQyxPJl/QZhQ8j2n5pGEJoXAJGqD+er +BOGNK2YEW26W/mNqMgjAeD+PlaRcOyTHNxvb7jU2/VZJnAs0lKNSEzDs7FiVlc01 +t/jddZNDT1VxeYgtVnJevC0xn6uxTD8hJEXpD+yXKw== +-----END CERTIFICATE----- diff --git a/v3/testdata/cacp_c1r1p0m0a0b0e0.pem b/v3/testdata/cacp_c1r1p0m0a0b0e0.pem new file mode 100644 index 000000000..dba601bc4 --- /dev/null +++ b/v3/testdata/cacp_c1r1p0m0a0b0e0.pem 
@@ -0,0 +1,121 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 9e:a6:38:c0:1a:41:85:e4:89:20:79:e3:dc:f7:3d:38 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, ST = Some State, L = Some Locality, O = Some Organization, CN = Fake Root CA for zlint testing + Validity + Not Before: Sep 30 13:27:41 2024 GMT + Not After : Sep 29 13:27:41 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some Organization, CN = Fake Root CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:ce:0d:54:05:87:4b:a8:c4:af:4c:f6:a8:7b:ba: + 41:2e:8f:25:55:84:f9:a5:7a:ad:ee:72:74:20:36: + 30:21:a0:08:1e:07:fc:9c:b7:ca:50:00:2a:b7:b0: + 0c:a3:98:45:5a:a0:0f:b1:0b:99:d1:62:7d:0f:b5: + 38:b8:9f:5e:9c:8f:35:a9:bc:c8:04:0b:ab:b9:12: + 7d:ea:b9:7d:3f:09:e6:a9:1e:d8:9f:ff:0e:92:39: + dc:94:51:07:2c:cc:8c:e4:7a:e9:cb:c8:3d:86:15: + fe:e3:1b:66:c5:48:8a:06:9b:e6:aa:7d:ff:30:26: + 05:97:f1:28:26:63:da:31:7e:c3:4f:c4:6f:6c:66: + 0d:ac:5b:93:59:1c:53:b1:8a:29:47:a9:9f:e5:e9: + a4:e2:f7:2d:e7:38:18:6e:8a:ae:77:1b:29:50:31: + 58:e6:09:42:ba:3c:f1:66:7a:ef:33:1b:94:22:8f: + 17:ea:1b:b1:c6:5f:e3:4b:e0:19:76:6a:dd:82:a8: + a7:91:a1:96:54:fa:2a:13:95:f5:7c:3e:91:37:03: + 4d:16:1e:bc:b9:ab:f2:3d:c0:66:be:fe:34:57:dd: + 69:78:e9:38:de:d3:b3:56:7b:e8:c2:49:f9:ef:3f: + 7c:19:3a:43:cc:3a:f5:2c:ca:d3:a7:f4:3d:55:09: + 90:81:43:0f:9a:e5:72:53:6f:5c:70:08:db:39:d5: + 29:f2:27:1e:6f:36:94:e3:72:b6:1d:25:7b:1c:04: + 45:79:9e:c8:68:50:3d:eb:a8:3f:6b:9b:94:2c:db: + ff:6a:2f:6e:75:a4:b0:14:a2:cd:1f:f4:44:bc:9c: + 2b:a2:6f:91:5f:90:6d:64:87:eb:ee:c4:f1:4c:c9: + bd:40:d2:05:ca:66:71:2e:84:11:5e:f1:ea:7f:d0: + 08:91:e8:36:2b:1c:e1:e6:41:3b:95:2f:b5:a1:4b: + 71:aa:2d:c7:0e:bd:05:a4:2b:9a:ec:ea:7f:59:69: + 81:01:96:6d:f1:25:44:41:21:f9:a1:b5:14:82:55: + 92:7a:43:bc:a7:09:a6:44:7e:12:c5:00:99:9f:a3: + 0f:b4:f6:32:dc:73:be:82:37:4f:ec:42:69:7d:84: + 3c:86:51:cb:7f:2d:59:f5:d8:9b:01:12:c1:da:e1: + 
91:5a:95:dd:d9:71:85:07:12:87:b7:b9:7e:e0:23: + 23:e4:6f:73:ed:7e:d4:97:47:2a:34:69:3e:1a:1d: + bd:63:4b:e4:18:c4:b7:67:fa:8a:34:98:27:71:ef: + ab:01:5b:29:b3:df:fc:65:7c:98:19:25:cf:db:0b: + 01:da:40:f9:e7:d8:9a:ee:1f:65:ef:3a:87:21:e1: + 5f:8e:07 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + EA:C5:45:12:04:D7:BC:70:A8:DF:66:16:D3:E4:B3:06:5F:22:7C:43 + Signature Algorithm: sha256WithRSAEncryption + c4:7e:e7:3b:4d:74:46:ba:4d:68:e9:e3:ef:06:b1:b1:31:5b: + 0e:9d:7f:ea:8c:1e:ab:52:73:b6:75:32:6d:28:ff:ca:15:41: + 08:92:3f:42:2d:00:7c:9a:c4:ab:22:1f:a5:5d:bf:d6:a5:c6: + 07:13:5b:2e:ca:a6:e1:e9:d1:8b:67:e0:36:0e:ea:69:af:a2: + 6c:8c:6e:63:4d:bd:39:a1:87:68:5c:64:a2:fb:ae:4e:e1:cc: + 89:dc:74:f2:11:63:57:03:15:ce:f9:33:c0:17:e3:74:f9:6b: + 58:5a:82:df:17:e4:f9:6b:14:47:5d:1c:ce:65:79:7b:2c:43: + 74:4e:f4:72:85:70:40:9f:d3:14:58:1e:ed:bc:3e:3c:e1:8b: + a2:d3:86:2a:e8:c1:eb:27:10:49:a4:8c:15:47:78:1c:d2:68: + 7d:74:b6:1e:11:22:da:79:e5:49:ae:eb:2d:49:ca:32:54:26: + 9b:9f:8f:d1:d1:eb:de:05:c5:56:81:36:f3:e8:5e:e1:cd:52: + 89:91:9f:2c:3e:fe:f2:88:bf:bf:b3:81:10:db:dc:81:86:90: + 3b:65:93:77:e7:f9:ac:44:4e:1f:8f:d1:fe:96:a0:f7:56:87: + 5a:c2:1b:13:86:41:03:b3:41:5c:94:34:69:20:6e:85:cd:3a: + a2:e3:3e:e5:07:77:11:76:fe:52:e8:c3:48:6d:6e:b9:0d:56: + 28:07:ae:56:80:5b:d5:49:d2:8a:ae:ec:da:6f:7b:c7:cb:80: + e5:0e:7b:3a:ae:f9:e5:2d:b9:71:e0:ef:b6:39:7f:02:90:7c: + 39:7f:ca:df:89:04:d0:03:c1:9f:66:93:90:58:1f:83:37:7e: + ef:1a:14:04:3e:5f:c8:f3:aa:5d:e6:2a:d4:41:b9:c9:dd:db: + b5:0c:bb:00:05:10:9e:33:1a:95:76:79:d4:e1:9c:a8:37:8f: + f7:77:29:da:ce:54:97:96:b0:6f:7a:5f:86:5a:ea:98:3c:72: + 27:89:56:ff:36:b2:77:44:0e:76:8f:92:13:c0:65:81:7e:72: + 1e:fe:a3:c7:2e:5c:57:cc:2f:8e:57:54:5b:83:30:86:c3:dd: + 62:3f:7b:fe:e2:40:76:6f:eb:44:84:40:38:85:3b:11:a2:9b: + bf:0a:ee:9d:ba:a3:4c:c8:c2:03:55:c9:08:75:32:68:a0:c6: + 
64:70:69:2c:2f:f6:c3:e1:83:ec:83:a3:eb:1a:b2:59:57:82: + 9d:5d:e4:a5:36:9c:da:6b:b2:cf:27:00:42:a6:55:f1:3d:0f: + 92:93:4d:e4:99:dc:37:05:18:0f:37:2f:8d:d3:b2:47:53:90: + d0:dd:8a:53:bb:62:a2:3f +-----BEGIN CERTIFICATE----- +MIIFyzCCA7OgAwIBAgIRAJ6mOMAaQYXkiSB549z3PTgwDQYJKoZIhvcNAQELBQAw +fzELMAkGA1UEBhMCWFgxEzARBgNVBAgTClNvbWUgU3RhdGUxFjAUBgNVBAcTDVNv +bWUgTG9jYWxpdHkxGjAYBgNVBAoTEVNvbWUgT3JnYW5pemF0aW9uMScwJQYDVQQD +Ex5GYWtlIFJvb3QgQ0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwOTMwMTMyNzQx +WhcNMjkwOTI5MTMyNzQxWjB/MQswCQYDVQQGEwJYWDETMBEGA1UECBMKU29tZSBT +dGF0ZTEWMBQGA1UEBxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBPcmdh +bml6YXRpb24xJzAlBgNVBAMTHkZha2UgUm9vdCBDQSBmb3IgemxpbnQgdGVzdGlu +ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM4NVAWHS6jEr0z2qHu6 +QS6PJVWE+aV6re5ydCA2MCGgCB4H/Jy3ylAAKrewDKOYRVqgD7ELmdFifQ+1OLif +XpyPNam8yAQLq7kSfeq5fT8J5qke2J//DpI53JRRByzMjOR66cvIPYYV/uMbZsVI +igab5qp9/zAmBZfxKCZj2jF+w0/Eb2xmDaxbk1kcU7GKKUepn+XppOL3Lec4GG6K +rncbKVAxWOYJQro88WZ67zMblCKPF+obscZf40vgGXZq3YKop5GhllT6KhOV9Xw+ +kTcDTRYevLmr8j3AZr7+NFfdaXjpON7Ts1Z76MJJ+e8/fBk6Q8w69SzK06f0PVUJ +kIFDD5rlclNvXHAI2znVKfInHm82lONyth0lexwERXmeyGhQPeuoP2ublCzb/2ov +bnWksBSizR/0RLycK6JvkV+QbWSH6+7E8UzJvUDSBcpmcS6EEV7x6n/QCJHoNisc +4eZBO5UvtaFLcaotxw69BaQrmuzqf1lpgQGWbfElREEh+aG1FIJVknpDvKcJpkR+ +EsUAmZ+jD7T2MtxzvoI3T+xCaX2EPIZRy38tWfXYmwESwdrhkVqV3dlxhQcSh7e5 +fuAjI+Rvc+1+1JdHKjRpPhodvWNL5BjEt2f6ijSYJ3HvqwFbKbPf/GV8mBklz9sL +AdpA+efYmu4fZe86hyHhX44HAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBTqxUUSBNe8cKjfZhbT5LMGXyJ8QzANBgkq +hkiG9w0BAQsFAAOCAgEAxH7nO010RrpNaOnj7waxsTFbDp1/6oweq1JztnUybSj/ +yhVBCJI/Qi0AfJrEqyIfpV2/1qXGBxNbLsqm4enRi2fgNg7qaa+ibIxuY029OaGH +aFxkovuuTuHMidx08hFjVwMVzvkzwBfjdPlrWFqC3xfk+WsUR10czmV5eyxDdE70 +coVwQJ/TFFge7bw+POGLotOGKujB6ycQSaSMFUd4HNJofXS2HhEi2nnlSa7rLUnK +MlQmm5+P0dHr3gXFVoE28+he4c1SiZGfLD7+8oi/v7OBENvcgYaQO2WTd+f5rERO +H4/R/pag91aHWsIbE4ZBA7NBXJQ0aSBuhc06ouM+5Qd3EXb+UujDSG1uuQ1WKAeu 
+VoBb1UnSiq7s2m97x8uA5Q57Oq755S25ceDvtjl/ApB8OX/K34kE0APBn2aTkFgf +gzd+7xoUBD5fyPOqXeYq1EG5yd3btQy7AAUQnjMalXZ51OGcqDeP93cp2s5Ul5aw +b3pfhlrqmDxyJ4lW/zayd0QOdo+SE8BlgX5yHv6jxy5cV8wvjldUW4MwhsPdYj97 +/uJAdm/rRIRAOIU7EaKbvwrunbqjTMjCA1XJCHUyaKDGZHBpLC/2w+GD7IOj6xqy +WVeCnV3kpTac2muyzycAQqZV8T0PkpNN5JncNwUYDzcvjdOyR1OQ0N2KU7tioj8= +-----END CERTIFICATE----- diff --git a/v3/testdata/crlWithAuthKeyID.pem b/v3/testdata/crlWithAuthKeyID.pem new file mode 100644 index 000000000..b80642b38 --- /dev/null +++ b/v3/testdata/crlWithAuthKeyID.pem @@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIBvDCBpQIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdSb290IENBFxEy +NDEwMjgyMzI5MzErMDEwMBcRMjUxMDI4MjMyOTMxKzAxMDAwJjAkAgEBFxEyNDEw +MjgyMzI5MzErMDEwMDAMMAoGA1UdFQQDCgEFoC8wLTAKBgNVHRQEAwIBATAfBgNV +HSMEGDAWgBRUsHutRbjiQH/7Cm77vjPJPKOE1TANBgkqhkiG9w0BAQsFAAOCAQEA +lz8TEEYTSCY633weMHkCMjJZoPgOmM5kIGBMg8Mgl6GNJA3pZYfwUhxpa+eb+M7U +WBo3JtXLWrIsu++YitTw16kLWIsUg2iEtDDZnPVagw+qtrYnifsihF+aSjbOUBQr +oaT5wnPbf3tG5I84TZ5/rTtkG7wtuU7bbSc2GdaG1x33cIG/EXMzgwxNWwoKSo2w +Z2spALtQFyPLTGxf9jhS7mYMDEAxu7njw5/10/BLGOWzmQhlkHaqdeqZqMk/y9gX +45y0z7F4T7SqpafacQHk4v6TD8vWVtCIU8gp0vNJTkJITZpdjm9IwgHexXsQXXrF +DXk+Gj9jgl9PQefJwSGTSg== +-----END X509 CRL----- diff --git a/v3/testdata/crlWithDuplicatesInRevokedCertificateList.pem b/v3/testdata/crlWithDuplicatesInRevokedCertificateList.pem new file mode 100644 index 000000000..731a8607c --- /dev/null +++ b/v3/testdata/crlWithDuplicatesInRevokedCertificateList.pem @@ -0,0 +1,8 @@ +-----BEGIN X509 CRL----- +MIIBBzCBrgIBATAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdSb290IENBGA8wMDAx +MDEwMTAwMDAwMFowSDAiAgEDGA8wMDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoB +BTAiAgEDGA8wMDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBBaAuMCwwHgYDVR0j +BBcwFYATcm9vdCBzdWJqZWN0IGtleSBpZDAKBgNVHRQEAwIBATAKBggqhkjOPQQD +AgNIADBFAiEAuKyEUD/rZigP95CfYTTujgc6hpQV5481Y+9N2vt7Y8cCIDSt1fNi +qv6UqrWJlIzWSpJYkm5jZZgf4MqTtHjJ40bM +-----END X509 CRL----- 
diff --git a/v3/testdata/crlWithMissingAuthKeyID.pem b/v3/testdata/crlWithMissingAuthKeyID.pem new file mode 100644 index 000000000..e9d3c6462 --- /dev/null +++ b/v3/testdata/crlWithMissingAuthKeyID.pem @@ -0,0 +1,11 @@ +-----BEGIN X509 CRL----- +MIIBmzCBhAIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdSb290IENBFxEy +NDEwMjgyMzIxMjkrMDEwMBcRMjUxMDI4MjMyMTI5KzAxMDAwJjAkAgEBFxEyNDEw +MjgyMzIxMjkrMDEwMDAMMAoGA1UdFQQDCgEFoA4wDDAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQsFAAOCAQEACPLUGxlwMl/VViDPl/WXdUmOwemYhjgPsCqiyeh2m5ud +Ewp87b3rWpN/2xcTP6VNEgXDyVulX0OdKBI0t4UwXQoKnsXlIChQ8eJMTxvIDjcZ +hAOhtDjigKAlxQLzHcE/5C+dkZxK4McfwnA8Hd5MfasWqY9e8AWzaW04/V1gXZsT +v+6ivSpA0m1uS/oEhdqKg0x6WYWs8RnzgwMDZeg9UqOKq0J1xqQ96yZF4vfxWqCJ +kXajMAEerkWDK4ymxl6CgfGnAVzxxCtIuWJnto44j6QsOR1WvPSiD9NxGnfvEqPJ +7pTy0x7sF8IKkTFr4P66pttnrkcDvA+3ot1BbgB3GQ== +-----END X509 CRL----- diff --git a/v3/testdata/crlWithNoDuplicatesInRevokedCertificateList.pem b/v3/testdata/crlWithNoDuplicatesInRevokedCertificateList.pem new file mode 100644 index 000000000..74784b127 --- /dev/null +++ b/v3/testdata/crlWithNoDuplicatesInRevokedCertificateList.pem @@ -0,0 +1,7 @@ +-----BEGIN X509 CRL----- +MIHYMIGAAgEBMAoGCCqGSM49BAMCMAAYDzAwMDEwMTAxMDAwMDAwWjAkMCICAQMY +DzAwMDEwMTAxMDAwMDAwWjAMMAoGA1UdFQQDCgEFoDYwNDAmBgNVHSMEHzAdgBtp +bnRlcm1lZGlhdGUgc3ViamVjdCBrZXkgaWQwCgYDVR0UBAMCAQEwCgYIKoZIzj0E +AwIDRwAwRAIgKW/t2p4I+U4VJ3Tuo70JGzUY7vgv8BHCCyCnWtuKoiQCID3zPiiV +X2MUcmUEIoNvck0XyDbsxWFaDn76xddAMD/v +-----END X509 CRL----- diff --git a/v3/util/ip.go b/v3/util/ip.go index a61c77344..eafe263fa 100644 --- a/v3/util/ip.go +++ b/v3/util/ip.go @@ -17,7 +17,6 @@ package util import ( - "fmt" "net" ) @@ -120,7 +119,7 @@ func init() { var err error if _, ipNet, err = net.ParseCIDR(network); err != nil { - panic(fmt.Sprintf("unexpected internal network value provided: %s", err.Error())) + panic("unexpected internal network value provided: " + err.Error()) } reservedNetworks = append(reservedNetworks, ipNet) } 
diff --git a/v3/util/oid.go b/v3/util/oid.go
index 2521ac078..1c686d0a7 100644
--- a/v3/util/oid.go
+++ b/v3/util/oid.go
@@ -32,6 +32,7 @@ var (
 CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies
 CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points
 CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison
+ DeltaCRLIndicatorOID = asn1.ObjectIdentifier{2, 5, 29, 27} // Delta CRL Indicator
 EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax
 FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL
 InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy
diff --git a/v3/util/time.go b/v3/util/time.go
index 90ec3bce5..1256cf7ee 100644
--- a/v3/util/time.go
+++ b/v3/util/time.go
@@ -76,6 +76,14 @@ var (
 CABFBRs_1_7_9_Date = time.Date(2021, time.August, 16, 0, 0, 0, 0, time.UTC)
 CABFBRs_1_8_0_Date = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC)
 CABFBRs_2_0_0_Date = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_1_Date = time.Date(2024, time.March, 15, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_2_Date = time.Date(2024, time.January, 8, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_3_Date = time.Date(2024, time.April, 15, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_4_Date = time.Date(2024, time.May, 15, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_5_Date = time.Date(2024, time.July, 1, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_6_Date = time.Date(2024, time.August, 6, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_7_Date = time.Date(2024, time.September, 6, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_8_Date = time.Date(2024, time.October, 2, 0, 0, 0, 0, time.UTC)
 NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC)
 CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
 EtsiPSD2Date = time.Date(2018, time.November, 1, 0, 0, 0, 0, time.UTC)
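Review bot: In the time.go hunk, `CABFBRs_2_0_2_Date` (January 8, 2024) is earlier than `CABFBRs_2_0_1_Date` (March 15, 2024), so the new constants are not monotonic in version order and the pair reads like a transposition. Lints that use these values as their effective date decide which certificates a requirement is applied to, so a wrong date would leave certificates issued in the gap unchecked or flag them incorrectly. If both values are the effective dates taken from the BR revision history, a comment on the 2.0.1 line such as `// effective date; takes force after 2.0.2 despite the lower version number` would keep a later reader from "correcting" it. The enclosing `var (` block starts and ends outside the hunk.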