diff --git a/h b/h new file mode 100644 index 000000000..5d88c51e5 --- /dev/null +++ b/h 
@@ -0,0 +1,531 @@ +commit 92902fc7d9ae7ad9f221235c74b992be6f101812 (HEAD -> master, origin/master, origin/HEAD) +Merge: 526f9be 8c46bdf +Author: mtgag +Date: Sat Jul 1 09:28:04 2023 +0200 + + Merge https://github.com/zmap/zlint + +commit 8c46bdf0e6c8f3ccab7d3101cbf56eea9b7a856a +Author: Aaron Gable +Date: Fri Jun 30 12:56:49 2023 -0700 + + Fix typo in LintRevocationListEx comment (#730) + +commit 7ef1f8451ba9894bb27645321618de2bf9a158be +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Jun 25 16:11:22 2023 -0700 + + util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727) + + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 5e0219d2a818f0d8c71f20191d79e010890c2269 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Mon Jun 26 01:02:29 2023 +0200 + + Bc critical (#722) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * returning fatal rather than na + + * Update v3/lints/rfc/lint_basic_constraints_not_critical.go + + Error instead of fatal + + Co-authored-by: Christopher Henderson + + * adding error description. 
+ + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 3746088f87cde72a751b8f8a68c9b0a9e9a6a8b0 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Jun 11 12:21:00 2023 -0700 + + util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698) + + Co-authored-by: GitHub + Co-authored-by: Zakir Durumeric + +commit 9b18bdcd8fedb5013bda10ba13de27e3bf4ed908 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Jun 11 21:13:48 2023 +0200 + + Ca field empty description (#723) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * simply must not have a non-empty distinguished name should suffice. The field is always present, the lints tests if the Sequence is empty. + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 59a91a2b1b7562e80894103cf8f8e03319b82a92 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Jun 11 21:02:42 2023 +0200 + + Max length check applies (#724) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * max length check only if component is present. 
+ + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 526f9be2c26b63477a2d03d8a6a2736e2fe89b72 +Merge: b52111b 45e8dff +Author: mtgag +Date: Fri Jun 9 06:52:40 2023 +0200 + + Merge https://github.com/zmap/zlint + +commit 45e8dff6fe0d2a6989366a3dbd44713c360afc8f +Author: mwahaj +Date: Sun Jun 4 23:13:06 2023 +0500 + + Update README.md (#719) + + Added PKI Insights which also used zlint for X.509 Certificate verification against the PKI and Industry standards + + Co-authored-by: Christopher Henderson + +commit af903824a31385208566fa640cc13036a0e4d8e4 +Author: Christopher Henderson +Date: Sun Jun 4 11:02:45 2023 -0700 + + Enable accepting a PEM encoded CRL via the command line interface (#721) + + * dispatching CRLs to the CRL linting infra + + * fixing typo in README + +commit 1d8591cffbd9513c7302ef8187297e7463358291 +Author: toddgaunt-gs <107932811+toddgaunt-gs@users.noreply.github.com> +Date: Mon May 29 12:05:30 2023 -0400 + + Remove references in comments to Initialize() method of lints (#718) + + Some comments still refer to lints having an Initialize method. This + appears to no longer be the case but a warning in the comments for + RegisterLint, RegisterCertificateLint, and RegisterRevocationListLint + was still referencing lints having such a method. + +commit b52111baec7700cadeafd21ca74e448cec162483 +Merge: 351a379 2438596 +Author: mtgag +Date: Tue May 16 08:44:04 2023 +0200 + + Merge https://github.com/zmap/zlint + +commit 24385962110d84a33e403ae611169297e8d205c1 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun May 14 20:16:08 2023 +0200 + + Always perform e_cert_unique_identifier_version_not_2_or_3 (#711) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 351a37987e16c681f69725836a73dc888179d2be +Merge: 92e659c a5c869f +Author: Christopher Henderson +Date: Sun May 14 11:06:52 2023 -0700 + + Merge branch 'master' into master + +commit a5c869f807cbfce8a689aeba5682eb8f326845ea +Author: Christopher Henderson +Date: Sat May 13 09:23:45 2023 -0700 + + Update copyright text to 2023 (#716) + + * Updating copyright headers to 2023 + +commit 92e659c5aefeeea3afd8a32cc768b112a9355218 +Author: mtgag +Date: Thu Apr 27 08:55:54 2023 +0200 + + always check and perform the operation in the execution + +commit 30b096ee5b613af5eff751d9c5b878e8d07f529e +Merge: 8600050 997ad51 +Author: mtgag +Date: Wed Apr 19 08:41:37 2023 +0200 + + Merge https://github.com/zmap/zlint + +commit 997ad5143216f4a3f461545f277be7e20bdcb557 +Author: Amir Omidi +Date: Sun Mar 26 14:02:27 2023 -0400 + + Add CRL linting infrastructure (#699) + + * Add the skeleton around linting CRLs + + * Change the entrypoint of zlint + + * Add tests for the new skeleton + + * Address reviews + + * starting my own suggestions to work coopertaively on he change + + * Take out generics from the registration struct (#3) + + * Update to use Zcrypto instead of stdlib crypto for RevocationList (#4) + + * Take out generics from the registration struct (#3) + + * updating to use zcrypto + + * pointing zcrypto back to master + + * go tidy up + + --------- + + Co-authored-by: Amir Omidi + + * Tidy go mod + + * Update zcrypto + + * go mod tidy one more time + + * Bypass lint for Registry + + * Add NextUpdate CRL lint (#5) + + --------- + + Co-authored-by: christopher-henderson + +commit 64ae4e500e020b535a475a6c99007f77b917e1e9 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Mar 12 13:06:18 2023 -0700 + + 
build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#704) + + Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20220412020605-290c469a71a5 to 0.7.0. + - [Release notes](https://github.com/golang/net/releases) + - [Commits](https://github.com/golang/net/commits/v0.7.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/net + dependency-type: indirect + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Christopher Henderson + +commit 68901ea435cd9be1c5f37765ed178120c3f570f9 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Mar 12 12:58:25 2023 -0700 + + build(deps): bump golang.org/x/net in /v3 (#702) + + Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20220412020605-290c469a71a5 to 0.7.0. + - [Release notes](https://github.com/golang/net/releases) + - [Commits](https://github.com/golang/net/commits/v0.7.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/net + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Christopher Henderson + +commit 5ed8e34fe97edb3fedd7f1fb5cbc48a1444ea195 +Author: Christopher Henderson +Date: Sun Mar 12 12:48:34 2023 -0700 + + asserting human readable strings is error prone (#707) + +commit c7740fad1793b30df07212f9297066363efb19ce +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Mar 12 12:32:52 2023 -0700 + + build(deps): bump golang.org/x/text in /v3/cmd/genTestCerts (#701) + + Bumps [golang.org/x/text](https://github.com/golang/text) from 0.3.7 to 0.3.8. + - [Release notes](https://github.com/golang/text/releases) + - [Commits](https://github.com/golang/text/compare/v0.3.7...v0.3.8) + + --- + updated-dependencies: + - dependency-name: golang.org/x/text + dependency-type: indirect + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Christopher Henderson + +commit a476724019152fa17e7ebb3c0bba6b896aecf89d +Author: Christopher Henderson +Date: Sun Mar 12 10:55:47 2023 -0700 + + Upgrading golangci-lint to v1.51.2 (#705) + +commit 46f7185e35ed0a7af55db60004a66ac4f15520fa +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Mar 5 09:18:23 2023 -0800 + + build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in /v3 (#700) + + Bumps [golang.org/x/text](https://github.com/golang/text) from 0.3.7 to 0.3.8. + - [Release notes](https://github.com/golang/text/releases) + - [Commits](https://github.com/golang/text/compare/v0.3.7...v0.3.8) + + --- + updated-dependencies: + - dependency-name: golang.org/x/text + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 8a9f61eb9d9b2ee4b14519573ee2f0d09474c316 +Author: Christopher Henderson +Date: Thu Nov 3 09:18:18 2022 -0700 + + test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695) + + * util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC + + * Trigger GHA + + * revert change + + * fixing our own tests + + Co-authored-by: GitHub + +commit 6292ca4c07afed0c9e4f43470126901161fd0c2c +Author: Christopher Henderson +Date: Sun Oct 16 11:41:20 2022 -0700 + + Adding support for linting profiles (#595) + + * adding support for linting profiles + + * at least tests running + + * Update v3/lint/profile.go + + Absolutely + + Co-authored-by: Daniel McCarney + + * Update v3/newProfile.sh + + * adding godoc to AllProfiles + + * util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC + + * Trigger GHA + + * fixing linter + + Co-authored-by: Daniel McCarney + Co-authored-by: GitHub + +commit c6273337f37bce57a42c61f61566465ba81a8f4d +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Oct 16 10:20:03 2022 -0700 + + util: gtld_map autopull updates for 2022-10-10T19:22:35 UTC (#694) + + Co-authored-by: GitHub + +commit 13fcc6ff15096c615205e0073681d571227522f9 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Oct 9 07:06:19 2022 -0700 + + util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC (#693) + + Co-authored-by: GitHub + +commit 137e46e0ca400af8c38465773a9d9ef8dc044b62 +Author: Christopher Henderson +Date: Sun Sep 18 11:18:06 2022 -0700 + + Lint to check for invalid KU lengths (#686) + + * lint for incorrecty KU length + + * better code comment + + * correcting linter + + * fixing lint to check for combinations with nine possible flags + + * fixing comments + + * using cryptobyte + + * 
accounting for jumbo sized KUs + +commit 1209017ea441820ff41f4ef6b05e946ed53efcda +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Sun Sep 18 19:08:44 2022 +0100 + + Prevent OU lint from applying to CA certificates. Add unit test to confirm change of behaviour (#691) + +commit 44e12c12ca43a4af86f0dc2da4a71493ac9f8345 +Author: Christopher Henderson +Date: Sun Aug 28 07:33:00 2022 -0700 + + Add lint to check for incorrect 'unused' bit encoding in KeyUsages (#684) + + * Add lint to check for incorrect 'unused' bit encoding + + * using real life test data as a failure case + +commit 3f5e40d69c7dd1ed2049051f00dba88e97794ef0 +Author: Christopher Henderson +Date: Sun Jul 31 11:02:44 2022 -0700 + + Lint for RSA close prime Fermat factorization susceptibility (#674) + + * lint for close prime factorization with a default round setting of 100 + +commit e5ee614b989dca0615c7fdb9cb6d621f281c5a20 +Author: Christopher Henderson +Date: Sat Jul 23 11:55:36 2022 -0700 + + Support for Configurable Lints (#648) + + * Support for configurable lints + +commit ed9a20f851f487d6d280b72dc9db232779fc11e3 +Author: Christopher Henderson +Date: Sun Jul 17 13:06:32 2022 -0700 + + Added lint to check for superfluous zero byte on KU (#682) + +commit d8b86f771ea068173826b2088f0c502c17eaaa8d +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Jun 19 19:58:35 2022 +0200 + + Lints for allowable key usages as per RFC 8813 Section 3 and RFC 3279 Section 2.3.1 (#678) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * added lints that adress issues about correct key usage values for a certain public key type + + * adjustments in config.json + + * adjustments after code review + + * adjustments after code review + + * warnings are turned to errors + + * fixed error count + + Co-authored-by: mtg + Co-authored-by: GitHub + +commit c7955ed482857439faa68dfdfb67b94a1510bce1 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Mon Jun 13 16:19:30 2022 +0200 + + Sunset subject:organizationalUnitName (Section 7.1.4.2.2.i, CAB-Forum BR) (#643) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * added lint for presence of OU in subject + + * Update v3/lints/cabf_br/lint_subject_contains_organizational_unit_name.go + + Co-authored-by: Ryan Sleevi + + * separated lints to adress two requirements + + * separated lints to adress two requirements + + * reverted change proposed by IDE + + * aligning to #644 + + * Update v3/util/time.go + + * Update v3/util/time.go + + * Update v3/util/time.go + + * addressed requested changes, removing lint that is implemented in 675 + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Ryan Sleevi + Co-authored-by: Christopher Henderson diff --git a/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go b/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go index d67cd3ebd..4988ee57a 100644 --- a/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go +++ b/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go @@ -15,6 +15,9 @@ package rfc */ import ( + "errors" + + "github.com/zmap/zcrypto/encoding/asn1" "github.com/zmap/zcrypto/x509" "github.com/zmap/zlint/v3/lint" "github.com/zmap/zlint/v3/util" 
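Review bot: The new file `h` at the repository root holds 531 lines of `git log` output, and nothing in the lint or its test in this diff refers to it, so it looks like a stray shell redirect that was staged by accident (an inference, since only the diff is visible). Drop it from the commit. Besides the noise, it copies contributor names and noreply addresses into a tracked file that serves no purpose.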
@@ -22,6 +25,11 @@ import ( type unrecommendedQualifier struct{} +type policyInformation struct { + policyIdentifier asn1.ObjectIdentifier + policyQualifiersBytes asn1.RawValue +} + /******************************************************************* RFC 5280: 4.2.1.4 To promote interoperability, this profile RECOMMENDS that policy 
@@ -49,16 +57,113 @@ func NewUnrecommendedQualifier() lint.LintInterface { } func (l *unrecommendedQualifier) CheckApplies(c *x509.Certificate) bool { - return util.IsExtInCert(c, util.CertPolicyOID) + + // TODO? extract to util method: HasAnyPolicyOID(c) + if !util.IsExtInCert(c, util.CertPolicyOID) { + return false + } + + for _, policyIds := range c.PolicyIdentifiers { + if policyIds.Equal(util.AnyPolicyOID) { + return true + } + } + return false } func (l *unrecommendedQualifier) Execute(c *x509.Certificate) *lint.LintResult { - for _, firstLvl := range c.QualifierId { - for _, qualifierId := range firstLvl { - if !qualifierId.Equal(util.CpsOID) && !qualifierId.Equal(util.UserNoticeOID) { + + var err, certificatePolicies = getCertificatePolicies(c) + + if err != nil { + return &lint.LintResult{Status: lint.Fatal, Details: err.Error()} + } + + for _, policyInformation := range certificatePolicies { + + if !policyInformation.policyIdentifier.Equal(util.AnyPolicyOID) { // if the policyIdentifier is not anyPolicy do not examine further + continue + } + + if len(policyInformation.policyQualifiersBytes.Bytes) == 0 { // this policy information does not have any policyQualifiers + continue + } + + var policyQualifiersSeq, policyQualifierInfoSeq asn1.RawValue + + empty, err := asn1.Unmarshal(policyInformation.policyQualifiersBytes.Bytes, &policyQualifiersSeq) + + if err != nil || len(empty) != 0 || policyQualifiersSeq.Class != 0 || policyQualifiersSeq.Tag != 16 || !policyQualifiersSeq.IsCompound { + return &lint.LintResult{Status: lint.Fatal, Details: "policyExtensions: Could not unmarshal policyQualifiers sequence."} + } + + //iterate over policyQualifiers ... 
SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL + for policyQualifierInfoSeqProcessed := false; !policyQualifierInfoSeqProcessed; { + // these bytes belong to the next PolicyQualifierInfo + policyQualifiersSeq.Bytes, err = asn1.Unmarshal(policyQualifiersSeq.Bytes, &policyQualifierInfoSeq) + if err != nil || policyQualifierInfoSeq.Class != 0 || policyQualifierInfoSeq.Tag != 16 || !policyQualifierInfoSeq.IsCompound { + return &lint.LintResult{Status: lint.Fatal, Details: "policyExtensions: Could not unmarshal policy qualifiers"} + } + if len(policyQualifiersSeq.Bytes) == 0 { // no further PolicyQualifierInfo exists + policyQualifierInfoSeqProcessed = true + } + + var policyQualifierId asn1.ObjectIdentifier + _, err = asn1.Unmarshal(policyQualifierInfoSeq.Bytes, &policyQualifierId) + if err != nil { + return &lint.LintResult{Status: lint.Fatal, Details: "policyExtensions: Could not unmarshal policyQualifierId."} + } + + if !policyQualifierId.Equal(util.CpsOID) && !policyQualifierId.Equal(util.UserNoticeOID) { return &lint.LintResult{Status: lint.Error} } } } + return &lint.LintResult{Status: lint.Pass} } + +func getCertificatePolicies(c *x509.Certificate) (error, []policyInformation) { + + extVal := util.GetExtFromCert(c, util.CertPolicyOID).Value + + // adjusted code taken from v3/util/oid.go GetMappedPolicies, see comments there + var certificatePoliciesSeq, policyInformationSeq asn1.RawValue + + empty, err := asn1.Unmarshal(extVal, &certificatePoliciesSeq) + + if err != nil || len(empty) != 0 || certificatePoliciesSeq.Class != 0 || certificatePoliciesSeq.Tag != 16 || !certificatePoliciesSeq.IsCompound { + return errors.New("policyExtensions: Could not unmarshal certificatePolicies sequence."), nil + } + + var certificatePolicies []policyInformation + + // iterate over certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + for policyInformationSeqProcessed := false; !policyInformationSeqProcessed; { + + // these bytes belong to the next 
PolicyInformation + certificatePoliciesSeq.Bytes, err = asn1.Unmarshal(certificatePoliciesSeq.Bytes, &policyInformationSeq) + if err != nil || policyInformationSeq.Class != 0 || policyInformationSeq.Tag != 16 || !policyInformationSeq.IsCompound { + return errors.New("policyExtensions: Could not unmarshal policyInformation sequence."), nil + } + + if len(certificatePoliciesSeq.Bytes) == 0 { // no further PolicyInformation exists + policyInformationSeqProcessed = true + } + + //PolicyInformation ::= SEQUENCE { + // policyIdentifier CertPolicyId, + // policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL } + + var certPolicyId asn1.ObjectIdentifier + var policyQualifiers asn1.RawValue + policyQualifiers.Bytes, err = asn1.Unmarshal(policyInformationSeq.Bytes, &certPolicyId) + if err != nil { + return errors.New("policyExtensions: Could not unmarshal certPolicyId."), nil + } + + information := policyInformation{certPolicyId, policyQualifiers} + certificatePolicies = append(certificatePolicies, information) + } + return nil, certificatePolicies +} diff --git a/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier_test.go b/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier_test.go index 74081add5..70653e910 100644 --- a/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier_test.go +++ b/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier_test.go 
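Review bot: In `getCertificatePolicies`, `util.GetExtFromCert(c, util.CertPolicyOID).Value` dereferences the lookup result without a nil check, so the helper is only safe while every caller has already passed `CheckApplies`. If the lookup yields nil for a certificate without the extension (not visible in this hunk), parsing an untrusted certificate would panic instead of returning a lint result. Guard it locally with `ext := util.GetExtFromCert(c, util.CertPolicyOID)` followed by `if ext == nil { return errors.New("policyExtensions: certificatePolicies extension not present"), nil }`. Separately, the helper returns `(error, []policyInformation)`; Go convention puts the error last, and `var err, certificatePolicies = getCertificatePolicies(c)` in `Execute` reads backwards because of it.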
@@ -21,29 +21,55 @@ import ( "github.com/zmap/zlint/v3/test" ) -func TestNoticeRef(t *testing.T) { - inputPath := "userNoticePres.pem" - expected := lint.Pass - out := test.TestLint("e_ext_cert_policy_disallowed_any_policy_qualifier", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) +func TestUnrecommendedQualifier(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "Certificate with certificate policies extension and without the anyPolicy policyIdentifier present", + InputFilename: "withoutAnyPolicy.pem", + ExpectedResult: lint.NA, + }, + { + Name: "Certificate without certificate policies extension", + InputFilename: "CNWithoutSANSeptember2021.pem", + ExpectedResult: lint.NA, + }, + { + Name: "Certificate with certificate policies extension, with anyPolicy policyIdentifier present, without policyQualifiers", + InputFilename: "withAnyPolicyAndNoPolicyQualifiers.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "Certificate with certificate policies extension, with anyPolicy policyIdentifier present and a CPS qualifier present", + InputFilename: "withAnyPolicyAndCPSQualifier.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "Certificate with certificate policies extension, with anyPolicy policyIdentifier present and a UserNotice qualifier present", + InputFilename: "withAnyPolicyAndUserNoticeQualifier.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "Certificate with certificate policies extension, with anyPolicy policyIdentifier present and neither CPS nor UserNotice qualifier present", + InputFilename: "withAnyPolicyWithoutCPSOrUserNoticeQualifier.pem", + ExpectedResult: lint.Error, + }, + { + Name: "Certificate with certificate policies extension and many combinations of policies and qualifiers", + InputFilename: "withValidPoliciesRegardingAnyPolicy.pem", + ExpectedResult: lint.Pass, + }, } -} - -func TestCps(t 
*testing.T) { - inputPath := "userNoticeMissing.pem" - expected := lint.Pass - out := test.TestLint("e_ext_cert_policy_disallowed_any_policy_qualifier", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} -func TestNoticeRefUnknown(t *testing.T) { - inputPath := "userNoticeUnrecommended.pem" - expected := lint.Error - out := test.TestLint("e_ext_cert_policy_disallowed_any_policy_qualifier", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_ext_cert_policy_disallowed_any_policy_qualifier", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + }) } } diff --git a/v3/testdata/withAnyPolicyAndCPSQualifier.pem b/v3/testdata/withAnyPolicyAndCPSQualifier.pem new file mode 100644 index 000000000..a059dbcff --- /dev/null +++ b/v3/testdata/withAnyPolicyAndCPSQualifier.pem 
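Review bot: No entry in the `testCases` table reaches the `lint.Fatal` returns that the rewritten `Execute` and `getCertificatePolicies` add for a malformed certificatePolicies or policyQualifiers encoding; the seven cases cover only NA, Pass and Error. Those branches are the ones exercised by broken or hostile input, so one case with `ExpectedResult: lint.Fatal` and a fixture whose policyQualifiers is not a well-formed SEQUENCE would pin them (fixture name to be chosen, e.g. `<malformedPolicyQualifiers>.pem`). If the certificate parser already rejects such input before the lint runs, which this diff does not show, a short comment in the lint stating that the checks are defensive would do instead.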
@@ -0,0 +1,82 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 67:32:5c:93:e9:a2:32:b8:61:f6:d6:e2 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = JLint Sub CA, O = Lint, C = DE + Validity + Not Before: Jul 1 14:48:19 2023 GMT + Not After : Jul 1 15:48:19 2024 GMT + Subject: CN = e_ext_cert_policy_disallowed_any_policy_qualifier, O = Lint, C = DE + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c6:ee:a4:ff:af:f9:d3:57:78:a1:35:b9:b9:6e: + f1:67:fd:3e:d3:b1:e5:13:25:5a:34:eb:68:7c:ea: + ae:32:01:e1:98:15:15:32:c3:03:75:e5:d6:2e:56: + 2d:03:34:28:25:e0:77:b8:db:1a:47:d9:ff:b1:d4: + 31:6a:d2:8e:ab:64:3a:0e:a3:e8:53:40:4f:ff:55: + 32:1d:59:a6:db:09:20:aa:c3:ee:57:ca:90:8d:de: + 26:2c:f5:b3:b3:45:d6:32:81:18:46:44:ad:1e:f8: + 92:a3:ed:b3:af:e5:72:80:3d:0b:c8:fc:fa:a1:e6: + 20:16:d7:18:70:4b:4a:c1:5f:a7:3b:aa:26:75:36: + 7a:13:62:98:2e:8f:18:5c:c0:e7:88:40:36:03:44: + 91:a9:80:3c:6a:dd:36:b1:53:ff:1b:d8:8a:97:ef: + 06:04:e0:ce:8b:53:4e:24:5d:89:9e:75:b1:31:75: + bf:b3:26:ba:6b:08:70:49:b8:b8:76:2c:27:07:e7: + a6:e5:ee:ac:de:f6:28:6b:b8:78:0e:b0:53:12:c2: + 0e:d7:b2:b7:e6:c2:e8:1d:2c:b1:6e:ac:19:a3:88: + 14:67:3e:7b:67:04:34:e5:8d:90:23:06:63:e0:c3: + 6b:b0:e1:c6:75:54:7d:47:47:c9:26:14:07:1a:e1: + 6f:c5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:C4:8F:CF:FE:87:49:92:71:70:4E:93:BC:C1:34:21:EE:A0:93:65:84 + + X509v3 Subject Key Identifier: + 22:BF:08:67:F1:B4:F2:53:77:63:B5:3A:39:74:A3:80:C1:2F:C3:D1 + X509v3 Certificate Policies: critical + Policy: X509v3 Any Policy + CPS: https://example.com/cps + + Signature Algorithm: sha256WithRSAEncryption + 3e:38:b8:e6:68:5f:81:95:8f:de:5f:dc:9a:82:8b:93:78:6d: + 16:ba:7e:dd:57:72:9e:91:72:21:07:b0:22:3a:83:68:b9:b2: + 26:ed:5b:9b:b9:b5:ac:49:8a:4c:8d:6f:32:cc:24:e7:b8:99: + 2b:b9:47:68:4a:55:9a:7a:74:de:06:a6:2d:58:57:00:89:76: + ac:ec:99:4f:44:69:28:21:25:31:9b:35:9d:82:46:bf:9d:0e: + 
05:ff:58:a5:df:df:19:d2:df:4f:e2:ed:0d:85:d7:7d:98:e8: + dd:80:d8:e1:c5:3c:82:1b:69:3e:82:03:fc:2b:d5:87:37:c3: + b1:dc:06:f3:8e:83:42:90:b8:1c:2d:91:44:8c:8b:5a:eb:5c: + dc:77:86:e7:39:7b:c2:3c:40:1f:1c:5e:ad:f0:b4:2c:ad:45: + 81:82:a2:37:17:c5:05:80:d5:9c:ee:f8:24:ea:2f:91:e2:95: + 32:38:a0:fd:77:3c:ad:97:58:ff:3b:ba:0e:fd:a7:1a:06:61: + a0:6c:02:08:20:df:4e:9e:ab:f0:92:62:65:09:83:54:3e:17: + b4:a3:3a:8c:2c:c4:03:4d:5c:a7:bf:84:0f:0a:39:61:c5:39: + 5c:8d:8a:24:0b:31:84:d1:76:2a:74:1b:da:9b:f9:13:c9:9e: + 5f:f0:c1:34 +-----BEGIN CERTIFICATE----- +MIIDkDCCAnigAwIBAgIMZzJck+miMrhh9tbiMA0GCSqGSIb3DQEBCwUAMDMxFTAT +BgNVBAMMDEpMaW50IFN1YiBDQTENMAsGA1UECgwETGludDELMAkGA1UEBhMCREUw +HhcNMjMwNzAxMTQ0ODE5WhcNMjQwNzAxMTU0ODE5WjBYMTowOAYDVQQDDDFlX2V4 +dF9jZXJ0X3BvbGljeV9kaXNhbGxvd2VkX2FueV9wb2xpY3lfcXVhbGlmaWVyMQ0w +CwYDVQQKDARMaW50MQswCQYDVQQGEwJERTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMbupP+v+dNXeKE1ublu8Wf9PtOx5RMlWjTraHzqrjIB4ZgVFTLD +A3Xl1i5WLQM0KCXgd7jbGkfZ/7HUMWrSjqtkOg6j6FNAT/9VMh1ZptsJIKrD7lfK +kI3eJiz1s7NF1jKBGEZErR74kqPts6/lcoA9C8j8+qHmIBbXGHBLSsFfpzuqJnU2 +ehNimC6PGFzA54hANgNEkamAPGrdNrFT/xvYipfvBgTgzotTTiRdiZ51sTF1v7Mm +umsIcEm4uHYsJwfnpuXurN72KGu4eA6wUxLCDteyt+bC6B0ssW6sGaOIFGc+e2cE +NOWNkCMGY+DDa7DhxnVUfUdHySYUBxrhb8UCAwEAAaN/MH0wHwYDVR0jBBgwFoAU +xI/P/odJknFwTpO8wTQh7qCTZYQwHQYDVR0OBBYEFCK/CGfxtPJTd2O1Ojl0o4DB +L8PRMDsGA1UdIAEB/wQxMC8wLQYEVR0gADAlMCMGCCsGAQUFBwIBFhdodHRwczov +L2V4YW1wbGUuY29tL2NwczANBgkqhkiG9w0BAQsFAAOCAQEAPji45mhfgZWP3l/c +moKLk3htFrp+3VdynpFyIQewIjqDaLmyJu1bm7m1rEmKTI1vMswk57iZK7lHaEpV +mnp03gamLVhXAIl2rOyZT0RpKCElMZs1nYJGv50OBf9Ypd/fGdLfT+LtDYXXfZjo +3YDY4cU8ghtpPoID/CvVhzfDsdwG846DQpC4HC2RRIyLWutc3HeG5zl7wjxAHxxe +rfC0LK1FgYKiNxfFBYDVnO74JOovkeKVMjig/Xc8rZdY/zu6Dv2nGgZhoGwCCCDf +Tp6r8JJiZQmDVD4XtKM6jCzEA01cp7+EDwo5YcU5XI2KJAsxhNF2KnQb2pv5E8me +X/DBNA== +-----END CERTIFICATE----- 
diff --git a/v3/testdata/withAnyPolicyAndNoPolicyQualifiers.pem b/v3/testdata/withAnyPolicyAndNoPolicyQualifiers.pem new file mode 100644 index 000000000..813160959 --- /dev/null +++ b/v3/testdata/withAnyPolicyAndNoPolicyQualifiers.pem 
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 87:51:1e:16:2e:f7:22:25:c8:a6:34:15 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = JLint Sub CA, O = Lint, C = DE + Validity + Not Before: Jul 1 14:48:19 2023 GMT + Not After : Jul 1 15:48:19 2024 GMT + Subject: CN = e_ext_cert_policy_disallowed_any_policy_qualifier, O = Lint, C = DE + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a9:ab:6e:ba:1c:b8:e9:08:e2:30:06:3a:9a:16: + ee:07:a5:aa:24:27:f0:d2:67:aa:bd:82:98:53:8d: + c8:a2:82:47:ee:30:66:94:1e:ae:37:b9:81:0a:fe: + 03:72:d8:00:2b:7b:1d:81:25:be:47:3d:2e:fc:9b: + 64:19:eb:91:b6:a6:0e:a6:f1:60:ce:bd:e7:ff:78: + 94:68:a4:96:25:df:4e:0e:c8:a5:c6:f8:15:6f:76: + 34:16:ed:01:f5:c8:6e:9e:47:dd:24:c4:33:3f:d4: + d3:62:8c:51:83:d5:d1:aa:c0:ce:52:77:80:10:6d: + 98:fc:41:8c:63:64:b9:81:56:f1:0b:a8:67:70:3d: + 98:77:16:93:42:64:55:88:8b:39:89:32:60:91:4b: + eb:11:30:4d:49:91:fa:f5:0e:7a:b5:18:e8:45:cc: + 37:b2:e3:4a:f5:8e:d1:4f:94:2e:89:5d:8c:1a:79: + d7:79:91:1c:c8:cd:fd:85:8e:c0:75:41:e0:25:a0: + fb:4e:5d:42:88:98:85:23:35:d0:39:56:2c:7f:37: + 68:cf:ab:33:0f:63:98:11:77:64:74:16:bd:20:70: + e5:2d:17:ad:f7:84:4e:39:51:6b:ab:50:73:01:31: + 04:54:b1:e7:02:3d:d0:1a:41:39:03:18:86:29:45: + ef:15 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:C4:8F:CF:FE:87:49:92:71:70:4E:93:BC:C1:34:21:EE:A0:93:65:84 + + X509v3 Subject Key Identifier: + A3:6D:DA:40:AC:DC:B7:A4:E2:3D:D1:5B:F3:C5:F3:65:BC:57:6B:85 + X509v3 Certificate Policies: critical + Policy: X509v3 Any Policy + + Signature Algorithm: sha256WithRSAEncryption + b0:84:c9:75:ab:d7:b7:c7:02:cb:eb:44:06:cd:ba:38:9a:9a: + 1b:d5:fe:c5:77:65:69:38:54:26:ce:f1:d9:34:e4:2f:e8:11: + cb:89:15:2d:2d:4a:fd:5c:9f:11:93:10:d9:a6:4e:71:b6:61: + c8:41:f9:91:15:70:50:af:c6:6d:5b:ed:53:ba:a6:86:1a:68: + d9:24:2a:45:da:cd:8f:bb:55:61:68:6f:1b:39:07:8d:be:5b: + 
df:5e:41:a1:59:95:0b:ea:e4:b5:08:67:4b:4e:36:d8:67:78: + 12:08:a4:a3:49:42:1f:98:c6:5f:7c:9c:49:39:ee:4d:ef:f0: + 44:de:fc:b7:92:c1:9d:30:25:c9:58:fe:11:4a:2e:8e:99:88: + 24:1c:bd:72:a0:55:22:bc:d2:1c:c3:5e:3b:d2:94:00:49:4e: + e6:ba:80:6d:19:2a:e4:32:d1:08:1d:49:cd:80:3c:48:76:9c: + 30:ff:1b:c5:5d:53:0b:4c:b1:70:0a:1b:02:9e:71:66:9f:61: + 76:73:d7:a1:13:53:3a:21:a4:ad:b1:e5:7e:9f:46:de:58:9b: + 59:83:33:85:00:2d:87:08:a6:29:9c:b7:c9:01:10:d6:65:2b: + 60:76:2c:d0:e0:7c:41:3c:8e:91:70:e5:93:0a:b3:eb:59:1e: + 9a:f0:fa:b1 +-----BEGIN CERTIFICATE----- +MIIDajCCAlKgAwIBAgINAIdRHhYu9yIlyKY0FTANBgkqhkiG9w0BAQsFADAzMRUw +EwYDVQQDDAxKTGludCBTdWIgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRF +MB4XDTIzMDcwMTE0NDgxOVoXDTI0MDcwMTE1NDgxOVowWDE6MDgGA1UEAwwxZV9l +eHRfY2VydF9wb2xpY3lfZGlzYWxsb3dlZF9hbnlfcG9saWN5X3F1YWxpZmllcjEN +MAsGA1UECgwETGludDELMAkGA1UEBhMCREUwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCpq266HLjpCOIwBjqaFu4HpaokJ/DSZ6q9gphTjciigkfuMGaU +Hq43uYEK/gNy2AArex2BJb5HPS78m2QZ65G2pg6m8WDOvef/eJRopJYl304OyKXG ++BVvdjQW7QH1yG6eR90kxDM/1NNijFGD1dGqwM5Sd4AQbZj8QYxjZLmBVvELqGdw +PZh3FpNCZFWIizmJMmCRS+sRME1Jkfr1Dnq1GOhFzDey40r1jtFPlC6JXYwaedd5 +kRzIzf2FjsB1QeAloPtOXUKImIUjNdA5Vix/N2jPqzMPY5gRd2R0Fr0gcOUtF633 +hE45UWurUHMBMQRUsecCPdAaQTkDGIYpRe8VAgMBAAGjWDBWMB8GA1UdIwQYMBaA +FMSPz/6HSZJxcE6TvME0Ie6gk2WEMB0GA1UdDgQWBBSjbdpArNy3pOI90VvzxfNl +vFdrhTAUBgNVHSABAf8ECjAIMAYGBFUdIAAwDQYJKoZIhvcNAQELBQADggEBALCE +yXWr17fHAsvrRAbNujiamhvV/sV3ZWk4VCbO8dk05C/oEcuJFS0tSv1cnxGTENmm +TnG2YchB+ZEVcFCvxm1b7VO6poYaaNkkKkXazY+7VWFobxs5B42+W99eQaFZlQvq +5LUIZ0tONthneBIIpKNJQh+Yxl98nEk57k3v8ETe/LeSwZ0wJclY/hFKLo6ZiCQc +vXKgVSK80hzDXjvSlABJTua6gG0ZKuQy0QgdSc2APEh2nDD/G8VdUwtMsXAKGwKe +cWafYXZz16ETUzohpK2x5X6fRt5Ym1mDM4UALYcIpimct8kBENZlK2B2LNDgfEE8 +jpFw5ZMKs+tZHprw+rE= +-----END CERTIFICATE----- diff --git a/v3/testdata/withAnyPolicyAndUserNoticeQualifier.pem b/v3/testdata/withAnyPolicyAndUserNoticeQualifier.pem new file mode 100644 index 000000000..b87f22218 --- /dev/null 
+++ b/v3/testdata/withAnyPolicyAndUserNoticeQualifier.pem 
@@ -0,0 +1,82 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4a:9d:a2:2e:85:a3:38:f3:da:b9:b8:8d + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = JLint Sub CA, O = Lint, C = DE + Validity + Not Before: Jul 1 14:48:20 2023 GMT + Not After : Jul 1 15:48:20 2024 GMT + Subject: CN = e_ext_cert_policy_disallowed_any_policy_qualifier, O = Lint, C = DE + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c8:91:8a:84:6a:c8:41:81:65:8b:97:78:8b:d3: + 6c:bf:92:0f:56:22:12:82:83:9d:72:51:c0:5c:19: + 9c:00:12:03:49:8c:1d:05:0b:b2:34:61:78:f5:12: + 92:10:a0:cc:c9:4c:c9:d8:03:3e:cc:b3:29:42:1b: + f7:3a:2c:9e:de:68:29:09:88:49:8f:28:22:2a:95: + bd:db:ce:83:e3:f3:08:80:e1:8b:dd:37:36:c9:28: + 2b:3d:c9:6e:07:7b:3b:1a:b9:69:d8:a6:e0:22:80: + 49:4b:04:50:be:5c:1b:fe:8b:c1:6d:8f:1a:09:33: + d6:5c:c8:6a:e4:ee:d3:48:34:ab:af:27:3c:b6:be: + 7a:43:98:fc:4f:9f:6b:84:0d:e1:98:c8:6a:7e:17: + 62:4c:a4:a0:50:f7:f3:71:6c:8c:a3:25:9c:06:7f: + 5b:a4:5f:0b:af:b5:d5:1c:f9:aa:9c:22:e9:fe:e2: + bf:16:5d:a0:9e:ec:da:32:dc:c0:fa:32:57:7b:0d: + bb:c7:41:9b:9d:f3:7e:38:3a:65:96:1b:9c:44:b9: + a3:38:55:d0:4b:c7:04:f8:dd:65:9f:57:e2:56:88: + b2:b4:69:dc:df:50:6a:4f:ca:f6:20:65:a3:13:b9: + a0:86:9c:c5:c5:84:12:f9:c5:58:17:7c:9b:d8:41: + 4e:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:C4:8F:CF:FE:87:49:92:71:70:4E:93:BC:C1:34:21:EE:A0:93:65:84 + + X509v3 Subject Key Identifier: + C1:01:30:D6:18:D9:DA:F6:28:B6:73:A4:93:E0:0D:2C:46:F9:77:0B + X509v3 Certificate Policies: critical + Policy: X509v3 Any Policy + User Notice: + Explicit Text: zlint + + Signature Algorithm: sha256WithRSAEncryption + 45:74:4a:e2:5d:9d:50:ae:6f:66:c9:70:28:19:9a:47:10:ba: + 1f:e6:75:73:a9:08:e3:1d:9f:f3:55:ea:a6:6a:58:5b:24:b7: + ea:77:6d:94:1e:b1:5a:52:45:2b:99:59:ed:82:5a:84:f3:ba: + a6:a8:1e:ae:74:75:17:2b:49:a4:40:ec:36:81:b7:f7:e5:6a: + 9c:10:bc:ca:4a:70:d8:7c:bd:36:05:94:df:6e:32:c1:c9:7d: + 
f1:d4:a9:e6:cb:89:e7:51:5d:db:b9:de:9c:b4:3b:de:92:dc: + 0f:97:a2:e8:d3:40:41:34:95:2b:97:92:17:e9:91:fb:de:a4: + 0b:c7:1f:e1:d6:40:2d:d9:86:b1:db:05:d3:2f:f7:8f:73:27: + 43:4b:da:85:44:7f:a8:28:34:df:a2:de:a6:65:b5:a1:30:de: + 8f:e7:71:b3:34:a2:2e:be:e8:02:f5:ef:f9:ad:6e:dc:42:18: + eb:ec:a1:c9:98:4a:95:ab:c2:46:61:fa:98:bb:74:20:cf:91: + 89:b7:af:3f:52:25:c1:61:ff:57:a0:51:a9:b3:6a:34:4e:c0: + 52:78:9e:0a:f4:1c:58:4a:15:f6:c4:2e:51:9a:1c:78:19:38: + a6:23:d3:34:4a:7a:35:91:0a:12:36:ea:4f:5e:0b:61:32:28: + 78:2c:61:de +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIMSp2iLoWjOPPaubiNMA0GCSqGSIb3DQEBCwUAMDMxFTAT +BgNVBAMMDEpMaW50IFN1YiBDQTENMAsGA1UECgwETGludDELMAkGA1UEBhMCREUw +HhcNMjMwNzAxMTQ0ODIwWhcNMjQwNzAxMTU0ODIwWjBYMTowOAYDVQQDDDFlX2V4 +dF9jZXJ0X3BvbGljeV9kaXNhbGxvd2VkX2FueV9wb2xpY3lfcXVhbGlmaWVyMQ0w +CwYDVQQKDARMaW50MQswCQYDVQQGEwJERTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMiRioRqyEGBZYuXeIvTbL+SD1YiEoKDnXJRwFwZnAASA0mMHQUL +sjRhePUSkhCgzMlMydgDPsyzKUIb9zosnt5oKQmISY8oIiqVvdvOg+PzCIDhi903 +NskoKz3Jbgd7Oxq5adim4CKASUsEUL5cG/6LwW2PGgkz1lzIauTu00g0q68nPLa+ +ekOY/E+fa4QN4ZjIan4XYkykoFD383FsjKMlnAZ/W6RfC6+11Rz5qpwi6f7ivxZd +oJ7s2jLcwPoyV3sNu8dBm53zfjg6ZZYbnES5ozhV0EvHBPjdZZ9X4laIsrRp3N9Q +ak/K9iBloxO5oIacxcWEEvnFWBd8m9hBTuUCAwEAAaNvMG0wHwYDVR0jBBgwFoAU +xI/P/odJknFwTpO8wTQh7qCTZYQwHQYDVR0OBBYEFMEBMNYY2dr2KLZzpJPgDSxG ++XcLMCsGA1UdIAEB/wQhMB8wHQYEVR0gADAVMBMGCCsGAQUFBwICMAcMBXpsaW50 +MA0GCSqGSIb3DQEBCwUAA4IBAQBFdEriXZ1Qrm9myXAoGZpHELof5nVzqQjjHZ/z +VeqmalhbJLfqd22UHrFaUkUrmVntglqE87qmqB6udHUXK0mkQOw2gbf35WqcELzK +SnDYfL02BZTfbjLByX3x1Knmy4nnUV3bud6ctDvektwPl6Lo00BBNJUrl5IX6ZH7 +3qQLxx/h1kAt2Yax2wXTL/ePcydDS9qFRH+oKDTfot6mZbWhMN6P53GzNKIuvugC +9e/5rW7cQhjr7KHJmEqVq8JGYfqYu3Qgz5GJt68/UiXBYf9XoFGps2o0TsBSeJ4K +9BxYShX2xC5Rmhx4GTimI9M0Sno1kQoSNupPXgthMih4LGHe +-----END CERTIFICATE----- 
diff --git a/v3/testdata/withAnyPolicyWithoutCPSOrUserNoticeQualifier.pem b/v3/testdata/withAnyPolicyWithoutCPSOrUserNoticeQualifier.pem new file mode 100644 index 000000000..0cf896b8f --- /dev/null +++ b/v3/testdata/withAnyPolicyWithoutCPSOrUserNoticeQualifier.pem 
@@ -0,0 +1,81 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3a:f9:7b:5e:a6:69:99:05:6b:4c:3b:96 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = JLint Sub CA, O = Lint, C = DE + Validity + Not Before: Jul 1 14:48:20 2023 GMT + Not After : Jul 1 15:48:20 2024 GMT + Subject: CN = e_ext_cert_policy_disallowed_any_policy_qualifier, O = Lint, C = DE + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ba:e7:11:c5:f8:d3:d8:72:c9:a2:c0:eb:b8:05: + 71:c7:0b:af:f0:a6:de:53:3c:78:15:4e:03:f5:0d: + 62:f0:e9:48:9c:d5:2c:35:c6:84:bd:11:53:43:aa: + b7:58:58:70:30:7c:f1:c3:9a:36:54:13:7f:38:12: + f6:40:43:67:97:9c:be:8d:a4:2b:93:dc:24:ad:00: + d2:4a:7e:51:13:7f:bd:42:e3:8c:0d:5e:f0:cb:90: + 53:70:d6:87:08:cb:e9:26:5f:4f:90:9b:f2:fa:f4: + e0:8c:14:de:ea:13:c0:aa:af:97:d7:f2:14:2e:e1: + 85:00:3b:89:b8:54:3f:61:e2:3d:9a:4c:7a:83:40: + 1d:aa:1e:71:40:10:b3:c3:34:e6:e9:ec:70:8c:40: + c5:a7:29:41:cb:eb:04:a1:85:78:4d:a9:12:73:48: + 09:d0:5e:d6:4d:dd:d0:a4:1c:61:3b:e8:c4:d7:02: + 6b:b4:2e:28:8a:6b:1a:1f:49:b5:41:4d:00:7b:2d: + d9:60:1e:e9:3e:f3:dd:fc:5b:b2:6c:4c:bb:aa:e7: + 86:2f:1e:23:73:8e:fe:28:a2:5f:cf:dd:45:5e:da: + 9b:9b:a9:8c:e5:11:53:26:64:a0:fc:98:4a:d8:8d: + 2e:65:61:86:06:80:30:a9:6e:d8:0d:e4:d4:93:88: + 42:ef + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:C4:8F:CF:FE:87:49:92:71:70:4E:93:BC:C1:34:21:EE:A0:93:65:84 + + X509v3 Subject Key Identifier: + 46:D5:80:6C:65:70:28:2D:61:BE:6B:BE:54:38:B0:68:4E:B3:2A:B7 + X509v3 Certificate Policies: critical + Policy: X509v3 Any Policy + Unknown Qualifier: 1.2.3.4.5 + + Signature Algorithm: sha256WithRSAEncryption + 04:86:83:16:30:6b:88:00:16:d7:07:1b:08:9f:bd:99:43:a8: + 19:68:42:3f:3e:16:95:e5:d7:d4:04:22:60:c6:6f:b7:5d:bb: + d8:04:db:ac:42:94:63:a3:72:7d:c8:13:84:59:6b:99:d0:0b: + 8d:0c:ca:23:4b:81:f0:ae:61:f8:59:f9:c0:b8:dc:b4:8b:ca: + 2a:8a:45:21:bd:07:43:f1:35:da:cb:aa:a3:37:f3:80:73:29: + 
0c:2e:8d:6a:7d:7a:38:0f:6b:27:ba:85:bc:5a:2b:7e:84:ef: + a7:80:38:7c:c1:45:00:35:89:fc:eb:c1:f9:3e:01:53:7c:7e: + 2a:9d:0c:32:c3:f0:4a:16:bc:93:75:85:92:50:af:3e:a3:42: + d6:85:3a:16:c9:61:80:c1:61:8d:40:f6:14:15:dd:94:a1:71: + 3f:12:d9:82:fa:6f:b8:e0:ea:1f:bd:60:4d:ce:59:da:a6:e6: + ce:c1:0a:07:14:17:34:30:19:c3:f4:11:94:56:b6:7a:b9:22: + 21:87:d4:ca:b0:26:57:0d:d7:b3:e0:ce:4d:24:36:f2:10:bd: + 50:80:ae:fb:6e:43:d9:42:17:76:4d:cd:bb:a7:0b:22:ca:ba: + 3f:eb:d9:2a:93:f2:d7:f1:7a:18:b8:b5:32:3f:16:79:4d:d5: + 83:52:20:a4 +-----BEGIN CERTIFICATE----- +MIIDjDCCAnSgAwIBAgIMOvl7XqZpmQVrTDuWMA0GCSqGSIb3DQEBCwUAMDMxFTAT +BgNVBAMMDEpMaW50IFN1YiBDQTENMAsGA1UECgwETGludDELMAkGA1UEBhMCREUw +HhcNMjMwNzAxMTQ0ODIwWhcNMjQwNzAxMTU0ODIwWjBYMTowOAYDVQQDDDFlX2V4 +dF9jZXJ0X3BvbGljeV9kaXNhbGxvd2VkX2FueV9wb2xpY3lfcXVhbGlmaWVyMQ0w +CwYDVQQKDARMaW50MQswCQYDVQQGEwJERTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALrnEcX409hyyaLA67gFcccLr/Cm3lM8eBVOA/UNYvDpSJzVLDXG +hL0RU0Oqt1hYcDB88cOaNlQTfzgS9kBDZ5ecvo2kK5PcJK0A0kp+URN/vULjjA1e +8MuQU3DWhwjL6SZfT5Cb8vr04IwU3uoTwKqvl9fyFC7hhQA7ibhUP2HiPZpMeoNA +HaoecUAQs8M05unscIxAxacpQcvrBKGFeE2pEnNICdBe1k3d0KQcYTvoxNcCa7Qu +KIprGh9JtUFNAHst2WAe6T7z3fxbsmxMu6rnhi8eI3OO/iiiX8/dRV7am5upjOUR +UyZkoPyYStiNLmVhhgaAMKlu2A3k1JOIQu8CAwEAAaN7MHkwHwYDVR0jBBgwFoAU +xI/P/odJknFwTpO8wTQh7qCTZYQwHQYDVR0OBBYEFEbVgGxlcCgtYb5rvlQ4sGhO +syq3MDcGA1UdIAEB/wQtMCswKQYEVR0gADAhMB8GBCoDBAUWF2h0dHBzOi8vZXhh +bXBsZS5jb20vY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQAEhoMWMGuIABbXBxsIn72Z +Q6gZaEI/PhaV5dfUBCJgxm+3XbvYBNusQpRjo3J9yBOEWWuZ0AuNDMojS4HwrmH4 +WfnAuNy0i8oqikUhvQdD8TXay6qjN/OAcykMLo1qfXo4D2snuoW8Wit+hO+ngDh8 +wUUANYn868H5PgFTfH4qnQwyw/BKFryTdYWSUK8+o0LWhToWyWGAwWGNQPYUFd2U +oXE/EtmC+m+44OofvWBNzlnapubOwQoHFBc0MBnD9BGUVrZ6uSIhh9TKsCZXDdez +4M5NJDbyEL1QgK77bkPZQhd2Tc27pwsiyro/69kqk/LX8XoYuLUyPxZ5TdWDUiCk +-----END CERTIFICATE----- 
diff --git a/v3/testdata/withValidPoliciesRegardingAnyPolicy.pem b/v3/testdata/withValidPoliciesRegardingAnyPolicy.pem new file mode 100644 index 000000000..067d1d37c --- /dev/null +++ b/v3/testdata/withValidPoliciesRegardingAnyPolicy.pem 
@@ -0,0 +1,108 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 90:d6:6f:b9:81:d7:44:95:a0:8a:7d:b2 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = JLint Sub CA, O = Lint, C = DE + Validity + Not Before: Jul 1 14:48:21 2023 GMT + Not After : Jul 1 15:48:21 2024 GMT + Subject: CN = e_ext_cert_policy_disallowed_any_policy_qualifier, O = Lint, C = DE + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d0:bb:91:6a:82:b1:af:b7:a6:0a:5e:7a:21:e5: + 2f:4c:43:29:29:d9:f7:3c:c9:e4:14:05:75:50:e9: + 4c:e5:7c:9f:a5:51:37:ce:23:66:5c:d0:b7:f9:73: + bc:ff:00:15:8f:5c:d0:3c:dc:3b:3d:16:c2:5b:e2: + bc:9b:5e:d6:bb:a2:01:73:2f:05:01:71:78:4b:8a: + 2c:15:d6:d2:e1:ad:af:69:17:b2:e7:3e:77:f6:89: + db:d6:30:e7:f4:1c:03:28:9c:97:2c:e0:f6:59:57: + 7e:6a:57:76:e3:76:35:38:87:b7:0b:00:8b:b7:35: + 9e:bd:94:c5:fc:84:68:b7:13:21:c3:95:a6:34:9f: + f6:5b:22:f5:f0:29:35:c7:7f:83:c3:16:8d:8a:8a: + fb:9f:78:95:4d:0e:38:3a:e8:e8:91:6c:1e:95:da: + 56:4a:7e:11:f7:7a:1c:7f:d3:75:00:68:42:bd:07: + 4b:79:5a:42:d3:bb:1d:de:e8:aa:b9:10:d1:99:eb: + d1:c8:e4:35:39:de:f2:48:21:39:81:0b:3d:33:40: + 0d:10:17:2b:96:8a:4a:c0:c3:89:70:23:a2:14:33: + 85:e4:25:5a:2d:cb:ef:9c:af:ba:cd:a2:08:e6:55: + 9e:89:4e:1b:f8:84:d5:d4:14:da:3e:81:a3:10:2c: + 6c:13 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:C4:8F:CF:FE:87:49:92:71:70:4E:93:BC:C1:34:21:EE:A0:93:65:84 + + X509v3 Subject Key Identifier: + 2A:84:5B:84:E0:ED:59:9D:F9:86:6A:DB:AD:87:6D:1E:FB:70:5A:F5 + X509v3 Certificate Policies: critical + Policy: 1.2.3.4.5.6 + Unknown Qualifier: 1.3.2 + Unknown Qualifier: 1.3.2.4 + Unknown Qualifier: 1.3.2.4.5 + Policy: X509v3 Any Policy + CPS: https://example.com/cps + User Notice: + Explicit Text: zlint + User Notice: + Organization: zlint + Numbers: 1, 2 + Explicit Text: zlint + Policy: 2.9.8.7.6.5 + Policy: 1.9.8.7.6.5 + CPS: https://example.com/cps + User Notice: + User Notice: + Explicit Text: 
zlint + User Notice: + Organization: zlint + Numbers: 1, 2 + Explicit Text: zlint + + Signature Algorithm: sha256WithRSAEncryption + 65:0c:48:54:fe:59:07:49:41:46:87:85:de:bd:8a:26:ca:e1: + 38:5a:2b:21:d4:75:d2:01:86:2e:5c:e6:a6:6f:81:27:6e:0f: + 3d:7c:2b:ca:e0:24:a2:a2:84:a4:6d:05:ce:32:56:fc:5c:84: + 1d:7d:78:dd:73:bc:96:b3:10:a7:96:e6:4b:16:ea:14:b4:fc: + ee:f3:12:ef:9f:60:53:53:fa:20:93:3d:86:e3:f1:8a:32:4c: + 2c:4e:b0:51:04:6c:12:51:9f:26:e4:08:bc:fa:4e:61:d9:b7: + 01:f4:36:de:ce:4a:a3:4b:79:f4:1b:34:e7:f9:40:d9:33:34: + 23:de:99:6c:eb:08:0a:78:4d:cd:0b:27:e0:17:94:23:88:11: + c0:10:d1:82:c6:df:bf:20:96:b2:e4:2a:79:90:3a:be:f2:70: + e6:f3:d6:2b:ce:26:56:59:55:e0:27:04:56:1d:38:48:bc:a4: + 21:a4:f7:0a:ca:26:68:fc:6b:d5:fd:47:a3:9a:f6:67:e7:8b: + 08:c5:f1:09:e7:c3:61:f1:dd:15:04:75:72:ae:47:5c:a9:ac: + 84:c3:c0:bb:de:fb:7f:06:a3:02:c9:02:bd:41:7f:08:e7:df: + 4a:1f:c5:78:f1:ec:55:04:df:54:6c:a1:b9:bc:40:06:aa:84: + 57:67:6d:61 +-----BEGIN CERTIFICATE----- +MIIEwzCCA6ugAwIBAgINAJDWb7mB10SVoIp9sjANBgkqhkiG9w0BAQsFADAzMRUw +EwYDVQQDDAxKTGludCBTdWIgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRF +MB4XDTIzMDcwMTE0NDgyMVoXDTI0MDcwMTE1NDgyMVowWDE6MDgGA1UEAwwxZV9l +eHRfY2VydF9wb2xpY3lfZGlzYWxsb3dlZF9hbnlfcG9saWN5X3F1YWxpZmllcjEN +MAsGA1UECgwETGludDELMAkGA1UEBhMCREUwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDQu5FqgrGvt6YKXnoh5S9MQykp2fc8yeQUBXVQ6UzlfJ+lUTfO +I2Zc0Lf5c7z/ABWPXNA83Ds9FsJb4rybXta7ogFzLwUBcXhLiiwV1tLhra9pF7Ln +Pnf2idvWMOf0HAMonJcs4PZZV35qV3bjdjU4h7cLAIu3NZ69lMX8hGi3EyHDlaY0 +n/ZbIvXwKTXHf4PDFo2KivufeJVNDjg66OiRbB6V2lZKfhH3ehx/03UAaEK9B0t5 +WkLTux3e6Kq5ENGZ69HI5DU53vJIITmBCz0zQA0QFyuWikrAw4lwI6IUM4XkJVot +y++cr7rNogjmVZ6JThv4hNXUFNo+gaMQLGwTAgMBAAGjggGvMIIBqzAfBgNVHSME +GDAWgBTEj8/+h0mScXBOk7zBNCHuoJNlhDAdBgNVHQ4EFgQUKoRbhODtWZ35hmrb +rYdtHvtwWvUwggFnBgNVHSABAf8EggFbMIIBVzBpBgUqAwQFBjBgMB0GAisCFhdo +dHRwczovL2V4YW1wbGUuY29tL2NwczAeBgMrAgQWF2h0dHBzOi8vZXhhbXBsZS5j +b20vY3BzMB8GBCsCBAUWF2h0dHBzOi8vZXhhbXBsZS5jb20vY3BzMGgGBFUdIAAw 
+YDAjBggrBgEFBQcCARYXaHR0cHM6Ly9leGFtcGxlLmNvbS9jcHMwEwYIKwYBBQUH +AgIwBwwFemxpbnQwJAYIKwYBBQUHAgIwGDAPDAV6bGludDAGAgEBAgECDAV6bGlu +dDAHBgVZCAcGBTB3BgUxCAcGBTBuMCMGCCsGAQUFBwIBFhdodHRwczovL2V4YW1w +bGUuY29tL2NwczAMBggrBgEFBQcCAjAAMBMGCCsGAQUFBwICMAcMBXpsaW50MCQG +CCsGAQUFBwICMBgwDwwFemxpbnQwBgIBAQIBAgwFemxpbnQwDQYJKoZIhvcNAQEL +BQADggEBAGUMSFT+WQdJQUaHhd69iibK4ThaKyHUddIBhi5c5qZvgSduDz18K8rg +JKKihKRtBc4yVvxchB19eN1zvJazEKeW5ksW6hS0/O7zEu+fYFNT+iCTPYbj8Yoy +TCxOsFEEbBJRnybkCLz6TmHZtwH0Nt7OSqNLefQbNOf5QNkzNCPemWzrCAp4Tc0L +J+AXlCOIEcAQ0YLG378glrLkKnmQOr7ycObz1ivOJlZZVeAnBFYdOEi8pCGk9wrK +Jmj8a9X9R6Oa9mfniwjF8Qnnw2Hx3RUEdXKuR1yprITDwLve+38GowLJAr1Bfwjn +30ofxXjx7FUE31Rsobm8QAaqhFdnbWE= +-----END CERTIFICATE----- diff --git a/v3/testdata/withoutAnyPolicy.pem b/v3/testdata/withoutAnyPolicy.pem new file mode 100644 index 000000000..fdb900aa2 --- /dev/null +++ b/v3/testdata/withoutAnyPolicy.pem 
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 02:ab:5a:09:80:0d:91:82:4e:b2:d3:73 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = JLint Sub CA, O = Lint, C = DE + Validity + Not Before: Jul 1 14:48:19 2023 GMT + Not After : Jul 1 15:48:19 2024 GMT + Subject: CN = e_ext_cert_policy_disallowed_any_policy_qualifier, O = Lint, C = DE + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:cd:57:0a:b3:a5:c0:3d:65:87:fb:37:98:d6:ba: + 41:4c:32:43:c3:e5:46:74:09:50:6e:45:62:c7:32: + 0f:ec:27:ad:22:c2:90:e8:95:1b:f5:b3:6a:a9:e9: + 0e:c9:b5:9a:61:de:99:5d:4a:aa:53:a1:e7:a6:38: + fa:7b:02:c1:49:8f:dd:b0:89:0b:90:b2:75:c2:96: + be:69:c3:12:55:18:08:ae:82:ca:7d:6a:d0:88:33: + 52:22:d8:0e:cc:a2:37:f3:59:3f:01:9b:3f:4d:9f: + 6f:fe:38:d8:f1:9b:70:7e:46:34:f8:c4:ff:10:b4: + c7:2a:dc:28:84:5a:01:a2:fd:f3:a7:52:38:d6:f1: + d4:c1:24:c5:ef:a3:f7:0f:2c:bb:d5:56:ec:a5:c6: + 2a:6b:07:dc:e0:2f:ac:52:c8:86:36:17:cd:e9:6d: + fe:a4:7b:80:64:2c:70:61:82:21:f9:12:03:33:00: + ef:72:e5:97:cb:c1:5e:5d:6a:ba:2b:21:32:c3:0b: + da:9e:9e:20:a3:45:a7:c2:11:5a:af:11:dd:22:8b: + fc:58:c7:33:ad:de:3a:be:49:8e:7b:98:cc:9a:33: + 42:88:2c:63:b0:8d:67:45:0d:1e:9b:9c:3f:58:5d: + 8c:b5:da:44:a0:03:2a:05:af:5d:d8:53:e9:d9:86: + f3:33 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:C4:8F:CF:FE:87:49:92:71:70:4E:93:BC:C1:34:21:EE:A0:93:65:84 + + X509v3 Subject Key Identifier: + AA:89:35:E1:E1:C4:5B:8C:4A:E0:CF:EC:0E:9E:B6:63:A8:EB:8E:BC + X509v3 Certificate Policies: critical + Policy: 1.2.3.4.5 + + Signature Algorithm: sha256WithRSAEncryption + c5:1e:77:5f:5c:26:cc:5e:ea:03:8e:51:47:61:1b:5c:c8:2c: + 2a:3b:44:8d:a2:80:5e:34:e6:e5:7c:c1:6f:01:15:01:5f:ac: + 6d:b6:bb:74:af:33:ec:ad:2a:21:4c:ed:7f:ce:90:a4:21:5c: + 5e:27:68:de:ca:c7:90:cc:fd:b2:62:25:d3:a8:b5:fb:0b:d9: + 8a:f9:d2:df:59:23:48:56:19:08:45:21:b8:e4:65:9e:d1:5b: + 
74:9c:38:48:f1:b0:90:3a:6a:77:58:97:50:44:d3:76:55:b1: + ac:72:8a:cb:a0:10:0f:ea:da:91:68:5c:77:8f:4b:7d:94:1b: + b8:25:03:6e:ea:35:0e:e2:86:81:e4:42:36:d3:4d:d6:b3:38: + eb:8c:05:94:4d:a5:62:08:6e:75:7f:f6:07:58:e0:7c:14:0a: + e7:ba:39:87:6b:08:9a:99:42:b4:ab:1c:7c:86:41:0e:01:28: + 0c:f8:e3:1d:b8:8d:2e:6e:a4:82:ed:5d:3e:9c:17:4e:8d:d6: + 9b:b9:84:25:43:78:13:f8:c5:04:e4:d5:93:a4:10:bd:72:d9: + 5a:bd:3b:85:fe:eb:b1:65:09:b5:e8:89:41:8d:b4:f4:32:ee: + 8f:5f:5a:53:dc:d3:31:37:af:6b:a2:6f:a9:18:b5:d3:e6:8c: + 26:e8:8b:1c +-----BEGIN CERTIFICATE----- +MIIDaTCCAlGgAwIBAgIMAqtaCYANkYJOstNzMA0GCSqGSIb3DQEBCwUAMDMxFTAT +BgNVBAMMDEpMaW50IFN1YiBDQTENMAsGA1UECgwETGludDELMAkGA1UEBhMCREUw +HhcNMjMwNzAxMTQ0ODE5WhcNMjQwNzAxMTU0ODE5WjBYMTowOAYDVQQDDDFlX2V4 +dF9jZXJ0X3BvbGljeV9kaXNhbGxvd2VkX2FueV9wb2xpY3lfcXVhbGlmaWVyMQ0w +CwYDVQQKDARMaW50MQswCQYDVQQGEwJERTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAM1XCrOlwD1lh/s3mNa6QUwyQ8PlRnQJUG5FYscyD+wnrSLCkOiV +G/WzaqnpDsm1mmHemV1KqlOh56Y4+nsCwUmP3bCJC5CydcKWvmnDElUYCK6Cyn1q +0IgzUiLYDsyiN/NZPwGbP02fb/442PGbcH5GNPjE/xC0xyrcKIRaAaL986dSONbx +1MEkxe+j9w8su9VW7KXGKmsH3OAvrFLIhjYXzelt/qR7gGQscGGCIfkSAzMA73Ll +l8vBXl1quishMsML2p6eIKNFp8IRWq8R3SKL/FjHM63eOr5JjnuYzJozQogsY7CN +Z0UNHpucP1hdjLXaRKADKgWvXdhT6dmG8zMCAwEAAaNYMFYwHwYDVR0jBBgwFoAU +xI/P/odJknFwTpO8wTQh7qCTZYQwHQYDVR0OBBYEFKqJNeHhxFuMSuDP7A6etmOo +6468MBQGA1UdIAEB/wQKMAgwBgYEKgMEBTANBgkqhkiG9w0BAQsFAAOCAQEAxR53 +X1wmzF7qA45RR2EbXMgsKjtEjaKAXjTm5XzBbwEVAV+sbba7dK8z7K0qIUztf86Q +pCFcXido3srHkMz9smIl06i1+wvZivnS31kjSFYZCEUhuORlntFbdJw4SPGwkDpq +d1iXUETTdlWxrHKKy6AQD+rakWhcd49LfZQbuCUDbuo1DuKGgeRCNtNN1rM464wF +lE2lYghudX/2B1jgfBQK57o5h2sImplCtKscfIZBDgEoDPjjHbiNLm6kgu1dPpwX +To3Wm7mEJUN4E/jFBOTVk6QQvXLZWr07hf7rsWUJteiJQY209DLuj19aU9zTMTev +a6JvqRi10+aMJuiLHA== +-----END CERTIFICATE-----