From 0d4a7d55a313081f764c0b74c528ea374c066b26 Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Fri, 8 Mar 2024 16:07:57 +0100
Subject: [PATCH 01/29] Add files via upload
---
 v3/util/time.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/v3/util/time.go b/v3/util/time.go
index cd740a951..b702449ce 100644
--- a/v3/util/time.go
+++ b/v3/util/time.go
@@ -74,6 +74,7 @@ var (
 AppleReducedLifetimeDate = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)
 CABFBRs_1_7_9_Date = time.Date(2021, time.August, 16, 0, 0, 0, 0, time.UTC)
 CABFBRs_1_8_0_Date = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_0_Date = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
 NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC)
 CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
 CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC)
From 9ae17603010a88b7638f3d69c646eb34aaf5ee05 Mon Sep 17 00:00:00 2001
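Review bot: The added `CABFBRs_2_0_0_Date` line in v3/util/time.go has no comment saying which event 15 September 2023 marks, and any lint gated on this constant will not apply to certificates issued before that instant, so the choice of date decides what gets checked. If the value is meant to be the date the BRs 2.0.0 profile requirements became effective rather than the date the document was published, say so next to it, for example `// CABFBRs_2_0_0_Date is the effective date of the BRs 2.0.0 certificate profile requirements, not the publication date.` The visible neighbours are in chronological order (2021-08-25, then 2021-10-01, 2022-09-01, 2023-09-01), and the new entry breaks that; if the block is meant to stay date-sorted it belongs after `CABF_SMIME_BRs_1_0_0_Date`. The `var (` block starts and ends outside this hunk, so the ordering convention should be confirmed against the full file.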
From: Adriano Santoni
Date: Fri, 8 Mar 2024 16:09:09 +0100
Subject: [PATCH 02/29] Add files via upload
---
 v3/testdata/subject_rdn_order_ko_01.pem | 92 ++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_02.pem | 92 ++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_03.pem | 93 ++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_04.pem | 93 ++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_05.pem | 92 ++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_06.pem | 95 +++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_07.pem | 91 +++++++++++++++++++++++
 7 files changed, 648 insertions(+)
 create mode 100644 v3/testdata/subject_rdn_order_ko_01.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_02.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_03.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_04.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_05.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_06.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_07.pem
diff --git a/v3/testdata/subject_rdn_order_ko_01.pem b/v3/testdata/subject_rdn_order_ko_01.pem
new file mode 100644
index 000000000..e717ccf24
--- /dev/null
+++ b/v3/testdata/subject_rdn_order_ko_01.pem
@@ -0,0 +1,92 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9092871303437831039 (0x7e305e463dc14b7f) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 10:10:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, CN = example.org, O = Example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 6f:1f:bd:b4:2c:a6:67:95:07:73:cb:79:1a:a5:99:e1:c8:f6: + 73:6e:53:0e:15:a1:c3:3e:07:a8:0f:6b:31:09:89:f6:d1:2b: + 42:aa:f8:62:4e:0d:dc:fc:03:f3:de:8e:e3:bf:c8:3c:b0:69: + f6:23:11:01:fa:aa:9c:c8:24:4e:f0:7a:86:d9:dc:79:b7:96: + ec:f5:70:6e:f0:73:7c:3f:56:5b:a7:48:d8:da:bb:bc:2c:ba: + dc:c0:c1:f5:1b:76:5d:1a:1d:ad:e6:f2:22:50:3f:06:fa:06: + f9:ec:6c:05:a2:5f:22:62:ef:80:de:20:48:31:7f:90:c0:9b: + f6:1b:d8:4e:36:55:03:fb:c6:d2:bf:bd:d5:2c:55:37:f0:75: + 
2f:e7:96:43:29:ea:01:f7:89:75:72:ef:af:f8:31:a6:9c:3a: + 13:68:77:54:7d:75:05:fe:d6:b2:33:9b:d1:07:24:9d:8f:20: + 34:7a:19:ed:ae:94:47:3d:65:42:3d:ba:87:0d:61:ce:aa:57: + 0e:c5:bc:da:8b:9e:23:42:d2:76:fb:4f:c6:7f:62:66:b2:38: + 67:2c:3f:32:4b:2f:0a:78:51:ae:8c:8f:4f:49:72:6e:c7:78: + 65:d5:8b:e3:da:2a:55:35:b4:31:71:4c:9c:48:a0:74:ca:4e: + a2:c6:12:a3:96:fb:dd:08:49:82:0b:2e:30:18:91:3c:e2:d2: + e5:22:8f:b3:f6:d6:11:88:b6:df:ba:3b:88:49:3d:92:c6:d0: + d2:b2:0c:2b:4d:60:3f:47:a0:a9:82:4b:c8:13:09:f3:f2:71: + 2b:d6:7d:cf:67:5c:a8:2c:0e:3f:a9:e8:a6:8b:17:41:9f:77: + a9:04:5c:65:a8:4d:40:17:6c:ef:07:ef:a1:4f:fa:2e:78:f5: + 64:71:44:9d:b6:b0:26:e7:20:1e:06:e1:7c:24:a4:5b:2d:4e: + 80:ee:69:27:1e:6e:4a:e1:33:be:8d:06:8c:14:61:50:98:7f: + 5e:d8:d2:58:37:21:8a:46:6a:0c:70:4f:22:4a:05:75:9e:00: + 72:e0:74:f4:f1:86:6f:3e:fa:88:0b:35:34:89:bb:53:80:b0: + 29:d7:af:5c:8c:9d:7a:a3:8e:04:c2:4c:22:7a:3d:ff:c9:50: + 24:8a:3a:19:62:9c:46:97:b6:aa:75:0a:d3:d5:88:eb:1a:ce: + df:fc:b8:89:f0:6c:a6:a7:7d:1c:72:49:6c:cf:5e:8b:32:f6: + e1:27:95:39:94:7c:6a:e2:9c:14:04:26:0f:45:6e:81:a2:fd: + 39:45:3c:1f:9b:ff:1b:ff:71:1a:d4:12:10:57:71:bb:ab:f4: + 5f:35:82:63:fb:59:b8:10 +-----BEGIN CERTIFICATE----- +MIIEbDCCAlSgAwIBAgIIfjBeRj3BS38wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTAxMDAwWhcNMjUwMzA4MDg1 +MDAwWjBXMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xFDASBgNVBAMTC2V4YW1wbGUub3JnMRAwDgYDVQQKEwdFeGFtcGxlMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvK4wDWo5DAIU9pjCl27D4qMn ++OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpnouhEBZ38UILMkT3vItOvg6qQ22mJ +1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZebvmJtPLRPohW9XjiZtvlvH8OlvE +DFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1Ec9r1YM4eVOmxHX9MrCwj85FZEt/5 +B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfEW/fqsr6QPZoT835Rx24+uz9DnMeq +4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaSlW6SqxkzBtitTaEeOU1EgDzpIwID 
+AQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA +bx+9tCymZ5UHc8t5GqWZ4cj2c25TDhWhwz4HqA9rMQmJ9tErQqr4Yk4N3PwD896O +47/IPLBp9iMRAfqqnMgkTvB6htncebeW7PVwbvBzfD9WW6dI2Nq7vCy63MDB9Rt2 +XRodrebyIlA/BvoG+exsBaJfImLvgN4gSDF/kMCb9hvYTjZVA/vG0r+91SxVN/B1 +L+eWQynqAfeJdXLvr/gxppw6E2h3VH11Bf7WsjOb0QcknY8gNHoZ7a6URz1lQj26 +hw1hzqpXDsW82oueI0LSdvtPxn9iZrI4Zyw/MksvCnhRroyPT0lybsd4ZdWL49oq +VTW0MXFMnEigdMpOosYSo5b73QhJggsuMBiRPOLS5SKPs/bWEYi237o7iEk9ksbQ +0rIMK01gP0egqYJLyBMJ8/JxK9Z9z2dcqCwOP6noposXQZ93qQRcZahNQBds7wfv +oU/6Lnj1ZHFEnbawJucgHgbhfCSkWy1OgO5pJx5uSuEzvo0GjBRhUJh/XtjSWDch +ikZqDHBPIkoFdZ4AcuB09PGGbz76iAs1NIm7U4CwKdevXIydeqOOBMJMIno9/8lQ +JIo6GWKcRpe2qnUK09WI6xrO3/y4ifBspqd9HHJJbM9eizL24SeVOZR8auKcFAQm +D0VugaL9OUU8H5v/G/9xGtQSEFdxu6v0XzWCY/tZuBA= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_02.pem b/v3/testdata/subject_rdn_order_ko_02.pem new file mode 100644 index 000000000..f508b42a4 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_02.pem 
@@ -0,0 +1,92 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 766384265038364412 (0xaa2be6db70f7efc) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 13:59:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: CN = example.org, O = Example, L = Milano, ST = Milano, C = IT + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 0a:eb:9d:c0:96:17:e6:9b:d4:49:91:07:f4:30:3f:f4:89:49: + d0:85:e3:45:94:13:2d:d7:e6:fd:9b:1c:76:9f:80:d6:2b:98: + de:46:f5:bd:a4:95:06:d5:4d:45:f2:1a:b2:a8:ec:9f:d5:77: + 8a:70:af:d9:3f:e4:77:f0:ae:d9:de:6d:86:68:5b:1d:1e:a6: + f4:2e:f0:a9:c9:a8:a6:cf:f6:03:d2:c5:d1:87:a1:d0:77:1c: + 93:9d:f3:22:90:00:16:83:9f:8d:ac:fb:f1:17:45:12:f3:28: + f0:6a:d3:67:d7:7c:6b:13:18:98:3b:13:31:c1:83:c5:63:9b: + 4d:19:cd:bb:da:32:89:e4:c8:b3:60:bf:0c:86:58:8e:51:04: + 
c9:4d:fa:f6:02:9b:2a:8a:d3:bc:26:92:24:84:1e:36:37:f0: + 27:78:6b:48:8a:18:07:95:6c:99:00:37:b3:37:46:e2:f4:01: + f9:b5:f9:76:a2:78:d4:2e:44:71:ba:36:87:b4:19:43:7d:ce: + a2:bd:b9:69:f8:ea:56:c0:e2:d6:55:89:c6:80:3c:0a:bb:1f: + 5e:3d:9a:bd:f1:f8:b9:92:84:6e:22:da:d2:a8:01:17:33:1c: + 44:a6:0d:22:20:e1:f7:5e:42:60:06:9e:dc:5a:3b:3e:63:b8: + d8:db:0a:e8:bf:32:ca:bb:34:fd:d2:a5:27:89:af:46:af:2d: + 5b:e4:4c:f5:c6:e2:d1:a1:60:4f:e6:50:63:4f:9d:87:c2:e4: + 65:6d:4c:15:fa:60:84:c8:d5:f1:47:60:48:9a:e7:dc:70:1c: + 67:78:b4:e2:3d:3d:0b:7f:3f:33:32:dd:0a:dc:97:30:c0:d9: + 5b:0f:7c:a5:c7:70:23:64:b5:7c:0c:ba:67:67:71:b9:28:53: + 28:08:c6:1a:ae:d1:69:4f:aa:39:78:57:fd:02:50:de:de:73: + a9:51:f0:d2:4b:e9:9e:20:fd:96:55:70:37:5c:55:11:c1:a8: + 2b:1a:c1:4e:30:f5:b0:7d:09:3b:2b:4b:e6:73:d0:ca:d2:80: + 01:bd:57:81:e0:6b:4b:04:27:a8:fe:27:cb:d0:37:2b:78:1d: + c6:71:f1:ec:0e:b1:ac:db:d5:bb:d0:e2:94:84:04:a0:23:d0: + 2e:29:49:77:92:36:d1:8b:d2:aa:02:af:ca:8b:f4:0c:54:fa: + b3:56:90:a8:2a:54:ad:b2:2f:c5:8d:2c:7d:c5:55:99:d7:51: + c8:6d:a4:60:60:79:3f:f1:56:06:1b:a8:71:0d:8b:5f:b7:f7: + be:81:19:15:67:3d:c8:4b:8d:d0:90:2a:d6:d1:a4:c0:d8:9a: + 79:b9:1a:1b:92:40:ab:7c +-----BEGIN CERTIFICATE----- +MIIEbDCCAlSgAwIBAgIICqK+bbcPfvwwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTM1OTAwWhcNMjUwMzA4MDg1 +MDAwWjBXMRQwEgYDVQQDEwtleGFtcGxlLm9yZzEQMA4GA1UEChMHRXhhbXBsZTEP +MA0GA1UEBxMGTWlsYW5vMQ8wDQYDVQQIEwZNaWxhbm8xCzAJBgNVBAYTAklUMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwQqBYCHne6Psb+Tg/C9hR4hp +AVibo4mYC0IXR4eHsg4fdCIo5c+a0n8m208d6I0Z+s3m3UzA2jiT9r/o9J0fAMi/ +y/VPsPrDJM4vBDv6J92MO/dECYkWGQ6VCo3rDlQ/gcDnYrDZa1qJk3gI24wYPSSB +ay65/w1acSS3Ux/CllfNSZi2ITVHa4MZLalL4heivR6rFk/UmpsB2OG/1Sd18gl4 +YxskXi3+ZvoylmBRnEYOC6roVyLUFjgRltD+Y1bx6H7rmXXOS9Li+XEmYjEqA120 +1AT7M5803qE5hc9I0KEW1ZXHIDi6JNnemDEBCxy+brsWDfUGQieCSVcy82cCqwID 
+AQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA +CuudwJYX5pvUSZEH9DA/9IlJ0IXjRZQTLdfm/Zscdp+A1iuY3kb1vaSVBtVNRfIa +sqjsn9V3inCv2T/kd/Cu2d5thmhbHR6m9C7wqcmops/2A9LF0Yeh0Hcck53zIpAA +FoOfjaz78RdFEvMo8GrTZ9d8axMYmDsTMcGDxWObTRnNu9oyieTIs2C/DIZYjlEE +yU369gKbKorTvCaSJIQeNjfwJ3hrSIoYB5VsmQA3szdG4vQB+bX5dqJ41C5Ecbo2 +h7QZQ33Oor25afjqVsDi1lWJxoA8CrsfXj2avfH4uZKEbiLa0qgBFzMcRKYNIiDh +915CYAae3Fo7PmO42NsK6L8yyrs0/dKlJ4mvRq8tW+RM9cbi0aFgT+ZQY0+dh8Lk +ZW1MFfpghMjV8UdgSJrn3HAcZ3i04j09C38/MzLdCtyXMMDZWw98pcdwI2S1fAy6 +Z2dxuShTKAjGGq7RaU+qOXhX/QJQ3t5zqVHw0kvpniD9llVwN1xVEcGoKxrBTjD1 +sH0JOytL5nPQytKAAb1XgeBrSwQnqP4ny9A3K3gdxnHx7A6xrNvVu9DilIQEoCPQ +LilJd5I20YvSqgKvyov0DFT6s1aQqCpUrbIvxY0sfcVVmddRyG2kYGB5P/FWBhuo +cQ2LX7f3voEZFWc9yEuN0JAq1tGkwNiaebkaG5JAq3w= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_03.pem b/v3/testdata/subject_rdn_order_ko_03.pem new file mode 100644 index 000000000..12b9fd809 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_03.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3065546558357960659 (0x2a8b025a5558f7d3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 14:02:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, O = Example, CN = example.org, street = Via Carducci + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 09:82:cd:65:23:8d:a9:1c:b2:c2:10:a2:ee:44:4c:03:d4:e0: + 69:b3:bf:cc:43:10:d7:a7:6c:3a:cf:8d:9f:61:0c:38:8a:09: + b2:f0:73:41:2f:07:94:7a:d3:38:ba:75:d7:4c:63:a8:2d:48: + c5:56:80:d7:3c:62:ba:c5:15:43:cd:de:60:33:2b:42:0b:e2: + 7c:65:f6:d9:ae:0b:9a:0b:54:c0:5a:1c:9b:95:91:17:6d:e9: + c5:7d:cc:52:47:35:65:16:10:45:81:58:45:3e:bf:35:15:b4: + 30:d2:ba:6a:75:3e:68:9c:2e:d5:aa:2c:07:ea:ae:71:74:78: + 63:63:3d:9f:15:08:5a:0f:80:cf:7a:f1:cc:ba:48:d5:a1:f7: 
+ da:b8:c0:1c:c3:7c:94:fc:fd:d7:5b:56:ec:5a:a8:33:23:6a: + 18:74:d0:9a:a4:91:6e:3d:53:d0:ff:d3:a2:81:c2:74:50:44: + 4a:57:92:cd:8e:4b:d4:b0:08:22:9e:20:13:b0:0b:eb:9c:ce: + c2:b7:e9:d6:28:c6:d2:ea:29:3e:2f:7f:b1:02:16:7f:74:b3: + 4a:09:88:b9:ef:ce:74:60:18:cd:7b:37:03:07:45:d6:63:2d: + af:d2:df:80:b5:00:af:27:d0:f2:18:2b:b1:8a:68:ec:7e:f9: + 0e:cf:f1:4e:e0:89:03:1b:be:36:d4:a0:a7:f5:f3:76:b8:10: + 92:99:5c:00:08:85:c2:68:9c:47:5d:5a:f1:fa:29:ee:29:df: + 44:9a:bb:97:1d:cf:89:80:c2:4b:b0:39:68:07:48:e2:51:23: + 2e:d7:4b:49:5e:11:ad:60:c4:e3:1b:08:2e:01:7e:85:d0:76: + a3:5e:09:92:0f:0c:a0:9f:e5:d4:75:9e:f8:a6:f3:ac:43:6d: + 26:ca:29:5d:3a:e3:b1:33:2d:60:9b:a7:ea:d8:62:43:11:38: + c9:0b:f9:c1:ae:fb:c2:37:2a:65:62:21:6f:ba:49:33:98:5a: + c0:a0:8a:16:16:e6:56:29:e6:e8:f7:54:f5:68:48:aa:66:e0: + 90:17:42:ac:64:77:09:39:d7:e1:ba:c8:e3:9d:89:76:d3:bb: + ea:f7:64:23:8c:7e:24:ff:0d:7a:0e:49:5d:b9:1f:26:92:5f: + 64:a3:e5:07:40:27:f3:2b:6a:e8:4b:7c:95:7b:3e:9d:42:db: + 8d:03:04:f5:ab:1a:8d:13:93:fb:92:80:e0:1f:c2:49:70:22: + 25:b9:6f:bb:b7:49:6c:6c:05:59:6d:db:81:91:14:1d:92:9b: + 73:50:a6:80:3e:dd:a8:13:fe:df:3c:a3:92:fd:d4:95:ed:f6: + 57:84:a0:7f:1d:1f:05:13 +-----BEGIN CERTIFICATE----- +MIIEgzCCAmugAwIBAgIIKosCWlVY99MwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTQwMjAwWhcNMjUwMzA4MDg1 +MDAwWjBuMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xEDAOBgNVBAoTB0V4YW1wbGUxFDASBgNVBAMTC2V4YW1wbGUub3JnMRUw +EwYDVQQJEwxWaWEgQ2FyZHVjY2kwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDBCoFgIed7o+xv5OD8L2FHiGkBWJujiZgLQhdHh4eyDh90Iijlz5rSfybb +Tx3ojRn6zebdTMDaOJP2v+j0nR8AyL/L9U+w+sMkzi8EO/on3Yw790QJiRYZDpUK +jesOVD+BwOdisNlrWomTeAjbjBg9JIFrLrn/DVpxJLdTH8KWV81JmLYhNUdrgxkt +qUviF6K9HqsWT9SamwHY4b/VJ3XyCXhjGyReLf5m+jKWYFGcRg4LquhXItQWOBGW +0P5jVvHofuuZdc5L0uL5cSZiMSoDXbTUBPsznzTeoTmFz0jQoRbVlccgOLok2d6Y 
+MQELHL5uuxYN9QZCJ4JJVzLzZwKrAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUF +BwMBMA0GCSqGSIb3DQEBCwUAA4ICAQAJgs1lI42pHLLCEKLuREwD1OBps7/MQxDX +p2w6z42fYQw4igmy8HNBLweUetM4unXXTGOoLUjFVoDXPGK6xRVDzd5gMytCC+J8 +ZfbZrguaC1TAWhyblZEXbenFfcxSRzVlFhBFgVhFPr81FbQw0rpqdT5onC7VqiwH +6q5xdHhjYz2fFQhaD4DPevHMukjVoffauMAcw3yU/P3XW1bsWqgzI2oYdNCapJFu +PVPQ/9OigcJ0UERKV5LNjkvUsAginiATsAvrnM7Ct+nWKMbS6ik+L3+xAhZ/dLNK +CYi57850YBjNezcDB0XWYy2v0t+AtQCvJ9DyGCuximjsfvkOz/FO4IkDG7421KCn +9fN2uBCSmVwACIXCaJxHXVrx+inuKd9EmruXHc+JgMJLsDloB0jiUSMu10tJXhGt +YMTjGwguAX6F0HajXgmSDwygn+XUdZ74pvOsQ20myildOuOxMy1gm6fq2GJDETjJ +C/nBrvvCNyplYiFvukkzmFrAoIoWFuZWKebo91T1aEiqZuCQF0KsZHcJOdfhusjj +nYl207vq92QjjH4k/w16DklduR8mkl9ko+UHQCfzK2roS3yVez6dQtuNAwT1qxqN +E5P7koDgH8JJcCIluW+7t0lsbAVZbduBkRQdkptzUKaAPt2oE/7fPKOS/dSV7fZX +hKB/HR8FEw== +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_04.pem b/v3/testdata/subject_rdn_order_ko_04.pem new file mode 100644 index 000000000..1ea0791fc --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_04.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3792628805646187502 (0x34a21fcdf5747bee) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 14:05:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, O = Example, CN = example.org, DC = org, DC = example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 5a:12:f1:b2:6e:5f:cc:89:31:18:08:57:82:40:eb:4a:1f:41: + 5c:ef:7d:9d:d8:3f:eb:1f:7f:49:17:cf:9e:4b:69:76:85:6d: + 28:af:1b:09:c8:e0:98:3d:41:36:7a:24:e3:e9:39:8d:e3:c6: + 7c:c2:03:f8:81:1a:c8:7c:de:4f:94:c1:4c:8c:8d:0b:63:d7: + 09:d7:87:74:b2:a3:3d:8c:15:f3:a9:0e:3b:45:5e:21:01:84: + d5:ca:b9:39:0d:9b:fb:e8:52:3b:6d:ed:6d:6d:33:d5:08:ff: + 6c:cc:4f:43:81:f0:46:cb:b0:84:80:5c:e4:67:9b:ee:a7:f4: + 9c:94:19:13:3e:cd:8a:8d:7c:45:79:cc:bf:55:86:48:3a:d3: 
+ 51:f3:92:d1:ec:91:40:bf:57:7b:84:1d:20:b5:3f:a8:39:a0: + a3:67:66:12:4a:c2:eb:d2:74:33:10:2b:82:fb:ea:61:68:33: + 42:a9:27:c2:ca:ce:6b:cc:d3:57:f8:27:66:26:a7:18:ff:6c: + 63:93:a2:a3:f8:ca:55:b6:06:65:f2:db:c9:8b:41:0c:bc:3f: + ca:b8:b7:3a:d6:a2:e5:9e:08:17:33:c8:bd:85:e2:2f:71:60: + 30:9c:79:ec:90:4c:c8:ef:73:49:a3:6b:56:8d:25:c1:4a:2f: + c5:ef:03:43:cd:fe:cb:9f:cb:b9:73:06:33:45:81:ab:85:da: + a5:5b:9f:9f:9e:60:6a:98:95:71:c1:27:06:ed:c4:d5:dd:ca: + 42:f2:12:cb:bb:c6:eb:ec:2b:ad:15:5a:91:cb:fd:d2:f1:f6: + ef:a4:00:86:c1:96:1b:59:58:6f:83:e1:3b:3a:2e:f0:d2:b4: + 8d:55:5a:82:4e:9a:8b:62:ed:a6:99:97:a3:aa:b6:ad:08:45: + 01:04:2c:1e:ec:f3:5b:f8:9c:15:0e:24:b0:60:94:b4:2c:86: + 97:7a:42:18:f8:d9:25:d4:8b:b4:5c:87:a9:8d:13:82:c6:f5: + 68:94:39:ab:63:26:85:37:e5:ca:d0:be:de:79:6a:97:5e:35: + 08:9b:83:76:14:18:81:c3:e9:76:60:42:9a:f8:be:02:35:9f: + e1:f0:81:e9:2d:be:58:fa:29:c0:67:59:45:f6:7f:a0:49:0c: + 93:37:48:aa:08:cf:6a:ca:c7:d4:58:25:c9:4d:01:cc:19:65: + 4c:de:52:e9:2b:2a:8c:94:0c:1c:f0:67:f0:9f:75:c0:32:b7: + d7:9c:e4:f9:99:a0:8a:0e:8a:6c:ff:4c:74:18:6c:43:40:3c: + f9:1a:94:76:a0:25:c3:1b:71:7b:36:64:8f:44:97:08:52:fe: + c5:2c:a6:64:d2:1e:00:ec +-----BEGIN CERTIFICATE----- +MIIEmzCCAoOgAwIBAgIINKIfzfV0e+4wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTQwNTAwWhcNMjUwMzA4MDg1 +MDAwWjCBhTELMAkGA1UEBhMCSVQxDzANBgNVBAgTBk1pbGFubzEPMA0GA1UEBxMG +TWlsYW5vMRAwDgYDVQQKEwdFeGFtcGxlMRQwEgYDVQQDEwtleGFtcGxlLm9yZzET +MBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBCoFgIed7o+xv5OD8L2FHiGkB +WJujiZgLQhdHh4eyDh90Iijlz5rSfybbTx3ojRn6zebdTMDaOJP2v+j0nR8AyL/L +9U+w+sMkzi8EO/on3Yw790QJiRYZDpUKjesOVD+BwOdisNlrWomTeAjbjBg9JIFr +Lrn/DVpxJLdTH8KWV81JmLYhNUdrgxktqUviF6K9HqsWT9SamwHY4b/VJ3XyCXhj +GyReLf5m+jKWYFGcRg4LquhXItQWOBGW0P5jVvHofuuZdc5L0uL5cSZiMSoDXbTU 
+BPsznzTeoTmFz0jQoRbVlccgOLok2d6YMQELHL5uuxYN9QZCJ4JJVzLzZwKrAgMB +AAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQBa +EvGybl/MiTEYCFeCQOtKH0Fc732d2D/rH39JF8+eS2l2hW0orxsJyOCYPUE2eiTj +6TmN48Z8wgP4gRrIfN5PlMFMjI0LY9cJ14d0sqM9jBXzqQ47RV4hAYTVyrk5DZv7 +6FI7be1tbTPVCP9szE9DgfBGy7CEgFzkZ5vup/SclBkTPs2KjXxFecy/VYZIOtNR +85LR7JFAv1d7hB0gtT+oOaCjZ2YSSsLr0nQzECuC++phaDNCqSfCys5rzNNX+Cdm +JqcY/2xjk6Kj+MpVtgZl8tvJi0EMvD/KuLc61qLlnggXM8i9heIvcWAwnHnskEzI +73NJo2tWjSXBSi/F7wNDzf7Ln8u5cwYzRYGrhdqlW5+fnmBqmJVxwScG7cTV3cpC +8hLLu8br7CutFVqRy/3S8fbvpACGwZYbWVhvg+E7Oi7w0rSNVVqCTpqLYu2mmZej +qratCEUBBCwe7PNb+JwVDiSwYJS0LIaXekIY+Nkl1Iu0XIepjROCxvVolDmrYyaF +N+XK0L7eeWqXXjUIm4N2FBiBw+l2YEKa+L4CNZ/h8IHpLb5Y+inAZ1lF9n+gSQyT +N0iqCM9qysfUWCXJTQHMGWVM3lLpKyqMlAwc8Gfwn3XAMrfXnOT5maCKDops/0x0 +GGxDQDz5GpR2oCXDG3F7NmSPRJcIUv7FLKZk0h4A7A== +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_05.pem b/v3/testdata/subject_rdn_order_ko_05.pem new file mode 100644 index 000000000..728f80bce --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_05.pem 
@@ -0,0 +1,92 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3989736575603356219 (0x375e6446e838b23b) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 14:07:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, GN = Flash, SN = Gordon, CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 89:58:5c:be:7f:1e:6f:91:36:9c:cd:ec:e0:c2:5d:89:62:9a: + 74:37:de:b1:ba:12:7e:86:bb:33:0f:b9:78:fb:f1:b2:fd:bf: + 54:4f:f2:7c:ac:92:e8:5f:26:e9:fe:18:51:86:12:c9:d5:1e: + 81:4c:1b:16:f5:e2:b9:f5:5d:7e:82:0f:bd:f0:ec:07:8c:81: + 92:ab:81:a4:5e:37:cb:f1:a4:b7:d5:de:14:9d:d2:62:76:b5: + e7:58:4f:70:8e:dc:61:10:9b:be:f3:56:3b:77:12:87:08:c7: + 75:f3:45:17:74:2a:23:16:f4:4e:20:65:60:60:45:04:b2:45: + 3c:8d:65:d8:b6:f8:85:8f:cc:d0:3f:73:21:98:a5:27:87:b4: + 
d5:69:51:4b:86:88:c1:a0:86:dc:e6:0b:6a:e1:6a:02:30:ef: + 5b:b6:73:74:a7:f2:ec:92:d2:e2:60:f0:fd:cc:af:ae:8a:fd: + fa:2e:91:85:99:69:b2:6f:b1:84:f3:c2:dd:fb:1d:30:e8:c7: + bc:d4:10:c9:ff:be:38:95:c4:13:c4:22:50:5f:99:3c:2f:78: + cf:c7:6f:4c:99:20:dc:4a:d1:e7:8b:ec:ab:08:b8:0c:14:5e: + 42:27:06:86:17:6c:41:53:d2:38:30:17:49:3d:22:3e:25:1c: + d5:94:5d:aa:eb:01:6b:9e:9c:fc:8a:a9:7b:f4:56:8e:a8:2c: + bc:2c:19:ce:1b:f6:4e:88:ec:1e:62:1e:ab:cb:53:ab:38:02: + f7:ee:33:fa:c2:a3:80:97:57:88:7b:fb:6c:6d:7f:de:93:42: + 27:b1:91:73:2c:3f:f6:44:41:2c:d9:44:55:9d:3f:57:1c:6c: + 83:89:8d:74:77:c1:81:f4:1d:69:ff:e9:38:b9:fa:fe:e6:ec: + 38:a3:52:1d:df:ff:bd:f3:80:fd:e7:52:84:2c:f7:6c:42:54: + c0:a6:24:13:90:95:8d:91:11:40:6d:b9:1e:f6:04:fa:ab:58: + 41:2b:26:e3:bd:88:30:4e:82:d0:6f:a2:91:ff:05:58:08:9d: + 02:d0:cd:c5:94:16:ed:75:3c:3c:e0:0b:02:af:e7:ff:9a:71: + 5b:2e:df:dc:e7:24:14:c5:91:70:d0:de:b9:52:89:44:9b:8f: + 29:10:c6:eb:86:29:66:e3:12:62:96:f1:0c:b3:1a:71:68:73: + 91:77:83:1c:d1:64:47:9c:13:ca:ef:84:1e:04:23:82:25:12: + b6:54:a1:c4:a8:3d:37:e4:f6:b3:e5:e3:c3:1d:6e:5d:a6:73: + 36:8d:aa:82:2c:35:6a:69:99:ea:24:7b:f2:e5:ce:2b:8f:5a: + a1:c2:ce:d6:d4:dc:0f:06 +-----BEGIN CERTIFICATE----- +MIIEezCCAmOgAwIBAgIIN15kRug4sjswDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTQwNzAwWhcNMjUwMzA4MDg1 +MDAwWjBmMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xDjAMBgNVBCoTBUZsYXNoMQ8wDQYDVQQEEwZHb3Jkb24xFDASBgNVBAMT +C2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwQqB +YCHne6Psb+Tg/C9hR4hpAVibo4mYC0IXR4eHsg4fdCIo5c+a0n8m208d6I0Z+s3m +3UzA2jiT9r/o9J0fAMi/y/VPsPrDJM4vBDv6J92MO/dECYkWGQ6VCo3rDlQ/gcDn +YrDZa1qJk3gI24wYPSSBay65/w1acSS3Ux/CllfNSZi2ITVHa4MZLalL4heivR6r +Fk/UmpsB2OG/1Sd18gl4YxskXi3+ZvoylmBRnEYOC6roVyLUFjgRltD+Y1bx6H7r +mXXOS9Li+XEmYjEqA1201AT7M5803qE5hc9I0KEW1ZXHIDi6JNnemDEBCxy+brsW 
+DfUGQieCSVcy82cCqwIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkq +hkiG9w0BAQsFAAOCAgEAiVhcvn8eb5E2nM3s4MJdiWKadDfesboSfoa7Mw+5ePvx +sv2/VE/yfKyS6F8m6f4YUYYSydUegUwbFvXiufVdfoIPvfDsB4yBkquBpF43y/Gk +t9XeFJ3SYna151hPcI7cYRCbvvNWO3cShwjHdfNFF3QqIxb0TiBlYGBFBLJFPI1l +2Lb4hY/M0D9zIZilJ4e01WlRS4aIwaCG3OYLauFqAjDvW7ZzdKfy7JLS4mDw/cyv +ror9+i6RhZlpsm+xhPPC3fsdMOjHvNQQyf++OJXEE8QiUF+ZPC94z8dvTJkg3ErR +54vsqwi4DBReQicGhhdsQVPSODAXST0iPiUc1ZRdqusBa56c/Iqpe/RWjqgsvCwZ +zhv2TojsHmIeq8tTqzgC9+4z+sKjgJdXiHv7bG1/3pNCJ7GRcyw/9kRBLNlEVZ0/ +Vxxsg4mNdHfBgfQdaf/pOLn6/ubsOKNSHd//vfOA/edShCz3bEJUwKYkE5CVjZER +QG25HvYE+qtYQSsm472IME6C0G+ikf8FWAidAtDNxZQW7XU8POALAq/n/5pxWy7f +3OckFMWRcNDeuVKJRJuPKRDG64YpZuMSYpbxDLMacWhzkXeDHNFkR5wTyu+EHgQj +giUStlShxKg9N+T2s+Xjwx1uXaZzNo2qgiw1ammZ6iR78uXOK49aocLO1tTcDwY= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_06.pem b/v3/testdata/subject_rdn_order_ko_06.pem new file mode 100644 index 000000000..d143b65e5 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_06.pem 
@@ -0,0 +1,95 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6256546164417316078 (0x56d3b79682ed44ee) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 14:12:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, street = Via Carducci, postalCode = 20100, O = Example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: + DNS:example.org + Signature Algorithm: sha256WithRSAEncryption + 4f:c8:a4:cf:30:8f:2b:6b:f8:98:ac:b2:38:d3:6a:97:2a:a8: + 12:d0:cc:b6:c9:bd:96:5b:96:f5:67:94:d0:00:a7:5c:06:c6: + ab:96:ed:27:3a:67:41:0c:25:61:6d:58:f0:a5:94:93:41:b4: + 9c:4b:fa:08:27:7d:d8:a1:a0:15:77:77:e2:84:54:f2:60:4f: + 5b:02:11:4a:e9:ec:d2:97:00:9c:b1:f0:5e:b4:b1:da:27:41: + 27:49:8c:17:f0:3c:3f:c2:60:9d:3c:d2:20:1e:3d:ad:bf:6e: + 07:b7:ed:5f:cf:23:01:4f:26:9e:ed:0d:e5:a8:c1:c0:10:2c: + 
72:8a:fd:b9:14:32:73:c6:f8:8f:a4:20:ef:ee:8f:c5:b7:81: + be:80:df:a5:ac:81:e4:60:22:23:46:9d:81:23:17:4e:42:1e: + 3f:d8:8e:59:7b:6b:18:02:71:98:34:f7:12:db:d6:f8:51:2a: + b4:3f:2f:15:47:78:1c:71:96:18:22:44:c6:97:75:ca:2e:b5: + d1:ff:3b:6b:80:57:fb:67:88:ea:9b:9e:cd:e5:28:bc:ef:44: + 67:be:70:d4:cc:a2:5b:b4:7f:3b:6e:0b:fc:23:7c:3d:f7:30: + bb:1f:07:c1:77:fb:58:13:71:20:1c:22:eb:63:05:9b:5d:8a: + 9d:e0:9c:3f:8b:32:34:ba:10:72:fa:36:e8:4c:0d:76:c3:2a: + 67:c9:70:ec:a9:1a:d7:84:c2:e2:a5:d3:e4:06:28:26:0b:94: + c6:7b:88:5f:27:02:75:55:ee:26:ee:55:36:38:35:43:0f:8c: + 71:48:c2:7f:45:01:d5:b9:28:93:d6:26:31:43:53:25:33:98: + e0:df:03:b3:db:6a:b9:a6:7c:3a:0f:d8:50:af:0d:56:e8:87: + 4a:a5:a0:da:91:db:19:4f:78:48:08:48:66:0a:9c:24:82:14: + f0:a2:b0:6b:cc:fa:f4:1a:bf:b1:fa:ff:0a:45:d7:e3:df:66: + 60:0e:d5:75:a5:1f:94:09:0f:3a:98:06:d2:4b:7c:d3:fd:6e: + 7b:a1:ad:23:e0:d5:5e:0a:5e:96:a7:a0:97:8b:90:6e:29:ec: + 2e:7f:7a:bf:9c:a2:c8:3a:dc:fc:48:51:e8:05:bd:a3:5b:b5: + 4a:6d:73:62:1d:f4:a1:1b:d9:28:77:79:4b:a5:5c:0b:b5:61: + 4c:4c:c7:20:f5:6d:78:29:3e:5d:56:ef:4d:ca:45:6b:fb:70: + 48:e0:74:b9:89:a7:4b:30:29:59:3e:c2:33:97:35:d9:f3:2a: + 1b:96:d5:6b:fc:4d:09:a8:99:7b:7f:bc:44:d4:1e:30:f5:34: + be:e6:e3:79:77:f0:3a:53 +-----BEGIN CERTIFICATE----- +MIIElTCCAn2gAwIBAgIIVtO3loLtRO4wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTQxMjAwWhcNMjUwMzA4MDg1 +MDAwWjBoMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xFTATBgNVBAkTDFZpYSBDYXJkdWNjaTEOMAwGA1UEERMFMjAxMDAxEDAO +BgNVBAoTB0V4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB +CoFgIed7o+xv5OD8L2FHiGkBWJujiZgLQhdHh4eyDh90Iijlz5rSfybbTx3ojRn6 +zebdTMDaOJP2v+j0nR8AyL/L9U+w+sMkzi8EO/on3Yw790QJiRYZDpUKjesOVD+B +wOdisNlrWomTeAjbjBg9JIFrLrn/DVpxJLdTH8KWV81JmLYhNUdrgxktqUviF6K9 +HqsWT9SamwHY4b/VJ3XyCXhjGyReLf5m+jKWYFGcRg4LquhXItQWOBGW0P5jVvHo 
+fuuZdc5L0uL5cSZiMSoDXbTUBPsznzTeoTmFz0jQoRbVlccgOLok2d6YMQELHL5u +uxYN9QZCJ4JJVzLzZwKrAgMBAAGjLzAtMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYG +A1UdEQQPMA2CC2V4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQBPyKTPMI8r +a/iYrLI402qXKqgS0My2yb2WW5b1Z5TQAKdcBsarlu0nOmdBDCVhbVjwpZSTQbSc +S/oIJ33YoaAVd3fihFTyYE9bAhFK6ezSlwCcsfBetLHaJ0EnSYwX8Dw/wmCdPNIg +Hj2tv24Ht+1fzyMBTyae7Q3lqMHAECxyiv25FDJzxviPpCDv7o/Ft4G+gN+lrIHk +YCIjRp2BIxdOQh4/2I5Ze2sYAnGYNPcS29b4USq0Py8VR3gccZYYIkTGl3XKLrXR +/ztrgFf7Z4jqm57N5Si870RnvnDUzKJbtH87bgv8I3w99zC7HwfBd/tYE3EgHCLr +YwWbXYqd4Jw/izI0uhBy+jboTA12wypnyXDsqRrXhMLipdPkBigmC5TGe4hfJwJ1 +Ve4m7lU2ODVDD4xxSMJ/RQHVuSiT1iYxQ1MlM5jg3wOz22q5pnw6D9hQrw1W6IdK +paDakdsZT3hICEhmCpwkghTworBrzPr0Gr+x+v8KRdfj32ZgDtV1pR+UCQ86mAbS +S3zT/W57oa0j4NVeCl6Wp6CXi5BuKewuf3q/nKLIOtz8SFHoBb2jW7VKbXNiHfSh +G9kod3lLpVwLtWFMTMcg9W14KT5dVu9NykVr+3BI4HS5iadLMClZPsIzlzXZ8yob +ltVr/E0JqJl7f7xE1B4w9TS+5uN5d/A6Uw== +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_07.pem b/v3/testdata/subject_rdn_order_ko_07.pem new file mode 100644 index 000000000..0d185a38c --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_07.pem 
@@ -0,0 +1,91 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 204622961721394657 (0x2d6f77fe24ac5e1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 14:15:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: CN = example.org, C = IT + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 9f:e6:50:72:f3:e3:a3:4c:2a:83:33:fa:84:7b:20:4a:db:fd: + d7:5c:c0:57:07:35:fd:3f:b6:6b:14:61:69:69:f4:c4:ed:cf: + c0:d2:6c:07:b9:48:da:93:1b:54:25:d1:5b:62:2c:0e:67:95: + 3f:50:20:ac:fd:bf:82:c4:19:9c:3a:77:0b:c5:05:d6:6c:f2: + c0:37:f0:db:f9:81:f6:bd:23:f6:1f:b5:f0:14:4c:65:8d:fa: + ac:6c:22:d7:3f:92:34:e7:a6:bf:15:0c:b4:88:33:95:ec:70: + 04:75:e9:0a:e1:da:de:f3:46:10:c7:81:6f:9c:28:1c:cd:89: + 99:2e:0c:1b:c9:87:fc:b0:dc:bc:fd:81:e5:ac:5b:5c:23:1b: + eb:c9:32:22:55:b9:3e:bb:67:93:59:13:e8:50:f8:3e:83:0d: + 
de:3b:6e:89:d6:39:fe:49:dd:d1:ad:0f:42:92:54:10:2c:9d: + 9e:04:cf:db:5c:1a:b6:96:8a:77:6f:e1:75:4c:d3:36:57:a1: + 81:b0:12:ad:76:0a:11:d3:99:9b:49:1f:52:be:9f:7e:d2:c0: + 66:f0:1c:e1:a7:34:ad:bb:c5:55:cd:d0:c1:2c:12:6a:46:6b: + 83:32:e7:c3:d5:0f:80:04:c6:35:4f:61:35:45:87:17:c2:97: + e3:51:fd:c6:77:96:16:b4:e3:22:d2:f5:ea:dd:c4:c3:0b:61: + d4:2d:3b:46:81:eb:d5:38:3c:a1:90:b1:f7:ef:dd:31:a1:12: + c8:2b:7b:12:20:84:b8:85:72:20:3e:a5:fc:97:57:eb:ed:55: + 6a:70:69:c4:dd:14:60:65:a9:17:e9:d2:ba:a6:57:3c:9c:2b: + 6e:de:8b:b8:ab:52:15:82:e3:ce:f5:a0:60:21:c1:72:11:0f: + f9:ea:af:fd:c7:99:bb:83:97:b8:93:30:1f:65:4f:38:d1:4f: + cb:ce:64:9f:35:3a:e7:3d:0e:09:ba:a7:ac:4e:75:7d:37:aa: + d6:e5:38:d2:4b:e2:73:fb:39:f8:2b:62:08:96:f2:2a:d1:6b: + ef:9f:af:00:a9:b8:56:f5:be:d1:bb:c6:37:cf:9e:6b:40:9f: + 15:66:4e:99:5b:ce:89:0d:7a:9b:8f:af:31:cd:85:ab:67:10: + 05:82:f4:0f:e5:4f:fb:46:f6:12:ed:6c:cb:38:a7:eb:4c:ae: + 2b:7f:b3:b1:65:c4:d7:46:46:50:a8:a4:79:bb:75:e2:aa:d5: + c0:33:9e:37:54:a3:04:ba:fa:9e:ee:07:b3:ae:e8:dd:f8:53: + 45:f0:16:d2:f2:0c:a8:87:80:92:a8:7d:72:60:f1:a5:42:f4: + 9f:16:d4:c5:a1:0f:7f:d7 +-----BEGIN CERTIFICATE----- +MIIEODCCAiCgAwIBAgIIAtb3f+JKxeEwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTQxNTAwWhcNMjUwMzA4MDg1 +MDAwWjAjMRQwEgYDVQQDEwtleGFtcGxlLm9yZzELMAkGA1UEBhMCSVQwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBCoFgIed7o+xv5OD8L2FHiGkBWJuj +iZgLQhdHh4eyDh90Iijlz5rSfybbTx3ojRn6zebdTMDaOJP2v+j0nR8AyL/L9U+w ++sMkzi8EO/on3Yw790QJiRYZDpUKjesOVD+BwOdisNlrWomTeAjbjBg9JIFrLrn/ +DVpxJLdTH8KWV81JmLYhNUdrgxktqUviF6K9HqsWT9SamwHY4b/VJ3XyCXhjGyRe +Lf5m+jKWYFGcRg4LquhXItQWOBGW0P5jVvHofuuZdc5L0uL5cSZiMSoDXbTUBPsz +nzTeoTmFz0jQoRbVlccgOLok2d6YMQELHL5uuxYN9QZCJ4JJVzLzZwKrAgMBAAGj +FzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQCf5lBy +8+OjTCqDM/qEeyBK2/3XXMBXBzX9P7ZrFGFpafTE7c/A0mwHuUjakxtUJdFbYiwO 
+Z5U/UCCs/b+CxBmcOncLxQXWbPLAN/Db+YH2vSP2H7XwFExljfqsbCLXP5I056a/ +FQy0iDOV7HAEdekK4dre80YQx4FvnCgczYmZLgwbyYf8sNy8/YHlrFtcIxvryTIi +Vbk+u2eTWRPoUPg+gw3eO26J1jn+Sd3RrQ9CklQQLJ2eBM/bXBq2lop3b+F1TNM2 +V6GBsBKtdgoR05mbSR9Svp9+0sBm8BzhpzStu8VVzdDBLBJqRmuDMufD1Q+ABMY1 +T2E1RYcXwpfjUf3Gd5YWtOMi0vXq3cTDC2HULTtGgevVODyhkLH3790xoRLIK3sS +IIS4hXIgPqX8l1fr7VVqcGnE3RRgZakX6dK6plc8nCtu3ou4q1IVguPO9aBgIcFy +EQ/56q/9x5m7g5e4kzAfZU840U/LzmSfNTrnPQ4JuqesTnV9N6rW5TjSS+Jz+zn4 +K2IIlvIq0Wvvn68AqbhW9b7Ru8Y3z55rQJ8VZk6ZW86JDXqbj68xzYWrZxAFgvQP +5U/7RvYS7WzLOKfrTK4rf7OxZcTXRkZQqKR5u3XiqtXAM543VKMEuvqe7gezrujd ++FNF8BbS8gyoh4CSqH1yYPGlQvSfFtTFoQ9/1w== +-----END CERTIFICATE----- From c66f6f6104bcd0054e09d149ac7cd6bb0e7a2dde Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Fri, 8 Mar 2024 16:10:44 +0100 Subject: [PATCH 03/29] Add files via upload --- v3/testdata/subject_rdn_order_ok_01.pem | 92 ++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_02.pem | 93 ++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_03.pem | 93 ++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_04.pem | 93 ++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_05.pem | 94 +++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_06.pem | 92 ++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_07.pem | 91 ++++++++++++++++++++++++ 7 files changed, 648 insertions(+) create mode 100644 v3/testdata/subject_rdn_order_ok_01.pem create mode 100644 v3/testdata/subject_rdn_order_ok_02.pem create mode 100644 v3/testdata/subject_rdn_order_ok_03.pem create mode 100644 v3/testdata/subject_rdn_order_ok_04.pem create mode 100644 v3/testdata/subject_rdn_order_ok_05.pem create mode 100644 v3/testdata/subject_rdn_order_ok_06.pem create mode 100644 v3/testdata/subject_rdn_order_ok_07.pem diff --git a/v3/testdata/subject_rdn_order_ok_01.pem b/v3/testdata/subject_rdn_order_ok_01.pem new file mode 100644 index 000000000..2c5b9dc86 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_01.pem 
@@ -0,0 +1,92 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6076550832111709079 (0x54543ec96f9f6b97) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 09:41:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, O = Example, CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b4:a3:ea:46:45:d7:d9:9a:04:ab:00:77:7e:df: + 14:c9:ac:f3:b7:3e:da:75:a1:6b:20:d7:89:ec:55: + 9d:03:e1:27:47:bf:cc:1b:e0:01:e8:b5:d0:ad:ff: + ff:19:e1:eb:f5:ae:7f:7f:35:a4:09:98:6a:17:87: + 76:d3:36:e1:8c:25:c2:17:a7:5e:32:12:4e:c4:9a: + b7:c4:d5:cb:f8:fe:28:66:b5:e0:d6:bf:d3:b7:2e: + 55:30:5d:ec:7b:5e:ef:c0:32:0d:89:44:2b:67:8c: + 1e:bd:88:b0:50:cb:18:22:e7:42:4a:c3:82:5f:4b: + 3a:b3:47:8c:08:f1:cf:dd:d3:e4:a1:f4:68:29:76: + 30:f9:bc:43:5d:90:a0:38:cc:be:73:04:10:42:1f: + 9c:75:b1:5f:2f:af:95:4d:98:87:36:13:16:cf:18: + 3e:cd:fd:f4:1d:42:b7:10:ee:4f:11:1c:4d:74:1a: + 2f:58:9f:4e:29:35:0d:9a:af:55:0c:11:23:81:50: + ad:7f:2b:13:fc:95:af:a7:68:fe:7f:af:97:4a:85: + a5:a2:b5:a9:cf:96:63:3e:84:8b:f2:c6:61:a4:f9: + 26:13:9e:1b:5f:79:06:7b:8e:c5:f6:d5:6c:52:bb: + 3c:40:ff:03:f2:e2:ee:d8:a5:7f:d4:25:f7:52:45: + 7f:e7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 3f:a4:2a:b5:7a:99:11:c0:a0:4b:3b:b4:5f:14:38:7e:1b:ef: + 6d:c8:b9:8d:c6:74:7d:09:ce:7b:84:9c:88:47:db:e1:20:fd: + 35:d3:ac:5e:ba:ff:89:77:88:86:9e:d5:74:b4:72:28:94:35: + 01:1b:5e:b4:26:d1:e3:3c:e1:93:57:0d:09:ab:7a:14:36:3d: + 7a:5d:ed:01:4a:57:cf:2c:b9:4d:61:70:b4:f7:6c:c1:60:74: + fa:68:7a:08:0f:23:84:3a:e8:f9:1d:96:ca:7c:75:66:62:25: + e3:d5:45:f9:e1:a5:ab:a3:54:c8:4c:53:c4:4f:0e:b5:39:45: + 2c:a0:45:f5:fc:6e:49:3d:eb:f4:70:75:6a:68:e3:ed:fc:64: + 
82:56:e9:c0:be:31:1e:a8:a4:92:22:6e:c6:94:03:49:ae:21: + e9:77:52:4f:5a:de:59:9a:d9:a1:ea:bb:00:3e:0c:62:c1:8a: + 81:4d:e8:46:29:00:f6:23:83:c2:d3:df:b5:b3:cf:16:7e:d8: + 35:53:5b:8a:d2:85:a9:45:78:0c:d3:de:e8:3c:ba:8c:96:23: + 43:1e:53:35:36:de:0b:4a:29:63:0c:d9:e1:b4:52:67:01:94: + 98:75:34:5b:90:7f:6b:88:f9:9e:e4:73:08:1a:41:93:df:b4: + 39:bf:ae:d8:b4:b6:92:77:45:76:9f:98:78:14:c5:32:62:1d: + 40:2b:b1:a6:c9:63:67:94:5f:ce:08:50:9b:98:2f:d7:b6:d3: + 4f:66:1b:4f:85:dd:d9:6d:48:43:72:d5:a3:8e:13:bd:43:56: + 75:22:21:6d:dd:9a:6f:7c:13:45:ac:30:a2:6d:57:82:ef:11: + 94:a4:0c:d8:7b:f2:28:47:82:2d:5a:48:b8:a0:af:95:06:e1: + 3f:24:10:a0:cc:17:72:d1:cd:05:34:98:9d:05:98:38:74:22: + 9c:4f:72:37:a4:8e:41:c7:30:d5:ad:3f:f1:8b:a5:f3:76:05: + f3:3a:fd:fd:2d:94:01:5e:6a:61:11:1c:e8:67:63:23:69:17: + 08:44:37:96:60:b8:e0:5e:eb:de:a7:66:49:55:13:90:bd:ec: + 80:bd:ca:ac:08:ce:d7:18:e3:fc:5f:eb:73:46:7f:e4:f8:e4: + b2:bf:09:1b:36:32:89:93:ac:aa:96:e4:fb:47:69:79:b7:fa: + 21:c0:5c:9c:24:4e:ff:8e:6a:2d:24:24:e1:71:04:19:39:37: + 89:41:a3:b8:4a:2f:60:a0:e4:f8:12:87:9e:37:d6:15:5a:b2: + d0:46:75:7b:c7:07:0e:8e:40:36:b6:1f:dd:5d:5b:06:a9:f8: + 53:76:15:a0:76:3f:50:e3 +-----BEGIN CERTIFICATE----- +MIIEbDCCAlSgAwIBAgIIVFQ+yW+fa5cwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MDk0MTAwWhcNMjUwMzA4MDg1 +MDAwWjBXMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xEDAOBgNVBAoTB0V4YW1wbGUxFDASBgNVBAMTC2V4YW1wbGUub3JnMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtKPqRkXX2ZoEqwB3ft8Uyazz +tz7adaFrINeJ7FWdA+EnR7/MG+AB6LXQrf//GeHr9a5/fzWkCZhqF4d20zbhjCXC +F6deMhJOxJq3xNXL+P4oZrXg1r/Tty5VMF3se17vwDINiUQrZ4wevYiwUMsYIudC +SsOCX0s6s0eMCPHP3dPkofRoKXYw+bxDXZCgOMy+cwQQQh+cdbFfL6+VTZiHNhMW +zxg+zf30HUK3EO5PERxNdBovWJ9OKTUNmq9VDBEjgVCtfysT/JWvp2j+f6+XSoWl +orWpz5ZjPoSL8sZhpPkmE54bX3kGe47F9tVsUrs8QP8D8uLu2KV/1CX3UkV/5wID 
+AQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA +P6QqtXqZEcCgSzu0XxQ4fhvvbci5jcZ0fQnOe4SciEfb4SD9NdOsXrr/iXeIhp7V +dLRyKJQ1ARtetCbR4zzhk1cNCat6FDY9el3tAUpXzyy5TWFwtPdswWB0+mh6CA8j +hDro+R2Wynx1ZmIl49VF+eGlq6NUyExTxE8OtTlFLKBF9fxuST3r9HB1amjj7fxk +glbpwL4xHqikkiJuxpQDSa4h6XdST1reWZrZoeq7AD4MYsGKgU3oRikA9iODwtPf +tbPPFn7YNVNbitKFqUV4DNPe6Dy6jJYjQx5TNTbeC0opYwzZ4bRSZwGUmHU0W5B/ +a4j5nuRzCBpBk9+0Ob+u2LS2kndFdp+YeBTFMmIdQCuxpsljZ5RfzghQm5gv17bT +T2YbT4Xd2W1IQ3LVo44TvUNWdSIhbd2ab3wTRawwom1Xgu8RlKQM2HvyKEeCLVpI +uKCvlQbhPyQQoMwXctHNBTSYnQWYOHQinE9yN6SOQccw1a0/8Yul83YF8zr9/S2U +AV5qYREc6GdjI2kXCEQ3lmC44F7r3qdmSVUTkL3sgL3KrAjO1xjj/F/rc0Z/5Pjk +sr8JGzYyiZOsqpbk+0dpebf6IcBcnCRO/45qLSQk4XEEGTk3iUGjuEovYKDk+BKH +njfWFVqy0EZ1e8cHDo5ANrYf3V1bBqn4U3YVoHY/UOM= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_02.pem b/v3/testdata/subject_rdn_order_ok_02.pem new file mode 100644 index 000000000..3642d66df --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_02.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8707574737929004705 (0x78d78516e56c66a1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 10:20:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, postalCode = 20100, street = Via Carducci, O = Example, CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 62:89:12:5f:aa:93:da:26:e6:4e:6c:79:93:74:8d:2b:c3:3f: + 8f:7e:cc:0f:6c:8a:19:79:5b:2f:55:41:cf:28:ca:cb:78:06: + 51:ef:a5:01:8c:4d:d3:43:74:53:37:05:af:6b:26:39:81:b3: + d2:86:d0:c8:20:37:2e:ed:7b:f4:55:ba:44:22:2c:bf:3b:81: + f9:ac:bf:a8:94:15:d9:96:cd:38:32:39:82:c2:a9:69:ba:eb: + 61:a6:0a:72:b1:0b:dd:8e:8e:56:5f:71:64:12:5f:62:98:f1: + 52:88:0f:ff:b0:76:5d:5d:e2:52:74:2b:1f:62:f5:10:74:89: + 
cf:4e:0b:a9:0d:3c:20:40:9c:59:10:d8:c7:78:b9:82:22:fa: + 3b:6e:92:16:e7:07:90:3f:26:ef:d1:11:d5:04:0a:8b:8f:2c: + 9a:19:f3:03:aa:aa:93:6d:9c:97:65:b0:ff:cd:1d:44:ac:7e: + f0:ee:6a:b1:df:2f:77:f2:a4:c8:fb:ab:e6:b9:9d:30:44:74: + 06:d5:53:22:87:1e:bc:d2:cf:9f:12:53:02:88:dc:42:0c:a3: + fe:f8:55:0f:3c:a0:a7:69:58:b0:9c:a4:bb:47:24:62:da:d2: + 76:0f:eb:f3:c1:f8:4e:7f:79:e1:b8:45:6a:95:41:9b:f8:75: + 41:c3:e4:96:da:1d:a3:f4:03:8c:61:ce:95:86:d2:ce:02:79: + 2c:cf:4e:a2:17:03:7d:72:13:ed:b9:a3:85:a3:05:b5:a6:a0: + f5:7a:78:39:9b:81:9c:4d:b7:6b:ce:90:89:c5:d7:2b:28:27: + f3:fb:2a:cb:5a:42:79:b0:59:f8:c4:0a:ef:67:c3:21:83:93: + 46:fa:a8:9c:4b:a2:57:1b:3d:6a:69:99:1b:ce:c8:ad:30:75: + 35:14:29:0d:5e:ae:1d:db:16:1e:a3:7f:0c:cf:26:b5:6d:17: + a3:a8:42:d6:ff:5b:49:5a:57:57:4f:4b:cd:b7:bc:06:4d:59: + 6b:75:b3:92:d4:89:91:dd:70:93:ec:d2:06:72:61:2b:f3:23: + 1e:e8:7e:62:c1:ea:5b:94:4d:d6:24:4a:66:07:33:fb:c2:a5: + 30:b5:0a:b0:11:ce:90:39:b9:fe:c7:74:6a:13:9a:c7:09:cd: + 5d:49:af:95:c9:eb:4f:02:1c:c9:fd:1a:d6:12:9e:3d:d2:36: + 95:62:d1:1e:66:8f:85:2c:14:46:ac:a2:36:b8:a0:05:95:d1: + 98:72:d9:68:a3:25:ef:1c:31:01:7d:b6:cc:82:2b:04:98:0a: + 07:53:a8:03:bd:70:af:29:8b:2f:e0:de:16:6f:36:0e:99:aa: + 68:09:72:49:9f:61:1b:ad +-----BEGIN CERTIFICATE----- +MIIEkzCCAnugAwIBAgIIeNeFFuVsZqEwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTAyMDAwWhcNMjUwMzA4MDg1 +MDAwWjB+MQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xDjAMBgNVBBETBTIwMTAwMRUwEwYDVQQJEwxWaWEgQ2FyZHVjY2kxEDAO +BgNVBAoTB0V4YW1wbGUxFDASBgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwQqBYCHne6Psb+Tg/C9hR4hpAVibo4mYC0IX +R4eHsg4fdCIo5c+a0n8m208d6I0Z+s3m3UzA2jiT9r/o9J0fAMi/y/VPsPrDJM4v +BDv6J92MO/dECYkWGQ6VCo3rDlQ/gcDnYrDZa1qJk3gI24wYPSSBay65/w1acSS3 +Ux/CllfNSZi2ITVHa4MZLalL4heivR6rFk/UmpsB2OG/1Sd18gl4YxskXi3+Zvoy 
+lmBRnEYOC6roVyLUFjgRltD+Y1bx6H7rmXXOS9Li+XEmYjEqA1201AT7M5803qE5 +hc9I0KEW1ZXHIDi6JNnemDEBCxy+brsWDfUGQieCSVcy82cCqwIDAQABoxcwFTAT +BgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAYokSX6qT2ibm +Tmx5k3SNK8M/j37MD2yKGXlbL1VBzyjKy3gGUe+lAYxN00N0UzcFr2smOYGz0obQ +yCA3Lu179FW6RCIsvzuB+ay/qJQV2ZbNODI5gsKpabrrYaYKcrEL3Y6OVl9xZBJf +YpjxUogP/7B2XV3iUnQrH2L1EHSJz04LqQ08IECcWRDYx3i5giL6O26SFucHkD8m +79ER1QQKi48smhnzA6qqk22cl2Ww/80dRKx+8O5qsd8vd/KkyPur5rmdMER0BtVT +IocevNLPnxJTAojcQgyj/vhVDzygp2lYsJyku0ckYtrSdg/r88H4Tn954bhFapVB +m/h1QcPkltodo/QDjGHOlYbSzgJ5LM9OohcDfXIT7bmjhaMFtaag9Xp4OZuBnE23 +a86QicXXKygn8/sqy1pCebBZ+MQK72fDIYOTRvqonEuiVxs9ammZG87IrTB1NRQp +DV6uHdsWHqN/DM8mtW0Xo6hC1v9bSVpXV09Lzbe8Bk1Za3WzktSJkd1wk+zSBnJh +K/MjHuh+YsHqW5RN1iRKZgcz+8KlMLUKsBHOkDm5/sd0ahOaxwnNXUmvlcnrTwIc +yf0a1hKePdI2lWLRHmaPhSwURqyiNrigBZXRmHLZaKMl7xwxAX22zIIrBJgKB1Oo +A71wrymLL+DeFm82DpmqaAlySZ9hG60= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_03.pem b/v3/testdata/subject_rdn_order_ok_03.pem new file mode 100644 index 000000000..f685bc3b5 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_03.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3787884309683191120 (0x349144b5e8f13d50) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 10:29:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: critical + DNS:example.org + Signature Algorithm: sha256WithRSAEncryption + 14:1d:17:7b:5e:e0:bc:fd:b5:cb:c0:3c:0e:ba:c9:e4:c3:89: + d9:c1:8e:37:13:5d:dc:c3:b1:2e:b6:93:77:a6:7e:54:e4:62: + 28:ce:77:e2:c9:83:42:26:51:59:f4:31:83:db:d9:d1:0f:45: + 9a:2a:a0:23:d3:29:dc:7c:0b:58:d9:36:db:8a:e0:78:c0:23: + ee:2c:8d:f6:5a:16:44:77:70:b2:07:15:08:e4:db:8b:96:24: + 46:2d:36:46:64:8d:39:17:65:e2:cd:d1:62:a4:03:3a:b0:ba: + 96:28:fb:2e:67:13:24:26:ed:17:08:30:56:d2:a8:6e:21:25: + 26:e4:fe:44:b0:3f:08:3b:53:a6:06:36:b7:66:4f:f4:83:27: + 
35:e7:15:98:3b:0f:3a:1b:b4:28:53:4b:2c:78:0b:bb:64:a5: + bf:e4:bf:d3:4f:87:dc:86:e7:a5:ea:0d:e2:01:b9:c2:f7:95: + 72:9b:6c:2d:7d:58:3b:f5:b7:3d:b7:e0:6a:3f:07:fa:5a:9d: + 56:c0:f9:51:e0:ed:d2:94:27:e8:dd:d6:8b:b4:39:ba:0f:f8: + 99:ea:25:e5:3a:04:11:07:ca:3f:b0:49:5d:09:a3:6d:f6:d5: + 0b:f7:76:dd:1b:39:aa:13:ba:77:56:37:a8:21:cf:ba:99:da: + 55:dd:84:26:03:e5:f2:cf:32:08:3f:cf:a6:47:5d:3e:aa:66: + 80:34:8d:45:5e:cf:59:d9:f8:00:68:09:94:bd:72:ee:93:b4: + ab:6d:d3:e6:4d:b7:82:f0:84:fb:2c:3d:27:61:51:d1:2d:03: + 9e:bd:d2:f3:20:4f:08:b9:6d:ca:a3:5d:23:6d:9a:07:54:31: + cf:aa:bd:cc:05:c9:f4:be:83:5f:13:ce:a6:a9:ae:42:73:96: + c4:b5:05:ee:61:49:78:8b:65:46:2a:64:ae:8c:44:9e:3b:e5: + 2d:b4:fc:9a:79:50:cb:c1:39:3f:7b:78:3b:09:9a:aa:29:69: + 46:a4:a0:10:c5:33:39:66:0e:42:bf:f1:f3:02:3d:d8:56:d0: + e8:80:e2:f9:54:cc:74:9d:52:67:32:73:eb:cf:c8:d5:15:10: + da:78:08:cb:71:a1:73:1a:55:1c:65:30:17:d2:49:b8:ae:ac: + 33:6a:6f:81:10:63:26:1d:fe:51:ef:e7:1c:55:d9:41:cb:7f: + d1:bc:36:80:1f:fe:c1:1b:6c:e6:ba:27:b7:78:f5:29:1d:b0: + 30:57:b3:e3:9a:da:5e:17:71:8a:ef:dd:b6:52:9a:f3:1f:fb: + f3:91:2e:fb:5a:c3:a3:a3:1a:73:bc:8e:45:56:96:e6:7c:58: + 5c:e4:85:96:a8:57:e4:ea +-----BEGIN CERTIFICATE----- +MIIEMDCCAhigAwIBAgIINJFEtejxPVAwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTAyOTAwWhcNMjUwMzA4MDg1 +MDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwQqBYCHne6Ps +b+Tg/C9hR4hpAVibo4mYC0IXR4eHsg4fdCIo5c+a0n8m208d6I0Z+s3m3UzA2jiT +9r/o9J0fAMi/y/VPsPrDJM4vBDv6J92MO/dECYkWGQ6VCo3rDlQ/gcDnYrDZa1qJ +k3gI24wYPSSBay65/w1acSS3Ux/CllfNSZi2ITVHa4MZLalL4heivR6rFk/UmpsB +2OG/1Sd18gl4YxskXi3+ZvoylmBRnEYOC6roVyLUFjgRltD+Y1bx6H7rmXXOS9Li ++XEmYjEqA1201AT7M5803qE5hc9I0KEW1ZXHIDi6JNnemDEBCxy+brsWDfUGQieC +SVcy82cCqwIDAQABozIwMDATBgNVHSUEDDAKBggrBgEFBQcDATAZBgNVHREBAf8E +DzANggtleGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOCAgEAFB0Xe17gvP21y8A8 
+DrrJ5MOJ2cGONxNd3MOxLraTd6Z+VORiKM534smDQiZRWfQxg9vZ0Q9FmiqgI9Mp +3HwLWNk224rgeMAj7iyN9loWRHdwsgcVCOTbi5YkRi02RmSNORdl4s3RYqQDOrC6 +lij7LmcTJCbtFwgwVtKobiElJuT+RLA/CDtTpgY2t2ZP9IMnNecVmDsPOhu0KFNL +LHgLu2Slv+S/00+H3IbnpeoN4gG5wveVcptsLX1YO/W3Pbfgaj8H+lqdVsD5UeDt +0pQn6N3Wi7Q5ug/4meol5ToEEQfKP7BJXQmjbfbVC/d23Rs5qhO6d1Y3qCHPupna +Vd2EJgPl8s8yCD/PpkddPqpmgDSNRV7PWdn4AGgJlL1y7pO0q23T5k23gvCE+yw9 +J2FR0S0Dnr3S8yBPCLltyqNdI22aB1Qxz6q9zAXJ9L6DXxPOpqmuQnOWxLUF7mFJ +eItlRipkroxEnjvlLbT8mnlQy8E5P3t4OwmaqilpRqSgEMUzOWYOQr/x8wI92FbQ +6IDi+VTMdJ1SZzJz68/I1RUQ2ngIy3GhcxpVHGUwF9JJuK6sM2pvgRBjJh3+Ue/n +HFXZQct/0bw2gB/+wRts5ront3j1KR2wMFez45raXhdxiu/dtlKa8x/785Eu+1rD +o6Mac7yORVaW5nxYXOSFlqhX5Oo= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_04.pem b/v3/testdata/subject_rdn_order_ok_04.pem new file mode 100644 index 000000000..e5e80f802 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_04.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5917778588860444809 (0x52202c45d8707089) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 10:50:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: DC = org, DC = example, C = IT, ST = Milano, L = Milano, O = Example, CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 11:f4:93:85:4a:d1:7d:d4:28:5b:fa:c5:79:99:8f:e5:2c:74: + bd:13:c9:35:4d:92:2d:84:a5:aa:b1:63:83:4e:99:3b:c3:bb: + 03:51:f8:f2:9e:42:c3:7d:e1:e5:4c:da:67:cd:c9:3c:d6:68: + 0c:1e:2b:70:80:4a:81:0b:d2:b5:82:0f:6f:93:5d:48:2e:29: + d9:52:45:8d:91:29:26:b6:69:e8:0f:f7:29:4d:83:da:e9:5a: + f6:71:57:4e:b2:4a:e7:7e:b6:68:f1:56:5d:41:d8:03:94:d1: + 46:7b:b3:d8:38:42:26:80:18:ef:4c:42:30:66:2a:a2:de:fe: + e0:2e:e8:74:79:16:b1:a2:9a:bc:93:3e:5c:30:68:6e:38:83: 
+ f0:b2:51:e9:a0:ab:8b:43:d8:1f:15:98:86:fe:e0:34:69:27: + bb:65:12:26:dd:0c:56:53:86:c3:33:0d:da:b5:70:73:39:67: + 6d:55:84:2b:bb:71:5e:93:c1:29:ee:bc:37:78:39:c3:74:80: + 04:8d:ff:29:af:48:ec:a9:34:5a:d4:7b:d4:f2:cf:a4:81:13: + f7:3c:03:6c:73:cf:1b:f1:d7:cd:2e:fd:ea:9c:9e:98:63:29: + aa:90:02:91:68:28:aa:ec:4e:f7:12:05:73:b9:32:f0:17:ca: + a5:d1:68:dd:b2:8a:56:be:7b:73:57:b9:2b:7e:58:7d:3b:f4: + 74:ae:b5:88:c1:88:0d:6e:d4:23:78:4b:36:fe:21:b2:d8:7a: + 57:90:95:47:c1:a1:c5:15:65:02:50:cf:11:f1:8e:94:b7:f8: + 46:9c:2e:b2:db:78:69:e8:a8:c8:43:57:be:cb:82:f2:65:3c: + 49:f3:f9:b1:95:57:50:4c:53:ce:21:55:42:06:b4:bd:91:67: + 21:5f:c9:c8:b6:d4:f7:e8:8d:f9:67:c3:08:4b:7e:60:86:79: + 7f:d2:70:75:fa:b0:af:90:39:e3:f3:f9:69:8f:a8:9e:3f:16: + af:e7:46:fd:07:fe:77:13:7a:41:8e:f4:a9:60:45:ba:c0:4a: + 51:ce:bf:fe:e4:e6:04:01:b1:e1:d0:60:3a:4c:f0:bf:d5:9f: + b4:6d:e8:06:9a:21:01:8e:ae:d3:bf:d8:29:1b:ec:5f:d3:5d: + 4e:22:37:6a:05:c9:30:8b:41:58:38:64:21:f0:a0:77:28:66: + 95:32:1f:f6:5b:42:48:84:4d:a6:d6:bf:81:d0:5c:3c:89:40: + 75:74:f6:fb:de:16:7c:9b:d6:7a:76:3a:37:c1:04:68:e9:7d: + 14:c5:8f:6c:6c:70:d5:c3:c6:d1:08:cc:6d:a1:5f:8b:d2:16: + 3a:58:53:2e:3f:9c:f1:cc +-----BEGIN CERTIFICATE----- +MIIEmzCCAoOgAwIBAgIIUiAsRdhwcIkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTA1MDAwWhcNMjUwMzA4MDg1 +MDAwWjCBhTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2V4 +YW1wbGUxCzAJBgNVBAYTAklUMQ8wDQYDVQQIEwZNaWxhbm8xDzANBgNVBAcTBk1p +bGFubzEQMA4GA1UEChMHRXhhbXBsZTEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBCoFgIed7o+xv5OD8L2FHiGkB +WJujiZgLQhdHh4eyDh90Iijlz5rSfybbTx3ojRn6zebdTMDaOJP2v+j0nR8AyL/L +9U+w+sMkzi8EO/on3Yw790QJiRYZDpUKjesOVD+BwOdisNlrWomTeAjbjBg9JIFr +Lrn/DVpxJLdTH8KWV81JmLYhNUdrgxktqUviF6K9HqsWT9SamwHY4b/VJ3XyCXhj +GyReLf5m+jKWYFGcRg4LquhXItQWOBGW0P5jVvHofuuZdc5L0uL5cSZiMSoDXbTU 
+BPsznzTeoTmFz0jQoRbVlccgOLok2d6YMQELHL5uuxYN9QZCJ4JJVzLzZwKrAgMB +AAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQAR +9JOFStF91Chb+sV5mY/lLHS9E8k1TZIthKWqsWODTpk7w7sDUfjynkLDfeHlTNpn +zck81mgMHitwgEqBC9K1gg9vk11ILinZUkWNkSkmtmnoD/cpTYPa6Vr2cVdOskrn +frZo8VZdQdgDlNFGe7PYOEImgBjvTEIwZiqi3v7gLuh0eRaxopq8kz5cMGhuOIPw +slHpoKuLQ9gfFZiG/uA0aSe7ZRIm3QxWU4bDMw3atXBzOWdtVYQru3Fek8Ep7rw3 +eDnDdIAEjf8pr0jsqTRa1HvU8s+kgRP3PANsc88b8dfNLv3qnJ6YYymqkAKRaCiq +7E73EgVzuTLwF8ql0WjdsopWvntzV7krflh9O/R0rrWIwYgNbtQjeEs2/iGy2HpX +kJVHwaHFFWUCUM8R8Y6Ut/hGnC6y23hp6KjIQ1e+y4LyZTxJ8/mxlVdQTFPOIVVC +BrS9kWchX8nIttT36I35Z8MIS35ghnl/0nB1+rCvkDnj8/lpj6iePxav50b9B/53 +E3pBjvSpYEW6wEpRzr/+5OYEAbHh0GA6TPC/1Z+0begGmiEBjq7Tv9gpG+xf011O +IjdqBckwi0FYOGQh8KB3KGaVMh/2W0JIhE2m1r+B0Fw8iUB1dPb73hZ8m9Z6djo3 +wQRo6X0UxY9sbHDVw8bRCMxtoV+L0hY6WFMuP5zxzA== +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_05.pem b/v3/testdata/subject_rdn_order_ok_05.pem new file mode 100644 index 000000000..d335363e9 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_05.pem 
@@ -0,0 +1,94 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3973831062308419373 (0x3725e24c024e772d) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 11:11:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, street = Via Carducci, O = Example, CN = example.org, serialNumber = 1234567890, businessCategory = Private Organization, jurisdictionC = IT + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 33:90:f2:a3:3f:3a:7b:cf:f6:ce:c9:1c:05:40:58:90:07:a5: + 13:15:f1:5c:cb:35:22:95:be:a0:29:fe:cb:7a:29:eb:d5:91: + 95:94:f4:73:cd:2e:fb:92:ec:a4:6e:b9:3d:d1:a9:1a:9b:d9: + 1d:cb:68:1b:a9:36:03:4a:62:d3:1b:cd:a1:2a:8f:ca:1e:8b: + 27:e0:22:d8:a6:02:cb:fd:e5:91:ff:30:0f:98:a7:33:b6:b5: + c4:75:7e:87:63:20:86:57:8f:7e:10:48:fe:76:0e:d0:6c:6d: + 
d9:e5:a7:d8:31:c8:cc:c6:3b:40:4e:56:dc:fc:40:2d:4a:7c: + 46:b3:67:c3:a9:6c:e4:23:d1:12:48:96:37:39:a8:7d:50:b4: + 07:57:ff:50:74:d9:82:84:1a:ff:b0:c6:11:0d:da:65:4b:27: + 50:64:a6:d6:48:66:52:d4:49:f1:44:08:2b:6b:96:76:b4:94: + eb:0e:b3:29:57:77:e2:69:08:66:81:31:d3:c5:69:c9:ae:cb: + 9e:08:99:55:7d:fc:20:51:a5:4a:95:24:5a:66:2a:70:6a:ee: + f2:cb:ad:04:fd:54:71:a7:68:a4:55:ee:1b:db:7e:44:03:99: + 74:72:bb:15:84:d0:f5:e1:84:8d:df:7d:d0:fb:92:b1:22:5d: + d1:8f:b6:fd:c3:aa:ab:c0:87:c4:71:af:17:63:5e:f3:21:8c: + 89:94:b9:e0:52:5c:5c:69:67:b3:10:fd:12:8b:a3:a2:fa:ec: + e7:b9:85:a9:b7:a6:06:5e:d4:23:52:c9:87:92:41:4e:a5:eb: + ea:71:9a:b5:ef:54:0d:46:04:f9:18:5a:4b:25:9a:74:a5:9b: + 73:08:f4:d6:55:1f:12:07:67:ff:26:26:e4:ea:30:7b:34:6e: + 39:a1:57:71:fc:91:fd:ea:2c:f5:c8:bf:ee:db:d9:12:2c:24: + bf:c1:09:f5:0e:ca:d3:86:e5:da:d5:58:42:dc:5a:b5:6f:c7: + 6e:45:6c:97:15:18:fc:5d:f6:58:20:e4:60:08:50:45:75:3a: + 94:d0:ba:d7:aa:5f:30:02:6d:6a:85:56:06:3b:1e:75:6f:91: + 5b:5c:e0:07:a5:9c:56:32:b7:81:e8:c5:9a:55:20:47:64:e8: + 68:b9:76:c4:e3:e1:db:80:b6:ee:e7:35:2d:d2:38:bb:52:ac: + 32:99:90:9b:d4:33:27:51:dc:f1:26:bc:90:95:82:c3:ab:28: + 92:a2:6b:e3:f7:1b:f4:5e:9b:3d:98:61:e0:c3:69:2a:26:af: + 89:88:dc:ad:86:12:18:93:04:6c:83:7f:af:7b:5c:f3:87:7a: + e0:5a:c5:2e:70:f1:9d:27 +-----BEGIN CERTIFICATE----- +MIIEzTCCArWgAwIBAgIINyXiTAJOdy0wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTExMTAwWhcNMjUwMzA4MDg1 +MDAwWjCBtzELMAkGA1UEBhMCSVQxDzANBgNVBAgTBk1pbGFubzEPMA0GA1UEBxMG +TWlsYW5vMRUwEwYDVQQJEwxWaWEgQ2FyZHVjY2kxEDAOBgNVBAoTB0V4YW1wbGUx +FDASBgNVBAMTC2V4YW1wbGUub3JnMRMwEQYDVQQFEwoxMjM0NTY3ODkwMR0wGwYD +VQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGCysGAQQBgjc8AgEDEwJJVDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEKgWAh53uj7G/k4PwvYUeI +aQFYm6OJmAtCF0eHh7IOH3QiKOXPmtJ/JttPHeiNGfrN5t1MwNo4k/a/6PSdHwDI 
+v8v1T7D6wyTOLwQ7+ifdjDv3RAmJFhkOlQqN6w5UP4HA52Kw2WtaiZN4CNuMGD0k +gWsuuf8NWnEkt1MfwpZXzUmYtiE1R2uDGS2pS+IXor0eqxZP1JqbAdjhv9UndfIJ +eGMbJF4t/mb6MpZgUZxGDguq6Fci1BY4EZbQ/mNW8eh+65l1zkvS4vlxJmIxKgNd +tNQE+zOfNN6hOYXPSNChFtWVxyA4uiTZ3pgxAQscvm67Fg31BkIngklXMvNnAqsC +AwEAAaMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIB +ADOQ8qM/OnvP9s7JHAVAWJAHpRMV8VzLNSKVvqAp/st6KevVkZWU9HPNLvuS7KRu +uT3RqRqb2R3LaBupNgNKYtMbzaEqj8oeiyfgItimAsv95ZH/MA+YpzO2tcR1fodj +IIZXj34QSP52DtBsbdnlp9gxyMzGO0BOVtz8QC1KfEazZ8OpbOQj0RJIljc5qH1Q +tAdX/1B02YKEGv+wxhEN2mVLJ1BkptZIZlLUSfFECCtrlna0lOsOsylXd+JpCGaB +MdPFacmuy54ImVV9/CBRpUqVJFpmKnBq7vLLrQT9VHGnaKRV7hvbfkQDmXRyuxWE +0PXhhI3ffdD7krEiXdGPtv3DqqvAh8RxrxdjXvMhjImUueBSXFxpZ7MQ/RKLo6L6 +7Oe5ham3pgZe1CNSyYeSQU6l6+pxmrXvVA1GBPkYWkslmnSlm3MI9NZVHxIHZ/8m +JuTqMHs0bjmhV3H8kf3qLPXIv+7b2RIsJL/BCfUOytOG5drVWELcWrVvx25FbJcV +GPxd9lgg5GAIUEV1OpTQuteqXzACbWqFVgY7HnVvkVtc4AelnFYyt4HoxZpVIEdk +6Gi5dsTj4duAtu7nNS3SOLtSrDKZkJvUMydR3PEmvJCVgsOrKJKia+P3G/Remz2Y +YeDDaSomr4mI3K2GEhiTBGyDf697XPOHeuBaxS5w8Z0n +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_06.pem b/v3/testdata/subject_rdn_order_ok_06.pem new file mode 100644 index 000000000..471cc77a4 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_06.pem 
@@ -0,0 +1,92 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3991351525678630817 (0x37642110c5c9c7a1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 13:34:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, SN = Flash, GN = Gordon, CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + a7:1d:bd:b0:9e:f1:16:d7:ec:76:90:d4:97:37:dd:d4:64:f7: + 4f:fe:2e:31:83:a9:9f:3f:d3:d6:49:f6:d3:0a:89:06:8e:dc: + 25:4c:3c:c9:0b:04:69:b3:f3:1c:2a:38:28:71:89:7d:5a:04: + b4:c9:1e:e7:03:45:7c:ed:04:f1:1e:0f:95:f4:fa:e8:04:0c: + 25:1b:05:34:85:ab:e8:b2:7e:aa:9b:1a:45:ae:d4:24:d6:ae: + 77:ab:11:9c:2c:fd:a7:63:3f:30:52:85:ae:3d:7c:b6:9b:e6: + d3:b0:b2:6c:d7:4d:1d:89:b5:9b:b3:c3:2d:1c:24:38:ca:4c: + f4:fb:70:bf:86:bb:a2:e6:85:0e:4e:70:90:62:dc:6d:86:83: + 
b9:43:5d:6a:bb:79:88:8a:cb:ac:dc:28:91:5b:6e:d3:06:81: + a5:d0:36:52:d7:49:b4:3c:f5:d2:8d:ac:1a:9d:80:e7:1e:42: + 13:ce:2d:ef:ea:ed:6e:8a:28:e7:5e:a2:57:22:a7:a5:21:67: + 42:43:47:9e:a0:a8:50:e9:0f:f5:32:37:a0:2f:42:66:c8:6b: + 0a:d8:ac:18:19:67:7e:e5:45:9a:1d:f5:5b:4a:91:2d:07:d0: + af:fc:3e:35:91:f4:e8:41:b4:ec:5b:7f:41:1c:f7:04:6e:78: + 8f:bc:79:47:c5:59:a7:98:35:c3:19:3a:06:f0:53:0f:e1:e7: + 2b:28:40:ac:c0:09:2f:42:43:0c:56:23:09:62:06:e9:c2:0f: + 27:6b:90:09:8a:fe:6a:ed:c3:cb:ba:4c:be:0c:af:a4:30:5c: + 60:90:ba:41:fa:8b:fc:39:ad:95:2f:81:8b:e9:ba:d8:db:1f: + e9:95:47:a5:90:d7:2a:b9:48:e3:e9:16:59:2a:ae:7e:0c:e6: + ff:0c:f3:e5:91:15:b3:97:fc:46:93:ec:a1:e3:93:5f:e5:4c: + 3a:ed:8b:a6:f1:f3:b6:c9:af:41:fa:23:2d:e6:1c:96:a0:48: + 86:1a:9d:99:e4:68:0b:3b:33:94:3d:98:c1:1f:c8:48:81:32: + 6a:7c:c6:51:06:a0:72:bd:8a:00:13:0a:c6:17:46:e4:3c:44: + 42:d8:ee:c2:03:34:cf:3e:21:13:c9:4f:ab:27:de:1c:bb:d3: + 44:a3:d9:fc:8c:ea:62:20:ee:d3:7f:2c:1f:1b:40:6e:d2:af: + fb:81:af:52:39:34:41:e3:99:ce:f5:04:c2:a5:97:eb:16:18: + c6:fd:46:46:97:6a:26:1b:7a:18:27:47:f2:3a:b1:bd:f1:21: + 67:a6:98:e5:6f:b9:d6:c1:11:cb:ce:ee:43:32:f3:31:b3:35: + d3:c8:1d:4a:97:d0:e7:16 +-----BEGIN CERTIFICATE----- +MIIEezCCAmOgAwIBAgIIN2QhEMXJx6EwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTMzNDAwWhcNMjUwMzA4MDg1 +MDAwWjBmMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xDjAMBgNVBAQTBUZsYXNoMQ8wDQYDVQQqEwZHb3Jkb24xFDASBgNVBAMT +C2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwQqB +YCHne6Psb+Tg/C9hR4hpAVibo4mYC0IXR4eHsg4fdCIo5c+a0n8m208d6I0Z+s3m +3UzA2jiT9r/o9J0fAMi/y/VPsPrDJM4vBDv6J92MO/dECYkWGQ6VCo3rDlQ/gcDn +YrDZa1qJk3gI24wYPSSBay65/w1acSS3Ux/CllfNSZi2ITVHa4MZLalL4heivR6r +Fk/UmpsB2OG/1Sd18gl4YxskXi3+ZvoylmBRnEYOC6roVyLUFjgRltD+Y1bx6H7r +mXXOS9Li+XEmYjEqA1201AT7M5803qE5hc9I0KEW1ZXHIDi6JNnemDEBCxy+brsW 
+DfUGQieCSVcy82cCqwIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkq +hkiG9w0BAQsFAAOCAgEApx29sJ7xFtfsdpDUlzfd1GT3T/4uMYOpnz/T1kn20wqJ +Bo7cJUw8yQsEabPzHCo4KHGJfVoEtMke5wNFfO0E8R4PlfT66AQMJRsFNIWr6LJ+ +qpsaRa7UJNaud6sRnCz9p2M/MFKFrj18tpvm07CybNdNHYm1m7PDLRwkOMpM9Ptw +v4a7ouaFDk5wkGLcbYaDuUNdart5iIrLrNwokVtu0waBpdA2UtdJtDz10o2sGp2A +5x5CE84t7+rtbooo516iVyKnpSFnQkNHnqCoUOkP9TI3oC9CZshrCtisGBlnfuVF +mh31W0qRLQfQr/w+NZH06EG07Ft/QRz3BG54j7x5R8VZp5g1wxk6BvBTD+HnKyhA +rMAJL0JDDFYjCWIG6cIPJ2uQCYr+au3Dy7pMvgyvpDBcYJC6QfqL/DmtlS+Bi+m6 +2Nsf6ZVHpZDXKrlI4+kWWSqufgzm/wzz5ZEVs5f8RpPsoeOTX+VMOu2LpvHztsmv +QfojLeYclqBIhhqdmeRoCzszlD2YwR/ISIEyanzGUQagcr2KABMKxhdG5DxEQtju +wgM0zz4hE8lPqyfeHLvTRKPZ/IzqYiDu038sHxtAbtKv+4GvUjk0QeOZzvUEwqWX +6xYYxv1GRpdqJht6GCdH8jqxvfEhZ6aY5W+51sERy87uQzLzMbM108gdSpfQ5xY= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_07.pem b/v3/testdata/subject_rdn_order_ok_07.pem new file mode 100644 index 000000000..3ae297ff5 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_07.pem 
@@ -0,0 +1,91 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2032570151512653799 (0x1c3523c8a5f93fe7) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 13:44:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + a1:49:74:57:6e:4d:64:95:5e:9e:a5:03:98:2a:87:e2:2d:3f: + b5:c2:67:8d:d6:13:d2:ba:0f:c5:e0:8c:6b:fe:1a:66:49:7d: + f3:c7:6c:ef:68:91:d7:0e:7b:a0:71:dd:9e:33:36:8a:04:09: + c9:ce:ab:fb:c3:f2:39:82:e3:f3:44:17:b0:31:a4:8a:27:73: + 60:31:9f:de:7a:6a:8a:da:44:9e:70:e1:37:37:12:55:99:37: + 10:81:79:06:d0:7e:02:0d:8b:0d:8f:eb:1d:e3:08:9c:04:70: + 1b:31:f0:53:a6:08:3f:6c:20:8d:0b:51:eb:f4:96:7c:96:e6: + 54:34:86:bf:7e:75:c8:09:e7:ff:78:7c:35:69:ac:f1:0b:33: + 53:2c:3a:a1:66:05:35:61:81:82:4f:c8:2d:7d:a8:0e:04:76: + 
49:20:c7:1e:85:c8:2d:c4:45:ae:0b:d2:d1:54:b2:3e:48:1c: + e7:b5:fb:34:ae:dd:1e:4f:83:30:0a:18:82:47:2b:2c:ce:44: + 79:27:fc:a6:e9:08:a7:74:5c:c0:e2:9f:c4:2d:df:e8:9d:fb: + e5:33:b2:06:26:9f:60:b6:eb:05:d0:21:de:e9:02:9a:79:5b: + 3e:29:db:f7:b5:73:89:d1:f6:d7:39:a4:45:0a:82:e9:c1:06: + 4d:2b:6d:fe:16:b3:4d:11:7e:12:2e:19:89:9e:05:1d:d5:ae: + 7b:17:3a:75:c7:3e:17:33:d4:35:23:63:20:bd:ea:6e:57:52: + ba:d7:55:45:67:0b:b5:55:82:d1:f2:4f:20:21:b7:8a:49:7b: + 43:37:a7:5c:7c:1f:67:83:15:bf:ff:22:c8:da:06:8d:fb:11: + 06:7b:7c:b8:9b:2f:bf:0e:91:a7:c8:7e:e8:a9:68:6c:09:b5: + f0:b9:86:ce:12:12:3d:ef:9f:45:1e:e0:b8:eb:23:d9:39:b3: + 7d:99:e9:92:3e:83:84:88:2d:ae:81:71:ff:af:20:a5:fd:ad: + d3:00:40:64:fb:58:77:80:7a:07:7b:29:20:bc:9f:51:29:ad: + 72:72:8a:03:03:dd:c5:51:ec:f9:8f:a7:9e:2e:ad:3e:e9:b2: + 24:c7:af:46:81:01:0d:7a:f2:41:1b:b3:4d:97:52:ca:c0:e9: + ed:74:c1:e3:27:d5:e3:48:55:1e:95:2a:25:b8:f8:c8:ba:8d: + 90:0a:6d:d1:ec:37:9e:63:04:d2:ae:33:aa:29:42:07:e7:37: + be:24:be:be:65:30:cd:c2:e3:a0:b4:d5:bb:81:e1:03:7a:fd: + 91:96:2b:69:e9:e9:57:64:e1:52:19:fd:7c:8c:a7:a6:08:d8: + 6c:da:c3:8c:1d:0e:3e:35 +-----BEGIN CERTIFICATE----- +MIIEKzCCAhOgAwIBAgIIHDUjyKX5P+cwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTM0NDAwWhcNMjUwMzA4MDg1 +MDAwWjAWMRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMEKgWAh53uj7G/k4PwvYUeIaQFYm6OJmAtCF0eHh7IOH3Qi +KOXPmtJ/JttPHeiNGfrN5t1MwNo4k/a/6PSdHwDIv8v1T7D6wyTOLwQ7+ifdjDv3 +RAmJFhkOlQqN6w5UP4HA52Kw2WtaiZN4CNuMGD0kgWsuuf8NWnEkt1MfwpZXzUmY +tiE1R2uDGS2pS+IXor0eqxZP1JqbAdjhv9UndfIJeGMbJF4t/mb6MpZgUZxGDguq +6Fci1BY4EZbQ/mNW8eh+65l1zkvS4vlxJmIxKgNdtNQE+zOfNN6hOYXPSNChFtWV +xyA4uiTZ3pgxAQscvm67Fg31BkIngklXMvNnAqsCAwEAAaMXMBUwEwYDVR0lBAww +CgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBAKFJdFduTWSVXp6lA5gqh+It +P7XCZ43WE9K6D8XgjGv+GmZJffPHbO9okdcOe6Bx3Z4zNooECcnOq/vD8jmC4/NE 
+F7AxpIonc2Axn956aoraRJ5w4Tc3ElWZNxCBeQbQfgINiw2P6x3jCJwEcBsx8FOm +CD9sII0LUev0lnyW5lQ0hr9+dcgJ5/94fDVprPELM1MsOqFmBTVhgYJPyC19qA4E +dkkgxx6FyC3ERa4L0tFUsj5IHOe1+zSu3R5PgzAKGIJHKyzORHkn/KbpCKd0XMDi +n8Qt3+id++UzsgYmn2C26wXQId7pApp5Wz4p2/e1c4nR9tc5pEUKgunBBk0rbf4W +s00RfhIuGYmeBR3VrnsXOnXHPhcz1DUjYyC96m5XUrrXVUVnC7VVgtHyTyAht4pJ +e0M3p1x8H2eDFb//IsjaBo37EQZ7fLibL78OkafIfuipaGwJtfC5hs4SEj3vn0Ue +4LjrI9k5s32Z6ZI+g4SILa6Bcf+vIKX9rdMAQGT7WHeAegd7KSC8n1EprXJyigMD +3cVR7PmPp54urT7psiTHr0aBAQ168kEbs02XUsrA6e10weMn1eNIVR6VKiW4+Mi6 +jZAKbdHsN55jBNKuM6opQgfnN74kvr5lMM3C46C01buB4QN6/ZGWK2np6Vdk4VIZ +/XyMp6YI2Gzaw4wdDj41 +-----END CERTIFICATE----- From 3bd2334ede002f24b01ab7041274c3b99ec4cee2 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Fri, 8 Mar 2024 16:11:45 +0100 Subject: [PATCH 04/29] Add files via upload --- .../cabf_br/lint_invalid_subject_rdn_order.go | 144 +++++++++++++++ .../lint_invalid_subject_rdn_order_test.go | 173 ++++++++++++++++++ 2 files changed, 317 insertions(+) create mode 100644 v3/lints/cabf_br/lint_invalid_subject_rdn_order.go create mode 100644 v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go new file mode 100644 index 000000000..02bbef1d6 --- /dev/null +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go 
@@ -0,0 +1,144 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "crypto/x509/pkix"
+ "encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_invalid_subject_rdn_order",
+ Description: "Subject field attributes (RDNs) SHALL be encoded in a specific order",
+ Citation: "BRs: 7.1.4.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewInvalidSubjectRDNOrder,
+ })
+}
+
+type invalidSubjectRDNOrder struct{}
+
+func NewInvalidSubjectRDNOrder() lint.LintInterface {
+ return &invalidSubjectRDNOrder{}
+}
+
+func (l *invalidSubjectRDNOrder) CheckApplies(c *x509.Certificate) bool {
+ return !util.IsCACert(c)
+}
+
+func getShortOIDName(oid string) string {
+ switch oid {
+ case "2.5.4.3":
+ return "CN"
+ case "2.5.4.4":
+ return "SN"
+ case "2.5.4.6":
+ return "C"
+ case "2.5.4.7":
+ return "L"
+ case "2.5.4.8":
+ return "ST"
+ case "2.5.4.9":
+ return "street"
+ case "2.5.4.10":
+ return "O"
+ case "2.5.4.11":
+ return "OU"
+ case "2.5.4.17":
+ return "postalCode"
+ case "2.5.4.42":
+ return "givenName"
+ case "0.9.2342.19200300.100.1.25":
+ return "DC"
+ default:
+ return ""
+ }
+}
+
+func findElement(arr []string, target string) (int, bool) {
+ for i, value := range arr {
+ if value == target {
+ return i, true
+ }
+ }
+ return -1, false
+}
+
+func checkOrder(actualOrder []string, expectedOrder []string) bool {
+ var prevPosition int
+ prevPosition = 0
+
+ for _, targetElement := range actualOrder {
+ position, found := findElement(expectedOrder, targetElement)
+ if found {
+ if position < prevPosition {
+ return false
+ }
+ prevPosition = position
+ }
+ }
+ return true
+}
+
+func checkSubjectRDNOrder(cert *x509.Certificate) bool {
+
+ rawSubject := cert.RawSubject
+
+ var rdnSequence pkix.RDNSequence
+ _, err := asn1.Unmarshal(rawSubject, &rdnSequence)
+ if err != nil {
+ return false
+ }
+
+ var rdnOrder []string
+
+ for _, rdn := range rdnSequence {
+ for _, atv := range rdn {
+ rdnShortName := getShortOIDName(atv.Type.String())
+ if rdnShortName != "" {
+ rdnOrder = append(rdnOrder, rdnShortName)
+ }
+ }
+ }
+
+ // Expected order of RDNs as per CABF BR section 7.1.4.2
+ expectedRDNOrder := []string{"DC", "C", "ST", "L", "postalCode", "street", "O", "SN", "givenName", "OU", "CN"}
+
+ return checkOrder(rdnOrder, expectedRDNOrder)
+}
+
+func (l *invalidSubjectRDNOrder) Execute(c *x509.Certificate) *lint.LintResult {
+
+ var out lint.LintResult
+
+ if checkSubjectRDNOrder(c) {
+ out.Status = lint.Pass
+ } else {
+ out.Status = lint.Error
+ }
+ return &out
+}
diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go
new file mode 100644
index 000000000..e945ccb0c
--- /dev/null
+++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go
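Review bot: A subject that fails `asn1.Unmarshal` in `checkSubjectRDNOrder` comes back as `lint.Error`, the same result as a genuine ordering violation, and `Execute` never sets `Details`, so the output cannot distinguish a decoding problem from a misordered attribute or say which attribute is misplaced. Returning `lint.Fatal` for the decode failure and naming the offending attribute in `Details` would make the finding actionable; the sketch below adjusts `checkOrder`, `checkSubjectRDNOrder` and `Execute` for that. Separately, attribute types that `getShortOIDName` does not map are skipped, so their position is never checked; a comment on `getShortOIDName` stating that this is intended would help the next reader.

```go
func checkOrder(actualOrder []string, expectedOrder []string) string {
	prevPosition := 0
	for _, name := range actualOrder {
		position, found := findElement(expectedOrder, name)
		if !found {
			continue
		}
		if position < prevPosition {
			return name // first attribute placed after one it must precede
		}
		prevPosition = position
	}
	return ""
}

func checkSubjectRDNOrder(cert *x509.Certificate) (string, error) {
	var rdnSequence pkix.RDNSequence
	if _, err := asn1.Unmarshal(cert.RawSubject, &rdnSequence); err != nil {
		return "", err
	}
	// … unchanged: collect rdnOrder via getShortOIDName, build expectedRDNOrder …
	return checkOrder(rdnOrder, expectedRDNOrder), nil
}

func (l *invalidSubjectRDNOrder) Execute(c *x509.Certificate) *lint.LintResult {
	misplaced, err := checkSubjectRDNOrder(c)
	if err != nil {
		return &lint.LintResult{Status: lint.Fatal, Details: "cannot decode subject: " + err.Error()}
	}
	if misplaced != "" {
		return &lint.LintResult{Status: lint.Error, Details: "subject attribute out of order: " + misplaced}
	}
	return &lint.LintResult{Status: lint.Pass}
}
```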
@@ -0,0 +1,173 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+/*
+ === Proper RDN order test cases
+ subject_rdn_order_ok_01.pem C, ST, L, O, CN
+ subject_rdn_order_ok_02.pem C, ST, L, postalCode, street, O, CN
+ subject_rdn_order_ok_03.pem
+ subject_rdn_order_ok_04.pem DC, DC, C, ST, L, O, CN
+ subject_rdn_order_ok_05.pem C, ST, L, street, O, CN, serialNumber, businessCategory, jurisdictionCountry
+ subject_rdn_order_ok_06.pem C, ST, L, SN, givenName, CN
+ subject_rdn_order_ok_07.pem CN
+
+ === Wrong RDN order test cases
+ subject_rdn_order_ko_01.pem C, ST, L, CN, O
+ subject_rdn_order_ko_02.pem CN, O, L, ST, C
+ subject_rdn_order_ko_03.pem C, ST, L, O, CN, street
+ subject_rdn_order_ko_04.pem C, ST, L, O, CN, DC, DC
+ subject_rdn_order_ko_05.pem C, ST, L, givenName, SN, CN
+ subject_rdn_order_ko_06.pem C, ST, L, street, postalCode, O
+ subject_rdn_order_ko_07.pem CN, C
+*/
+
+func TestInvalidSubjectRDNOrder_OK_01(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_01.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_02(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_02.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_03(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_03.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_04(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_04.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_05(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_05.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_06(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_06.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_07(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_07.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_01(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_01.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_02(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_02.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_03(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_03.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_04(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_04.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_05(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_05.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_06(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_06.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_07(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_07.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
From 95e89c8808fb6789bdecece885ecc8db38c06cd1 Mon Sep 17 00:00:00 2001
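Review bot: The fixture table in the leading comment of lint_invalid_subject_rdn_order_test.go leaves `subject_rdn_order_ok_03.pem` without an attribute list, so a reader cannot tell which case it covers without decoding the certificate. Fill in the row; if the certificate carries an empty subject, say so explicitly, for example `subject_rdn_order_ok_03.pem (empty subject)`. The `ok_05` row also deserves a short remark that serialNumber, businessCategory and jurisdictionCountry follow CN and still pass, which looks intentional but is not stated anywhere.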
From: Adriano Santoni Date: Sat, 9 Mar 2024 07:24:24 +0100 Subject: [PATCH 05/29] Update lint_invalid_subject_rdn_order_test.go Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment --- v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go index e945ccb0c..20613a72b 100644 --- a/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go @@ -26,6 +26,7 @@ import ( "github.com/zmap/zlint/v3/test" ) +//nolint:all /* === Proper RDN order test cases subject_rdn_order_ok_01.pem C, ST, L, O, CN From 7230486e1fbbc7cbfceb4fe79a6688f8bfe54427 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sat, 9 Mar 2024 07:32:41 +0100 Subject: [PATCH 06/29] Update lint_invalid_subject_rdn_order.go Fixed import block --- v3/lints/cabf_br/lint_invalid_subject_rdn_order.go | 1 + 1 file changed, 1 insertion(+) diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go index 02bbef1d6..89f453090 100644 --- a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go @@ -22,6 +22,7 @@ package cabf_br import ( "crypto/x509/pkix" "encoding/asn1" + "github.com/zmap/zcrypto/x509" "github.com/zmap/zlint/v3/lint" "github.com/zmap/zlint/v3/util" From 36682ed27fdadfc8722dd97dcdce638058b3cf67 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sun, 10 Mar 2024 08:05:38 +0100 Subject: [PATCH 07/29] Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go Fine to me. Co-authored-by: Christopher Henderson --- v3/lints/cabf_br/lint_invalid_subject_rdn_order.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
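Review bot: `//nolint:all`, added above the fixture-table comment in lint_invalid_subject_rdn_order_test.go, suppresses every linter for whatever golangci-lint attaches the directive to, while the commit message names only the duplicate-word complaint. Naming the linter and giving a reason keeps the other checks active, presumably `//nolint:dupword // fixture table repeats attribute names`. The comment block it precedes continues outside the hunk.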
diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go index 89f453090..7fec7bf7a 100644 --- a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go @@ -48,7 +48,7 @@ func NewInvalidSubjectRDNOrder() lint.LintInterface { } func (l *invalidSubjectRDNOrder) CheckApplies(c *x509.Certificate) bool { - return !util.IsCACert(c) + return util.IsSubscriberCert(c) } func getShortOIDName(oid string) string { From fc81eceea08c9cb2620139fb7a537ce3fff652d1 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sun, 10 Mar 2024 08:17:25 +0100 Subject: [PATCH 08/29] Update lint_invalid_subject_rdn_order.go As per Chris Henderson's suggestion, to "improve readability". --- .../cabf_br/lint_invalid_subject_rdn_order.go | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go index 7fec7bf7a..b4710e205 100644 --- a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go @@ -53,28 +53,28 @@ func (l *invalidSubjectRDNOrder) CheckApplies(c *x509.Certificate) bool { func getShortOIDName(oid string) string { switch oid { - case "2.5.4.3": - return "CN" - case "2.5.4.4": - return "SN" + case "0.9.2342.19200300.100.1.25": + return "DC" case "2.5.4.6": return "C" - case "2.5.4.7": - return "L" case "2.5.4.8": return "ST" + case "2.5.4.7": + return "L" + case "2.5.4.17": + return "postalCode" case "2.5.4.9": return "street" case "2.5.4.10": return "O" - case "2.5.4.11": - return "OU" - case "2.5.4.17": - return "postalCode" + case "2.5.4.4": + return "SN" case "2.5.4.42": return "givenName" - case "0.9.2342.19200300.100.1.25": - return "DC" + case "2.5.4.11": + return "OU" + case "2.5.4.3": + return "CN" default: return "" } From 9e54f087e13d06035117b33d5368f8c82ca16033 Mon Sep 17 00:00:00 2001 
From: Adriano Santoni Date: Sun, 10 Mar 2024 08:32:42 +0100 Subject: [PATCH 09/29] Update lint_invalid_subject_rdn_order_test.go As per Chris Henderson's suggestion. --- .../lint_invalid_subject_rdn_order_test.go | 190 +++++++----------- 1 file changed, 69 insertions(+), 121 deletions(-) diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go index 20613a72b..3aa634a42 100644 --- a/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go 
@@ -47,128 +47,76 @@ import ( subject_rdn_order_ko_07.pem CN, C */ -func TestInvalidSubjectRDNOrder_OK_01(t *testing.T) { - inputPath := "subject_rdn_order_ok_01.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) +func TestInvalidSubjectRDNOrder(t *testing.T) { + type Data struct { + input string + want lint.LintStatus } -} - -func TestInvalidSubjectRDNOrder_OK_02(t *testing.T) { - inputPath := "subject_rdn_order_ok_02.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_OK_03(t *testing.T) { - inputPath := "subject_rdn_order_ok_03.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) + data := []Data{ + { + input: "subject_rdn_order_ok_01.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_02.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_03.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_04.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_05.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_06.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_07.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ko_01.pem", + want: lint.Error, + }, + { + input: "subject_rdn_order_ko_02.pem", + want: lint.Error, + }, + { + input: "subject_rdn_order_ko_03.pem", + want: lint.Error, + }, + { + input: "subject_rdn_order_ko_04.pem", + want: lint.Error, + }, + { + input: "subject_rdn_order_ko_05.pem", + want: lint.Error, + }, + { + input: "subject_rdn_order_ko_06.pem", + want: lint.Error, + }, + { + input: 
"subject_rdn_order_ko_07.pem", + want: lint.Error, + }, } -} - -func TestInvalidSubjectRDNOrder_OK_04(t *testing.T) { - inputPath := "subject_rdn_order_ok_04.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_OK_05(t *testing.T) { - inputPath := "subject_rdn_order_ok_05.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_OK_06(t *testing.T) { - inputPath := "subject_rdn_order_ok_06.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_OK_07(t *testing.T) { - inputPath := "subject_rdn_order_ok_07.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_01(t *testing.T) { - inputPath := "subject_rdn_order_ko_01.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_02(t *testing.T) { - inputPath := "subject_rdn_order_ko_02.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_03(t *testing.T) { - inputPath := "subject_rdn_order_ko_03.pem" - expected := lint.Error - out := 
test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_04(t *testing.T) { - inputPath := "subject_rdn_order_ko_04.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_05(t *testing.T) { - inputPath := "subject_rdn_order_ko_05.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_06(t *testing.T) { - inputPath := "subject_rdn_order_ko_06.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_07(t *testing.T) { - inputPath := "subject_rdn_order_ko_07.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) + for _, testData := range data { + testData := testData + t.Run(testData.input, func(t *testing.T) { + out := test.TestLint("e_invalid_subject_rdn_order", testData.input) + if out.Status != testData.want { + t.Errorf("expected %s, got %s", testData.want, out.Status) + } + }) } } From 8ca486a720dbf7849e4ee2cb8648b7ffdf83920e Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sat, 30 Mar 2024 11:27:26 +0100 Subject: [PATCH 10/29] Update time.go Added CABFEV_Sec9_2_8_Date --- v3/util/time.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/v3/util/time.go b/v3/util/time.go index b702449ce..3a385e6bb 100644 --- a/v3/util/time.go 
+++ b/v3/util/time.go @@ -82,6 +82,8 @@ var ( CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC) // Updates to the CABF BRs and EVGLs from Ballot SC 062 https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/ SC62EffectiveDate = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC) + // Date when section 9.2.8 of CABF EVG became effective + CABFEV_Sec9_2_8_Date = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC) ) var ( From 1df8c9b16a9e91593859010fae5d316f5b2e5277 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sat, 30 Mar 2024 11:29:20 +0100 Subject: [PATCH 11/29] Add files via upload --- v3/testdata/orgid_subj_and_ext_ko_01.pem | 106 +++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ko_02.pem | 105 ++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ko_03.pem | 105 ++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ok_01.pem | 106 +++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ok_02.pem | 106 +++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ok_03.pem | 106 +++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ok_04.pem | 102 ++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ok_05.pem | 102 ++++++++++++++++++++++ 8 files changed, 838 insertions(+) create mode 100644 v3/testdata/orgid_subj_and_ext_ko_01.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ko_02.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ko_03.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ok_01.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ok_02.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ok_03.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ok_04.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ok_05.pem diff --git a/v3/testdata/orgid_subj_and_ext_ko_01.pem b/v3/testdata/orgid_subj_and_ext_ko_01.pem new file mode 100644 index 000000000..87b75afd7 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ko_01.pem 
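Review bot: The comment added for `CABFEV_Sec9_2_8_Date` in v3/util/time.go names the EVG section but not the guideline version or ballot behind 31 January 2020, unlike the `SC62EffectiveDate` comment directly above it, which links its ballot. A lint that uses this value as its effective date would not apply to earlier certificates, so the date should be easy to verify. Extend the comment along the lines of `// Date when section 9.2.8 of the CABF EVGs became effective (EVG <version>, ballot <id>: <url>)` with the real reference filled in. The enclosing `var (` block starts and ends outside the hunk.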
@@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 8f:c6:55:69:97:15:5a:40:79:c6:1d:e4:22:21:72:ca + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 29 14:59:53 2024 GMT + Not After : Mar 29 14:59:53 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = "NTRUS+CA-1234567890" + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b3:75:b6:18:05:68:18:12:6e:97:c2:8a:75:a9: + d7:90:fb:51:d1:84:39:e6:b7:6c:97:2c:82:17:42: + e7:b2:a4:4a:a9:b7:80:d8:38:07:3c:f4:b2:8f:78: + 3d:1c:36:0d:aa:f2:e8:0a:1f:6d:c7:3c:70:7a:26: + 1f:c4:ba:e5:02:e1:6b:cc:9e:23:6e:b0:67:67:3a: + 5e:92:58:d5:db:99:84:08:6d:44:11:f4:97:f9:c6: + 10:29:4b:8b:8a:65:b0:55:c7:74:2d:f7:96:9a:3f: + 9a:d9:bb:3e:76:88:ae:77:07:33:36:59:65:88:cd: + d0:8d:7f:45:90:db:ef:ef:9e:f7:12:69:86:92:6b: + e5:7d:a1:8c:62:ce:16:07:53:df:91:a8:2f:ab:97: + b0:dd:9a:1d:3e:b5:b4:b7:c8:8d:3e:3e:9e:3c:d7: + 33:df:63:fb:c1:4c:eb:ca:03:c6:3a:89:9f:f1:d1: + a0:28:c9:54:58:20:38:bd:45:09:ea:47:38:39:ae: + b5:3a:46:e8:bf:4f:f8:03:dd:33:28:0c:60:a7:39: + ed:86:4d:a4:7a:61:4d:e3:80:1a:30:96:95:72:44: + 42:8d:42:14:f4:3b:86:94:17:f5:12:ea:e7:09:da: + 7d:02:2d:a2:e4:5b:75:3a:c4:f1:97:d3:f7:aa:ba: + d3:db + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + E7:D3:82:87:FB:05:52:CE:5B:2E:67:3A:92:B3:52:B6:4A:B9:C9:84 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - 
URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...NTR..US. +1234567890 + Signature Algorithm: sha256WithRSAEncryption + 0d:ec:f2:c8:ed:e5:0f:eb:e6:2f:24:c1:01:7a:de:3a:ea:9b: + ea:d3:c8:51:25:fa:42:2c:1c:37:55:d1:66:a3:21:55:c8:af: + 0a:b7:20:10:70:31:7e:2c:8a:c2:67:04:3e:36:55:64:be:48: + 7c:21:01:60:2b:17:25:cd:29:24:3f:f1:70:1c:d4:96:b7:02: + 4e:12:72:e8:fb:80:09:b1:0f:4b:3d:e7:e8:13:02:ba:79:fc: + 83:e7:29:f6:91:a0:79:57:b1:72:6d:b0:b4:dc:3b:54:ea:83: + bc:e0:7b:d6:b3:85:ea:50:e7:dd:0c:b5:02:d0:13:c3:ca:e1: + cc:49:d5:f9:40:d8:74:a1:a2:9b:12:81:c7:40:36:9a:16:26: + d1:44:24:4e:4e:ec:8a:89:79:b0:3b:39:1f:6d:c7:c7:41:dd: + 2a:10:10:b5:27:34:9f:24:d2:e2:2c:9d:8d:ba:ae:c1:58:d8: + 28:d0:39:74:24:f6:94:1b:41:b3:4a:98:6c:d7:6f:4e:87:5f: + 76:eb:33:a5:7e:9b:bb:46:9b:b9:a3:ef:f8:ae:6f:bb:46:72: + f2:5d:c3:c5:ef:90:ed:cc:dc:f4:da:22:ba:24:47:9f:0f:c3: + 79:7b:9f:3b:48:ee:1c:e2:f7:7c:82:f3:f8:49:d0:a3:3d:c8: + 98:ff:a5:27 +-----BEGIN CERTIFICATE----- +MIIE7TCCA9WgAwIBAgIRAI/GVWmXFVpAecYd5CIhcsowDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwMzI5MTQ1OTUzWhcNMjUwMzI5MTQ1 +OTUzWjCBxjELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEcMBoGA1UEYRMTTlRSVVMr +Q0EtMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALN1 +thgFaBgSbpfCinWp15D7UdGEOea3bJcsghdC57KkSqm3gNg4Bzz0so94PRw2Dary +6Aofbcc8cHomH8S65QLha8yeI26wZ2c6XpJY1duZhAhtRBH0l/nGEClLi4plsFXH +dC33lpo/mtm7PnaIrncHMzZZZYjN0I1/RZDb7++e9xJphpJr5X2hjGLOFgdT35Go +L6uXsN2aHT61tLfIjT4+njzXM99j+8FM68oDxjqJn/HRoCjJVFggOL1FCepHODmu 
+tTpG6L9P+APdMygMYKc57YZNpHphTeOAGjCWlXJEQo1CFPQ7hpQX9RLq5wnafQIt +ouRbdTrE8ZfT96q609sCAwEAAaOCAVYwggFSMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFOfTgof7BVLOWy5n +OpKzUrZKucmEMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsG +AQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29t +L29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290 +MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1UdIAQLMAkwBwYFZ4EMAQEwLQYD +VR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDAgBgVn +gQwDAQQXMBUTA05UUhMCVVMMCjEyMzQ1Njc4OTAwDQYJKoZIhvcNAQELBQADggEB +AA3s8sjt5Q/r5i8kwQF63jrqm+rTyFEl+kIsHDdV0WajIVXIrwq3IBBwMX4sisJn +BD42VWS+SHwhAWArFyXNKSQ/8XAc1Ja3Ak4Scuj7gAmxD0s95+gTArp5/IPnKfaR +oHlXsXJtsLTcO1Tqg7zge9azhepQ590MtQLQE8PK4cxJ1flA2HShopsSgcdANpoW +JtFEJE5O7IqJebA7OR9tx8dB3SoQELUnNJ8k0uIsnY26rsFY2CjQOXQk9pQbQbNK +mGzXb06HX3brM6V+m7tGm7mj7/iub7tGcvJdw8XvkO3M3PTaIrokR58Pw3l7nztI +7hzi93yC8/hJ0KM9yJj/pSc= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ko_02.pem b/v3/testdata/orgid_subj_and_ext_ko_02.pem new file mode 100644 index 000000000..ff59d088d --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ko_02.pem 
@@ -0,0 +1,105 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 6b:70:9d:94:0f:c0:e9:1d:88:03:8f:66:11:8f:50:08 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 30 10:05:55 2024 GMT + Not After : Mar 30 10:05:55 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = PSDAT-FMA-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b2:4c:9f:31:9b:46:04:07:94:6c:a8:5d:af:8e: + 29:4b:52:7d:e4:d7:d2:42:dd:6f:c4:88:04:e4:d9: + 97:c6:70:08:a9:fb:ed:16:0e:61:cc:e1:01:05:b4: + 46:ef:6c:34:4f:3b:d5:f4:37:3d:d8:bb:3e:9e:a6: + 9c:ca:af:d7:f0:cc:bb:07:94:cf:23:ce:49:ef:5e: + 1a:0b:fa:65:e3:b2:f6:3f:a1:dd:48:6f:d9:fa:d7: + 27:50:29:c6:08:88:f3:3f:58:90:ad:04:81:84:de: + c1:98:75:df:23:23:fe:c4:8a:af:b5:62:69:2e:3a: + f7:8c:61:e7:8d:ad:df:51:48:0d:66:a1:4b:53:5a: + 59:d7:ba:50:6c:70:af:12:a6:32:9e:f6:39:ab:c1: + da:15:68:11:ec:c1:e6:77:d4:15:cb:4a:e8:16:61: + de:06:26:40:02:7f:15:fb:59:7f:ce:7c:2c:35:f8: + e4:b7:a7:55:46:78:b8:42:aa:16:a3:30:44:88:70: + f1:ea:6e:d2:97:04:e4:ef:8f:4a:13:f8:29:12:16: + 47:cb:c1:50:eb:6f:25:74:fc:82:99:3e:6b:c4:b6: + 33:0a:88:7e:8a:84:10:f9:2a:0e:65:aa:a6:d3:22: + 93:33:c2:00:d2:a3:91:e1:f5:16:67:79:59:92:fa: + ce:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 17:A9:69:84:98:F1:C5:E5:86:9F:A7:59:4E:50:C9:F1:99:09:5C:49 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - 
URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...PSD..AT..FMA-123-456-7890 + Signature Algorithm: sha256WithRSAEncryption + 69:13:c5:02:22:37:2e:24:0d:79:bc:d1:7a:46:ef:3f:2b:b6: + 29:f9:a4:72:08:58:cc:f1:79:e3:b0:c7:fc:7c:ec:24:82:6f: + de:0b:44:ba:66:d5:b7:00:81:0e:14:26:e7:41:55:f1:51:26: + 25:d2:65:7c:35:9a:ef:d2:76:38:e8:7c:bd:79:12:8b:c9:43: + ef:bf:0b:62:c0:98:fc:96:ef:9c:d3:af:83:34:53:19:b9:07: + d7:f4:b4:d0:86:8b:51:25:70:f8:53:6c:f4:b2:5c:1d:52:f5: + 26:8a:f1:79:ef:dc:3b:a6:51:fa:e8:94:cb:70:c4:80:52:b6: + 54:a0:71:84:0b:4f:da:f8:e2:e4:37:10:0a:8c:fe:1c:8b:c3: + f9:03:21:92:45:bd:a6:86:68:9e:ad:41:6d:9f:e5:ab:a0:85: + 47:45:8c:8f:a2:b1:af:28:e5:d8:e9:ce:2a:22:d3:1d:8e:08: + 8d:5b:8c:26:47:27:99:a0:77:ad:48:52:54:14:a4:e4:1f:69: + 29:d2:43:d8:d6:c0:fd:01:05:0e:d0:3e:37:f5:7d:31:af:ed: + 5d:e4:ef:83:64:e6:c7:61:9e:13:ac:b9:0b:be:ab:fe:a2:ac: + fd:99:ab:fb:9c:37:e2:63:c3:c8:df:d8:b4:5d:0c:a6:8f:dd: + 9d:92:3e:0a +-----BEGIN CERTIFICATE----- +MIIE8zCCA9ugAwIBAgIQa3CdlA/A6R2IA49mEY9QCDANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDAzMzAxMDA1NTVaFw0yNTAzMzAxMDA1 +NTVaMIHHMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMR0wGwYDVQRhExRQU0RBVC1G +TUEtMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJM +nzGbRgQHlGyoXa+OKUtSfeTX0kLdb8SIBOTZl8ZwCKn77RYOYczhAQW0Ru9sNE87 +1fQ3Pdi7Pp6mnMqv1/DMuweUzyPOSe9eGgv6ZeOy9j+h3Uhv2frXJ1ApxgiI8z9Y +kK0EgYTewZh13yMj/sSKr7ViaS4694xh542t31FIDWahS1NaWde6UGxwrxKmMp72 +OavB2hVoEezB5nfUFctK6BZh3gYmQAJ/FftZf858LDX45LenVUZ4uEKqFqMwRIhw 
+8epu0pcE5O+PShP4KRIWR8vBUOtvJXT8gpk+a8S2MwqIfoqEEPkqDmWqptMikzPC +ANKjkeH1Fmd5WZL6zqsCAwEAAaOCAVwwggFYMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFBepaYSY8cXlhp+n +WU5QyfGZCVxJMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsG +AQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29t +L29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290 +MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1UdIAQLMAkwBwYFZ4EMAQEwLQYD +VR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDAmBgVn +gQwDAQQdMBsTA1BTRBMCQVQMEEZNQS0xMjMtNDU2LTc4OTAwDQYJKoZIhvcNAQEL +BQADggEBAGkTxQIiNy4kDXm80XpG7z8rtin5pHIIWMzxeeOwx/x87CSCb94LRLpm +1bcAgQ4UJudBVfFRJiXSZXw1mu/SdjjofL15EovJQ++/C2LAmPyW75zTr4M0Uxm5 +B9f0tNCGi1ElcPhTbPSyXB1S9SaK8Xnv3DumUfrolMtwxIBStlSgcYQLT9r44uQ3 +EAqM/hyLw/kDIZJFvaaGaJ6tQW2f5aughUdFjI+isa8o5djpzioi0x2OCI1bjCZH +J5mgd61IUlQUpOQfaSnSQ9jWwP0BBQ7QPjf1fTGv7V3k74Nk5sdhnhOsuQu+q/6i +rP2Zq/ucN+Jjw8jf2LRdDKaP3Z2SPgo= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ko_03.pem b/v3/testdata/orgid_subj_and_ext_ko_03.pem new file mode 100644 index 000000000..b42eeacd8 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ko_03.pem 
@@ -0,0 +1,105 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ca:15:64:b2:c2:b9:4e:e3:34:19:f5:29:d4:14:b5:95 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 30 10:08:11 2024 GMT + Not After : Mar 30 10:08:11 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = VATBEE-12345 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a9:c1:f2:44:4a:7c:0c:25:17:4e:be:e6:b2:e8: + 91:ad:67:b5:6a:51:57:66:78:e6:79:3d:db:c9:33: + ef:62:e8:6b:10:cd:91:0c:64:e1:1f:25:24:55:c8: + da:a0:3e:0b:5a:d6:43:bd:1a:49:ea:52:28:64:00: + eb:19:9f:10:b1:30:a8:06:43:50:d9:58:99:b7:89: + ae:ee:e5:6b:fc:41:d9:67:b4:6a:4d:c2:34:ad:fa: + 06:31:aa:14:03:3a:b9:c8:d9:06:1e:df:8c:6d:f5: + 6c:c9:4e:63:64:7f:58:3d:ca:fe:e3:ab:6e:47:8c: + f9:5e:41:ca:3d:f4:20:06:ba:1c:ca:65:97:86:aa: + 9f:6f:67:1d:b2:f7:fe:92:b2:4b:c1:f1:70:8d:8f: + 6c:23:d7:42:4d:34:7b:b1:13:e6:a7:84:85:a8:b1: + c4:9f:9d:08:af:08:77:7d:c9:50:4a:77:8a:22:de: + d6:db:40:f5:f3:53:88:71:7b:4b:e1:5b:08:b1:e1: + 00:ec:bd:c4:14:5c:60:8a:14:1b:21:ff:dd:ac:6b: + b5:a1:a3:85:cf:a4:96:54:76:02:90:85:06:ec:e4: + b1:08:75:10:a8:ed:44:03:76:25:77:0b:2b:d3:9f: + 6c:15:81:a1:37:a1:62:1a:69:b8:e7:26:69:98:1e: + e0:6f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 5D:EB:2E:60:D6:D1:B3:AB:5C:F4:21:31:B5:D1:68:88:50:CF:D2:AA + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + 
X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...VAT..BE..12345 + Signature Algorithm: sha256WithRSAEncryption + 1a:d8:6d:19:8a:9c:f3:30:c5:f0:39:ef:18:a3:ff:ed:d2:b2: + a5:be:21:ff:d2:7d:68:87:19:6b:aa:bf:22:f1:e2:b1:80:89: + c1:b6:73:44:b2:90:7c:cc:1a:e9:4e:e5:bc:9c:85:58:6e:33: + 90:69:56:88:bc:f6:ed:03:36:7f:72:c2:9e:77:3c:77:6e:6c: + bb:32:09:33:1f:61:eb:92:40:96:c9:01:a4:d6:56:91:cb:9a: + b4:a8:33:c6:ba:bd:94:44:42:5f:74:c4:fa:1f:c6:46:d4:d8: + 0c:dd:09:1e:96:e7:70:45:29:30:ef:c0:a9:33:5e:ce:84:d8: + d2:0f:79:31:e1:01:01:c7:6e:d1:4b:2e:ff:55:19:a0:e2:a5: + a4:fc:82:90:5e:e9:bc:c9:bc:01:69:8d:26:5b:fd:47:f8:1e: + 13:e0:29:8a:88:c7:10:21:2b:67:41:52:a1:4d:5a:e4:28:9d: + 76:c2:ee:bc:99:a9:a9:4c:48:f9:68:3f:69:25:00:91:c2:3d: + 83:4a:2e:ff:b1:e7:a2:4b:31:12:d4:53:a6:9d:41:4f:8b:49: + d2:b6:b5:88:e6:2b:02:aa:4a:e2:50:a0:fa:0b:96:76:3c:59: + a6:a7:a0:bc:2b:a2:e4:e7:1f:60:7d:3c:53:cc:23:0e:a1:dc: + 23:70:4c:50 +-----BEGIN CERTIFICATE----- +MIIE4TCCA8mgAwIBAgIRAMoVZLLCuU7jNBn1KdQUtZUwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwMzMwMTAwODExWhcNMjUwMzMwMTAw +ODExWjCBvzELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEVMBMGA1UEYRMMVkFUQkVF +LTEyMzQ1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqcHyREp8DCUX +Tr7msuiRrWe1alFXZnjmeT3byTPvYuhrEM2RDGThHyUkVcjaoD4LWtZDvRpJ6lIo +ZADrGZ8QsTCoBkNQ2ViZt4mu7uVr/EHZZ7RqTcI0rfoGMaoUAzq5yNkGHt+MbfVs +yU5jZH9YPcr+46tuR4z5XkHKPfQgBrocymWXhqqfb2cdsvf+krJLwfFwjY9sI9dC +TTR7sRPmp4SFqLHEn50Irwh3fclQSneKIt7W20D181OIcXtL4VsIseEA7L3EFFxg +ihQbIf/drGu1oaOFz6SWVHYCkIUG7OSxCHUQqO1EA3Yldwsr059sFYGhN6FiGmm4 
+5yZpmB7gbwIDAQABo4IBUTCCAU0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG +CCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUXesuYNbRs6tc9CExtdFoiFDP +0qowHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYIKwYBBQUHAQEE +WDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vb2NzcDAp +BggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jvb3QwFgYDVR0R +BA8wDYILZXhhbXBsZS5jb20wEgYDVR0gBAswCTAHBgVngQwBATAtBgNVHR8EJjAk +MCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMBsGBWeBDAMBBBIw +EBMDVkFUEwJCRQwFMTIzNDUwDQYJKoZIhvcNAQELBQADggEBABrYbRmKnPMwxfA5 +7xij/+3SsqW+If/SfWiHGWuqvyLx4rGAicG2c0SykHzMGulO5bychVhuM5BpVoi8 +9u0DNn9ywp53PHdubLsyCTMfYeuSQJbJAaTWVpHLmrSoM8a6vZREQl90xPofxkbU +2AzdCR6W53BFKTDvwKkzXs6E2NIPeTHhAQHHbtFLLv9VGaDipaT8gpBe6bzJvAFp +jSZb/Uf4HhPgKYqIxxAhK2dBUqFNWuQonXbC7ryZqalMSPloP2klAJHCPYNKLv+x +56JLMRLUU6adQU+LSdK2tYjmKwKqSuJQoPoLlnY8WaanoLwrouTnH2B9PFPMIw6h +3CNwTFA= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ok_01.pem b/v3/testdata/orgid_subj_and_ext_ok_01.pem new file mode 100644 index 000000000..51e477122 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ok_01.pem 
@@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c7:57:87:54:50:2f:fb:c8:d4:74:2d:7c:6e:71:a6:92 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 29 13:31:00 2024 GMT + Not After : Mar 29 13:31:00 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = VATIT-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:e9:67:65:8b:3c:82:79:e9:43:31:3a:80:4b:d8: + 0e:43:b8:a5:fd:fa:25:3c:57:41:1e:7e:bb:f8:ff: + 11:cc:64:97:57:a4:a2:46:f1:ef:fe:6f:cd:71:c1: + a7:10:34:4f:15:13:05:1b:fc:dc:fe:1b:45:13:d9: + d3:69:4d:7a:a4:72:53:f1:64:32:fb:16:34:df:9f: + 25:47:1f:cb:25:5f:01:3d:7f:3d:49:c1:0b:7f:a4: + e0:a9:aa:4a:9e:30:c2:4c:1d:fe:41:a8:09:7a:c9: + 6b:11:22:36:8c:df:db:d1:ec:cc:03:fd:a4:92:6b: + 6f:5f:24:6d:f3:e6:a1:b2:a8:31:09:72:2b:bd:cb: + 0e:f7:26:9b:be:56:66:d2:c3:58:26:29:9c:ec:d4: + f7:e0:65:c2:c0:78:32:05:6e:6d:e1:2c:61:f0:5b: + 9b:a3:f4:05:0a:1e:49:c3:cf:60:10:a5:32:b1:1a: + 55:32:bc:28:4f:15:5f:bf:3a:ac:21:9c:2f:20:94: + d0:4d:4a:f4:0d:63:06:4c:b3:c7:8c:ac:bb:3e:a9: + 6e:b6:07:32:60:c2:27:bb:c0:9a:70:b2:73:43:62: + a5:d5:64:52:4d:d7:e5:46:20:0f:53:a6:d3:1d:9d: + da:7d:ad:e6:6d:dd:bf:60:14:78:11:db:f2:34:3a: + ba:55 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 10:CB:CA:80:71:74:B0:06:2B:D7:CA:CC:62:DB:B1:59:2E:DF:C2:E1 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root 
+ + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...VAT..IT. +1234567890 + Signature Algorithm: sha256WithRSAEncryption + 0f:36:91:78:5e:4d:c4:f1:53:b6:8c:e8:4e:05:de:ee:70:16: + 73:29:9b:36:e1:5d:72:91:71:2d:79:44:9b:4b:9a:da:01:54: + 2c:f7:43:cb:49:a4:aa:2c:f9:e6:0d:1a:a3:49:4a:e0:a3:ba: + 40:b9:76:0a:bf:b5:b4:db:91:3b:a5:5a:73:8b:ef:96:f7:40: + 44:b8:92:79:f5:14:03:d7:14:49:ab:09:8d:73:1d:18:89:fb: + b9:25:b7:8b:5e:8f:16:14:17:12:72:f9:9d:b0:a6:98:1b:47: + 26:76:a8:33:02:60:c7:68:ee:3d:f3:95:6e:c7:a3:31:cf:9a: + d8:c1:c3:b5:9d:69:c0:8a:a3:92:cb:8e:4c:e2:25:85:82:d5: + cf:db:10:83:cf:19:11:73:10:a4:a1:65:fb:a0:72:fe:08:a3: + 8d:f3:49:12:36:50:8a:6e:3d:09:b8:73:cb:50:89:55:99:0f: + 2f:33:35:a9:0f:c9:52:7d:e5:23:0a:9d:2d:77:33:9c:5d:e0: + fa:c9:92:6d:66:32:cf:6a:d7:ad:47:2b:b0:fd:e7:b1:70:96: + 36:0b:e7:eb:da:f2:df:79:f1:a0:fe:0a:84:48:a0:b8:d2:36: + d2:74:8e:fc:50:cd:8f:37:02:dc:b4:63:55:ce:46:b0:76:b1: + d8:1a:53:93 +-----BEGIN CERTIFICATE----- +MIIE6jCCA9KgAwIBAgIRAMdXh1RQL/vI1HQtfG5xppIwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwMzI5MTMzMTAwWhcNMjUwMzI5MTMz +MTAwWjCBwzELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEZMBcGA1UEYRMQVkFUSVQt +MTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOlnZYs8 +gnnpQzE6gEvYDkO4pf36JTxXQR5+u/j/Ecxkl1ekokbx7/5vzXHBpxA0TxUTBRv8 +3P4bRRPZ02lNeqRyU/FkMvsWNN+fJUcfyyVfAT1/PUnBC3+k4KmqSp4wwkwd/kGo +CXrJaxEiNozf29HszAP9pJJrb18kbfPmobKoMQlyK73LDvcmm75WZtLDWCYpnOzU +9+BlwsB4MgVubeEsYfBbm6P0BQoeScPPYBClMrEaVTK8KE8VX786rCGcLyCU0E1K +9A1jBkyzx4ysuz6pbrYHMmDCJ7vAmnCyc0NipdVkUk3X5UYgD1Om0x2d2n2t5m3d 
+v2AUeBHb8jQ6ulUCAwEAAaOCAVYwggFSMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE +FjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFBDLyoBxdLAGK9fKzGLb +sVku38LhMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsGAQUF +BwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL29j +c3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290MBYG +A1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1UdIAQLMAkwBwYFZ4EMAQEwLQYDVR0f +BCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDAgBgVngQwD +AQQXMBUTA1ZBVBMCSVQMCjEyMzQ1Njc4OTAwDQYJKoZIhvcNAQELBQADggEBAA82 +kXheTcTxU7aM6E4F3u5wFnMpmzbhXXKRcS15RJtLmtoBVCz3Q8tJpKos+eYNGqNJ +SuCjukC5dgq/tbTbkTulWnOL75b3QES4knn1FAPXFEmrCY1zHRiJ+7klt4tejxYU +FxJy+Z2wppgbRyZ2qDMCYMdo7j3zlW7HozHPmtjBw7WdacCKo5LLjkziJYWC1c/b +EIPPGRFzEKShZfugcv4Io43zSRI2UIpuPQm4c8tQiVWZDy8zNakPyVJ95SMKnS13 +M5xd4PrJkm1mMs9q161HK7D957FwljYL5+va8t958aD+CoRIoLjSNtJ0jvxQzY83 +Aty0Y1XORrB2sdgaU5M= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ok_02.pem b/v3/testdata/orgid_subj_and_ext_ok_02.pem new file mode 100644 index 000000000..bf34b7130 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ok_02.pem 
@@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + f7:27:d7:bd:69:ed:73:0b:8e:65:c8:6d:fa:93:99:43 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 29 13:44:08 2024 GMT + Not After : Mar 29 13:44:08 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = VATIT-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:f0:0f:d1:5d:1d:7c:b3:6d:32:12:91:de:fe:e6: + d0:e1:b1:4a:e8:20:47:7e:2b:90:07:36:57:09:4e: + 69:6e:99:2f:0d:73:0d:87:2e:e0:5d:ff:93:bf:97: + 6c:ed:76:e4:aa:c9:78:94:15:e9:c5:16:5b:a1:29: + 3f:05:93:b0:31:ac:ec:66:91:aa:e7:32:2b:2f:41: + dc:cd:ac:16:84:f6:e7:c3:1b:46:f2:1a:4e:05:3d: + aa:d6:28:a5:0f:30:3d:92:2b:a8:1a:7b:2b:c1:46: + b3:69:c5:aa:53:22:62:38:66:55:94:37:99:7d:29: + 10:32:92:8b:c4:6b:f2:df:20:63:a2:01:a3:7b:33: + 2f:ca:32:07:fd:ee:03:70:15:7e:8a:d5:51:b9:70: + 20:5a:f1:dc:e5:cd:c1:ac:10:01:69:f5:28:4b:9b: + 1f:c0:3b:9f:bb:5a:8d:15:d0:10:ab:b0:b1:be:06: + d7:35:e6:69:1f:49:8e:72:98:98:fd:b0:f5:a4:96: + 93:47:c2:0a:7d:b8:b0:b7:f8:98:e1:50:3a:93:af: + 89:ba:82:27:6f:64:7c:e4:12:6c:ed:cd:99:26:d2: + 00:48:aa:88:80:aa:6d:27:d4:3e:da:6e:81:df:af: + ed:62:71:5c:5c:2e:04:d2:40:41:9e:27:41:a5:83: + 80:a9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 9F:27:0B:BA:3F:95:33:55:C2:00:FA:86:DA:F6:9A:D4:21:E8:34:EF + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root 
+ + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...NTR..IT. +1234567890 + Signature Algorithm: sha256WithRSAEncryption + a8:e4:dc:fb:9d:f5:cd:5e:8c:e4:43:c1:d8:cc:f7:0f:c4:57: + 09:ef:47:15:c4:a4:81:56:13:c3:f1:ae:a7:f0:12:fe:90:97: + da:97:60:b2:32:19:68:b1:19:b4:ec:58:b4:0b:7c:d8:ed:08: + 3b:a5:38:dd:c3:f0:86:6b:c4:7c:24:d5:e3:7f:52:4d:af:c2: + 4c:b2:43:5d:9a:12:e6:11:7d:a3:4e:28:24:39:94:b0:82:2c: + 2a:fc:ef:5f:2e:77:0c:35:f8:26:5d:ef:5d:3c:f2:a0:61:78: + f8:7c:ad:43:73:f7:64:be:ad:6c:6e:a0:6b:3e:14:dd:f7:15: + bf:e3:e0:d9:89:8d:df:73:68:0b:30:ab:31:3c:a6:53:d6:ed: + 0c:39:32:09:ed:aa:ae:65:4a:1f:ce:9b:2d:a7:a1:13:00:a4: + 5a:d1:95:7f:7d:77:31:72:a7:4b:35:e2:9d:ff:d1:45:5f:34: + 01:1f:40:8b:ce:2a:b8:3f:7e:39:6e:23:29:6e:07:d5:f3:d1: + dd:10:07:ef:fc:3d:78:81:2d:23:10:95:1f:89:a0:54:ef:e1: + 1b:bb:22:cf:eb:0d:1a:05:3f:1c:f1:d9:9d:6d:42:f8:a8:b8: + 48:5f:95:82:aa:c3:7e:a5:a5:3f:bf:24:ab:4a:0c:16:43:1d: + 70:37:ca:7c +-----BEGIN CERTIFICATE----- +MIIE6zCCA9OgAwIBAgIRAPcn171p7XMLjmXIbfqTmUMwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwMzI5MTM0NDA4WhcNMjUwMzI5MTM0 +NDA4WjCBwzELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEZMBcGA1UEYRMQVkFUSVQt +MTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPAP0V0d +fLNtMhKR3v7m0OGxSuggR34rkAc2VwlOaW6ZLw1zDYcu4F3/k7+XbO125KrJeJQV +6cUWW6EpPwWTsDGs7GaRqucyKy9B3M2sFoT258MbRvIaTgU9qtYopQ8wPZIrqBp7 +K8FGs2nFqlMiYjhmVZQ3mX0pEDKSi8Rr8t8gY6IBo3szL8oyB/3uA3AVforVUblw +IFrx3OXNwawQAWn1KEubH8A7n7tajRXQEKuwsb4G1zXmaR9JjnKYmP2w9aSWk0fC +Cn24sLf4mOFQOpOvibqCJ29kfOQSbO3NmSbSAEiqiICqbSfUPtpugd+v7WJxXFwu 
+BNJAQZ4nQaWDgKkCAwEAAaOCAVcwggFTMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE +FjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFJ8nC7o/lTNVwgD6htr2 +mtQh6DTvMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsGAQUF +BwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL29j +c3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290MBYG +A1UdEQQPMA2CC2V4YW1wbGUuY29tMBMGA1UdIAQMMAowCAYGZ4EMAQICMC0GA1Ud +HwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9jcmwwIAYFZ4EM +AwEEFzAVEwNOVFITAklUDAoxMjM0NTY3ODkwMA0GCSqGSIb3DQEBCwUAA4IBAQCo +5Nz7nfXNXozkQ8HYzPcPxFcJ70cVxKSBVhPD8a6n8BL+kJfal2CyMhlosRm07Fi0 +C3zY7Qg7pTjdw/CGa8R8JNXjf1JNr8JMskNdmhLmEX2jTigkOZSwgiwq/O9fLncM +NfgmXe9dPPKgYXj4fK1Dc/dkvq1sbqBrPhTd9xW/4+DZiY3fc2gLMKsxPKZT1u0M +OTIJ7aquZUofzpstp6ETAKRa0ZV/fXcxcqdLNeKd/9FFXzQBH0CLziq4P345biMp +bgfV89HdEAfv/D14gS0jEJUfiaBU7+EbuyLP6w0aBT8c8dmdbUL4qLhIX5WCqsN+ +paU/vySrSgwWQx1wN8p8 +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ok_03.pem b/v3/testdata/orgid_subj_and_ext_ok_03.pem new file mode 100644 index 000000000..258a52166 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ok_03.pem 
@@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c2:1d:b7:06:b1:40:2a:f4:e9:15:d7:3c:bf:fd:e5:47 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jan 29 00:00:00 2020 GMT + Not After : Jan 28 00:00:00 2021 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = VATIT-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a6:70:69:9d:8b:34:fb:33:f2:d8:ca:54:4a:d6: + 32:2f:1b:bf:9b:cf:38:2c:9c:30:33:12:19:34:4e: + 1b:ae:df:92:67:a4:65:3c:68:c3:63:06:40:ca:aa: + ca:ce:d2:d9:11:69:b4:db:d3:c8:46:7b:7c:21:6f: + fc:1f:4d:97:c4:0c:5b:74:a6:ed:3a:ea:1a:5f:8d: + 3b:9f:ed:e2:02:96:a9:b6:a3:4b:8f:6a:00:97:cd: + 4a:10:24:28:b2:68:b0:3a:1d:7d:37:44:1a:6a:86: + 44:6e:9e:f6:0c:3e:74:d2:cc:eb:fc:88:4a:3b:67: + fa:f8:a4:77:fd:a3:69:1d:bc:02:62:60:7f:a3:b3: + 92:c0:ec:07:1c:5b:70:be:54:73:fb:44:8d:12:32: + 96:f6:ec:28:32:4b:5a:a5:d4:1b:e9:e3:2e:fb:0b: + b0:6b:13:e6:84:ce:74:7f:cc:bf:40:cb:d7:ab:df: + 7b:c1:d9:a7:33:5e:e3:e8:57:95:b7:ce:3c:52:a7: + 18:38:c0:05:15:18:c0:4f:4c:42:5f:97:03:f6:fd: + 12:d4:6e:51:d8:da:d0:af:3b:fd:e4:74:ba:5c:ae: + 30:7e:d4:04:16:cb:56:2a:50:8e:28:2c:ef:33:ca: + e0:09:20:1d:b0:1e:e6:3d:bf:c0:b5:7a:74:c1:d3: + f2:f9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 08:5F:A7:9D:24:99:DD:23:49:03:66:4D:CC:18:D6:72:87:B5:9D:9D + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root 
+ + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...VAT..BE. +1234567890 + Signature Algorithm: sha256WithRSAEncryption + 91:c2:e0:45:ff:c7:d2:b2:ca:49:ae:bc:84:99:b9:1e:f7:d5: + d3:2b:26:6f:54:af:57:48:fb:d9:8e:8a:b7:f0:3c:23:21:56: + db:92:b8:cf:90:33:9b:44:da:49:6d:58:26:80:d6:3b:c9:db: + 3e:30:8a:ed:9c:eb:b8:49:02:40:5a:d8:4a:47:3a:10:ae:9c: + 43:37:e2:de:cf:63:d8:8b:8f:81:f1:cd:f3:ae:26:de:90:b6: + 96:0c:e9:b0:9a:ee:cf:21:95:f4:8e:38:dc:f4:ac:d0:41:04: + 68:fc:e9:d5:e8:8a:3b:af:0f:2a:5f:51:2d:e9:2d:53:7b:c6: + 19:84:30:38:5d:f3:6a:e7:4b:7e:e5:18:05:b8:f4:38:af:d4: + cb:ff:93:ab:e2:1e:35:f6:b7:d6:10:7e:d1:d1:fd:26:4c:39: + 73:88:85:4e:0d:5e:3b:3a:94:fa:c0:2c:86:8d:23:bc:d2:20: + c4:14:6f:1a:98:71:b4:8c:1d:5e:78:98:89:57:f9:79:d6:4f: + 3a:30:ff:6d:9c:39:6b:77:03:ee:4e:fd:8a:2e:98:0a:d0:d6: + a4:65:6b:03:e8:d6:ad:0f:b3:c7:83:4d:90:0f:9c:7e:5f:8b: + b3:31:39:bd:f4:62:1a:2b:d6:ad:09:c8:67:eb:dc:58:aa:36: + be:f5:a4:65 +-----BEGIN CERTIFICATE----- +MIIE6jCCA9KgAwIBAgIRAMIdtwaxQCr06RXXPL/95UcwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjAwMTI5MDAwMDAwWhcNMjEwMTI4MDAw +MDAwWjCBwzELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEZMBcGA1UEYRMQVkFUSVQt +MTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKZwaZ2L +NPsz8tjKVErWMi8bv5vPOCycMDMSGTROG67fkmekZTxow2MGQMqqys7S2RFptNvT +yEZ7fCFv/B9Nl8QMW3Sm7TrqGl+NO5/t4gKWqbajS49qAJfNShAkKLJosDodfTdE +GmqGRG6e9gw+dNLM6/yISjtn+vikd/2jaR28AmJgf6OzksDsBxxbcL5Uc/tEjRIy +lvbsKDJLWqXUG+njLvsLsGsT5oTOdH/Mv0DL16vfe8HZpzNe4+hXlbfOPFKnGDjA +BRUYwE9MQl+XA/b9EtRuUdja0K87/eR0ulyuMH7UBBbLVipQjigs7zPK4AkgHbAe 
+5j2/wLV6dMHT8vkCAwEAAaOCAVYwggFSMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE +FjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFAhfp50kmd0jSQNmTcwY +1nKHtZ2dMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsGAQUF +BwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL29j +c3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290MBYG +A1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1UdIAQLMAkwBwYFZ4EMAQEwLQYDVR0f +BCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDAgBgVngQwD +AQQXMBUTA1ZBVBMCQkUMCjEyMzQ1Njc4OTAwDQYJKoZIhvcNAQELBQADggEBAJHC +4EX/x9KyykmuvISZuR731dMrJm9Ur1dI+9mOirfwPCMhVtuSuM+QM5tE2kltWCaA +1jvJ2z4wiu2c67hJAkBa2EpHOhCunEM34t7PY9iLj4HxzfOuJt6QtpYM6bCa7s8h +lfSOONz0rNBBBGj86dXoijuvDypfUS3pLVN7xhmEMDhd82rnS37lGAW49Div1Mv/ +k6viHjX2t9YQftHR/SZMOXOIhU4NXjs6lPrALIaNI7zSIMQUbxqYcbSMHV54mIlX ++XnWTzow/22cOWt3A+5O/YoumArQ1qRlawPo1q0Ps8eDTZAPnH5fi7MxOb30Yhor +1q0JyGfr3FiqNr71pGU= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ok_04.pem b/v3/testdata/orgid_subj_and_ext_ok_04.pem new file mode 100644 index 000000000..73a33605e --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ok_04.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a6:94:17:72:37:47:c7:98:f1:a3:59:27:3a:60:6a:4d + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 29 15:05:33 2024 GMT + Not After : Mar 29 15:05:33 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ef:fe:60:e2:81:13:db:ff:b7:ee:2d:5a:f4:ec: + 3c:44:a7:e0:7a:8f:98:31:70:53:29:85:d0:77:02: + a0:49:93:89:6c:82:c4:95:12:44:a5:8a:d9:46:f1: + 19:84:d8:91:e7:be:5a:5e:2e:92:b4:f8:ae:b5:d9: + 37:5b:fc:b8:6c:44:4b:74:af:e7:7c:44:5c:2e:b3: + 26:be:77:99:95:9a:f3:51:78:24:38:48:d4:9c:94: + 3c:2d:ea:c7:9f:d7:1c:56:50:71:2f:f1:56:3e:2e: + e4:33:de:ba:28:c9:79:aa:e4:69:bf:46:f1:35:b3: + 70:13:45:67:55:84:e2:a3:1f:e2:9a:3d:8a:bc:62: + 4b:fd:fd:a0:a1:46:0a:5d:97:fc:81:ee:11:d9:a4: + 05:b8:b2:b9:05:44:15:47:ef:ec:3c:10:6f:04:04: + 93:7a:ce:b5:9b:92:bb:c1:49:2a:61:cc:3e:0e:cc: + 2a:8a:7a:14:6c:a6:cd:39:d5:33:a6:e8:b6:e0:95: + 76:92:ea:91:ee:76:4d:6b:1d:17:6f:7a:20:f2:5b: + 3d:8c:94:30:5b:db:5d:98:8f:ea:3a:85:0f:e3:07: + 8b:84:93:e5:e1:45:34:66:d3:9c:26:91:cb:28:03: + 0a:07:0b:9c:7e:17:8b:06:a5:c4:8d:5a:77:97:4f: + 47:f5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + E6:C2:40:43:AB:57:32:1A:E1:E6:48:76:C4:67:7A:9F:3D:57:E1:6E + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + a7:6d:a4:f3:d5:db:f7:73:79:43:3f:b6:f5:7a:fc:00:88:58: + cf:ec:05:6e:55:df:82:25:6b:f8:d8:0c:0a:c0:00:d9:5a:57: + 94:e6:0e:02:3a:43:fb:d1:b9:68:11:d8:2f:04:49:2e:ea:fc: + 33:16:d9:2f:f7:05:7d:06:1f:2e:f6:47:a2:78:ab:f3:25:01: + aa:dc:3c:d7:62:60:9b:7f:bb:46:fa:ab:ed:56:61:58:87:f2: + 24:db:4c:0b:ad:3a:56:d3:73:2c:04:2c:33:d7:1a:52:76:a3: + db:85:a9:ce:01:42:38:dc:77:5a:fe:9a:0f:d2:9a:70:e2:f9: + 26:f9:e8:fd:be:a7:a3:37:9d:f5:21:81:1d:69:06:f5:37:43: + 2b:30:92:be:20:df:b3:e4:5b:ec:04:9a:ba:64:65:17:a9:2a: + 4b:7d:ea:fa:ad:83:8c:00:f6:ea:1b:bb:cd:22:26:99:ba:1f: + 3e:4f:bd:e9:b0:67:d7:27:91:97:9d:e6:cb:c4:a4:7e:bf:31: + de:2b:e6:d7:14:89:fe:13:b2:db:ed:74:ab:8e:16:15:be:a6: + 1c:60:52:4f:8f:bf:67:bb:0d:7d:62:e2:66:70:2b:89:1e:32: + a5:1a:8e:b2:82:e2:90:bc:15:19:8f:93:41:2c:a4:ac:cb:df: + f7:8c:43:7a +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIRAKaUF3I3R8eY8aNZJzpgak0wDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwMzI5MTUwNTMzWhcNMjUwMzI5MTUw +NTMzWjCBqDELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAO/+YOKBE9v/t+4tWvTsPESn4HqPmDFwUymF0HcCoEmT +iWyCxJUSRKWK2UbxGYTYkee+Wl4ukrT4rrXZN1v8uGxES3Sv53xEXC6zJr53mZWa +81F4JDhI1JyUPC3qx5/XHFZQcS/xVj4u5DPeuijJearkab9G8TWzcBNFZ1WE4qMf +4po9irxiS/39oKFGCl2X/IHuEdmkBbiyuQVEFUfv7DwQbwQEk3rOtZuSu8FJKmHM +Pg7MKop6FGymzTnVM6botuCVdpLqke52TWsdF296IPJbPYyUMFvbXZiP6jqFD+MH +i4ST5eFFNGbTnCaRyygDCgcLnH4XiwalxI1ad5dPR/UCAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFObCQEOrVzIa4eZIdsRnep89V+FuMB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAp22k89Xb93N5Qz+29Xr8 +AIhYz+wFblXfgiVr+NgMCsAA2VpXlOYOAjpD+9G5aBHYLwRJLur8MxbZL/cFfQYf +LvZHonir8yUBqtw812Jgm3+7Rvqr7VZhWIfyJNtMC606VtNzLAQsM9caUnaj24Wp +zgFCONx3Wv6aD9KacOL5Jvno/b6nozed9SGBHWkG9TdDKzCSviDfs+Rb7ASaumRl +F6kqS33q+q2DjAD26hu7zSImmbofPk+96bBn1yeRl53my8Skfr8x3ivm1xSJ/hOy +2+10q44WFb6mHGBST4+/Z7sNfWLiZnAriR4ypRqOsoLikLwVGY+TQSykrMvf94xD +eg== +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ok_05.pem b/v3/testdata/orgid_subj_and_ext_ok_05.pem new file mode 100644 index 000000000..3f259f339 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ok_05.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 44:94:07:44:46:97:7c:ba:96:a2:d0:d5:53:54:05:00 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 30 09:08:27 2024 GMT + Not After : Mar 30 09:08:27 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = VATIT-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:f0:5d:f1:11:dd:94:9d:28:e6:b2:fc:9f:cd:74: + 9c:20:58:1b:f9:0d:85:bb:9d:a6:b2:5d:23:3c:78: + c0:42:be:15:de:56:01:13:73:60:a4:39:a1:4c:38: + dd:5f:df:f6:18:13:c7:e5:24:de:14:e5:56:00:87: + 10:03:fd:7b:cc:b6:79:57:62:3d:86:e3:8a:46:a5: + 9a:99:85:a4:f3:b4:60:d3:81:16:11:f6:7a:77:27: + 0e:ca:27:29:fe:b9:79:2d:48:18:a2:ec:7b:31:b6: + 0f:64:88:ea:42:87:31:9f:52:a6:41:62:3e:9e:20: + d7:3b:28:9f:d0:89:cc:13:87:71:e8:2d:a2:3d:cc: + 96:e7:1d:b1:b4:23:cc:3a:47:4b:4a:79:3a:b4:97: + 5b:f1:68:f3:be:33:fc:dc:1d:24:3c:3f:1b:7a:6c: + 84:d8:22:c2:ac:46:55:f6:fd:1c:d6:34:4e:85:47: + a2:f3:f0:ac:25:58:f3:fb:5b:0b:ef:c7:1b:64:1c: + 3f:7a:38:69:be:06:67:76:a5:0e:9e:ba:14:f3:0b: + 36:0c:26:3a:1e:38:d5:0f:7a:ee:96:3a:2d:ed:74: + f8:c9:87:8a:51:96:1a:1c:e9:57:98:e2:bc:d6:e6: + 6d:f3:2f:4c:ef:61:da:4c:b7:52:32:6f:e7:ba:0a: + 16:15 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 34:67:E3:3B:A9:07:DF:54:DD:6D:7B:55:DB:E3:53:BA:3C:06:2F:AB + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root 
+ + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 00:f6:56:fa:d5:b9:62:35:7e:61:93:f7:8a:a7:7f:ca:ff:2b: + e6:ec:11:f4:34:81:ca:00:f7:19:e3:64:e3:0b:ec:51:b7:59: + 2f:5d:bc:b8:eb:e6:d3:1a:b5:eb:49:da:fb:83:73:0d:75:68: + 92:41:83:62:6a:5b:67:89:67:db:a3:0d:fd:8b:c6:27:32:af: + 7f:db:ab:2c:b9:99:c3:06:38:df:79:26:d8:4a:53:2a:01:96: + b4:59:d8:52:f8:76:80:d2:dd:d8:c2:aa:c5:26:dc:6c:9c:15: + 96:5c:10:07:88:a1:37:e3:07:0b:89:b7:ea:85:13:b7:6c:a7: + 3d:37:a2:67:43:d2:84:44:88:90:6f:26:87:93:a9:f7:9e:61: + 13:cf:9b:85:7d:c2:d0:9e:2b:64:a9:35:65:ff:cc:ec:b4:9b: + 1f:63:3b:6a:e7:83:25:75:18:e7:08:7f:8e:8b:97:94:d1:0d: + 63:67:bf:b3:58:8c:bc:ba:a0:dd:59:c5:4e:3a:ba:6f:28:80: + e0:fd:1d:4d:09:55:1a:c6:7f:27:44:d4:5a:0e:01:f6:a3:15: + ee:4d:0a:5c:0a:6d:6b:53:4a:80:12:11:0f:60:d5:f2:53:93: + 93:c2:fe:13:5b:ca:67:f9:3a:5c:13:52:33:bd:ea:c3:69:f9: + b5:29:6b:26 +-----BEGIN CERTIFICATE----- +MIIExzCCA6+gAwIBAgIQRJQHREaXfLqWotDVU1QFADANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDAzMzAwOTA4MjdaFw0yNTAzMzAwOTA4 +MjdaMIHDMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRkwFwYDVQRhExBWQVRJVC0x +MjM0NTY3ODkwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8F3xEd2U +nSjmsvyfzXScIFgb+Q2Fu52msl0jPHjAQr4V3lYBE3NgpDmhTDjdX9/2GBPH5STe +FOVWAIcQA/17zLZ5V2I9huOKRqWamYWk87Rg04EWEfZ6dycOyicp/rl5LUgYoux7 +MbYPZIjqQocxn1KmQWI+niDXOyif0InME4dx6C2iPcyW5x2xtCPMOkdLSnk6tJdb +8WjzvjP83B0kPD8bemyE2CLCrEZV9v0c1jROhUei8/CsJVjz+1sL78cbZBw/ejhp +vgZndqUOnroU8ws2DCY6HjjVD3ruljot7XT4yYeKUZYaHOlXmOK81uZt8y9M72Ha 
+TLdSMm/nugoWFQIDAQABo4IBNDCCATAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW +MBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUNGfjO6kH31TdbXtV2+NT +ujwGL6swHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYIKwYBBQUH +AQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vb2Nz +cDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jvb3QwFgYD +VR0RBA8wDYILZXhhbXBsZS5jb20wEgYDVR0gBAswCTAHBgVngQwBATAtBgNVHR8E +JjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMA0GCSqGSIb3 +DQEBCwUAA4IBAQAA9lb61bliNX5hk/eKp3/K/yvm7BH0NIHKAPcZ42TjC+xRt1kv +Xby46+bTGrXrSdr7g3MNdWiSQYNialtniWfbow39i8YnMq9/26ssuZnDBjjfeSbY +SlMqAZa0WdhS+HaA0t3YwqrFJtxsnBWWXBAHiKE34wcLibfqhRO3bKc9N6JnQ9KE +RIiQbyaHk6n3nmETz5uFfcLQnitkqTVl/8zstJsfYztq54MldRjnCH+Oi5eU0Q1j +Z7+zWIy8uqDdWcVOOrpvKIDg/R1NCVUaxn8nRNRaDgH2oxXuTQpcCm1rU0qAEhEP +YNXyU5OTwv4TW8pn+TpcE1IzverDafm1KWsm +-----END CERTIFICATE----- From ae29a40d1e5c592c0be51abe056b1661117182b5 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sat, 30 Mar 2024 11:30:58 +0100 Subject: [PATCH 12/29] Add files via upload --- ...lint_ev_orgid_inconsistent_subj_and_ext.go | 114 ++++++++++++++++++ ...ev_orgid_inconsistent_subj_and_ext_test.go | 97 +++++++++++++++ 2 files changed, 211 insertions(+) create mode 100644 v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go create mode 100644 v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go diff --git a/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go new file mode 100644 index 000000000..1914213c8 --- /dev/null +++ b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go 
@@ -0,0 +1,114 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_ev
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "errors"
+ "regexp"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ev_orgid_inconsistent_subj_and_ext",
+ Description: "Checks that the organizationIdentifier Subject attribute and the CABFOrganizationIdentifier extension are consistent",
+ Citation: "EVGs 9.2.8 and 9.8.2",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.CABFEV_Sec9_2_8_Date,
+ },
+ Lint: NewOrgIdInconsistentSubjAndExt,
+ })
+}
+
+// According to EVGs 9.2.8
+type OrganizationIdentifier struct {
+ Scheme string
+ Country string
+ State string
+ Reference string
+}
+
+func ParseOrgId(orgIdString string, orgId *OrganizationIdentifier) error {
+
+ // This is according to the EVG (stricter than ETSI EN 319 412-1)
+ OrgIdPattern := `^[A-Z]{3}[A-Z]{2}(?:\+[A-Z]{2})?\-.+$`
+
+ compiledRegexp, err := regexp.Compile(OrgIdPattern)
+ if err != nil {
+ // This should neve occur, but one never knows....
+ panic(err)
+ }
+
+ if !compiledRegexp.MatchString(orgIdString) {
+ return errors.New("Cannot parse organizationIdentifier: it is probably invalid")
+ }
+
+ orgId.Scheme = orgIdString[0:3]
+ orgId.Country = orgIdString[3:5]
+
+ if orgIdString[5] == '+' {
+ orgId.State = orgIdString[6:8]
+ orgId.Reference = orgIdString[9:]
+ } else {
+ orgId.Reference = orgIdString[6:]
+ }
+
+ return nil
+}
+
+type orgIdInconsistentSubjAndExt struct{}
+
+func NewOrgIdInconsistentSubjAndExt() lint.LintInterface {
+ return &orgIdInconsistentSubjAndExt{}
+}
+
+func (l *orgIdInconsistentSubjAndExt) CheckApplies(c *x509.Certificate) bool {
+ // It is actually mandatory that, if orgId is present, cabfOrgId be present as well,
+ // however this is already checked by another lint
+ return util.IsEV(c.PolicyIdentifiers) && (len(c.Subject.OrganizationIDs) > 0) &&
+ util.IsExtInCert(c, util.CabfExtensionOrganizationIdentifier)
+}
+
+func (l *orgIdInconsistentSubjAndExt) Execute(c *x509.Certificate) *lint.LintResult {
+ // It should be safe to assume there is only one element in OrganizationIDs
+ var orgId OrganizationIdentifier
+ err := ParseOrgId(c.Subject.OrganizationIDs[0], &orgId)
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "the organizationIdentifier Subject attribute probably has an invalid value"}
+ }
+
+ if (c.CABFOrganizationIdentifier.Scheme != orgId.Scheme) ||
+ (c.CABFOrganizationIdentifier.Country != orgId.Country) ||
+ (c.CABFOrganizationIdentifier.State != orgId.State) ||
+ (c.CABFOrganizationIdentifier.Reference != orgId.Reference) {
+
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "CABFOrganizationIdentifier is NOT consistent with organizationIdentifier"}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go
new file mode 100644
index 000000000..a8592c41b
--- /dev/null
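Review bot: `Execute` in lint_ev_orgid_inconsistent_subj_and_ext.go parses and compares only `c.Subject.OrganizationIDs[0]`, so a certificate carrying a second organizationIdentifier value that disagrees with the extension would still get `lint.Pass`. The comment says it should be safe to assume a single element, but nothing in `CheckApplies` or `Execute` enforces that, and a lint is where malformed subjects are expected to show up. Either wrap the parse-and-compare in `for _, id := range c.Subject.OrganizationIDs {` or return `lint.Error` when `len(c.Subject.OrganizationIDs) != 1`. Whether another lint already rejects repeated attributes is not visible in this patch.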
+++ b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go 
@@ -0,0 +1,97 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+/*
+ === Pass test cases ===
+ orgid_subj_and_ext_ok_01.pem EV cert with orgId=="VATIT-1234567890" and cabfOrgId consistent
+
+ === NA test cases ===
+ orgid_subj_and_ext_ok_02.pem OV cert with orgId=="VATIT-1234567890" and cabfOrgId NOT consistent
+ orgid_subj_and_ext_ok_04.pem EV cert without orgId
+ orgid_subj_and_ext_ok_05.pem EV cert with orgId but NO cabfOrgId (which is wrong, but not this lint's business)
+
+ === NE test cases ===
+ orgid_subj_and_ext_ok_03.pem EV cert with orgId and cabfOrgId NOT consistent, but issued before 31/1/2020
+
+ === Fail test cases ===
+ orgid_subj_and_ext_ko_01.pem EV cert with orgId=="NTRUS+CA-1234567890" and cabfOrgId NOT consistent
+ orgid_subj_and_ext_ko_02.pem EV cert with orgId=="PSDAT-FMA-1234567890" and cabfOrgId NOT consistent
+ orgid_subj_and_ext_ko_03.pem EV cert with invalid orgId ("VATBEE-12345")
+*/
+
+package cabf_ev
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestOrgIdInconsistentSubjAndExt(t *testing.T) {
+
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+
+ data := []Data{
+ {
+ input: "orgid_subj_and_ext_ok_01.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "orgid_subj_and_ext_ok_02.pem",
+ want: lint.NA,
+ },
+ {
+ input: "orgid_subj_and_ext_ok_03.pem",
+ want: lint.NE,
+ },
+ {
+ input: "orgid_subj_and_ext_ok_04.pem",
+ want: lint.NA,
+ },
+ {
+ input: "orgid_subj_and_ext_ok_05.pem",
+ want: lint.NA,
+ },
+ {
+ input: "orgid_subj_and_ext_ko_01.pem",
+ want: lint.Error,
+ },
+ {
+ input: "orgid_subj_and_ext_ko_02.pem",
+ want: lint.Error,
+ },
+ {
+ input: "orgid_subj_and_ext_ko_03.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_ev_orgid_inconsistent_subj_and_ext", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
From faa938dc4e6f59d0311334561cdfa699f00a8179 Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Sun, 7 Apr 2024 17:39:11 +0200
Subject: [PATCH 13/29] Revised according to Chris and Corey suggestions
---
...lint_ev_orgid_inconsistent_subj_and_ext.go | 36 ++++++++++---------
1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go
index 1914213c8..e32eab51e 100644
--- a/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go
+++ b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go
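Review bot: The table in `TestOrgIdInconsistentSubjAndExt` has no `lint.Pass` case for an identifier with a state component; the only `+XX` value, `NTRUS+CA-1234567890` in orgid_subj_and_ext_ko_01.pem, is expected to fail. The `orgIdString[6:8]` / `orgIdString[9:]` branch of `ParseOrgId` is therefore never shown to produce a match, and an offset error there would leave every listed test green. Add a certificate whose subject value and extension agree on scheme, country, state and reference, and expect `lint.Pass`.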
@@ -49,31 +49,35 @@ type OrganizationIdentifier struct { Reference string } -func ParseOrgId(orgIdString string, orgId *OrganizationIdentifier) error { +// This is according to the EVG (stricter than ETSI EN 319 412-1) +var OrgIdPattern = `^(?P[A-Z]{3})(?P[A-Z]{2})(?:\+(?P[A-Z]{2}))?\-(?P.+)$` - // This is according to the EVG (stricter than ETSI EN 319 412-1) - OrgIdPattern := `^[A-Z]{3}[A-Z]{2}(?:\+[A-Z]{2})?\-.+$` +func ParseOrgId(orgIdString string, orgId *OrganizationIdentifier) error { - compiledRegexp, err := regexp.Compile(OrgIdPattern) - if err != nil { - // This should neve occur, but one never knows.... - panic(err) - } + re := regexp.MustCompile(OrgIdPattern) - if !compiledRegexp.MatchString(orgIdString) { + if !re.MatchString(orgIdString) { return errors.New("Cannot parse organizationIdentifier: it is probably invalid") } - orgId.Scheme = orgIdString[0:3] - orgId.Country = orgIdString[3:5] + names := re.SubexpNames() + match := re.FindStringSubmatch(orgIdString) + + // Initialize a map to hold group names and values + result := make(map[string]string) - if orgIdString[5] == '+' { - orgId.State = orgIdString[6:8] - orgId.Reference = orgIdString[9:] - } else { - orgId.Reference = orgIdString[6:] + // Populate the map + for i, name := range names { + if i != 0 && name != "" { // Skip the whole match and unnamed groups + result[name] = match[i] + } } + orgId.Scheme = result["scheme"] + orgId.Country = result["country"] + orgId.State = result["state"] + orgId.Reference = result["reference"] + return nil } From d2aa5b1199885f5af6d948ed9034041c90e7b8bf Mon Sep 17 00:00:00 2001 
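Review bot: `ParseOrgId` now calls `regexp.MustCompile(OrgIdPattern)` on every invocation, and `OrgIdPattern` is an exported, mutable package `var`, so any importer can reassign it and a bad value panics inside the lint at run time instead of at start-up. Compile once at package scope and keep it unexported, e.g. `var orgIdRegexp = regexp.MustCompile(orgIdPattern)` with the pattern held in a `const`. The `MatchString` call followed by `FindStringSubmatch` also runs the expression twice; `match := re.FindStringSubmatch(orgIdString)` with `if match == nil` covers both.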
From: Adriano Santoni
Date: Mon, 8 Apr 2024 10:38:37 +0200
Subject: [PATCH 14/29] Add files via upload
---
v3/lints/cabf_br/lint_e_invalid_cps_uri.go | 74 +++++++++++++++++
.../cabf_br/lint_e_invalid_cps_uri_test.go | 83 +++++++++++++++++++
2 files changed, 157 insertions(+)
create mode 100644 v3/lints/cabf_br/lint_e_invalid_cps_uri.go
create mode 100644 v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
diff --git a/v3/lints/cabf_br/lint_e_invalid_cps_uri.go b/v3/lints/cabf_br/lint_e_invalid_cps_uri.go
new file mode 100644
index 000000000..a2c542d50
--- /dev/null
+++ b/v3/lints/cabf_br/lint_e_invalid_cps_uri.go
@@ -0,0 +1,74 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "net/url"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_invalid_cps_uri",
+ Description: "If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL",
+ Citation: "CABF BR 7.1.2 (several subsections thereof)",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewInvalidCPSUri,
+ })
+}
+
+type invalidCPSUri struct{}
+
+func NewInvalidCPSUri() lint.LintInterface {
+ return &invalidCPSUri{}
+}
+
+func (l *invalidCPSUri) CheckApplies(c *x509.Certificate) bool {
+ return util.IsExtInCert(c, util.CertPolicyOID)
+}
+
+func isValidHttpOrHttpsURL(input string) bool {
+ parsedURL, err := url.Parse(input)
+ if err != nil {
+ return false
+ }
+
+ scheme := parsedURL.Scheme
+ return scheme == "http" || scheme == "https"
+}
+
+func (l *invalidCPSUri) Execute(c *x509.Certificate) *lint.LintResult {
+ // There should normally be just one CPS URI, but one never knows...
+ for _, pol := range c.CPSuri {
+ for _, uri := range pol {
+ if !isValidHttpOrHttpsURL(uri) {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go b/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
new file mode 100644
index 000000000..7170bfa07
--- /dev/null
+++ b/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
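Review bot: `isValidHttpOrHttpsURL` accepts any string whose scheme is `http` or `https`, and `url.Parse` succeeds on inputs such as `http:` or `https:///cps` that name no host, so a CPS URI that cannot be dereferenced passes the lint. Since the lint's own description is that the qualifier MUST contain an HTTP or HTTPS URL, the check should also require a host: `return (scheme == "http" || scheme == "https") && parsedURL.Host != ""`. The table in lint_e_invalid_cps_uri_test.go has no hostless case, and its "syntax error" fixture (invalid_cps_uri_ko_02.pem, `CPS: www.some-ca.inc`) is rejected for its empty scheme rather than by the `err != nil` branch, so that branch is not exercised either.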
@@ -0,0 +1,83 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+/*
+ === Pass test cases ===
+ invalid_cps_uri_ok_01.pem Certificate with a well-formed CPS URI
+ invalid_cps_uri_ok_02.pem Certificate without a CPS URI
+
+ === NE test cases ===
+ invalid_cps_uri_ok_03.pem Certificate with an invalid CPS URI, but issued before effective date
+
+ === Fail test cases ===
+ invalid_cps_uri_ko_01.pem Certificate with an invalid CPS URI (disallowed scheme)
+ invalid_cps_uri_ko_02.pem Certificate with an invalid CPS URI (syntax error)
+ invalid_cps_uri_ko_03.pem Certificate with two CPS URIs, one good and one bad
+*/
+
+func TestInvalidCPSUri(t *testing.T) {
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+ data := []Data{
+ {
+ input: "invalid_cps_uri_ok_01.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_cps_uri_ok_02.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_cps_uri_ok_03.pem",
+ want: lint.NE,
+ },
+ {
+ input: "invalid_cps_uri_ko_01.pem",
+ want: lint.Error,
+ },
+ {
+ input: "invalid_cps_uri_ko_02.pem",
+ want: lint.Error,
+ },
+ {
+ input: "invalid_cps_uri_ko_03.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_invalid_cps_uri", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
From b827d18210d977c332411e8db7599161305f92e0 Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Mon, 8 Apr 2024 10:40:01 +0200
Subject: [PATCH 15/29] Add files via upload
---
v3/testdata/invalid_cps_uri_ko_01.pem | 109 +++++++++++++++++++++++++
v3/testdata/invalid_cps_uri_ko_02.pem | 109 +++++++++++++++++++++++++
v3/testdata/invalid_cps_uri_ko_03.pem | 112 ++++++++++++++++++++++++++
v3/testdata/invalid_cps_uri_ok_01.pem | 109 +++++++++++++++++++++++++
v3/testdata/invalid_cps_uri_ok_02.pem | 107 ++++++++++++++++++++++++
v3/testdata/invalid_cps_uri_ok_03.pem | 109 +++++++++++++++++++++++++
6 files changed, 655 insertions(+)
create mode 100644 v3/testdata/invalid_cps_uri_ko_01.pem
create mode 100644 v3/testdata/invalid_cps_uri_ko_02.pem
create mode 100644 v3/testdata/invalid_cps_uri_ko_03.pem
create mode 100644 v3/testdata/invalid_cps_uri_ok_01.pem
create mode 100644 v3/testdata/invalid_cps_uri_ok_02.pem
create mode 100644 v3/testdata/invalid_cps_uri_ok_03.pem
diff --git a/v3/testdata/invalid_cps_uri_ko_01.pem b/v3/testdata/invalid_cps_uri_ko_01.pem
new file mode 100644
index 000000000..708b80ce0
--- /dev/null
+++ b/v3/testdata/invalid_cps_uri_ko_01.pem
@@ -0,0 +1,109 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 793070860651290632 (0xb018dbef2d56008) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 30 16:57:00 2024 GMT + Not After : Aug 13 16:57:00 2024 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + CPS: ftp://www.some-ca.inc/cps + + Signature Algorithm: sha256WithRSAEncryption + 
97:54:ef:06:28:ff:dd:57:18:92:a4:e1:89:56:d5:90:f4:46: + 9d:df:f4:67:d4:5f:dd:b5:0c:33:0a:cb:bc:a4:3c:86:3b:0b: + 48:61:f0:0b:68:b1:72:ee:2a:55:f1:78:d4:25:10:ef:58:00: + 5f:2e:26:a8:76:32:0e:45:31:69:98:79:a7:5d:51:b5:5d:d8: + 4b:61:41:ee:02:ce:e6:10:18:cb:88:cd:3a:00:db:27:51:75: + ef:23:b8:61:2b:53:72:a6:fd:95:96:80:c2:3a:87:8a:f2:cf: + a4:c2:56:d2:8f:3d:52:28:a8:ee:11:c2:f4:0f:cb:6f:87:30: + 35:8d:bd:0f:a2:3f:25:6b:b3:68:de:46:8d:fa:23:d9:8a:43: + 90:a0:6b:97:cf:bb:8a:b5:e4:64:d0:dc:07:3f:e5:46:d0:d5: + 79:e7:0f:7b:0c:ac:4c:03:8c:d3:c3:55:14:76:ed:02:a6:e1: + 96:58:ab:2c:42:ac:6d:e7:75:04:3f:35:ae:7f:35:a0:5f:e7: + 10:df:22:3f:94:eb:a2:9a:1a:a7:75:8d:f8:13:95:c4:a0:bc: + a5:90:ab:8f:af:f5:42:ba:c0:15:47:c8:15:47:d9:98:70:c8: + ff:10:90:1b:68:3d:74:ed:ec:94:14:70:5a:33:ce:1a:d7:ba: + 9a:38:0e:d3:dc:9c:83:54:19:5e:bc:95:7e:ed:e6:8e:18:93: + 28:c8:b9:77:a5:e5:a9:31:8e:29:9c:b2:8c:e3:d5:29:ce:5f: + 5d:1c:b7:f7:00:36:5a:38:e3:99:a0:7c:20:a6:38:dd:6d:5b: + d8:76:e1:03:51:51:d2:7b:3b:01:35:4a:88:76:72:63:61:19: + 7e:4e:79:62:7a:c0:e6:0c:a8:9e:3e:cf:15:1a:98:ab:f1:67: + 8e:f7:4d:a4:01:b7:72:59:44:ec:e2:2d:d0:be:d0:9e:4f:af: + 4f:56:06:90:c8:04:b3:04:cd:00:ca:c9:cb:d3:c4:04:0c:d6: + 2e:0b:c7:85:05:31:32:89:70:4e:2f:b9:f1:04:b5:35:1f:0d: + 12:0d:8d:fe:3c:1f:c7:bf:10:5d:01:c8:56:27:83:3d:67:ac: + 82:e6:40:70:89:8d:c7:d7:5b:e2:3d:95:1d:e4:fa:92:ce:4e: + f7:47:88:e0:b7:10:60:8b:5f:8f:6c:7f:53:56:db:4b:ab:84: + db:d1:42:28:f9:de:35:4d:ad:c7:d7:e8:8c:13:c5:24:51:88: + 3e:f3:9d:b3:7a:ba:14:9a:ac:ae:6b:a4:6e:c3:7c:53:18:0d: + b2:9f:17:c7:96:de:56:ef:fd:bd:b8:b7:30:d0:7c:81:28:4c: + 12:db:c0:f0:e5:50:83:cb +-----BEGIN CERTIFICATE----- +MIIFKDCCAxCgAwIBAgIICwGNvvLVYAgwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 +NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
+BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS +BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4G9MIG6MAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwRAYDVR0gBD0wOzAIBgZngQwBAgIwLwYEKgMEBTAnMCUGCCsGAQUFBwIBFhlm +dHA6Ly93d3cuc29tZS1jYS5pbmMvY3BzMA0GCSqGSIb3DQEBCwUAA4ICAQCXVO8G +KP/dVxiSpOGJVtWQ9Ead3/Rn1F/dtQwzCsu8pDyGOwtIYfALaLFy7ipV8XjUJRDv +WABfLiaodjIORTFpmHmnXVG1XdhLYUHuAs7mEBjLiM06ANsnUXXvI7hhK1Nypv2V +loDCOoeK8s+kwlbSjz1SKKjuEcL0D8tvhzA1jb0Poj8la7No3kaN+iPZikOQoGuX +z7uKteRk0NwHP+VG0NV55w97DKxMA4zTw1UUdu0CpuGWWKssQqxt53UEPzWufzWg +X+cQ3yI/lOuimhqndY34E5XEoLylkKuPr/VCusAVR8gVR9mYcMj/EJAbaD107eyU +FHBaM84a17qaOA7T3JyDVBlevJV+7eaOGJMoyLl3peWpMY4pnLKM49Upzl9dHLf3 +ADZaOOOZoHwgpjjdbVvYduEDUVHSezsBNUqIdnJjYRl+TnliesDmDKiePs8VGpir +8WeO902kAbdyWUTs4i3QvtCeT69PVgaQyASzBM0AysnL08QEDNYuC8eFBTEyiXBO +L7nxBLU1Hw0SDY3+PB/HvxBdAchWJ4M9Z6yC5kBwiY3H11viPZUd5PqSzk73R4jg +txBgi1+PbH9TVttLq4Tb0UIo+d41Ta3H1+iME8UkUYg+852zeroUmqyua6Ruw3xT +GA2ynxfHlt5W7/29uLcw0HyBKEwS28Dw5VCDyw== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_cps_uri_ko_02.pem b/v3/testdata/invalid_cps_uri_ko_02.pem new file mode 100644 index 000000000..8e87b4c1f --- /dev/null +++ b/v3/testdata/invalid_cps_uri_ko_02.pem 
@@ -0,0 +1,109 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1892436556900320617 (0x1a4349059e01c569) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 30 16:57:00 2024 GMT + Not After : Aug 13 16:57:00 2024 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + CPS: www.some-ca.inc + + Signature Algorithm: sha256WithRSAEncryption + 16:57:14:9b:a6:7b:51:88:49:42:81:dc:ae:c0:13:ff:5e:55: + 
cf:24:5b:c8:00:68:dc:ac:7f:23:db:e5:24:bd:da:93:71:70: + c1:4a:7c:22:09:61:51:da:07:52:b7:5c:e8:0f:9e:30:6f:8e: + 5e:33:0b:a2:75:2a:14:85:80:a9:72:5d:ba:c0:31:31:4f:b7: + 56:ae:37:0a:9b:79:e5:34:5a:24:44:c6:c0:6f:b8:39:de:96: + 69:43:f3:e9:69:c0:eb:5a:f3:c3:2b:7a:03:8b:d4:06:c6:a7: + de:09:00:c5:85:12:0f:6b:bb:1d:96:c7:e2:7a:17:56:17:dd: + c5:25:2c:41:3c:cb:d9:77:b6:fc:81:5b:d3:16:d1:c7:6b:8a: + bc:0e:5a:30:74:33:12:dd:ff:40:a4:83:2a:83:58:72:41:84: + 19:87:f9:5c:3a:1d:c7:79:ca:5f:2c:ec:60:f3:a2:64:33:f4: + 87:d8:f9:54:ba:28:7f:69:e7:2f:f7:40:04:90:86:21:3c:68: + 0e:ee:c9:b2:ce:47:d7:2c:8a:90:65:83:70:59:53:fd:8a:df: + f7:2c:91:c2:06:be:ed:9b:89:65:47:32:ec:ec:70:c1:5c:7f: + ee:24:ea:ec:a7:b5:6f:28:b0:11:5f:47:e7:f5:ce:82:63:36: + 6b:7a:74:53:00:e3:72:2c:1d:9e:4e:e7:27:54:59:1d:43:61: + 36:53:bc:ba:7c:d4:d4:db:af:bd:4e:1c:a2:de:98:f0:a9:48: + 75:73:1d:2a:cd:ea:12:b0:a9:dd:25:01:f7:e4:3c:15:8c:cb: + 53:ff:d1:33:b8:a0:4d:fa:c7:c3:d8:b9:6d:e3:df:62:77:6e: + 89:7b:17:c4:bc:96:3f:ed:25:72:f2:7b:66:04:49:da:91:a9: + 73:ca:50:9b:ad:e2:46:ef:dd:7f:7a:14:55:df:ad:c5:55:f9: + f8:77:a7:1c:09:d7:42:ff:28:ef:c6:5b:e0:b5:f0:80:d8:ac: + 09:45:1c:eb:a0:e5:69:07:de:ef:6d:b3:0d:6b:5d:e8:ea:d3: + 9b:b3:98:70:45:fd:8f:5b:53:14:c0:e6:0b:57:5f:9a:37:14: + 69:e2:10:8f:ab:59:3f:b7:54:51:4f:03:6c:1d:ce:54:40:2a: + be:f2:b5:f6:c8:25:b4:70:be:f7:44:4d:ed:03:ab:c3:98:59: + 87:2a:41:be:5a:1b:d6:0d:40:11:64:ef:0f:13:37:fe:49:c3: + c7:df:f8:2d:e5:5a:6b:b4:e7:d2:52:1f:57:75:04:f9:0c:09: + 5a:b4:e6:8f:be:74:5f:24:9b:bd:92:4c:ee:3d:96:1d:a1:fa: + f2:51:42:4e:bc:a3:a8:c3 +-----BEGIN CERTIFICATE----- +MIIFHjCCAwagAwIBAgIIGkNJBZ4BxWkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 +NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE +BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS 
+BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4GzMIGwMAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwOgYDVR0gBDMwMTAIBgZngQwBAgIwJQYEKgMEBTAdMBsGCCsGAQUFBwIBFg93 +d3cuc29tZS1jYS5pbmMwDQYJKoZIhvcNAQELBQADggIBABZXFJume1GISUKB3K7A +E/9eVc8kW8gAaNysfyPb5SS92pNxcMFKfCIJYVHaB1K3XOgPnjBvjl4zC6J1KhSF +gKlyXbrAMTFPt1auNwqbeeU0WiRExsBvuDnelmlD8+lpwOta88MregOL1AbGp94J +AMWFEg9rux2Wx+J6F1YX3cUlLEE8y9l3tvyBW9MW0cdrirwOWjB0MxLd/0CkgyqD +WHJBhBmH+Vw6Hcd5yl8s7GDzomQz9IfY+VS6KH9p5y/3QASQhiE8aA7uybLOR9cs +ipBlg3BZU/2K3/cskcIGvu2biWVHMuzscMFcf+4k6uyntW8osBFfR+f1zoJjNmt6 +dFMA43IsHZ5O5ydUWR1DYTZTvLp81NTbr71OHKLemPCpSHVzHSrN6hKwqd0lAffk +PBWMy1P/0TO4oE36x8PYuW3j32J3bol7F8S8lj/tJXLye2YESdqRqXPKUJut4kbv +3X96FFXfrcVV+fh3pxwJ10L/KO/GW+C18IDYrAlFHOug5WkH3u9tsw1rXejq05uz +mHBF/Y9bUxTA5gtXX5o3FGniEI+rWT+3VFFPA2wdzlRAKr7ytfbIJbRwvvdETe0D +q8OYWYcqQb5aG9YNQBFk7w8TN/5Jw8ff+C3lWmu059JSH1d1BPkMCVq05o++dF8k +m72STO49lh2h+vJRQk68o6jD +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_cps_uri_ko_03.pem b/v3/testdata/invalid_cps_uri_ko_03.pem new file mode 100644 index 000000000..87f547721 --- /dev/null +++ b/v3/testdata/invalid_cps_uri_ko_03.pem 
@@ -0,0 +1,112 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1059656979734169929 (0xeb4a868a4d18949) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 30 16:57:00 2024 GMT + Not After : Aug 13 16:57:00 2024 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + CPS: https://www.some-ca.inc/cps + Policy: 1.3.6.1.5.1.1234567890.1.1 + CPS: this is not a valid url + + Signature Algorithm: 
sha256WithRSAEncryption + 93:29:fc:e5:54:0f:83:0a:37:36:85:37:90:d0:9c:4b:af:56: + 23:3e:88:6d:25:41:d2:23:4b:87:ee:9f:8b:6c:9b:eb:0d:5e: + 10:fa:44:8f:26:33:31:ec:7e:a8:7f:4a:91:ad:2b:fc:7c:db: + f3:fa:4c:76:5e:d6:39:78:99:f3:a6:52:ed:61:8e:8e:8f:71: + 9b:e6:d8:75:dd:b5:47:c3:f7:84:e8:ad:09:52:c9:76:0c:b2: + d3:e1:a9:cf:52:05:b2:d5:7e:9a:f4:67:15:7b:43:7e:7e:3f: + 84:ec:ca:a5:c8:b8:6e:09:64:6d:c7:58:53:e0:66:61:2d:9d: + fe:c7:e8:ff:1a:b0:ca:93:6f:c5:9f:4c:46:ef:54:41:f7:05: + a8:89:0f:64:27:1c:71:3a:1c:fa:ab:d0:0e:09:8b:67:f5:ce: + c5:5b:cb:bd:e6:42:e0:ef:75:f2:73:26:8e:a6:22:cd:b0:52: + 4d:ed:e5:cf:c2:64:2d:03:f2:b3:86:db:06:74:25:a8:19:e3: + 16:43:d9:0d:f7:31:58:d3:cb:5d:c4:74:1d:fa:30:a7:c1:b7: + 7e:3c:e1:9e:f1:6f:2b:5c:73:c2:68:33:2d:24:28:52:a1:f5: + 14:a5:9a:d7:27:fc:a9:be:7e:e9:05:e9:78:2f:6f:c4:ce:96: + 22:b6:f5:41:af:8d:c0:8a:85:c5:35:47:d0:8a:9c:71:e7:44: + 0f:34:5f:f3:fe:44:95:76:b3:1e:ad:a4:ee:cb:3c:3f:5a:bc: + 6f:43:55:a8:b9:80:47:38:c1:43:c0:f2:71:e9:d0:2b:b3:16: + 3d:3c:81:16:49:0c:d1:05:f0:5b:66:a9:02:a2:38:db:74:9c: + 0c:a9:50:b3:66:d8:12:80:8d:e1:dd:22:f3:22:4d:80:ce:2e: + 86:a2:8b:c0:d1:92:f7:8c:6d:1f:30:1d:d4:4c:8e:b5:91:b1: + dd:18:f9:9c:98:18:0f:ab:24:c9:ea:6f:9f:91:51:81:b0:ec: + 73:d1:c8:6f:f7:fd:62:2b:d8:18:eb:08:4b:32:ee:37:df:f7: + ed:0a:c7:6f:6f:ef:9e:6f:e4:9d:f5:c4:23:ab:de:38:74:7c: + 89:85:77:f1:5c:54:8f:71:33:9f:2c:fb:e5:58:92:f2:eb:de: + 90:04:b9:f5:b9:72:35:d0:10:75:e0:5a:0f:93:fa:1f:de:27: + 14:ff:60:a4:91:ac:e0:f4:57:a0:d5:21:ee:8a:79:e8:20:c7: + 66:82:30:3c:8b:eb:3c:7a:0c:33:64:e6:8c:2e:15:fd:60:62: + 9d:38:d1:03:3d:3d:09:69:c9:71:d8:ca:68:c1:54:80:e1:3a: + bb:71:aa:90:bc:11:81:3b +-----BEGIN CERTIFICATE----- +MIIFYTCCA0mgAwIBAgIIDrSoaKTRiUkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 
+NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE +BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS +BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4H2MIHzMAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwfQYDVR0gBHYwdDAIBgZngQwBAgIwMQYEKgMEBTApMCcGCCsGAQUFBwIBFhto +dHRwczovL3d3dy5zb21lLWNhLmluYy9jcHMwNQYMKwYBBQGEzNiFUgEBMCUwIwYI +KwYBBQUHAgEWF3RoaXMgaXMgbm90IGEgdmFsaWQgdXJsMA0GCSqGSIb3DQEBCwUA +A4ICAQCTKfzlVA+DCjc2hTeQ0JxLr1YjPohtJUHSI0uH7p+LbJvrDV4Q+kSPJjMx +7H6of0qRrSv8fNvz+kx2XtY5eJnzplLtYY6Oj3Gb5th13bVHw/eE6K0JUsl2DLLT +4anPUgWy1X6a9GcVe0N+fj+E7MqlyLhuCWRtx1hT4GZhLZ3+x+j/GrDKk2/Fn0xG +71RB9wWoiQ9kJxxxOhz6q9AOCYtn9c7FW8u95kLg73XycyaOpiLNsFJN7eXPwmQt +A/KzhtsGdCWoGeMWQ9kN9zFY08tdxHQd+jCnwbd+POGe8W8rXHPCaDMtJChSofUU +pZrXJ/ypvn7pBel4L2/EzpYitvVBr43AioXFNUfQipxx50QPNF/z/kSVdrMeraTu +yzw/WrxvQ1WouYBHOMFDwPJx6dArsxY9PIEWSQzRBfBbZqkCojjbdJwMqVCzZtgS +gI3h3SLzIk2Azi6GoovA0ZL3jG0fMB3UTI61kbHdGPmcmBgPqyTJ6m+fkVGBsOxz +0chv9/1iK9gY6whLMu433/ftCsdvb++eb+Sd9cQjq944dHyJhXfxXFSPcTOfLPvl +WJLy696QBLn1uXI10BB14FoPk/of3icU/2Ckkazg9Feg1SHuinnoIMdmgjA8i+s8 +egwzZOaMLhX9YGKdONEDPT0Jaclx2MpowVSA4Tq7caqQvBGBOw== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_cps_uri_ok_01.pem b/v3/testdata/invalid_cps_uri_ok_01.pem new file mode 100644 index 000000000..31baa3e55 --- /dev/null +++ b/v3/testdata/invalid_cps_uri_ok_01.pem 
@@ -0,0 +1,109 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6516163087356195736 (0x5a6e0fcdc860f398) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 30 16:57:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + CPS: https://ca.someca-inc.com/cps + + Signature Algorithm: sha256WithRSAEncryption + 
17:6a:75:79:9d:ae:e0:00:0c:93:9e:74:02:70:9d:e3:58:b2: + 55:4e:2c:88:b2:6c:89:87:c5:e4:ec:31:97:c6:12:b3:2e:92: + 1a:60:e8:40:23:99:93:c7:bc:d9:d1:ce:66:de:4b:14:b1:86: + c5:c6:9d:6c:28:16:e0:2d:74:ee:8c:49:b8:39:ad:a2:d3:25: + 8e:ac:f8:c7:af:7e:e5:1d:a8:f2:1b:e2:cb:69:94:e2:58:e1: + 47:4c:34:9d:f7:bd:a8:b0:f0:92:e5:05:94:a0:c0:38:3b:34: + 22:ef:cc:5c:47:db:fa:b0:82:2a:f5:8f:25:85:53:fe:fe:2c: + 9e:22:c0:78:02:e3:e9:32:71:11:01:cb:c7:d3:db:a7:e5:27: + 2c:72:44:d0:f4:4c:57:08:eb:26:36:e1:ee:40:ce:2f:81:45: + 75:1c:4f:d1:9d:c5:e5:f0:88:3c:c2:fb:0b:c4:6a:a8:7c:a6: + ea:5d:33:9e:b8:6e:92:57:af:13:12:51:4d:1b:8f:2e:bd:7d: + 2f:5e:2e:ac:57:9d:78:23:5b:1d:e5:4b:be:d3:d4:20:18:40: + 27:cd:4b:9a:f2:2e:1c:19:bf:6d:50:80:39:e2:28:70:c1:8b: + 4a:dc:2e:98:da:6d:12:ce:1e:58:29:fa:04:fe:14:6a:81:7c: + 9e:c2:fd:93:fe:00:f1:a0:fb:e6:94:5f:b8:aa:18:12:86:70: + e1:02:9a:e4:91:a6:3e:14:9d:8d:4c:33:0b:b5:61:96:96:e9: + 95:bd:34:83:79:42:a9:98:19:6e:d8:68:a6:af:56:15:da:e7: + e5:d1:b3:6d:af:cf:96:03:bb:90:73:4e:18:43:a7:30:3c:dc: + fb:b5:69:48:96:d1:27:c8:89:0a:2b:bc:8c:48:45:0c:60:bb: + 15:01:84:de:8c:e0:47:cb:b7:7a:c5:06:94:bf:6a:25:c5:57: + af:69:69:94:17:b3:21:6c:ef:74:a5:bc:39:3a:4c:f7:3b:fe: + ab:20:7d:51:bb:5d:c2:cc:8c:23:5d:41:6a:d3:8f:5e:cc:1e: + 6f:70:45:1f:7c:1c:d4:62:76:43:8a:f8:48:34:5d:a1:65:c1: + 4a:5a:d0:56:96:45:33:29:b2:38:86:7f:d0:1b:d6:53:61:d9: + c6:2d:ea:cc:a6:ba:5e:d3:54:a6:b7:bc:09:f9:d9:39:e3:7f: + 78:e2:ec:fc:cc:46:d7:1f:e6:70:5f:a7:88:cb:73:76:c0:57: + b6:14:80:6a:b4:dc:a8:dc:16:87:05:ae:bf:16:1c:a8:a5:c8: + 6a:e6:ab:1c:66:52:9b:04:77:70:67:57:58:d3:9b:32:29:ea: + 79:71:50:27:3a:b6:34:9e +-----BEGIN CERTIFICATE----- +MIIFLDCCAxSgAwIBAgIIWm4Pzchg85gwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjUwMzA4MDg1 +MDAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
+BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS +BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4HBMIG+MAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwSAYDVR0gBEEwPzAIBgZngQwBAgIwMwYEKgMEBTArMCkGCCsGAQUFBwIBFh1o +dHRwczovL2NhLnNvbWVjYS1pbmMuY29tL2NwczANBgkqhkiG9w0BAQsFAAOCAgEA +F2p1eZ2u4AAMk550AnCd41iyVU4siLJsiYfF5Owxl8YSsy6SGmDoQCOZk8e82dHO +Zt5LFLGGxcadbCgW4C107oxJuDmtotMljqz4x69+5R2o8hviy2mU4ljhR0w0nfe9 +qLDwkuUFlKDAODs0Iu/MXEfb+rCCKvWPJYVT/v4sniLAeALj6TJxEQHLx9Pbp+Un +LHJE0PRMVwjrJjbh7kDOL4FFdRxP0Z3F5fCIPML7C8RqqHym6l0znrhuklevExJR +TRuPLr19L14urFedeCNbHeVLvtPUIBhAJ81LmvIuHBm/bVCAOeIocMGLStwumNpt +Es4eWCn6BP4UaoF8nsL9k/4A8aD75pRfuKoYEoZw4QKa5JGmPhSdjUwzC7Vhlpbp +lb00g3lCqZgZbthopq9WFdrn5dGzba/PlgO7kHNOGEOnMDzc+7VpSJbRJ8iJCiu8 +jEhFDGC7FQGE3ozgR8u3esUGlL9qJcVXr2lplBezIWzvdKW8OTpM9zv+qyB9Ubtd +wsyMI11BatOPXsweb3BFH3wc1GJ2Q4r4SDRdoWXBSlrQVpZFMymyOIZ/0BvWU2HZ +xi3qzKa6XtNUpre8CfnZOeN/eOLs/MxG1x/mcF+niMtzdsBXthSAarTcqNwWhwWu +vxYcqKXIauarHGZSmwR3cGdXWNObMinqeXFQJzq2NJ4= +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_cps_uri_ok_02.pem b/v3/testdata/invalid_cps_uri_ok_02.pem new file mode 100644 index 000000000..3743ed739 --- /dev/null +++ b/v3/testdata/invalid_cps_uri_ok_02.pem 
@@ -0,0 +1,107 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1791917909163485810 (0x18de2bd82a59aa72) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 30 16:57:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + + Signature Algorithm: sha256WithRSAEncryption + 7b:4a:e1:20:a9:28:1c:50:9b:f4:3d:eb:40:b4:02:96:05:4a: + 
cf:17:45:6c:6e:d8:4d:bd:d5:4e:26:64:37:4b:b4:7d:d6:b4: + bf:96:a6:1c:f1:a8:54:57:a3:6d:c9:12:82:c1:db:0d:78:f4: + f7:64:3b:88:fa:59:c3:3a:b0:a1:50:78:8b:4b:0a:dc:a3:64: + 77:16:2d:dc:ba:81:55:28:18:69:66:5f:94:0a:7a:06:b1:42: + 7d:c7:65:a1:b3:30:f9:2d:a5:20:cc:be:5e:e3:14:ce:67:f5: + 69:ea:11:7e:cd:62:be:89:eb:30:79:70:f3:fd:fd:e1:23:e9: + 27:20:b8:33:84:f2:e0:75:9c:c3:6b:41:69:42:72:9b:c3:21: + a4:be:fa:fa:87:21:e9:d0:1d:0a:ab:f3:07:a1:8e:f7:ea:47: + cf:e6:8c:8a:02:58:22:ca:17:3b:de:d7:43:63:63:0c:71:a1: + dc:77:43:fd:fc:07:e7:62:f8:d4:93:3b:a5:c8:33:1e:db:6c: + 91:03:91:6c:b2:0f:cf:c0:69:d8:60:6a:ea:08:d0:0d:48:47: + c8:e4:11:61:c4:2f:60:3a:3c:b4:38:90:d0:1b:70:d7:b1:e5: + fb:fd:35:81:be:38:88:5d:fc:2b:68:02:72:ee:00:ff:dd:40: + 72:63:d8:7b:4e:e8:c7:05:f0:45:73:d8:36:03:b4:65:c5:3b: + 0d:2d:61:99:91:c1:51:bb:f6:45:5d:d2:2a:31:a7:73:65:99: + 64:12:6c:79:96:98:0d:1f:e4:21:12:6f:7d:a3:a2:87:d3:29: + 1d:f3:2d:c9:e1:d5:74:af:09:bd:1e:85:07:f3:86:25:d6:f7: + 6e:37:d8:aa:10:9c:af:71:f6:07:4e:88:13:30:0e:2a:c9:24: + 19:8c:aa:f6:39:a7:36:92:6b:3b:c6:8e:66:2b:7d:0b:13:25: + e4:3b:30:c4:f9:f4:00:6f:ef:27:c2:45:6f:2e:06:c6:09:3a: + 91:51:28:e3:a6:db:68:51:4d:18:2c:ad:8b:c9:e2:c2:58:e3: + d7:d2:1f:85:8f:7b:0d:b1:60:08:6e:72:fd:e4:85:e3:68:39: + 4e:6d:b3:6f:4b:8a:71:be:ba:07:ba:e2:32:95:8b:83:ed:18: + 41:7c:b1:da:43:b6:1b:65:0a:61:0a:a9:3a:f8:59:8f:1e:34: + cd:52:c2:bd:c3:4d:3a:be:e8:10:01:0b:4a:16:1e:5a:0c:26: + 02:0f:a9:58:9d:70:44:a0:d6:ee:64:1c:68:40:f4:04:d5:2d: + 11:a0:76:7e:15:b3:5c:27:b2:87:b1:1c:7f:45:c9:b1:d0:2b: + 6c:c6:5d:80:c3:7b:43:0d +-----BEGIN CERTIFICATE----- +MIIE/zCCAuegAwIBAgIIGN4r2CpZqnIwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjUwMzA4MDg1 +MDAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE +BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS 
+BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4GUMIGRMAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwGwYDVR0gBBQwEjAIBgZngQwBAgIwBgYEKgMEBTANBgkqhkiG9w0BAQsFAAOC +AgEAe0rhIKkoHFCb9D3rQLQClgVKzxdFbG7YTb3VTiZkN0u0fda0v5amHPGoVFej +bckSgsHbDXj092Q7iPpZwzqwoVB4i0sK3KNkdxYt3LqBVSgYaWZflAp6BrFCfcdl +obMw+S2lIMy+XuMUzmf1aeoRfs1ivonrMHlw8/394SPpJyC4M4Ty4HWcw2tBaUJy +m8MhpL76+och6dAdCqvzB6GO9+pHz+aMigJYIsoXO97XQ2NjDHGh3HdD/fwH52L4 +1JM7pcgzHttskQORbLIPz8Bp2GBq6gjQDUhHyOQRYcQvYDo8tDiQ0Btw17Hl+/01 +gb44iF38K2gCcu4A/91AcmPYe07oxwXwRXPYNgO0ZcU7DS1hmZHBUbv2RV3SKjGn +c2WZZBJseZaYDR/kIRJvfaOih9MpHfMtyeHVdK8JvR6FB/OGJdb3bjfYqhCcr3H2 +B06IEzAOKskkGYyq9jmnNpJrO8aOZit9CxMl5DswxPn0AG/vJ8JFby4Gxgk6kVEo +46bbaFFNGCyti8niwljj19IfhY97DbFgCG5y/eSF42g5Tm2zb0uKcb66B7riMpWL +g+0YQXyx2kO2G2UKYQqpOvhZjx40zVLCvcNNOr7oEAELShYeWgwmAg+pWJ1wRKDW +7mQcaED0BNUtEaB2fhWzXCeyh7Ecf0XJsdArbMZdgMN7Qw0= +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_cps_uri_ok_03.pem b/v3/testdata/invalid_cps_uri_ok_03.pem new file mode 100644 index 000000000..39bff4caf --- /dev/null +++ b/v3/testdata/invalid_cps_uri_ok_03.pem 
@@ -0,0 +1,109 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5909114158428413719 (0x52016404ee5b5f17) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Sep 13 16:57:00 2023 GMT + Not After : Aug 13 16:57:00 2024 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + CPS: ftp://www.some-ca.inc/cps + + Signature Algorithm: sha256WithRSAEncryption + 
7e:98:f4:4b:2e:e1:88:8e:e1:7a:1c:8e:e2:9a:6b:55:4e:a0: + 74:63:1d:aa:3c:63:fb:a1:e4:e5:16:53:e0:db:a7:8d:e3:08: + 1b:20:82:67:83:53:84:09:9c:c9:0d:a7:dc:e9:22:51:ea:54: + 70:15:32:da:11:84:6b:26:94:20:1d:99:11:2a:1f:ac:96:35: + 3c:75:30:ae:4e:77:83:95:00:b4:16:27:bd:96:a5:17:51:69: + 4a:96:40:78:d0:9f:bb:42:1d:d6:aa:ca:fe:cc:96:53:e3:8d: + ee:72:15:db:d4:12:2f:98:1a:07:7c:ef:a7:51:c8:9d:d2:c1: + cb:ba:76:4f:22:95:73:ff:52:fe:3e:f5:1c:9b:cb:e2:36:3e: + bd:28:ac:d0:f5:f1:e9:a0:bb:44:60:f6:a2:90:88:29:79:d5: + 6e:74:f1:5c:ab:d8:19:5f:c0:0c:bd:94:ab:f0:1f:2f:32:2b: + 94:80:6d:66:9e:97:17:7b:d2:d0:89:73:4b:04:0d:3f:ce:69: + d6:13:f5:91:2a:a0:75:d9:98:bb:e0:be:38:41:2a:7b:c8:78: + bf:39:18:9d:fc:62:e2:24:b6:74:49:9b:8c:1e:3c:df:53:81: + ef:33:4a:7a:83:59:8f:2e:7e:cb:70:32:aa:dc:a1:e8:b0:f7: + 6e:ed:28:1b:1a:1f:d9:4b:b4:90:b1:2c:3a:29:ef:02:b3:4d: + e7:18:6c:ec:72:4f:a9:85:19:93:d9:b0:12:da:52:d4:17:cb: + 69:44:17:4e:fe:05:b1:d7:f8:e7:42:ee:05:d8:a4:f7:89:31: + f1:c1:dd:58:1c:2c:ff:ba:c8:bd:46:fa:73:d1:d3:5a:d8:e8: + 21:37:fd:19:3d:1a:ac:06:b2:cb:e0:18:da:9f:61:5a:b6:5c: + e9:e7:1f:cd:0b:08:1f:c4:ac:56:26:88:09:53:12:e5:42:54: + 50:78:0c:d5:61:11:81:a7:1a:c8:3a:1c:21:7d:05:77:ba:0c: + 8d:28:77:41:5b:c8:f4:6a:65:72:43:ba:d6:67:2f:7e:f2:ee: + dd:36:8f:7b:aa:cc:ff:f4:11:74:d5:24:5d:31:6c:13:ca:f7: + 3a:dd:35:b5:8c:5b:8f:bc:a7:3d:b1:fd:14:38:29:58:b0:47: + 53:f6:65:b7:fd:93:a1:5d:5e:bb:ad:b0:cd:2a:c2:1a:79:05: + 75:af:ce:fe:43:25:e6:d4:a9:fa:01:b6:ca:c0:b6:2c:a7:1f: + b1:29:1a:bd:b6:d0:1b:c7:0b:2a:11:65:18:6b:b3:9f:c8:61: + 35:a9:7b:08:2d:5b:3d:01:26:14:89:5c:e1:13:43:d1:5d:bd: + c7:3a:76:36:a2:10:66:18 +-----BEGIN CERTIFICATE----- +MIIFKDCCAxCgAwIBAgIIUgFkBO5bXxcwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjMwOTEzMTY1NzAwWhcNMjQwODEzMTY1 +NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
+BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS +BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4G9MIG6MAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwRAYDVR0gBD0wOzAIBgZngQwBAgIwLwYEKgMEBTAnMCUGCCsGAQUFBwIBFhlm +dHA6Ly93d3cuc29tZS1jYS5pbmMvY3BzMA0GCSqGSIb3DQEBCwUAA4ICAQB+mPRL +LuGIjuF6HI7immtVTqB0Yx2qPGP7oeTlFlPg26eN4wgbIIJng1OECZzJDafc6SJR +6lRwFTLaEYRrJpQgHZkRKh+sljU8dTCuTneDlQC0Fie9lqUXUWlKlkB40J+7Qh3W +qsr+zJZT443uchXb1BIvmBoHfO+nUcid0sHLunZPIpVz/1L+PvUcm8viNj69KKzQ +9fHpoLtEYPaikIgpedVudPFcq9gZX8AMvZSr8B8vMiuUgG1mnpcXe9LQiXNLBA0/ +zmnWE/WRKqB12Zi74L44QSp7yHi/ORid/GLiJLZ0SZuMHjzfU4HvM0p6g1mPLn7L +cDKq3KHosPdu7SgbGh/ZS7SQsSw6Ke8Cs03nGGzsck+phRmT2bAS2lLUF8tpRBdO +/gWx1/jnQu4F2KT3iTHxwd1YHCz/usi9Rvpz0dNa2OghN/0ZPRqsBrLL4Bjan2Fa +tlzp5x/NCwgfxKxWJogJUxLlQlRQeAzVYRGBpxrIOhwhfQV3ugyNKHdBW8j0amVy +Q7rWZy9+8u7dNo97qsz/9BF01SRdMWwTyvc63TW1jFuPvKc9sf0UOClYsEdT9mW3 +/ZOhXV67rbDNKsIaeQV1r87+QyXm1Kn6AbbKwLYspx+xKRq9ttAbxwsqEWUYa7Of +yGE1qXsILVs9ASYUiVzhE0PRXb3HOnY2ohBmGA== +-----END CERTIFICATE----- From e2f2f0ed5a7ab95d78cdb32fc99d2cb53494935e Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 14:25:52 +0200 Subject: [PATCH 16/29] Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go --- v3/lints/cabf_br/lint_e_invalid_cps_uri.go | 74 ---------------------- 1 file changed, 74 deletions(-) delete mode 100644 v3/lints/cabf_br/lint_e_invalid_cps_uri.go 
diff --git a/v3/lints/cabf_br/lint_e_invalid_cps_uri.go b/v3/lints/cabf_br/lint_e_invalid_cps_uri.go
deleted file mode 100644
index a2c542d50..000000000
--- a/v3/lints/cabf_br/lint_e_invalid_cps_uri.go
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * ZLint Copyright 2024 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*
- * Contributed by Adriano Santoni
- * of ACTALIS S.p.A. (www.actalis.com).
- */
-
-package cabf_br
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/v3/lint"
- "github.com/zmap/zlint/v3/util"
-
- "net/url"
-)
-
-func init() {
- lint.RegisterCertificateLint(&lint.CertificateLint{
- LintMetadata: lint.LintMetadata{
- Name: "e_invalid_cps_uri",
- Description: "If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL",
- Citation: "CABF BR 7.1.2 (several subsections thereof)",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABFBRs_2_0_0_Date,
- },
- Lint: NewInvalidCPSUri,
- })
-}
-
-type invalidCPSUri struct{}
-
-func NewInvalidCPSUri() lint.LintInterface {
- return &invalidCPSUri{}
-}
-
-func (l *invalidCPSUri) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.CertPolicyOID)
-}
-
-func isValidHttpOrHttpsURL(input string) bool {
- parsedURL, err := url.Parse(input)
- if err != nil {
- return false
- }
-
- scheme := parsedURL.Scheme
- return scheme == "http" || scheme == "https"
-}
-
-func (l *invalidCPSUri) Execute(c *x509.Certificate) *lint.LintResult {
- // There should normally be just one CPS URI, but one never knows...
- for _, pol := range c.CPSuri {
- for _, uri := range pol {
- if !isValidHttpOrHttpsURL(uri) {
- return &lint.LintResult{Status: lint.Error}
- }
- }
- }
-
- return &lint.LintResult{Status: lint.Pass}
-}
From 126e1acaaa12916ff65651716fced0bf715f04a0 Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Mon, 8 Apr 2024 14:26:16 +0200
Subject: [PATCH 17/29] Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
---
.../cabf_br/lint_e_invalid_cps_uri_test.go | 83 -------------------
1 file changed, 83 deletions(-)
delete mode 100644 v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
diff --git a/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go b/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
deleted file mode 100644
index 7170bfa07..000000000
--- a/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * ZLint Copyright 2024 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*
- * Contributed by Adriano Santoni
- * of ACTALIS S.p.A. (www.actalis.com).
- */
-
-package cabf_br
-
-import (
- "testing"
-
- "github.com/zmap/zlint/v3/lint"
- "github.com/zmap/zlint/v3/test"
-)
-
-/*
- === Pass test cases ===
- invalid_cps_uri_ok_01.pem Certificate with a well-formed CPS URI
- invalid_cps_uri_ok_02.pem Certificate without a CPS URI
-
- === NE test cases ===
- invalid_cps_uri_ok_03.pem Certificate with an invalid CPS URI, but issued before effective date
-
- === Fail test cases ===
- invalid_cps_uri_ko_01.pem Certificate with an invalid CPS URI (disallowed scheme)
- invalid_cps_uri_ko_02.pem Certificate with an invalid CPS URI (syntax error)
- invalid_cps_uri_ko_03.pem Certificate with two CPS URIs, one good and one bad
-*/
-
-func TestInvalidCPSUri(t *testing.T) {
- type Data struct {
- input string
- want lint.LintStatus
- }
- data := []Data{
- {
- input: "invalid_cps_uri_ok_01.pem",
- want: lint.Pass,
- },
- {
- input: "invalid_cps_uri_ok_02.pem",
- want: lint.Pass,
- },
- {
- input: "invalid_cps_uri_ok_03.pem",
- want: lint.NE,
- },
- {
- input: "invalid_cps_uri_ko_01.pem",
- want: lint.Error,
- },
- {
- input: "invalid_cps_uri_ko_02.pem",
- want: lint.Error,
- },
- {
- input: "invalid_cps_uri_ko_03.pem",
- want: lint.Error,
- },
- }
- for _, testData := range data {
- testData := testData
- t.Run(testData.input, func(t *testing.T) {
- out := test.TestLint("e_invalid_cps_uri", testData.input)
- if out.Status != testData.want {
- t.Errorf("expected %s, got %s", testData.want, out.Status)
- }
- })
- }
-}
From a7fbe525a238561555d7ab20b62c7c91ee4e9d1d Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Mon, 8 Apr 2024 14:26:52 +0200
Subject: [PATCH 18/29] Delete v3/testdata/invalid_cps_uri_ko_01.pem
---
v3/testdata/invalid_cps_uri_ko_01.pem | 109 --------------------------
1 file changed, 109 deletions(-)
delete mode 100644 v3/testdata/invalid_cps_uri_ko_01.pem
diff --git a/v3/testdata/invalid_cps_uri_ko_01.pem b/v3/testdata/invalid_cps_uri_ko_01.pem
deleted file mode 100644
index 708b80ce0..000000000
--- a/v3/testdata/invalid_cps_uri_ko_01.pem
+++ /dev/null
@@ -1,109 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 793070860651290632 (0xb018dbef2d56008) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Mar 30 16:57:00 2024 GMT - Not After : Aug 13 16:57:00 2024 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - CPS: ftp://www.some-ca.inc/cps - - Signature Algorithm: sha256WithRSAEncryption - 
97:54:ef:06:28:ff:dd:57:18:92:a4:e1:89:56:d5:90:f4:46: - 9d:df:f4:67:d4:5f:dd:b5:0c:33:0a:cb:bc:a4:3c:86:3b:0b: - 48:61:f0:0b:68:b1:72:ee:2a:55:f1:78:d4:25:10:ef:58:00: - 5f:2e:26:a8:76:32:0e:45:31:69:98:79:a7:5d:51:b5:5d:d8: - 4b:61:41:ee:02:ce:e6:10:18:cb:88:cd:3a:00:db:27:51:75: - ef:23:b8:61:2b:53:72:a6:fd:95:96:80:c2:3a:87:8a:f2:cf: - a4:c2:56:d2:8f:3d:52:28:a8:ee:11:c2:f4:0f:cb:6f:87:30: - 35:8d:bd:0f:a2:3f:25:6b:b3:68:de:46:8d:fa:23:d9:8a:43: - 90:a0:6b:97:cf:bb:8a:b5:e4:64:d0:dc:07:3f:e5:46:d0:d5: - 79:e7:0f:7b:0c:ac:4c:03:8c:d3:c3:55:14:76:ed:02:a6:e1: - 96:58:ab:2c:42:ac:6d:e7:75:04:3f:35:ae:7f:35:a0:5f:e7: - 10:df:22:3f:94:eb:a2:9a:1a:a7:75:8d:f8:13:95:c4:a0:bc: - a5:90:ab:8f:af:f5:42:ba:c0:15:47:c8:15:47:d9:98:70:c8: - ff:10:90:1b:68:3d:74:ed:ec:94:14:70:5a:33:ce:1a:d7:ba: - 9a:38:0e:d3:dc:9c:83:54:19:5e:bc:95:7e:ed:e6:8e:18:93: - 28:c8:b9:77:a5:e5:a9:31:8e:29:9c:b2:8c:e3:d5:29:ce:5f: - 5d:1c:b7:f7:00:36:5a:38:e3:99:a0:7c:20:a6:38:dd:6d:5b: - d8:76:e1:03:51:51:d2:7b:3b:01:35:4a:88:76:72:63:61:19: - 7e:4e:79:62:7a:c0:e6:0c:a8:9e:3e:cf:15:1a:98:ab:f1:67: - 8e:f7:4d:a4:01:b7:72:59:44:ec:e2:2d:d0:be:d0:9e:4f:af: - 4f:56:06:90:c8:04:b3:04:cd:00:ca:c9:cb:d3:c4:04:0c:d6: - 2e:0b:c7:85:05:31:32:89:70:4e:2f:b9:f1:04:b5:35:1f:0d: - 12:0d:8d:fe:3c:1f:c7:bf:10:5d:01:c8:56:27:83:3d:67:ac: - 82:e6:40:70:89:8d:c7:d7:5b:e2:3d:95:1d:e4:fa:92:ce:4e: - f7:47:88:e0:b7:10:60:8b:5f:8f:6c:7f:53:56:db:4b:ab:84: - db:d1:42:28:f9:de:35:4d:ad:c7:d7:e8:8c:13:c5:24:51:88: - 3e:f3:9d:b3:7a:ba:14:9a:ac:ae:6b:a4:6e:c3:7c:53:18:0d: - b2:9f:17:c7:96:de:56:ef:fd:bd:b8:b7:30:d0:7c:81:28:4c: - 12:db:c0:f0:e5:50:83:cb ------BEGIN CERTIFICATE----- -MIIFKDCCAxCgAwIBAgIICwGNvvLVYAgwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 -NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
-BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS -BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4G9MIG6MAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwRAYDVR0gBD0wOzAIBgZngQwBAgIwLwYEKgMEBTAnMCUGCCsGAQUFBwIBFhlm -dHA6Ly93d3cuc29tZS1jYS5pbmMvY3BzMA0GCSqGSIb3DQEBCwUAA4ICAQCXVO8G -KP/dVxiSpOGJVtWQ9Ead3/Rn1F/dtQwzCsu8pDyGOwtIYfALaLFy7ipV8XjUJRDv -WABfLiaodjIORTFpmHmnXVG1XdhLYUHuAs7mEBjLiM06ANsnUXXvI7hhK1Nypv2V -loDCOoeK8s+kwlbSjz1SKKjuEcL0D8tvhzA1jb0Poj8la7No3kaN+iPZikOQoGuX -z7uKteRk0NwHP+VG0NV55w97DKxMA4zTw1UUdu0CpuGWWKssQqxt53UEPzWufzWg -X+cQ3yI/lOuimhqndY34E5XEoLylkKuPr/VCusAVR8gVR9mYcMj/EJAbaD107eyU -FHBaM84a17qaOA7T3JyDVBlevJV+7eaOGJMoyLl3peWpMY4pnLKM49Upzl9dHLf3 -ADZaOOOZoHwgpjjdbVvYduEDUVHSezsBNUqIdnJjYRl+TnliesDmDKiePs8VGpir -8WeO902kAbdyWUTs4i3QvtCeT69PVgaQyASzBM0AysnL08QEDNYuC8eFBTEyiXBO -L7nxBLU1Hw0SDY3+PB/HvxBdAchWJ4M9Z6yC5kBwiY3H11viPZUd5PqSzk73R4jg -txBgi1+PbH9TVttLq4Tb0UIo+d41Ta3H1+iME8UkUYg+852zeroUmqyua6Ruw3xT -GA2ynxfHlt5W7/29uLcw0HyBKEwS28Dw5VCDyw== ------END CERTIFICATE----- From b289660debed201b98dfbf9085912bf462924801 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 14:27:15 +0200 Subject: [PATCH 19/29] Delete v3/testdata/invalid_cps_uri_ko_02.pem --- v3/testdata/invalid_cps_uri_ko_02.pem | 109 -------------------------- 1 file changed, 109 deletions(-) delete mode 100644 v3/testdata/invalid_cps_uri_ko_02.pem 
diff --git a/v3/testdata/invalid_cps_uri_ko_02.pem b/v3/testdata/invalid_cps_uri_ko_02.pem
deleted file mode 100644
index 8e87b4c1f..000000000
--- a/v3/testdata/invalid_cps_uri_ko_02.pem
+++ /dev/null
@@ -1,109 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1892436556900320617 (0x1a4349059e01c569) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Mar 30 16:57:00 2024 GMT - Not After : Aug 13 16:57:00 2024 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - CPS: www.some-ca.inc - - Signature Algorithm: sha256WithRSAEncryption - 16:57:14:9b:a6:7b:51:88:49:42:81:dc:ae:c0:13:ff:5e:55: - 
cf:24:5b:c8:00:68:dc:ac:7f:23:db:e5:24:bd:da:93:71:70: - c1:4a:7c:22:09:61:51:da:07:52:b7:5c:e8:0f:9e:30:6f:8e: - 5e:33:0b:a2:75:2a:14:85:80:a9:72:5d:ba:c0:31:31:4f:b7: - 56:ae:37:0a:9b:79:e5:34:5a:24:44:c6:c0:6f:b8:39:de:96: - 69:43:f3:e9:69:c0:eb:5a:f3:c3:2b:7a:03:8b:d4:06:c6:a7: - de:09:00:c5:85:12:0f:6b:bb:1d:96:c7:e2:7a:17:56:17:dd: - c5:25:2c:41:3c:cb:d9:77:b6:fc:81:5b:d3:16:d1:c7:6b:8a: - bc:0e:5a:30:74:33:12:dd:ff:40:a4:83:2a:83:58:72:41:84: - 19:87:f9:5c:3a:1d:c7:79:ca:5f:2c:ec:60:f3:a2:64:33:f4: - 87:d8:f9:54:ba:28:7f:69:e7:2f:f7:40:04:90:86:21:3c:68: - 0e:ee:c9:b2:ce:47:d7:2c:8a:90:65:83:70:59:53:fd:8a:df: - f7:2c:91:c2:06:be:ed:9b:89:65:47:32:ec:ec:70:c1:5c:7f: - ee:24:ea:ec:a7:b5:6f:28:b0:11:5f:47:e7:f5:ce:82:63:36: - 6b:7a:74:53:00:e3:72:2c:1d:9e:4e:e7:27:54:59:1d:43:61: - 36:53:bc:ba:7c:d4:d4:db:af:bd:4e:1c:a2:de:98:f0:a9:48: - 75:73:1d:2a:cd:ea:12:b0:a9:dd:25:01:f7:e4:3c:15:8c:cb: - 53:ff:d1:33:b8:a0:4d:fa:c7:c3:d8:b9:6d:e3:df:62:77:6e: - 89:7b:17:c4:bc:96:3f:ed:25:72:f2:7b:66:04:49:da:91:a9: - 73:ca:50:9b:ad:e2:46:ef:dd:7f:7a:14:55:df:ad:c5:55:f9: - f8:77:a7:1c:09:d7:42:ff:28:ef:c6:5b:e0:b5:f0:80:d8:ac: - 09:45:1c:eb:a0:e5:69:07:de:ef:6d:b3:0d:6b:5d:e8:ea:d3: - 9b:b3:98:70:45:fd:8f:5b:53:14:c0:e6:0b:57:5f:9a:37:14: - 69:e2:10:8f:ab:59:3f:b7:54:51:4f:03:6c:1d:ce:54:40:2a: - be:f2:b5:f6:c8:25:b4:70:be:f7:44:4d:ed:03:ab:c3:98:59: - 87:2a:41:be:5a:1b:d6:0d:40:11:64:ef:0f:13:37:fe:49:c3: - c7:df:f8:2d:e5:5a:6b:b4:e7:d2:52:1f:57:75:04:f9:0c:09: - 5a:b4:e6:8f:be:74:5f:24:9b:bd:92:4c:ee:3d:96:1d:a1:fa: - f2:51:42:4e:bc:a3:a8:c3 ------BEGIN CERTIFICATE----- -MIIFHjCCAwagAwIBAgIIGkNJBZ4BxWkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 -NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE -BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS 
-BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4GzMIGwMAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwOgYDVR0gBDMwMTAIBgZngQwBAgIwJQYEKgMEBTAdMBsGCCsGAQUFBwIBFg93 -d3cuc29tZS1jYS5pbmMwDQYJKoZIhvcNAQELBQADggIBABZXFJume1GISUKB3K7A -E/9eVc8kW8gAaNysfyPb5SS92pNxcMFKfCIJYVHaB1K3XOgPnjBvjl4zC6J1KhSF -gKlyXbrAMTFPt1auNwqbeeU0WiRExsBvuDnelmlD8+lpwOta88MregOL1AbGp94J -AMWFEg9rux2Wx+J6F1YX3cUlLEE8y9l3tvyBW9MW0cdrirwOWjB0MxLd/0CkgyqD -WHJBhBmH+Vw6Hcd5yl8s7GDzomQz9IfY+VS6KH9p5y/3QASQhiE8aA7uybLOR9cs -ipBlg3BZU/2K3/cskcIGvu2biWVHMuzscMFcf+4k6uyntW8osBFfR+f1zoJjNmt6 -dFMA43IsHZ5O5ydUWR1DYTZTvLp81NTbr71OHKLemPCpSHVzHSrN6hKwqd0lAffk -PBWMy1P/0TO4oE36x8PYuW3j32J3bol7F8S8lj/tJXLye2YESdqRqXPKUJut4kbv -3X96FFXfrcVV+fh3pxwJ10L/KO/GW+C18IDYrAlFHOug5WkH3u9tsw1rXejq05uz -mHBF/Y9bUxTA5gtXX5o3FGniEI+rWT+3VFFPA2wdzlRAKr7ytfbIJbRwvvdETe0D -q8OYWYcqQb5aG9YNQBFk7w8TN/5Jw8ff+C3lWmu059JSH1d1BPkMCVq05o++dF8k -m72STO49lh2h+vJRQk68o6jD ------END CERTIFICATE----- From b5af6be446a242166638f582ba90867e1b5cbde1 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 14:27:42 +0200 Subject: [PATCH 20/29] Delete v3/testdata/invalid_cps_uri_ko_03.pem --- v3/testdata/invalid_cps_uri_ko_03.pem | 112 -------------------------- 1 file changed, 112 deletions(-) delete mode 100644 v3/testdata/invalid_cps_uri_ko_03.pem diff --git a/v3/testdata/invalid_cps_uri_ko_03.pem b/v3/testdata/invalid_cps_uri_ko_03.pem deleted file mode 100644 index 87f547721..000000000 
--- a/v3/testdata/invalid_cps_uri_ko_03.pem
+++ /dev/null
@@ -1,112 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1059656979734169929 (0xeb4a868a4d18949) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Mar 30 16:57:00 2024 GMT - Not After : Aug 13 16:57:00 2024 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - CPS: https://www.some-ca.inc/cps - Policy: 1.3.6.1.5.1.1234567890.1.1 - CPS: this is not a valid url - - Signature Algorithm: 
sha256WithRSAEncryption - 93:29:fc:e5:54:0f:83:0a:37:36:85:37:90:d0:9c:4b:af:56: - 23:3e:88:6d:25:41:d2:23:4b:87:ee:9f:8b:6c:9b:eb:0d:5e: - 10:fa:44:8f:26:33:31:ec:7e:a8:7f:4a:91:ad:2b:fc:7c:db: - f3:fa:4c:76:5e:d6:39:78:99:f3:a6:52:ed:61:8e:8e:8f:71: - 9b:e6:d8:75:dd:b5:47:c3:f7:84:e8:ad:09:52:c9:76:0c:b2: - d3:e1:a9:cf:52:05:b2:d5:7e:9a:f4:67:15:7b:43:7e:7e:3f: - 84:ec:ca:a5:c8:b8:6e:09:64:6d:c7:58:53:e0:66:61:2d:9d: - fe:c7:e8:ff:1a:b0:ca:93:6f:c5:9f:4c:46:ef:54:41:f7:05: - a8:89:0f:64:27:1c:71:3a:1c:fa:ab:d0:0e:09:8b:67:f5:ce: - c5:5b:cb:bd:e6:42:e0:ef:75:f2:73:26:8e:a6:22:cd:b0:52: - 4d:ed:e5:cf:c2:64:2d:03:f2:b3:86:db:06:74:25:a8:19:e3: - 16:43:d9:0d:f7:31:58:d3:cb:5d:c4:74:1d:fa:30:a7:c1:b7: - 7e:3c:e1:9e:f1:6f:2b:5c:73:c2:68:33:2d:24:28:52:a1:f5: - 14:a5:9a:d7:27:fc:a9:be:7e:e9:05:e9:78:2f:6f:c4:ce:96: - 22:b6:f5:41:af:8d:c0:8a:85:c5:35:47:d0:8a:9c:71:e7:44: - 0f:34:5f:f3:fe:44:95:76:b3:1e:ad:a4:ee:cb:3c:3f:5a:bc: - 6f:43:55:a8:b9:80:47:38:c1:43:c0:f2:71:e9:d0:2b:b3:16: - 3d:3c:81:16:49:0c:d1:05:f0:5b:66:a9:02:a2:38:db:74:9c: - 0c:a9:50:b3:66:d8:12:80:8d:e1:dd:22:f3:22:4d:80:ce:2e: - 86:a2:8b:c0:d1:92:f7:8c:6d:1f:30:1d:d4:4c:8e:b5:91:b1: - dd:18:f9:9c:98:18:0f:ab:24:c9:ea:6f:9f:91:51:81:b0:ec: - 73:d1:c8:6f:f7:fd:62:2b:d8:18:eb:08:4b:32:ee:37:df:f7: - ed:0a:c7:6f:6f:ef:9e:6f:e4:9d:f5:c4:23:ab:de:38:74:7c: - 89:85:77:f1:5c:54:8f:71:33:9f:2c:fb:e5:58:92:f2:eb:de: - 90:04:b9:f5:b9:72:35:d0:10:75:e0:5a:0f:93:fa:1f:de:27: - 14:ff:60:a4:91:ac:e0:f4:57:a0:d5:21:ee:8a:79:e8:20:c7: - 66:82:30:3c:8b:eb:3c:7a:0c:33:64:e6:8c:2e:15:fd:60:62: - 9d:38:d1:03:3d:3d:09:69:c9:71:d8:ca:68:c1:54:80:e1:3a: - bb:71:aa:90:bc:11:81:3b ------BEGIN CERTIFICATE----- -MIIFYTCCA0mgAwIBAgIIDrSoaKTRiUkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 
-NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE -BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS -BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4H2MIHzMAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwfQYDVR0gBHYwdDAIBgZngQwBAgIwMQYEKgMEBTApMCcGCCsGAQUFBwIBFhto -dHRwczovL3d3dy5zb21lLWNhLmluYy9jcHMwNQYMKwYBBQGEzNiFUgEBMCUwIwYI -KwYBBQUHAgEWF3RoaXMgaXMgbm90IGEgdmFsaWQgdXJsMA0GCSqGSIb3DQEBCwUA -A4ICAQCTKfzlVA+DCjc2hTeQ0JxLr1YjPohtJUHSI0uH7p+LbJvrDV4Q+kSPJjMx -7H6of0qRrSv8fNvz+kx2XtY5eJnzplLtYY6Oj3Gb5th13bVHw/eE6K0JUsl2DLLT -4anPUgWy1X6a9GcVe0N+fj+E7MqlyLhuCWRtx1hT4GZhLZ3+x+j/GrDKk2/Fn0xG -71RB9wWoiQ9kJxxxOhz6q9AOCYtn9c7FW8u95kLg73XycyaOpiLNsFJN7eXPwmQt -A/KzhtsGdCWoGeMWQ9kN9zFY08tdxHQd+jCnwbd+POGe8W8rXHPCaDMtJChSofUU -pZrXJ/ypvn7pBel4L2/EzpYitvVBr43AioXFNUfQipxx50QPNF/z/kSVdrMeraTu -yzw/WrxvQ1WouYBHOMFDwPJx6dArsxY9PIEWSQzRBfBbZqkCojjbdJwMqVCzZtgS -gI3h3SLzIk2Azi6GoovA0ZL3jG0fMB3UTI61kbHdGPmcmBgPqyTJ6m+fkVGBsOxz -0chv9/1iK9gY6whLMu433/ftCsdvb++eb+Sd9cQjq944dHyJhXfxXFSPcTOfLPvl -WJLy696QBLn1uXI10BB14FoPk/of3icU/2Ckkazg9Feg1SHuinnoIMdmgjA8i+s8 -egwzZOaMLhX9YGKdONEDPT0Jaclx2MpowVSA4Tq7caqQvBGBOw== ------END CERTIFICATE----- From d9fea03ea512a70b607cf8982dc3e1b3aa09dc88 Mon Sep 17 00:00:00 2001 
From: Adriano Santoni
Date: Mon, 8 Apr 2024 14:27:59 +0200
Subject: [PATCH 21/29] Delete v3/testdata/invalid_cps_uri_ok_01.pem
---
v3/testdata/invalid_cps_uri_ok_01.pem | 109 --------------------------
1 file changed, 109 deletions(-)
delete mode 100644 v3/testdata/invalid_cps_uri_ok_01.pem
diff --git a/v3/testdata/invalid_cps_uri_ok_01.pem b/v3/testdata/invalid_cps_uri_ok_01.pem
deleted file mode 100644
index 31baa3e55..000000000
--- a/v3/testdata/invalid_cps_uri_ok_01.pem
+++ /dev/null
@@ -1,109 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 6516163087356195736 (0x5a6e0fcdc860f398) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Mar 30 16:57:00 2024 GMT - Not After : Mar 8 08:50:00 2025 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - CPS: https://ca.someca-inc.com/cps - - Signature Algorithm: sha256WithRSAEncryption - 
17:6a:75:79:9d:ae:e0:00:0c:93:9e:74:02:70:9d:e3:58:b2: - 55:4e:2c:88:b2:6c:89:87:c5:e4:ec:31:97:c6:12:b3:2e:92: - 1a:60:e8:40:23:99:93:c7:bc:d9:d1:ce:66:de:4b:14:b1:86: - c5:c6:9d:6c:28:16:e0:2d:74:ee:8c:49:b8:39:ad:a2:d3:25: - 8e:ac:f8:c7:af:7e:e5:1d:a8:f2:1b:e2:cb:69:94:e2:58:e1: - 47:4c:34:9d:f7:bd:a8:b0:f0:92:e5:05:94:a0:c0:38:3b:34: - 22:ef:cc:5c:47:db:fa:b0:82:2a:f5:8f:25:85:53:fe:fe:2c: - 9e:22:c0:78:02:e3:e9:32:71:11:01:cb:c7:d3:db:a7:e5:27: - 2c:72:44:d0:f4:4c:57:08:eb:26:36:e1:ee:40:ce:2f:81:45: - 75:1c:4f:d1:9d:c5:e5:f0:88:3c:c2:fb:0b:c4:6a:a8:7c:a6: - ea:5d:33:9e:b8:6e:92:57:af:13:12:51:4d:1b:8f:2e:bd:7d: - 2f:5e:2e:ac:57:9d:78:23:5b:1d:e5:4b:be:d3:d4:20:18:40: - 27:cd:4b:9a:f2:2e:1c:19:bf:6d:50:80:39:e2:28:70:c1:8b: - 4a:dc:2e:98:da:6d:12:ce:1e:58:29:fa:04:fe:14:6a:81:7c: - 9e:c2:fd:93:fe:00:f1:a0:fb:e6:94:5f:b8:aa:18:12:86:70: - e1:02:9a:e4:91:a6:3e:14:9d:8d:4c:33:0b:b5:61:96:96:e9: - 95:bd:34:83:79:42:a9:98:19:6e:d8:68:a6:af:56:15:da:e7: - e5:d1:b3:6d:af:cf:96:03:bb:90:73:4e:18:43:a7:30:3c:dc: - fb:b5:69:48:96:d1:27:c8:89:0a:2b:bc:8c:48:45:0c:60:bb: - 15:01:84:de:8c:e0:47:cb:b7:7a:c5:06:94:bf:6a:25:c5:57: - af:69:69:94:17:b3:21:6c:ef:74:a5:bc:39:3a:4c:f7:3b:fe: - ab:20:7d:51:bb:5d:c2:cc:8c:23:5d:41:6a:d3:8f:5e:cc:1e: - 6f:70:45:1f:7c:1c:d4:62:76:43:8a:f8:48:34:5d:a1:65:c1: - 4a:5a:d0:56:96:45:33:29:b2:38:86:7f:d0:1b:d6:53:61:d9: - c6:2d:ea:cc:a6:ba:5e:d3:54:a6:b7:bc:09:f9:d9:39:e3:7f: - 78:e2:ec:fc:cc:46:d7:1f:e6:70:5f:a7:88:cb:73:76:c0:57: - b6:14:80:6a:b4:dc:a8:dc:16:87:05:ae:bf:16:1c:a8:a5:c8: - 6a:e6:ab:1c:66:52:9b:04:77:70:67:57:58:d3:9b:32:29:ea: - 79:71:50:27:3a:b6:34:9e ------BEGIN CERTIFICATE----- -MIIFLDCCAxSgAwIBAgIIWm4Pzchg85gwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjUwMzA4MDg1 -MDAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
-BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS -BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4HBMIG+MAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwSAYDVR0gBEEwPzAIBgZngQwBAgIwMwYEKgMEBTArMCkGCCsGAQUFBwIBFh1o -dHRwczovL2NhLnNvbWVjYS1pbmMuY29tL2NwczANBgkqhkiG9w0BAQsFAAOCAgEA -F2p1eZ2u4AAMk550AnCd41iyVU4siLJsiYfF5Owxl8YSsy6SGmDoQCOZk8e82dHO -Zt5LFLGGxcadbCgW4C107oxJuDmtotMljqz4x69+5R2o8hviy2mU4ljhR0w0nfe9 -qLDwkuUFlKDAODs0Iu/MXEfb+rCCKvWPJYVT/v4sniLAeALj6TJxEQHLx9Pbp+Un -LHJE0PRMVwjrJjbh7kDOL4FFdRxP0Z3F5fCIPML7C8RqqHym6l0znrhuklevExJR -TRuPLr19L14urFedeCNbHeVLvtPUIBhAJ81LmvIuHBm/bVCAOeIocMGLStwumNpt -Es4eWCn6BP4UaoF8nsL9k/4A8aD75pRfuKoYEoZw4QKa5JGmPhSdjUwzC7Vhlpbp -lb00g3lCqZgZbthopq9WFdrn5dGzba/PlgO7kHNOGEOnMDzc+7VpSJbRJ8iJCiu8 -jEhFDGC7FQGE3ozgR8u3esUGlL9qJcVXr2lplBezIWzvdKW8OTpM9zv+qyB9Ubtd -wsyMI11BatOPXsweb3BFH3wc1GJ2Q4r4SDRdoWXBSlrQVpZFMymyOIZ/0BvWU2HZ -xi3qzKa6XtNUpre8CfnZOeN/eOLs/MxG1x/mcF+niMtzdsBXthSAarTcqNwWhwWu -vxYcqKXIauarHGZSmwR3cGdXWNObMinqeXFQJzq2NJ4= ------END CERTIFICATE----- From a3241602dde59a23f3a9e2d72c877b8084fb5abd Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 14:28:17 +0200 Subject: [PATCH 22/29] Delete v3/testdata/invalid_cps_uri_ok_02.pem --- v3/testdata/invalid_cps_uri_ok_02.pem | 107 -------------------------- 1 file changed, 107 deletions(-) delete mode 100644 v3/testdata/invalid_cps_uri_ok_02.pem 
diff --git a/v3/testdata/invalid_cps_uri_ok_02.pem b/v3/testdata/invalid_cps_uri_ok_02.pem
deleted file mode 100644
index 3743ed739..000000000
--- a/v3/testdata/invalid_cps_uri_ok_02.pem
+++ /dev/null
@@ -1,107 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1791917909163485810 (0x18de2bd82a59aa72) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Mar 30 16:57:00 2024 GMT - Not After : Mar 8 08:50:00 2025 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - - Signature Algorithm: sha256WithRSAEncryption - 7b:4a:e1:20:a9:28:1c:50:9b:f4:3d:eb:40:b4:02:96:05:4a: - 
cf:17:45:6c:6e:d8:4d:bd:d5:4e:26:64:37:4b:b4:7d:d6:b4: - bf:96:a6:1c:f1:a8:54:57:a3:6d:c9:12:82:c1:db:0d:78:f4: - f7:64:3b:88:fa:59:c3:3a:b0:a1:50:78:8b:4b:0a:dc:a3:64: - 77:16:2d:dc:ba:81:55:28:18:69:66:5f:94:0a:7a:06:b1:42: - 7d:c7:65:a1:b3:30:f9:2d:a5:20:cc:be:5e:e3:14:ce:67:f5: - 69:ea:11:7e:cd:62:be:89:eb:30:79:70:f3:fd:fd:e1:23:e9: - 27:20:b8:33:84:f2:e0:75:9c:c3:6b:41:69:42:72:9b:c3:21: - a4:be:fa:fa:87:21:e9:d0:1d:0a:ab:f3:07:a1:8e:f7:ea:47: - cf:e6:8c:8a:02:58:22:ca:17:3b:de:d7:43:63:63:0c:71:a1: - dc:77:43:fd:fc:07:e7:62:f8:d4:93:3b:a5:c8:33:1e:db:6c: - 91:03:91:6c:b2:0f:cf:c0:69:d8:60:6a:ea:08:d0:0d:48:47: - c8:e4:11:61:c4:2f:60:3a:3c:b4:38:90:d0:1b:70:d7:b1:e5: - fb:fd:35:81:be:38:88:5d:fc:2b:68:02:72:ee:00:ff:dd:40: - 72:63:d8:7b:4e:e8:c7:05:f0:45:73:d8:36:03:b4:65:c5:3b: - 0d:2d:61:99:91:c1:51:bb:f6:45:5d:d2:2a:31:a7:73:65:99: - 64:12:6c:79:96:98:0d:1f:e4:21:12:6f:7d:a3:a2:87:d3:29: - 1d:f3:2d:c9:e1:d5:74:af:09:bd:1e:85:07:f3:86:25:d6:f7: - 6e:37:d8:aa:10:9c:af:71:f6:07:4e:88:13:30:0e:2a:c9:24: - 19:8c:aa:f6:39:a7:36:92:6b:3b:c6:8e:66:2b:7d:0b:13:25: - e4:3b:30:c4:f9:f4:00:6f:ef:27:c2:45:6f:2e:06:c6:09:3a: - 91:51:28:e3:a6:db:68:51:4d:18:2c:ad:8b:c9:e2:c2:58:e3: - d7:d2:1f:85:8f:7b:0d:b1:60:08:6e:72:fd:e4:85:e3:68:39: - 4e:6d:b3:6f:4b:8a:71:be:ba:07:ba:e2:32:95:8b:83:ed:18: - 41:7c:b1:da:43:b6:1b:65:0a:61:0a:a9:3a:f8:59:8f:1e:34: - cd:52:c2:bd:c3:4d:3a:be:e8:10:01:0b:4a:16:1e:5a:0c:26: - 02:0f:a9:58:9d:70:44:a0:d6:ee:64:1c:68:40:f4:04:d5:2d: - 11:a0:76:7e:15:b3:5c:27:b2:87:b1:1c:7f:45:c9:b1:d0:2b: - 6c:c6:5d:80:c3:7b:43:0d ------BEGIN CERTIFICATE----- -MIIE/zCCAuegAwIBAgIIGN4r2CpZqnIwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjUwMzA4MDg1 -MDAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE -BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS 
-BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4GUMIGRMAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwGwYDVR0gBBQwEjAIBgZngQwBAgIwBgYEKgMEBTANBgkqhkiG9w0BAQsFAAOC -AgEAe0rhIKkoHFCb9D3rQLQClgVKzxdFbG7YTb3VTiZkN0u0fda0v5amHPGoVFej -bckSgsHbDXj092Q7iPpZwzqwoVB4i0sK3KNkdxYt3LqBVSgYaWZflAp6BrFCfcdl -obMw+S2lIMy+XuMUzmf1aeoRfs1ivonrMHlw8/394SPpJyC4M4Ty4HWcw2tBaUJy -m8MhpL76+och6dAdCqvzB6GO9+pHz+aMigJYIsoXO97XQ2NjDHGh3HdD/fwH52L4 -1JM7pcgzHttskQORbLIPz8Bp2GBq6gjQDUhHyOQRYcQvYDo8tDiQ0Btw17Hl+/01 -gb44iF38K2gCcu4A/91AcmPYe07oxwXwRXPYNgO0ZcU7DS1hmZHBUbv2RV3SKjGn -c2WZZBJseZaYDR/kIRJvfaOih9MpHfMtyeHVdK8JvR6FB/OGJdb3bjfYqhCcr3H2 -B06IEzAOKskkGYyq9jmnNpJrO8aOZit9CxMl5DswxPn0AG/vJ8JFby4Gxgk6kVEo -46bbaFFNGCyti8niwljj19IfhY97DbFgCG5y/eSF42g5Tm2zb0uKcb66B7riMpWL -g+0YQXyx2kO2G2UKYQqpOvhZjx40zVLCvcNNOr7oEAELShYeWgwmAg+pWJ1wRKDW -7mQcaED0BNUtEaB2fhWzXCeyh7Ecf0XJsdArbMZdgMN7Qw0= ------END CERTIFICATE----- From 9ef6f60dacadd65b804a98dce3f43421ca78c256 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 14:28:44 +0200 Subject: [PATCH 23/29] Delete v3/testdata/invalid_cps_uri_ok_03.pem --- v3/testdata/invalid_cps_uri_ok_03.pem | 109 -------------------------- 1 file changed, 109 deletions(-) delete mode 100644 v3/testdata/invalid_cps_uri_ok_03.pem diff --git a/v3/testdata/invalid_cps_uri_ok_03.pem b/v3/testdata/invalid_cps_uri_ok_03.pem deleted file mode 100644 index 39bff4caf..000000000 --- a/v3/testdata/invalid_cps_uri_ok_03.pem +++ /dev/null 
@@ -1,109 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 5909114158428413719 (0x52016404ee5b5f17) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Sep 13 16:57:00 2023 GMT - Not After : Aug 13 16:57:00 2024 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - CPS: ftp://www.some-ca.inc/cps - - Signature Algorithm: sha256WithRSAEncryption - 
7e:98:f4:4b:2e:e1:88:8e:e1:7a:1c:8e:e2:9a:6b:55:4e:a0: - 74:63:1d:aa:3c:63:fb:a1:e4:e5:16:53:e0:db:a7:8d:e3:08: - 1b:20:82:67:83:53:84:09:9c:c9:0d:a7:dc:e9:22:51:ea:54: - 70:15:32:da:11:84:6b:26:94:20:1d:99:11:2a:1f:ac:96:35: - 3c:75:30:ae:4e:77:83:95:00:b4:16:27:bd:96:a5:17:51:69: - 4a:96:40:78:d0:9f:bb:42:1d:d6:aa:ca:fe:cc:96:53:e3:8d: - ee:72:15:db:d4:12:2f:98:1a:07:7c:ef:a7:51:c8:9d:d2:c1: - cb:ba:76:4f:22:95:73:ff:52:fe:3e:f5:1c:9b:cb:e2:36:3e: - bd:28:ac:d0:f5:f1:e9:a0:bb:44:60:f6:a2:90:88:29:79:d5: - 6e:74:f1:5c:ab:d8:19:5f:c0:0c:bd:94:ab:f0:1f:2f:32:2b: - 94:80:6d:66:9e:97:17:7b:d2:d0:89:73:4b:04:0d:3f:ce:69: - d6:13:f5:91:2a:a0:75:d9:98:bb:e0:be:38:41:2a:7b:c8:78: - bf:39:18:9d:fc:62:e2:24:b6:74:49:9b:8c:1e:3c:df:53:81: - ef:33:4a:7a:83:59:8f:2e:7e:cb:70:32:aa:dc:a1:e8:b0:f7: - 6e:ed:28:1b:1a:1f:d9:4b:b4:90:b1:2c:3a:29:ef:02:b3:4d: - e7:18:6c:ec:72:4f:a9:85:19:93:d9:b0:12:da:52:d4:17:cb: - 69:44:17:4e:fe:05:b1:d7:f8:e7:42:ee:05:d8:a4:f7:89:31: - f1:c1:dd:58:1c:2c:ff:ba:c8:bd:46:fa:73:d1:d3:5a:d8:e8: - 21:37:fd:19:3d:1a:ac:06:b2:cb:e0:18:da:9f:61:5a:b6:5c: - e9:e7:1f:cd:0b:08:1f:c4:ac:56:26:88:09:53:12:e5:42:54: - 50:78:0c:d5:61:11:81:a7:1a:c8:3a:1c:21:7d:05:77:ba:0c: - 8d:28:77:41:5b:c8:f4:6a:65:72:43:ba:d6:67:2f:7e:f2:ee: - dd:36:8f:7b:aa:cc:ff:f4:11:74:d5:24:5d:31:6c:13:ca:f7: - 3a:dd:35:b5:8c:5b:8f:bc:a7:3d:b1:fd:14:38:29:58:b0:47: - 53:f6:65:b7:fd:93:a1:5d:5e:bb:ad:b0:cd:2a:c2:1a:79:05: - 75:af:ce:fe:43:25:e6:d4:a9:fa:01:b6:ca:c0:b6:2c:a7:1f: - b1:29:1a:bd:b6:d0:1b:c7:0b:2a:11:65:18:6b:b3:9f:c8:61: - 35:a9:7b:08:2d:5b:3d:01:26:14:89:5c:e1:13:43:d1:5d:bd: - c7:3a:76:36:a2:10:66:18 ------BEGIN CERTIFICATE----- -MIIFKDCCAxCgAwIBAgIIUgFkBO5bXxcwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjMwOTEzMTY1NzAwWhcNMjQwODEzMTY1 -NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
-BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS -BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4G9MIG6MAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwRAYDVR0gBD0wOzAIBgZngQwBAgIwLwYEKgMEBTAnMCUGCCsGAQUFBwIBFhlm -dHA6Ly93d3cuc29tZS1jYS5pbmMvY3BzMA0GCSqGSIb3DQEBCwUAA4ICAQB+mPRL -LuGIjuF6HI7immtVTqB0Yx2qPGP7oeTlFlPg26eN4wgbIIJng1OECZzJDafc6SJR -6lRwFTLaEYRrJpQgHZkRKh+sljU8dTCuTneDlQC0Fie9lqUXUWlKlkB40J+7Qh3W -qsr+zJZT443uchXb1BIvmBoHfO+nUcid0sHLunZPIpVz/1L+PvUcm8viNj69KKzQ -9fHpoLtEYPaikIgpedVudPFcq9gZX8AMvZSr8B8vMiuUgG1mnpcXe9LQiXNLBA0/ -zmnWE/WRKqB12Zi74L44QSp7yHi/ORid/GLiJLZ0SZuMHjzfU4HvM0p6g1mPLn7L -cDKq3KHosPdu7SgbGh/ZS7SQsSw6Ke8Cs03nGGzsck+phRmT2bAS2lLUF8tpRBdO -/gWx1/jnQu4F2KT3iTHxwd1YHCz/usi9Rvpz0dNa2OghN/0ZPRqsBrLL4Bjan2Fa -tlzp5x/NCwgfxKxWJogJUxLlQlRQeAzVYRGBpxrIOhwhfQV3ugyNKHdBW8j0amVy -Q7rWZy9+8u7dNo97qsz/9BF01SRdMWwTyvc63TW1jFuPvKc9sf0UOClYsEdT9mW3 -/ZOhXV67rbDNKsIaeQV1r87+QyXm1Kn6AbbKwLYspx+xKRq9ttAbxwsqEWUYa7Of -yGE1qXsILVs9ASYUiVzhE0PRXb3HOnY2ohBmGA== ------END CERTIFICATE----- From e0e1bdf287036a6636cf917313471e412a99aa30 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Thu, 18 Apr 2024 11:49:21 +0200 Subject: [PATCH 24/29] Add files via upload --- v3/lints/rfc/lint_crl_missing_crl_number.go | 62 +++++++++++++++++++ .../rfc/lint_crl_missing_crl_number_test.go | 40 ++++++++++++ 2 files changed, 102 insertions(+) create mode 100644 v3/lints/rfc/lint_crl_missing_crl_number.go create mode 100644 v3/lints/rfc/lint_crl_missing_crl_number_test.go 
diff --git a/v3/lints/rfc/lint_crl_missing_crl_number.go b/v3/lints/rfc/lint_crl_missing_crl_number.go
new file mode 100644
index 000000000..cbe28b232
--- /dev/null
+++ b/v3/lints/rfc/lint_crl_missing_crl_number.go
@@ -0,0 +1,62 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_missing_crl_number",
+ Description: "CRL issuers conforming to this profile MUST include this extension in all CRLs",
+ Citation: "RFC5280 ยง5.2.3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewMissingCRLNumber,
+ })
+}
+
+type missingCRLNumber struct{}
+
+func NewMissingCRLNumber() lint.RevocationListLintInterface {
+ return &missingCRLNumber{}
+}
+
+func (l *missingCRLNumber) CheckApplies(c *x509.RevocationList) bool {
+ return true
+}
+
+func (l *missingCRLNumber) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, e := range c.Extensions {
+ if e.Id.Equal(util.CRLNumberOID) {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+ }
+
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "This CRL lacks the mandatory CRL Number extension",
+ }
+}
diff --git a/v3/lints/rfc/lint_crl_missing_crl_number_test.go b/v3/lints/rfc/lint_crl_missing_crl_number_test.go
new file mode 100644
index 000000000..3c3a25fe2
--- /dev/null
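Review bot: The `Description` in the `init()` metadata says "this extension" without naming it, so the registered lint does not tell an operator which extension is required; `Description: "CRL issuers conforming to this profile MUST include the CRL Number extension in all CRLs",` reads on its own. `Execute` only tests whether an extension with `util.CRLNumberOID` is present, so a CRL Number that is marked critical or whose value is malformed still returns `lint.Pass`; given the lint name that looks intentional, and a comment above `Execute` such as `// Execute checks presence only; criticality and value encoding are left to other lints.` would stop readers from assuming more. The `Citation` literal renders on this page as `ยง5.2.3`, which may be an encoding artefact of the page; it is worth confirming the file itself holds `§`.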
+++ b/v3/lints/rfc/lint_crl_missing_crl_number_test.go
@@ -0,0 +1,40 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package rfc
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestMissingCRLNumberOK(t *testing.T) {
+ inputPath := "crl_missing_crl_number_ok.pem"
+ expected := lint.Pass
+ out := test.TestRevocationListLint(t, "e_crl_missing_crl_number", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestMissingCRLNumberKO(t *testing.T) {
+ inputPath := "crl_missing_crl_number_ko.pem"
+ expected := lint.Error
+ out := test.TestRevocationListLint(t, "e_crl_missing_crl_number", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
From 86ef81d36c019b9f3012fc2ddae5bc8d116ec249 Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Thu, 18 Apr 2024 11:50:08 +0200
Subject: [PATCH 25/29] Add files via upload
---
 v3/util/oid.go | 65 ++++++++++++++++++++++----------------------------
 1 file changed, 28 insertions(+), 37 deletions(-)
diff --git a/v3/util/oid.go b/v3/util/oid.go
index 5ded05d68..3e25acc09 100644
--- a/v3/util/oid.go
+++ b/v3/util/oid.go
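Review bot: The two tests cover a CRL with the CRL Number and one without it, but no case exercises a CRL that has no extensions at all, which is the empty-`c.Extensions` path of `Execute`. The `_ko` fixture added in PATCH 26/29 appears to still carry an Authority Key Identifier extension, so that path is only reached by inference. A third test of the same shape, `out := test.TestRevocationListLint(t, "e_crl_missing_crl_number", "<fixture-without-extensions>.pem")` expecting `lint.Error`, would pin it; the fixture name here is a placeholder.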
@@ -24,35 +24,34 @@ import ( var ( //extension OIDs - AdobeTimeStampOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension - AdobeArchiveRevInfoOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension - AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access - AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier - BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints - CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies - CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points - CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison - EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax - FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL - InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy - IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name - KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage - LegalEntityIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 1} // Legal Entity Identifier - LegalEntityIdentifierRoleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 2} // Legal Entity Identifier Role - LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext - NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints - OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check - PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints - PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings - PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period - QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements - TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 
4, 2} // Signed Certificate Timestamp List - SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities - SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name - SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes - SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax - SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier - ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code + AdobeTimeStampOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension + AdobeArchiveRevInfoOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension + AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access + AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier + BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints + CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies + CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points + CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison + EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax + FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL + InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy + IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name + KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage + LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext + NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints + OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check + PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints + 
PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings + PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period + QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements + TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List + SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities + SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name + SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes + SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax + SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier + ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code + CRLNumberOID = asn1.ObjectIdentifier{2, 5, 29, 20} // CRL Number // CA/B reserved policies BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated @@ -160,14 +159,6 @@ func TypeInName(name *pkix.Name, oid asn1.ObjectIdentifier) bool { return false } -func GetTypesInName(name *pkix.Name) []asn1.ObjectIdentifier { - types := make([]asn1.ObjectIdentifier, 0) - for _, name := range name.Names { - types = append(types, name.Type) - } - return types -} - // helper function to parse policyMapping extensions, returns slices of CertPolicyIds separated by domain func GetMappedPolicies(polMap *pkix.Extension) ([][2]asn1.ObjectIdentifier, error) { if polMap == nil { From 2c70763b4ed3003a117a0f6c402428695f7d89b9 Mon Sep 17 00:00:00 2001 
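Review bot: Besides adding `CRLNumberOID`, the `@@ -24,35 +24,34 @@` hunk drops `LegalEntityIdentifierOID` and `LegalEntityIdentifierRoleOID`, and the `@@ -160,14 +159,6 @@` hunk deletes `GetTypesInName`; the commit message ("Add files via upload") explains none of this, and it looks like an older copy of the file uploaded over a newer one. PATCH 27/29 and 28/29 on this page restore the removed names and re-add the OID, but PATCH 24/29 already references `util.CRLNumberOID`, so several intermediate commits would presumably not build. Squashing 25, 27 and 28 into the single added line `CRLNumberOID = asn1.ObjectIdentifier{2, 5, 29, 20} // CRL Number`, ordered before the lint commit, keeps the history bisectable. The `var (` block and `TypeInName` both start outside these hunks.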
From: Adriano Santoni Date: Thu, 18 Apr 2024 11:51:23 +0200 Subject: [PATCH 26/29] Add files via upload --- v3/testdata/crl_missing_crl_number_ko.pem | 12 ++++++++++++ v3/testdata/crl_missing_crl_number_ok.pem | 13 +++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 v3/testdata/crl_missing_crl_number_ko.pem create mode 100644 v3/testdata/crl_missing_crl_number_ok.pem diff --git a/v3/testdata/crl_missing_crl_number_ko.pem b/v3/testdata/crl_missing_crl_number_ko.pem new file mode 100644 index 000000000..a76a04b80 --- /dev/null +++ b/v3/testdata/crl_missing_crl_number_ko.pem @@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIBojCBiwIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJFVTEQMA4GA1UE +ChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBDQSBmb3IgemxpbnQgdGVzdGluZxcN +MjQwNDE4MDcyMDM0WhcNMjQwNDE5MDcyMDM0WqAUMBIwEAYDVR0jBAkwB4AFAQID +BAUwDQYJKoZIhvcNAQELBQADggEBAItG2rOL7KnlKCOnEwZh1DUMGb1R9MGamQse +Yz+XLuP6MOAVlZno/61Jjea4uKQWSPdTX6jE7BTW67CFFlnFLQLu7PODd6pSvqRo +hvw4LrI5y/+FeIqkwGNxQKyxYUdLfC8ybouKgQF4S0l31oAeW61fQ4QVh2bNU4y7 +EdgODmwnsIjhaCOSVh25CnEG4V/XdbZQhQjl/S/C6Emd2tFHjyRdxAk+dEdJhAJV +4p6PFGXlapyEjb+lTSTy/Tub4hrVEJiQsVgLXSsZRZBBrtRow68SSwCyEzLD6OZt +fjVl4W3Tkio7dudTEHvlLSmoXB7SFVIRZ79KChryyPorrjijRNA= +-----END X509 CRL----- + diff --git a/v3/testdata/crl_missing_crl_number_ok.pem b/v3/testdata/crl_missing_crl_number_ok.pem new file mode 100644 index 000000000..b07707155 --- /dev/null +++ b/v3/testdata/crl_missing_crl_number_ok.pem 
@@ -0,0 +1,13 @@ +-----BEGIN X509 CRL----- +MIIBrzCBmAIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJFVTEQMA4GA1UE +ChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBDQSBmb3IgemxpbnQgdGVzdGluZxcN +MjQwNDE4MDcxOTA5WhcNMjQwNDE5MDcxOTA5WqAhMB8wEAYDVR0jBAkwB4AFAQID +BAUwCwYDVR0UBAQCAhI0MA0GCSqGSIb3DQEBCwUAA4IBAQBKeHtcc4thnELs6EiQ +Cm/BvDmbz6k4F0jBEV/vMbSomp0+lrM8mJDpyos/cU+Ug8EWgS2/789ujm+aHPEJ +84A66/lmg77/iJZFwTtgOURSBbMmaEeFLpZy1ZJRbGOgn2c1SxHcd7m4Hb1BfTe1 +yCFanjwX6aB7RWDXFKlpZ77VGvLTqX36MbEWaiifMdmrH+wQ22njDi9PT0qMScNv +2vZ4s4f9tjQLxWnr+mqeeZhU4wa0uv98SWzoSzx+0gdLsPeYyw7ethYonPu9kNsM +6DEBZ6i1QjzilR8aIYKZ3JOB4PY7McMjI9iJIJp71hoXAZsiFbhKeydq+VppBzxf +BquN +-----END X509 CRL----- + From 782ea669dedbec3d8c0f54dd50dc243a009a0be6 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Thu, 18 Apr 2024 11:54:40 +0200 Subject: [PATCH 27/29] Add files via upload --- v3/util/oid.go | 65 ++++++++++++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 28 deletions(-) diff --git a/v3/util/oid.go b/v3/util/oid.go index 3e25acc09..5ded05d68 100644 --- a/v3/util/oid.go +++ b/v3/util/oid.go 
@@ -24,34 +24,35 @@ import ( var ( //extension OIDs - AdobeTimeStampOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension - AdobeArchiveRevInfoOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension - AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access - AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier - BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints - CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies - CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points - CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison - EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax - FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL - InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy - IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name - KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage - LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext - NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints - OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check - PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints - PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings - PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period - QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements - TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List - SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities - SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name - 
SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes - SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax - SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier - ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code - CRLNumberOID = asn1.ObjectIdentifier{2, 5, 29, 20} // CRL Number + AdobeTimeStampOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension + AdobeArchiveRevInfoOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension + AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access + AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier + BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints + CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies + CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points + CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison + EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax + FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL + InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy + IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name + KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage + LegalEntityIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 1} // Legal Entity Identifier + LegalEntityIdentifierRoleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 2} // Legal Entity Identifier Role + LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext + NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints + OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check + 
PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints + PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings + PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period + QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements + TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List + SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities + SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name + SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes + SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax + SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier + ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code // CA/B reserved policies BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated @@ -159,6 +160,14 @@ func TypeInName(name *pkix.Name, oid asn1.ObjectIdentifier) bool { return false } +func GetTypesInName(name *pkix.Name) []asn1.ObjectIdentifier { + types := make([]asn1.ObjectIdentifier, 0) + for _, name := range name.Names { + types = append(types, name.Type) + } + return types +} + // helper function to parse policyMapping extensions, returns slices of CertPolicyIds separated by domain func GetMappedPolicies(polMap *pkix.Extension) ([][2]asn1.ObjectIdentifier, error) { if polMap == nil { From 14203a3ee75f2615662e6c41f0100bd305d16f23 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Thu, 18 Apr 2024 11:58:22 +0200 Subject: [PATCH 28/29] Update oid.go Add OID for CRL Number --- v3/util/oid.go | 1 + 1 file changed, 1 insertion(+) 
diff --git a/v3/util/oid.go b/v3/util/oid.go index 5ded05d68..f7833bad2 100644 --- a/v3/util/oid.go +++ b/v3/util/oid.go @@ -53,6 +53,7 @@ var ( SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code + CRLNumberOID = asn1.ObjectIdentifier{2, 5, 29, 20} // CRL Number // CA/B reserved policies BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated From 281aebacb50bcf76e8c7b77251cd3784e8849236 Mon Sep 17 00:00:00 2001 From: Christopher Henderson Date: Sun, 28 Apr 2024 11:21:22 -0700 Subject: [PATCH 29/29] Update v3/util/oid.go --- v3/util/oid.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v3/util/oid.go b/v3/util/oid.go index d3472ffcf..ec81a9041 100644 --- a/v3/util/oid.go +++ b/v3/util/oid.go @@ -53,7 +53,7 @@ var ( SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code - CRLNumberOID = asn1.ObjectIdentifier{2, 5, 29, 20} // CRL Number + CRLNumberOID = asn1.ObjectIdentifier{2, 5, 29, 20} // CRL Number // Extended Key Usage OIDs PreCertificateSigningCertificateEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4} // CA/B Reserved Certificate Policy Identifiers