diff --git a/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go b/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go
new file mode 100644
index 000000000..08bd9d233
--- /dev/null
+++ b/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go
@@ -0,0 +1,78 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+ "net/url"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type bRAIACAIssuersHasHTTPOnly struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+id-ad-caIssuers
+1.3.6.1.5.5.7.48.2 uniformResourceIdentifier SHOULD A HTTP URL of the
+Issuing CA’s certificate
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_aia_ca_issuers_must_have_http_only",
+ Description: "The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowed.",
+ Citation: "BRs: 7.1.2.7.7",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewBRAIACAIssuersHasHTTPOnly,
+ })
+}
+
+func NewBRAIACAIssuersHasHTTPOnly() lint.LintInterface {
+ return &bRAIACAIssuersHasHTTPOnly{}
+}
+
+func (l *bRAIACAIssuersHasHTTPOnly) CheckApplies(c *x509.Certificate) bool {
+ return len(c.IssuingCertificateURL) > 0 && util.IsSubscriberCert(c)
+}
+
+func (l *bRAIACAIssuersHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, u := range c.IssuingCertificateURL {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error, Details: "Could not parse caIssuers in AIA."}
+ }
+ if purl.Scheme != "http" {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in caIssuers of AIA, which is not allowed.", purl.Scheme)}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only_test.go b/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only_test.go
new file mode 100644
index 000000000..d91ed89b0
--- /dev/null
+++ b/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only_test.go
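Review bot: An accessLocation with no scheme at all (a bare host/path string, which url.Parse accepts with Scheme == "") reaches the `purl.Scheme != "http"` branch in Execute and yields the Details text `Found scheme  in caIssuers of AIA, which is not allowed.` with an empty slot, so the verdict is right but the message does not say what was found. Either format the scheme with `%q` (which would also change the ExpectedDetails strings in the companion test file) or guard the empty case first: `if purl.Scheme == "" { return &lint.LintResult{Status: lint.Error, Details: "caIssuers URI in AIA has no scheme."} }`. This assumes zcrypto stores the raw uniformResourceIdentifier string in IssuingCertificateURL, which looks to be the case but is worth confirming. Separately, the quoted 7.1.2.7.7 table row is a SHOULD while the lint is registered at Error severity; if the Error level rests on other BR text, a one-line comment above the type naming it would save the next reader the same question. The exported constructor NewBRAIACAIssuersHasHTTPOnly also lacks the conventional `// NewBRAIACAIssuersHasHTTPOnly returns a new instance of the lint.` doc comment.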
@@ -0,0 +1,92 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestBRAIACAIssuersHasHTTPOnly(t *testing.T) {
+ testCases := []struct {
+ Name string
+ InputFilename string
+
+ ExpectedResult lint.LintStatus
+ ExpectedDetails string
+ }{
+ {
+ Name: "error - AIA has an FTP URI for id-ad-caIssuers accessMethod.",
+ InputFilename: "aiaCaIssuersFTPOnly.pem",
+
+ ExpectedResult: lint.Error,
+ ExpectedDetails: "Found scheme ftp in caIssuers of AIA, which is not allowed.",
+ },
+ {
+ Name: "error - AIA has an HTTP and an LDAP URI for id-ad-caIssuers accessMethod.",
+ InputFilename: "aiaCaIssuersHTTPAndLDAP.pem",
+
+ ExpectedResult: lint.Error,
+ ExpectedDetails: "Found scheme ldap in caIssuers of AIA, which is not allowed.",
+ },
+ {
+ Name: "pass - AIA has only one HTTP URI for id-ad-caIssuers accessMethod.",
+ InputFilename: "aiaCaIssuersHTTPOnly.pem",
+
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "error - AIA has only one HTTPS URI for id-ad-caIssuers accessMethod.",
+ InputFilename: "aiaCaIssuersHttpsOnly.pem",
+
+ ExpectedResult: lint.Error,
+ ExpectedDetails: "Found scheme https in caIssuers of AIA, which is not allowed.",
+ },
+ {
+ Name: "NE - AIA has only one HTTP URI for id-ad-caIssuers accessMethod and it is issued before September 15th 2023.",
+ InputFilename: "aiaCaIssuersHttpOnlyNE.pem",
+
+ ExpectedResult: lint.NE,
+ },
+ {
+ Name: "NA - AIA has only an id-ad-ocsp accessMethod.",
+ InputFilename: "aiaCaIssuersHttpOnlyNoCAIssuers.pem",
+
+ ExpectedResult: lint.NA,
+ },
+ {
+ Name: "error - AIA has an LDAP URI for id-ad-caIssuers accessMethod.",
+ InputFilename: "aiaCaIssuersLDAPOnly.pem",
+
+ ExpectedResult: lint.Error,
+ ExpectedDetails: "Found scheme ldap in caIssuers of AIA, which is not allowed.",
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.Name, func(t *testing.T) {
+ result := test.TestLint("e_aia_ca_issuers_must_have_http_only", tc.InputFilename)
+ if result.Status != tc.ExpectedResult {
+ t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status)
+ }
+
+ if tc.ExpectedResult == lint.Error && tc.ExpectedDetails != result.Details {
+ t.Errorf("expected details: %q, was %q", tc.ExpectedDetails, result.Details)
+ }
+ })
+ }
+}
diff --git a/v3/testdata/aiaCaIssuersFTPOnly.pem b/v3/testdata/aiaCaIssuersFTPOnly.pem
new file mode 100644
index 000000000..6e8e5017c
--- /dev/null
+++ b/v3/testdata/aiaCaIssuersFTPOnly.pem
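Review bot: The parse-error branch of Execute (`Could not parse caIssuers in AIA.`) is not exercised by any case in this table; every fixture added in this commit carries a well-formed ftp/http/https/ldap URI, so a regression in that branch would go unnoticed. A fixture whose caIssuers accessLocation fails url.Parse (for example one containing an invalid percent-escape) with `ExpectedResult: lint.Error` and the matching `ExpectedDetails` would close that gap, and a CA certificate carrying a caIssuers entry would cover the `util.IsSubscriberCert` half of CheckApplies, which the present NA case (OCSP-only AIA) short-circuits before reaching. Note also that ExpectedDetails is only compared when ExpectedResult is lint.Error, so a Pass/NE/NA case that unexpectedly carried Details would not be flagged; that is acceptable here but deserves a comment on that `if`, such as `// Details are only asserted for Error results; Pass/NE/NA carry none.`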
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a4:f4:6d:4f:10:ca:7e:ef:f9:e3:c0:85 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:8f:74:a1:d5:84:f6:c9:04:2a:ef:8d:3a:91:9c: + 35:d7:17:7a:ac:99:09:31:97:93:42:41:d2:81:51: + ff:59:82:62:7c:8e:30:b8:ec:52:a5:c3:6e:bf:73: + 22:b7:01:22:1b:da:cb:8b:0a:7c:ab:35:ab:6a:b6: + 81:8f:0c:33:de + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + CA Issuers - URI:ftp://issuers.example.com/ + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:a5:9f:fc:9d:ed:7f:10:2d:5f:ea:c2:ee:f9: + 92:62:56:52:63:fe:f3:12:27:5f:1d:81:e0:01:c3:dc:aa:bd: + 2e:02:21:00:db:a7:aa:01:00:8d:53:c4:5f:d5:46:b2:42:31: + 87:03:77:f5:ad:83:49:e2:31:38:58:7d:8e:d9:03:d0:11:34 +-----BEGIN CERTIFICATE----- +MIIBeTCCAR6gAwIBAgINAKT0bU8Qyn7v+ePAhTAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5 +MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAASPdKHVhPbJBCrvjTqRnDXXF3qsmQkxl5NCQdKBUf9ZgmJ8jjC47FKlw26/ +cyK3ASIb2suLCnyrNatqtoGPDDPeo08wTTATBgNVHSAEDDAKMAgGBmeBDAECATA2 +BggrBgEFBQcBAQQqMCgwJgYIKwYBBQUHMAKGGmZ0cDovL2lzc3VlcnMuZXhhbXBs +ZS5jb20vMAoGCCqGSM49BAMCA0kAMEYCIQCln/yd7X8QLV/qwu75kmJWUmP+8xIn +Xx2B4AHD3Kq9LgIhANunqgEAjVPEX9VGskIxhwN39a2DSeIxOFh9jtkD0BE0 +-----END CERTIFICATE----- diff --git a/v3/testdata/aiaCaIssuersHTTPAndLDAP.pem b/v3/testdata/aiaCaIssuersHTTPAndLDAP.pem new file mode 100644 index 000000000..ec823fd0d --- /dev/null +++ b/v3/testdata/aiaCaIssuersHTTPAndLDAP.pem 
@@ -0,0 +1,46 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + cf:1d:3e:98:ec:3f:f1:df:cf:85:a6:75 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:ae:5e:8e:a1:a7:00:e1:75:66:4f:b8:b0:35:70: + 2c:cb:6e:fb:83:fc:9c:f8:7b:67:cf:2d:71:e3:2d: + f2:1f:30:ea:ef:63:09:8b:ee:df:f2:ae:54:2d:5f: + 9d:47:17:4d:09:2f:6e:bb:d2:5f:0a:f8:83:26:6c: + df:4f:6e:f3:39 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + CA Issuers - URI:http://issuers.example.com/ca + CA Issuers - URI:ldap://issuers.example.com/ + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:28:e6:e6:7c:c9:b7:6a:af:ba:ae:ab:d3:39:39: + 48:2d:da:d4:a9:79:b0:e1:51:bf:10:70:6b:2b:90:4e:fd:db: + 02:21:00:9e:0d:0e:42:a1:19:38:e9:b8:72:e5:c2:25:bc:fd: + ef:15:93:65:20:f9:75:3f:41:8f:2b:ad:77:52:70:e7:6d +-----BEGIN CERTIFICATE----- +MIIBpDCCAUqgAwIBAgINAM8dPpjsP/Hfz4WmdTAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5 +MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAASuXo6hpwDhdWZPuLA1cCzLbvuD/Jz4e2fPLXHjLfIfMOrvYwmL7t/yrlQt +X51HF00JL2670l8K+IMmbN9PbvM5o3sweTATBgNVHSAEDDAKMAgGBmeBDAECATBi +BggrBgEFBQcBAQRWMFQwKQYIKwYBBQUHMAKGHWh0dHA6Ly9pc3N1ZXJzLmV4YW1w +bGUuY29tL2NhMCcGCCsGAQUFBzAChhtsZGFwOi8vaXNzdWVycy5leGFtcGxlLmNv +bS8wCgYIKoZIzj0EAwIDSAAwRQIgKObmfMm3aq+6rqvTOTlILdrUqXmw4VG/EHBr +K5BO/dsCIQCeDQ5CoRk46bhy5cIlvP3vFZNlIPl1P0GPK613UnDnbQ== +-----END CERTIFICATE----- diff --git a/v3/testdata/aiaCaIssuersHTTPOnly.pem b/v3/testdata/aiaCaIssuersHTTPOnly.pem new file mode 100644 index 000000000..7e82231cc --- /dev/null +++ b/v3/testdata/aiaCaIssuersHTTPOnly.pem 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + e6:d6:fc:e0:b2:b6:a4:38:42:83:b0:2c + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:bf:30:2a:6f:9d:8c:bf:17:ce:e6:b5:6c:a6:2a: + a0:44:c8:22:62:09:d2:0f:b3:48:70:e3:b8:8a:f3: + 75:78:4b:4f:b6:ae:31:13:3e:e3:27:3f:2b:7c:89: + 61:cb:07:eb:3d:99:30:15:36:e9:2f:ba:92:0b:ef: + ee:07:d2:63:90 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + CA Issuers - URI:http://ocsp.example.com/ocsp + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:a0:69:ca:bb:32:bd:b4:49:4a:e1:81:93:25: + 38:34:34:77:8a:bf:d8:5e:08:af:8a:f6:f3:66:b3:a9:e2:76: + fa:02:20:33:35:c3:07:ec:11:92:9a:02:a0:cb:7b:11:a0:84: + e6:28:1d:0d:6c:f7:09:d8:76:a5:e1:09:36:e9:48:de:b2 +-----BEGIN CERTIFICATE----- +MIIBejCCASCgAwIBAgINAObW/OCytqQ4QoOwLDAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5 +MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAAS/MCpvnYy/F87mtWymKqBEyCJiCdIPs0hw47iK83V4S0+2rjETPuMnPyt8 +iWHLB+s9mTAVNukvupIL7+4H0mOQo1EwTzATBgNVHSAEDDAKMAgGBmeBDAECATA4 +BggrBgEFBQcBAQQsMCowKAYIKwYBBQUHMAKGHGh0dHA6Ly9vY3NwLmV4YW1wbGUu +Y29tL29jc3AwCgYIKoZIzj0EAwIDSAAwRQIhAKBpyrsyvbRJSuGBkyU4NDR3ir/Y +XgivivbzZrOp4nb6AiAzNcMH7BGSmgKgy3sRoITmKB0NbPcJ2Hal4Qk26Ujesg== +-----END CERTIFICATE----- diff --git a/v3/testdata/aiaCaIssuersHttpOnlyNE.pem b/v3/testdata/aiaCaIssuersHttpOnlyNE.pem new file mode 100644 index 000000000..6c19957a7 --- /dev/null +++ b/v3/testdata/aiaCaIssuersHttpOnlyNE.pem 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ba:05:bc:a4:0a:2a:63:34:48:e4:43:32 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 14 23:59:59 2023 GMT + Not After : Sep 14 23:59:59 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:b5:35:3a:dd:12:97:00:f4:d2:59:df:2f:8b:50: + 92:a2:b8:e8:1c:a7:0b:cb:c0:b1:fd:0b:28:af:9c: + aa:a0:84:14:5a:b0:fb:d0:f2:19:ff:46:73:0d:48: + a6:e8:c8:f0:11:f1:df:61:46:f6:e0:26:f9:c4:1a: + d6:e7:82:2e:24 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + CA Issuers - URI:http://issuers.example.com/ + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:1e:a4:c4:b3:68:4c:fd:e4:13:c2:c6:35:d0:49: + cd:9f:70:22:af:79:02:c5:58:a0:f1:fa:ba:e8:3b:4c:2d:09: + 02:20:4c:52:61:be:dc:ad:61:f1:98:08:0f:d4:40:0a:9a:b3: + ba:80:c6:8d:4d:1d:0b:8e:39:79:a7:b9:b9:9d:c2:c6 +-----BEGIN CERTIFICATE----- +MIIBeDCCAR+gAwIBAgINALoFvKQKKmM0SORDMjAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5 +MTQyMzU5NTlaFw0yNDA5MTQyMzU5NTlaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAAS1NTrdEpcA9NJZ3y+LUJKiuOgcpwvLwLH9CyivnKqghBRasPvQ8hn/RnMN +SKboyPAR8d9hRvbgJvnEGtbngi4ko1AwTjATBgNVHSAEDDAKMAgGBmeBDAECATA3 +BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUHMAKGG2h0dHA6Ly9pc3N1ZXJzLmV4YW1w +bGUuY29tLzAKBggqhkjOPQQDAgNHADBEAiAepMSzaEz95BPCxjXQSc2fcCKveQLF +WKDx+rroO0wtCQIgTFJhvtytYfGYCA/UQAqas7qAxo1NHQuOOXmnubmdwsY= +-----END CERTIFICATE----- diff --git a/v3/testdata/aiaCaIssuersHttpOnlyNoCAIssuers.pem b/v3/testdata/aiaCaIssuersHttpOnlyNoCAIssuers.pem new file mode 100644 index 000000000..8305f3703 --- /dev/null +++ b/v3/testdata/aiaCaIssuersHttpOnlyNoCAIssuers.pem 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + af:a9:43:14:a9:7a:a0:5d:2c:45:49:7b + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:3c:16:95:eb:6d:bc:30:86:2f:16:32:94:43:d3: + fc:44:d9:b9:29:83:d1:7c:e3:58:b4:4b:80:bf:98: + 79:e2:51:cc:3f:c0:55:c7:8b:da:d3:0d:a5:da:6e: + 42:75:12:aa:56:65:e9:d0:00:dc:f4:94:34:b4:33: + ee:ef:3f:45:70 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + OCSP - URI:http://ocsp.example.com/ocsp + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:70:53:45:99:31:5a:4f:bd:2e:28:59:7e:6b:e5: + e0:a7:eb:bc:ef:ac:51:eb:e7:e9:c3:58:65:4b:42:14:a5:85: + 02:21:00:fd:b4:78:6d:7f:05:6d:04:b4:ba:b9:53:5b:ef:74: + ea:4b:8e:75:56:fc:e0:fb:ec:59:fe:1e:7c:c5:43:2c:1c +-----BEGIN CERTIFICATE----- +MIIBejCCASCgAwIBAgINAK+pQxSpeqBdLEVJezAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5 +MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAAQ8FpXrbbwwhi8WMpRD0/xE2bkpg9F841i0S4C/mHniUcw/wFXHi9rTDaXa +bkJ1EqpWZenQANz0lDS0M+7vP0Vwo1EwTzATBgNVHSAEDDAKMAgGBmeBDAECATA4 +BggrBgEFBQcBAQQsMCowKAYIKwYBBQUHMAGGHGh0dHA6Ly9vY3NwLmV4YW1wbGUu +Y29tL29jc3AwCgYIKoZIzj0EAwIDSAAwRQIgcFNFmTFaT70uKFl+a+Xgp+u876xR +6+fpw1hlS0IUpYUCIQD9tHhtfwVtBLS6uVNb73TqS451Vvzg++xZ/h58xUMsHA== +-----END CERTIFICATE----- diff --git a/v3/testdata/aiaCaIssuersHttpsOnly.pem b/v3/testdata/aiaCaIssuersHttpsOnly.pem new file mode 100644 index 000000000..8192ce4dc --- /dev/null +++ b/v3/testdata/aiaCaIssuersHttpsOnly.pem 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 22:a2:d6:ed:44:07:03:e0:95:5d:a5:d9 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:4d:4a:2c:bd:c5:a7:5c:8d:f0:51:f4:2e:97:09: + 03:09:7a:89:95:c1:6b:5a:f4:75:48:56:9d:81:47: + 7f:c1:db:7e:d1:21:af:d8:3c:13:60:67:dd:18:35: + 91:03:23:b2:46:ce:2e:1f:95:92:1d:a2:92:b5:24: + 35:3a:9c:70:76 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + CA Issuers - URI:https://ocsp.example.com/ocsp + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:1e:dd:1f:e3:b5:59:cc:fc:46:bd:de:f7:2a:e9: + c0:bc:f1:67:69:50:e0:45:48:42:13:d4:b4:01:c2:95:e4:e9: + 02:21:00:d8:bd:7e:2b:09:df:4c:dc:07:35:d0:67:d8:1c:9f: + 9a:d6:e3:27:26:c7:a1:5a:2d:c6:71:50:9a:c9:a4:87:40 +-----BEGIN CERTIFICATE----- +MIIBejCCASCgAwIBAgIMIqLW7UQHA+CVXaXZMAoGCCqGSM49BAMCMC4xEDAOBgNV +BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkx +NTAwMDAwMFoXDTI0MDkxNTAwMDAwMFowADBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABE1KLL3Fp1yN8FH0LpcJAwl6iZXBa1r0dUhWnYFHf8HbftEhr9g8E2Bn3Rg1 +kQMjskbOLh+Vkh2ikrUkNTqccHajUjBQMBMGA1UdIAQMMAowCAYGZ4EMAQIBMDkG +CCsGAQUFBwEBBC0wKzApBggrBgEFBQcwAoYdaHR0cHM6Ly9vY3NwLmV4YW1wbGUu +Y29tL29jc3AwCgYIKoZIzj0EAwIDSAAwRQIgHt0f47VZzPxGvd73KunAvPFnaVDg +RUhCE9S0AcKV5OkCIQDYvX4rCd9M3Ac10GfYHJ+a1uMnJsehWi3GcVCayaSHQA== +-----END CERTIFICATE----- diff --git a/v3/testdata/aiaCaIssuersLDAPOnly.pem b/v3/testdata/aiaCaIssuersLDAPOnly.pem new file mode 100644 index 000000000..88d0d2ee1 --- /dev/null +++ b/v3/testdata/aiaCaIssuersLDAPOnly.pem 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 80:e9:dd:3c:87:d9:98:3c:c4:a9:2c:93 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Sep 15 00:00:00 2023 GMT + Not After : Sep 15 00:00:00 2024 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:cd:10:7a:c7:20:48:b9:65:d6:f6:55:ce:b8:3a: + 91:e8:85:a2:9b:9e:3e:64:70:8f:ed:1e:94:b1:fc: + e7:81:4e:b9:fb:2d:34:39:79:84:b7:e0:c4:09:cc: + 1b:a8:53:5d:fc:86:19:aa:fd:58:5c:b9:4c:f8:f2: + e8:dc:86:5e:f2 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Authority Information Access: + CA Issuers - URI:ldap://issuers.example.com/ + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:16:b1:c7:79:88:ef:15:cb:e6:08:de:96:d3:8d: + 2f:ff:ea:04:af:2d:da:1d:b6:2a:f0:71:55:c1:69:fa:f0:63: + 02:20:11:08:6e:f8:29:d6:69:9e:91:22:80:60:fc:b6:49:51: + 57:ee:0d:2e:fc:04:bd:16:a8:95:62:18:42:c0:ca:b7 +-----BEGIN CERTIFICATE----- +MIIBeDCCAR+gAwIBAgINAIDp3TyH2Zg8xKkskzAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5 +MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAATNEHrHIEi5Zdb2Vc64OpHohaKbnj5kcI/tHpSx/OeBTrn7LTQ5eYS34MQJ +zBuoU138hhmq/VhcuUz48ujchl7yo1AwTjATBgNVHSAEDDAKMAgGBmeBDAECATA3 +BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUHMAKGG2xkYXA6Ly9pc3N1ZXJzLmV4YW1w +bGUuY29tLzAKBggqhkjOPQQDAgNHADBEAiAWscd5iO8Vy+YI3pbTjS//6gSvLdod +tirwcVXBafrwYwIgEQhu+CnWaZ6RIoBg/LZJUVfuDS78BL0WqJViGELAyrc= +-----END CERTIFICATE-----