diff --git a/v3/integration/config.json b/v3/integration/config.json
index c6a4baee9..d2854202f 100644
--- a/v3/integration/config.json
+++ b/v3/integration/config.json
@@ -976,6 +976,9 @@
 },
 "e_subj_country_not_uppercase": {
 "ErrCount": 1303
+ },
+ "e_ev_extra_subject_attribs": {
+ "ErrCount": 63
 }
 }
 }
diff --git a/v3/lints/cabf_ev/lint_extra_subject_attribs.go b/v3/lints/cabf_ev/lint_extra_subject_attribs.go
new file mode 100644
index 000000000..1a161db2a
--- /dev/null
+++ b/v3/lints/cabf_ev/lint_extra_subject_attribs.go
@@ -0,0 +1,100 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package cabf_ev
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "crypto/x509/pkix"
+ "encoding/asn1"
+ "fmt"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ev_extra_subject_attribs",
+ Description: "CAs SHALL NOT include any Subject Distinguished Name attributes except as specified...",
+ Citation: "EVGs ยง7.1.4.2.9",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.SC16EffectiveDate,
+ },
+ Lint: NewExtraSubjectAttribs,
+ })
+}
+
+type extraSubjectAttribs struct{}
+
+func NewExtraSubjectAttribs() lint.LintInterface {
+ return &extraSubjectAttribs{}
+}
+
+func (l *extraSubjectAttribs) CheckApplies(c *x509.Certificate) bool {
+ return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
+}
+
+/*
+ * We also include the OU attribute here, even though it is now banned, because this lint
+ * deals with a more general requirement that came into force long before the OU ban,
+ * and there is already another lint that deals with the OU attribute specifically.
+ *
+ * The organizationIdentifier attribute is only permitted starting from 21-may-2019 (EVGL 1.7.0),
+ * which is slightly after SC16 came into force, however any certificates that contain this
+ * attribute and were issued before that date have long since expired, so it makes no difference.
+ */
+var allowedAttribs = map[string]bool{
+ "1.3.6.1.4.1.311.60.2.1.1": true, // joiLocalityName
+ "1.3.6.1.4.1.311.60.2.1.2": true, // joiStateOrProvinceName
+ "1.3.6.1.4.1.311.60.2.1.3": true, // joiCountryName
+ "2.5.4.3": true, // commonName
+ "2.5.4.5": true, // serialNumber
+ "2.5.4.6": true, // countryName
+ "2.5.4.7": true, // localityName
+ "2.5.4.8": true, // stateOrProvinceName
+ "2.5.4.9": true, // streetAddress
+ "2.5.4.10": true, // organizationName
+ "2.5.4.11": true, // organizationalUnitName
+ "2.5.4.15": true, // businessCategory
+ "2.5.4.17": true, // postalCode
+ "2.5.4.97": true, // organizationIdentifier
+}
+
+func (l *extraSubjectAttribs) Execute(c *x509.Certificate) *lint.LintResult {
+
+ var rdnSequence pkix.RDNSequence
+ _, err := asn1.Unmarshal(c.RawSubject, &rdnSequence)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Fatal}
+ }
+
+ for _, rdn := range rdnSequence {
+ for _, atv := range rdn {
+ if !allowedAttribs[atv.Type.String()] {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("Subject attribute %s is not allowed in EV certificates", atv.Type.String()),
+ }
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_ev/lint_extra_subject_attribs_test.go b/v3/lints/cabf_ev/lint_extra_subject_attribs_test.go
new file mode 100644
index 000000000..4b32a6354
--- /dev/null
+++ b/v3/lints/cabf_ev/lint_extra_subject_attribs_test.go
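Review bot: `Execute` discards the `rest` return of `asn1.Unmarshal` on `c.RawSubject`, so trailing bytes after the RDNSequence are silently accepted while every other decode problem is reported as `lint.Fatal`; use `rest, err := asn1.Unmarshal(c.RawSubject, &rdnSequence)` followed by `if err != nil || len(rest) != 0 { return &lint.LintResult{Status: lint.Fatal} }`. The loop also returns on the first disallowed attribute, so a Subject carrying several extra attributes reports only one OID per run; collecting all offending OIDs into `Details` (sketched below, which needs a `strings` import) gives a complete finding in one pass. The `Citation` string shows a mis-encoded section sign (`ยง`) on this page — if that is what is committed rather than `§`, it should be corrected. The stdlib imports are listed after the module imports; `goimports` ordering puts `crypto/x509/pkix`, `encoding/asn1` and `fmt` in the first group.
```go
	rest, err := asn1.Unmarshal(c.RawSubject, &rdnSequence)
	if err != nil || len(rest) != 0 {
		return &lint.LintResult{Status: lint.Fatal}
	}

	var extra []string
	for _, rdn := range rdnSequence {
		for _, atv := range rdn {
			if !allowedAttribs[atv.Type.String()] {
				extra = append(extra, atv.Type.String())
			}
		}
	}
	if len(extra) > 0 {
		return &lint.LintResult{
			Status:  lint.Error,
			Details: fmt.Sprintf("Subject attributes %s are not allowed in EV certificates", strings.Join(extra, ", ")),
		}
	}
	// … unchanged: Pass result …
```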
@@ -0,0 +1,73 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+/*
+ * Test cases
+ *
+ * File Description
+ * ------------------------ -------------
+ * extra_subj_attrs_na1.pem CA certificate
+ * extra_subj_attrs_na2.pem OV Subscriber certificate
+ * extra_subj_attrs_ok1.pem EV Subscriber certificate with valid Subject
+ * extra_subj_attrs_ne1.pem EV Subscriber certificate with invalid Subject, issued before effective date
+ * extra_subj_attrs_ko1.pem EV Subscriber certificate with invalid Subject, issued after effective date
+ *
+ */
+
+func TestExtraSubjectAttribs(t *testing.T) {
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+ data := []Data{
+ {
+ input: "extra_subj_attrs_na1.pem",
+ want: lint.NA,
+ },
+ {
+ input: "extra_subj_attrs_na2.pem",
+ want: lint.NA,
+ },
+ {
+ input: "extra_subj_attrs_ok1.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "extra_subj_attrs_ne1.pem",
+ want: lint.NE,
+ },
+ {
+ input: "extra_subj_attrs_ko1.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_ev_extra_subject_attribs", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
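Review bot: The `lint.Error` case asserts only `out.Status`, so the test never checks that `Details` names the offending attribute; the extra attribute in `extra_subj_attrs_ko1.pem` is postOfficeBox per the text dump in that file (OID 2.5.4.18), so adding `if testData.want == lint.Error && !strings.Contains(out.Details, "2.5.4.18") { t.Errorf("details %q do not name the extra attribute", out.Details) }` inside `t.Run` (with `strings` imported) would pin the reported OID. The table comment could also state which attribute makes the Subject invalid in the `ne1` and `ko1` cases (`postOfficeBox`), so a reader does not have to decode the PEM files to understand the expectations. The `testData := testData` copy is only needed on Go versions before 1.22; whether it is still required depends on the module's `go` directive, which is not part of this diff.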
diff --git a/v3/testdata/extra_subj_attrs_ko1.pem b/v3/testdata/extra_subj_attrs_ko1.pem
new file mode 100644
index 000000000..248994baf
--- /dev/null
+++ b/v3/testdata/extra_subj_attrs_ko1.pem
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2b:2a:cd:c0:f6:58:82:5b:9a:72:3c:9f:3b:39:6f:30 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jul 4 04:31:44 2024 GMT + Not After : Jul 4 04:31:44 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890, postOfficeBox = 12345 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a6:25:29:3d:58:9c:78:2b:98:c0:d0:b8:01:b6: + 4c:e7:1c:a4:9f:83:bb:91:1d:ad:48:08:6f:bd:23: + 19:ad:f8:ba:1b:16:bf:76:1e:07:78:d1:cd:8c:f5: + 84:ba:f5:94:fd:af:d3:cf:bf:3c:c6:4f:65:97:4a: + e7:ed:04:bb:a0:6c:b4:2a:e9:8e:2b:b8:9c:41:cb: + d2:b7:09:b6:0b:f4:2c:e1:cc:9a:38:0e:ba:47:59: + 94:28:fd:73:fc:1d:1b:f3:d8:ce:57:99:81:5b:9d: + d2:4b:19:ac:d5:7e:7c:84:62:ba:68:00:1c:a8:be: + f7:37:b0:61:ca:cc:a0:5f:52:15:b9:af:4e:e9:53: + 79:68:57:2c:cc:a2:ab:5d:8e:de:f9:4a:27:12:fe: + d7:63:53:54:7b:69:02:47:7b:35:cf:1f:b3:d7:59: + ab:54:48:48:f8:e9:c4:66:98:75:4a:1d:bb:47:66: + 93:e4:e7:28:b9:75:91:56:86:a1:ae:29:ca:92:72: + 96:4d:49:c0:43:ad:36:35:6d:db:4a:9f:8c:0f:de: + bb:68:6e:38:00:a0:e6:5c:5c:c5:2a:ba:93:1a:31: + 98:d6:90:44:21:5a:7f:09:41:db:15:85:0b:ae:77: + 84:f2:60:73:21:09:d8:0c:88:d9:09:5a:02:d2:05: + 42:f1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 0C:AC:27:F2:A5:94:5F:B4:9B:40:93:6B:79:E6:10:35:AE:F6:2D:CB + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 
Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 49:f5:b3:65:03:8b:cd:2b:25:83:7c:e3:9e:ed:47:fe:58:23: + 5f:a6:78:2f:e7:89:2e:f3:d3:0b:ba:7d:76:a0:5c:83:92:56: + 2c:9e:1b:80:c6:36:a8:90:5d:a7:99:f8:dd:d9:83:dc:dc:10: + bc:ca:a4:ed:c2:6d:8e:7f:35:63:0c:ba:37:cf:73:fc:44:d1: + 43:e0:ee:df:12:21:a9:2e:a4:b9:08:83:f8:88:b2:50:ad:a2: + 97:59:db:4f:64:79:70:c7:4b:3d:f4:bd:76:51:72:c4:91:28: + 4f:79:38:74:95:21:16:bb:23:b6:13:01:72:5b:2c:21:b7:ec: + a3:15:90:87:cd:8d:c3:99:0a:8a:db:ec:bd:0d:78:26:64:da: + 5b:94:b7:3e:f8:5c:52:3f:bd:94:ab:2a:9f:1d:9c:7e:d4:a5: + f7:99:56:81:c3:35:76:12:b1:8f:24:ff:73:75:b9:56:6e:17: + dc:db:4d:1d:d3:ed:3f:e6:70:2e:dd:a2:c6:cc:10:ed:5e:a1: + 5e:4d:f0:72:48:8e:65:66:53:4d:66:43:c6:00:00:03:e3:e9: + 57:9a:5a:dc:de:04:c0:c8:ee:19:75:ed:39:a7:ba:be:fc:fc: + d4:fd:2e:69:7c:df:a1:2f:31:3f:c3:2f:b4:c0:63:95:e6:b2: + c1:76:34:d2 +-----BEGIN CERTIFICATE----- +MIIEnTCCA4WgAwIBAgIQKyrNwPZYgluacjyfOzlvMDANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA3MDQwNDMxNDRaFw0yNTA3MDQwNDMx +NDRaMIGZMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcxEzARBgNVBAUTCjEyMzQ1Njc4OTAx +DjAMBgNVBBITBTEyMzQ1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +piUpPViceCuYwNC4AbZM5xykn4O7kR2tSAhvvSMZrfi6Gxa/dh4HeNHNjPWEuvWU +/a/Tz788xk9ll0rn7QS7oGy0KumOK7icQcvStwm2C/Qs4cyaOA66R1mUKP1z/B0b +89jOV5mBW53SSxms1X58hGK6aAAcqL73N7BhysygX1IVua9O6VN5aFcszKKrXY7e ++UonEv7XY1NUe2kCR3s1zx+z11mrVEhI+OnEZph1Sh27R2aT5OcouXWRVoahrinK +knKWTUnAQ602NW3bSp+MD967aG44AKDmXFzFKrqTGjGY1pBEIVp/CUHbFYULrneE +8mBzIQnYDIjZCVoC0gVC8QIDAQABo4IBNDCCATAwDgYDVR0PAQH/BAQDAgWgMB0G +A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUDKwn8qWUX7Sb 
+QJNreeYQNa72LcswHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYI +KwYBBQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5j +b20vb2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jv +b3QwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwEgYDVR0gBAswCTAHBgVngQwBATAt +BgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMA0G +CSqGSIb3DQEBCwUAA4IBAQBJ9bNlA4vNKyWDfOOe7Uf+WCNfpngv54ku89MLun12 +oFyDklYsnhuAxjaokF2nmfjd2YPc3BC8yqTtwm2OfzVjDLo3z3P8RNFD4O7fEiGp +LqS5CIP4iLJQraKXWdtPZHlwx0s99L12UXLEkShPeTh0lSEWuyO2EwFyWywht+yj +FZCHzY3DmQqK2+y9DXgmZNpblLc++FxSP72UqyqfHZx+1KX3mVaBwzV2ErGPJP9z +dblWbhfc200d0+0/5nAu3aLGzBDtXqFeTfBySI5lZlNNZkPGAAAD4+lXmlrc3gTA +yO4Zde05p7q+/PzU/S5pfN+hLzE/wy+0wGOV5rLBdjTS +-----END CERTIFICATE----- diff --git a/v3/testdata/extra_subj_attrs_na1.pem b/v3/testdata/extra_subj_attrs_na1.pem new file mode 100644 index 000000000..ad85cc30c --- /dev/null +++ b/v3/testdata/extra_subj_attrs_na1.pem 
@@ -0,0 +1,142 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 47:5f:5a:fe:a4:fd:5a:41:04:88:2e:04:af:dc:c2:f6 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Jul 4 04:19:44 2024 GMT + Not After : Jul 3 04:19:44 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:d3:0d:4b:35:d2:c9:64:51:1b:a4:09:f6:90:02: + 0c:b8:7a:68:d2:c7:85:4d:7b:3e:a4:3a:11:36:3c: + 01:41:c0:e3:78:48:aa:7d:e5:75:cb:6e:ae:22:b7: + 0e:81:a3:44:ff:62:22:5a:cf:d8:d6:c5:a6:9e:4d: + 8e:bc:34:23:9b:4a:4d:43:4d:37:bf:9b:6b:ad:25: + 52:07:20:2a:c9:50:e8:0a:0a:f7:7e:b0:30:71:8c: + 04:18:5c:17:d8:8c:94:52:39:6f:bc:14:3c:63:3e: + ef:de:f0:2f:c1:7f:25:83:48:fd:16:c6:0e:3d:bc: + c5:50:de:07:59:96:f5:a2:a7:a6:46:67:b6:1f:9a: + 79:97:1e:e1:9e:8f:2e:12:fc:49:7d:d3:41:e1:18: + 1d:26:2c:24:33:cd:2a:11:4c:d2:1c:1a:8b:9c:7b: + 4e:4b:46:96:ac:99:ce:5b:c4:1c:ed:00:f0:42:ee: + 4e:95:23:1e:4f:39:5f:bc:51:de:c0:10:a5:65:f1: + a7:3b:ad:98:02:76:2f:42:48:c0:00:d0:3b:40:b0: + 70:62:42:7c:bc:26:9b:65:1f:4e:47:1c:70:30:6a: + 5e:d0:f1:f8:17:6a:0c:c0:8e:50:f2:9f:3f:91:1a: + 00:37:92:8e:09:e8:21:6f:20:a5:f2:4a:c9:5d:43: + 0c:bc:91:9a:20:6d:c1:66:97:b7:7f:6f:34:6d:7d: + de:8c:f2:e2:50:46:13:19:d7:ec:2e:3c:19:15:12: + bc:36:35:46:68:38:91:8f:27:8b:42:fa:68:a1:23: + 03:c7:f6:2e:14:97:ac:e9:35:7f:6e:ad:b8:74:c6: + c1:1c:e4:c6:df:1d:56:28:a6:c1:e4:8f:61:6f:9c: + 38:7d:d7:a4:16:ca:fd:e3:c6:80:72:07:8b:35:1d: + 72:77:eb:a3:4e:ee:24:0e:9b:b8:e5:67:06:73:72: + d1:cc:b3:9c:a0:ed:77:0d:85:9b:26:91:3f:50:8c: + a0:53:86:ed:2a:e3:84:d0:24:ff:6b:af:68:92:dd: + 1d:e5:c7:ce:8a:8a:0f:87:4c:86:14:f3:4d:b1:d2: + e7:7f:1a:4d:52:d2:6a:ab:d4:95:e1:75:05:82:e3: + a3:4a:5c:fe:5f:c3:5e:19:93:7f:25:6e:64:44:72: + a5:6a:19:ee:74:43:ad:dc:27:ae:70:72:a7:2b:29: + 
01:7a:dd:33:b2:2d:d9:c5:42:7f:f4:86:91:2b:65: + 17:75:b8:90:ed:93:e3:aa:7d:48:dd:04:06:7f:86: + 52:04:29:69:ef:f6:9a:d8:43:ea:05:a3:ea:5a:69: + 1e:8d:2f:a3:05:a0:82:a8:60:ec:80:b6:9d:39:40: + b7:bb:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 64:3A:86:7F:DE:C9:23:B3:A6:E1:4B:32:BB:CF:9D:09:16:9D:9C:6F + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 14:aa:57:81:07:a3:8c:f9:8e:df:38:10:dc:75:bb:75:a1:61: + 88:0b:ae:1b:98:22:67:d4:f4:2d:2d:1f:76:ce:99:fb:f0:75: + d1:46:1d:39:7f:07:61:d5:89:23:e4:fb:9e:63:13:5b:cb:f8: + 0d:f9:13:5d:fb:d1:a0:25:cb:c8:70:d2:46:b5:16:a5:24:1f: + 68:d4:6e:c8:35:e0:eb:26:ae:35:d3:4d:0f:40:70:30:2a:7f: + 32:d2:10:fd:57:29:fc:15:4f:8a:62:f4:b0:6b:1b:9d:b9:32: + 75:cc:4d:f3:c5:cf:63:e9:cd:49:bb:17:83:c7:56:a1:dd:11: + 2a:91:b1:33:d9:e5:7d:d5:00:a1:f7:dd:e1:1b:2b:12:d9:a1: + 98:21:c3:05:62:30:b1:1d:26:16:76:f1:8e:02:b4:4c:f8:6d: + 14:aa:30:1b:4a:2e:78:c5:e5:12:48:64:65:12:22:89:8c:15: + c1:c3:56:1c:ec:65:15:66:63:ea:4a:ec:80:84:ec:4f:0b:52: + 34:50:3b:28:6d:f1:66:b9:82:8a:27:3f:0f:8c:48:2c:bc:19: + 29:87:ca:de:28:64:0a:e3:c8:29:fc:1d:d9:75:28:a0:f3:08: + ba:c4:5b:9b:e5:c6:09:6f:24:a3:d3:96:36:96:a3:a2:4e:81: + a7:88:8d:8f:7b:0c:66:2e:59:28:f4:b8:df:15:0c:e0:82:04: + 19:81:57:27:dd:c5:71:43:0e:11:a6:d4:16:46:80:2b:1e:ab: + 88:cd:e4:42:3e:f1:6c:89:83:8a:63:05:fb:e5:d9:68:b0:e8: + d6:7a:b4:48:58:58:5c:71:31:03:49:54:4e:f3:c0:5e:e8:2d: + 
9d:87:25:44:ba:18:1f:36:67:04:fd:00:62:15:b8:70:62:53: + 31:26:16:a5:93:60:3a:f7:d5:5c:53:5a:db:98:a3:2c:c8:07: + aa:2b:f6:8b:c1:c8:01:b4:fb:8e:bd:df:f8:94:38:3d:4c:7f: + dd:9b:a9:37:bb:d6:ca:20:93:17:3a:b7:55:3b:5c:89:4f:58: + b3:b2:89:9a:a0:12:e8:f7:60:7c:3e:00:b9:37:52:6c:91:96: + 5e:4d:ce:c3:21:66:17:ba:e5:2c:7c:69:ce:26:39:e4:49:47: + fc:51:b3:7e:15:16:b3:b9:05:b2:f8:00:2e:3b:e1:41:45:30: + 20:c5:56:e8:fd:c8:ca:a3:b8:6c:11:07:94:54:5c:ad:39:7d: + 55:bc:24:da:65:68:ac:a8:8a:0d:eb:ce:89:5e:29:0d:c7:f4: + 49:ae:29:a7:68:43:8e:a7:94:1c:52:48:c3:b3:21:0e:eb:4d: + 17:3b:d3:49:c9:ae:9e:c8 +-----BEGIN CERTIFICATE----- +MIIGcDCCBFigAwIBAgIQR19a/qT9WkEEiC4Er9zC9jANBgkqhkiG9w0BAQsFADBI +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEnMCUGA1UEAxMeRmFrZSBS +b290IENBIGZvciB6bGludCB0ZXN0aW5nMB4XDTI0MDcwNDA0MTk0NFoXDTI5MDcw +MzA0MTk0NFowcDELMAkGA1UEBhMCWFgxEzARBgNVBAgTClNvbWUgU3RhdGUxFjAU +BgNVBAcTDVNvbWUgTG9jYWxpdHkxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMT +GUZha2UgQ0EgZm9yIHpsaW50IHRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQDTDUs10slkURukCfaQAgy4emjSx4VNez6kOhE2PAFBwON4SKp9 +5XXLbq4itw6Bo0T/YiJaz9jWxaaeTY68NCObSk1DTTe/m2utJVIHICrJUOgKCvd+ +sDBxjAQYXBfYjJRSOW+8FDxjPu/e8C/BfyWDSP0Wxg49vMVQ3gdZlvWip6ZGZ7Yf +mnmXHuGejy4S/El900HhGB0mLCQzzSoRTNIcGouce05LRpasmc5bxBztAPBC7k6V +Ix5POV+8Ud7AEKVl8ac7rZgCdi9CSMAA0DtAsHBiQny8JptlH05HHHAwal7Q8fgX +agzAjlDynz+RGgA3ko4J6CFvIKXySsldQwy8kZogbcFml7d/bzRtfd6M8uJQRhMZ +1+wuPBkVErw2NUZoOJGPJ4tC+mihIwPH9i4Ul6zpNX9urbh0xsEc5MbfHVYopsHk +j2FvnDh916QWyv3jxoByB4s1HXJ366NO7iQOm7jlZwZzctHMs5yg7XcNhZsmkT9Q +jKBThu0q44TQJP9rr2iS3R3lx86Kig+HTIYU802x0ud/Gk1S0mqr1JXhdQWC46NK +XP5fw14Zk38lbmREcqVqGe50Q63cJ65wcqcrKQF63TOyLdnFQn/0hpErZRd1uJDt +k+OqfUjdBAZ/hlIEKWnv9prYQ+oFo+paaR6NL6MFoIKoYOyAtp05QLe7/wIDAQAB +o4IBLDCCASgwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRkOoZ/3skjs6bhSzK7 +z50JFp2cbzAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEF 
+BQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9v +Y3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAR +BgNVHSAECjAIMAYGBFUdIAAwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNv +bWVjYS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAgEAFKpXgQejjPmO3zgQ +3HW7daFhiAuuG5giZ9T0LS0fds6Z+/B10UYdOX8HYdWJI+T7nmMTW8v4DfkTXfvR +oCXLyHDSRrUWpSQfaNRuyDXg6yauNdNND0BwMCp/MtIQ/Vcp/BVPimL0sGsbnbky +dcxN88XPY+nNSbsXg8dWod0RKpGxM9nlfdUAoffd4RsrEtmhmCHDBWIwsR0mFnbx +jgK0TPhtFKowG0oueMXlEkhkZRIiiYwVwcNWHOxlFWZj6krsgITsTwtSNFA7KG3x +ZrmCiic/D4xILLwZKYfK3ihkCuPIKfwd2XUooPMIusRbm+XGCW8ko9OWNpajok6B +p4iNj3sMZi5ZKPS43xUM4IIEGYFXJ93FcUMOEabUFkaAKx6riM3kQj7xbImDimMF +++XZaLDo1nq0SFhYXHExA0lUTvPAXugtnYclRLoYHzZnBP0AYhW4cGJTMSYWpZNg +OvfVXFNa25ijLMgHqiv2i8HIAbT7jr3f+JQ4PUx/3ZupN7vWyiCTFzq3VTtciU9Y +s7KJmqAS6PdgfD4AuTdSbJGWXk3OwyFmF7rlLHxpziY55ElH/FGzfhUWs7kFsvgA +LjvhQUUwIMVW6P3IyqO4bBEHlFRcrTl9Vbwk2mVorKiKDevOiV4pDcf0Sa4pp2hD +jqeUHFJIw7MhDutNFzvTScmunsg= +-----END CERTIFICATE----- diff --git a/v3/testdata/extra_subj_attrs_na2.pem b/v3/testdata/extra_subj_attrs_na2.pem new file mode 100644 index 000000000..804d1c503 --- /dev/null +++ b/v3/testdata/extra_subj_attrs_na2.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 22:be:cc:c3:29:b6:22:3e:00:0d:bb:b0:23:83:42:39 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jul 4 04:23:50 2024 GMT + Not After : Jul 4 04:23:50 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d5:7d:26:8a:e7:99:f2:c8:d9:1d:e3:3a:9d:a9: + 7b:9f:9f:b7:4c:5c:c5:87:1c:06:4c:d2:a1:f9:b0: + 40:ec:34:e1:a4:86:ec:e2:56:e9:d1:cd:15:33:05: + c1:fd:3b:1e:05:43:ec:53:bd:9d:bd:68:96:00:f8: + e1:f0:12:cc:ec:89:0d:d8:34:24:f4:cd:e3:67:57: + f0:68:1c:f1:24:ba:18:05:80:a7:16:69:c3:84:84: + 50:3a:5b:46:e5:bb:db:ec:b5:51:07:5c:3e:65:33: + a6:7e:05:09:c7:2d:ab:74:71:d5:db:a9:ad:ae:03: + 21:f3:e9:19:78:4e:05:46:be:03:c1:14:b0:0b:36: + 3e:39:1e:af:c4:de:40:e3:9c:4d:76:62:5c:93:0b: + da:65:29:e4:9b:53:1d:e2:a3:ba:a9:d5:53:02:16: + df:5c:ab:39:54:76:1f:07:21:50:85:4e:d7:4b:ce: + 06:9d:9f:dd:1b:47:00:8c:33:25:8f:5c:37:fc:63: + 7e:85:6a:de:33:5d:24:65:5f:7d:4a:d2:7d:99:0a: + c9:7e:dd:68:a8:d3:7a:58:54:db:8b:66:46:e2:60: + e8:ce:4a:b0:d2:70:ea:23:eb:4f:63:27:14:81:7e: + 2e:92:c7:dd:e3:12:20:bb:ab:ba:ee:9b:f9:88:8e: + c6:ef + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 5E:48:EF:42:2E:9C:D8:F9:CE:DF:D1:5E:29:CB:79:74:AC:13:EC:D5 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + 
+ X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 90:96:91:18:19:f7:ce:ea:f1:82:0c:33:44:b2:38:03:f1:5a: + 21:78:f0:b0:d0:94:c9:54:04:c9:4a:04:d8:ec:30:fe:09:08: + 61:bf:a9:d4:b5:e6:d1:c2:43:a2:13:82:95:32:ac:9c:e5:d7: + aa:4b:e6:8c:3a:14:e8:4e:90:04:7d:1f:1d:85:30:77:9b:76: + 02:c1:55:a4:06:7f:3b:90:96:a1:8b:09:41:28:59:fb:e1:9c: + 0a:ed:e1:b7:ee:14:8b:34:18:a5:e3:aa:e0:e4:3e:f3:f6:fb: + 52:5b:52:a2:56:d9:50:b6:d2:89:87:07:bf:a3:38:92:96:af: + ae:84:db:f5:b0:11:4c:5c:8b:96:f0:d1:8d:b4:d1:b1:04:68: + 85:f8:88:a7:74:66:0a:c7:45:dd:3f:57:7d:41:2d:7a:f4:1c: + 35:12:36:9e:25:ad:85:53:95:46:05:5d:a7:71:2e:37:8b:60: + b2:32:f8:e5:83:28:69:41:64:d5:75:7c:3f:c3:f7:14:0c:c0: + 9d:14:d2:f8:bc:16:2d:2a:db:d9:fc:11:fb:20:b2:fd:8b:e0: + f0:ce:46:3a:0d:68:75:58:bf:47:02:fd:91:3e:73:fe:4f:50: + 0a:23:92:81:5c:ab:f6:85:6f:67:e6:72:b6:c6:d5:ff:98:de: + 49:9a:fe:d2 +-----BEGIN CERTIFICATE----- +MIIEeDCCA2CgAwIBAgIQIr7Mwym2Ij4ADbuwI4NCOTANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA3MDQwNDIzNTBaFw0yNTA3MDQwNDIz +NTBaMHQxCzAJBgNVBAYTAklUMR8wHQYDVQQIExZTb21lIFN0YXRlIG9yIFByb3Zp +bmNlMRIwEAYDVQQHEwlTb21ld2hlcmUxGjAYBgNVBAoTEVNvbWUgQ29tcGFueSBM +dGQuMRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBANV9JornmfLI2R3jOp2pe5+ft0xcxYccBkzSofmwQOw04aSG7OJW +6dHNFTMFwf07HgVD7FO9nb1olgD44fASzOyJDdg0JPTN42dX8Ggc8SS6GAWApxZp +w4SEUDpbRuW72+y1UQdcPmUzpn4FCcctq3Rx1dupra4DIfPpGXhOBUa+A8EUsAs2 +Pjker8TeQOOcTXZiXJML2mUp5JtTHeKjuqnVUwIW31yrOVR2HwchUIVO10vOBp2f +3RtHAIwzJY9cN/xjfoVq3jNdJGVffUrSfZkKyX7daKjTelhU24tmRuJg6M5KsNJw +6iPrT2MnFIF+LpLH3eMSILuruu6b+YiOxu8CAwEAAaOCATUwggExMA4GA1UdDwEB +/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYE +FF5I70IunNj5zt/RXinLeXSsE+zVMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+ +B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNv 
+bWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2Et +aW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBMGA1UdIAQMMAow +CAYGZ4EMAQICMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5j +LmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggEBAJCWkRgZ987q8YIMM0SyOAPxWiF4 +8LDQlMlUBMlKBNjsMP4JCGG/qdS15tHCQ6ITgpUyrJzl16pL5ow6FOhOkAR9Hx2F +MHebdgLBVaQGfzuQlqGLCUEoWfvhnArt4bfuFIs0GKXjquDkPvP2+1JbUqJW2VC2 +0omHB7+jOJKWr66E2/WwEUxci5bw0Y200bEEaIX4iKd0ZgrHRd0/V31BLXr0HDUS +Np4lrYVTlUYFXadxLjeLYLIy+OWDKGlBZNV1fD/D9xQMwJ0U0vi8Fi0q29n8Efsg +sv2L4PDORjoNaHVYv0cC/ZE+c/5PUAojkoFcq/aFb2fmcrbG1f+Y3kma/tI= +-----END CERTIFICATE----- diff --git a/v3/testdata/extra_subj_attrs_ne1.pem b/v3/testdata/extra_subj_attrs_ne1.pem new file mode 100644 index 000000000..2b8c1743d --- /dev/null +++ b/v3/testdata/extra_subj_attrs_ne1.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a5:98:78:aa:79:0f:60:55:84:58:71:6f:79:72:97:19 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 13 00:00:00 2019 GMT + Not After : Apr 12 00:00:00 2020 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890, postOfficeBox = 12345 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ab:97:ce:b7:ff:15:ce:9b:1f:f9:45:5a:4b:4b: + ad:67:62:38:47:9d:00:34:93:24:e2:f7:6f:94:df: + 41:a5:97:2b:ca:d1:eb:d8:87:e0:ab:8d:98:a5:bc: + b7:8e:d3:cd:ff:eb:65:f8:a7:c3:a7:6b:be:76:b3: + 4a:f9:bb:d8:a7:a2:f7:4a:5c:f4:44:07:00:03:04: + 43:a7:8d:df:f7:41:a6:32:6b:da:b3:44:c8:e6:c6: + e3:7b:7f:05:f6:21:80:36:9e:76:db:74:55:ab:20: + e8:90:bb:56:ed:99:c8:be:83:5e:fd:51:ae:50:f6: + e4:9a:ed:85:ae:66:e5:2c:21:bf:69:11:dc:3d:be: + 40:4e:7f:f0:7e:5d:cc:ec:f0:0c:f4:3e:f4:11:d2: + 56:35:70:6c:d5:85:40:45:09:86:04:47:8d:08:ec: + d9:7a:cc:17:b4:e0:7d:a9:7f:87:ac:1b:55:fd:0f: + 7a:bb:80:6b:b8:fa:68:5f:97:71:bd:11:cb:a5:aa: + cb:db:68:9a:05:89:bd:7f:ba:98:8d:98:be:3d:07: + 1e:46:6a:03:e5:86:9b:d8:53:38:a9:0e:be:72:43: + 87:a7:9f:5c:78:e6:24:d9:a1:78:a1:40:3d:12:df: + 01:06:7f:4c:ad:a1:1a:c1:d9:91:5d:b1:4a:e5:3f: + ca:2f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + A9:43:73:EC:D3:04:19:3D:F5:8E:74:9D:AB:2C:CB:2B:E7:9C:31:33 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + 
X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 26:f6:a7:1b:0d:a3:5b:45:32:f3:a8:e4:08:3e:81:15:a6:6d: + 7c:20:a3:9e:83:73:90:3f:fc:7d:19:ad:1d:7c:5e:b1:fe:dc: + 87:a2:37:34:55:4f:63:38:6a:a9:7a:b8:0d:04:ba:fc:42:43: + b3:85:c7:b2:3c:6c:31:23:c4:86:7e:08:f5:55:bc:38:2b:5d: + 5f:5e:28:f9:b6:6a:9d:2a:b0:bc:c8:30:f1:7b:e6:d1:f7:2e: + c1:7a:71:bc:d5:b0:f5:c0:ac:bd:a8:f6:ad:d1:2b:24:fe:ab: + 03:a0:20:5e:56:1b:7e:70:04:05:91:ad:63:be:1f:c6:1a:ea: + 46:b5:a2:d6:cf:29:5b:45:b5:77:9f:ec:fc:67:49:cc:7e:2e: + 4d:df:dd:46:ba:a6:0f:0b:34:ec:e0:e5:a9:34:de:4e:d4:b1: + 99:e2:f4:5e:87:21:7c:d3:aa:6b:d5:11:99:2a:b9:97:b3:34: + 6d:3d:5e:aa:50:62:17:80:f1:ca:08:17:cb:b4:34:25:8f:1a: + 4c:b0:a5:62:58:85:c4:8f:25:53:62:3a:b9:0c:ee:99:d3:e0: + 6d:b8:e1:55:cf:5a:1e:47:23:37:3c:a3:4b:84:db:80:f3:a7: + fd:37:d3:72:45:82:37:a0:a4:a1:e6:ca:55:ba:67:24:10:4b: + ab:29:bc:11 +-----BEGIN CERTIFICATE----- +MIIEnjCCA4agAwIBAgIRAKWYeKp5D2BVhFhxb3lylxkwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMTkwNDEzMDAwMDAwWhcNMjAwNDEyMDAw +MDAwWjCBmTELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUub3JnMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MQ4wDAYDVQQSEwUxMjM0NTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AKuXzrf/Fc6bH/lFWktLrWdiOEedADSTJOL3b5TfQaWXK8rR69iH4KuNmKW8t47T +zf/rZfinw6drvnazSvm72Kei90pc9EQHAAMEQ6eN3/dBpjJr2rNEyObG43t/BfYh +gDaedtt0Vasg6JC7Vu2ZyL6DXv1RrlD25Jrtha5m5Swhv2kR3D2+QE5/8H5dzOzw +DPQ+9BHSVjVwbNWFQEUJhgRHjQjs2XrMF7Tgfal/h6wbVf0PeruAa7j6aF+Xcb0R +y6Wqy9tomgWJvX+6mI2Yvj0HHkZqA+WGm9hTOKkOvnJDh6efXHjmJNmheKFAPRLf +AQZ/TK2hGsHZkV2xSuU/yi8CAwEAAaOCATQwggEwMA4GA1UdDwEB/wQEAwIFoDAd +BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFKlDc+zTBBk9 
+9Y50nassyyvnnDEzMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQG +CCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMu +Y29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9y +b290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBIGA1UdIAQLMAkwBwYFZ4EMAQEw +LQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDAN +BgkqhkiG9w0BAQsFAAOCAQEAJvanGw2jW0Uy86jkCD6BFaZtfCCjnoNzkD/8fRmt +HXxesf7ch6I3NFVPYzhqqXq4DQS6/EJDs4XHsjxsMSPEhn4I9VW8OCtdX14o+bZq +nSqwvMgw8Xvm0fcuwXpxvNWw9cCsvaj2rdErJP6rA6AgXlYbfnAEBZGtY74fxhrq +RrWi1s8pW0W1d5/s/GdJzH4uTd/dRrqmDws07ODlqTTeTtSxmeL0XochfNOqa9UR +mSq5l7M0bT1eqlBiF4DxyggXy7Q0JY8aTLClYliFxI8lU2I6uQzumdPgbbjhVc9a +HkcjNzyjS4TbgPOn/TfTckWCN6CkoebKVbpnJBBLqym8EQ== +-----END CERTIFICATE----- diff --git a/v3/testdata/extra_subj_attrs_ok1.pem b/v3/testdata/extra_subj_attrs_ok1.pem new file mode 100644 index 000000000..b043c24e2 --- /dev/null +++ b/v3/testdata/extra_subj_attrs_ok1.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 81:24:5e:a7:9a:04:90:ae:40:ca:b8:89:2c:04:97 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jul 4 04:25:41 2024 GMT + Not After : Jul 4 04:25:41 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890, businessCategory = Non-Commercial Entity + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:9b:1b:85:2f:53:fb:08:40:6a:2a:40:a1:cc:6d: + f2:d5:bb:4a:86:f9:12:03:e4:55:0b:c6:dc:70:ec: + 91:f1:3f:b7:44:4f:05:53:2b:68:31:8e:9c:27:92: + 17:b6:ea:43:02:88:12:76:80:00:b7:5f:60:9f:47: + 02:e6:19:f9:4f:65:3a:f6:6c:54:b2:41:14:a0:0f: + 9b:a0:bd:ca:ff:d9:bb:bf:51:58:eb:37:66:57:38: + 8c:86:30:77:d1:b8:63:73:9f:0a:83:73:1e:ae:ab: + f4:0c:f4:53:dc:18:20:2a:19:1f:f2:53:60:9a:b9: + 49:e3:be:54:d9:e1:ff:60:7b:d3:aa:df:3c:eb:bc: + 8c:15:12:fd:fc:98:ce:5f:f6:5a:b8:27:38:2f:60: + 84:f8:fc:3a:4e:81:7a:bb:63:41:70:c8:46:76:55: + 4b:dc:14:94:0a:84:9c:87:99:ca:d7:74:3c:62:22: + c0:58:e3:21:60:4f:4a:f3:d8:eb:fd:fa:a2:35:45: + eb:5f:bf:33:1c:10:71:62:9d:68:3b:86:95:de:fb: + a9:18:22:e9:30:d5:22:aa:1b:df:28:03:21:fd:1d: + 6b:38:fc:52:e1:53:48:aa:4d:85:5d:92:71:43:63: + 28:79:ca:a1:ea:c6:8d:ee:9a:b9:a6:8d:c7:c7:eb: + 94:9b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 81:2F:1F:10:DF:33:E6:9B:E4:2C:0F:AE:E6:F4:8D:51:BC:63:E1:BA + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 72:26:40:51:65:5b:b9:f0:d0:df:12:73:28:8b:57:63:f9:e6: + c4:5c:32:02:3d:63:32:eb:04:6c:71:aa:11:39:98:8c:09:0c: + 42:b9:90:7f:21:a1:c1:1e:37:46:5a:4a:77:d7:c6:29:c6:20: + 98:87:a5:6b:ff:31:de:4d:ad:90:42:ef:93:62:a7:23:df:29: + 50:00:1b:d4:b4:be:8a:1b:87:d2:58:b0:31:ec:1a:1f:98:ab: + 0d:03:ce:72:b3:a8:fd:59:47:83:39:ed:44:0f:96:a6:96:df: + ba:3e:94:74:c7:e1:41:ef:d5:5b:65:1e:ff:2a:8d:c5:74:8d: + aa:3f:e6:27:ab:54:0a:57:ae:72:7a:4c:48:55:58:0a:8f:f1: + f2:bc:14:d3:fc:af:7a:82:e8:61:bf:ac:91:c3:6b:5c:52:7b: + 69:39:78:04:39:ba:ec:c6:68:55:12:57:b9:1b:dd:0f:0b:5d: + 65:09:ff:e7:d3:d5:c6:ae:66:e7:b5:df:42:f8:64:32:d6:30: + 7a:ef:53:95:c5:38:e1:43:b3:9b:13:57:7e:6e:b6:7f:48:58: + 6d:8f:d3:fb:03:bf:dc:8d:92:72:b6:5a:33:92:d3:8a:9c:a8: + 7a:f6:a0:5e:ba:04:2e:54:fb:65:88:df:6c:87:95:e5:13:20: + 1f:b3:7c:f6 +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIQAIEkXqeaBJCuQMq4iSwElzANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA3MDQwNDI1NDFaFw0yNTA3MDQwNDI1 +NDFaMIGpMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcxEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HjAcBgNVBA8TFU5vbi1Db21tZXJjaWFsIEVudGl0eTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAJsbhS9T+whAaipAocxt8tW7Sob5EgPkVQvG3HDskfE/ +t0RPBVMraDGOnCeSF7bqQwKIEnaAALdfYJ9HAuYZ+U9lOvZsVLJBFKAPm6C9yv/Z +u79RWOs3Zlc4jIYwd9G4Y3OfCoNzHq6r9Az0U9wYICoZH/JTYJq5SeO+VNnh/2B7 +06rfPOu8jBUS/fyYzl/2WrgnOC9ghPj8Ok6BertjQXDIRnZVS9wUlAqEnIeZytd0 +PGIiwFjjIWBPSvPY6/36ojVF61+/MxwQcWKdaDuGld77qRgi6TDVIqob3ygDIf0d +azj8UuFTSKpNhV2ScUNjKHnKoerGje6auaaNx8frlJsCAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFIEvHxDfM+ab5CwPrub0jVG8Y+G6MB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAciZAUWVbufDQ3xJzKItX +Y/nmxFwyAj1jMusEbHGqETmYjAkMQrmQfyGhwR43RlpKd9fGKcYgmIela/8x3k2t +kELvk2KnI98pUAAb1LS+ihuH0liwMewaH5irDQPOcrOo/VlHgzntRA+Wppbfuj6U +dMfhQe/VW2Ue/yqNxXSNqj/mJ6tUCleucnpMSFVYCo/x8rwU0/yveoLoYb+skcNr +XFJ7aTl4BDm67MZoVRJXuRvdDwtdZQn/59PVxq5m57XfQvhkMtYweu9TlcU44UOz +mxNXfm62f0hYbY/T+wO/3I2ScrZaM5LTipyoevagXroELlT7ZYjfbIeV5RMgH7N8 +9g== +-----END CERTIFICATE----- diff --git a/v3/util/time.go b/v3/util/time.go index 451585b00..c91de7a20 100644 --- a/v3/util/time.go +++ b/v3/util/time.go @@ -86,6 +86,7 @@ var ( CABFBRs_2_0_8_Date = time.Date(2024, time.October, 2, 0, 0, 0, 0, time.UTC) NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC) CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC) + SC16EffectiveDate = time.Date(2019, time.April, 16, 0, 0, 0, 0, time.UTC) SC17EffectiveDate = time.Date(2019, time.June, 21, 0, 0, 0, 0, time.UTC) CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC) // Enforcement date of CRL reason codes from Ballot SC 061