From 0d4a7d55a313081f764c0b74c528ea374c066b26 Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Fri, 8 Mar 2024 16:07:57 +0100
Subject: [PATCH 01/29] Add files via upload
---
 v3/util/time.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/v3/util/time.go b/v3/util/time.go
index cd740a951..b702449ce 100644
--- a/v3/util/time.go
+++ b/v3/util/time.go
@@ -74,6 +74,7 @@ var (
 AppleReducedLifetimeDate = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)
 CABFBRs_1_7_9_Date = time.Date(2021, time.August, 16, 0, 0, 0, 0, time.UTC)
 CABFBRs_1_8_0_Date = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_0_Date = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
 NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC)
 CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
 CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC)
From 9ae17603010a88b7638f3d69c646eb34aaf5ee05 Mon Sep 17 00:00:00 2001
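Review bot: The added `CABFBRs_2_0_0_Date` (2023-09-15) is placed between `CABFBRs_1_8_0_Date` (2021-08-25) and `NoReservedDomainLabelsDate` (2021-10-01), which breaks the ascending date order that the other six visible entries follow; moving it after `CABF_SMIME_BRs_1_0_0_Date` (2023-09-01) would keep the list easy to audit. The constant also carries no comment, and if lints gate on it as an effective date (as the naming suggests), a mistyped value would silently change which certificates get checked. A line such as `// CABFBRs_2_0_0_Date is the effective date of the CA/Browser Forum TLS Baseline Requirements v2.0.0.` above it would let a reader verify the value against the published document. The `var (` block starts and continues outside the hunk, so the ordering convention is inferred from the visible lines only.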
From: Adriano Santoni
Date: Fri, 8 Mar 2024 16:09:09 +0100
Subject: [PATCH 02/29] Add files via upload
---
 v3/testdata/subject_rdn_order_ko_01.pem | 92 ++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_02.pem | 92 ++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_03.pem | 93 ++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_04.pem | 93 ++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_05.pem | 92 ++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_06.pem | 95 +++++++++++++++++++++++++
 v3/testdata/subject_rdn_order_ko_07.pem | 91 +++++++++++++++++++++++
 7 files changed, 648 insertions(+)
 create mode 100644 v3/testdata/subject_rdn_order_ko_01.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_02.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_03.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_04.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_05.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_06.pem
 create mode 100644 v3/testdata/subject_rdn_order_ko_07.pem
diff --git a/v3/testdata/subject_rdn_order_ko_01.pem b/v3/testdata/subject_rdn_order_ko_01.pem
new file mode 100644
index 000000000..e717ccf24
--- /dev/null
+++ b/v3/testdata/subject_rdn_order_ko_01.pem
@@ -0,0 +1,92 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9092871303437831039 (0x7e305e463dc14b7f) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 10:10:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, CN = example.org, O = Example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 6f:1f:bd:b4:2c:a6:67:95:07:73:cb:79:1a:a5:99:e1:c8:f6: + 73:6e:53:0e:15:a1:c3:3e:07:a8:0f:6b:31:09:89:f6:d1:2b: + 42:aa:f8:62:4e:0d:dc:fc:03:f3:de:8e:e3:bf:c8:3c:b0:69: + f6:23:11:01:fa:aa:9c:c8:24:4e:f0:7a:86:d9:dc:79:b7:96: + ec:f5:70:6e:f0:73:7c:3f:56:5b:a7:48:d8:da:bb:bc:2c:ba: + dc:c0:c1:f5:1b:76:5d:1a:1d:ad:e6:f2:22:50:3f:06:fa:06: + f9:ec:6c:05:a2:5f:22:62:ef:80:de:20:48:31:7f:90:c0:9b: + f6:1b:d8:4e:36:55:03:fb:c6:d2:bf:bd:d5:2c:55:37:f0:75: + 
2f:e7:96:43:29:ea:01:f7:89:75:72:ef:af:f8:31:a6:9c:3a: + 13:68:77:54:7d:75:05:fe:d6:b2:33:9b:d1:07:24:9d:8f:20: + 34:7a:19:ed:ae:94:47:3d:65:42:3d:ba:87:0d:61:ce:aa:57: + 0e:c5:bc:da:8b:9e:23:42:d2:76:fb:4f:c6:7f:62:66:b2:38: + 67:2c:3f:32:4b:2f:0a:78:51:ae:8c:8f:4f:49:72:6e:c7:78: + 65:d5:8b:e3:da:2a:55:35:b4:31:71:4c:9c:48:a0:74:ca:4e: + a2:c6:12:a3:96:fb:dd:08:49:82:0b:2e:30:18:91:3c:e2:d2: + e5:22:8f:b3:f6:d6:11:88:b6:df:ba:3b:88:49:3d:92:c6:d0: + d2:b2:0c:2b:4d:60:3f:47:a0:a9:82:4b:c8:13:09:f3:f2:71: + 2b:d6:7d:cf:67:5c:a8:2c:0e:3f:a9:e8:a6:8b:17:41:9f:77: + a9:04:5c:65:a8:4d:40:17:6c:ef:07:ef:a1:4f:fa:2e:78:f5: + 64:71:44:9d:b6:b0:26:e7:20:1e:06:e1:7c:24:a4:5b:2d:4e: + 80:ee:69:27:1e:6e:4a:e1:33:be:8d:06:8c:14:61:50:98:7f: + 5e:d8:d2:58:37:21:8a:46:6a:0c:70:4f:22:4a:05:75:9e:00: + 72:e0:74:f4:f1:86:6f:3e:fa:88:0b:35:34:89:bb:53:80:b0: + 29:d7:af:5c:8c:9d:7a:a3:8e:04:c2:4c:22:7a:3d:ff:c9:50: + 24:8a:3a:19:62:9c:46:97:b6:aa:75:0a:d3:d5:88:eb:1a:ce: + df:fc:b8:89:f0:6c:a6:a7:7d:1c:72:49:6c:cf:5e:8b:32:f6: + e1:27:95:39:94:7c:6a:e2:9c:14:04:26:0f:45:6e:81:a2:fd: + 39:45:3c:1f:9b:ff:1b:ff:71:1a:d4:12:10:57:71:bb:ab:f4: + 5f:35:82:63:fb:59:b8:10 +-----BEGIN CERTIFICATE----- +MIIEbDCCAlSgAwIBAgIIfjBeRj3BS38wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTAxMDAwWhcNMjUwMzA4MDg1 +MDAwWjBXMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xFDASBgNVBAMTC2V4YW1wbGUub3JnMRAwDgYDVQQKEwdFeGFtcGxlMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvK4wDWo5DAIU9pjCl27D4qMn ++OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpnouhEBZ38UILMkT3vItOvg6qQ22mJ +1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZebvmJtPLRPohW9XjiZtvlvH8OlvE +DFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1Ec9r1YM4eVOmxHX9MrCwj85FZEt/5 +B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfEW/fqsr6QPZoT835Rx24+uz9DnMeq +4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaSlW6SqxkzBtitTaEeOU1EgDzpIwID 
+AQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA +bx+9tCymZ5UHc8t5GqWZ4cj2c25TDhWhwz4HqA9rMQmJ9tErQqr4Yk4N3PwD896O +47/IPLBp9iMRAfqqnMgkTvB6htncebeW7PVwbvBzfD9WW6dI2Nq7vCy63MDB9Rt2 +XRodrebyIlA/BvoG+exsBaJfImLvgN4gSDF/kMCb9hvYTjZVA/vG0r+91SxVN/B1 +L+eWQynqAfeJdXLvr/gxppw6E2h3VH11Bf7WsjOb0QcknY8gNHoZ7a6URz1lQj26 +hw1hzqpXDsW82oueI0LSdvtPxn9iZrI4Zyw/MksvCnhRroyPT0lybsd4ZdWL49oq +VTW0MXFMnEigdMpOosYSo5b73QhJggsuMBiRPOLS5SKPs/bWEYi237o7iEk9ksbQ +0rIMK01gP0egqYJLyBMJ8/JxK9Z9z2dcqCwOP6noposXQZ93qQRcZahNQBds7wfv +oU/6Lnj1ZHFEnbawJucgHgbhfCSkWy1OgO5pJx5uSuEzvo0GjBRhUJh/XtjSWDch +ikZqDHBPIkoFdZ4AcuB09PGGbz76iAs1NIm7U4CwKdevXIydeqOOBMJMIno9/8lQ +JIo6GWKcRpe2qnUK09WI6xrO3/y4ifBspqd9HHJJbM9eizL24SeVOZR8auKcFAQm +D0VugaL9OUU8H5v/G/9xGtQSEFdxu6v0XzWCY/tZuBA= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_02.pem b/v3/testdata/subject_rdn_order_ko_02.pem new file mode 100644 index 000000000..f508b42a4 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_02.pem 
@@ -0,0 +1,92 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 766384265038364412 (0xaa2be6db70f7efc) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 13:59:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: CN = example.org, O = Example, L = Milano, ST = Milano, C = IT + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 0a:eb:9d:c0:96:17:e6:9b:d4:49:91:07:f4:30:3f:f4:89:49: + d0:85:e3:45:94:13:2d:d7:e6:fd:9b:1c:76:9f:80:d6:2b:98: + de:46:f5:bd:a4:95:06:d5:4d:45:f2:1a:b2:a8:ec:9f:d5:77: + 8a:70:af:d9:3f:e4:77:f0:ae:d9:de:6d:86:68:5b:1d:1e:a6: + f4:2e:f0:a9:c9:a8:a6:cf:f6:03:d2:c5:d1:87:a1:d0:77:1c: + 93:9d:f3:22:90:00:16:83:9f:8d:ac:fb:f1:17:45:12:f3:28: + f0:6a:d3:67:d7:7c:6b:13:18:98:3b:13:31:c1:83:c5:63:9b: + 4d:19:cd:bb:da:32:89:e4:c8:b3:60:bf:0c:86:58:8e:51:04: + 
c9:4d:fa:f6:02:9b:2a:8a:d3:bc:26:92:24:84:1e:36:37:f0: + 27:78:6b:48:8a:18:07:95:6c:99:00:37:b3:37:46:e2:f4:01: + f9:b5:f9:76:a2:78:d4:2e:44:71:ba:36:87:b4:19:43:7d:ce: + a2:bd:b9:69:f8:ea:56:c0:e2:d6:55:89:c6:80:3c:0a:bb:1f: + 5e:3d:9a:bd:f1:f8:b9:92:84:6e:22:da:d2:a8:01:17:33:1c: + 44:a6:0d:22:20:e1:f7:5e:42:60:06:9e:dc:5a:3b:3e:63:b8: + d8:db:0a:e8:bf:32:ca:bb:34:fd:d2:a5:27:89:af:46:af:2d: + 5b:e4:4c:f5:c6:e2:d1:a1:60:4f:e6:50:63:4f:9d:87:c2:e4: + 65:6d:4c:15:fa:60:84:c8:d5:f1:47:60:48:9a:e7:dc:70:1c: + 67:78:b4:e2:3d:3d:0b:7f:3f:33:32:dd:0a:dc:97:30:c0:d9: + 5b:0f:7c:a5:c7:70:23:64:b5:7c:0c:ba:67:67:71:b9:28:53: + 28:08:c6:1a:ae:d1:69:4f:aa:39:78:57:fd:02:50:de:de:73: + a9:51:f0:d2:4b:e9:9e:20:fd:96:55:70:37:5c:55:11:c1:a8: + 2b:1a:c1:4e:30:f5:b0:7d:09:3b:2b:4b:e6:73:d0:ca:d2:80: + 01:bd:57:81:e0:6b:4b:04:27:a8:fe:27:cb:d0:37:2b:78:1d: + c6:71:f1:ec:0e:b1:ac:db:d5:bb:d0:e2:94:84:04:a0:23:d0: + 2e:29:49:77:92:36:d1:8b:d2:aa:02:af:ca:8b:f4:0c:54:fa: + b3:56:90:a8:2a:54:ad:b2:2f:c5:8d:2c:7d:c5:55:99:d7:51: + c8:6d:a4:60:60:79:3f:f1:56:06:1b:a8:71:0d:8b:5f:b7:f7: + be:81:19:15:67:3d:c8:4b:8d:d0:90:2a:d6:d1:a4:c0:d8:9a: + 79:b9:1a:1b:92:40:ab:7c +-----BEGIN CERTIFICATE----- +MIIEbDCCAlSgAwIBAgIICqK+bbcPfvwwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTM1OTAwWhcNMjUwMzA4MDg1 +MDAwWjBXMRQwEgYDVQQDEwtleGFtcGxlLm9yZzEQMA4GA1UEChMHRXhhbXBsZTEP +MA0GA1UEBxMGTWlsYW5vMQ8wDQYDVQQIEwZNaWxhbm8xCzAJBgNVBAYTAklUMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwQqBYCHne6Psb+Tg/C9hR4hp +AVibo4mYC0IXR4eHsg4fdCIo5c+a0n8m208d6I0Z+s3m3UzA2jiT9r/o9J0fAMi/ +y/VPsPrDJM4vBDv6J92MO/dECYkWGQ6VCo3rDlQ/gcDnYrDZa1qJk3gI24wYPSSB +ay65/w1acSS3Ux/CllfNSZi2ITVHa4MZLalL4heivR6rFk/UmpsB2OG/1Sd18gl4 +YxskXi3+ZvoylmBRnEYOC6roVyLUFjgRltD+Y1bx6H7rmXXOS9Li+XEmYjEqA120 +1AT7M5803qE5hc9I0KEW1ZXHIDi6JNnemDEBCxy+brsWDfUGQieCSVcy82cCqwID 
+AQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA +CuudwJYX5pvUSZEH9DA/9IlJ0IXjRZQTLdfm/Zscdp+A1iuY3kb1vaSVBtVNRfIa +sqjsn9V3inCv2T/kd/Cu2d5thmhbHR6m9C7wqcmops/2A9LF0Yeh0Hcck53zIpAA +FoOfjaz78RdFEvMo8GrTZ9d8axMYmDsTMcGDxWObTRnNu9oyieTIs2C/DIZYjlEE +yU369gKbKorTvCaSJIQeNjfwJ3hrSIoYB5VsmQA3szdG4vQB+bX5dqJ41C5Ecbo2 +h7QZQ33Oor25afjqVsDi1lWJxoA8CrsfXj2avfH4uZKEbiLa0qgBFzMcRKYNIiDh +915CYAae3Fo7PmO42NsK6L8yyrs0/dKlJ4mvRq8tW+RM9cbi0aFgT+ZQY0+dh8Lk +ZW1MFfpghMjV8UdgSJrn3HAcZ3i04j09C38/MzLdCtyXMMDZWw98pcdwI2S1fAy6 +Z2dxuShTKAjGGq7RaU+qOXhX/QJQ3t5zqVHw0kvpniD9llVwN1xVEcGoKxrBTjD1 +sH0JOytL5nPQytKAAb1XgeBrSwQnqP4ny9A3K3gdxnHx7A6xrNvVu9DilIQEoCPQ +LilJd5I20YvSqgKvyov0DFT6s1aQqCpUrbIvxY0sfcVVmddRyG2kYGB5P/FWBhuo +cQ2LX7f3voEZFWc9yEuN0JAq1tGkwNiaebkaG5JAq3w= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_03.pem b/v3/testdata/subject_rdn_order_ko_03.pem new file mode 100644 index 000000000..12b9fd809 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_03.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3065546558357960659 (0x2a8b025a5558f7d3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 14:02:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, O = Example, CN = example.org, street = Via Carducci + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 09:82:cd:65:23:8d:a9:1c:b2:c2:10:a2:ee:44:4c:03:d4:e0: + 69:b3:bf:cc:43:10:d7:a7:6c:3a:cf:8d:9f:61:0c:38:8a:09: + b2:f0:73:41:2f:07:94:7a:d3:38:ba:75:d7:4c:63:a8:2d:48: + c5:56:80:d7:3c:62:ba:c5:15:43:cd:de:60:33:2b:42:0b:e2: + 7c:65:f6:d9:ae:0b:9a:0b:54:c0:5a:1c:9b:95:91:17:6d:e9: + c5:7d:cc:52:47:35:65:16:10:45:81:58:45:3e:bf:35:15:b4: + 30:d2:ba:6a:75:3e:68:9c:2e:d5:aa:2c:07:ea:ae:71:74:78: + 63:63:3d:9f:15:08:5a:0f:80:cf:7a:f1:cc:ba:48:d5:a1:f7: 
+ da:b8:c0:1c:c3:7c:94:fc:fd:d7:5b:56:ec:5a:a8:33:23:6a: + 18:74:d0:9a:a4:91:6e:3d:53:d0:ff:d3:a2:81:c2:74:50:44: + 4a:57:92:cd:8e:4b:d4:b0:08:22:9e:20:13:b0:0b:eb:9c:ce: + c2:b7:e9:d6:28:c6:d2:ea:29:3e:2f:7f:b1:02:16:7f:74:b3: + 4a:09:88:b9:ef:ce:74:60:18:cd:7b:37:03:07:45:d6:63:2d: + af:d2:df:80:b5:00:af:27:d0:f2:18:2b:b1:8a:68:ec:7e:f9: + 0e:cf:f1:4e:e0:89:03:1b:be:36:d4:a0:a7:f5:f3:76:b8:10: + 92:99:5c:00:08:85:c2:68:9c:47:5d:5a:f1:fa:29:ee:29:df: + 44:9a:bb:97:1d:cf:89:80:c2:4b:b0:39:68:07:48:e2:51:23: + 2e:d7:4b:49:5e:11:ad:60:c4:e3:1b:08:2e:01:7e:85:d0:76: + a3:5e:09:92:0f:0c:a0:9f:e5:d4:75:9e:f8:a6:f3:ac:43:6d: + 26:ca:29:5d:3a:e3:b1:33:2d:60:9b:a7:ea:d8:62:43:11:38: + c9:0b:f9:c1:ae:fb:c2:37:2a:65:62:21:6f:ba:49:33:98:5a: + c0:a0:8a:16:16:e6:56:29:e6:e8:f7:54:f5:68:48:aa:66:e0: + 90:17:42:ac:64:77:09:39:d7:e1:ba:c8:e3:9d:89:76:d3:bb: + ea:f7:64:23:8c:7e:24:ff:0d:7a:0e:49:5d:b9:1f:26:92:5f: + 64:a3:e5:07:40:27:f3:2b:6a:e8:4b:7c:95:7b:3e:9d:42:db: + 8d:03:04:f5:ab:1a:8d:13:93:fb:92:80:e0:1f:c2:49:70:22: + 25:b9:6f:bb:b7:49:6c:6c:05:59:6d:db:81:91:14:1d:92:9b: + 73:50:a6:80:3e:dd:a8:13:fe:df:3c:a3:92:fd:d4:95:ed:f6: + 57:84:a0:7f:1d:1f:05:13 +-----BEGIN CERTIFICATE----- +MIIEgzCCAmugAwIBAgIIKosCWlVY99MwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTQwMjAwWhcNMjUwMzA4MDg1 +MDAwWjBuMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xEDAOBgNVBAoTB0V4YW1wbGUxFDASBgNVBAMTC2V4YW1wbGUub3JnMRUw +EwYDVQQJEwxWaWEgQ2FyZHVjY2kwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDBCoFgIed7o+xv5OD8L2FHiGkBWJujiZgLQhdHh4eyDh90Iijlz5rSfybb +Tx3ojRn6zebdTMDaOJP2v+j0nR8AyL/L9U+w+sMkzi8EO/on3Yw790QJiRYZDpUK +jesOVD+BwOdisNlrWomTeAjbjBg9JIFrLrn/DVpxJLdTH8KWV81JmLYhNUdrgxkt +qUviF6K9HqsWT9SamwHY4b/VJ3XyCXhjGyReLf5m+jKWYFGcRg4LquhXItQWOBGW +0P5jVvHofuuZdc5L0uL5cSZiMSoDXbTUBPsznzTeoTmFz0jQoRbVlccgOLok2d6Y 
+MQELHL5uuxYN9QZCJ4JJVzLzZwKrAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUF +BwMBMA0GCSqGSIb3DQEBCwUAA4ICAQAJgs1lI42pHLLCEKLuREwD1OBps7/MQxDX +p2w6z42fYQw4igmy8HNBLweUetM4unXXTGOoLUjFVoDXPGK6xRVDzd5gMytCC+J8 +ZfbZrguaC1TAWhyblZEXbenFfcxSRzVlFhBFgVhFPr81FbQw0rpqdT5onC7VqiwH +6q5xdHhjYz2fFQhaD4DPevHMukjVoffauMAcw3yU/P3XW1bsWqgzI2oYdNCapJFu +PVPQ/9OigcJ0UERKV5LNjkvUsAginiATsAvrnM7Ct+nWKMbS6ik+L3+xAhZ/dLNK +CYi57850YBjNezcDB0XWYy2v0t+AtQCvJ9DyGCuximjsfvkOz/FO4IkDG7421KCn +9fN2uBCSmVwACIXCaJxHXVrx+inuKd9EmruXHc+JgMJLsDloB0jiUSMu10tJXhGt +YMTjGwguAX6F0HajXgmSDwygn+XUdZ74pvOsQ20myildOuOxMy1gm6fq2GJDETjJ +C/nBrvvCNyplYiFvukkzmFrAoIoWFuZWKebo91T1aEiqZuCQF0KsZHcJOdfhusjj +nYl207vq92QjjH4k/w16DklduR8mkl9ko+UHQCfzK2roS3yVez6dQtuNAwT1qxqN +E5P7koDgH8JJcCIluW+7t0lsbAVZbduBkRQdkptzUKaAPt2oE/7fPKOS/dSV7fZX +hKB/HR8FEw== +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_04.pem b/v3/testdata/subject_rdn_order_ko_04.pem new file mode 100644 index 000000000..1ea0791fc --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_04.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3792628805646187502 (0x34a21fcdf5747bee) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 14:05:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, O = Example, CN = example.org, DC = org, DC = example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 5a:12:f1:b2:6e:5f:cc:89:31:18:08:57:82:40:eb:4a:1f:41: + 5c:ef:7d:9d:d8:3f:eb:1f:7f:49:17:cf:9e:4b:69:76:85:6d: + 28:af:1b:09:c8:e0:98:3d:41:36:7a:24:e3:e9:39:8d:e3:c6: + 7c:c2:03:f8:81:1a:c8:7c:de:4f:94:c1:4c:8c:8d:0b:63:d7: + 09:d7:87:74:b2:a3:3d:8c:15:f3:a9:0e:3b:45:5e:21:01:84: + d5:ca:b9:39:0d:9b:fb:e8:52:3b:6d:ed:6d:6d:33:d5:08:ff: + 6c:cc:4f:43:81:f0:46:cb:b0:84:80:5c:e4:67:9b:ee:a7:f4: + 9c:94:19:13:3e:cd:8a:8d:7c:45:79:cc:bf:55:86:48:3a:d3: 
+ 51:f3:92:d1:ec:91:40:bf:57:7b:84:1d:20:b5:3f:a8:39:a0: + a3:67:66:12:4a:c2:eb:d2:74:33:10:2b:82:fb:ea:61:68:33: + 42:a9:27:c2:ca:ce:6b:cc:d3:57:f8:27:66:26:a7:18:ff:6c: + 63:93:a2:a3:f8:ca:55:b6:06:65:f2:db:c9:8b:41:0c:bc:3f: + ca:b8:b7:3a:d6:a2:e5:9e:08:17:33:c8:bd:85:e2:2f:71:60: + 30:9c:79:ec:90:4c:c8:ef:73:49:a3:6b:56:8d:25:c1:4a:2f: + c5:ef:03:43:cd:fe:cb:9f:cb:b9:73:06:33:45:81:ab:85:da: + a5:5b:9f:9f:9e:60:6a:98:95:71:c1:27:06:ed:c4:d5:dd:ca: + 42:f2:12:cb:bb:c6:eb:ec:2b:ad:15:5a:91:cb:fd:d2:f1:f6: + ef:a4:00:86:c1:96:1b:59:58:6f:83:e1:3b:3a:2e:f0:d2:b4: + 8d:55:5a:82:4e:9a:8b:62:ed:a6:99:97:a3:aa:b6:ad:08:45: + 01:04:2c:1e:ec:f3:5b:f8:9c:15:0e:24:b0:60:94:b4:2c:86: + 97:7a:42:18:f8:d9:25:d4:8b:b4:5c:87:a9:8d:13:82:c6:f5: + 68:94:39:ab:63:26:85:37:e5:ca:d0:be:de:79:6a:97:5e:35: + 08:9b:83:76:14:18:81:c3:e9:76:60:42:9a:f8:be:02:35:9f: + e1:f0:81:e9:2d:be:58:fa:29:c0:67:59:45:f6:7f:a0:49:0c: + 93:37:48:aa:08:cf:6a:ca:c7:d4:58:25:c9:4d:01:cc:19:65: + 4c:de:52:e9:2b:2a:8c:94:0c:1c:f0:67:f0:9f:75:c0:32:b7: + d7:9c:e4:f9:99:a0:8a:0e:8a:6c:ff:4c:74:18:6c:43:40:3c: + f9:1a:94:76:a0:25:c3:1b:71:7b:36:64:8f:44:97:08:52:fe: + c5:2c:a6:64:d2:1e:00:ec +-----BEGIN CERTIFICATE----- +MIIEmzCCAoOgAwIBAgIINKIfzfV0e+4wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTQwNTAwWhcNMjUwMzA4MDg1 +MDAwWjCBhTELMAkGA1UEBhMCSVQxDzANBgNVBAgTBk1pbGFubzEPMA0GA1UEBxMG +TWlsYW5vMRAwDgYDVQQKEwdFeGFtcGxlMRQwEgYDVQQDEwtleGFtcGxlLm9yZzET +MBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBCoFgIed7o+xv5OD8L2FHiGkB +WJujiZgLQhdHh4eyDh90Iijlz5rSfybbTx3ojRn6zebdTMDaOJP2v+j0nR8AyL/L +9U+w+sMkzi8EO/on3Yw790QJiRYZDpUKjesOVD+BwOdisNlrWomTeAjbjBg9JIFr +Lrn/DVpxJLdTH8KWV81JmLYhNUdrgxktqUviF6K9HqsWT9SamwHY4b/VJ3XyCXhj +GyReLf5m+jKWYFGcRg4LquhXItQWOBGW0P5jVvHofuuZdc5L0uL5cSZiMSoDXbTU 
+BPsznzTeoTmFz0jQoRbVlccgOLok2d6YMQELHL5uuxYN9QZCJ4JJVzLzZwKrAgMB +AAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQBa +EvGybl/MiTEYCFeCQOtKH0Fc732d2D/rH39JF8+eS2l2hW0orxsJyOCYPUE2eiTj +6TmN48Z8wgP4gRrIfN5PlMFMjI0LY9cJ14d0sqM9jBXzqQ47RV4hAYTVyrk5DZv7 +6FI7be1tbTPVCP9szE9DgfBGy7CEgFzkZ5vup/SclBkTPs2KjXxFecy/VYZIOtNR +85LR7JFAv1d7hB0gtT+oOaCjZ2YSSsLr0nQzECuC++phaDNCqSfCys5rzNNX+Cdm +JqcY/2xjk6Kj+MpVtgZl8tvJi0EMvD/KuLc61qLlnggXM8i9heIvcWAwnHnskEzI +73NJo2tWjSXBSi/F7wNDzf7Ln8u5cwYzRYGrhdqlW5+fnmBqmJVxwScG7cTV3cpC +8hLLu8br7CutFVqRy/3S8fbvpACGwZYbWVhvg+E7Oi7w0rSNVVqCTpqLYu2mmZej +qratCEUBBCwe7PNb+JwVDiSwYJS0LIaXekIY+Nkl1Iu0XIepjROCxvVolDmrYyaF +N+XK0L7eeWqXXjUIm4N2FBiBw+l2YEKa+L4CNZ/h8IHpLb5Y+inAZ1lF9n+gSQyT +N0iqCM9qysfUWCXJTQHMGWVM3lLpKyqMlAwc8Gfwn3XAMrfXnOT5maCKDops/0x0 +GGxDQDz5GpR2oCXDG3F7NmSPRJcIUv7FLKZk0h4A7A== +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_05.pem b/v3/testdata/subject_rdn_order_ko_05.pem new file mode 100644 index 000000000..728f80bce --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_05.pem 
@@ -0,0 +1,92 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3989736575603356219 (0x375e6446e838b23b) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 14:07:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, GN = Flash, SN = Gordon, CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 89:58:5c:be:7f:1e:6f:91:36:9c:cd:ec:e0:c2:5d:89:62:9a: + 74:37:de:b1:ba:12:7e:86:bb:33:0f:b9:78:fb:f1:b2:fd:bf: + 54:4f:f2:7c:ac:92:e8:5f:26:e9:fe:18:51:86:12:c9:d5:1e: + 81:4c:1b:16:f5:e2:b9:f5:5d:7e:82:0f:bd:f0:ec:07:8c:81: + 92:ab:81:a4:5e:37:cb:f1:a4:b7:d5:de:14:9d:d2:62:76:b5: + e7:58:4f:70:8e:dc:61:10:9b:be:f3:56:3b:77:12:87:08:c7: + 75:f3:45:17:74:2a:23:16:f4:4e:20:65:60:60:45:04:b2:45: + 3c:8d:65:d8:b6:f8:85:8f:cc:d0:3f:73:21:98:a5:27:87:b4: + 
d5:69:51:4b:86:88:c1:a0:86:dc:e6:0b:6a:e1:6a:02:30:ef: + 5b:b6:73:74:a7:f2:ec:92:d2:e2:60:f0:fd:cc:af:ae:8a:fd: + fa:2e:91:85:99:69:b2:6f:b1:84:f3:c2:dd:fb:1d:30:e8:c7: + bc:d4:10:c9:ff:be:38:95:c4:13:c4:22:50:5f:99:3c:2f:78: + cf:c7:6f:4c:99:20:dc:4a:d1:e7:8b:ec:ab:08:b8:0c:14:5e: + 42:27:06:86:17:6c:41:53:d2:38:30:17:49:3d:22:3e:25:1c: + d5:94:5d:aa:eb:01:6b:9e:9c:fc:8a:a9:7b:f4:56:8e:a8:2c: + bc:2c:19:ce:1b:f6:4e:88:ec:1e:62:1e:ab:cb:53:ab:38:02: + f7:ee:33:fa:c2:a3:80:97:57:88:7b:fb:6c:6d:7f:de:93:42: + 27:b1:91:73:2c:3f:f6:44:41:2c:d9:44:55:9d:3f:57:1c:6c: + 83:89:8d:74:77:c1:81:f4:1d:69:ff:e9:38:b9:fa:fe:e6:ec: + 38:a3:52:1d:df:ff:bd:f3:80:fd:e7:52:84:2c:f7:6c:42:54: + c0:a6:24:13:90:95:8d:91:11:40:6d:b9:1e:f6:04:fa:ab:58: + 41:2b:26:e3:bd:88:30:4e:82:d0:6f:a2:91:ff:05:58:08:9d: + 02:d0:cd:c5:94:16:ed:75:3c:3c:e0:0b:02:af:e7:ff:9a:71: + 5b:2e:df:dc:e7:24:14:c5:91:70:d0:de:b9:52:89:44:9b:8f: + 29:10:c6:eb:86:29:66:e3:12:62:96:f1:0c:b3:1a:71:68:73: + 91:77:83:1c:d1:64:47:9c:13:ca:ef:84:1e:04:23:82:25:12: + b6:54:a1:c4:a8:3d:37:e4:f6:b3:e5:e3:c3:1d:6e:5d:a6:73: + 36:8d:aa:82:2c:35:6a:69:99:ea:24:7b:f2:e5:ce:2b:8f:5a: + a1:c2:ce:d6:d4:dc:0f:06 +-----BEGIN CERTIFICATE----- +MIIEezCCAmOgAwIBAgIIN15kRug4sjswDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTQwNzAwWhcNMjUwMzA4MDg1 +MDAwWjBmMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xDjAMBgNVBCoTBUZsYXNoMQ8wDQYDVQQEEwZHb3Jkb24xFDASBgNVBAMT +C2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwQqB +YCHne6Psb+Tg/C9hR4hpAVibo4mYC0IXR4eHsg4fdCIo5c+a0n8m208d6I0Z+s3m +3UzA2jiT9r/o9J0fAMi/y/VPsPrDJM4vBDv6J92MO/dECYkWGQ6VCo3rDlQ/gcDn +YrDZa1qJk3gI24wYPSSBay65/w1acSS3Ux/CllfNSZi2ITVHa4MZLalL4heivR6r +Fk/UmpsB2OG/1Sd18gl4YxskXi3+ZvoylmBRnEYOC6roVyLUFjgRltD+Y1bx6H7r +mXXOS9Li+XEmYjEqA1201AT7M5803qE5hc9I0KEW1ZXHIDi6JNnemDEBCxy+brsW 
+DfUGQieCSVcy82cCqwIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkq +hkiG9w0BAQsFAAOCAgEAiVhcvn8eb5E2nM3s4MJdiWKadDfesboSfoa7Mw+5ePvx +sv2/VE/yfKyS6F8m6f4YUYYSydUegUwbFvXiufVdfoIPvfDsB4yBkquBpF43y/Gk +t9XeFJ3SYna151hPcI7cYRCbvvNWO3cShwjHdfNFF3QqIxb0TiBlYGBFBLJFPI1l +2Lb4hY/M0D9zIZilJ4e01WlRS4aIwaCG3OYLauFqAjDvW7ZzdKfy7JLS4mDw/cyv +ror9+i6RhZlpsm+xhPPC3fsdMOjHvNQQyf++OJXEE8QiUF+ZPC94z8dvTJkg3ErR +54vsqwi4DBReQicGhhdsQVPSODAXST0iPiUc1ZRdqusBa56c/Iqpe/RWjqgsvCwZ +zhv2TojsHmIeq8tTqzgC9+4z+sKjgJdXiHv7bG1/3pNCJ7GRcyw/9kRBLNlEVZ0/ +Vxxsg4mNdHfBgfQdaf/pOLn6/ubsOKNSHd//vfOA/edShCz3bEJUwKYkE5CVjZER +QG25HvYE+qtYQSsm472IME6C0G+ikf8FWAidAtDNxZQW7XU8POALAq/n/5pxWy7f +3OckFMWRcNDeuVKJRJuPKRDG64YpZuMSYpbxDLMacWhzkXeDHNFkR5wTyu+EHgQj +giUStlShxKg9N+T2s+Xjwx1uXaZzNo2qgiw1ammZ6iR78uXOK49aocLO1tTcDwY= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_06.pem b/v3/testdata/subject_rdn_order_ko_06.pem new file mode 100644 index 000000000..d143b65e5 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_06.pem 
@@ -0,0 +1,95 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6256546164417316078 (0x56d3b79682ed44ee) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 14:12:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, street = Via Carducci, postalCode = 20100, O = Example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: + DNS:example.org + Signature Algorithm: sha256WithRSAEncryption + 4f:c8:a4:cf:30:8f:2b:6b:f8:98:ac:b2:38:d3:6a:97:2a:a8: + 12:d0:cc:b6:c9:bd:96:5b:96:f5:67:94:d0:00:a7:5c:06:c6: + ab:96:ed:27:3a:67:41:0c:25:61:6d:58:f0:a5:94:93:41:b4: + 9c:4b:fa:08:27:7d:d8:a1:a0:15:77:77:e2:84:54:f2:60:4f: + 5b:02:11:4a:e9:ec:d2:97:00:9c:b1:f0:5e:b4:b1:da:27:41: + 27:49:8c:17:f0:3c:3f:c2:60:9d:3c:d2:20:1e:3d:ad:bf:6e: + 07:b7:ed:5f:cf:23:01:4f:26:9e:ed:0d:e5:a8:c1:c0:10:2c: + 
72:8a:fd:b9:14:32:73:c6:f8:8f:a4:20:ef:ee:8f:c5:b7:81: + be:80:df:a5:ac:81:e4:60:22:23:46:9d:81:23:17:4e:42:1e: + 3f:d8:8e:59:7b:6b:18:02:71:98:34:f7:12:db:d6:f8:51:2a: + b4:3f:2f:15:47:78:1c:71:96:18:22:44:c6:97:75:ca:2e:b5: + d1:ff:3b:6b:80:57:fb:67:88:ea:9b:9e:cd:e5:28:bc:ef:44: + 67:be:70:d4:cc:a2:5b:b4:7f:3b:6e:0b:fc:23:7c:3d:f7:30: + bb:1f:07:c1:77:fb:58:13:71:20:1c:22:eb:63:05:9b:5d:8a: + 9d:e0:9c:3f:8b:32:34:ba:10:72:fa:36:e8:4c:0d:76:c3:2a: + 67:c9:70:ec:a9:1a:d7:84:c2:e2:a5:d3:e4:06:28:26:0b:94: + c6:7b:88:5f:27:02:75:55:ee:26:ee:55:36:38:35:43:0f:8c: + 71:48:c2:7f:45:01:d5:b9:28:93:d6:26:31:43:53:25:33:98: + e0:df:03:b3:db:6a:b9:a6:7c:3a:0f:d8:50:af:0d:56:e8:87: + 4a:a5:a0:da:91:db:19:4f:78:48:08:48:66:0a:9c:24:82:14: + f0:a2:b0:6b:cc:fa:f4:1a:bf:b1:fa:ff:0a:45:d7:e3:df:66: + 60:0e:d5:75:a5:1f:94:09:0f:3a:98:06:d2:4b:7c:d3:fd:6e: + 7b:a1:ad:23:e0:d5:5e:0a:5e:96:a7:a0:97:8b:90:6e:29:ec: + 2e:7f:7a:bf:9c:a2:c8:3a:dc:fc:48:51:e8:05:bd:a3:5b:b5: + 4a:6d:73:62:1d:f4:a1:1b:d9:28:77:79:4b:a5:5c:0b:b5:61: + 4c:4c:c7:20:f5:6d:78:29:3e:5d:56:ef:4d:ca:45:6b:fb:70: + 48:e0:74:b9:89:a7:4b:30:29:59:3e:c2:33:97:35:d9:f3:2a: + 1b:96:d5:6b:fc:4d:09:a8:99:7b:7f:bc:44:d4:1e:30:f5:34: + be:e6:e3:79:77:f0:3a:53 +-----BEGIN CERTIFICATE----- +MIIElTCCAn2gAwIBAgIIVtO3loLtRO4wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTQxMjAwWhcNMjUwMzA4MDg1 +MDAwWjBoMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xFTATBgNVBAkTDFZpYSBDYXJkdWNjaTEOMAwGA1UEERMFMjAxMDAxEDAO +BgNVBAoTB0V4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB +CoFgIed7o+xv5OD8L2FHiGkBWJujiZgLQhdHh4eyDh90Iijlz5rSfybbTx3ojRn6 +zebdTMDaOJP2v+j0nR8AyL/L9U+w+sMkzi8EO/on3Yw790QJiRYZDpUKjesOVD+B +wOdisNlrWomTeAjbjBg9JIFrLrn/DVpxJLdTH8KWV81JmLYhNUdrgxktqUviF6K9 +HqsWT9SamwHY4b/VJ3XyCXhjGyReLf5m+jKWYFGcRg4LquhXItQWOBGW0P5jVvHo 
+fuuZdc5L0uL5cSZiMSoDXbTUBPsznzTeoTmFz0jQoRbVlccgOLok2d6YMQELHL5u +uxYN9QZCJ4JJVzLzZwKrAgMBAAGjLzAtMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBYG +A1UdEQQPMA2CC2V4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQBPyKTPMI8r +a/iYrLI402qXKqgS0My2yb2WW5b1Z5TQAKdcBsarlu0nOmdBDCVhbVjwpZSTQbSc +S/oIJ33YoaAVd3fihFTyYE9bAhFK6ezSlwCcsfBetLHaJ0EnSYwX8Dw/wmCdPNIg +Hj2tv24Ht+1fzyMBTyae7Q3lqMHAECxyiv25FDJzxviPpCDv7o/Ft4G+gN+lrIHk +YCIjRp2BIxdOQh4/2I5Ze2sYAnGYNPcS29b4USq0Py8VR3gccZYYIkTGl3XKLrXR +/ztrgFf7Z4jqm57N5Si870RnvnDUzKJbtH87bgv8I3w99zC7HwfBd/tYE3EgHCLr +YwWbXYqd4Jw/izI0uhBy+jboTA12wypnyXDsqRrXhMLipdPkBigmC5TGe4hfJwJ1 +Ve4m7lU2ODVDD4xxSMJ/RQHVuSiT1iYxQ1MlM5jg3wOz22q5pnw6D9hQrw1W6IdK +paDakdsZT3hICEhmCpwkghTworBrzPr0Gr+x+v8KRdfj32ZgDtV1pR+UCQ86mAbS +S3zT/W57oa0j4NVeCl6Wp6CXi5BuKewuf3q/nKLIOtz8SFHoBb2jW7VKbXNiHfSh +G9kod3lLpVwLtWFMTMcg9W14KT5dVu9NykVr+3BI4HS5iadLMClZPsIzlzXZ8yob +ltVr/E0JqJl7f7xE1B4w9TS+5uN5d/A6Uw== +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ko_07.pem b/v3/testdata/subject_rdn_order_ko_07.pem new file mode 100644 index 000000000..0d185a38c --- /dev/null +++ b/v3/testdata/subject_rdn_order_ko_07.pem 
@@ -0,0 +1,91 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 204622961721394657 (0x2d6f77fe24ac5e1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 14:15:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: CN = example.org, C = IT + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 9f:e6:50:72:f3:e3:a3:4c:2a:83:33:fa:84:7b:20:4a:db:fd: + d7:5c:c0:57:07:35:fd:3f:b6:6b:14:61:69:69:f4:c4:ed:cf: + c0:d2:6c:07:b9:48:da:93:1b:54:25:d1:5b:62:2c:0e:67:95: + 3f:50:20:ac:fd:bf:82:c4:19:9c:3a:77:0b:c5:05:d6:6c:f2: + c0:37:f0:db:f9:81:f6:bd:23:f6:1f:b5:f0:14:4c:65:8d:fa: + ac:6c:22:d7:3f:92:34:e7:a6:bf:15:0c:b4:88:33:95:ec:70: + 04:75:e9:0a:e1:da:de:f3:46:10:c7:81:6f:9c:28:1c:cd:89: + 99:2e:0c:1b:c9:87:fc:b0:dc:bc:fd:81:e5:ac:5b:5c:23:1b: + eb:c9:32:22:55:b9:3e:bb:67:93:59:13:e8:50:f8:3e:83:0d: + 
de:3b:6e:89:d6:39:fe:49:dd:d1:ad:0f:42:92:54:10:2c:9d: + 9e:04:cf:db:5c:1a:b6:96:8a:77:6f:e1:75:4c:d3:36:57:a1: + 81:b0:12:ad:76:0a:11:d3:99:9b:49:1f:52:be:9f:7e:d2:c0: + 66:f0:1c:e1:a7:34:ad:bb:c5:55:cd:d0:c1:2c:12:6a:46:6b: + 83:32:e7:c3:d5:0f:80:04:c6:35:4f:61:35:45:87:17:c2:97: + e3:51:fd:c6:77:96:16:b4:e3:22:d2:f5:ea:dd:c4:c3:0b:61: + d4:2d:3b:46:81:eb:d5:38:3c:a1:90:b1:f7:ef:dd:31:a1:12: + c8:2b:7b:12:20:84:b8:85:72:20:3e:a5:fc:97:57:eb:ed:55: + 6a:70:69:c4:dd:14:60:65:a9:17:e9:d2:ba:a6:57:3c:9c:2b: + 6e:de:8b:b8:ab:52:15:82:e3:ce:f5:a0:60:21:c1:72:11:0f: + f9:ea:af:fd:c7:99:bb:83:97:b8:93:30:1f:65:4f:38:d1:4f: + cb:ce:64:9f:35:3a:e7:3d:0e:09:ba:a7:ac:4e:75:7d:37:aa: + d6:e5:38:d2:4b:e2:73:fb:39:f8:2b:62:08:96:f2:2a:d1:6b: + ef:9f:af:00:a9:b8:56:f5:be:d1:bb:c6:37:cf:9e:6b:40:9f: + 15:66:4e:99:5b:ce:89:0d:7a:9b:8f:af:31:cd:85:ab:67:10: + 05:82:f4:0f:e5:4f:fb:46:f6:12:ed:6c:cb:38:a7:eb:4c:ae: + 2b:7f:b3:b1:65:c4:d7:46:46:50:a8:a4:79:bb:75:e2:aa:d5: + c0:33:9e:37:54:a3:04:ba:fa:9e:ee:07:b3:ae:e8:dd:f8:53: + 45:f0:16:d2:f2:0c:a8:87:80:92:a8:7d:72:60:f1:a5:42:f4: + 9f:16:d4:c5:a1:0f:7f:d7 +-----BEGIN CERTIFICATE----- +MIIEODCCAiCgAwIBAgIIAtb3f+JKxeEwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTQxNTAwWhcNMjUwMzA4MDg1 +MDAwWjAjMRQwEgYDVQQDEwtleGFtcGxlLm9yZzELMAkGA1UEBhMCSVQwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBCoFgIed7o+xv5OD8L2FHiGkBWJuj +iZgLQhdHh4eyDh90Iijlz5rSfybbTx3ojRn6zebdTMDaOJP2v+j0nR8AyL/L9U+w ++sMkzi8EO/on3Yw790QJiRYZDpUKjesOVD+BwOdisNlrWomTeAjbjBg9JIFrLrn/ +DVpxJLdTH8KWV81JmLYhNUdrgxktqUviF6K9HqsWT9SamwHY4b/VJ3XyCXhjGyRe +Lf5m+jKWYFGcRg4LquhXItQWOBGW0P5jVvHofuuZdc5L0uL5cSZiMSoDXbTUBPsz +nzTeoTmFz0jQoRbVlccgOLok2d6YMQELHL5uuxYN9QZCJ4JJVzLzZwKrAgMBAAGj +FzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQCf5lBy +8+OjTCqDM/qEeyBK2/3XXMBXBzX9P7ZrFGFpafTE7c/A0mwHuUjakxtUJdFbYiwO 
+Z5U/UCCs/b+CxBmcOncLxQXWbPLAN/Db+YH2vSP2H7XwFExljfqsbCLXP5I056a/ +FQy0iDOV7HAEdekK4dre80YQx4FvnCgczYmZLgwbyYf8sNy8/YHlrFtcIxvryTIi +Vbk+u2eTWRPoUPg+gw3eO26J1jn+Sd3RrQ9CklQQLJ2eBM/bXBq2lop3b+F1TNM2 +V6GBsBKtdgoR05mbSR9Svp9+0sBm8BzhpzStu8VVzdDBLBJqRmuDMufD1Q+ABMY1 +T2E1RYcXwpfjUf3Gd5YWtOMi0vXq3cTDC2HULTtGgevVODyhkLH3790xoRLIK3sS +IIS4hXIgPqX8l1fr7VVqcGnE3RRgZakX6dK6plc8nCtu3ou4q1IVguPO9aBgIcFy +EQ/56q/9x5m7g5e4kzAfZU840U/LzmSfNTrnPQ4JuqesTnV9N6rW5TjSS+Jz+zn4 +K2IIlvIq0Wvvn68AqbhW9b7Ru8Y3z55rQJ8VZk6ZW86JDXqbj68xzYWrZxAFgvQP +5U/7RvYS7WzLOKfrTK4rf7OxZcTXRkZQqKR5u3XiqtXAM543VKMEuvqe7gezrujd ++FNF8BbS8gyoh4CSqH1yYPGlQvSfFtTFoQ9/1w== +-----END CERTIFICATE----- From c66f6f6104bcd0054e09d149ac7cd6bb0e7a2dde Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Fri, 8 Mar 2024 16:10:44 +0100 Subject: [PATCH 03/29] Add files via upload --- v3/testdata/subject_rdn_order_ok_01.pem | 92 ++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_02.pem | 93 ++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_03.pem | 93 ++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_04.pem | 93 ++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_05.pem | 94 +++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_06.pem | 92 ++++++++++++++++++++++++ v3/testdata/subject_rdn_order_ok_07.pem | 91 ++++++++++++++++++++++++ 7 files changed, 648 insertions(+) create mode 100644 v3/testdata/subject_rdn_order_ok_01.pem create mode 100644 v3/testdata/subject_rdn_order_ok_02.pem create mode 100644 v3/testdata/subject_rdn_order_ok_03.pem create mode 100644 v3/testdata/subject_rdn_order_ok_04.pem create mode 100644 v3/testdata/subject_rdn_order_ok_05.pem create mode 100644 v3/testdata/subject_rdn_order_ok_06.pem create mode 100644 v3/testdata/subject_rdn_order_ok_07.pem diff --git a/v3/testdata/subject_rdn_order_ok_01.pem b/v3/testdata/subject_rdn_order_ok_01.pem new file mode 100644 index 000000000..2c5b9dc86 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_01.pem 
@@ -0,0 +1,92 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6076550832111709079 (0x54543ec96f9f6b97) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 09:41:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, O = Example, CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b4:a3:ea:46:45:d7:d9:9a:04:ab:00:77:7e:df: + 14:c9:ac:f3:b7:3e:da:75:a1:6b:20:d7:89:ec:55: + 9d:03:e1:27:47:bf:cc:1b:e0:01:e8:b5:d0:ad:ff: + ff:19:e1:eb:f5:ae:7f:7f:35:a4:09:98:6a:17:87: + 76:d3:36:e1:8c:25:c2:17:a7:5e:32:12:4e:c4:9a: + b7:c4:d5:cb:f8:fe:28:66:b5:e0:d6:bf:d3:b7:2e: + 55:30:5d:ec:7b:5e:ef:c0:32:0d:89:44:2b:67:8c: + 1e:bd:88:b0:50:cb:18:22:e7:42:4a:c3:82:5f:4b: + 3a:b3:47:8c:08:f1:cf:dd:d3:e4:a1:f4:68:29:76: + 30:f9:bc:43:5d:90:a0:38:cc:be:73:04:10:42:1f: + 9c:75:b1:5f:2f:af:95:4d:98:87:36:13:16:cf:18: + 3e:cd:fd:f4:1d:42:b7:10:ee:4f:11:1c:4d:74:1a: + 2f:58:9f:4e:29:35:0d:9a:af:55:0c:11:23:81:50: + ad:7f:2b:13:fc:95:af:a7:68:fe:7f:af:97:4a:85: + a5:a2:b5:a9:cf:96:63:3e:84:8b:f2:c6:61:a4:f9: + 26:13:9e:1b:5f:79:06:7b:8e:c5:f6:d5:6c:52:bb: + 3c:40:ff:03:f2:e2:ee:d8:a5:7f:d4:25:f7:52:45: + 7f:e7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 3f:a4:2a:b5:7a:99:11:c0:a0:4b:3b:b4:5f:14:38:7e:1b:ef: + 6d:c8:b9:8d:c6:74:7d:09:ce:7b:84:9c:88:47:db:e1:20:fd: + 35:d3:ac:5e:ba:ff:89:77:88:86:9e:d5:74:b4:72:28:94:35: + 01:1b:5e:b4:26:d1:e3:3c:e1:93:57:0d:09:ab:7a:14:36:3d: + 7a:5d:ed:01:4a:57:cf:2c:b9:4d:61:70:b4:f7:6c:c1:60:74: + fa:68:7a:08:0f:23:84:3a:e8:f9:1d:96:ca:7c:75:66:62:25: + e3:d5:45:f9:e1:a5:ab:a3:54:c8:4c:53:c4:4f:0e:b5:39:45: + 2c:a0:45:f5:fc:6e:49:3d:eb:f4:70:75:6a:68:e3:ed:fc:64: + 
82:56:e9:c0:be:31:1e:a8:a4:92:22:6e:c6:94:03:49:ae:21: + e9:77:52:4f:5a:de:59:9a:d9:a1:ea:bb:00:3e:0c:62:c1:8a: + 81:4d:e8:46:29:00:f6:23:83:c2:d3:df:b5:b3:cf:16:7e:d8: + 35:53:5b:8a:d2:85:a9:45:78:0c:d3:de:e8:3c:ba:8c:96:23: + 43:1e:53:35:36:de:0b:4a:29:63:0c:d9:e1:b4:52:67:01:94: + 98:75:34:5b:90:7f:6b:88:f9:9e:e4:73:08:1a:41:93:df:b4: + 39:bf:ae:d8:b4:b6:92:77:45:76:9f:98:78:14:c5:32:62:1d: + 40:2b:b1:a6:c9:63:67:94:5f:ce:08:50:9b:98:2f:d7:b6:d3: + 4f:66:1b:4f:85:dd:d9:6d:48:43:72:d5:a3:8e:13:bd:43:56: + 75:22:21:6d:dd:9a:6f:7c:13:45:ac:30:a2:6d:57:82:ef:11: + 94:a4:0c:d8:7b:f2:28:47:82:2d:5a:48:b8:a0:af:95:06:e1: + 3f:24:10:a0:cc:17:72:d1:cd:05:34:98:9d:05:98:38:74:22: + 9c:4f:72:37:a4:8e:41:c7:30:d5:ad:3f:f1:8b:a5:f3:76:05: + f3:3a:fd:fd:2d:94:01:5e:6a:61:11:1c:e8:67:63:23:69:17: + 08:44:37:96:60:b8:e0:5e:eb:de:a7:66:49:55:13:90:bd:ec: + 80:bd:ca:ac:08:ce:d7:18:e3:fc:5f:eb:73:46:7f:e4:f8:e4: + b2:bf:09:1b:36:32:89:93:ac:aa:96:e4:fb:47:69:79:b7:fa: + 21:c0:5c:9c:24:4e:ff:8e:6a:2d:24:24:e1:71:04:19:39:37: + 89:41:a3:b8:4a:2f:60:a0:e4:f8:12:87:9e:37:d6:15:5a:b2: + d0:46:75:7b:c7:07:0e:8e:40:36:b6:1f:dd:5d:5b:06:a9:f8: + 53:76:15:a0:76:3f:50:e3 +-----BEGIN CERTIFICATE----- +MIIEbDCCAlSgAwIBAgIIVFQ+yW+fa5cwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MDk0MTAwWhcNMjUwMzA4MDg1 +MDAwWjBXMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xEDAOBgNVBAoTB0V4YW1wbGUxFDASBgNVBAMTC2V4YW1wbGUub3JnMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtKPqRkXX2ZoEqwB3ft8Uyazz +tz7adaFrINeJ7FWdA+EnR7/MG+AB6LXQrf//GeHr9a5/fzWkCZhqF4d20zbhjCXC +F6deMhJOxJq3xNXL+P4oZrXg1r/Tty5VMF3se17vwDINiUQrZ4wevYiwUMsYIudC +SsOCX0s6s0eMCPHP3dPkofRoKXYw+bxDXZCgOMy+cwQQQh+cdbFfL6+VTZiHNhMW +zxg+zf30HUK3EO5PERxNdBovWJ9OKTUNmq9VDBEjgVCtfysT/JWvp2j+f6+XSoWl +orWpz5ZjPoSL8sZhpPkmE54bX3kGe47F9tVsUrs8QP8D8uLu2KV/1CX3UkV/5wID 
+AQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA +P6QqtXqZEcCgSzu0XxQ4fhvvbci5jcZ0fQnOe4SciEfb4SD9NdOsXrr/iXeIhp7V +dLRyKJQ1ARtetCbR4zzhk1cNCat6FDY9el3tAUpXzyy5TWFwtPdswWB0+mh6CA8j +hDro+R2Wynx1ZmIl49VF+eGlq6NUyExTxE8OtTlFLKBF9fxuST3r9HB1amjj7fxk +glbpwL4xHqikkiJuxpQDSa4h6XdST1reWZrZoeq7AD4MYsGKgU3oRikA9iODwtPf +tbPPFn7YNVNbitKFqUV4DNPe6Dy6jJYjQx5TNTbeC0opYwzZ4bRSZwGUmHU0W5B/ +a4j5nuRzCBpBk9+0Ob+u2LS2kndFdp+YeBTFMmIdQCuxpsljZ5RfzghQm5gv17bT +T2YbT4Xd2W1IQ3LVo44TvUNWdSIhbd2ab3wTRawwom1Xgu8RlKQM2HvyKEeCLVpI +uKCvlQbhPyQQoMwXctHNBTSYnQWYOHQinE9yN6SOQccw1a0/8Yul83YF8zr9/S2U +AV5qYREc6GdjI2kXCEQ3lmC44F7r3qdmSVUTkL3sgL3KrAjO1xjj/F/rc0Z/5Pjk +sr8JGzYyiZOsqpbk+0dpebf6IcBcnCRO/45qLSQk4XEEGTk3iUGjuEovYKDk+BKH +njfWFVqy0EZ1e8cHDo5ANrYf3V1bBqn4U3YVoHY/UOM= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_02.pem b/v3/testdata/subject_rdn_order_ok_02.pem new file mode 100644 index 000000000..3642d66df --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_02.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8707574737929004705 (0x78d78516e56c66a1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 10:20:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, postalCode = 20100, street = Via Carducci, O = Example, CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 62:89:12:5f:aa:93:da:26:e6:4e:6c:79:93:74:8d:2b:c3:3f: + 8f:7e:cc:0f:6c:8a:19:79:5b:2f:55:41:cf:28:ca:cb:78:06: + 51:ef:a5:01:8c:4d:d3:43:74:53:37:05:af:6b:26:39:81:b3: + d2:86:d0:c8:20:37:2e:ed:7b:f4:55:ba:44:22:2c:bf:3b:81: + f9:ac:bf:a8:94:15:d9:96:cd:38:32:39:82:c2:a9:69:ba:eb: + 61:a6:0a:72:b1:0b:dd:8e:8e:56:5f:71:64:12:5f:62:98:f1: + 52:88:0f:ff:b0:76:5d:5d:e2:52:74:2b:1f:62:f5:10:74:89: + 
cf:4e:0b:a9:0d:3c:20:40:9c:59:10:d8:c7:78:b9:82:22:fa: + 3b:6e:92:16:e7:07:90:3f:26:ef:d1:11:d5:04:0a:8b:8f:2c: + 9a:19:f3:03:aa:aa:93:6d:9c:97:65:b0:ff:cd:1d:44:ac:7e: + f0:ee:6a:b1:df:2f:77:f2:a4:c8:fb:ab:e6:b9:9d:30:44:74: + 06:d5:53:22:87:1e:bc:d2:cf:9f:12:53:02:88:dc:42:0c:a3: + fe:f8:55:0f:3c:a0:a7:69:58:b0:9c:a4:bb:47:24:62:da:d2: + 76:0f:eb:f3:c1:f8:4e:7f:79:e1:b8:45:6a:95:41:9b:f8:75: + 41:c3:e4:96:da:1d:a3:f4:03:8c:61:ce:95:86:d2:ce:02:79: + 2c:cf:4e:a2:17:03:7d:72:13:ed:b9:a3:85:a3:05:b5:a6:a0: + f5:7a:78:39:9b:81:9c:4d:b7:6b:ce:90:89:c5:d7:2b:28:27: + f3:fb:2a:cb:5a:42:79:b0:59:f8:c4:0a:ef:67:c3:21:83:93: + 46:fa:a8:9c:4b:a2:57:1b:3d:6a:69:99:1b:ce:c8:ad:30:75: + 35:14:29:0d:5e:ae:1d:db:16:1e:a3:7f:0c:cf:26:b5:6d:17: + a3:a8:42:d6:ff:5b:49:5a:57:57:4f:4b:cd:b7:bc:06:4d:59: + 6b:75:b3:92:d4:89:91:dd:70:93:ec:d2:06:72:61:2b:f3:23: + 1e:e8:7e:62:c1:ea:5b:94:4d:d6:24:4a:66:07:33:fb:c2:a5: + 30:b5:0a:b0:11:ce:90:39:b9:fe:c7:74:6a:13:9a:c7:09:cd: + 5d:49:af:95:c9:eb:4f:02:1c:c9:fd:1a:d6:12:9e:3d:d2:36: + 95:62:d1:1e:66:8f:85:2c:14:46:ac:a2:36:b8:a0:05:95:d1: + 98:72:d9:68:a3:25:ef:1c:31:01:7d:b6:cc:82:2b:04:98:0a: + 07:53:a8:03:bd:70:af:29:8b:2f:e0:de:16:6f:36:0e:99:aa: + 68:09:72:49:9f:61:1b:ad +-----BEGIN CERTIFICATE----- +MIIEkzCCAnugAwIBAgIIeNeFFuVsZqEwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTAyMDAwWhcNMjUwMzA4MDg1 +MDAwWjB+MQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xDjAMBgNVBBETBTIwMTAwMRUwEwYDVQQJEwxWaWEgQ2FyZHVjY2kxEDAO +BgNVBAoTB0V4YW1wbGUxFDASBgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwQqBYCHne6Psb+Tg/C9hR4hpAVibo4mYC0IX +R4eHsg4fdCIo5c+a0n8m208d6I0Z+s3m3UzA2jiT9r/o9J0fAMi/y/VPsPrDJM4v +BDv6J92MO/dECYkWGQ6VCo3rDlQ/gcDnYrDZa1qJk3gI24wYPSSBay65/w1acSS3 +Ux/CllfNSZi2ITVHa4MZLalL4heivR6rFk/UmpsB2OG/1Sd18gl4YxskXi3+Zvoy 
+lmBRnEYOC6roVyLUFjgRltD+Y1bx6H7rmXXOS9Li+XEmYjEqA1201AT7M5803qE5 +hc9I0KEW1ZXHIDi6JNnemDEBCxy+brsWDfUGQieCSVcy82cCqwIDAQABoxcwFTAT +BgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAYokSX6qT2ibm +Tmx5k3SNK8M/j37MD2yKGXlbL1VBzyjKy3gGUe+lAYxN00N0UzcFr2smOYGz0obQ +yCA3Lu179FW6RCIsvzuB+ay/qJQV2ZbNODI5gsKpabrrYaYKcrEL3Y6OVl9xZBJf +YpjxUogP/7B2XV3iUnQrH2L1EHSJz04LqQ08IECcWRDYx3i5giL6O26SFucHkD8m +79ER1QQKi48smhnzA6qqk22cl2Ww/80dRKx+8O5qsd8vd/KkyPur5rmdMER0BtVT +IocevNLPnxJTAojcQgyj/vhVDzygp2lYsJyku0ckYtrSdg/r88H4Tn954bhFapVB +m/h1QcPkltodo/QDjGHOlYbSzgJ5LM9OohcDfXIT7bmjhaMFtaag9Xp4OZuBnE23 +a86QicXXKygn8/sqy1pCebBZ+MQK72fDIYOTRvqonEuiVxs9ammZG87IrTB1NRQp +DV6uHdsWHqN/DM8mtW0Xo6hC1v9bSVpXV09Lzbe8Bk1Za3WzktSJkd1wk+zSBnJh +K/MjHuh+YsHqW5RN1iRKZgcz+8KlMLUKsBHOkDm5/sd0ahOaxwnNXUmvlcnrTwIc +yf0a1hKePdI2lWLRHmaPhSwURqyiNrigBZXRmHLZaKMl7xwxAX22zIIrBJgKB1Oo +A71wrymLL+DeFm82DpmqaAlySZ9hG60= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_03.pem b/v3/testdata/subject_rdn_order_ok_03.pem new file mode 100644 index 000000000..f685bc3b5 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_03.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3787884309683191120 (0x349144b5e8f13d50) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 10:29:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: critical + DNS:example.org + Signature Algorithm: sha256WithRSAEncryption + 14:1d:17:7b:5e:e0:bc:fd:b5:cb:c0:3c:0e:ba:c9:e4:c3:89: + d9:c1:8e:37:13:5d:dc:c3:b1:2e:b6:93:77:a6:7e:54:e4:62: + 28:ce:77:e2:c9:83:42:26:51:59:f4:31:83:db:d9:d1:0f:45: + 9a:2a:a0:23:d3:29:dc:7c:0b:58:d9:36:db:8a:e0:78:c0:23: + ee:2c:8d:f6:5a:16:44:77:70:b2:07:15:08:e4:db:8b:96:24: + 46:2d:36:46:64:8d:39:17:65:e2:cd:d1:62:a4:03:3a:b0:ba: + 96:28:fb:2e:67:13:24:26:ed:17:08:30:56:d2:a8:6e:21:25: + 26:e4:fe:44:b0:3f:08:3b:53:a6:06:36:b7:66:4f:f4:83:27: + 
35:e7:15:98:3b:0f:3a:1b:b4:28:53:4b:2c:78:0b:bb:64:a5: + bf:e4:bf:d3:4f:87:dc:86:e7:a5:ea:0d:e2:01:b9:c2:f7:95: + 72:9b:6c:2d:7d:58:3b:f5:b7:3d:b7:e0:6a:3f:07:fa:5a:9d: + 56:c0:f9:51:e0:ed:d2:94:27:e8:dd:d6:8b:b4:39:ba:0f:f8: + 99:ea:25:e5:3a:04:11:07:ca:3f:b0:49:5d:09:a3:6d:f6:d5: + 0b:f7:76:dd:1b:39:aa:13:ba:77:56:37:a8:21:cf:ba:99:da: + 55:dd:84:26:03:e5:f2:cf:32:08:3f:cf:a6:47:5d:3e:aa:66: + 80:34:8d:45:5e:cf:59:d9:f8:00:68:09:94:bd:72:ee:93:b4: + ab:6d:d3:e6:4d:b7:82:f0:84:fb:2c:3d:27:61:51:d1:2d:03: + 9e:bd:d2:f3:20:4f:08:b9:6d:ca:a3:5d:23:6d:9a:07:54:31: + cf:aa:bd:cc:05:c9:f4:be:83:5f:13:ce:a6:a9:ae:42:73:96: + c4:b5:05:ee:61:49:78:8b:65:46:2a:64:ae:8c:44:9e:3b:e5: + 2d:b4:fc:9a:79:50:cb:c1:39:3f:7b:78:3b:09:9a:aa:29:69: + 46:a4:a0:10:c5:33:39:66:0e:42:bf:f1:f3:02:3d:d8:56:d0: + e8:80:e2:f9:54:cc:74:9d:52:67:32:73:eb:cf:c8:d5:15:10: + da:78:08:cb:71:a1:73:1a:55:1c:65:30:17:d2:49:b8:ae:ac: + 33:6a:6f:81:10:63:26:1d:fe:51:ef:e7:1c:55:d9:41:cb:7f: + d1:bc:36:80:1f:fe:c1:1b:6c:e6:ba:27:b7:78:f5:29:1d:b0: + 30:57:b3:e3:9a:da:5e:17:71:8a:ef:dd:b6:52:9a:f3:1f:fb: + f3:91:2e:fb:5a:c3:a3:a3:1a:73:bc:8e:45:56:96:e6:7c:58: + 5c:e4:85:96:a8:57:e4:ea +-----BEGIN CERTIFICATE----- +MIIEMDCCAhigAwIBAgIINJFEtejxPVAwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTAyOTAwWhcNMjUwMzA4MDg1 +MDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwQqBYCHne6Ps +b+Tg/C9hR4hpAVibo4mYC0IXR4eHsg4fdCIo5c+a0n8m208d6I0Z+s3m3UzA2jiT +9r/o9J0fAMi/y/VPsPrDJM4vBDv6J92MO/dECYkWGQ6VCo3rDlQ/gcDnYrDZa1qJ +k3gI24wYPSSBay65/w1acSS3Ux/CllfNSZi2ITVHa4MZLalL4heivR6rFk/UmpsB +2OG/1Sd18gl4YxskXi3+ZvoylmBRnEYOC6roVyLUFjgRltD+Y1bx6H7rmXXOS9Li ++XEmYjEqA1201AT7M5803qE5hc9I0KEW1ZXHIDi6JNnemDEBCxy+brsWDfUGQieC +SVcy82cCqwIDAQABozIwMDATBgNVHSUEDDAKBggrBgEFBQcDATAZBgNVHREBAf8E +DzANggtleGFtcGxlLm9yZzANBgkqhkiG9w0BAQsFAAOCAgEAFB0Xe17gvP21y8A8 
+DrrJ5MOJ2cGONxNd3MOxLraTd6Z+VORiKM534smDQiZRWfQxg9vZ0Q9FmiqgI9Mp +3HwLWNk224rgeMAj7iyN9loWRHdwsgcVCOTbi5YkRi02RmSNORdl4s3RYqQDOrC6 +lij7LmcTJCbtFwgwVtKobiElJuT+RLA/CDtTpgY2t2ZP9IMnNecVmDsPOhu0KFNL +LHgLu2Slv+S/00+H3IbnpeoN4gG5wveVcptsLX1YO/W3Pbfgaj8H+lqdVsD5UeDt +0pQn6N3Wi7Q5ug/4meol5ToEEQfKP7BJXQmjbfbVC/d23Rs5qhO6d1Y3qCHPupna +Vd2EJgPl8s8yCD/PpkddPqpmgDSNRV7PWdn4AGgJlL1y7pO0q23T5k23gvCE+yw9 +J2FR0S0Dnr3S8yBPCLltyqNdI22aB1Qxz6q9zAXJ9L6DXxPOpqmuQnOWxLUF7mFJ +eItlRipkroxEnjvlLbT8mnlQy8E5P3t4OwmaqilpRqSgEMUzOWYOQr/x8wI92FbQ +6IDi+VTMdJ1SZzJz68/I1RUQ2ngIy3GhcxpVHGUwF9JJuK6sM2pvgRBjJh3+Ue/n +HFXZQct/0bw2gB/+wRts5ront3j1KR2wMFez45raXhdxiu/dtlKa8x/785Eu+1rD +o6Mac7yORVaW5nxYXOSFlqhX5Oo= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_04.pem b/v3/testdata/subject_rdn_order_ok_04.pem new file mode 100644 index 000000000..e5e80f802 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_04.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5917778588860444809 (0x52202c45d8707089) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 10:50:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: DC = org, DC = example, C = IT, ST = Milano, L = Milano, O = Example, CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 11:f4:93:85:4a:d1:7d:d4:28:5b:fa:c5:79:99:8f:e5:2c:74: + bd:13:c9:35:4d:92:2d:84:a5:aa:b1:63:83:4e:99:3b:c3:bb: + 03:51:f8:f2:9e:42:c3:7d:e1:e5:4c:da:67:cd:c9:3c:d6:68: + 0c:1e:2b:70:80:4a:81:0b:d2:b5:82:0f:6f:93:5d:48:2e:29: + d9:52:45:8d:91:29:26:b6:69:e8:0f:f7:29:4d:83:da:e9:5a: + f6:71:57:4e:b2:4a:e7:7e:b6:68:f1:56:5d:41:d8:03:94:d1: + 46:7b:b3:d8:38:42:26:80:18:ef:4c:42:30:66:2a:a2:de:fe: + e0:2e:e8:74:79:16:b1:a2:9a:bc:93:3e:5c:30:68:6e:38:83: 
+ f0:b2:51:e9:a0:ab:8b:43:d8:1f:15:98:86:fe:e0:34:69:27: + bb:65:12:26:dd:0c:56:53:86:c3:33:0d:da:b5:70:73:39:67: + 6d:55:84:2b:bb:71:5e:93:c1:29:ee:bc:37:78:39:c3:74:80: + 04:8d:ff:29:af:48:ec:a9:34:5a:d4:7b:d4:f2:cf:a4:81:13: + f7:3c:03:6c:73:cf:1b:f1:d7:cd:2e:fd:ea:9c:9e:98:63:29: + aa:90:02:91:68:28:aa:ec:4e:f7:12:05:73:b9:32:f0:17:ca: + a5:d1:68:dd:b2:8a:56:be:7b:73:57:b9:2b:7e:58:7d:3b:f4: + 74:ae:b5:88:c1:88:0d:6e:d4:23:78:4b:36:fe:21:b2:d8:7a: + 57:90:95:47:c1:a1:c5:15:65:02:50:cf:11:f1:8e:94:b7:f8: + 46:9c:2e:b2:db:78:69:e8:a8:c8:43:57:be:cb:82:f2:65:3c: + 49:f3:f9:b1:95:57:50:4c:53:ce:21:55:42:06:b4:bd:91:67: + 21:5f:c9:c8:b6:d4:f7:e8:8d:f9:67:c3:08:4b:7e:60:86:79: + 7f:d2:70:75:fa:b0:af:90:39:e3:f3:f9:69:8f:a8:9e:3f:16: + af:e7:46:fd:07:fe:77:13:7a:41:8e:f4:a9:60:45:ba:c0:4a: + 51:ce:bf:fe:e4:e6:04:01:b1:e1:d0:60:3a:4c:f0:bf:d5:9f: + b4:6d:e8:06:9a:21:01:8e:ae:d3:bf:d8:29:1b:ec:5f:d3:5d: + 4e:22:37:6a:05:c9:30:8b:41:58:38:64:21:f0:a0:77:28:66: + 95:32:1f:f6:5b:42:48:84:4d:a6:d6:bf:81:d0:5c:3c:89:40: + 75:74:f6:fb:de:16:7c:9b:d6:7a:76:3a:37:c1:04:68:e9:7d: + 14:c5:8f:6c:6c:70:d5:c3:c6:d1:08:cc:6d:a1:5f:8b:d2:16: + 3a:58:53:2e:3f:9c:f1:cc +-----BEGIN CERTIFICATE----- +MIIEmzCCAoOgAwIBAgIIUiAsRdhwcIkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTA1MDAwWhcNMjUwMzA4MDg1 +MDAwWjCBhTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2V4 +YW1wbGUxCzAJBgNVBAYTAklUMQ8wDQYDVQQIEwZNaWxhbm8xDzANBgNVBAcTBk1p +bGFubzEQMA4GA1UEChMHRXhhbXBsZTEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBCoFgIed7o+xv5OD8L2FHiGkB +WJujiZgLQhdHh4eyDh90Iijlz5rSfybbTx3ojRn6zebdTMDaOJP2v+j0nR8AyL/L +9U+w+sMkzi8EO/on3Yw790QJiRYZDpUKjesOVD+BwOdisNlrWomTeAjbjBg9JIFr +Lrn/DVpxJLdTH8KWV81JmLYhNUdrgxktqUviF6K9HqsWT9SamwHY4b/VJ3XyCXhj +GyReLf5m+jKWYFGcRg4LquhXItQWOBGW0P5jVvHofuuZdc5L0uL5cSZiMSoDXbTU 
+BPsznzTeoTmFz0jQoRbVlccgOLok2d6YMQELHL5uuxYN9QZCJ4JJVzLzZwKrAgMB +AAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQAR +9JOFStF91Chb+sV5mY/lLHS9E8k1TZIthKWqsWODTpk7w7sDUfjynkLDfeHlTNpn +zck81mgMHitwgEqBC9K1gg9vk11ILinZUkWNkSkmtmnoD/cpTYPa6Vr2cVdOskrn +frZo8VZdQdgDlNFGe7PYOEImgBjvTEIwZiqi3v7gLuh0eRaxopq8kz5cMGhuOIPw +slHpoKuLQ9gfFZiG/uA0aSe7ZRIm3QxWU4bDMw3atXBzOWdtVYQru3Fek8Ep7rw3 +eDnDdIAEjf8pr0jsqTRa1HvU8s+kgRP3PANsc88b8dfNLv3qnJ6YYymqkAKRaCiq +7E73EgVzuTLwF8ql0WjdsopWvntzV7krflh9O/R0rrWIwYgNbtQjeEs2/iGy2HpX +kJVHwaHFFWUCUM8R8Y6Ut/hGnC6y23hp6KjIQ1e+y4LyZTxJ8/mxlVdQTFPOIVVC +BrS9kWchX8nIttT36I35Z8MIS35ghnl/0nB1+rCvkDnj8/lpj6iePxav50b9B/53 +E3pBjvSpYEW6wEpRzr/+5OYEAbHh0GA6TPC/1Z+0begGmiEBjq7Tv9gpG+xf011O +IjdqBckwi0FYOGQh8KB3KGaVMh/2W0JIhE2m1r+B0Fw8iUB1dPb73hZ8m9Z6djo3 +wQRo6X0UxY9sbHDVw8bRCMxtoV+L0hY6WFMuP5zxzA== +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_05.pem b/v3/testdata/subject_rdn_order_ok_05.pem new file mode 100644 index 000000000..d335363e9 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_05.pem 
@@ -0,0 +1,94 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3973831062308419373 (0x3725e24c024e772d) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 11:11:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, street = Via Carducci, O = Example, CN = example.org, serialNumber = 1234567890, businessCategory = Private Organization, jurisdictionC = IT + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 33:90:f2:a3:3f:3a:7b:cf:f6:ce:c9:1c:05:40:58:90:07:a5: + 13:15:f1:5c:cb:35:22:95:be:a0:29:fe:cb:7a:29:eb:d5:91: + 95:94:f4:73:cd:2e:fb:92:ec:a4:6e:b9:3d:d1:a9:1a:9b:d9: + 1d:cb:68:1b:a9:36:03:4a:62:d3:1b:cd:a1:2a:8f:ca:1e:8b: + 27:e0:22:d8:a6:02:cb:fd:e5:91:ff:30:0f:98:a7:33:b6:b5: + c4:75:7e:87:63:20:86:57:8f:7e:10:48:fe:76:0e:d0:6c:6d: + 
d9:e5:a7:d8:31:c8:cc:c6:3b:40:4e:56:dc:fc:40:2d:4a:7c: + 46:b3:67:c3:a9:6c:e4:23:d1:12:48:96:37:39:a8:7d:50:b4: + 07:57:ff:50:74:d9:82:84:1a:ff:b0:c6:11:0d:da:65:4b:27: + 50:64:a6:d6:48:66:52:d4:49:f1:44:08:2b:6b:96:76:b4:94: + eb:0e:b3:29:57:77:e2:69:08:66:81:31:d3:c5:69:c9:ae:cb: + 9e:08:99:55:7d:fc:20:51:a5:4a:95:24:5a:66:2a:70:6a:ee: + f2:cb:ad:04:fd:54:71:a7:68:a4:55:ee:1b:db:7e:44:03:99: + 74:72:bb:15:84:d0:f5:e1:84:8d:df:7d:d0:fb:92:b1:22:5d: + d1:8f:b6:fd:c3:aa:ab:c0:87:c4:71:af:17:63:5e:f3:21:8c: + 89:94:b9:e0:52:5c:5c:69:67:b3:10:fd:12:8b:a3:a2:fa:ec: + e7:b9:85:a9:b7:a6:06:5e:d4:23:52:c9:87:92:41:4e:a5:eb: + ea:71:9a:b5:ef:54:0d:46:04:f9:18:5a:4b:25:9a:74:a5:9b: + 73:08:f4:d6:55:1f:12:07:67:ff:26:26:e4:ea:30:7b:34:6e: + 39:a1:57:71:fc:91:fd:ea:2c:f5:c8:bf:ee:db:d9:12:2c:24: + bf:c1:09:f5:0e:ca:d3:86:e5:da:d5:58:42:dc:5a:b5:6f:c7: + 6e:45:6c:97:15:18:fc:5d:f6:58:20:e4:60:08:50:45:75:3a: + 94:d0:ba:d7:aa:5f:30:02:6d:6a:85:56:06:3b:1e:75:6f:91: + 5b:5c:e0:07:a5:9c:56:32:b7:81:e8:c5:9a:55:20:47:64:e8: + 68:b9:76:c4:e3:e1:db:80:b6:ee:e7:35:2d:d2:38:bb:52:ac: + 32:99:90:9b:d4:33:27:51:dc:f1:26:bc:90:95:82:c3:ab:28: + 92:a2:6b:e3:f7:1b:f4:5e:9b:3d:98:61:e0:c3:69:2a:26:af: + 89:88:dc:ad:86:12:18:93:04:6c:83:7f:af:7b:5c:f3:87:7a: + e0:5a:c5:2e:70:f1:9d:27 +-----BEGIN CERTIFICATE----- +MIIEzTCCArWgAwIBAgIINyXiTAJOdy0wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTExMTAwWhcNMjUwMzA4MDg1 +MDAwWjCBtzELMAkGA1UEBhMCSVQxDzANBgNVBAgTBk1pbGFubzEPMA0GA1UEBxMG +TWlsYW5vMRUwEwYDVQQJEwxWaWEgQ2FyZHVjY2kxEDAOBgNVBAoTB0V4YW1wbGUx +FDASBgNVBAMTC2V4YW1wbGUub3JnMRMwEQYDVQQFEwoxMjM0NTY3ODkwMR0wGwYD +VQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGCysGAQQBgjc8AgEDEwJJVDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEKgWAh53uj7G/k4PwvYUeI +aQFYm6OJmAtCF0eHh7IOH3QiKOXPmtJ/JttPHeiNGfrN5t1MwNo4k/a/6PSdHwDI 
+v8v1T7D6wyTOLwQ7+ifdjDv3RAmJFhkOlQqN6w5UP4HA52Kw2WtaiZN4CNuMGD0k +gWsuuf8NWnEkt1MfwpZXzUmYtiE1R2uDGS2pS+IXor0eqxZP1JqbAdjhv9UndfIJ +eGMbJF4t/mb6MpZgUZxGDguq6Fci1BY4EZbQ/mNW8eh+65l1zkvS4vlxJmIxKgNd +tNQE+zOfNN6hOYXPSNChFtWVxyA4uiTZ3pgxAQscvm67Fg31BkIngklXMvNnAqsC +AwEAAaMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIB +ADOQ8qM/OnvP9s7JHAVAWJAHpRMV8VzLNSKVvqAp/st6KevVkZWU9HPNLvuS7KRu +uT3RqRqb2R3LaBupNgNKYtMbzaEqj8oeiyfgItimAsv95ZH/MA+YpzO2tcR1fodj +IIZXj34QSP52DtBsbdnlp9gxyMzGO0BOVtz8QC1KfEazZ8OpbOQj0RJIljc5qH1Q +tAdX/1B02YKEGv+wxhEN2mVLJ1BkptZIZlLUSfFECCtrlna0lOsOsylXd+JpCGaB +MdPFacmuy54ImVV9/CBRpUqVJFpmKnBq7vLLrQT9VHGnaKRV7hvbfkQDmXRyuxWE +0PXhhI3ffdD7krEiXdGPtv3DqqvAh8RxrxdjXvMhjImUueBSXFxpZ7MQ/RKLo6L6 +7Oe5ham3pgZe1CNSyYeSQU6l6+pxmrXvVA1GBPkYWkslmnSlm3MI9NZVHxIHZ/8m +JuTqMHs0bjmhV3H8kf3qLPXIv+7b2RIsJL/BCfUOytOG5drVWELcWrVvx25FbJcV +GPxd9lgg5GAIUEV1OpTQuteqXzACbWqFVgY7HnVvkVtc4AelnFYyt4HoxZpVIEdk +6Gi5dsTj4duAtu7nNS3SOLtSrDKZkJvUMydR3PEmvJCVgsOrKJKia+P3G/Remz2Y +YeDDaSomr4mI3K2GEhiTBGyDf697XPOHeuBaxS5w8Z0n +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_06.pem b/v3/testdata/subject_rdn_order_ok_06.pem new file mode 100644 index 000000000..471cc77a4 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_06.pem 
@@ -0,0 +1,92 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3991351525678630817 (0x37642110c5c9c7a1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 13:34:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = IT, ST = Milano, L = Milano, SN = Flash, GN = Gordon, CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + a7:1d:bd:b0:9e:f1:16:d7:ec:76:90:d4:97:37:dd:d4:64:f7: + 4f:fe:2e:31:83:a9:9f:3f:d3:d6:49:f6:d3:0a:89:06:8e:dc: + 25:4c:3c:c9:0b:04:69:b3:f3:1c:2a:38:28:71:89:7d:5a:04: + b4:c9:1e:e7:03:45:7c:ed:04:f1:1e:0f:95:f4:fa:e8:04:0c: + 25:1b:05:34:85:ab:e8:b2:7e:aa:9b:1a:45:ae:d4:24:d6:ae: + 77:ab:11:9c:2c:fd:a7:63:3f:30:52:85:ae:3d:7c:b6:9b:e6: + d3:b0:b2:6c:d7:4d:1d:89:b5:9b:b3:c3:2d:1c:24:38:ca:4c: + f4:fb:70:bf:86:bb:a2:e6:85:0e:4e:70:90:62:dc:6d:86:83: + 
b9:43:5d:6a:bb:79:88:8a:cb:ac:dc:28:91:5b:6e:d3:06:81: + a5:d0:36:52:d7:49:b4:3c:f5:d2:8d:ac:1a:9d:80:e7:1e:42: + 13:ce:2d:ef:ea:ed:6e:8a:28:e7:5e:a2:57:22:a7:a5:21:67: + 42:43:47:9e:a0:a8:50:e9:0f:f5:32:37:a0:2f:42:66:c8:6b: + 0a:d8:ac:18:19:67:7e:e5:45:9a:1d:f5:5b:4a:91:2d:07:d0: + af:fc:3e:35:91:f4:e8:41:b4:ec:5b:7f:41:1c:f7:04:6e:78: + 8f:bc:79:47:c5:59:a7:98:35:c3:19:3a:06:f0:53:0f:e1:e7: + 2b:28:40:ac:c0:09:2f:42:43:0c:56:23:09:62:06:e9:c2:0f: + 27:6b:90:09:8a:fe:6a:ed:c3:cb:ba:4c:be:0c:af:a4:30:5c: + 60:90:ba:41:fa:8b:fc:39:ad:95:2f:81:8b:e9:ba:d8:db:1f: + e9:95:47:a5:90:d7:2a:b9:48:e3:e9:16:59:2a:ae:7e:0c:e6: + ff:0c:f3:e5:91:15:b3:97:fc:46:93:ec:a1:e3:93:5f:e5:4c: + 3a:ed:8b:a6:f1:f3:b6:c9:af:41:fa:23:2d:e6:1c:96:a0:48: + 86:1a:9d:99:e4:68:0b:3b:33:94:3d:98:c1:1f:c8:48:81:32: + 6a:7c:c6:51:06:a0:72:bd:8a:00:13:0a:c6:17:46:e4:3c:44: + 42:d8:ee:c2:03:34:cf:3e:21:13:c9:4f:ab:27:de:1c:bb:d3: + 44:a3:d9:fc:8c:ea:62:20:ee:d3:7f:2c:1f:1b:40:6e:d2:af: + fb:81:af:52:39:34:41:e3:99:ce:f5:04:c2:a5:97:eb:16:18: + c6:fd:46:46:97:6a:26:1b:7a:18:27:47:f2:3a:b1:bd:f1:21: + 67:a6:98:e5:6f:b9:d6:c1:11:cb:ce:ee:43:32:f3:31:b3:35: + d3:c8:1d:4a:97:d0:e7:16 +-----BEGIN CERTIFICATE----- +MIIEezCCAmOgAwIBAgIIN2QhEMXJx6EwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTMzNDAwWhcNMjUwMzA4MDg1 +MDAwWjBmMQswCQYDVQQGEwJJVDEPMA0GA1UECBMGTWlsYW5vMQ8wDQYDVQQHEwZN +aWxhbm8xDjAMBgNVBAQTBUZsYXNoMQ8wDQYDVQQqEwZHb3Jkb24xFDASBgNVBAMT +C2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwQqB +YCHne6Psb+Tg/C9hR4hpAVibo4mYC0IXR4eHsg4fdCIo5c+a0n8m208d6I0Z+s3m +3UzA2jiT9r/o9J0fAMi/y/VPsPrDJM4vBDv6J92MO/dECYkWGQ6VCo3rDlQ/gcDn +YrDZa1qJk3gI24wYPSSBay65/w1acSS3Ux/CllfNSZi2ITVHa4MZLalL4heivR6r +Fk/UmpsB2OG/1Sd18gl4YxskXi3+ZvoylmBRnEYOC6roVyLUFjgRltD+Y1bx6H7r +mXXOS9Li+XEmYjEqA1201AT7M5803qE5hc9I0KEW1ZXHIDi6JNnemDEBCxy+brsW 
+DfUGQieCSVcy82cCqwIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkq +hkiG9w0BAQsFAAOCAgEApx29sJ7xFtfsdpDUlzfd1GT3T/4uMYOpnz/T1kn20wqJ +Bo7cJUw8yQsEabPzHCo4KHGJfVoEtMke5wNFfO0E8R4PlfT66AQMJRsFNIWr6LJ+ +qpsaRa7UJNaud6sRnCz9p2M/MFKFrj18tpvm07CybNdNHYm1m7PDLRwkOMpM9Ptw +v4a7ouaFDk5wkGLcbYaDuUNdart5iIrLrNwokVtu0waBpdA2UtdJtDz10o2sGp2A +5x5CE84t7+rtbooo516iVyKnpSFnQkNHnqCoUOkP9TI3oC9CZshrCtisGBlnfuVF +mh31W0qRLQfQr/w+NZH06EG07Ft/QRz3BG54j7x5R8VZp5g1wxk6BvBTD+HnKyhA +rMAJL0JDDFYjCWIG6cIPJ2uQCYr+au3Dy7pMvgyvpDBcYJC6QfqL/DmtlS+Bi+m6 +2Nsf6ZVHpZDXKrlI4+kWWSqufgzm/wzz5ZEVs5f8RpPsoeOTX+VMOu2LpvHztsmv +QfojLeYclqBIhhqdmeRoCzszlD2YwR/ISIEyanzGUQagcr2KABMKxhdG5DxEQtju +wgM0zz4hE8lPqyfeHLvTRKPZ/IzqYiDu038sHxtAbtKv+4GvUjk0QeOZzvUEwqWX +6xYYxv1GRpdqJht6GCdH8jqxvfEhZ6aY5W+51sERy87uQzLzMbM108gdSpfQ5xY= +-----END CERTIFICATE----- diff --git a/v3/testdata/subject_rdn_order_ok_07.pem b/v3/testdata/subject_rdn_order_ok_07.pem new file mode 100644 index 000000000..3ae297ff5 --- /dev/null +++ b/v3/testdata/subject_rdn_order_ok_07.pem 
@@ -0,0 +1,91 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2032570151512653799 (0x1c3523c8a5f93fe7) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 8 13:44:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c1:0a:81:60:21:e7:7b:a3:ec:6f:e4:e0:fc:2f: + 61:47:88:69:01:58:9b:a3:89:98:0b:42:17:47:87: + 87:b2:0e:1f:74:22:28:e5:cf:9a:d2:7f:26:db:4f: + 1d:e8:8d:19:fa:cd:e6:dd:4c:c0:da:38:93:f6:bf: + e8:f4:9d:1f:00:c8:bf:cb:f5:4f:b0:fa:c3:24:ce: + 2f:04:3b:fa:27:dd:8c:3b:f7:44:09:89:16:19:0e: + 95:0a:8d:eb:0e:54:3f:81:c0:e7:62:b0:d9:6b:5a: + 89:93:78:08:db:8c:18:3d:24:81:6b:2e:b9:ff:0d: + 5a:71:24:b7:53:1f:c2:96:57:cd:49:98:b6:21:35: + 47:6b:83:19:2d:a9:4b:e2:17:a2:bd:1e:ab:16:4f: + d4:9a:9b:01:d8:e1:bf:d5:27:75:f2:09:78:63:1b: + 24:5e:2d:fe:66:fa:32:96:60:51:9c:46:0e:0b:aa: + e8:57:22:d4:16:38:11:96:d0:fe:63:56:f1:e8:7e: + eb:99:75:ce:4b:d2:e2:f9:71:26:62:31:2a:03:5d: + b4:d4:04:fb:33:9f:34:de:a1:39:85:cf:48:d0:a1: + 16:d5:95:c7:20:38:ba:24:d9:de:98:31:01:0b:1c: + be:6e:bb:16:0d:f5:06:42:27:82:49:57:32:f3:67: + 02:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + a1:49:74:57:6e:4d:64:95:5e:9e:a5:03:98:2a:87:e2:2d:3f: + b5:c2:67:8d:d6:13:d2:ba:0f:c5:e0:8c:6b:fe:1a:66:49:7d: + f3:c7:6c:ef:68:91:d7:0e:7b:a0:71:dd:9e:33:36:8a:04:09: + c9:ce:ab:fb:c3:f2:39:82:e3:f3:44:17:b0:31:a4:8a:27:73: + 60:31:9f:de:7a:6a:8a:da:44:9e:70:e1:37:37:12:55:99:37: + 10:81:79:06:d0:7e:02:0d:8b:0d:8f:eb:1d:e3:08:9c:04:70: + 1b:31:f0:53:a6:08:3f:6c:20:8d:0b:51:eb:f4:96:7c:96:e6: + 54:34:86:bf:7e:75:c8:09:e7:ff:78:7c:35:69:ac:f1:0b:33: + 53:2c:3a:a1:66:05:35:61:81:82:4f:c8:2d:7d:a8:0e:04:76: + 
49:20:c7:1e:85:c8:2d:c4:45:ae:0b:d2:d1:54:b2:3e:48:1c: + e7:b5:fb:34:ae:dd:1e:4f:83:30:0a:18:82:47:2b:2c:ce:44: + 79:27:fc:a6:e9:08:a7:74:5c:c0:e2:9f:c4:2d:df:e8:9d:fb: + e5:33:b2:06:26:9f:60:b6:eb:05:d0:21:de:e9:02:9a:79:5b: + 3e:29:db:f7:b5:73:89:d1:f6:d7:39:a4:45:0a:82:e9:c1:06: + 4d:2b:6d:fe:16:b3:4d:11:7e:12:2e:19:89:9e:05:1d:d5:ae: + 7b:17:3a:75:c7:3e:17:33:d4:35:23:63:20:bd:ea:6e:57:52: + ba:d7:55:45:67:0b:b5:55:82:d1:f2:4f:20:21:b7:8a:49:7b: + 43:37:a7:5c:7c:1f:67:83:15:bf:ff:22:c8:da:06:8d:fb:11: + 06:7b:7c:b8:9b:2f:bf:0e:91:a7:c8:7e:e8:a9:68:6c:09:b5: + f0:b9:86:ce:12:12:3d:ef:9f:45:1e:e0:b8:eb:23:d9:39:b3: + 7d:99:e9:92:3e:83:84:88:2d:ae:81:71:ff:af:20:a5:fd:ad: + d3:00:40:64:fb:58:77:80:7a:07:7b:29:20:bc:9f:51:29:ad: + 72:72:8a:03:03:dd:c5:51:ec:f9:8f:a7:9e:2e:ad:3e:e9:b2: + 24:c7:af:46:81:01:0d:7a:f2:41:1b:b3:4d:97:52:ca:c0:e9: + ed:74:c1:e3:27:d5:e3:48:55:1e:95:2a:25:b8:f8:c8:ba:8d: + 90:0a:6d:d1:ec:37:9e:63:04:d2:ae:33:aa:29:42:07:e7:37: + be:24:be:be:65:30:cd:c2:e3:a0:b4:d5:bb:81:e1:03:7a:fd: + 91:96:2b:69:e9:e9:57:64:e1:52:19:fd:7c:8c:a7:a6:08:d8: + 6c:da:c3:8c:1d:0e:3e:35 +-----BEGIN CERTIFICATE----- +MIIEKzCCAhOgAwIBAgIIHDUjyKX5P+cwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzA4MTM0NDAwWhcNMjUwMzA4MDg1 +MDAwWjAWMRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMEKgWAh53uj7G/k4PwvYUeIaQFYm6OJmAtCF0eHh7IOH3Qi +KOXPmtJ/JttPHeiNGfrN5t1MwNo4k/a/6PSdHwDIv8v1T7D6wyTOLwQ7+ifdjDv3 +RAmJFhkOlQqN6w5UP4HA52Kw2WtaiZN4CNuMGD0kgWsuuf8NWnEkt1MfwpZXzUmY +tiE1R2uDGS2pS+IXor0eqxZP1JqbAdjhv9UndfIJeGMbJF4t/mb6MpZgUZxGDguq +6Fci1BY4EZbQ/mNW8eh+65l1zkvS4vlxJmIxKgNdtNQE+zOfNN6hOYXPSNChFtWV +xyA4uiTZ3pgxAQscvm67Fg31BkIngklXMvNnAqsCAwEAAaMXMBUwEwYDVR0lBAww +CgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBAKFJdFduTWSVXp6lA5gqh+It +P7XCZ43WE9K6D8XgjGv+GmZJffPHbO9okdcOe6Bx3Z4zNooECcnOq/vD8jmC4/NE 
+F7AxpIonc2Axn956aoraRJ5w4Tc3ElWZNxCBeQbQfgINiw2P6x3jCJwEcBsx8FOm +CD9sII0LUev0lnyW5lQ0hr9+dcgJ5/94fDVprPELM1MsOqFmBTVhgYJPyC19qA4E +dkkgxx6FyC3ERa4L0tFUsj5IHOe1+zSu3R5PgzAKGIJHKyzORHkn/KbpCKd0XMDi +n8Qt3+id++UzsgYmn2C26wXQId7pApp5Wz4p2/e1c4nR9tc5pEUKgunBBk0rbf4W +s00RfhIuGYmeBR3VrnsXOnXHPhcz1DUjYyC96m5XUrrXVUVnC7VVgtHyTyAht4pJ +e0M3p1x8H2eDFb//IsjaBo37EQZ7fLibL78OkafIfuipaGwJtfC5hs4SEj3vn0Ue +4LjrI9k5s32Z6ZI+g4SILa6Bcf+vIKX9rdMAQGT7WHeAegd7KSC8n1EprXJyigMD +3cVR7PmPp54urT7psiTHr0aBAQ168kEbs02XUsrA6e10weMn1eNIVR6VKiW4+Mi6 +jZAKbdHsN55jBNKuM6opQgfnN74kvr5lMM3C46C01buB4QN6/ZGWK2np6Vdk4VIZ +/XyMp6YI2Gzaw4wdDj41 +-----END CERTIFICATE----- From 3bd2334ede002f24b01ab7041274c3b99ec4cee2 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Fri, 8 Mar 2024 16:11:45 +0100 Subject: [PATCH 04/29] Add files via upload --- .../cabf_br/lint_invalid_subject_rdn_order.go | 144 +++++++++++++++ .../lint_invalid_subject_rdn_order_test.go | 173 ++++++++++++++++++ 2 files changed, 317 insertions(+) create mode 100644 v3/lints/cabf_br/lint_invalid_subject_rdn_order.go create mode 100644 v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go new file mode 100644 index 000000000..02bbef1d6 --- /dev/null +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go 
@@ -0,0 +1,144 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "crypto/x509/pkix"
+ "encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_invalid_subject_rdn_order",
+ Description: "Subject field attributes (RDNs) SHALL be encoded in a specific order",
+ Citation: "BRs: 7.1.4.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewInvalidSubjectRDNOrder,
+ })
+}
+
+type invalidSubjectRDNOrder struct{}
+
+func NewInvalidSubjectRDNOrder() lint.LintInterface {
+ return &invalidSubjectRDNOrder{}
+}
+
+func (l *invalidSubjectRDNOrder) CheckApplies(c *x509.Certificate) bool {
+ return !util.IsCACert(c)
+}
+
+func getShortOIDName(oid string) string {
+ switch oid {
+ case "2.5.4.3":
+ return "CN"
+ case "2.5.4.4":
+ return "SN"
+ case "2.5.4.6":
+ return "C"
+ case "2.5.4.7":
+ return "L"
+ case "2.5.4.8":
+ return "ST"
+ case "2.5.4.9":
+ return "street"
+ case "2.5.4.10":
+ return "O"
+ case "2.5.4.11":
+ return "OU"
+ case "2.5.4.17":
+ return "postalCode"
+ case "2.5.4.42":
+ return "givenName"
+ case "0.9.2342.19200300.100.1.25":
+ return "DC"
+ default:
+ return ""
+ }
+}
+
+func findElement(arr []string, target string) (int, bool) {
+ for i, value := range arr {
+ if value == target {
+ return i, true
+ }
+ }
+ return -1, false
+}
+
+func checkOrder(actualOrder []string, expectedOrder []string) bool {
+ var prevPosition int
+ prevPosition = 0
+
+ for _, targetElement := range actualOrder {
+ position, found := findElement(expectedOrder, targetElement)
+ if found {
+ if position < prevPosition {
+ return false
+ }
+ prevPosition = position
+ }
+ }
+ return true
+}
+
+func checkSubjectRDNOrder(cert *x509.Certificate) bool {
+
+ rawSubject := cert.RawSubject
+
+ var rdnSequence pkix.RDNSequence
+ _, err := asn1.Unmarshal(rawSubject, &rdnSequence)
+ if err != nil {
+ return false
+ }
+
+ var rdnOrder []string
+
+ for _, rdn := range rdnSequence {
+ for _, atv := range rdn {
+ rdnShortName := getShortOIDName(atv.Type.String())
+ if rdnShortName != "" {
+ rdnOrder = append(rdnOrder, rdnShortName)
+ }
+ }
+ }
+
+ // Expected order of RDNs as per CABF BR section 7.1.4.2
+ expectedRDNOrder := []string{"DC", "C", "ST", "L", "postalCode", "street", "O", "SN", "givenName", "OU", "CN"}
+
+ return checkOrder(rdnOrder, expectedRDNOrder)
+}
+
+func (l *invalidSubjectRDNOrder) Execute(c *x509.Certificate) *lint.LintResult {
+
+ var out lint.LintResult
+
+ if checkSubjectRDNOrder(c) {
+ out.Status = lint.Pass
+ } else {
+ out.Status = lint.Error
+ }
+ return &out
+}
diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go
new file mode 100644
index 000000000..e945ccb0c
--- /dev/null
+++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go
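Review bot: `checkSubjectRDNOrder` returns `false` when `asn1.Unmarshal` of `cert.RawSubject` fails, so `Execute` reports `lint.Error`, an ordering violation, for a subject that could not be decoded at all, and neither failure path fills `Details`. A linter is run on malformed certificates by design, so I would keep the two outcomes apart: have the helper return an error, map it to `lint.Fatal`, and put a short reason in `Details` on both paths. The inner loop also flattens every attribute of a multi-valued RDN into the sequence, where the order is fixed by DER SET sorting rather than chosen by the issuer; a comment should state whether that is intended. The helpers have no doc comments; `getShortOIDName` should say that OIDs outside the 7.1.4.2 table return "" and are skipped by the check.

```go
func checkSubjectRDNOrder(cert *x509.Certificate) (bool, error) {
	var rdnSequence pkix.RDNSequence
	if _, err := asn1.Unmarshal(cert.RawSubject, &rdnSequence); err != nil {
		return false, err
	}
	// … unchanged: collect the short names into rdnOrder …
	return checkOrder(rdnOrder, expectedRDNOrder), nil
}

func (l *invalidSubjectRDNOrder) Execute(c *x509.Certificate) *lint.LintResult {
	ordered, err := checkSubjectRDNOrder(c)
	switch {
	case err != nil:
		// The subject did not decode; this is not an ordering finding.
		return &lint.LintResult{Status: lint.Fatal, Details: "cannot decode subject: " + err.Error()}
	case !ordered:
		return &lint.LintResult{Status: lint.Error, Details: "subject attributes are not in the relative order required by BRs 7.1.4.2"}
	default:
		return &lint.LintResult{Status: lint.Pass}
	}
}
```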
@@ -0,0 +1,173 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+/*
+ === Proper RDN order test cases
+ subject_rdn_order_ok_01.pem C, ST, L, O, CN
+ subject_rdn_order_ok_02.pem C, ST, L, postalCode, street, O, CN
+ subject_rdn_order_ok_03.pem
+ subject_rdn_order_ok_04.pem DC, DC, C, ST, L, O, CN
+ subject_rdn_order_ok_05.pem C, ST, L, street, O, CN, serialNumber, businessCategory, jurisdictionCountry
+ subject_rdn_order_ok_06.pem C, ST, L, SN, givenName, CN
+ subject_rdn_order_ok_07.pem CN
+
+ === Wrong RDN order test cases
+ subject_rdn_order_ko_01.pem C, ST, L, CN, O
+ subject_rdn_order_ko_02.pem CN, O, L, ST, C
+ subject_rdn_order_ko_03.pem C, ST, L, O, CN, street
+ subject_rdn_order_ko_04.pem C, ST, L, O, CN, DC, DC
+ subject_rdn_order_ko_05.pem C, ST, L, givenName, SN, CN
+ subject_rdn_order_ko_06.pem C, ST, L, street, postalCode, O
+ subject_rdn_order_ko_07.pem CN, C
+*/
+
+func TestInvalidSubjectRDNOrder_OK_01(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_01.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_02(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_02.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_03(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_03.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_04(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_04.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_05(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_05.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_06(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_06.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_OK_07(t *testing.T) {
+ inputPath := "subject_rdn_order_ok_07.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_01(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_01.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_02(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_02.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_03(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_03.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_04(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_04.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_05(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_05.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_06(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_06.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestInvalidSubjectRDNOrder_KO_07(t *testing.T) {
+ inputPath := "subject_rdn_order_ko_07.pem"
+ expected := lint.Error
+ out := test.TestLint("e_invalid_subject_rdn_order", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
From 95e89c8808fb6789bdecece885ecc8db38c06cd1 Mon Sep 17 00:00:00 2001
From: Adriano Santoni Date: Sat, 9 Mar 2024 07:24:24 +0100 Subject: [PATCH 05/29] Update lint_invalid_subject_rdn_order_test.go Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment --- v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go index e945ccb0c..20613a72b 100644 --- a/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go @@ -26,6 +26,7 @@ import ( "github.com/zmap/zlint/v3/test" ) +//nolint:all /* === Proper RDN order test cases subject_rdn_order_ok_01.pem C, ST, L, O, CN From 7230486e1fbbc7cbfceb4fe79a6688f8bfe54427 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sat, 9 Mar 2024 07:32:41 +0100 Subject: [PATCH 06/29] Update lint_invalid_subject_rdn_order.go Fixed import block --- v3/lints/cabf_br/lint_invalid_subject_rdn_order.go | 1 + 1 file changed, 1 insertion(+) diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go index 02bbef1d6..89f453090 100644 --- a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go @@ -22,6 +22,7 @@ package cabf_br import ( "crypto/x509/pkix" "encoding/asn1" + "github.com/zmap/zcrypto/x509" "github.com/zmap/zlint/v3/lint" "github.com/zmap/zlint/v3/util" From 36682ed27fdadfc8722dd97dcdce638058b3cf67 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sun, 10 Mar 2024 08:05:38 +0100 Subject: [PATCH 07/29] Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go Fine to me. Co-authored-by: Christopher Henderson --- v3/lints/cabf_br/lint_invalid_subject_rdn_order.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
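Review bot: The `//nolint:all` line added above the test-case comment in lint_invalid_subject_rdn_order_test.go switches off every linter, not only the duplicate-word check the commit message names, and a standalone directive is likely to attach to the declaration that follows the comment rather than to the comment itself. I would narrow it to the one linter and say why, e.g. `//nolint:dupword // attribute lists below repeat "DC" on purpose`. The comment block continues outside the hunk.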
diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go index 89f453090..7fec7bf7a 100644 --- a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go @@ -48,7 +48,7 @@ func NewInvalidSubjectRDNOrder() lint.LintInterface { } func (l *invalidSubjectRDNOrder) CheckApplies(c *x509.Certificate) bool { - return !util.IsCACert(c) + return util.IsSubscriberCert(c) } func getShortOIDName(oid string) string { From fc81eceea08c9cb2620139fb7a537ce3fff652d1 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sun, 10 Mar 2024 08:17:25 +0100 Subject: [PATCH 08/29] Update lint_invalid_subject_rdn_order.go As per Chris Henderson's suggestion, to "improve readability". --- .../cabf_br/lint_invalid_subject_rdn_order.go | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go index 7fec7bf7a..b4710e205 100644 --- a/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go @@ -53,28 +53,28 @@ func (l *invalidSubjectRDNOrder) CheckApplies(c *x509.Certificate) bool { func getShortOIDName(oid string) string { switch oid { - case "2.5.4.3": - return "CN" - case "2.5.4.4": - return "SN" + case "0.9.2342.19200300.100.1.25": + return "DC" case "2.5.4.6": return "C" - case "2.5.4.7": - return "L" case "2.5.4.8": return "ST" + case "2.5.4.7": + return "L" + case "2.5.4.17": + return "postalCode" case "2.5.4.9": return "street" case "2.5.4.10": return "O" - case "2.5.4.11": - return "OU" - case "2.5.4.17": - return "postalCode" + case "2.5.4.4": + return "SN" case "2.5.4.42": return "givenName" - case "0.9.2342.19200300.100.1.25": - return "DC" + case "2.5.4.11": + return "OU" + case "2.5.4.3": + return "CN" default: return "" } From 9e54f087e13d06035117b33d5368f8c82ca16033 Mon Sep 17 00:00:00 2001 
From: Adriano Santoni Date: Sun, 10 Mar 2024 08:32:42 +0100 Subject: [PATCH 09/29] Update lint_invalid_subject_rdn_order_test.go As per Chris Henderson's suggestion. --- .../lint_invalid_subject_rdn_order_test.go | 190 +++++++----------- 1 file changed, 69 insertions(+), 121 deletions(-) diff --git a/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go index 20613a72b..3aa634a42 100644 --- a/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go +++ b/v3/lints/cabf_br/lint_invalid_subject_rdn_order_test.go 
@@ -47,128 +47,76 @@ import ( subject_rdn_order_ko_07.pem CN, C */ -func TestInvalidSubjectRDNOrder_OK_01(t *testing.T) { - inputPath := "subject_rdn_order_ok_01.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) +func TestInvalidSubjectRDNOrder(t *testing.T) { + type Data struct { + input string + want lint.LintStatus } -} - -func TestInvalidSubjectRDNOrder_OK_02(t *testing.T) { - inputPath := "subject_rdn_order_ok_02.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_OK_03(t *testing.T) { - inputPath := "subject_rdn_order_ok_03.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) + data := []Data{ + { + input: "subject_rdn_order_ok_01.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_02.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_03.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_04.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_05.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_06.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ok_07.pem", + want: lint.Pass, + }, + { + input: "subject_rdn_order_ko_01.pem", + want: lint.Error, + }, + { + input: "subject_rdn_order_ko_02.pem", + want: lint.Error, + }, + { + input: "subject_rdn_order_ko_03.pem", + want: lint.Error, + }, + { + input: "subject_rdn_order_ko_04.pem", + want: lint.Error, + }, + { + input: "subject_rdn_order_ko_05.pem", + want: lint.Error, + }, + { + input: "subject_rdn_order_ko_06.pem", + want: lint.Error, + }, + { + input: 
"subject_rdn_order_ko_07.pem", + want: lint.Error, + }, } -} - -func TestInvalidSubjectRDNOrder_OK_04(t *testing.T) { - inputPath := "subject_rdn_order_ok_04.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_OK_05(t *testing.T) { - inputPath := "subject_rdn_order_ok_05.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_OK_06(t *testing.T) { - inputPath := "subject_rdn_order_ok_06.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_OK_07(t *testing.T) { - inputPath := "subject_rdn_order_ok_07.pem" - expected := lint.Pass - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_01(t *testing.T) { - inputPath := "subject_rdn_order_ko_01.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_02(t *testing.T) { - inputPath := "subject_rdn_order_ko_02.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_03(t *testing.T) { - inputPath := "subject_rdn_order_ko_03.pem" - expected := lint.Error - out := 
test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_04(t *testing.T) { - inputPath := "subject_rdn_order_ko_04.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_05(t *testing.T) { - inputPath := "subject_rdn_order_ko_05.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_06(t *testing.T) { - inputPath := "subject_rdn_order_ko_06.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -func TestInvalidSubjectRDNOrder_KO_07(t *testing.T) { - inputPath := "subject_rdn_order_ko_07.pem" - expected := lint.Error - out := test.TestLint("e_invalid_subject_rdn_order", inputPath) - if out.Status != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) + for _, testData := range data { + testData := testData + t.Run(testData.input, func(t *testing.T) { + out := test.TestLint("e_invalid_subject_rdn_order", testData.input) + if out.Status != testData.want { + t.Errorf("expected %s, got %s", testData.want, out.Status) + } + }) } } From 8ca486a720dbf7849e4ee2cb8648b7ffdf83920e Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sat, 30 Mar 2024 11:27:26 +0100 Subject: [PATCH 10/29] Update time.go Added CABFEV_Sec9_2_8_Date --- v3/util/time.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/v3/util/time.go b/v3/util/time.go index b702449ce..3a385e6bb 100644 --- a/v3/util/time.go 
+++ b/v3/util/time.go @@ -82,6 +82,8 @@ var ( CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC) // Updates to the CABF BRs and EVGLs from Ballot SC 062 https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/ SC62EffectiveDate = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC) + // Date when section 9.2.8 of CABF EVG became effective + CABFEV_Sec9_2_8_Date = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC) ) var ( From 1df8c9b16a9e91593859010fae5d316f5b2e5277 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sat, 30 Mar 2024 11:29:20 +0100 Subject: [PATCH 11/29] Add files via upload --- v3/testdata/orgid_subj_and_ext_ko_01.pem | 106 +++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ko_02.pem | 105 ++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ko_03.pem | 105 ++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ok_01.pem | 106 +++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ok_02.pem | 106 +++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ok_03.pem | 106 +++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ok_04.pem | 102 ++++++++++++++++++++++ v3/testdata/orgid_subj_and_ext_ok_05.pem | 102 ++++++++++++++++++++++ 8 files changed, 838 insertions(+) create mode 100644 v3/testdata/orgid_subj_and_ext_ko_01.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ko_02.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ko_03.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ok_01.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ok_02.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ok_03.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ok_04.pem create mode 100644 v3/testdata/orgid_subj_and_ext_ok_05.pem diff --git a/v3/testdata/orgid_subj_and_ext_ko_01.pem b/v3/testdata/orgid_subj_and_ext_ko_01.pem new file mode 100644 index 000000000..87b75afd7 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ko_01.pem 
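Review bot: The comment on `CABFEV_Sec9_2_8_Date` in v3/util/time.go names no ballot or guideline version for the 2020-01-31 date, unlike the `SC62EffectiveDate` entry directly above it, so the value cannot be checked from the file. An effective date decides which certificates a lint applies to, so I would cite the source in the comment, e.g. `// EVGs section 9.2.8, effective per <ballot or EVG version, to be filled in>`. The `var (` block starts and ends outside the hunk.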
@@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 8f:c6:55:69:97:15:5a:40:79:c6:1d:e4:22:21:72:ca + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 29 14:59:53 2024 GMT + Not After : Mar 29 14:59:53 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = "NTRUS+CA-1234567890" + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b3:75:b6:18:05:68:18:12:6e:97:c2:8a:75:a9: + d7:90:fb:51:d1:84:39:e6:b7:6c:97:2c:82:17:42: + e7:b2:a4:4a:a9:b7:80:d8:38:07:3c:f4:b2:8f:78: + 3d:1c:36:0d:aa:f2:e8:0a:1f:6d:c7:3c:70:7a:26: + 1f:c4:ba:e5:02:e1:6b:cc:9e:23:6e:b0:67:67:3a: + 5e:92:58:d5:db:99:84:08:6d:44:11:f4:97:f9:c6: + 10:29:4b:8b:8a:65:b0:55:c7:74:2d:f7:96:9a:3f: + 9a:d9:bb:3e:76:88:ae:77:07:33:36:59:65:88:cd: + d0:8d:7f:45:90:db:ef:ef:9e:f7:12:69:86:92:6b: + e5:7d:a1:8c:62:ce:16:07:53:df:91:a8:2f:ab:97: + b0:dd:9a:1d:3e:b5:b4:b7:c8:8d:3e:3e:9e:3c:d7: + 33:df:63:fb:c1:4c:eb:ca:03:c6:3a:89:9f:f1:d1: + a0:28:c9:54:58:20:38:bd:45:09:ea:47:38:39:ae: + b5:3a:46:e8:bf:4f:f8:03:dd:33:28:0c:60:a7:39: + ed:86:4d:a4:7a:61:4d:e3:80:1a:30:96:95:72:44: + 42:8d:42:14:f4:3b:86:94:17:f5:12:ea:e7:09:da: + 7d:02:2d:a2:e4:5b:75:3a:c4:f1:97:d3:f7:aa:ba: + d3:db + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + E7:D3:82:87:FB:05:52:CE:5B:2E:67:3A:92:B3:52:B6:4A:B9:C9:84 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - 
URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...NTR..US. +1234567890 + Signature Algorithm: sha256WithRSAEncryption + 0d:ec:f2:c8:ed:e5:0f:eb:e6:2f:24:c1:01:7a:de:3a:ea:9b: + ea:d3:c8:51:25:fa:42:2c:1c:37:55:d1:66:a3:21:55:c8:af: + 0a:b7:20:10:70:31:7e:2c:8a:c2:67:04:3e:36:55:64:be:48: + 7c:21:01:60:2b:17:25:cd:29:24:3f:f1:70:1c:d4:96:b7:02: + 4e:12:72:e8:fb:80:09:b1:0f:4b:3d:e7:e8:13:02:ba:79:fc: + 83:e7:29:f6:91:a0:79:57:b1:72:6d:b0:b4:dc:3b:54:ea:83: + bc:e0:7b:d6:b3:85:ea:50:e7:dd:0c:b5:02:d0:13:c3:ca:e1: + cc:49:d5:f9:40:d8:74:a1:a2:9b:12:81:c7:40:36:9a:16:26: + d1:44:24:4e:4e:ec:8a:89:79:b0:3b:39:1f:6d:c7:c7:41:dd: + 2a:10:10:b5:27:34:9f:24:d2:e2:2c:9d:8d:ba:ae:c1:58:d8: + 28:d0:39:74:24:f6:94:1b:41:b3:4a:98:6c:d7:6f:4e:87:5f: + 76:eb:33:a5:7e:9b:bb:46:9b:b9:a3:ef:f8:ae:6f:bb:46:72: + f2:5d:c3:c5:ef:90:ed:cc:dc:f4:da:22:ba:24:47:9f:0f:c3: + 79:7b:9f:3b:48:ee:1c:e2:f7:7c:82:f3:f8:49:d0:a3:3d:c8: + 98:ff:a5:27 +-----BEGIN CERTIFICATE----- +MIIE7TCCA9WgAwIBAgIRAI/GVWmXFVpAecYd5CIhcsowDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwMzI5MTQ1OTUzWhcNMjUwMzI5MTQ1 +OTUzWjCBxjELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEcMBoGA1UEYRMTTlRSVVMr +Q0EtMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALN1 +thgFaBgSbpfCinWp15D7UdGEOea3bJcsghdC57KkSqm3gNg4Bzz0so94PRw2Dary +6Aofbcc8cHomH8S65QLha8yeI26wZ2c6XpJY1duZhAhtRBH0l/nGEClLi4plsFXH +dC33lpo/mtm7PnaIrncHMzZZZYjN0I1/RZDb7++e9xJphpJr5X2hjGLOFgdT35Go +L6uXsN2aHT61tLfIjT4+njzXM99j+8FM68oDxjqJn/HRoCjJVFggOL1FCepHODmu 
+tTpG6L9P+APdMygMYKc57YZNpHphTeOAGjCWlXJEQo1CFPQ7hpQX9RLq5wnafQIt +ouRbdTrE8ZfT96q609sCAwEAAaOCAVYwggFSMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFOfTgof7BVLOWy5n +OpKzUrZKucmEMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsG +AQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29t +L29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290 +MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1UdIAQLMAkwBwYFZ4EMAQEwLQYD +VR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDAgBgVn +gQwDAQQXMBUTA05UUhMCVVMMCjEyMzQ1Njc4OTAwDQYJKoZIhvcNAQELBQADggEB +AA3s8sjt5Q/r5i8kwQF63jrqm+rTyFEl+kIsHDdV0WajIVXIrwq3IBBwMX4sisJn +BD42VWS+SHwhAWArFyXNKSQ/8XAc1Ja3Ak4Scuj7gAmxD0s95+gTArp5/IPnKfaR +oHlXsXJtsLTcO1Tqg7zge9azhepQ590MtQLQE8PK4cxJ1flA2HShopsSgcdANpoW +JtFEJE5O7IqJebA7OR9tx8dB3SoQELUnNJ8k0uIsnY26rsFY2CjQOXQk9pQbQbNK +mGzXb06HX3brM6V+m7tGm7mj7/iub7tGcvJdw8XvkO3M3PTaIrokR58Pw3l7nztI +7hzi93yC8/hJ0KM9yJj/pSc= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ko_02.pem b/v3/testdata/orgid_subj_and_ext_ko_02.pem new file mode 100644 index 000000000..ff59d088d --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ko_02.pem 
@@ -0,0 +1,105 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 6b:70:9d:94:0f:c0:e9:1d:88:03:8f:66:11:8f:50:08 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 30 10:05:55 2024 GMT + Not After : Mar 30 10:05:55 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = PSDAT-FMA-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b2:4c:9f:31:9b:46:04:07:94:6c:a8:5d:af:8e: + 29:4b:52:7d:e4:d7:d2:42:dd:6f:c4:88:04:e4:d9: + 97:c6:70:08:a9:fb:ed:16:0e:61:cc:e1:01:05:b4: + 46:ef:6c:34:4f:3b:d5:f4:37:3d:d8:bb:3e:9e:a6: + 9c:ca:af:d7:f0:cc:bb:07:94:cf:23:ce:49:ef:5e: + 1a:0b:fa:65:e3:b2:f6:3f:a1:dd:48:6f:d9:fa:d7: + 27:50:29:c6:08:88:f3:3f:58:90:ad:04:81:84:de: + c1:98:75:df:23:23:fe:c4:8a:af:b5:62:69:2e:3a: + f7:8c:61:e7:8d:ad:df:51:48:0d:66:a1:4b:53:5a: + 59:d7:ba:50:6c:70:af:12:a6:32:9e:f6:39:ab:c1: + da:15:68:11:ec:c1:e6:77:d4:15:cb:4a:e8:16:61: + de:06:26:40:02:7f:15:fb:59:7f:ce:7c:2c:35:f8: + e4:b7:a7:55:46:78:b8:42:aa:16:a3:30:44:88:70: + f1:ea:6e:d2:97:04:e4:ef:8f:4a:13:f8:29:12:16: + 47:cb:c1:50:eb:6f:25:74:fc:82:99:3e:6b:c4:b6: + 33:0a:88:7e:8a:84:10:f9:2a:0e:65:aa:a6:d3:22: + 93:33:c2:00:d2:a3:91:e1:f5:16:67:79:59:92:fa: + ce:ab + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 17:A9:69:84:98:F1:C5:E5:86:9F:A7:59:4E:50:C9:F1:99:09:5C:49 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - 
URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...PSD..AT..FMA-123-456-7890 + Signature Algorithm: sha256WithRSAEncryption + 69:13:c5:02:22:37:2e:24:0d:79:bc:d1:7a:46:ef:3f:2b:b6: + 29:f9:a4:72:08:58:cc:f1:79:e3:b0:c7:fc:7c:ec:24:82:6f: + de:0b:44:ba:66:d5:b7:00:81:0e:14:26:e7:41:55:f1:51:26: + 25:d2:65:7c:35:9a:ef:d2:76:38:e8:7c:bd:79:12:8b:c9:43: + ef:bf:0b:62:c0:98:fc:96:ef:9c:d3:af:83:34:53:19:b9:07: + d7:f4:b4:d0:86:8b:51:25:70:f8:53:6c:f4:b2:5c:1d:52:f5: + 26:8a:f1:79:ef:dc:3b:a6:51:fa:e8:94:cb:70:c4:80:52:b6: + 54:a0:71:84:0b:4f:da:f8:e2:e4:37:10:0a:8c:fe:1c:8b:c3: + f9:03:21:92:45:bd:a6:86:68:9e:ad:41:6d:9f:e5:ab:a0:85: + 47:45:8c:8f:a2:b1:af:28:e5:d8:e9:ce:2a:22:d3:1d:8e:08: + 8d:5b:8c:26:47:27:99:a0:77:ad:48:52:54:14:a4:e4:1f:69: + 29:d2:43:d8:d6:c0:fd:01:05:0e:d0:3e:37:f5:7d:31:af:ed: + 5d:e4:ef:83:64:e6:c7:61:9e:13:ac:b9:0b:be:ab:fe:a2:ac: + fd:99:ab:fb:9c:37:e2:63:c3:c8:df:d8:b4:5d:0c:a6:8f:dd: + 9d:92:3e:0a +-----BEGIN CERTIFICATE----- +MIIE8zCCA9ugAwIBAgIQa3CdlA/A6R2IA49mEY9QCDANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDAzMzAxMDA1NTVaFw0yNTAzMzAxMDA1 +NTVaMIHHMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMR0wGwYDVQRhExRQU0RBVC1G +TUEtMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJM +nzGbRgQHlGyoXa+OKUtSfeTX0kLdb8SIBOTZl8ZwCKn77RYOYczhAQW0Ru9sNE87 +1fQ3Pdi7Pp6mnMqv1/DMuweUzyPOSe9eGgv6ZeOy9j+h3Uhv2frXJ1ApxgiI8z9Y +kK0EgYTewZh13yMj/sSKr7ViaS4694xh542t31FIDWahS1NaWde6UGxwrxKmMp72 +OavB2hVoEezB5nfUFctK6BZh3gYmQAJ/FftZf858LDX45LenVUZ4uEKqFqMwRIhw 
+8epu0pcE5O+PShP4KRIWR8vBUOtvJXT8gpk+a8S2MwqIfoqEEPkqDmWqptMikzPC +ANKjkeH1Fmd5WZL6zqsCAwEAAaOCAVwwggFYMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFBepaYSY8cXlhp+n +WU5QyfGZCVxJMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsG +AQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29t +L29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290 +MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1UdIAQLMAkwBwYFZ4EMAQEwLQYD +VR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDAmBgVn +gQwDAQQdMBsTA1BTRBMCQVQMEEZNQS0xMjMtNDU2LTc4OTAwDQYJKoZIhvcNAQEL +BQADggEBAGkTxQIiNy4kDXm80XpG7z8rtin5pHIIWMzxeeOwx/x87CSCb94LRLpm +1bcAgQ4UJudBVfFRJiXSZXw1mu/SdjjofL15EovJQ++/C2LAmPyW75zTr4M0Uxm5 +B9f0tNCGi1ElcPhTbPSyXB1S9SaK8Xnv3DumUfrolMtwxIBStlSgcYQLT9r44uQ3 +EAqM/hyLw/kDIZJFvaaGaJ6tQW2f5aughUdFjI+isa8o5djpzioi0x2OCI1bjCZH +J5mgd61IUlQUpOQfaSnSQ9jWwP0BBQ7QPjf1fTGv7V3k74Nk5sdhnhOsuQu+q/6i +rP2Zq/ucN+Jjw8jf2LRdDKaP3Z2SPgo= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ko_03.pem b/v3/testdata/orgid_subj_and_ext_ko_03.pem new file mode 100644 index 000000000..b42eeacd8 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ko_03.pem 
@@ -0,0 +1,105 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ca:15:64:b2:c2:b9:4e:e3:34:19:f5:29:d4:14:b5:95 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 30 10:08:11 2024 GMT + Not After : Mar 30 10:08:11 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = VATBEE-12345 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a9:c1:f2:44:4a:7c:0c:25:17:4e:be:e6:b2:e8: + 91:ad:67:b5:6a:51:57:66:78:e6:79:3d:db:c9:33: + ef:62:e8:6b:10:cd:91:0c:64:e1:1f:25:24:55:c8: + da:a0:3e:0b:5a:d6:43:bd:1a:49:ea:52:28:64:00: + eb:19:9f:10:b1:30:a8:06:43:50:d9:58:99:b7:89: + ae:ee:e5:6b:fc:41:d9:67:b4:6a:4d:c2:34:ad:fa: + 06:31:aa:14:03:3a:b9:c8:d9:06:1e:df:8c:6d:f5: + 6c:c9:4e:63:64:7f:58:3d:ca:fe:e3:ab:6e:47:8c: + f9:5e:41:ca:3d:f4:20:06:ba:1c:ca:65:97:86:aa: + 9f:6f:67:1d:b2:f7:fe:92:b2:4b:c1:f1:70:8d:8f: + 6c:23:d7:42:4d:34:7b:b1:13:e6:a7:84:85:a8:b1: + c4:9f:9d:08:af:08:77:7d:c9:50:4a:77:8a:22:de: + d6:db:40:f5:f3:53:88:71:7b:4b:e1:5b:08:b1:e1: + 00:ec:bd:c4:14:5c:60:8a:14:1b:21:ff:dd:ac:6b: + b5:a1:a3:85:cf:a4:96:54:76:02:90:85:06:ec:e4: + b1:08:75:10:a8:ed:44:03:76:25:77:0b:2b:d3:9f: + 6c:15:81:a1:37:a1:62:1a:69:b8:e7:26:69:98:1e: + e0:6f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 5D:EB:2E:60:D6:D1:B3:AB:5C:F4:21:31:B5:D1:68:88:50:CF:D2:AA + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + 
X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...VAT..BE..12345 + Signature Algorithm: sha256WithRSAEncryption + 1a:d8:6d:19:8a:9c:f3:30:c5:f0:39:ef:18:a3:ff:ed:d2:b2: + a5:be:21:ff:d2:7d:68:87:19:6b:aa:bf:22:f1:e2:b1:80:89: + c1:b6:73:44:b2:90:7c:cc:1a:e9:4e:e5:bc:9c:85:58:6e:33: + 90:69:56:88:bc:f6:ed:03:36:7f:72:c2:9e:77:3c:77:6e:6c: + bb:32:09:33:1f:61:eb:92:40:96:c9:01:a4:d6:56:91:cb:9a: + b4:a8:33:c6:ba:bd:94:44:42:5f:74:c4:fa:1f:c6:46:d4:d8: + 0c:dd:09:1e:96:e7:70:45:29:30:ef:c0:a9:33:5e:ce:84:d8: + d2:0f:79:31:e1:01:01:c7:6e:d1:4b:2e:ff:55:19:a0:e2:a5: + a4:fc:82:90:5e:e9:bc:c9:bc:01:69:8d:26:5b:fd:47:f8:1e: + 13:e0:29:8a:88:c7:10:21:2b:67:41:52:a1:4d:5a:e4:28:9d: + 76:c2:ee:bc:99:a9:a9:4c:48:f9:68:3f:69:25:00:91:c2:3d: + 83:4a:2e:ff:b1:e7:a2:4b:31:12:d4:53:a6:9d:41:4f:8b:49: + d2:b6:b5:88:e6:2b:02:aa:4a:e2:50:a0:fa:0b:96:76:3c:59: + a6:a7:a0:bc:2b:a2:e4:e7:1f:60:7d:3c:53:cc:23:0e:a1:dc: + 23:70:4c:50 +-----BEGIN CERTIFICATE----- +MIIE4TCCA8mgAwIBAgIRAMoVZLLCuU7jNBn1KdQUtZUwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwMzMwMTAwODExWhcNMjUwMzMwMTAw +ODExWjCBvzELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEVMBMGA1UEYRMMVkFUQkVF +LTEyMzQ1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqcHyREp8DCUX +Tr7msuiRrWe1alFXZnjmeT3byTPvYuhrEM2RDGThHyUkVcjaoD4LWtZDvRpJ6lIo +ZADrGZ8QsTCoBkNQ2ViZt4mu7uVr/EHZZ7RqTcI0rfoGMaoUAzq5yNkGHt+MbfVs +yU5jZH9YPcr+46tuR4z5XkHKPfQgBrocymWXhqqfb2cdsvf+krJLwfFwjY9sI9dC +TTR7sRPmp4SFqLHEn50Irwh3fclQSneKIt7W20D181OIcXtL4VsIseEA7L3EFFxg +ihQbIf/drGu1oaOFz6SWVHYCkIUG7OSxCHUQqO1EA3Yldwsr059sFYGhN6FiGmm4 
+5yZpmB7gbwIDAQABo4IBUTCCAU0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG +CCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUXesuYNbRs6tc9CExtdFoiFDP +0qowHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYIKwYBBQUHAQEE +WDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vb2NzcDAp +BggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jvb3QwFgYDVR0R +BA8wDYILZXhhbXBsZS5jb20wEgYDVR0gBAswCTAHBgVngQwBATAtBgNVHR8EJjAk +MCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMBsGBWeBDAMBBBIw +EBMDVkFUEwJCRQwFMTIzNDUwDQYJKoZIhvcNAQELBQADggEBABrYbRmKnPMwxfA5 +7xij/+3SsqW+If/SfWiHGWuqvyLx4rGAicG2c0SykHzMGulO5bychVhuM5BpVoi8 +9u0DNn9ywp53PHdubLsyCTMfYeuSQJbJAaTWVpHLmrSoM8a6vZREQl90xPofxkbU +2AzdCR6W53BFKTDvwKkzXs6E2NIPeTHhAQHHbtFLLv9VGaDipaT8gpBe6bzJvAFp +jSZb/Uf4HhPgKYqIxxAhK2dBUqFNWuQonXbC7ryZqalMSPloP2klAJHCPYNKLv+x +56JLMRLUU6adQU+LSdK2tYjmKwKqSuJQoPoLlnY8WaanoLwrouTnH2B9PFPMIw6h +3CNwTFA= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ok_01.pem b/v3/testdata/orgid_subj_and_ext_ok_01.pem new file mode 100644 index 000000000..51e477122 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ok_01.pem 
@@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c7:57:87:54:50:2f:fb:c8:d4:74:2d:7c:6e:71:a6:92 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 29 13:31:00 2024 GMT + Not After : Mar 29 13:31:00 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = VATIT-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:e9:67:65:8b:3c:82:79:e9:43:31:3a:80:4b:d8: + 0e:43:b8:a5:fd:fa:25:3c:57:41:1e:7e:bb:f8:ff: + 11:cc:64:97:57:a4:a2:46:f1:ef:fe:6f:cd:71:c1: + a7:10:34:4f:15:13:05:1b:fc:dc:fe:1b:45:13:d9: + d3:69:4d:7a:a4:72:53:f1:64:32:fb:16:34:df:9f: + 25:47:1f:cb:25:5f:01:3d:7f:3d:49:c1:0b:7f:a4: + e0:a9:aa:4a:9e:30:c2:4c:1d:fe:41:a8:09:7a:c9: + 6b:11:22:36:8c:df:db:d1:ec:cc:03:fd:a4:92:6b: + 6f:5f:24:6d:f3:e6:a1:b2:a8:31:09:72:2b:bd:cb: + 0e:f7:26:9b:be:56:66:d2:c3:58:26:29:9c:ec:d4: + f7:e0:65:c2:c0:78:32:05:6e:6d:e1:2c:61:f0:5b: + 9b:a3:f4:05:0a:1e:49:c3:cf:60:10:a5:32:b1:1a: + 55:32:bc:28:4f:15:5f:bf:3a:ac:21:9c:2f:20:94: + d0:4d:4a:f4:0d:63:06:4c:b3:c7:8c:ac:bb:3e:a9: + 6e:b6:07:32:60:c2:27:bb:c0:9a:70:b2:73:43:62: + a5:d5:64:52:4d:d7:e5:46:20:0f:53:a6:d3:1d:9d: + da:7d:ad:e6:6d:dd:bf:60:14:78:11:db:f2:34:3a: + ba:55 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 10:CB:CA:80:71:74:B0:06:2B:D7:CA:CC:62:DB:B1:59:2E:DF:C2:E1 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root 
+ + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...VAT..IT. +1234567890 + Signature Algorithm: sha256WithRSAEncryption + 0f:36:91:78:5e:4d:c4:f1:53:b6:8c:e8:4e:05:de:ee:70:16: + 73:29:9b:36:e1:5d:72:91:71:2d:79:44:9b:4b:9a:da:01:54: + 2c:f7:43:cb:49:a4:aa:2c:f9:e6:0d:1a:a3:49:4a:e0:a3:ba: + 40:b9:76:0a:bf:b5:b4:db:91:3b:a5:5a:73:8b:ef:96:f7:40: + 44:b8:92:79:f5:14:03:d7:14:49:ab:09:8d:73:1d:18:89:fb: + b9:25:b7:8b:5e:8f:16:14:17:12:72:f9:9d:b0:a6:98:1b:47: + 26:76:a8:33:02:60:c7:68:ee:3d:f3:95:6e:c7:a3:31:cf:9a: + d8:c1:c3:b5:9d:69:c0:8a:a3:92:cb:8e:4c:e2:25:85:82:d5: + cf:db:10:83:cf:19:11:73:10:a4:a1:65:fb:a0:72:fe:08:a3: + 8d:f3:49:12:36:50:8a:6e:3d:09:b8:73:cb:50:89:55:99:0f: + 2f:33:35:a9:0f:c9:52:7d:e5:23:0a:9d:2d:77:33:9c:5d:e0: + fa:c9:92:6d:66:32:cf:6a:d7:ad:47:2b:b0:fd:e7:b1:70:96: + 36:0b:e7:eb:da:f2:df:79:f1:a0:fe:0a:84:48:a0:b8:d2:36: + d2:74:8e:fc:50:cd:8f:37:02:dc:b4:63:55:ce:46:b0:76:b1: + d8:1a:53:93 +-----BEGIN CERTIFICATE----- +MIIE6jCCA9KgAwIBAgIRAMdXh1RQL/vI1HQtfG5xppIwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwMzI5MTMzMTAwWhcNMjUwMzI5MTMz +MTAwWjCBwzELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEZMBcGA1UEYRMQVkFUSVQt +MTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOlnZYs8 +gnnpQzE6gEvYDkO4pf36JTxXQR5+u/j/Ecxkl1ekokbx7/5vzXHBpxA0TxUTBRv8 +3P4bRRPZ02lNeqRyU/FkMvsWNN+fJUcfyyVfAT1/PUnBC3+k4KmqSp4wwkwd/kGo +CXrJaxEiNozf29HszAP9pJJrb18kbfPmobKoMQlyK73LDvcmm75WZtLDWCYpnOzU +9+BlwsB4MgVubeEsYfBbm6P0BQoeScPPYBClMrEaVTK8KE8VX786rCGcLyCU0E1K +9A1jBkyzx4ysuz6pbrYHMmDCJ7vAmnCyc0NipdVkUk3X5UYgD1Om0x2d2n2t5m3d 
+v2AUeBHb8jQ6ulUCAwEAAaOCAVYwggFSMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE +FjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFBDLyoBxdLAGK9fKzGLb +sVku38LhMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsGAQUF +BwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL29j +c3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290MBYG +A1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1UdIAQLMAkwBwYFZ4EMAQEwLQYDVR0f +BCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDAgBgVngQwD +AQQXMBUTA1ZBVBMCSVQMCjEyMzQ1Njc4OTAwDQYJKoZIhvcNAQELBQADggEBAA82 +kXheTcTxU7aM6E4F3u5wFnMpmzbhXXKRcS15RJtLmtoBVCz3Q8tJpKos+eYNGqNJ +SuCjukC5dgq/tbTbkTulWnOL75b3QES4knn1FAPXFEmrCY1zHRiJ+7klt4tejxYU +FxJy+Z2wppgbRyZ2qDMCYMdo7j3zlW7HozHPmtjBw7WdacCKo5LLjkziJYWC1c/b +EIPPGRFzEKShZfugcv4Io43zSRI2UIpuPQm4c8tQiVWZDy8zNakPyVJ95SMKnS13 +M5xd4PrJkm1mMs9q161HK7D957FwljYL5+va8t958aD+CoRIoLjSNtJ0jvxQzY83 +Aty0Y1XORrB2sdgaU5M= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ok_02.pem b/v3/testdata/orgid_subj_and_ext_ok_02.pem new file mode 100644 index 000000000..bf34b7130 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ok_02.pem 
@@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + f7:27:d7:bd:69:ed:73:0b:8e:65:c8:6d:fa:93:99:43 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 29 13:44:08 2024 GMT + Not After : Mar 29 13:44:08 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = VATIT-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:f0:0f:d1:5d:1d:7c:b3:6d:32:12:91:de:fe:e6: + d0:e1:b1:4a:e8:20:47:7e:2b:90:07:36:57:09:4e: + 69:6e:99:2f:0d:73:0d:87:2e:e0:5d:ff:93:bf:97: + 6c:ed:76:e4:aa:c9:78:94:15:e9:c5:16:5b:a1:29: + 3f:05:93:b0:31:ac:ec:66:91:aa:e7:32:2b:2f:41: + dc:cd:ac:16:84:f6:e7:c3:1b:46:f2:1a:4e:05:3d: + aa:d6:28:a5:0f:30:3d:92:2b:a8:1a:7b:2b:c1:46: + b3:69:c5:aa:53:22:62:38:66:55:94:37:99:7d:29: + 10:32:92:8b:c4:6b:f2:df:20:63:a2:01:a3:7b:33: + 2f:ca:32:07:fd:ee:03:70:15:7e:8a:d5:51:b9:70: + 20:5a:f1:dc:e5:cd:c1:ac:10:01:69:f5:28:4b:9b: + 1f:c0:3b:9f:bb:5a:8d:15:d0:10:ab:b0:b1:be:06: + d7:35:e6:69:1f:49:8e:72:98:98:fd:b0:f5:a4:96: + 93:47:c2:0a:7d:b8:b0:b7:f8:98:e1:50:3a:93:af: + 89:ba:82:27:6f:64:7c:e4:12:6c:ed:cd:99:26:d2: + 00:48:aa:88:80:aa:6d:27:d4:3e:da:6e:81:df:af: + ed:62:71:5c:5c:2e:04:d2:40:41:9e:27:41:a5:83: + 80:a9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 9F:27:0B:BA:3F:95:33:55:C2:00:FA:86:DA:F6:9A:D4:21:E8:34:EF + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root 
+ + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...NTR..IT. +1234567890 + Signature Algorithm: sha256WithRSAEncryption + a8:e4:dc:fb:9d:f5:cd:5e:8c:e4:43:c1:d8:cc:f7:0f:c4:57: + 09:ef:47:15:c4:a4:81:56:13:c3:f1:ae:a7:f0:12:fe:90:97: + da:97:60:b2:32:19:68:b1:19:b4:ec:58:b4:0b:7c:d8:ed:08: + 3b:a5:38:dd:c3:f0:86:6b:c4:7c:24:d5:e3:7f:52:4d:af:c2: + 4c:b2:43:5d:9a:12:e6:11:7d:a3:4e:28:24:39:94:b0:82:2c: + 2a:fc:ef:5f:2e:77:0c:35:f8:26:5d:ef:5d:3c:f2:a0:61:78: + f8:7c:ad:43:73:f7:64:be:ad:6c:6e:a0:6b:3e:14:dd:f7:15: + bf:e3:e0:d9:89:8d:df:73:68:0b:30:ab:31:3c:a6:53:d6:ed: + 0c:39:32:09:ed:aa:ae:65:4a:1f:ce:9b:2d:a7:a1:13:00:a4: + 5a:d1:95:7f:7d:77:31:72:a7:4b:35:e2:9d:ff:d1:45:5f:34: + 01:1f:40:8b:ce:2a:b8:3f:7e:39:6e:23:29:6e:07:d5:f3:d1: + dd:10:07:ef:fc:3d:78:81:2d:23:10:95:1f:89:a0:54:ef:e1: + 1b:bb:22:cf:eb:0d:1a:05:3f:1c:f1:d9:9d:6d:42:f8:a8:b8: + 48:5f:95:82:aa:c3:7e:a5:a5:3f:bf:24:ab:4a:0c:16:43:1d: + 70:37:ca:7c +-----BEGIN CERTIFICATE----- +MIIE6zCCA9OgAwIBAgIRAPcn171p7XMLjmXIbfqTmUMwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwMzI5MTM0NDA4WhcNMjUwMzI5MTM0 +NDA4WjCBwzELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEZMBcGA1UEYRMQVkFUSVQt +MTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPAP0V0d +fLNtMhKR3v7m0OGxSuggR34rkAc2VwlOaW6ZLw1zDYcu4F3/k7+XbO125KrJeJQV +6cUWW6EpPwWTsDGs7GaRqucyKy9B3M2sFoT258MbRvIaTgU9qtYopQ8wPZIrqBp7 +K8FGs2nFqlMiYjhmVZQ3mX0pEDKSi8Rr8t8gY6IBo3szL8oyB/3uA3AVforVUblw +IFrx3OXNwawQAWn1KEubH8A7n7tajRXQEKuwsb4G1zXmaR9JjnKYmP2w9aSWk0fC +Cn24sLf4mOFQOpOvibqCJ29kfOQSbO3NmSbSAEiqiICqbSfUPtpugd+v7WJxXFwu 
+BNJAQZ4nQaWDgKkCAwEAAaOCAVcwggFTMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE +FjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFJ8nC7o/lTNVwgD6htr2 +mtQh6DTvMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsGAQUF +BwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL29j +c3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290MBYG +A1UdEQQPMA2CC2V4YW1wbGUuY29tMBMGA1UdIAQMMAowCAYGZ4EMAQICMC0GA1Ud +HwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9jcmwwIAYFZ4EM +AwEEFzAVEwNOVFITAklUDAoxMjM0NTY3ODkwMA0GCSqGSIb3DQEBCwUAA4IBAQCo +5Nz7nfXNXozkQ8HYzPcPxFcJ70cVxKSBVhPD8a6n8BL+kJfal2CyMhlosRm07Fi0 +C3zY7Qg7pTjdw/CGa8R8JNXjf1JNr8JMskNdmhLmEX2jTigkOZSwgiwq/O9fLncM +NfgmXe9dPPKgYXj4fK1Dc/dkvq1sbqBrPhTd9xW/4+DZiY3fc2gLMKsxPKZT1u0M +OTIJ7aquZUofzpstp6ETAKRa0ZV/fXcxcqdLNeKd/9FFXzQBH0CLziq4P345biMp +bgfV89HdEAfv/D14gS0jEJUfiaBU7+EbuyLP6w0aBT8c8dmdbUL4qLhIX5WCqsN+ +paU/vySrSgwWQx1wN8p8 +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ok_03.pem b/v3/testdata/orgid_subj_and_ext_ok_03.pem new file mode 100644 index 000000000..258a52166 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ok_03.pem 
@@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c2:1d:b7:06:b1:40:2a:f4:e9:15:d7:3c:bf:fd:e5:47 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jan 29 00:00:00 2020 GMT + Not After : Jan 28 00:00:00 2021 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = VATIT-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a6:70:69:9d:8b:34:fb:33:f2:d8:ca:54:4a:d6: + 32:2f:1b:bf:9b:cf:38:2c:9c:30:33:12:19:34:4e: + 1b:ae:df:92:67:a4:65:3c:68:c3:63:06:40:ca:aa: + ca:ce:d2:d9:11:69:b4:db:d3:c8:46:7b:7c:21:6f: + fc:1f:4d:97:c4:0c:5b:74:a6:ed:3a:ea:1a:5f:8d: + 3b:9f:ed:e2:02:96:a9:b6:a3:4b:8f:6a:00:97:cd: + 4a:10:24:28:b2:68:b0:3a:1d:7d:37:44:1a:6a:86: + 44:6e:9e:f6:0c:3e:74:d2:cc:eb:fc:88:4a:3b:67: + fa:f8:a4:77:fd:a3:69:1d:bc:02:62:60:7f:a3:b3: + 92:c0:ec:07:1c:5b:70:be:54:73:fb:44:8d:12:32: + 96:f6:ec:28:32:4b:5a:a5:d4:1b:e9:e3:2e:fb:0b: + b0:6b:13:e6:84:ce:74:7f:cc:bf:40:cb:d7:ab:df: + 7b:c1:d9:a7:33:5e:e3:e8:57:95:b7:ce:3c:52:a7: + 18:38:c0:05:15:18:c0:4f:4c:42:5f:97:03:f6:fd: + 12:d4:6e:51:d8:da:d0:af:3b:fd:e4:74:ba:5c:ae: + 30:7e:d4:04:16:cb:56:2a:50:8e:28:2c:ef:33:ca: + e0:09:20:1d:b0:1e:e6:3d:bf:c0:b5:7a:74:c1:d3: + f2:f9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 08:5F:A7:9D:24:99:DD:23:49:03:66:4D:CC:18:D6:72:87:B5:9D:9D + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root 
+ + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + 2.23.140.3.1: + 0...VAT..BE. +1234567890 + Signature Algorithm: sha256WithRSAEncryption + 91:c2:e0:45:ff:c7:d2:b2:ca:49:ae:bc:84:99:b9:1e:f7:d5: + d3:2b:26:6f:54:af:57:48:fb:d9:8e:8a:b7:f0:3c:23:21:56: + db:92:b8:cf:90:33:9b:44:da:49:6d:58:26:80:d6:3b:c9:db: + 3e:30:8a:ed:9c:eb:b8:49:02:40:5a:d8:4a:47:3a:10:ae:9c: + 43:37:e2:de:cf:63:d8:8b:8f:81:f1:cd:f3:ae:26:de:90:b6: + 96:0c:e9:b0:9a:ee:cf:21:95:f4:8e:38:dc:f4:ac:d0:41:04: + 68:fc:e9:d5:e8:8a:3b:af:0f:2a:5f:51:2d:e9:2d:53:7b:c6: + 19:84:30:38:5d:f3:6a:e7:4b:7e:e5:18:05:b8:f4:38:af:d4: + cb:ff:93:ab:e2:1e:35:f6:b7:d6:10:7e:d1:d1:fd:26:4c:39: + 73:88:85:4e:0d:5e:3b:3a:94:fa:c0:2c:86:8d:23:bc:d2:20: + c4:14:6f:1a:98:71:b4:8c:1d:5e:78:98:89:57:f9:79:d6:4f: + 3a:30:ff:6d:9c:39:6b:77:03:ee:4e:fd:8a:2e:98:0a:d0:d6: + a4:65:6b:03:e8:d6:ad:0f:b3:c7:83:4d:90:0f:9c:7e:5f:8b: + b3:31:39:bd:f4:62:1a:2b:d6:ad:09:c8:67:eb:dc:58:aa:36: + be:f5:a4:65 +-----BEGIN CERTIFICATE----- +MIIE6jCCA9KgAwIBAgIRAMIdtwaxQCr06RXXPL/95UcwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjAwMTI5MDAwMDAwWhcNMjEwMTI4MDAw +MDAwWjCBwzELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEZMBcGA1UEYRMQVkFUSVQt +MTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKZwaZ2L +NPsz8tjKVErWMi8bv5vPOCycMDMSGTROG67fkmekZTxow2MGQMqqys7S2RFptNvT +yEZ7fCFv/B9Nl8QMW3Sm7TrqGl+NO5/t4gKWqbajS49qAJfNShAkKLJosDodfTdE +GmqGRG6e9gw+dNLM6/yISjtn+vikd/2jaR28AmJgf6OzksDsBxxbcL5Uc/tEjRIy +lvbsKDJLWqXUG+njLvsLsGsT5oTOdH/Mv0DL16vfe8HZpzNe4+hXlbfOPFKnGDjA +BRUYwE9MQl+XA/b9EtRuUdja0K87/eR0ulyuMH7UBBbLVipQjigs7zPK4AkgHbAe 
+5j2/wLV6dMHT8vkCAwEAAaOCAVYwggFSMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE +FjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFAhfp50kmd0jSQNmTcwY +1nKHtZ2dMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsGAQUF +BwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL29j +c3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290MBYG +A1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1UdIAQLMAkwBwYFZ4EMAQEwLQYDVR0f +BCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDAgBgVngQwD +AQQXMBUTA1ZBVBMCQkUMCjEyMzQ1Njc4OTAwDQYJKoZIhvcNAQELBQADggEBAJHC +4EX/x9KyykmuvISZuR731dMrJm9Ur1dI+9mOirfwPCMhVtuSuM+QM5tE2kltWCaA +1jvJ2z4wiu2c67hJAkBa2EpHOhCunEM34t7PY9iLj4HxzfOuJt6QtpYM6bCa7s8h +lfSOONz0rNBBBGj86dXoijuvDypfUS3pLVN7xhmEMDhd82rnS37lGAW49Div1Mv/ +k6viHjX2t9YQftHR/SZMOXOIhU4NXjs6lPrALIaNI7zSIMQUbxqYcbSMHV54mIlX ++XnWTzow/22cOWt3A+5O/YoumArQ1qRlawPo1q0Ps8eDTZAPnH5fi7MxOb30Yhor +1q0JyGfr3FiqNr71pGU= +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ok_04.pem b/v3/testdata/orgid_subj_and_ext_ok_04.pem new file mode 100644 index 000000000..73a33605e --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ok_04.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a6:94:17:72:37:47:c7:98:f1:a3:59:27:3a:60:6a:4d + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 29 15:05:33 2024 GMT + Not After : Mar 29 15:05:33 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ef:fe:60:e2:81:13:db:ff:b7:ee:2d:5a:f4:ec: + 3c:44:a7:e0:7a:8f:98:31:70:53:29:85:d0:77:02: + a0:49:93:89:6c:82:c4:95:12:44:a5:8a:d9:46:f1: + 19:84:d8:91:e7:be:5a:5e:2e:92:b4:f8:ae:b5:d9: + 37:5b:fc:b8:6c:44:4b:74:af:e7:7c:44:5c:2e:b3: + 26:be:77:99:95:9a:f3:51:78:24:38:48:d4:9c:94: + 3c:2d:ea:c7:9f:d7:1c:56:50:71:2f:f1:56:3e:2e: + e4:33:de:ba:28:c9:79:aa:e4:69:bf:46:f1:35:b3: + 70:13:45:67:55:84:e2:a3:1f:e2:9a:3d:8a:bc:62: + 4b:fd:fd:a0:a1:46:0a:5d:97:fc:81:ee:11:d9:a4: + 05:b8:b2:b9:05:44:15:47:ef:ec:3c:10:6f:04:04: + 93:7a:ce:b5:9b:92:bb:c1:49:2a:61:cc:3e:0e:cc: + 2a:8a:7a:14:6c:a6:cd:39:d5:33:a6:e8:b6:e0:95: + 76:92:ea:91:ee:76:4d:6b:1d:17:6f:7a:20:f2:5b: + 3d:8c:94:30:5b:db:5d:98:8f:ea:3a:85:0f:e3:07: + 8b:84:93:e5:e1:45:34:66:d3:9c:26:91:cb:28:03: + 0a:07:0b:9c:7e:17:8b:06:a5:c4:8d:5a:77:97:4f: + 47:f5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + E6:C2:40:43:AB:57:32:1A:E1:E6:48:76:C4:67:7A:9F:3D:57:E1:6E + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + a7:6d:a4:f3:d5:db:f7:73:79:43:3f:b6:f5:7a:fc:00:88:58: + cf:ec:05:6e:55:df:82:25:6b:f8:d8:0c:0a:c0:00:d9:5a:57: + 94:e6:0e:02:3a:43:fb:d1:b9:68:11:d8:2f:04:49:2e:ea:fc: + 33:16:d9:2f:f7:05:7d:06:1f:2e:f6:47:a2:78:ab:f3:25:01: + aa:dc:3c:d7:62:60:9b:7f:bb:46:fa:ab:ed:56:61:58:87:f2: + 24:db:4c:0b:ad:3a:56:d3:73:2c:04:2c:33:d7:1a:52:76:a3: + db:85:a9:ce:01:42:38:dc:77:5a:fe:9a:0f:d2:9a:70:e2:f9: + 26:f9:e8:fd:be:a7:a3:37:9d:f5:21:81:1d:69:06:f5:37:43: + 2b:30:92:be:20:df:b3:e4:5b:ec:04:9a:ba:64:65:17:a9:2a: + 4b:7d:ea:fa:ad:83:8c:00:f6:ea:1b:bb:cd:22:26:99:ba:1f: + 3e:4f:bd:e9:b0:67:d7:27:91:97:9d:e6:cb:c4:a4:7e:bf:31: + de:2b:e6:d7:14:89:fe:13:b2:db:ed:74:ab:8e:16:15:be:a6: + 1c:60:52:4f:8f:bf:67:bb:0d:7d:62:e2:66:70:2b:89:1e:32: + a5:1a:8e:b2:82:e2:90:bc:15:19:8f:93:41:2c:a4:ac:cb:df: + f7:8c:43:7a +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIRAKaUF3I3R8eY8aNZJzpgak0wDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwMzI5MTUwNTMzWhcNMjUwMzI5MTUw +NTMzWjCBqDELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAO/+YOKBE9v/t+4tWvTsPESn4HqPmDFwUymF0HcCoEmT +iWyCxJUSRKWK2UbxGYTYkee+Wl4ukrT4rrXZN1v8uGxES3Sv53xEXC6zJr53mZWa +81F4JDhI1JyUPC3qx5/XHFZQcS/xVj4u5DPeuijJearkab9G8TWzcBNFZ1WE4qMf +4po9irxiS/39oKFGCl2X/IHuEdmkBbiyuQVEFUfv7DwQbwQEk3rOtZuSu8FJKmHM +Pg7MKop6FGymzTnVM6botuCVdpLqke52TWsdF296IPJbPYyUMFvbXZiP6jqFD+MH +i4ST5eFFNGbTnCaRyygDCgcLnH4XiwalxI1ad5dPR/UCAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFObCQEOrVzIa4eZIdsRnep89V+FuMB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAp22k89Xb93N5Qz+29Xr8 +AIhYz+wFblXfgiVr+NgMCsAA2VpXlOYOAjpD+9G5aBHYLwRJLur8MxbZL/cFfQYf +LvZHonir8yUBqtw812Jgm3+7Rvqr7VZhWIfyJNtMC606VtNzLAQsM9caUnaj24Wp +zgFCONx3Wv6aD9KacOL5Jvno/b6nozed9SGBHWkG9TdDKzCSviDfs+Rb7ASaumRl +F6kqS33q+q2DjAD26hu7zSImmbofPk+96bBn1yeRl53my8Skfr8x3ivm1xSJ/hOy +2+10q44WFb6mHGBST4+/Z7sNfWLiZnAriR4ypRqOsoLikLwVGY+TQSykrMvf94xD +eg== +-----END CERTIFICATE----- diff --git a/v3/testdata/orgid_subj_and_ext_ok_05.pem b/v3/testdata/orgid_subj_and_ext_ok_05.pem new file mode 100644 index 000000000..3f259f339 --- /dev/null +++ b/v3/testdata/orgid_subj_and_ext_ok_05.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 44:94:07:44:46:97:7c:ba:96:a2:d0:d5:53:54:05:00 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Mar 30 09:08:27 2024 GMT + Not After : Mar 30 09:08:27 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization, organizationIdentifier = VATIT-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:f0:5d:f1:11:dd:94:9d:28:e6:b2:fc:9f:cd:74: + 9c:20:58:1b:f9:0d:85:bb:9d:a6:b2:5d:23:3c:78: + c0:42:be:15:de:56:01:13:73:60:a4:39:a1:4c:38: + dd:5f:df:f6:18:13:c7:e5:24:de:14:e5:56:00:87: + 10:03:fd:7b:cc:b6:79:57:62:3d:86:e3:8a:46:a5: + 9a:99:85:a4:f3:b4:60:d3:81:16:11:f6:7a:77:27: + 0e:ca:27:29:fe:b9:79:2d:48:18:a2:ec:7b:31:b6: + 0f:64:88:ea:42:87:31:9f:52:a6:41:62:3e:9e:20: + d7:3b:28:9f:d0:89:cc:13:87:71:e8:2d:a2:3d:cc: + 96:e7:1d:b1:b4:23:cc:3a:47:4b:4a:79:3a:b4:97: + 5b:f1:68:f3:be:33:fc:dc:1d:24:3c:3f:1b:7a:6c: + 84:d8:22:c2:ac:46:55:f6:fd:1c:d6:34:4e:85:47: + a2:f3:f0:ac:25:58:f3:fb:5b:0b:ef:c7:1b:64:1c: + 3f:7a:38:69:be:06:67:76:a5:0e:9e:ba:14:f3:0b: + 36:0c:26:3a:1e:38:d5:0f:7a:ee:96:3a:2d:ed:74: + f8:c9:87:8a:51:96:1a:1c:e9:57:98:e2:bc:d6:e6: + 6d:f3:2f:4c:ef:61:da:4c:b7:52:32:6f:e7:ba:0a: + 16:15 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 34:67:E3:3B:A9:07:DF:54:DD:6D:7B:55:DB:E3:53:BA:3C:06:2F:AB + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root 
+ + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 00:f6:56:fa:d5:b9:62:35:7e:61:93:f7:8a:a7:7f:ca:ff:2b: + e6:ec:11:f4:34:81:ca:00:f7:19:e3:64:e3:0b:ec:51:b7:59: + 2f:5d:bc:b8:eb:e6:d3:1a:b5:eb:49:da:fb:83:73:0d:75:68: + 92:41:83:62:6a:5b:67:89:67:db:a3:0d:fd:8b:c6:27:32:af: + 7f:db:ab:2c:b9:99:c3:06:38:df:79:26:d8:4a:53:2a:01:96: + b4:59:d8:52:f8:76:80:d2:dd:d8:c2:aa:c5:26:dc:6c:9c:15: + 96:5c:10:07:88:a1:37:e3:07:0b:89:b7:ea:85:13:b7:6c:a7: + 3d:37:a2:67:43:d2:84:44:88:90:6f:26:87:93:a9:f7:9e:61: + 13:cf:9b:85:7d:c2:d0:9e:2b:64:a9:35:65:ff:cc:ec:b4:9b: + 1f:63:3b:6a:e7:83:25:75:18:e7:08:7f:8e:8b:97:94:d1:0d: + 63:67:bf:b3:58:8c:bc:ba:a0:dd:59:c5:4e:3a:ba:6f:28:80: + e0:fd:1d:4d:09:55:1a:c6:7f:27:44:d4:5a:0e:01:f6:a3:15: + ee:4d:0a:5c:0a:6d:6b:53:4a:80:12:11:0f:60:d5:f2:53:93: + 93:c2:fe:13:5b:ca:67:f9:3a:5c:13:52:33:bd:ea:c3:69:f9: + b5:29:6b:26 +-----BEGIN CERTIFICATE----- +MIIExzCCA6+gAwIBAgIQRJQHREaXfLqWotDVU1QFADANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDAzMzAwOTA4MjdaFw0yNTAzMzAwOTA4 +MjdaMIHDMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRkwFwYDVQRhExBWQVRJVC0x +MjM0NTY3ODkwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8F3xEd2U +nSjmsvyfzXScIFgb+Q2Fu52msl0jPHjAQr4V3lYBE3NgpDmhTDjdX9/2GBPH5STe +FOVWAIcQA/17zLZ5V2I9huOKRqWamYWk87Rg04EWEfZ6dycOyicp/rl5LUgYoux7 +MbYPZIjqQocxn1KmQWI+niDXOyif0InME4dx6C2iPcyW5x2xtCPMOkdLSnk6tJdb +8WjzvjP83B0kPD8bemyE2CLCrEZV9v0c1jROhUei8/CsJVjz+1sL78cbZBw/ejhp +vgZndqUOnroU8ws2DCY6HjjVD3ruljot7XT4yYeKUZYaHOlXmOK81uZt8y9M72Ha 
+TLdSMm/nugoWFQIDAQABo4IBNDCCATAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW +MBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUNGfjO6kH31TdbXtV2+NT +ujwGL6swHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYIKwYBBQUH +AQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vb2Nz +cDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jvb3QwFgYD +VR0RBA8wDYILZXhhbXBsZS5jb20wEgYDVR0gBAswCTAHBgVngQwBATAtBgNVHR8E +JjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMA0GCSqGSIb3 +DQEBCwUAA4IBAQAA9lb61bliNX5hk/eKp3/K/yvm7BH0NIHKAPcZ42TjC+xRt1kv +Xby46+bTGrXrSdr7g3MNdWiSQYNialtniWfbow39i8YnMq9/26ssuZnDBjjfeSbY +SlMqAZa0WdhS+HaA0t3YwqrFJtxsnBWWXBAHiKE34wcLibfqhRO3bKc9N6JnQ9KE +RIiQbyaHk6n3nmETz5uFfcLQnitkqTVl/8zstJsfYztq54MldRjnCH+Oi5eU0Q1j +Z7+zWIy8uqDdWcVOOrpvKIDg/R1NCVUaxn8nRNRaDgH2oxXuTQpcCm1rU0qAEhEP +YNXyU5OTwv4TW8pn+TpcE1IzverDafm1KWsm +-----END CERTIFICATE----- From ae29a40d1e5c592c0be51abe056b1661117182b5 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sat, 30 Mar 2024 11:30:58 +0100 Subject: [PATCH 12/29] Add files via upload --- ...lint_ev_orgid_inconsistent_subj_and_ext.go | 114 ++++++++++++++++++ ...ev_orgid_inconsistent_subj_and_ext_test.go | 97 +++++++++++++++ 2 files changed, 211 insertions(+) create mode 100644 v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go create mode 100644 v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go diff --git a/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go new file mode 100644 index 000000000..1914213c8 --- /dev/null +++ b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go 
@@ -0,0 +1,114 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_ev
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "errors"
+ "regexp"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ev_orgid_inconsistent_subj_and_ext",
+ Description: "Checks that the organizationIdentifier Subject attribute and the CABFOrganizationIdentifier extension are consistent",
+ Citation: "EVGs 9.2.8 and 9.8.2",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.CABFEV_Sec9_2_8_Date,
+ },
+ Lint: NewOrgIdInconsistentSubjAndExt,
+ })
+}
+
+// According to EVGs 9.2.8
+type OrganizationIdentifier struct {
+ Scheme string
+ Country string
+ State string
+ Reference string
+}
+
+func ParseOrgId(orgIdString string, orgId *OrganizationIdentifier) error {
+
+ // This is according to the EVG (stricter than ETSI EN 319 412-1)
+ OrgIdPattern := `^[A-Z]{3}[A-Z]{2}(?:\+[A-Z]{2})?\-.+$`
+
+ compiledRegexp, err := regexp.Compile(OrgIdPattern)
+ if err != nil {
+ // This should neve occur, but one never knows....
+ panic(err)
+ }
+
+ if !compiledRegexp.MatchString(orgIdString) {
+ return errors.New("Cannot parse organizationIdentifier: it is probably invalid")
+ }
+
+ orgId.Scheme = orgIdString[0:3]
+ orgId.Country = orgIdString[3:5]
+
+ if orgIdString[5] == '+' {
+ orgId.State = orgIdString[6:8]
+ orgId.Reference = orgIdString[9:]
+ } else {
+ orgId.Reference = orgIdString[6:]
+ }
+
+ return nil
+}
+
+type orgIdInconsistentSubjAndExt struct{}
+
+func NewOrgIdInconsistentSubjAndExt() lint.LintInterface {
+ return &orgIdInconsistentSubjAndExt{}
+}
+
+func (l *orgIdInconsistentSubjAndExt) CheckApplies(c *x509.Certificate) bool {
+ // It is actually mandatory that, if orgId is present, cabfOrgId be present as well,
+ // however this is already checked by another lint
+ return util.IsEV(c.PolicyIdentifiers) && (len(c.Subject.OrganizationIDs) > 0) &&
+ util.IsExtInCert(c, util.CabfExtensionOrganizationIdentifier)
+}
+
+func (l *orgIdInconsistentSubjAndExt) Execute(c *x509.Certificate) *lint.LintResult {
+ // It should be safe to assume there is only one element in OrganizationIDs
+ var orgId OrganizationIdentifier
+ err := ParseOrgId(c.Subject.OrganizationIDs[0], &orgId)
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "the organizationIdentifier Subject attribute probably has an invalid value"}
+ }
+
+ if (c.CABFOrganizationIdentifier.Scheme != orgId.Scheme) ||
+ (c.CABFOrganizationIdentifier.Country != orgId.Country) ||
+ (c.CABFOrganizationIdentifier.State != orgId.State) ||
+ (c.CABFOrganizationIdentifier.Reference != orgId.Reference) {
+
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "CABFOrganizationIdentifier is NOT consistent with organizationIdentifier"}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go
new file mode 100644
index 000000000..a8592c41b
--- /dev/null
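Review bot: `Execute` reads `c.CABFOrganizationIdentifier.Scheme` and the three sibling fields without checking that the parsed extension is actually there; `CheckApplies` only establishes, through `util.IsExtInCert`, that the extension OID is present. If that field is a pointer that stays nil when the extension bytes do not decode (the zcrypto type is not visible in this hunk), a certificate with a malformed extension would panic the linter instead of producing a finding. A guard before the comparison, `if c.CABFOrganizationIdentifier == nil { return &lint.LintResult{Status: lint.Error, Details: "CABFOrganizationIdentifier extension could not be parsed"} }`, keeps it a lint result. Separately, only `c.Subject.OrganizationIDs[0]` is compared, so a subject carrying more than one organizationIdentifier is judged on the first value alone; checking every value, or returning `lint.Error` when `len(c.Subject.OrganizationIDs) > 1`, would close that gap.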
+++ b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go 
@@ -0,0 +1,97 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+/*
+ === Pass test cases ===
+ orgid_subj_and_ext_ok_01.pem EV cert with orgId=="VATIT-1234567890" and cabfOrgId consistent
+
+ === NA test cases ===
+ orgid_subj_and_ext_ok_02.pem OV cert with orgId=="VATIT-1234567890" and cabfOrgId NOT consistent
+ orgid_subj_and_ext_ok_04.pem EV cert without orgId
+ orgid_subj_and_ext_ok_05.pem EV cert with orgId but NO cabfOrgId (which is wrong, but not this lint's business)
+
+ === NE test cases ===
+ orgid_subj_and_ext_ok_03.pem EV cert with orgId and cabfOrgId NOT consistent, but issued before 31/1/2020
+
+ === Fail test cases ===
+ orgid_subj_and_ext_ko_01.pem EV cert with orgId=="NTRUS+CA-1234567890" and cabfOrgId NOT consistent
+ orgid_subj_and_ext_ko_02.pem EV cert with orgId=="PSDAT-FMA-1234567890" and cabfOrgId NOT consistent
+ orgid_subj_and_ext_ko_03.pem EV cert with invalid orgId ("VATBEE-12345")
+*/
+
+package cabf_ev
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestOrgIdInconsistentSubjAndExt(t *testing.T) {
+
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+
+ data := []Data{
+ {
+ input: "orgid_subj_and_ext_ok_01.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "orgid_subj_and_ext_ok_02.pem",
+ want: lint.NA,
+ },
+ {
+ input: "orgid_subj_and_ext_ok_03.pem",
+ want: lint.NE,
+ },
+ {
+ input: "orgid_subj_and_ext_ok_04.pem",
+ want: lint.NA,
+ },
+ {
+ input: "orgid_subj_and_ext_ok_05.pem",
+ want: lint.NA,
+ },
+ {
+ input: "orgid_subj_and_ext_ko_01.pem",
+ want: lint.Error,
+ },
+ {
+ input: "orgid_subj_and_ext_ko_02.pem",
+ want: lint.Error,
+ },
+ {
+ input: "orgid_subj_and_ext_ko_03.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_ev_orgid_inconsistent_subj_and_ext", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
From faa938dc4e6f59d0311334561cdfa699f00a8179 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Sun, 7 Apr 2024 17:39:11 +0200 Subject: [PATCH 13/29] Revised according to Chris and Corey suggestions --- ...lint_ev_orgid_inconsistent_subj_and_ext.go | 36 ++++++++++--------- 1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go
index 1914213c8..e32eab51e 100644
--- a/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go
+++ b/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go
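Review bot: The table has a single `lint.Pass` case, `orgid_subj_and_ext_ok_01.pem` with `VATIT-1234567890`, so the `+` state/province form of the identifier is only reached through `orgid_subj_and_ext_ko_01.pem`, which is expected to fail anyway. A mistake in how `ParseOrgId` splits State from Reference would therefore go unnoticed; a passing certificate whose subject value and extension both carry a subdivision (constructed example: `NTRUS+CA-1234567890` with a matching extension) would pin it. A case where the extension OID is present but its content does not decode would also be worth adding, to show the lint returns a result rather than crashing.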
@@ -49,31 +49,35 @@ type OrganizationIdentifier struct { Reference string } -func ParseOrgId(orgIdString string, orgId *OrganizationIdentifier) error { +// This is according to the EVG (stricter than ETSI EN 319 412-1) +var OrgIdPattern = `^(?P[A-Z]{3})(?P[A-Z]{2})(?:\+(?P[A-Z]{2}))?\-(?P.+)$` - // This is according to the EVG (stricter than ETSI EN 319 412-1) - OrgIdPattern := `^[A-Z]{3}[A-Z]{2}(?:\+[A-Z]{2})?\-.+$` +func ParseOrgId(orgIdString string, orgId *OrganizationIdentifier) error { - compiledRegexp, err := regexp.Compile(OrgIdPattern) - if err != nil { - // This should neve occur, but one never knows.... - panic(err) - } + re := regexp.MustCompile(OrgIdPattern) - if !compiledRegexp.MatchString(orgIdString) { + if !re.MatchString(orgIdString) { return errors.New("Cannot parse organizationIdentifier: it is probably invalid") } - orgId.Scheme = orgIdString[0:3] - orgId.Country = orgIdString[3:5] + names := re.SubexpNames() + match := re.FindStringSubmatch(orgIdString) + + // Initialize a map to hold group names and values + result := make(map[string]string) - if orgIdString[5] == '+' { - orgId.State = orgIdString[6:8] - orgId.Reference = orgIdString[9:] - } else { - orgId.Reference = orgIdString[6:] + // Populate the map + for i, name := range names { + if i != 0 && name != "" { // Skip the whole match and unnamed groups + result[name] = match[i] + } } + orgId.Scheme = result["scheme"] + orgId.Country = result["country"] + orgId.State = result["state"] + orgId.Reference = result["reference"] + return nil } From d2aa5b1199885f5af6d948ed9034041c90e7b8bf Mon Sep 17 00:00:00 2001 
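Review bot: `OrgIdPattern` is now an exported, reassignable package `var`, and `ParseOrgId` calls `regexp.MustCompile(OrgIdPattern)` on every invocation, so any importer that assigns to it can make each EV lint run panic, and the pattern is recompiled for every certificate. Compiling once into an unexported value, `var orgIdRegexp = regexp.MustCompile(...)` with the same pattern literal, removes both problems. `re.MatchString` followed by `re.FindStringSubmatch` also runs the match twice; `match := orgIdRegexp.FindStringSubmatch(orgIdString)` with `if match == nil { return errors.New(...) }` does it in one pass, and `orgIdRegexp.SubexpIndex("scheme")` can stand in for the temporary map.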
From: Adriano Santoni Date: Mon, 8 Apr 2024 10:38:37 +0200 Subject: [PATCH 14/29] Add files via upload --- v3/lints/cabf_br/lint_e_invalid_cps_uri.go | 74 +++++++++++++++++ .../cabf_br/lint_e_invalid_cps_uri_test.go | 83 +++++++++++++++++++ 2 files changed, 157 insertions(+) create mode 100644 v3/lints/cabf_br/lint_e_invalid_cps_uri.go create mode 100644 v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go diff --git a/v3/lints/cabf_br/lint_e_invalid_cps_uri.go b/v3/lints/cabf_br/lint_e_invalid_cps_uri.go new file mode 100644 index 000000000..a2c542d50 --- /dev/null +++ b/v3/lints/cabf_br/lint_e_invalid_cps_uri.go 
@@ -0,0 +1,74 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "net/url"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_invalid_cps_uri",
+ Description: "If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL",
+ Citation: "CABF BR 7.1.2 (several subsections thereof)",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewInvalidCPSUri,
+ })
+}
+
+type invalidCPSUri struct{}
+
+func NewInvalidCPSUri() lint.LintInterface {
+ return &invalidCPSUri{}
+}
+
+func (l *invalidCPSUri) CheckApplies(c *x509.Certificate) bool {
+ return util.IsExtInCert(c, util.CertPolicyOID)
+}
+
+func isValidHttpOrHttpsURL(input string) bool {
+ parsedURL, err := url.Parse(input)
+ if err != nil {
+ return false
+ }
+
+ scheme := parsedURL.Scheme
+ return scheme == "http" || scheme == "https"
+}
+
+func (l *invalidCPSUri) Execute(c *x509.Certificate) *lint.LintResult {
+ // There should normally be just one CPS URI, but one never knows...
+ for _, pol := range c.CPSuri {
+ for _, uri := range pol {
+ if !isValidHttpOrHttpsURL(uri) {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go b/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
new file mode 100644
index 000000000..7170bfa07
--- /dev/null
+++ b/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
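Review bot: `isValidHttpOrHttpsURL` accepts anything `url.Parse` can read whose scheme is `http` or `https`, which includes values with no host such as `http:` or `https:///cps` (constructed examples), so a CPS URI that nobody can dereference still gets `lint.Pass`. Requiring a host closes that: `return (scheme == "http" || scheme == "https") && parsedURL.Host != ""`. The `lint.Error` result in `Execute` also carries no `Details`, so the report does not say which URI was rejected; `Details: fmt.Sprintf("invalid CPS URI: %q", uri)` would help whoever triages it, with `fmt` added to the imports and `%q` keeping certificate-controlled bytes escaped in the output. The table in `lint_e_invalid_cps_uri_test.go` covers a disallowed scheme and a missing scheme but has no host-less case either.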
@@ -0,0 +1,83 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+/*
+ === Pass test cases ===
+ invalid_cps_uri_ok_01.pem Certificate with a well-formed CPS URI
+ invalid_cps_uri_ok_02.pem Certificate without a CPS URI
+
+ === NE test cases ===
+ invalid_cps_uri_ok_03.pem Certificate with an invalid CPS URI, but issued before effective date
+
+ === Fail test cases ===
+ invalid_cps_uri_ko_01.pem Certificate with an invalid CPS URI (disallowed scheme)
+ invalid_cps_uri_ko_02.pem Certificate with an invalid CPS URI (syntax error)
+ invalid_cps_uri_ko_03.pem Certificate with two CPS URIs, one good and one bad
+*/
+
+func TestInvalidCPSUri(t *testing.T) {
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+ data := []Data{
+ {
+ input: "invalid_cps_uri_ok_01.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_cps_uri_ok_02.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_cps_uri_ok_03.pem",
+ want: lint.NE,
+ },
+ {
+ input: "invalid_cps_uri_ko_01.pem",
+ want: lint.Error,
+ },
+ {
+ input: "invalid_cps_uri_ko_02.pem",
+ want: lint.Error,
+ },
+ {
+ input: "invalid_cps_uri_ko_03.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_invalid_cps_uri", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
From b827d18210d977c332411e8db7599161305f92e0 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 10:40:01 +0200 Subject: [PATCH 15/29] Add files via upload --- v3/testdata/invalid_cps_uri_ko_01.pem | 109 +++++++++++++++++++++++++ v3/testdata/invalid_cps_uri_ko_02.pem | 109 +++++++++++++++++++++++++ v3/testdata/invalid_cps_uri_ko_03.pem | 112 ++++++++++++++++++++++++++ v3/testdata/invalid_cps_uri_ok_01.pem | 109 +++++++++++++++++++++++++ v3/testdata/invalid_cps_uri_ok_02.pem | 107 ++++++++++++++++++++++++ v3/testdata/invalid_cps_uri_ok_03.pem | 109 +++++++++++++++++++++++++ 6 files changed, 655 insertions(+) create mode 100644 v3/testdata/invalid_cps_uri_ko_01.pem create mode 100644 v3/testdata/invalid_cps_uri_ko_02.pem create mode 100644 v3/testdata/invalid_cps_uri_ko_03.pem create mode 100644 v3/testdata/invalid_cps_uri_ok_01.pem create mode 100644 v3/testdata/invalid_cps_uri_ok_02.pem create mode 100644 v3/testdata/invalid_cps_uri_ok_03.pem
diff --git a/v3/testdata/invalid_cps_uri_ko_01.pem b/v3/testdata/invalid_cps_uri_ko_01.pem
new file mode 100644
index 000000000..708b80ce0
--- /dev/null
+++ b/v3/testdata/invalid_cps_uri_ko_01.pem
@@ -0,0 +1,109 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 793070860651290632 (0xb018dbef2d56008) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 30 16:57:00 2024 GMT + Not After : Aug 13 16:57:00 2024 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + CPS: ftp://www.some-ca.inc/cps + + Signature Algorithm: sha256WithRSAEncryption + 
97:54:ef:06:28:ff:dd:57:18:92:a4:e1:89:56:d5:90:f4:46: + 9d:df:f4:67:d4:5f:dd:b5:0c:33:0a:cb:bc:a4:3c:86:3b:0b: + 48:61:f0:0b:68:b1:72:ee:2a:55:f1:78:d4:25:10:ef:58:00: + 5f:2e:26:a8:76:32:0e:45:31:69:98:79:a7:5d:51:b5:5d:d8: + 4b:61:41:ee:02:ce:e6:10:18:cb:88:cd:3a:00:db:27:51:75: + ef:23:b8:61:2b:53:72:a6:fd:95:96:80:c2:3a:87:8a:f2:cf: + a4:c2:56:d2:8f:3d:52:28:a8:ee:11:c2:f4:0f:cb:6f:87:30: + 35:8d:bd:0f:a2:3f:25:6b:b3:68:de:46:8d:fa:23:d9:8a:43: + 90:a0:6b:97:cf:bb:8a:b5:e4:64:d0:dc:07:3f:e5:46:d0:d5: + 79:e7:0f:7b:0c:ac:4c:03:8c:d3:c3:55:14:76:ed:02:a6:e1: + 96:58:ab:2c:42:ac:6d:e7:75:04:3f:35:ae:7f:35:a0:5f:e7: + 10:df:22:3f:94:eb:a2:9a:1a:a7:75:8d:f8:13:95:c4:a0:bc: + a5:90:ab:8f:af:f5:42:ba:c0:15:47:c8:15:47:d9:98:70:c8: + ff:10:90:1b:68:3d:74:ed:ec:94:14:70:5a:33:ce:1a:d7:ba: + 9a:38:0e:d3:dc:9c:83:54:19:5e:bc:95:7e:ed:e6:8e:18:93: + 28:c8:b9:77:a5:e5:a9:31:8e:29:9c:b2:8c:e3:d5:29:ce:5f: + 5d:1c:b7:f7:00:36:5a:38:e3:99:a0:7c:20:a6:38:dd:6d:5b: + d8:76:e1:03:51:51:d2:7b:3b:01:35:4a:88:76:72:63:61:19: + 7e:4e:79:62:7a:c0:e6:0c:a8:9e:3e:cf:15:1a:98:ab:f1:67: + 8e:f7:4d:a4:01:b7:72:59:44:ec:e2:2d:d0:be:d0:9e:4f:af: + 4f:56:06:90:c8:04:b3:04:cd:00:ca:c9:cb:d3:c4:04:0c:d6: + 2e:0b:c7:85:05:31:32:89:70:4e:2f:b9:f1:04:b5:35:1f:0d: + 12:0d:8d:fe:3c:1f:c7:bf:10:5d:01:c8:56:27:83:3d:67:ac: + 82:e6:40:70:89:8d:c7:d7:5b:e2:3d:95:1d:e4:fa:92:ce:4e: + f7:47:88:e0:b7:10:60:8b:5f:8f:6c:7f:53:56:db:4b:ab:84: + db:d1:42:28:f9:de:35:4d:ad:c7:d7:e8:8c:13:c5:24:51:88: + 3e:f3:9d:b3:7a:ba:14:9a:ac:ae:6b:a4:6e:c3:7c:53:18:0d: + b2:9f:17:c7:96:de:56:ef:fd:bd:b8:b7:30:d0:7c:81:28:4c: + 12:db:c0:f0:e5:50:83:cb +-----BEGIN CERTIFICATE----- +MIIFKDCCAxCgAwIBAgIICwGNvvLVYAgwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 +NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
+BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS +BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4G9MIG6MAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwRAYDVR0gBD0wOzAIBgZngQwBAgIwLwYEKgMEBTAnMCUGCCsGAQUFBwIBFhlm +dHA6Ly93d3cuc29tZS1jYS5pbmMvY3BzMA0GCSqGSIb3DQEBCwUAA4ICAQCXVO8G +KP/dVxiSpOGJVtWQ9Ead3/Rn1F/dtQwzCsu8pDyGOwtIYfALaLFy7ipV8XjUJRDv +WABfLiaodjIORTFpmHmnXVG1XdhLYUHuAs7mEBjLiM06ANsnUXXvI7hhK1Nypv2V +loDCOoeK8s+kwlbSjz1SKKjuEcL0D8tvhzA1jb0Poj8la7No3kaN+iPZikOQoGuX +z7uKteRk0NwHP+VG0NV55w97DKxMA4zTw1UUdu0CpuGWWKssQqxt53UEPzWufzWg +X+cQ3yI/lOuimhqndY34E5XEoLylkKuPr/VCusAVR8gVR9mYcMj/EJAbaD107eyU +FHBaM84a17qaOA7T3JyDVBlevJV+7eaOGJMoyLl3peWpMY4pnLKM49Upzl9dHLf3 +ADZaOOOZoHwgpjjdbVvYduEDUVHSezsBNUqIdnJjYRl+TnliesDmDKiePs8VGpir +8WeO902kAbdyWUTs4i3QvtCeT69PVgaQyASzBM0AysnL08QEDNYuC8eFBTEyiXBO +L7nxBLU1Hw0SDY3+PB/HvxBdAchWJ4M9Z6yC5kBwiY3H11viPZUd5PqSzk73R4jg +txBgi1+PbH9TVttLq4Tb0UIo+d41Ta3H1+iME8UkUYg+852zeroUmqyua6Ruw3xT +GA2ynxfHlt5W7/29uLcw0HyBKEwS28Dw5VCDyw== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_cps_uri_ko_02.pem b/v3/testdata/invalid_cps_uri_ko_02.pem new file mode 100644 index 000000000..8e87b4c1f --- /dev/null +++ b/v3/testdata/invalid_cps_uri_ko_02.pem 
@@ -0,0 +1,109 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1892436556900320617 (0x1a4349059e01c569) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 30 16:57:00 2024 GMT + Not After : Aug 13 16:57:00 2024 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + CPS: www.some-ca.inc + + Signature Algorithm: sha256WithRSAEncryption + 16:57:14:9b:a6:7b:51:88:49:42:81:dc:ae:c0:13:ff:5e:55: + 
cf:24:5b:c8:00:68:dc:ac:7f:23:db:e5:24:bd:da:93:71:70: + c1:4a:7c:22:09:61:51:da:07:52:b7:5c:e8:0f:9e:30:6f:8e: + 5e:33:0b:a2:75:2a:14:85:80:a9:72:5d:ba:c0:31:31:4f:b7: + 56:ae:37:0a:9b:79:e5:34:5a:24:44:c6:c0:6f:b8:39:de:96: + 69:43:f3:e9:69:c0:eb:5a:f3:c3:2b:7a:03:8b:d4:06:c6:a7: + de:09:00:c5:85:12:0f:6b:bb:1d:96:c7:e2:7a:17:56:17:dd: + c5:25:2c:41:3c:cb:d9:77:b6:fc:81:5b:d3:16:d1:c7:6b:8a: + bc:0e:5a:30:74:33:12:dd:ff:40:a4:83:2a:83:58:72:41:84: + 19:87:f9:5c:3a:1d:c7:79:ca:5f:2c:ec:60:f3:a2:64:33:f4: + 87:d8:f9:54:ba:28:7f:69:e7:2f:f7:40:04:90:86:21:3c:68: + 0e:ee:c9:b2:ce:47:d7:2c:8a:90:65:83:70:59:53:fd:8a:df: + f7:2c:91:c2:06:be:ed:9b:89:65:47:32:ec:ec:70:c1:5c:7f: + ee:24:ea:ec:a7:b5:6f:28:b0:11:5f:47:e7:f5:ce:82:63:36: + 6b:7a:74:53:00:e3:72:2c:1d:9e:4e:e7:27:54:59:1d:43:61: + 36:53:bc:ba:7c:d4:d4:db:af:bd:4e:1c:a2:de:98:f0:a9:48: + 75:73:1d:2a:cd:ea:12:b0:a9:dd:25:01:f7:e4:3c:15:8c:cb: + 53:ff:d1:33:b8:a0:4d:fa:c7:c3:d8:b9:6d:e3:df:62:77:6e: + 89:7b:17:c4:bc:96:3f:ed:25:72:f2:7b:66:04:49:da:91:a9: + 73:ca:50:9b:ad:e2:46:ef:dd:7f:7a:14:55:df:ad:c5:55:f9: + f8:77:a7:1c:09:d7:42:ff:28:ef:c6:5b:e0:b5:f0:80:d8:ac: + 09:45:1c:eb:a0:e5:69:07:de:ef:6d:b3:0d:6b:5d:e8:ea:d3: + 9b:b3:98:70:45:fd:8f:5b:53:14:c0:e6:0b:57:5f:9a:37:14: + 69:e2:10:8f:ab:59:3f:b7:54:51:4f:03:6c:1d:ce:54:40:2a: + be:f2:b5:f6:c8:25:b4:70:be:f7:44:4d:ed:03:ab:c3:98:59: + 87:2a:41:be:5a:1b:d6:0d:40:11:64:ef:0f:13:37:fe:49:c3: + c7:df:f8:2d:e5:5a:6b:b4:e7:d2:52:1f:57:75:04:f9:0c:09: + 5a:b4:e6:8f:be:74:5f:24:9b:bd:92:4c:ee:3d:96:1d:a1:fa: + f2:51:42:4e:bc:a3:a8:c3 +-----BEGIN CERTIFICATE----- +MIIFHjCCAwagAwIBAgIIGkNJBZ4BxWkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 +NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE +BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS 
+BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4GzMIGwMAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwOgYDVR0gBDMwMTAIBgZngQwBAgIwJQYEKgMEBTAdMBsGCCsGAQUFBwIBFg93 +d3cuc29tZS1jYS5pbmMwDQYJKoZIhvcNAQELBQADggIBABZXFJume1GISUKB3K7A +E/9eVc8kW8gAaNysfyPb5SS92pNxcMFKfCIJYVHaB1K3XOgPnjBvjl4zC6J1KhSF +gKlyXbrAMTFPt1auNwqbeeU0WiRExsBvuDnelmlD8+lpwOta88MregOL1AbGp94J +AMWFEg9rux2Wx+J6F1YX3cUlLEE8y9l3tvyBW9MW0cdrirwOWjB0MxLd/0CkgyqD +WHJBhBmH+Vw6Hcd5yl8s7GDzomQz9IfY+VS6KH9p5y/3QASQhiE8aA7uybLOR9cs +ipBlg3BZU/2K3/cskcIGvu2biWVHMuzscMFcf+4k6uyntW8osBFfR+f1zoJjNmt6 +dFMA43IsHZ5O5ydUWR1DYTZTvLp81NTbr71OHKLemPCpSHVzHSrN6hKwqd0lAffk +PBWMy1P/0TO4oE36x8PYuW3j32J3bol7F8S8lj/tJXLye2YESdqRqXPKUJut4kbv +3X96FFXfrcVV+fh3pxwJ10L/KO/GW+C18IDYrAlFHOug5WkH3u9tsw1rXejq05uz +mHBF/Y9bUxTA5gtXX5o3FGniEI+rWT+3VFFPA2wdzlRAKr7ytfbIJbRwvvdETe0D +q8OYWYcqQb5aG9YNQBFk7w8TN/5Jw8ff+C3lWmu059JSH1d1BPkMCVq05o++dF8k +m72STO49lh2h+vJRQk68o6jD +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_cps_uri_ko_03.pem b/v3/testdata/invalid_cps_uri_ko_03.pem new file mode 100644 index 000000000..87f547721 --- /dev/null +++ b/v3/testdata/invalid_cps_uri_ko_03.pem 
@@ -0,0 +1,112 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1059656979734169929 (0xeb4a868a4d18949) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 30 16:57:00 2024 GMT + Not After : Aug 13 16:57:00 2024 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + CPS: https://www.some-ca.inc/cps + Policy: 1.3.6.1.5.1.1234567890.1.1 + CPS: this is not a valid url + + Signature Algorithm: 
sha256WithRSAEncryption + 93:29:fc:e5:54:0f:83:0a:37:36:85:37:90:d0:9c:4b:af:56: + 23:3e:88:6d:25:41:d2:23:4b:87:ee:9f:8b:6c:9b:eb:0d:5e: + 10:fa:44:8f:26:33:31:ec:7e:a8:7f:4a:91:ad:2b:fc:7c:db: + f3:fa:4c:76:5e:d6:39:78:99:f3:a6:52:ed:61:8e:8e:8f:71: + 9b:e6:d8:75:dd:b5:47:c3:f7:84:e8:ad:09:52:c9:76:0c:b2: + d3:e1:a9:cf:52:05:b2:d5:7e:9a:f4:67:15:7b:43:7e:7e:3f: + 84:ec:ca:a5:c8:b8:6e:09:64:6d:c7:58:53:e0:66:61:2d:9d: + fe:c7:e8:ff:1a:b0:ca:93:6f:c5:9f:4c:46:ef:54:41:f7:05: + a8:89:0f:64:27:1c:71:3a:1c:fa:ab:d0:0e:09:8b:67:f5:ce: + c5:5b:cb:bd:e6:42:e0:ef:75:f2:73:26:8e:a6:22:cd:b0:52: + 4d:ed:e5:cf:c2:64:2d:03:f2:b3:86:db:06:74:25:a8:19:e3: + 16:43:d9:0d:f7:31:58:d3:cb:5d:c4:74:1d:fa:30:a7:c1:b7: + 7e:3c:e1:9e:f1:6f:2b:5c:73:c2:68:33:2d:24:28:52:a1:f5: + 14:a5:9a:d7:27:fc:a9:be:7e:e9:05:e9:78:2f:6f:c4:ce:96: + 22:b6:f5:41:af:8d:c0:8a:85:c5:35:47:d0:8a:9c:71:e7:44: + 0f:34:5f:f3:fe:44:95:76:b3:1e:ad:a4:ee:cb:3c:3f:5a:bc: + 6f:43:55:a8:b9:80:47:38:c1:43:c0:f2:71:e9:d0:2b:b3:16: + 3d:3c:81:16:49:0c:d1:05:f0:5b:66:a9:02:a2:38:db:74:9c: + 0c:a9:50:b3:66:d8:12:80:8d:e1:dd:22:f3:22:4d:80:ce:2e: + 86:a2:8b:c0:d1:92:f7:8c:6d:1f:30:1d:d4:4c:8e:b5:91:b1: + dd:18:f9:9c:98:18:0f:ab:24:c9:ea:6f:9f:91:51:81:b0:ec: + 73:d1:c8:6f:f7:fd:62:2b:d8:18:eb:08:4b:32:ee:37:df:f7: + ed:0a:c7:6f:6f:ef:9e:6f:e4:9d:f5:c4:23:ab:de:38:74:7c: + 89:85:77:f1:5c:54:8f:71:33:9f:2c:fb:e5:58:92:f2:eb:de: + 90:04:b9:f5:b9:72:35:d0:10:75:e0:5a:0f:93:fa:1f:de:27: + 14:ff:60:a4:91:ac:e0:f4:57:a0:d5:21:ee:8a:79:e8:20:c7: + 66:82:30:3c:8b:eb:3c:7a:0c:33:64:e6:8c:2e:15:fd:60:62: + 9d:38:d1:03:3d:3d:09:69:c9:71:d8:ca:68:c1:54:80:e1:3a: + bb:71:aa:90:bc:11:81:3b +-----BEGIN CERTIFICATE----- +MIIFYTCCA0mgAwIBAgIIDrSoaKTRiUkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 
+NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE +BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS +BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4H2MIHzMAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwfQYDVR0gBHYwdDAIBgZngQwBAgIwMQYEKgMEBTApMCcGCCsGAQUFBwIBFhto +dHRwczovL3d3dy5zb21lLWNhLmluYy9jcHMwNQYMKwYBBQGEzNiFUgEBMCUwIwYI +KwYBBQUHAgEWF3RoaXMgaXMgbm90IGEgdmFsaWQgdXJsMA0GCSqGSIb3DQEBCwUA +A4ICAQCTKfzlVA+DCjc2hTeQ0JxLr1YjPohtJUHSI0uH7p+LbJvrDV4Q+kSPJjMx +7H6of0qRrSv8fNvz+kx2XtY5eJnzplLtYY6Oj3Gb5th13bVHw/eE6K0JUsl2DLLT +4anPUgWy1X6a9GcVe0N+fj+E7MqlyLhuCWRtx1hT4GZhLZ3+x+j/GrDKk2/Fn0xG +71RB9wWoiQ9kJxxxOhz6q9AOCYtn9c7FW8u95kLg73XycyaOpiLNsFJN7eXPwmQt +A/KzhtsGdCWoGeMWQ9kN9zFY08tdxHQd+jCnwbd+POGe8W8rXHPCaDMtJChSofUU +pZrXJ/ypvn7pBel4L2/EzpYitvVBr43AioXFNUfQipxx50QPNF/z/kSVdrMeraTu +yzw/WrxvQ1WouYBHOMFDwPJx6dArsxY9PIEWSQzRBfBbZqkCojjbdJwMqVCzZtgS +gI3h3SLzIk2Azi6GoovA0ZL3jG0fMB3UTI61kbHdGPmcmBgPqyTJ6m+fkVGBsOxz +0chv9/1iK9gY6whLMu433/ftCsdvb++eb+Sd9cQjq944dHyJhXfxXFSPcTOfLPvl +WJLy696QBLn1uXI10BB14FoPk/of3icU/2Ckkazg9Feg1SHuinnoIMdmgjA8i+s8 +egwzZOaMLhX9YGKdONEDPT0Jaclx2MpowVSA4Tq7caqQvBGBOw== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_cps_uri_ok_01.pem b/v3/testdata/invalid_cps_uri_ok_01.pem new file mode 100644 index 000000000..31baa3e55 --- /dev/null +++ b/v3/testdata/invalid_cps_uri_ok_01.pem 
@@ -0,0 +1,109 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6516163087356195736 (0x5a6e0fcdc860f398) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 30 16:57:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + CPS: https://ca.someca-inc.com/cps + + Signature Algorithm: sha256WithRSAEncryption + 
17:6a:75:79:9d:ae:e0:00:0c:93:9e:74:02:70:9d:e3:58:b2: + 55:4e:2c:88:b2:6c:89:87:c5:e4:ec:31:97:c6:12:b3:2e:92: + 1a:60:e8:40:23:99:93:c7:bc:d9:d1:ce:66:de:4b:14:b1:86: + c5:c6:9d:6c:28:16:e0:2d:74:ee:8c:49:b8:39:ad:a2:d3:25: + 8e:ac:f8:c7:af:7e:e5:1d:a8:f2:1b:e2:cb:69:94:e2:58:e1: + 47:4c:34:9d:f7:bd:a8:b0:f0:92:e5:05:94:a0:c0:38:3b:34: + 22:ef:cc:5c:47:db:fa:b0:82:2a:f5:8f:25:85:53:fe:fe:2c: + 9e:22:c0:78:02:e3:e9:32:71:11:01:cb:c7:d3:db:a7:e5:27: + 2c:72:44:d0:f4:4c:57:08:eb:26:36:e1:ee:40:ce:2f:81:45: + 75:1c:4f:d1:9d:c5:e5:f0:88:3c:c2:fb:0b:c4:6a:a8:7c:a6: + ea:5d:33:9e:b8:6e:92:57:af:13:12:51:4d:1b:8f:2e:bd:7d: + 2f:5e:2e:ac:57:9d:78:23:5b:1d:e5:4b:be:d3:d4:20:18:40: + 27:cd:4b:9a:f2:2e:1c:19:bf:6d:50:80:39:e2:28:70:c1:8b: + 4a:dc:2e:98:da:6d:12:ce:1e:58:29:fa:04:fe:14:6a:81:7c: + 9e:c2:fd:93:fe:00:f1:a0:fb:e6:94:5f:b8:aa:18:12:86:70: + e1:02:9a:e4:91:a6:3e:14:9d:8d:4c:33:0b:b5:61:96:96:e9: + 95:bd:34:83:79:42:a9:98:19:6e:d8:68:a6:af:56:15:da:e7: + e5:d1:b3:6d:af:cf:96:03:bb:90:73:4e:18:43:a7:30:3c:dc: + fb:b5:69:48:96:d1:27:c8:89:0a:2b:bc:8c:48:45:0c:60:bb: + 15:01:84:de:8c:e0:47:cb:b7:7a:c5:06:94:bf:6a:25:c5:57: + af:69:69:94:17:b3:21:6c:ef:74:a5:bc:39:3a:4c:f7:3b:fe: + ab:20:7d:51:bb:5d:c2:cc:8c:23:5d:41:6a:d3:8f:5e:cc:1e: + 6f:70:45:1f:7c:1c:d4:62:76:43:8a:f8:48:34:5d:a1:65:c1: + 4a:5a:d0:56:96:45:33:29:b2:38:86:7f:d0:1b:d6:53:61:d9: + c6:2d:ea:cc:a6:ba:5e:d3:54:a6:b7:bc:09:f9:d9:39:e3:7f: + 78:e2:ec:fc:cc:46:d7:1f:e6:70:5f:a7:88:cb:73:76:c0:57: + b6:14:80:6a:b4:dc:a8:dc:16:87:05:ae:bf:16:1c:a8:a5:c8: + 6a:e6:ab:1c:66:52:9b:04:77:70:67:57:58:d3:9b:32:29:ea: + 79:71:50:27:3a:b6:34:9e +-----BEGIN CERTIFICATE----- +MIIFLDCCAxSgAwIBAgIIWm4Pzchg85gwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjUwMzA4MDg1 +MDAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
+BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS +BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4HBMIG+MAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwSAYDVR0gBEEwPzAIBgZngQwBAgIwMwYEKgMEBTArMCkGCCsGAQUFBwIBFh1o +dHRwczovL2NhLnNvbWVjYS1pbmMuY29tL2NwczANBgkqhkiG9w0BAQsFAAOCAgEA +F2p1eZ2u4AAMk550AnCd41iyVU4siLJsiYfF5Owxl8YSsy6SGmDoQCOZk8e82dHO +Zt5LFLGGxcadbCgW4C107oxJuDmtotMljqz4x69+5R2o8hviy2mU4ljhR0w0nfe9 +qLDwkuUFlKDAODs0Iu/MXEfb+rCCKvWPJYVT/v4sniLAeALj6TJxEQHLx9Pbp+Un +LHJE0PRMVwjrJjbh7kDOL4FFdRxP0Z3F5fCIPML7C8RqqHym6l0znrhuklevExJR +TRuPLr19L14urFedeCNbHeVLvtPUIBhAJ81LmvIuHBm/bVCAOeIocMGLStwumNpt +Es4eWCn6BP4UaoF8nsL9k/4A8aD75pRfuKoYEoZw4QKa5JGmPhSdjUwzC7Vhlpbp +lb00g3lCqZgZbthopq9WFdrn5dGzba/PlgO7kHNOGEOnMDzc+7VpSJbRJ8iJCiu8 +jEhFDGC7FQGE3ozgR8u3esUGlL9qJcVXr2lplBezIWzvdKW8OTpM9zv+qyB9Ubtd +wsyMI11BatOPXsweb3BFH3wc1GJ2Q4r4SDRdoWXBSlrQVpZFMymyOIZ/0BvWU2HZ +xi3qzKa6XtNUpre8CfnZOeN/eOLs/MxG1x/mcF+niMtzdsBXthSAarTcqNwWhwWu +vxYcqKXIauarHGZSmwR3cGdXWNObMinqeXFQJzq2NJ4= +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_cps_uri_ok_02.pem b/v3/testdata/invalid_cps_uri_ok_02.pem new file mode 100644 index 000000000..3743ed739 --- /dev/null +++ b/v3/testdata/invalid_cps_uri_ok_02.pem 
@@ -0,0 +1,107 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1791917909163485810 (0x18de2bd82a59aa72) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Mar 30 16:57:00 2024 GMT + Not After : Mar 8 08:50:00 2025 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + + Signature Algorithm: sha256WithRSAEncryption + 7b:4a:e1:20:a9:28:1c:50:9b:f4:3d:eb:40:b4:02:96:05:4a: + 
cf:17:45:6c:6e:d8:4d:bd:d5:4e:26:64:37:4b:b4:7d:d6:b4: + bf:96:a6:1c:f1:a8:54:57:a3:6d:c9:12:82:c1:db:0d:78:f4: + f7:64:3b:88:fa:59:c3:3a:b0:a1:50:78:8b:4b:0a:dc:a3:64: + 77:16:2d:dc:ba:81:55:28:18:69:66:5f:94:0a:7a:06:b1:42: + 7d:c7:65:a1:b3:30:f9:2d:a5:20:cc:be:5e:e3:14:ce:67:f5: + 69:ea:11:7e:cd:62:be:89:eb:30:79:70:f3:fd:fd:e1:23:e9: + 27:20:b8:33:84:f2:e0:75:9c:c3:6b:41:69:42:72:9b:c3:21: + a4:be:fa:fa:87:21:e9:d0:1d:0a:ab:f3:07:a1:8e:f7:ea:47: + cf:e6:8c:8a:02:58:22:ca:17:3b:de:d7:43:63:63:0c:71:a1: + dc:77:43:fd:fc:07:e7:62:f8:d4:93:3b:a5:c8:33:1e:db:6c: + 91:03:91:6c:b2:0f:cf:c0:69:d8:60:6a:ea:08:d0:0d:48:47: + c8:e4:11:61:c4:2f:60:3a:3c:b4:38:90:d0:1b:70:d7:b1:e5: + fb:fd:35:81:be:38:88:5d:fc:2b:68:02:72:ee:00:ff:dd:40: + 72:63:d8:7b:4e:e8:c7:05:f0:45:73:d8:36:03:b4:65:c5:3b: + 0d:2d:61:99:91:c1:51:bb:f6:45:5d:d2:2a:31:a7:73:65:99: + 64:12:6c:79:96:98:0d:1f:e4:21:12:6f:7d:a3:a2:87:d3:29: + 1d:f3:2d:c9:e1:d5:74:af:09:bd:1e:85:07:f3:86:25:d6:f7: + 6e:37:d8:aa:10:9c:af:71:f6:07:4e:88:13:30:0e:2a:c9:24: + 19:8c:aa:f6:39:a7:36:92:6b:3b:c6:8e:66:2b:7d:0b:13:25: + e4:3b:30:c4:f9:f4:00:6f:ef:27:c2:45:6f:2e:06:c6:09:3a: + 91:51:28:e3:a6:db:68:51:4d:18:2c:ad:8b:c9:e2:c2:58:e3: + d7:d2:1f:85:8f:7b:0d:b1:60:08:6e:72:fd:e4:85:e3:68:39: + 4e:6d:b3:6f:4b:8a:71:be:ba:07:ba:e2:32:95:8b:83:ed:18: + 41:7c:b1:da:43:b6:1b:65:0a:61:0a:a9:3a:f8:59:8f:1e:34: + cd:52:c2:bd:c3:4d:3a:be:e8:10:01:0b:4a:16:1e:5a:0c:26: + 02:0f:a9:58:9d:70:44:a0:d6:ee:64:1c:68:40:f4:04:d5:2d: + 11:a0:76:7e:15:b3:5c:27:b2:87:b1:1c:7f:45:c9:b1:d0:2b: + 6c:c6:5d:80:c3:7b:43:0d +-----BEGIN CERTIFICATE----- +MIIE/zCCAuegAwIBAgIIGN4r2CpZqnIwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjUwMzA4MDg1 +MDAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE +BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS 
+BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4GUMIGRMAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwGwYDVR0gBBQwEjAIBgZngQwBAgIwBgYEKgMEBTANBgkqhkiG9w0BAQsFAAOC +AgEAe0rhIKkoHFCb9D3rQLQClgVKzxdFbG7YTb3VTiZkN0u0fda0v5amHPGoVFej +bckSgsHbDXj092Q7iPpZwzqwoVB4i0sK3KNkdxYt3LqBVSgYaWZflAp6BrFCfcdl +obMw+S2lIMy+XuMUzmf1aeoRfs1ivonrMHlw8/394SPpJyC4M4Ty4HWcw2tBaUJy +m8MhpL76+och6dAdCqvzB6GO9+pHz+aMigJYIsoXO97XQ2NjDHGh3HdD/fwH52L4 +1JM7pcgzHttskQORbLIPz8Bp2GBq6gjQDUhHyOQRYcQvYDo8tDiQ0Btw17Hl+/01 +gb44iF38K2gCcu4A/91AcmPYe07oxwXwRXPYNgO0ZcU7DS1hmZHBUbv2RV3SKjGn +c2WZZBJseZaYDR/kIRJvfaOih9MpHfMtyeHVdK8JvR6FB/OGJdb3bjfYqhCcr3H2 +B06IEzAOKskkGYyq9jmnNpJrO8aOZit9CxMl5DswxPn0AG/vJ8JFby4Gxgk6kVEo +46bbaFFNGCyti8niwljj19IfhY97DbFgCG5y/eSF42g5Tm2zb0uKcb66B7riMpWL +g+0YQXyx2kO2G2UKYQqpOvhZjx40zVLCvcNNOr7oEAELShYeWgwmAg+pWJ1wRKDW +7mQcaED0BNUtEaB2fhWzXCeyh7Ecf0XJsdArbMZdgMN7Qw0= +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_cps_uri_ok_03.pem b/v3/testdata/invalid_cps_uri_ok_03.pem new file mode 100644 index 000000000..39bff4caf --- /dev/null +++ b/v3/testdata/invalid_cps_uri_ok_03.pem 
@@ -0,0 +1,109 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5909114158428413719 (0x52016404ee5b5f17) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA + Validity + Not Before: Sep 13 16:57:00 2023 GMT + Not After : Aug 13 16:57:00 2024 GMT + Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: + c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: + e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: + 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: + af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: + d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: + 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: + e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: + 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: + d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: + b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: + da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: + e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: + 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: + aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: + 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: + 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: + e9:23 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + Policy: 1.2.3.4.5 + CPS: ftp://www.some-ca.inc/cps + + Signature Algorithm: sha256WithRSAEncryption + 
7e:98:f4:4b:2e:e1:88:8e:e1:7a:1c:8e:e2:9a:6b:55:4e:a0: + 74:63:1d:aa:3c:63:fb:a1:e4:e5:16:53:e0:db:a7:8d:e3:08: + 1b:20:82:67:83:53:84:09:9c:c9:0d:a7:dc:e9:22:51:ea:54: + 70:15:32:da:11:84:6b:26:94:20:1d:99:11:2a:1f:ac:96:35: + 3c:75:30:ae:4e:77:83:95:00:b4:16:27:bd:96:a5:17:51:69: + 4a:96:40:78:d0:9f:bb:42:1d:d6:aa:ca:fe:cc:96:53:e3:8d: + ee:72:15:db:d4:12:2f:98:1a:07:7c:ef:a7:51:c8:9d:d2:c1: + cb:ba:76:4f:22:95:73:ff:52:fe:3e:f5:1c:9b:cb:e2:36:3e: + bd:28:ac:d0:f5:f1:e9:a0:bb:44:60:f6:a2:90:88:29:79:d5: + 6e:74:f1:5c:ab:d8:19:5f:c0:0c:bd:94:ab:f0:1f:2f:32:2b: + 94:80:6d:66:9e:97:17:7b:d2:d0:89:73:4b:04:0d:3f:ce:69: + d6:13:f5:91:2a:a0:75:d9:98:bb:e0:be:38:41:2a:7b:c8:78: + bf:39:18:9d:fc:62:e2:24:b6:74:49:9b:8c:1e:3c:df:53:81: + ef:33:4a:7a:83:59:8f:2e:7e:cb:70:32:aa:dc:a1:e8:b0:f7: + 6e:ed:28:1b:1a:1f:d9:4b:b4:90:b1:2c:3a:29:ef:02:b3:4d: + e7:18:6c:ec:72:4f:a9:85:19:93:d9:b0:12:da:52:d4:17:cb: + 69:44:17:4e:fe:05:b1:d7:f8:e7:42:ee:05:d8:a4:f7:89:31: + f1:c1:dd:58:1c:2c:ff:ba:c8:bd:46:fa:73:d1:d3:5a:d8:e8: + 21:37:fd:19:3d:1a:ac:06:b2:cb:e0:18:da:9f:61:5a:b6:5c: + e9:e7:1f:cd:0b:08:1f:c4:ac:56:26:88:09:53:12:e5:42:54: + 50:78:0c:d5:61:11:81:a7:1a:c8:3a:1c:21:7d:05:77:ba:0c: + 8d:28:77:41:5b:c8:f4:6a:65:72:43:ba:d6:67:2f:7e:f2:ee: + dd:36:8f:7b:aa:cc:ff:f4:11:74:d5:24:5d:31:6c:13:ca:f7: + 3a:dd:35:b5:8c:5b:8f:bc:a7:3d:b1:fd:14:38:29:58:b0:47: + 53:f6:65:b7:fd:93:a1:5d:5e:bb:ad:b0:cd:2a:c2:1a:79:05: + 75:af:ce:fe:43:25:e6:d4:a9:fa:01:b6:ca:c0:b6:2c:a7:1f: + b1:29:1a:bd:b6:d0:1b:c7:0b:2a:11:65:18:6b:b3:9f:c8:61: + 35:a9:7b:08:2d:5b:3d:01:26:14:89:5c:e1:13:43:d1:5d:bd: + c7:3a:76:36:a2:10:66:18 +-----BEGIN CERTIFICATE----- +MIIFKDCCAxCgAwIBAgIIUgFkBO5bXxcwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE +BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh +MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD +ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjMwOTEzMTY1NzAwWhcNMjQwODEzMTY1 +NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
+BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS +BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn +ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ +ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E +c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE +W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS +lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4G9MIG6MAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v +cmcwRAYDVR0gBD0wOzAIBgZngQwBAgIwLwYEKgMEBTAnMCUGCCsGAQUFBwIBFhlm +dHA6Ly93d3cuc29tZS1jYS5pbmMvY3BzMA0GCSqGSIb3DQEBCwUAA4ICAQB+mPRL +LuGIjuF6HI7immtVTqB0Yx2qPGP7oeTlFlPg26eN4wgbIIJng1OECZzJDafc6SJR +6lRwFTLaEYRrJpQgHZkRKh+sljU8dTCuTneDlQC0Fie9lqUXUWlKlkB40J+7Qh3W +qsr+zJZT443uchXb1BIvmBoHfO+nUcid0sHLunZPIpVz/1L+PvUcm8viNj69KKzQ +9fHpoLtEYPaikIgpedVudPFcq9gZX8AMvZSr8B8vMiuUgG1mnpcXe9LQiXNLBA0/ +zmnWE/WRKqB12Zi74L44QSp7yHi/ORid/GLiJLZ0SZuMHjzfU4HvM0p6g1mPLn7L +cDKq3KHosPdu7SgbGh/ZS7SQsSw6Ke8Cs03nGGzsck+phRmT2bAS2lLUF8tpRBdO +/gWx1/jnQu4F2KT3iTHxwd1YHCz/usi9Rvpz0dNa2OghN/0ZPRqsBrLL4Bjan2Fa +tlzp5x/NCwgfxKxWJogJUxLlQlRQeAzVYRGBpxrIOhwhfQV3ugyNKHdBW8j0amVy +Q7rWZy9+8u7dNo97qsz/9BF01SRdMWwTyvc63TW1jFuPvKc9sf0UOClYsEdT9mW3 +/ZOhXV67rbDNKsIaeQV1r87+QyXm1Kn6AbbKwLYspx+xKRq9ttAbxwsqEWUYa7Of +yGE1qXsILVs9ASYUiVzhE0PRXb3HOnY2ohBmGA== +-----END CERTIFICATE----- From e2f2f0ed5a7ab95d78cdb32fc99d2cb53494935e Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 14:25:52 +0200 Subject: [PATCH 16/29] Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go --- v3/lints/cabf_br/lint_e_invalid_cps_uri.go | 74 ---------------------- 1 file changed, 74 deletions(-) delete mode 100644 v3/lints/cabf_br/lint_e_invalid_cps_uri.go 
diff --git a/v3/lints/cabf_br/lint_e_invalid_cps_uri.go b/v3/lints/cabf_br/lint_e_invalid_cps_uri.go
deleted file mode 100644
index a2c542d50..000000000
--- a/v3/lints/cabf_br/lint_e_invalid_cps_uri.go
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * ZLint Copyright 2024 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*
- * Contributed by Adriano Santoni
- * of ACTALIS S.p.A. (www.actalis.com).
- */
-
-package cabf_br
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/v3/lint"
- "github.com/zmap/zlint/v3/util"
-
- "net/url"
-)
-
-func init() {
- lint.RegisterCertificateLint(&lint.CertificateLint{
- LintMetadata: lint.LintMetadata{
- Name: "e_invalid_cps_uri",
- Description: "If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL",
- Citation: "CABF BR 7.1.2 (several subsections thereof)",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABFBRs_2_0_0_Date,
- },
- Lint: NewInvalidCPSUri,
- })
-}
-
-type invalidCPSUri struct{}
-
-func NewInvalidCPSUri() lint.LintInterface {
- return &invalidCPSUri{}
-}
-
-func (l *invalidCPSUri) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.CertPolicyOID)
-}
-
-func isValidHttpOrHttpsURL(input string) bool {
- parsedURL, err := url.Parse(input)
- if err != nil {
- return false
- }
-
- scheme := parsedURL.Scheme
- return scheme == "http" || scheme == "https"
-}
-
-func (l *invalidCPSUri) Execute(c *x509.Certificate) *lint.LintResult {
- // There should normally be just one CPS URI, but one never knows...
- for _, pol := range c.CPSuri {
- for _, uri := range pol {
- if !isValidHttpOrHttpsURL(uri) {
- return &lint.LintResult{Status: lint.Error}
- }
- }
- }
-
- return &lint.LintResult{Status: lint.Pass}
-}
From 126e1acaaa12916ff65651716fced0bf715f04a0 Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Mon, 8 Apr 2024 14:26:16 +0200
Subject: [PATCH 17/29] Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
---
.../cabf_br/lint_e_invalid_cps_uri_test.go | 83 -------------------
1 file changed, 83 deletions(-)
delete mode 100644 v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
diff --git a/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go b/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
deleted file mode 100644
index 7170bfa07..000000000
--- a/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * ZLint Copyright 2024 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*
- * Contributed by Adriano Santoni
- * of ACTALIS S.p.A. (www.actalis.com).
- */
-
-package cabf_br
-
-import (
- "testing"
-
- "github.com/zmap/zlint/v3/lint"
- "github.com/zmap/zlint/v3/test"
-)
-
-/*
- === Pass test cases ===
- invalid_cps_uri_ok_01.pem Certificate with a well-formed CPS URI
- invalid_cps_uri_ok_02.pem Certificate without a CPS URI
-
- === NE test cases ===
- invalid_cps_uri_ok_03.pem Certificate with an invalid CPS URI, but issued before effective date
-
- === Fail test cases ===
- invalid_cps_uri_ko_01.pem Certificate with an invalid CPS URI (disallowed scheme)
- invalid_cps_uri_ko_02.pem Certificate with an invalid CPS URI (syntax error)
- invalid_cps_uri_ko_03.pem Certificate with two CPS URIs, one good and one bad
-*/
-
-func TestInvalidCPSUri(t *testing.T) {
- type Data struct {
- input string
- want lint.LintStatus
- }
- data := []Data{
- {
- input: "invalid_cps_uri_ok_01.pem",
- want: lint.Pass,
- },
- {
- input: "invalid_cps_uri_ok_02.pem",
- want: lint.Pass,
- },
- {
- input: "invalid_cps_uri_ok_03.pem",
- want: lint.NE,
- },
- {
- input: "invalid_cps_uri_ko_01.pem",
- want: lint.Error,
- },
- {
- input: "invalid_cps_uri_ko_02.pem",
- want: lint.Error,
- },
- {
- input: "invalid_cps_uri_ko_03.pem",
- want: lint.Error,
- },
- }
- for _, testData := range data {
- testData := testData
- t.Run(testData.input, func(t *testing.T) {
- out := test.TestLint("e_invalid_cps_uri", testData.input)
- if out.Status != testData.want {
- t.Errorf("expected %s, got %s", testData.want, out.Status)
- }
- })
- }
-}
From a7fbe525a238561555d7ab20b62c7c91ee4e9d1d Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Mon, 8 Apr 2024 14:26:52 +0200
Subject: [PATCH 18/29] Delete v3/testdata/invalid_cps_uri_ko_01.pem
---
v3/testdata/invalid_cps_uri_ko_01.pem | 109 --------------------------
1 file changed, 109 deletions(-)
delete mode 100644 v3/testdata/invalid_cps_uri_ko_01.pem
diff --git a/v3/testdata/invalid_cps_uri_ko_01.pem b/v3/testdata/invalid_cps_uri_ko_01.pem
deleted file mode 100644
index 708b80ce0..000000000
--- a/v3/testdata/invalid_cps_uri_ko_01.pem
+++ /dev/null
@@ -1,109 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 793070860651290632 (0xb018dbef2d56008) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Mar 30 16:57:00 2024 GMT - Not After : Aug 13 16:57:00 2024 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - CPS: ftp://www.some-ca.inc/cps - - Signature Algorithm: sha256WithRSAEncryption - 
97:54:ef:06:28:ff:dd:57:18:92:a4:e1:89:56:d5:90:f4:46: - 9d:df:f4:67:d4:5f:dd:b5:0c:33:0a:cb:bc:a4:3c:86:3b:0b: - 48:61:f0:0b:68:b1:72:ee:2a:55:f1:78:d4:25:10:ef:58:00: - 5f:2e:26:a8:76:32:0e:45:31:69:98:79:a7:5d:51:b5:5d:d8: - 4b:61:41:ee:02:ce:e6:10:18:cb:88:cd:3a:00:db:27:51:75: - ef:23:b8:61:2b:53:72:a6:fd:95:96:80:c2:3a:87:8a:f2:cf: - a4:c2:56:d2:8f:3d:52:28:a8:ee:11:c2:f4:0f:cb:6f:87:30: - 35:8d:bd:0f:a2:3f:25:6b:b3:68:de:46:8d:fa:23:d9:8a:43: - 90:a0:6b:97:cf:bb:8a:b5:e4:64:d0:dc:07:3f:e5:46:d0:d5: - 79:e7:0f:7b:0c:ac:4c:03:8c:d3:c3:55:14:76:ed:02:a6:e1: - 96:58:ab:2c:42:ac:6d:e7:75:04:3f:35:ae:7f:35:a0:5f:e7: - 10:df:22:3f:94:eb:a2:9a:1a:a7:75:8d:f8:13:95:c4:a0:bc: - a5:90:ab:8f:af:f5:42:ba:c0:15:47:c8:15:47:d9:98:70:c8: - ff:10:90:1b:68:3d:74:ed:ec:94:14:70:5a:33:ce:1a:d7:ba: - 9a:38:0e:d3:dc:9c:83:54:19:5e:bc:95:7e:ed:e6:8e:18:93: - 28:c8:b9:77:a5:e5:a9:31:8e:29:9c:b2:8c:e3:d5:29:ce:5f: - 5d:1c:b7:f7:00:36:5a:38:e3:99:a0:7c:20:a6:38:dd:6d:5b: - d8:76:e1:03:51:51:d2:7b:3b:01:35:4a:88:76:72:63:61:19: - 7e:4e:79:62:7a:c0:e6:0c:a8:9e:3e:cf:15:1a:98:ab:f1:67: - 8e:f7:4d:a4:01:b7:72:59:44:ec:e2:2d:d0:be:d0:9e:4f:af: - 4f:56:06:90:c8:04:b3:04:cd:00:ca:c9:cb:d3:c4:04:0c:d6: - 2e:0b:c7:85:05:31:32:89:70:4e:2f:b9:f1:04:b5:35:1f:0d: - 12:0d:8d:fe:3c:1f:c7:bf:10:5d:01:c8:56:27:83:3d:67:ac: - 82:e6:40:70:89:8d:c7:d7:5b:e2:3d:95:1d:e4:fa:92:ce:4e: - f7:47:88:e0:b7:10:60:8b:5f:8f:6c:7f:53:56:db:4b:ab:84: - db:d1:42:28:f9:de:35:4d:ad:c7:d7:e8:8c:13:c5:24:51:88: - 3e:f3:9d:b3:7a:ba:14:9a:ac:ae:6b:a4:6e:c3:7c:53:18:0d: - b2:9f:17:c7:96:de:56:ef:fd:bd:b8:b7:30:d0:7c:81:28:4c: - 12:db:c0:f0:e5:50:83:cb ------BEGIN CERTIFICATE----- -MIIFKDCCAxCgAwIBAgIICwGNvvLVYAgwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 -NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
-BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS -BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4G9MIG6MAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwRAYDVR0gBD0wOzAIBgZngQwBAgIwLwYEKgMEBTAnMCUGCCsGAQUFBwIBFhlm -dHA6Ly93d3cuc29tZS1jYS5pbmMvY3BzMA0GCSqGSIb3DQEBCwUAA4ICAQCXVO8G -KP/dVxiSpOGJVtWQ9Ead3/Rn1F/dtQwzCsu8pDyGOwtIYfALaLFy7ipV8XjUJRDv -WABfLiaodjIORTFpmHmnXVG1XdhLYUHuAs7mEBjLiM06ANsnUXXvI7hhK1Nypv2V -loDCOoeK8s+kwlbSjz1SKKjuEcL0D8tvhzA1jb0Poj8la7No3kaN+iPZikOQoGuX -z7uKteRk0NwHP+VG0NV55w97DKxMA4zTw1UUdu0CpuGWWKssQqxt53UEPzWufzWg -X+cQ3yI/lOuimhqndY34E5XEoLylkKuPr/VCusAVR8gVR9mYcMj/EJAbaD107eyU -FHBaM84a17qaOA7T3JyDVBlevJV+7eaOGJMoyLl3peWpMY4pnLKM49Upzl9dHLf3 -ADZaOOOZoHwgpjjdbVvYduEDUVHSezsBNUqIdnJjYRl+TnliesDmDKiePs8VGpir -8WeO902kAbdyWUTs4i3QvtCeT69PVgaQyASzBM0AysnL08QEDNYuC8eFBTEyiXBO -L7nxBLU1Hw0SDY3+PB/HvxBdAchWJ4M9Z6yC5kBwiY3H11viPZUd5PqSzk73R4jg -txBgi1+PbH9TVttLq4Tb0UIo+d41Ta3H1+iME8UkUYg+852zeroUmqyua6Ruw3xT -GA2ynxfHlt5W7/29uLcw0HyBKEwS28Dw5VCDyw== ------END CERTIFICATE----- From b289660debed201b98dfbf9085912bf462924801 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 14:27:15 +0200 Subject: [PATCH 19/29] Delete v3/testdata/invalid_cps_uri_ko_02.pem --- v3/testdata/invalid_cps_uri_ko_02.pem | 109 -------------------------- 1 file changed, 109 deletions(-) delete mode 100644 v3/testdata/invalid_cps_uri_ko_02.pem 
diff --git a/v3/testdata/invalid_cps_uri_ko_02.pem b/v3/testdata/invalid_cps_uri_ko_02.pem deleted file mode 100644 index 8e87b4c1f..000000000 --- a/v3/testdata/invalid_cps_uri_ko_02.pem +++ /dev/null 
@@ -1,109 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1892436556900320617 (0x1a4349059e01c569) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Mar 30 16:57:00 2024 GMT - Not After : Aug 13 16:57:00 2024 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - CPS: www.some-ca.inc - - Signature Algorithm: sha256WithRSAEncryption - 16:57:14:9b:a6:7b:51:88:49:42:81:dc:ae:c0:13:ff:5e:55: - 
cf:24:5b:c8:00:68:dc:ac:7f:23:db:e5:24:bd:da:93:71:70: - c1:4a:7c:22:09:61:51:da:07:52:b7:5c:e8:0f:9e:30:6f:8e: - 5e:33:0b:a2:75:2a:14:85:80:a9:72:5d:ba:c0:31:31:4f:b7: - 56:ae:37:0a:9b:79:e5:34:5a:24:44:c6:c0:6f:b8:39:de:96: - 69:43:f3:e9:69:c0:eb:5a:f3:c3:2b:7a:03:8b:d4:06:c6:a7: - de:09:00:c5:85:12:0f:6b:bb:1d:96:c7:e2:7a:17:56:17:dd: - c5:25:2c:41:3c:cb:d9:77:b6:fc:81:5b:d3:16:d1:c7:6b:8a: - bc:0e:5a:30:74:33:12:dd:ff:40:a4:83:2a:83:58:72:41:84: - 19:87:f9:5c:3a:1d:c7:79:ca:5f:2c:ec:60:f3:a2:64:33:f4: - 87:d8:f9:54:ba:28:7f:69:e7:2f:f7:40:04:90:86:21:3c:68: - 0e:ee:c9:b2:ce:47:d7:2c:8a:90:65:83:70:59:53:fd:8a:df: - f7:2c:91:c2:06:be:ed:9b:89:65:47:32:ec:ec:70:c1:5c:7f: - ee:24:ea:ec:a7:b5:6f:28:b0:11:5f:47:e7:f5:ce:82:63:36: - 6b:7a:74:53:00:e3:72:2c:1d:9e:4e:e7:27:54:59:1d:43:61: - 36:53:bc:ba:7c:d4:d4:db:af:bd:4e:1c:a2:de:98:f0:a9:48: - 75:73:1d:2a:cd:ea:12:b0:a9:dd:25:01:f7:e4:3c:15:8c:cb: - 53:ff:d1:33:b8:a0:4d:fa:c7:c3:d8:b9:6d:e3:df:62:77:6e: - 89:7b:17:c4:bc:96:3f:ed:25:72:f2:7b:66:04:49:da:91:a9: - 73:ca:50:9b:ad:e2:46:ef:dd:7f:7a:14:55:df:ad:c5:55:f9: - f8:77:a7:1c:09:d7:42:ff:28:ef:c6:5b:e0:b5:f0:80:d8:ac: - 09:45:1c:eb:a0:e5:69:07:de:ef:6d:b3:0d:6b:5d:e8:ea:d3: - 9b:b3:98:70:45:fd:8f:5b:53:14:c0:e6:0b:57:5f:9a:37:14: - 69:e2:10:8f:ab:59:3f:b7:54:51:4f:03:6c:1d:ce:54:40:2a: - be:f2:b5:f6:c8:25:b4:70:be:f7:44:4d:ed:03:ab:c3:98:59: - 87:2a:41:be:5a:1b:d6:0d:40:11:64:ef:0f:13:37:fe:49:c3: - c7:df:f8:2d:e5:5a:6b:b4:e7:d2:52:1f:57:75:04:f9:0c:09: - 5a:b4:e6:8f:be:74:5f:24:9b:bd:92:4c:ee:3d:96:1d:a1:fa: - f2:51:42:4e:bc:a3:a8:c3 ------BEGIN CERTIFICATE----- -MIIFHjCCAwagAwIBAgIIGkNJBZ4BxWkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 -NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE -BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS 
-BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4GzMIGwMAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwOgYDVR0gBDMwMTAIBgZngQwBAgIwJQYEKgMEBTAdMBsGCCsGAQUFBwIBFg93 -d3cuc29tZS1jYS5pbmMwDQYJKoZIhvcNAQELBQADggIBABZXFJume1GISUKB3K7A -E/9eVc8kW8gAaNysfyPb5SS92pNxcMFKfCIJYVHaB1K3XOgPnjBvjl4zC6J1KhSF -gKlyXbrAMTFPt1auNwqbeeU0WiRExsBvuDnelmlD8+lpwOta88MregOL1AbGp94J -AMWFEg9rux2Wx+J6F1YX3cUlLEE8y9l3tvyBW9MW0cdrirwOWjB0MxLd/0CkgyqD -WHJBhBmH+Vw6Hcd5yl8s7GDzomQz9IfY+VS6KH9p5y/3QASQhiE8aA7uybLOR9cs -ipBlg3BZU/2K3/cskcIGvu2biWVHMuzscMFcf+4k6uyntW8osBFfR+f1zoJjNmt6 -dFMA43IsHZ5O5ydUWR1DYTZTvLp81NTbr71OHKLemPCpSHVzHSrN6hKwqd0lAffk -PBWMy1P/0TO4oE36x8PYuW3j32J3bol7F8S8lj/tJXLye2YESdqRqXPKUJut4kbv -3X96FFXfrcVV+fh3pxwJ10L/KO/GW+C18IDYrAlFHOug5WkH3u9tsw1rXejq05uz -mHBF/Y9bUxTA5gtXX5o3FGniEI+rWT+3VFFPA2wdzlRAKr7ytfbIJbRwvvdETe0D -q8OYWYcqQb5aG9YNQBFk7w8TN/5Jw8ff+C3lWmu059JSH1d1BPkMCVq05o++dF8k -m72STO49lh2h+vJRQk68o6jD ------END CERTIFICATE----- From b5af6be446a242166638f582ba90867e1b5cbde1 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 14:27:42 +0200 Subject: [PATCH 20/29] Delete v3/testdata/invalid_cps_uri_ko_03.pem --- v3/testdata/invalid_cps_uri_ko_03.pem | 112 -------------------------- 1 file changed, 112 deletions(-) delete mode 100644 v3/testdata/invalid_cps_uri_ko_03.pem diff --git a/v3/testdata/invalid_cps_uri_ko_03.pem b/v3/testdata/invalid_cps_uri_ko_03.pem deleted file mode 100644 index 87f547721..000000000 
--- a/v3/testdata/invalid_cps_uri_ko_03.pem +++ /dev/null 
@@ -1,112 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1059656979734169929 (0xeb4a868a4d18949) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Mar 30 16:57:00 2024 GMT - Not After : Aug 13 16:57:00 2024 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - CPS: https://www.some-ca.inc/cps - Policy: 1.3.6.1.5.1.1234567890.1.1 - CPS: this is not a valid url - - Signature Algorithm: 
sha256WithRSAEncryption - 93:29:fc:e5:54:0f:83:0a:37:36:85:37:90:d0:9c:4b:af:56: - 23:3e:88:6d:25:41:d2:23:4b:87:ee:9f:8b:6c:9b:eb:0d:5e: - 10:fa:44:8f:26:33:31:ec:7e:a8:7f:4a:91:ad:2b:fc:7c:db: - f3:fa:4c:76:5e:d6:39:78:99:f3:a6:52:ed:61:8e:8e:8f:71: - 9b:e6:d8:75:dd:b5:47:c3:f7:84:e8:ad:09:52:c9:76:0c:b2: - d3:e1:a9:cf:52:05:b2:d5:7e:9a:f4:67:15:7b:43:7e:7e:3f: - 84:ec:ca:a5:c8:b8:6e:09:64:6d:c7:58:53:e0:66:61:2d:9d: - fe:c7:e8:ff:1a:b0:ca:93:6f:c5:9f:4c:46:ef:54:41:f7:05: - a8:89:0f:64:27:1c:71:3a:1c:fa:ab:d0:0e:09:8b:67:f5:ce: - c5:5b:cb:bd:e6:42:e0:ef:75:f2:73:26:8e:a6:22:cd:b0:52: - 4d:ed:e5:cf:c2:64:2d:03:f2:b3:86:db:06:74:25:a8:19:e3: - 16:43:d9:0d:f7:31:58:d3:cb:5d:c4:74:1d:fa:30:a7:c1:b7: - 7e:3c:e1:9e:f1:6f:2b:5c:73:c2:68:33:2d:24:28:52:a1:f5: - 14:a5:9a:d7:27:fc:a9:be:7e:e9:05:e9:78:2f:6f:c4:ce:96: - 22:b6:f5:41:af:8d:c0:8a:85:c5:35:47:d0:8a:9c:71:e7:44: - 0f:34:5f:f3:fe:44:95:76:b3:1e:ad:a4:ee:cb:3c:3f:5a:bc: - 6f:43:55:a8:b9:80:47:38:c1:43:c0:f2:71:e9:d0:2b:b3:16: - 3d:3c:81:16:49:0c:d1:05:f0:5b:66:a9:02:a2:38:db:74:9c: - 0c:a9:50:b3:66:d8:12:80:8d:e1:dd:22:f3:22:4d:80:ce:2e: - 86:a2:8b:c0:d1:92:f7:8c:6d:1f:30:1d:d4:4c:8e:b5:91:b1: - dd:18:f9:9c:98:18:0f:ab:24:c9:ea:6f:9f:91:51:81:b0:ec: - 73:d1:c8:6f:f7:fd:62:2b:d8:18:eb:08:4b:32:ee:37:df:f7: - ed:0a:c7:6f:6f:ef:9e:6f:e4:9d:f5:c4:23:ab:de:38:74:7c: - 89:85:77:f1:5c:54:8f:71:33:9f:2c:fb:e5:58:92:f2:eb:de: - 90:04:b9:f5:b9:72:35:d0:10:75:e0:5a:0f:93:fa:1f:de:27: - 14:ff:60:a4:91:ac:e0:f4:57:a0:d5:21:ee:8a:79:e8:20:c7: - 66:82:30:3c:8b:eb:3c:7a:0c:33:64:e6:8c:2e:15:fd:60:62: - 9d:38:d1:03:3d:3d:09:69:c9:71:d8:ca:68:c1:54:80:e1:3a: - bb:71:aa:90:bc:11:81:3b ------BEGIN CERTIFICATE----- -MIIFYTCCA0mgAwIBAgIIDrSoaKTRiUkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1 
-NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE -BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS -BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4H2MIHzMAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwfQYDVR0gBHYwdDAIBgZngQwBAgIwMQYEKgMEBTApMCcGCCsGAQUFBwIBFhto -dHRwczovL3d3dy5zb21lLWNhLmluYy9jcHMwNQYMKwYBBQGEzNiFUgEBMCUwIwYI -KwYBBQUHAgEWF3RoaXMgaXMgbm90IGEgdmFsaWQgdXJsMA0GCSqGSIb3DQEBCwUA -A4ICAQCTKfzlVA+DCjc2hTeQ0JxLr1YjPohtJUHSI0uH7p+LbJvrDV4Q+kSPJjMx -7H6of0qRrSv8fNvz+kx2XtY5eJnzplLtYY6Oj3Gb5th13bVHw/eE6K0JUsl2DLLT -4anPUgWy1X6a9GcVe0N+fj+E7MqlyLhuCWRtx1hT4GZhLZ3+x+j/GrDKk2/Fn0xG -71RB9wWoiQ9kJxxxOhz6q9AOCYtn9c7FW8u95kLg73XycyaOpiLNsFJN7eXPwmQt -A/KzhtsGdCWoGeMWQ9kN9zFY08tdxHQd+jCnwbd+POGe8W8rXHPCaDMtJChSofUU -pZrXJ/ypvn7pBel4L2/EzpYitvVBr43AioXFNUfQipxx50QPNF/z/kSVdrMeraTu -yzw/WrxvQ1WouYBHOMFDwPJx6dArsxY9PIEWSQzRBfBbZqkCojjbdJwMqVCzZtgS -gI3h3SLzIk2Azi6GoovA0ZL3jG0fMB3UTI61kbHdGPmcmBgPqyTJ6m+fkVGBsOxz -0chv9/1iK9gY6whLMu433/ftCsdvb++eb+Sd9cQjq944dHyJhXfxXFSPcTOfLPvl -WJLy696QBLn1uXI10BB14FoPk/of3icU/2Ckkazg9Feg1SHuinnoIMdmgjA8i+s8 -egwzZOaMLhX9YGKdONEDPT0Jaclx2MpowVSA4Tq7caqQvBGBOw== ------END CERTIFICATE----- From d9fea03ea512a70b607cf8982dc3e1b3aa09dc88 Mon Sep 17 00:00:00 2001 
From: Adriano Santoni Date: Mon, 8 Apr 2024 14:27:59 +0200 Subject: [PATCH 21/29] Delete v3/testdata/invalid_cps_uri_ok_01.pem --- v3/testdata/invalid_cps_uri_ok_01.pem | 109 -------------------------- 1 file changed, 109 deletions(-) delete mode 100644 v3/testdata/invalid_cps_uri_ok_01.pem diff --git a/v3/testdata/invalid_cps_uri_ok_01.pem b/v3/testdata/invalid_cps_uri_ok_01.pem deleted file mode 100644 index 31baa3e55..000000000 --- a/v3/testdata/invalid_cps_uri_ok_01.pem +++ /dev/null 
@@ -1,109 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 6516163087356195736 (0x5a6e0fcdc860f398) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Mar 30 16:57:00 2024 GMT - Not After : Mar 8 08:50:00 2025 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - CPS: https://ca.someca-inc.com/cps - - Signature Algorithm: sha256WithRSAEncryption - 
17:6a:75:79:9d:ae:e0:00:0c:93:9e:74:02:70:9d:e3:58:b2: - 55:4e:2c:88:b2:6c:89:87:c5:e4:ec:31:97:c6:12:b3:2e:92: - 1a:60:e8:40:23:99:93:c7:bc:d9:d1:ce:66:de:4b:14:b1:86: - c5:c6:9d:6c:28:16:e0:2d:74:ee:8c:49:b8:39:ad:a2:d3:25: - 8e:ac:f8:c7:af:7e:e5:1d:a8:f2:1b:e2:cb:69:94:e2:58:e1: - 47:4c:34:9d:f7:bd:a8:b0:f0:92:e5:05:94:a0:c0:38:3b:34: - 22:ef:cc:5c:47:db:fa:b0:82:2a:f5:8f:25:85:53:fe:fe:2c: - 9e:22:c0:78:02:e3:e9:32:71:11:01:cb:c7:d3:db:a7:e5:27: - 2c:72:44:d0:f4:4c:57:08:eb:26:36:e1:ee:40:ce:2f:81:45: - 75:1c:4f:d1:9d:c5:e5:f0:88:3c:c2:fb:0b:c4:6a:a8:7c:a6: - ea:5d:33:9e:b8:6e:92:57:af:13:12:51:4d:1b:8f:2e:bd:7d: - 2f:5e:2e:ac:57:9d:78:23:5b:1d:e5:4b:be:d3:d4:20:18:40: - 27:cd:4b:9a:f2:2e:1c:19:bf:6d:50:80:39:e2:28:70:c1:8b: - 4a:dc:2e:98:da:6d:12:ce:1e:58:29:fa:04:fe:14:6a:81:7c: - 9e:c2:fd:93:fe:00:f1:a0:fb:e6:94:5f:b8:aa:18:12:86:70: - e1:02:9a:e4:91:a6:3e:14:9d:8d:4c:33:0b:b5:61:96:96:e9: - 95:bd:34:83:79:42:a9:98:19:6e:d8:68:a6:af:56:15:da:e7: - e5:d1:b3:6d:af:cf:96:03:bb:90:73:4e:18:43:a7:30:3c:dc: - fb:b5:69:48:96:d1:27:c8:89:0a:2b:bc:8c:48:45:0c:60:bb: - 15:01:84:de:8c:e0:47:cb:b7:7a:c5:06:94:bf:6a:25:c5:57: - af:69:69:94:17:b3:21:6c:ef:74:a5:bc:39:3a:4c:f7:3b:fe: - ab:20:7d:51:bb:5d:c2:cc:8c:23:5d:41:6a:d3:8f:5e:cc:1e: - 6f:70:45:1f:7c:1c:d4:62:76:43:8a:f8:48:34:5d:a1:65:c1: - 4a:5a:d0:56:96:45:33:29:b2:38:86:7f:d0:1b:d6:53:61:d9: - c6:2d:ea:cc:a6:ba:5e:d3:54:a6:b7:bc:09:f9:d9:39:e3:7f: - 78:e2:ec:fc:cc:46:d7:1f:e6:70:5f:a7:88:cb:73:76:c0:57: - b6:14:80:6a:b4:dc:a8:dc:16:87:05:ae:bf:16:1c:a8:a5:c8: - 6a:e6:ab:1c:66:52:9b:04:77:70:67:57:58:d3:9b:32:29:ea: - 79:71:50:27:3a:b6:34:9e ------BEGIN CERTIFICATE----- -MIIFLDCCAxSgAwIBAgIIWm4Pzchg85gwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjUwMzA4MDg1 -MDAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
-BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS -BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4HBMIG+MAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwSAYDVR0gBEEwPzAIBgZngQwBAgIwMwYEKgMEBTArMCkGCCsGAQUFBwIBFh1o -dHRwczovL2NhLnNvbWVjYS1pbmMuY29tL2NwczANBgkqhkiG9w0BAQsFAAOCAgEA -F2p1eZ2u4AAMk550AnCd41iyVU4siLJsiYfF5Owxl8YSsy6SGmDoQCOZk8e82dHO -Zt5LFLGGxcadbCgW4C107oxJuDmtotMljqz4x69+5R2o8hviy2mU4ljhR0w0nfe9 -qLDwkuUFlKDAODs0Iu/MXEfb+rCCKvWPJYVT/v4sniLAeALj6TJxEQHLx9Pbp+Un -LHJE0PRMVwjrJjbh7kDOL4FFdRxP0Z3F5fCIPML7C8RqqHym6l0znrhuklevExJR -TRuPLr19L14urFedeCNbHeVLvtPUIBhAJ81LmvIuHBm/bVCAOeIocMGLStwumNpt -Es4eWCn6BP4UaoF8nsL9k/4A8aD75pRfuKoYEoZw4QKa5JGmPhSdjUwzC7Vhlpbp -lb00g3lCqZgZbthopq9WFdrn5dGzba/PlgO7kHNOGEOnMDzc+7VpSJbRJ8iJCiu8 -jEhFDGC7FQGE3ozgR8u3esUGlL9qJcVXr2lplBezIWzvdKW8OTpM9zv+qyB9Ubtd -wsyMI11BatOPXsweb3BFH3wc1GJ2Q4r4SDRdoWXBSlrQVpZFMymyOIZ/0BvWU2HZ -xi3qzKa6XtNUpre8CfnZOeN/eOLs/MxG1x/mcF+niMtzdsBXthSAarTcqNwWhwWu -vxYcqKXIauarHGZSmwR3cGdXWNObMinqeXFQJzq2NJ4= ------END CERTIFICATE----- From a3241602dde59a23f3a9e2d72c877b8084fb5abd Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 14:28:17 +0200 Subject: [PATCH 22/29] Delete v3/testdata/invalid_cps_uri_ok_02.pem --- v3/testdata/invalid_cps_uri_ok_02.pem | 107 -------------------------- 1 file changed, 107 deletions(-) delete mode 100644 v3/testdata/invalid_cps_uri_ok_02.pem 
diff --git a/v3/testdata/invalid_cps_uri_ok_02.pem b/v3/testdata/invalid_cps_uri_ok_02.pem deleted file mode 100644 index 3743ed739..000000000 --- a/v3/testdata/invalid_cps_uri_ok_02.pem +++ /dev/null 
@@ -1,107 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1791917909163485810 (0x18de2bd82a59aa72) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Mar 30 16:57:00 2024 GMT - Not After : Mar 8 08:50:00 2025 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - - Signature Algorithm: sha256WithRSAEncryption - 7b:4a:e1:20:a9:28:1c:50:9b:f4:3d:eb:40:b4:02:96:05:4a: - 
cf:17:45:6c:6e:d8:4d:bd:d5:4e:26:64:37:4b:b4:7d:d6:b4: - bf:96:a6:1c:f1:a8:54:57:a3:6d:c9:12:82:c1:db:0d:78:f4: - f7:64:3b:88:fa:59:c3:3a:b0:a1:50:78:8b:4b:0a:dc:a3:64: - 77:16:2d:dc:ba:81:55:28:18:69:66:5f:94:0a:7a:06:b1:42: - 7d:c7:65:a1:b3:30:f9:2d:a5:20:cc:be:5e:e3:14:ce:67:f5: - 69:ea:11:7e:cd:62:be:89:eb:30:79:70:f3:fd:fd:e1:23:e9: - 27:20:b8:33:84:f2:e0:75:9c:c3:6b:41:69:42:72:9b:c3:21: - a4:be:fa:fa:87:21:e9:d0:1d:0a:ab:f3:07:a1:8e:f7:ea:47: - cf:e6:8c:8a:02:58:22:ca:17:3b:de:d7:43:63:63:0c:71:a1: - dc:77:43:fd:fc:07:e7:62:f8:d4:93:3b:a5:c8:33:1e:db:6c: - 91:03:91:6c:b2:0f:cf:c0:69:d8:60:6a:ea:08:d0:0d:48:47: - c8:e4:11:61:c4:2f:60:3a:3c:b4:38:90:d0:1b:70:d7:b1:e5: - fb:fd:35:81:be:38:88:5d:fc:2b:68:02:72:ee:00:ff:dd:40: - 72:63:d8:7b:4e:e8:c7:05:f0:45:73:d8:36:03:b4:65:c5:3b: - 0d:2d:61:99:91:c1:51:bb:f6:45:5d:d2:2a:31:a7:73:65:99: - 64:12:6c:79:96:98:0d:1f:e4:21:12:6f:7d:a3:a2:87:d3:29: - 1d:f3:2d:c9:e1:d5:74:af:09:bd:1e:85:07:f3:86:25:d6:f7: - 6e:37:d8:aa:10:9c:af:71:f6:07:4e:88:13:30:0e:2a:c9:24: - 19:8c:aa:f6:39:a7:36:92:6b:3b:c6:8e:66:2b:7d:0b:13:25: - e4:3b:30:c4:f9:f4:00:6f:ef:27:c2:45:6f:2e:06:c6:09:3a: - 91:51:28:e3:a6:db:68:51:4d:18:2c:ad:8b:c9:e2:c2:58:e3: - d7:d2:1f:85:8f:7b:0d:b1:60:08:6e:72:fd:e4:85:e3:68:39: - 4e:6d:b3:6f:4b:8a:71:be:ba:07:ba:e2:32:95:8b:83:ed:18: - 41:7c:b1:da:43:b6:1b:65:0a:61:0a:a9:3a:f8:59:8f:1e:34: - cd:52:c2:bd:c3:4d:3a:be:e8:10:01:0b:4a:16:1e:5a:0c:26: - 02:0f:a9:58:9d:70:44:a0:d6:ee:64:1c:68:40:f4:04:d5:2d: - 11:a0:76:7e:15:b3:5c:27:b2:87:b1:1c:7f:45:c9:b1:d0:2b: - 6c:c6:5d:80:c3:7b:43:0d ------BEGIN CERTIFICATE----- -MIIE/zCCAuegAwIBAgIIGN4r2CpZqnIwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjUwMzA4MDg1 -MDAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE -BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS 
-BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4GUMIGRMAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwGwYDVR0gBBQwEjAIBgZngQwBAgIwBgYEKgMEBTANBgkqhkiG9w0BAQsFAAOC -AgEAe0rhIKkoHFCb9D3rQLQClgVKzxdFbG7YTb3VTiZkN0u0fda0v5amHPGoVFej -bckSgsHbDXj092Q7iPpZwzqwoVB4i0sK3KNkdxYt3LqBVSgYaWZflAp6BrFCfcdl -obMw+S2lIMy+XuMUzmf1aeoRfs1ivonrMHlw8/394SPpJyC4M4Ty4HWcw2tBaUJy -m8MhpL76+och6dAdCqvzB6GO9+pHz+aMigJYIsoXO97XQ2NjDHGh3HdD/fwH52L4 -1JM7pcgzHttskQORbLIPz8Bp2GBq6gjQDUhHyOQRYcQvYDo8tDiQ0Btw17Hl+/01 -gb44iF38K2gCcu4A/91AcmPYe07oxwXwRXPYNgO0ZcU7DS1hmZHBUbv2RV3SKjGn -c2WZZBJseZaYDR/kIRJvfaOih9MpHfMtyeHVdK8JvR6FB/OGJdb3bjfYqhCcr3H2 -B06IEzAOKskkGYyq9jmnNpJrO8aOZit9CxMl5DswxPn0AG/vJ8JFby4Gxgk6kVEo -46bbaFFNGCyti8niwljj19IfhY97DbFgCG5y/eSF42g5Tm2zb0uKcb66B7riMpWL -g+0YQXyx2kO2G2UKYQqpOvhZjx40zVLCvcNNOr7oEAELShYeWgwmAg+pWJ1wRKDW -7mQcaED0BNUtEaB2fhWzXCeyh7Ecf0XJsdArbMZdgMN7Qw0= ------END CERTIFICATE----- From 9ef6f60dacadd65b804a98dce3f43421ca78c256 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Mon, 8 Apr 2024 14:28:44 +0200 Subject: [PATCH 23/29] Delete v3/testdata/invalid_cps_uri_ok_03.pem --- v3/testdata/invalid_cps_uri_ok_03.pem | 109 -------------------------- 1 file changed, 109 deletions(-) delete mode 100644 v3/testdata/invalid_cps_uri_ok_03.pem diff --git a/v3/testdata/invalid_cps_uri_ok_03.pem b/v3/testdata/invalid_cps_uri_ok_03.pem deleted file mode 100644 index 39bff4caf..000000000 --- a/v3/testdata/invalid_cps_uri_ok_03.pem +++ /dev/null 
@@ -1,109 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 5909114158428413719 (0x52016404ee5b5f17) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA - Validity - Not Before: Sep 13 16:57:00 2023 GMT - Not After : Aug 13 16:57:00 2024 GMT - Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e: - c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47: - e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a: - 67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3: - af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59: - d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25: - 25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5: - e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48: - 7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29: - d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9: - b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3: - da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9: - e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be: - 90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7: - aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f: - 3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e: - 92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c: - e9:23 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Subject Key Identifier: - EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91 - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Alternative Name: - DNS:example.org - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.2 - Policy: 1.2.3.4.5 - CPS: ftp://www.some-ca.inc/cps - - Signature Algorithm: sha256WithRSAEncryption - 
7e:98:f4:4b:2e:e1:88:8e:e1:7a:1c:8e:e2:9a:6b:55:4e:a0: - 74:63:1d:aa:3c:63:fb:a1:e4:e5:16:53:e0:db:a7:8d:e3:08: - 1b:20:82:67:83:53:84:09:9c:c9:0d:a7:dc:e9:22:51:ea:54: - 70:15:32:da:11:84:6b:26:94:20:1d:99:11:2a:1f:ac:96:35: - 3c:75:30:ae:4e:77:83:95:00:b4:16:27:bd:96:a5:17:51:69: - 4a:96:40:78:d0:9f:bb:42:1d:d6:aa:ca:fe:cc:96:53:e3:8d: - ee:72:15:db:d4:12:2f:98:1a:07:7c:ef:a7:51:c8:9d:d2:c1: - cb:ba:76:4f:22:95:73:ff:52:fe:3e:f5:1c:9b:cb:e2:36:3e: - bd:28:ac:d0:f5:f1:e9:a0:bb:44:60:f6:a2:90:88:29:79:d5: - 6e:74:f1:5c:ab:d8:19:5f:c0:0c:bd:94:ab:f0:1f:2f:32:2b: - 94:80:6d:66:9e:97:17:7b:d2:d0:89:73:4b:04:0d:3f:ce:69: - d6:13:f5:91:2a:a0:75:d9:98:bb:e0:be:38:41:2a:7b:c8:78: - bf:39:18:9d:fc:62:e2:24:b6:74:49:9b:8c:1e:3c:df:53:81: - ef:33:4a:7a:83:59:8f:2e:7e:cb:70:32:aa:dc:a1:e8:b0:f7: - 6e:ed:28:1b:1a:1f:d9:4b:b4:90:b1:2c:3a:29:ef:02:b3:4d: - e7:18:6c:ec:72:4f:a9:85:19:93:d9:b0:12:da:52:d4:17:cb: - 69:44:17:4e:fe:05:b1:d7:f8:e7:42:ee:05:d8:a4:f7:89:31: - f1:c1:dd:58:1c:2c:ff:ba:c8:bd:46:fa:73:d1:d3:5a:d8:e8: - 21:37:fd:19:3d:1a:ac:06:b2:cb:e0:18:da:9f:61:5a:b6:5c: - e9:e7:1f:cd:0b:08:1f:c4:ac:56:26:88:09:53:12:e5:42:54: - 50:78:0c:d5:61:11:81:a7:1a:c8:3a:1c:21:7d:05:77:ba:0c: - 8d:28:77:41:5b:c8:f4:6a:65:72:43:ba:d6:67:2f:7e:f2:ee: - dd:36:8f:7b:aa:cc:ff:f4:11:74:d5:24:5d:31:6c:13:ca:f7: - 3a:dd:35:b5:8c:5b:8f:bc:a7:3d:b1:fd:14:38:29:58:b0:47: - 53:f6:65:b7:fd:93:a1:5d:5e:bb:ad:b0:cd:2a:c2:1a:79:05: - 75:af:ce:fe:43:25:e6:d4:a9:fa:01:b6:ca:c0:b6:2c:a7:1f: - b1:29:1a:bd:b6:d0:1b:c7:0b:2a:11:65:18:6b:b3:9f:c8:61: - 35:a9:7b:08:2d:5b:3d:01:26:14:89:5c:e1:13:43:d1:5d:bd: - c7:3a:76:36:a2:10:66:18 ------BEGIN CERTIFICATE----- -MIIFKDCCAxCgAwIBAgIIUgFkBO5bXxcwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE -BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh -MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD -ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjMwOTEzMTY1NzAwWhcNMjQwODEzMTY1 -NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE 
-BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS -BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn -ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ -ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E -c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE -W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS -lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4G9MIG6MAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v -cmcwRAYDVR0gBD0wOzAIBgZngQwBAgIwLwYEKgMEBTAnMCUGCCsGAQUFBwIBFhlm -dHA6Ly93d3cuc29tZS1jYS5pbmMvY3BzMA0GCSqGSIb3DQEBCwUAA4ICAQB+mPRL -LuGIjuF6HI7immtVTqB0Yx2qPGP7oeTlFlPg26eN4wgbIIJng1OECZzJDafc6SJR -6lRwFTLaEYRrJpQgHZkRKh+sljU8dTCuTneDlQC0Fie9lqUXUWlKlkB40J+7Qh3W -qsr+zJZT443uchXb1BIvmBoHfO+nUcid0sHLunZPIpVz/1L+PvUcm8viNj69KKzQ -9fHpoLtEYPaikIgpedVudPFcq9gZX8AMvZSr8B8vMiuUgG1mnpcXe9LQiXNLBA0/ -zmnWE/WRKqB12Zi74L44QSp7yHi/ORid/GLiJLZ0SZuMHjzfU4HvM0p6g1mPLn7L -cDKq3KHosPdu7SgbGh/ZS7SQsSw6Ke8Cs03nGGzsck+phRmT2bAS2lLUF8tpRBdO -/gWx1/jnQu4F2KT3iTHxwd1YHCz/usi9Rvpz0dNa2OghN/0ZPRqsBrLL4Bjan2Fa -tlzp5x/NCwgfxKxWJogJUxLlQlRQeAzVYRGBpxrIOhwhfQV3ugyNKHdBW8j0amVy -Q7rWZy9+8u7dNo97qsz/9BF01SRdMWwTyvc63TW1jFuPvKc9sf0UOClYsEdT9mW3 -/ZOhXV67rbDNKsIaeQV1r87+QyXm1Kn6AbbKwLYspx+xKRq9ttAbxwsqEWUYa7Of -yGE1qXsILVs9ASYUiVzhE0PRXb3HOnY2ohBmGA== ------END CERTIFICATE----- From b7bc0a99d271e9cd28e34a62f7e4ccd633b3fa02 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Thu, 5 Dec 2024 16:42:21 +0100 Subject: [PATCH 24/29] Add files via upload --- .../cabf_ev/lint_extra_subject_attribs.go | 100 ++++++++++++++++++ .../lint_extra_subject_attribs_test.go | 73 +++++++++++++ 2 files changed, 173 insertions(+) create mode 100644 v3/lints/cabf_ev/lint_extra_subject_attribs.go create mode 100644 v3/lints/cabf_ev/lint_extra_subject_attribs_test.go 
diff --git a/v3/lints/cabf_ev/lint_extra_subject_attribs.go b/v3/lints/cabf_ev/lint_extra_subject_attribs.go
new file mode 100644
index 000000000..c2a99f894
--- /dev/null
+++ b/v3/lints/cabf_ev/lint_extra_subject_attribs.go
@@ -0,0 +1,100 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package cabf_ev
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "crypto/x509/pkix"
+ "encoding/asn1"
+ "fmt"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ev_extra_subject_attribs",
+ Description: "CAs SHALL NOT include any Subject Distinguished Name attributes except as specified...",
+ Citation: "EVGs ยง7.1.4.2.9",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.SC16EffectiveDate,
+ },
+ Lint: NewExtraSubjectAttribs,
+ })
+}
+
+type extraSubjectAttribs struct{}
+
+func NewExtraSubjectAttribs() lint.LintInterface {
+ return &extraSubjectAttribs{}
+}
+
+func (l *extraSubjectAttribs) CheckApplies(c *x509.Certificate) bool {
+ return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
+}
+
+/*
+ * We also include the OU attribute here, even though it is now banned, because this lint
+ * deals with a more general requirement that came into force long before the OU ban,
+ * and there is already another lint that deals with the OU attribute specifically.
+ *
+ * The organizationIdentifier attribute is only permitted starting from 21-may-2019 (EVGL 1.7.0),
+ * that is slightly later than SC16 came into force, however any certificates that contain this
+ * attribute and were issued before that date have long since expired, so let's not split hairs.
+ */
+var allowedAttribs = map[string]bool{
+ "1.3.6.1.4.1.311.60.2.1.1": true, // joiLocalityName
+ "1.3.6.1.4.1.311.60.2.1.2": true, // joiStateOrProvinceName
+ "1.3.6.1.4.1.311.60.2.1.3": true, // joiCountryName
+ "2.5.4.3": true, // commonName
+ "2.5.4.5": true, // serialNumber
+ "2.5.4.6": true, // countryName
+ "2.5.4.7": true, // localityName
+ "2.5.4.8": true, // stateOrProvinceName
+ "2.5.4.9": true, // streetAddress
+ "2.5.4.10": true, // organizationName
+ "2.5.4.11": true, // organizationalUnitName
+ "2.5.4.15": true, // businessCategory
+ "2.5.4.17": true, // postalCode
+ "2.5.4.97": true, // organizationIdentifier
+}
+
+func (l *extraSubjectAttribs) Execute(c *x509.Certificate) *lint.LintResult {
+
+ var rdnSequence pkix.RDNSequence
+ _, err := asn1.Unmarshal(c.RawSubject, &rdnSequence)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Fatal}
+ }
+
+ for _, rdn := range rdnSequence {
+ for _, atv := range rdn {
+ if !allowedAttribs[atv.Type.String()] {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("Subject attribute %s is not allowed in EV certificates", atv.Type.String()),
+ }
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_ev/lint_extra_subject_attribs_test.go b/v3/lints/cabf_ev/lint_extra_subject_attribs_test.go
new file mode 100644
index 000000000..4b32a6354
--- /dev/null
+++ b/v3/lints/cabf_ev/lint_extra_subject_attribs_test.go
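Review bot: In `Execute`, `_, err := asn1.Unmarshal(c.RawSubject, &rdnSequence)` discards the unparsed remainder, and the failure path returns a bare `lint.Fatal`, so a decoding failure in this lint cannot be told apart from any other fatal result. I would keep the remainder and report the cause: `rest, err := asn1.Unmarshal(c.RawSubject, &rdnSequence)` followed by `if err != nil || len(rest) != 0 { return &lint.LintResult{Status: lint.Fatal, Details: "cannot decode subject as an RDNSequence"} }`. Whether trailing bytes can actually reach this point depends on how zcrypto fills `RawSubject`, which is not visible in this hunk. Separately, the loop returns on the first attribute outside `allowedAttribs`, so a subject carrying several disallowed attributes is reported one OID at a time; collecting all offending OIDs into `Details` would give a complete finding in a single run.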
@@ -0,0 +1,73 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+/*
+ * Test cases
+ *
+ * File Description
+ * ------------------------ -------------
+ * extra_subj_attrs_na1.pem CA certificate
+ * extra_subj_attrs_na2.pem OV Subscriber certificate
+ * extra_subj_attrs_ok1.pem EV Subscriber certificate with valid Subject
+ * extra_subj_attrs_ne1.pem EV Subscriber certificate with invalid Subject, issued before effective date
+ * extra_subj_attrs_ko1.pem EV Subscriber certificate with invalid Subject, issued after effective date
+ *
+ */
+
+func TestExtraSubjectAttribs(t *testing.T) {
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+ data := []Data{
+ {
+ input: "extra_subj_attrs_na1.pem",
+ want: lint.NA,
+ },
+ {
+ input: "extra_subj_attrs_na2.pem",
+ want: lint.NA,
+ },
+ {
+ input: "extra_subj_attrs_ok1.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "extra_subj_attrs_ne1.pem",
+ want: lint.NE,
+ },
+ {
+ input: "extra_subj_attrs_ko1.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_ev_extra_subject_attribs", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
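Review bot: The `extra_subj_attrs_ko1.pem` case compares only `out.Status`, so the test would still pass if the lint reported a different attribute than the one the fixture was built to trigger. Adding a `details string` field to `Data` and comparing `out.Details` in the error case would pin the reported OID; going by the fixture's text dump later in this series, the expected message is `Subject attribute 2.5.4.18 is not allowed in EV certificates` (postOfficeBox). None of the five listed files is described as having a disallowed attribute inside a multi-valued RDN, so a fixture of that shape would be worth adding to exercise the inner loop of the lint.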
From a41de2842ac469614b9b705695602dd38d1abb77 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Thu, 5 Dec 2024 16:43:37 +0100 Subject: [PATCH 25/29] Add files via upload --- v3/testdata/extra_subj_attrs_ko1.pem | 101 +++++++++++++++++++ v3/testdata/extra_subj_attrs_na1.pem | 142 +++++++++++++++++++++++++++ v3/testdata/extra_subj_attrs_na2.pem | 100 +++++++++++++++++++ v3/testdata/extra_subj_attrs_ne1.pem | 101 +++++++++++++++++++ v3/testdata/extra_subj_attrs_ok1.pem | 102 +++++++++++++++++++ 5 files changed, 546 insertions(+) create mode 100644 v3/testdata/extra_subj_attrs_ko1.pem create mode 100644 v3/testdata/extra_subj_attrs_na1.pem create mode 100644 v3/testdata/extra_subj_attrs_na2.pem create mode 100644 v3/testdata/extra_subj_attrs_ne1.pem create mode 100644 v3/testdata/extra_subj_attrs_ok1.pem diff --git a/v3/testdata/extra_subj_attrs_ko1.pem b/v3/testdata/extra_subj_attrs_ko1.pem new file mode 100644 index 000000000..248994baf --- /dev/null +++ b/v3/testdata/extra_subj_attrs_ko1.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2b:2a:cd:c0:f6:58:82:5b:9a:72:3c:9f:3b:39:6f:30 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jul 4 04:31:44 2024 GMT + Not After : Jul 4 04:31:44 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890, postOfficeBox = 12345 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a6:25:29:3d:58:9c:78:2b:98:c0:d0:b8:01:b6: + 4c:e7:1c:a4:9f:83:bb:91:1d:ad:48:08:6f:bd:23: + 19:ad:f8:ba:1b:16:bf:76:1e:07:78:d1:cd:8c:f5: + 84:ba:f5:94:fd:af:d3:cf:bf:3c:c6:4f:65:97:4a: + e7:ed:04:bb:a0:6c:b4:2a:e9:8e:2b:b8:9c:41:cb: + d2:b7:09:b6:0b:f4:2c:e1:cc:9a:38:0e:ba:47:59: + 94:28:fd:73:fc:1d:1b:f3:d8:ce:57:99:81:5b:9d: + d2:4b:19:ac:d5:7e:7c:84:62:ba:68:00:1c:a8:be: + f7:37:b0:61:ca:cc:a0:5f:52:15:b9:af:4e:e9:53: + 79:68:57:2c:cc:a2:ab:5d:8e:de:f9:4a:27:12:fe: + d7:63:53:54:7b:69:02:47:7b:35:cf:1f:b3:d7:59: + ab:54:48:48:f8:e9:c4:66:98:75:4a:1d:bb:47:66: + 93:e4:e7:28:b9:75:91:56:86:a1:ae:29:ca:92:72: + 96:4d:49:c0:43:ad:36:35:6d:db:4a:9f:8c:0f:de: + bb:68:6e:38:00:a0:e6:5c:5c:c5:2a:ba:93:1a:31: + 98:d6:90:44:21:5a:7f:09:41:db:15:85:0b:ae:77: + 84:f2:60:73:21:09:d8:0c:88:d9:09:5a:02:d2:05: + 42:f1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 0C:AC:27:F2:A5:94:5F:B4:9B:40:93:6B:79:E6:10:35:AE:F6:2D:CB + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 
Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 49:f5:b3:65:03:8b:cd:2b:25:83:7c:e3:9e:ed:47:fe:58:23: + 5f:a6:78:2f:e7:89:2e:f3:d3:0b:ba:7d:76:a0:5c:83:92:56: + 2c:9e:1b:80:c6:36:a8:90:5d:a7:99:f8:dd:d9:83:dc:dc:10: + bc:ca:a4:ed:c2:6d:8e:7f:35:63:0c:ba:37:cf:73:fc:44:d1: + 43:e0:ee:df:12:21:a9:2e:a4:b9:08:83:f8:88:b2:50:ad:a2: + 97:59:db:4f:64:79:70:c7:4b:3d:f4:bd:76:51:72:c4:91:28: + 4f:79:38:74:95:21:16:bb:23:b6:13:01:72:5b:2c:21:b7:ec: + a3:15:90:87:cd:8d:c3:99:0a:8a:db:ec:bd:0d:78:26:64:da: + 5b:94:b7:3e:f8:5c:52:3f:bd:94:ab:2a:9f:1d:9c:7e:d4:a5: + f7:99:56:81:c3:35:76:12:b1:8f:24:ff:73:75:b9:56:6e:17: + dc:db:4d:1d:d3:ed:3f:e6:70:2e:dd:a2:c6:cc:10:ed:5e:a1: + 5e:4d:f0:72:48:8e:65:66:53:4d:66:43:c6:00:00:03:e3:e9: + 57:9a:5a:dc:de:04:c0:c8:ee:19:75:ed:39:a7:ba:be:fc:fc: + d4:fd:2e:69:7c:df:a1:2f:31:3f:c3:2f:b4:c0:63:95:e6:b2: + c1:76:34:d2 +-----BEGIN CERTIFICATE----- +MIIEnTCCA4WgAwIBAgIQKyrNwPZYgluacjyfOzlvMDANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA3MDQwNDMxNDRaFw0yNTA3MDQwNDMx +NDRaMIGZMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcxEzARBgNVBAUTCjEyMzQ1Njc4OTAx +DjAMBgNVBBITBTEyMzQ1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +piUpPViceCuYwNC4AbZM5xykn4O7kR2tSAhvvSMZrfi6Gxa/dh4HeNHNjPWEuvWU +/a/Tz788xk9ll0rn7QS7oGy0KumOK7icQcvStwm2C/Qs4cyaOA66R1mUKP1z/B0b +89jOV5mBW53SSxms1X58hGK6aAAcqL73N7BhysygX1IVua9O6VN5aFcszKKrXY7e ++UonEv7XY1NUe2kCR3s1zx+z11mrVEhI+OnEZph1Sh27R2aT5OcouXWRVoahrinK +knKWTUnAQ602NW3bSp+MD967aG44AKDmXFzFKrqTGjGY1pBEIVp/CUHbFYULrneE +8mBzIQnYDIjZCVoC0gVC8QIDAQABo4IBNDCCATAwDgYDVR0PAQH/BAQDAgWgMB0G +A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUDKwn8qWUX7Sb 
+QJNreeYQNa72LcswHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYI +KwYBBQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5j +b20vb2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jv +b3QwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwEgYDVR0gBAswCTAHBgVngQwBATAt +BgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMA0G +CSqGSIb3DQEBCwUAA4IBAQBJ9bNlA4vNKyWDfOOe7Uf+WCNfpngv54ku89MLun12 +oFyDklYsnhuAxjaokF2nmfjd2YPc3BC8yqTtwm2OfzVjDLo3z3P8RNFD4O7fEiGp +LqS5CIP4iLJQraKXWdtPZHlwx0s99L12UXLEkShPeTh0lSEWuyO2EwFyWywht+yj +FZCHzY3DmQqK2+y9DXgmZNpblLc++FxSP72UqyqfHZx+1KX3mVaBwzV2ErGPJP9z +dblWbhfc200d0+0/5nAu3aLGzBDtXqFeTfBySI5lZlNNZkPGAAAD4+lXmlrc3gTA +yO4Zde05p7q+/PzU/S5pfN+hLzE/wy+0wGOV5rLBdjTS +-----END CERTIFICATE----- diff --git a/v3/testdata/extra_subj_attrs_na1.pem b/v3/testdata/extra_subj_attrs_na1.pem new file mode 100644 index 000000000..ad85cc30c --- /dev/null +++ b/v3/testdata/extra_subj_attrs_na1.pem 
@@ -0,0 +1,142 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 47:5f:5a:fe:a4:fd:5a:41:04:88:2e:04:af:dc:c2:f6 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Jul 4 04:19:44 2024 GMT + Not After : Jul 3 04:19:44 2029 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:d3:0d:4b:35:d2:c9:64:51:1b:a4:09:f6:90:02: + 0c:b8:7a:68:d2:c7:85:4d:7b:3e:a4:3a:11:36:3c: + 01:41:c0:e3:78:48:aa:7d:e5:75:cb:6e:ae:22:b7: + 0e:81:a3:44:ff:62:22:5a:cf:d8:d6:c5:a6:9e:4d: + 8e:bc:34:23:9b:4a:4d:43:4d:37:bf:9b:6b:ad:25: + 52:07:20:2a:c9:50:e8:0a:0a:f7:7e:b0:30:71:8c: + 04:18:5c:17:d8:8c:94:52:39:6f:bc:14:3c:63:3e: + ef:de:f0:2f:c1:7f:25:83:48:fd:16:c6:0e:3d:bc: + c5:50:de:07:59:96:f5:a2:a7:a6:46:67:b6:1f:9a: + 79:97:1e:e1:9e:8f:2e:12:fc:49:7d:d3:41:e1:18: + 1d:26:2c:24:33:cd:2a:11:4c:d2:1c:1a:8b:9c:7b: + 4e:4b:46:96:ac:99:ce:5b:c4:1c:ed:00:f0:42:ee: + 4e:95:23:1e:4f:39:5f:bc:51:de:c0:10:a5:65:f1: + a7:3b:ad:98:02:76:2f:42:48:c0:00:d0:3b:40:b0: + 70:62:42:7c:bc:26:9b:65:1f:4e:47:1c:70:30:6a: + 5e:d0:f1:f8:17:6a:0c:c0:8e:50:f2:9f:3f:91:1a: + 00:37:92:8e:09:e8:21:6f:20:a5:f2:4a:c9:5d:43: + 0c:bc:91:9a:20:6d:c1:66:97:b7:7f:6f:34:6d:7d: + de:8c:f2:e2:50:46:13:19:d7:ec:2e:3c:19:15:12: + bc:36:35:46:68:38:91:8f:27:8b:42:fa:68:a1:23: + 03:c7:f6:2e:14:97:ac:e9:35:7f:6e:ad:b8:74:c6: + c1:1c:e4:c6:df:1d:56:28:a6:c1:e4:8f:61:6f:9c: + 38:7d:d7:a4:16:ca:fd:e3:c6:80:72:07:8b:35:1d: + 72:77:eb:a3:4e:ee:24:0e:9b:b8:e5:67:06:73:72: + d1:cc:b3:9c:a0:ed:77:0d:85:9b:26:91:3f:50:8c: + a0:53:86:ed:2a:e3:84:d0:24:ff:6b:af:68:92:dd: + 1d:e5:c7:ce:8a:8a:0f:87:4c:86:14:f3:4d:b1:d2: + e7:7f:1a:4d:52:d2:6a:ab:d4:95:e1:75:05:82:e3: + a3:4a:5c:fe:5f:c3:5e:19:93:7f:25:6e:64:44:72: + a5:6a:19:ee:74:43:ad:dc:27:ae:70:72:a7:2b:29: + 
01:7a:dd:33:b2:2d:d9:c5:42:7f:f4:86:91:2b:65: + 17:75:b8:90:ed:93:e3:aa:7d:48:dd:04:06:7f:86: + 52:04:29:69:ef:f6:9a:d8:43:ea:05:a3:ea:5a:69: + 1e:8d:2f:a3:05:a0:82:a8:60:ec:80:b6:9d:39:40: + b7:bb:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 64:3A:86:7F:DE:C9:23:B3:A6:E1:4B:32:BB:CF:9D:09:16:9D:9C:6F + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 14:aa:57:81:07:a3:8c:f9:8e:df:38:10:dc:75:bb:75:a1:61: + 88:0b:ae:1b:98:22:67:d4:f4:2d:2d:1f:76:ce:99:fb:f0:75: + d1:46:1d:39:7f:07:61:d5:89:23:e4:fb:9e:63:13:5b:cb:f8: + 0d:f9:13:5d:fb:d1:a0:25:cb:c8:70:d2:46:b5:16:a5:24:1f: + 68:d4:6e:c8:35:e0:eb:26:ae:35:d3:4d:0f:40:70:30:2a:7f: + 32:d2:10:fd:57:29:fc:15:4f:8a:62:f4:b0:6b:1b:9d:b9:32: + 75:cc:4d:f3:c5:cf:63:e9:cd:49:bb:17:83:c7:56:a1:dd:11: + 2a:91:b1:33:d9:e5:7d:d5:00:a1:f7:dd:e1:1b:2b:12:d9:a1: + 98:21:c3:05:62:30:b1:1d:26:16:76:f1:8e:02:b4:4c:f8:6d: + 14:aa:30:1b:4a:2e:78:c5:e5:12:48:64:65:12:22:89:8c:15: + c1:c3:56:1c:ec:65:15:66:63:ea:4a:ec:80:84:ec:4f:0b:52: + 34:50:3b:28:6d:f1:66:b9:82:8a:27:3f:0f:8c:48:2c:bc:19: + 29:87:ca:de:28:64:0a:e3:c8:29:fc:1d:d9:75:28:a0:f3:08: + ba:c4:5b:9b:e5:c6:09:6f:24:a3:d3:96:36:96:a3:a2:4e:81: + a7:88:8d:8f:7b:0c:66:2e:59:28:f4:b8:df:15:0c:e0:82:04: + 19:81:57:27:dd:c5:71:43:0e:11:a6:d4:16:46:80:2b:1e:ab: + 88:cd:e4:42:3e:f1:6c:89:83:8a:63:05:fb:e5:d9:68:b0:e8: + d6:7a:b4:48:58:58:5c:71:31:03:49:54:4e:f3:c0:5e:e8:2d: + 
9d:87:25:44:ba:18:1f:36:67:04:fd:00:62:15:b8:70:62:53: + 31:26:16:a5:93:60:3a:f7:d5:5c:53:5a:db:98:a3:2c:c8:07: + aa:2b:f6:8b:c1:c8:01:b4:fb:8e:bd:df:f8:94:38:3d:4c:7f: + dd:9b:a9:37:bb:d6:ca:20:93:17:3a:b7:55:3b:5c:89:4f:58: + b3:b2:89:9a:a0:12:e8:f7:60:7c:3e:00:b9:37:52:6c:91:96: + 5e:4d:ce:c3:21:66:17:ba:e5:2c:7c:69:ce:26:39:e4:49:47: + fc:51:b3:7e:15:16:b3:b9:05:b2:f8:00:2e:3b:e1:41:45:30: + 20:c5:56:e8:fd:c8:ca:a3:b8:6c:11:07:94:54:5c:ad:39:7d: + 55:bc:24:da:65:68:ac:a8:8a:0d:eb:ce:89:5e:29:0d:c7:f4: + 49:ae:29:a7:68:43:8e:a7:94:1c:52:48:c3:b3:21:0e:eb:4d: + 17:3b:d3:49:c9:ae:9e:c8 +-----BEGIN CERTIFICATE----- +MIIGcDCCBFigAwIBAgIQR19a/qT9WkEEiC4Er9zC9jANBgkqhkiG9w0BAQsFADBI +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEnMCUGA1UEAxMeRmFrZSBS +b290IENBIGZvciB6bGludCB0ZXN0aW5nMB4XDTI0MDcwNDA0MTk0NFoXDTI5MDcw +MzA0MTk0NFowcDELMAkGA1UEBhMCWFgxEzARBgNVBAgTClNvbWUgU3RhdGUxFjAU +BgNVBAcTDVNvbWUgTG9jYWxpdHkxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMT +GUZha2UgQ0EgZm9yIHpsaW50IHRlc3RpbmcwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQDTDUs10slkURukCfaQAgy4emjSx4VNez6kOhE2PAFBwON4SKp9 +5XXLbq4itw6Bo0T/YiJaz9jWxaaeTY68NCObSk1DTTe/m2utJVIHICrJUOgKCvd+ +sDBxjAQYXBfYjJRSOW+8FDxjPu/e8C/BfyWDSP0Wxg49vMVQ3gdZlvWip6ZGZ7Yf +mnmXHuGejy4S/El900HhGB0mLCQzzSoRTNIcGouce05LRpasmc5bxBztAPBC7k6V +Ix5POV+8Ud7AEKVl8ac7rZgCdi9CSMAA0DtAsHBiQny8JptlH05HHHAwal7Q8fgX +agzAjlDynz+RGgA3ko4J6CFvIKXySsldQwy8kZogbcFml7d/bzRtfd6M8uJQRhMZ +1+wuPBkVErw2NUZoOJGPJ4tC+mihIwPH9i4Ul6zpNX9urbh0xsEc5MbfHVYopsHk +j2FvnDh916QWyv3jxoByB4s1HXJ366NO7iQOm7jlZwZzctHMs5yg7XcNhZsmkT9Q +jKBThu0q44TQJP9rr2iS3R3lx86Kig+HTIYU802x0ud/Gk1S0mqr1JXhdQWC46NK +XP5fw14Zk38lbmREcqVqGe50Q63cJ65wcqcrKQF63TOyLdnFQn/0hpErZRd1uJDt +k+OqfUjdBAZ/hlIEKWnv9prYQ+oFo+paaR6NL6MFoIKoYOyAtp05QLe7/wIDAQAB +o4IBLDCCASgwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRkOoZ/3skjs6bhSzK7 +z50JFp2cbzAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEF 
+BQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9v +Y3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAR +BgNVHSAECjAIMAYGBFUdIAAwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNv +bWVjYS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAgEAFKpXgQejjPmO3zgQ +3HW7daFhiAuuG5giZ9T0LS0fds6Z+/B10UYdOX8HYdWJI+T7nmMTW8v4DfkTXfvR +oCXLyHDSRrUWpSQfaNRuyDXg6yauNdNND0BwMCp/MtIQ/Vcp/BVPimL0sGsbnbky +dcxN88XPY+nNSbsXg8dWod0RKpGxM9nlfdUAoffd4RsrEtmhmCHDBWIwsR0mFnbx +jgK0TPhtFKowG0oueMXlEkhkZRIiiYwVwcNWHOxlFWZj6krsgITsTwtSNFA7KG3x +ZrmCiic/D4xILLwZKYfK3ihkCuPIKfwd2XUooPMIusRbm+XGCW8ko9OWNpajok6B +p4iNj3sMZi5ZKPS43xUM4IIEGYFXJ93FcUMOEabUFkaAKx6riM3kQj7xbImDimMF +++XZaLDo1nq0SFhYXHExA0lUTvPAXugtnYclRLoYHzZnBP0AYhW4cGJTMSYWpZNg +OvfVXFNa25ijLMgHqiv2i8HIAbT7jr3f+JQ4PUx/3ZupN7vWyiCTFzq3VTtciU9Y +s7KJmqAS6PdgfD4AuTdSbJGWXk3OwyFmF7rlLHxpziY55ElH/FGzfhUWs7kFsvgA +LjvhQUUwIMVW6P3IyqO4bBEHlFRcrTl9Vbwk2mVorKiKDevOiV4pDcf0Sa4pp2hD +jqeUHFJIw7MhDutNFzvTScmunsg= +-----END CERTIFICATE----- diff --git a/v3/testdata/extra_subj_attrs_na2.pem b/v3/testdata/extra_subj_attrs_na2.pem new file mode 100644 index 000000000..804d1c503 --- /dev/null +++ b/v3/testdata/extra_subj_attrs_na2.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 22:be:cc:c3:29:b6:22:3e:00:0d:bb:b0:23:83:42:39 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jul 4 04:23:50 2024 GMT + Not After : Jul 4 04:23:50 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d5:7d:26:8a:e7:99:f2:c8:d9:1d:e3:3a:9d:a9: + 7b:9f:9f:b7:4c:5c:c5:87:1c:06:4c:d2:a1:f9:b0: + 40:ec:34:e1:a4:86:ec:e2:56:e9:d1:cd:15:33:05: + c1:fd:3b:1e:05:43:ec:53:bd:9d:bd:68:96:00:f8: + e1:f0:12:cc:ec:89:0d:d8:34:24:f4:cd:e3:67:57: + f0:68:1c:f1:24:ba:18:05:80:a7:16:69:c3:84:84: + 50:3a:5b:46:e5:bb:db:ec:b5:51:07:5c:3e:65:33: + a6:7e:05:09:c7:2d:ab:74:71:d5:db:a9:ad:ae:03: + 21:f3:e9:19:78:4e:05:46:be:03:c1:14:b0:0b:36: + 3e:39:1e:af:c4:de:40:e3:9c:4d:76:62:5c:93:0b: + da:65:29:e4:9b:53:1d:e2:a3:ba:a9:d5:53:02:16: + df:5c:ab:39:54:76:1f:07:21:50:85:4e:d7:4b:ce: + 06:9d:9f:dd:1b:47:00:8c:33:25:8f:5c:37:fc:63: + 7e:85:6a:de:33:5d:24:65:5f:7d:4a:d2:7d:99:0a: + c9:7e:dd:68:a8:d3:7a:58:54:db:8b:66:46:e2:60: + e8:ce:4a:b0:d2:70:ea:23:eb:4f:63:27:14:81:7e: + 2e:92:c7:dd:e3:12:20:bb:ab:ba:ee:9b:f9:88:8e: + c6:ef + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 5E:48:EF:42:2E:9C:D8:F9:CE:DF:D1:5E:29:CB:79:74:AC:13:EC:D5 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + 
+ X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 90:96:91:18:19:f7:ce:ea:f1:82:0c:33:44:b2:38:03:f1:5a: + 21:78:f0:b0:d0:94:c9:54:04:c9:4a:04:d8:ec:30:fe:09:08: + 61:bf:a9:d4:b5:e6:d1:c2:43:a2:13:82:95:32:ac:9c:e5:d7: + aa:4b:e6:8c:3a:14:e8:4e:90:04:7d:1f:1d:85:30:77:9b:76: + 02:c1:55:a4:06:7f:3b:90:96:a1:8b:09:41:28:59:fb:e1:9c: + 0a:ed:e1:b7:ee:14:8b:34:18:a5:e3:aa:e0:e4:3e:f3:f6:fb: + 52:5b:52:a2:56:d9:50:b6:d2:89:87:07:bf:a3:38:92:96:af: + ae:84:db:f5:b0:11:4c:5c:8b:96:f0:d1:8d:b4:d1:b1:04:68: + 85:f8:88:a7:74:66:0a:c7:45:dd:3f:57:7d:41:2d:7a:f4:1c: + 35:12:36:9e:25:ad:85:53:95:46:05:5d:a7:71:2e:37:8b:60: + b2:32:f8:e5:83:28:69:41:64:d5:75:7c:3f:c3:f7:14:0c:c0: + 9d:14:d2:f8:bc:16:2d:2a:db:d9:fc:11:fb:20:b2:fd:8b:e0: + f0:ce:46:3a:0d:68:75:58:bf:47:02:fd:91:3e:73:fe:4f:50: + 0a:23:92:81:5c:ab:f6:85:6f:67:e6:72:b6:c6:d5:ff:98:de: + 49:9a:fe:d2 +-----BEGIN CERTIFICATE----- +MIIEeDCCA2CgAwIBAgIQIr7Mwym2Ij4ADbuwI4NCOTANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA3MDQwNDIzNTBaFw0yNTA3MDQwNDIz +NTBaMHQxCzAJBgNVBAYTAklUMR8wHQYDVQQIExZTb21lIFN0YXRlIG9yIFByb3Zp +bmNlMRIwEAYDVQQHEwlTb21ld2hlcmUxGjAYBgNVBAoTEVNvbWUgQ29tcGFueSBM +dGQuMRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBANV9JornmfLI2R3jOp2pe5+ft0xcxYccBkzSofmwQOw04aSG7OJW +6dHNFTMFwf07HgVD7FO9nb1olgD44fASzOyJDdg0JPTN42dX8Ggc8SS6GAWApxZp +w4SEUDpbRuW72+y1UQdcPmUzpn4FCcctq3Rx1dupra4DIfPpGXhOBUa+A8EUsAs2 +Pjker8TeQOOcTXZiXJML2mUp5JtTHeKjuqnVUwIW31yrOVR2HwchUIVO10vOBp2f +3RtHAIwzJY9cN/xjfoVq3jNdJGVffUrSfZkKyX7daKjTelhU24tmRuJg6M5KsNJw +6iPrT2MnFIF+LpLH3eMSILuruu6b+YiOxu8CAwEAAaOCATUwggExMA4GA1UdDwEB +/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYE +FF5I70IunNj5zt/RXinLeXSsE+zVMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+ +B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNv 
+bWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2Et +aW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBMGA1UdIAQMMAow +CAYGZ4EMAQICMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5j +LmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggEBAJCWkRgZ987q8YIMM0SyOAPxWiF4 +8LDQlMlUBMlKBNjsMP4JCGG/qdS15tHCQ6ITgpUyrJzl16pL5ow6FOhOkAR9Hx2F +MHebdgLBVaQGfzuQlqGLCUEoWfvhnArt4bfuFIs0GKXjquDkPvP2+1JbUqJW2VC2 +0omHB7+jOJKWr66E2/WwEUxci5bw0Y200bEEaIX4iKd0ZgrHRd0/V31BLXr0HDUS +Np4lrYVTlUYFXadxLjeLYLIy+OWDKGlBZNV1fD/D9xQMwJ0U0vi8Fi0q29n8Efsg +sv2L4PDORjoNaHVYv0cC/ZE+c/5PUAojkoFcq/aFb2fmcrbG1f+Y3kma/tI= +-----END CERTIFICATE----- diff --git a/v3/testdata/extra_subj_attrs_ne1.pem b/v3/testdata/extra_subj_attrs_ne1.pem new file mode 100644 index 000000000..2b8c1743d --- /dev/null +++ b/v3/testdata/extra_subj_attrs_ne1.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a5:98:78:aa:79:0f:60:55:84:58:71:6f:79:72:97:19 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 13 00:00:00 2019 GMT + Not After : Apr 12 00:00:00 2020 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890, postOfficeBox = 12345 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ab:97:ce:b7:ff:15:ce:9b:1f:f9:45:5a:4b:4b: + ad:67:62:38:47:9d:00:34:93:24:e2:f7:6f:94:df: + 41:a5:97:2b:ca:d1:eb:d8:87:e0:ab:8d:98:a5:bc: + b7:8e:d3:cd:ff:eb:65:f8:a7:c3:a7:6b:be:76:b3: + 4a:f9:bb:d8:a7:a2:f7:4a:5c:f4:44:07:00:03:04: + 43:a7:8d:df:f7:41:a6:32:6b:da:b3:44:c8:e6:c6: + e3:7b:7f:05:f6:21:80:36:9e:76:db:74:55:ab:20: + e8:90:bb:56:ed:99:c8:be:83:5e:fd:51:ae:50:f6: + e4:9a:ed:85:ae:66:e5:2c:21:bf:69:11:dc:3d:be: + 40:4e:7f:f0:7e:5d:cc:ec:f0:0c:f4:3e:f4:11:d2: + 56:35:70:6c:d5:85:40:45:09:86:04:47:8d:08:ec: + d9:7a:cc:17:b4:e0:7d:a9:7f:87:ac:1b:55:fd:0f: + 7a:bb:80:6b:b8:fa:68:5f:97:71:bd:11:cb:a5:aa: + cb:db:68:9a:05:89:bd:7f:ba:98:8d:98:be:3d:07: + 1e:46:6a:03:e5:86:9b:d8:53:38:a9:0e:be:72:43: + 87:a7:9f:5c:78:e6:24:d9:a1:78:a1:40:3d:12:df: + 01:06:7f:4c:ad:a1:1a:c1:d9:91:5d:b1:4a:e5:3f: + ca:2f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + A9:43:73:EC:D3:04:19:3D:F5:8E:74:9D:AB:2C:CB:2B:E7:9C:31:33 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + 
X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 26:f6:a7:1b:0d:a3:5b:45:32:f3:a8:e4:08:3e:81:15:a6:6d: + 7c:20:a3:9e:83:73:90:3f:fc:7d:19:ad:1d:7c:5e:b1:fe:dc: + 87:a2:37:34:55:4f:63:38:6a:a9:7a:b8:0d:04:ba:fc:42:43: + b3:85:c7:b2:3c:6c:31:23:c4:86:7e:08:f5:55:bc:38:2b:5d: + 5f:5e:28:f9:b6:6a:9d:2a:b0:bc:c8:30:f1:7b:e6:d1:f7:2e: + c1:7a:71:bc:d5:b0:f5:c0:ac:bd:a8:f6:ad:d1:2b:24:fe:ab: + 03:a0:20:5e:56:1b:7e:70:04:05:91:ad:63:be:1f:c6:1a:ea: + 46:b5:a2:d6:cf:29:5b:45:b5:77:9f:ec:fc:67:49:cc:7e:2e: + 4d:df:dd:46:ba:a6:0f:0b:34:ec:e0:e5:a9:34:de:4e:d4:b1: + 99:e2:f4:5e:87:21:7c:d3:aa:6b:d5:11:99:2a:b9:97:b3:34: + 6d:3d:5e:aa:50:62:17:80:f1:ca:08:17:cb:b4:34:25:8f:1a: + 4c:b0:a5:62:58:85:c4:8f:25:53:62:3a:b9:0c:ee:99:d3:e0: + 6d:b8:e1:55:cf:5a:1e:47:23:37:3c:a3:4b:84:db:80:f3:a7: + fd:37:d3:72:45:82:37:a0:a4:a1:e6:ca:55:ba:67:24:10:4b: + ab:29:bc:11 +-----BEGIN CERTIFICATE----- +MIIEnjCCA4agAwIBAgIRAKWYeKp5D2BVhFhxb3lylxkwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMTkwNDEzMDAwMDAwWhcNMjAwNDEyMDAw +MDAwWjCBmTELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUub3JnMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MQ4wDAYDVQQSEwUxMjM0NTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AKuXzrf/Fc6bH/lFWktLrWdiOEedADSTJOL3b5TfQaWXK8rR69iH4KuNmKW8t47T +zf/rZfinw6drvnazSvm72Kei90pc9EQHAAMEQ6eN3/dBpjJr2rNEyObG43t/BfYh +gDaedtt0Vasg6JC7Vu2ZyL6DXv1RrlD25Jrtha5m5Swhv2kR3D2+QE5/8H5dzOzw +DPQ+9BHSVjVwbNWFQEUJhgRHjQjs2XrMF7Tgfal/h6wbVf0PeruAa7j6aF+Xcb0R +y6Wqy9tomgWJvX+6mI2Yvj0HHkZqA+WGm9hTOKkOvnJDh6efXHjmJNmheKFAPRLf +AQZ/TK2hGsHZkV2xSuU/yi8CAwEAAaOCATQwggEwMA4GA1UdDwEB/wQEAwIFoDAd +BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFKlDc+zTBBk9 
+9Y50nassyyvnnDEzMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQG +CCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMu +Y29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9y +b290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBIGA1UdIAQLMAkwBwYFZ4EMAQEw +LQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDAN +BgkqhkiG9w0BAQsFAAOCAQEAJvanGw2jW0Uy86jkCD6BFaZtfCCjnoNzkD/8fRmt +HXxesf7ch6I3NFVPYzhqqXq4DQS6/EJDs4XHsjxsMSPEhn4I9VW8OCtdX14o+bZq +nSqwvMgw8Xvm0fcuwXpxvNWw9cCsvaj2rdErJP6rA6AgXlYbfnAEBZGtY74fxhrq +RrWi1s8pW0W1d5/s/GdJzH4uTd/dRrqmDws07ODlqTTeTtSxmeL0XochfNOqa9UR +mSq5l7M0bT1eqlBiF4DxyggXy7Q0JY8aTLClYliFxI8lU2I6uQzumdPgbbjhVc9a +HkcjNzyjS4TbgPOn/TfTckWCN6CkoebKVbpnJBBLqym8EQ== +-----END CERTIFICATE----- diff --git a/v3/testdata/extra_subj_attrs_ok1.pem b/v3/testdata/extra_subj_attrs_ok1.pem new file mode 100644 index 000000000..b043c24e2 --- /dev/null +++ b/v3/testdata/extra_subj_attrs_ok1.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 81:24:5e:a7:9a:04:90:ae:40:ca:b8:89:2c:04:97 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Jul 4 04:25:41 2024 GMT + Not After : Jul 4 04:25:41 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890, businessCategory = Non-Commercial Entity + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:9b:1b:85:2f:53:fb:08:40:6a:2a:40:a1:cc:6d: + f2:d5:bb:4a:86:f9:12:03:e4:55:0b:c6:dc:70:ec: + 91:f1:3f:b7:44:4f:05:53:2b:68:31:8e:9c:27:92: + 17:b6:ea:43:02:88:12:76:80:00:b7:5f:60:9f:47: + 02:e6:19:f9:4f:65:3a:f6:6c:54:b2:41:14:a0:0f: + 9b:a0:bd:ca:ff:d9:bb:bf:51:58:eb:37:66:57:38: + 8c:86:30:77:d1:b8:63:73:9f:0a:83:73:1e:ae:ab: + f4:0c:f4:53:dc:18:20:2a:19:1f:f2:53:60:9a:b9: + 49:e3:be:54:d9:e1:ff:60:7b:d3:aa:df:3c:eb:bc: + 8c:15:12:fd:fc:98:ce:5f:f6:5a:b8:27:38:2f:60: + 84:f8:fc:3a:4e:81:7a:bb:63:41:70:c8:46:76:55: + 4b:dc:14:94:0a:84:9c:87:99:ca:d7:74:3c:62:22: + c0:58:e3:21:60:4f:4a:f3:d8:eb:fd:fa:a2:35:45: + eb:5f:bf:33:1c:10:71:62:9d:68:3b:86:95:de:fb: + a9:18:22:e9:30:d5:22:aa:1b:df:28:03:21:fd:1d: + 6b:38:fc:52:e1:53:48:aa:4d:85:5d:92:71:43:63: + 28:79:ca:a1:ea:c6:8d:ee:9a:b9:a6:8d:c7:c7:eb: + 94:9b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 81:2F:1F:10:DF:33:E6:9B:E4:2C:0F:AE:E6:F4:8D:51:BC:63:E1:BA + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 72:26:40:51:65:5b:b9:f0:d0:df:12:73:28:8b:57:63:f9:e6: + c4:5c:32:02:3d:63:32:eb:04:6c:71:aa:11:39:98:8c:09:0c: + 42:b9:90:7f:21:a1:c1:1e:37:46:5a:4a:77:d7:c6:29:c6:20: + 98:87:a5:6b:ff:31:de:4d:ad:90:42:ef:93:62:a7:23:df:29: + 50:00:1b:d4:b4:be:8a:1b:87:d2:58:b0:31:ec:1a:1f:98:ab: + 0d:03:ce:72:b3:a8:fd:59:47:83:39:ed:44:0f:96:a6:96:df: + ba:3e:94:74:c7:e1:41:ef:d5:5b:65:1e:ff:2a:8d:c5:74:8d: + aa:3f:e6:27:ab:54:0a:57:ae:72:7a:4c:48:55:58:0a:8f:f1: + f2:bc:14:d3:fc:af:7a:82:e8:61:bf:ac:91:c3:6b:5c:52:7b: + 69:39:78:04:39:ba:ec:c6:68:55:12:57:b9:1b:dd:0f:0b:5d: + 65:09:ff:e7:d3:d5:c6:ae:66:e7:b5:df:42:f8:64:32:d6:30: + 7a:ef:53:95:c5:38:e1:43:b3:9b:13:57:7e:6e:b6:7f:48:58: + 6d:8f:d3:fb:03:bf:dc:8d:92:72:b6:5a:33:92:d3:8a:9c:a8: + 7a:f6:a0:5e:ba:04:2e:54:fb:65:88:df:6c:87:95:e5:13:20: + 1f:b3:7c:f6 +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIQAIEkXqeaBJCuQMq4iSwElzANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA3MDQwNDI1NDFaFw0yNTA3MDQwNDI1 +NDFaMIGpMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcxEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HjAcBgNVBA8TFU5vbi1Db21tZXJjaWFsIEVudGl0eTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAJsbhS9T+whAaipAocxt8tW7Sob5EgPkVQvG3HDskfE/ +t0RPBVMraDGOnCeSF7bqQwKIEnaAALdfYJ9HAuYZ+U9lOvZsVLJBFKAPm6C9yv/Z +u79RWOs3Zlc4jIYwd9G4Y3OfCoNzHq6r9Az0U9wYICoZH/JTYJq5SeO+VNnh/2B7 +06rfPOu8jBUS/fyYzl/2WrgnOC9ghPj8Ok6BertjQXDIRnZVS9wUlAqEnIeZytd0 +PGIiwFjjIWBPSvPY6/36ojVF61+/MxwQcWKdaDuGld77qRgi6TDVIqob3ygDIf0d +azj8UuFTSKpNhV2ScUNjKHnKoerGje6auaaNx8frlJsCAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFIEvHxDfM+ab5CwPrub0jVG8Y+G6MB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAciZAUWVbufDQ3xJzKItX +Y/nmxFwyAj1jMusEbHGqETmYjAkMQrmQfyGhwR43RlpKd9fGKcYgmIela/8x3k2t +kELvk2KnI98pUAAb1LS+ihuH0liwMewaH5irDQPOcrOo/VlHgzntRA+Wppbfuj6U +dMfhQe/VW2Ue/yqNxXSNqj/mJ6tUCleucnpMSFVYCo/x8rwU0/yveoLoYb+skcNr +XFJ7aTl4BDm67MZoVRJXuRvdDwtdZQn/59PVxq5m57XfQvhkMtYweu9TlcU44UOz +mxNXfm62f0hYbY/T+wO/3I2ScrZaM5LTipyoevagXroELlT7ZYjfbIeV5RMgH7N8 +9g== +-----END CERTIFICATE----- From 62bebc7ad27b540d191eef793df8f81ce91ec789 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Thu, 5 Dec 2024 16:46:32 +0100 Subject: [PATCH 26/29] Update config.json --- v3/integration/config.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/v3/integration/config.json b/v3/integration/config.json index c6a4baee9..d2854202f 100644 --- a/v3/integration/config.json +++ b/v3/integration/config.json @@ -976,6 +976,9 @@ }, "e_subj_country_not_uppercase": { "ErrCount": 1303 + }, + "e_ev_extra_subject_attribs": { + "ErrCount": 63 } } } From 12ff6edab0558da0b8186cc536eb21381a078e85 Mon Sep 17 00:00:00 2001 From: Adriano Santoni Date: Fri, 6 Dec 2024 07:13:46 +0100 Subject: [PATCH 27/29] Add files via upload --- v3/lints/cabf_ev/lint_extra_subject_attribs.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v3/lints/cabf_ev/lint_extra_subject_attribs.go b/v3/lints/cabf_ev/lint_extra_subject_attribs.go index c2a99f894..2072ab27a 100644 --- a/v3/lints/cabf_ev/lint_extra_subject_attribs.go +++ b/v3/lints/cabf_ev/lint_extra_subject_attribs.go 
@@ -58,7 +58,7 @@ func (l *extraSubjectAttribs) CheckApplies(c *x509.Certificate) bool {
 *
 * The organizationIdentifier attribute is only permitted starting from 21-may-2019 (EVGL 1.7.0),
 * that is slightly later than SC16 came into force, however any certificates that contain this
- * attribute and were issued before that date have long since expired, so let's not split hairs.
+ * attribute and were issued before that date have long since expired, so it makes no difference.
 */
 var allowedAttribs = map[string]bool{
 "1.3.6.1.4.1.311.60.2.1.1": true, // joiLocalityName
From f7dd6bc782af899df67aa53ead60a43f1266943d Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Sat, 7 Dec 2024 10:02:50 +0100
Subject: [PATCH 28/29] Update lint_extra_subject_attribs.go
---
 v3/lints/cabf_ev/lint_extra_subject_attribs.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v3/lints/cabf_ev/lint_extra_subject_attribs.go b/v3/lints/cabf_ev/lint_extra_subject_attribs.go
index 2072ab27a..1a161db2a 100644
--- a/v3/lints/cabf_ev/lint_extra_subject_attribs.go
+++ b/v3/lints/cabf_ev/lint_extra_subject_attribs.go
@@ -57,7 +57,7 @@ func (l *extraSubjectAttribs) CheckApplies(c *x509.Certificate) bool {
 * and there is already another lint that deals with the OU attribute specifically.
 *
 * The organizationIdentifier attribute is only permitted starting from 21-may-2019 (EVGL 1.7.0),
- * that is slightly later than SC16 came into force, however any certificates that contain this
+ * which is slightly after SC16 came into force, however any certificates that contain this
 * attribute and were issued before that date have long since expired, so it makes no difference.
 */
 var allowedAttribs = map[string]bool{
From 07ea7525433250c6ba109c3f3112a657feaabcc5 Mon Sep 17 00:00:00 2001
From: Adriano Santoni
Date: Sat, 7 Dec 2024 10:12:28 +0100
Subject: [PATCH 29/29] Update time.go
---
 v3/util/time.go | 1 +
 1 file changed, 1 insertion(+)
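Review bot: The comment above `allowedAttribs` in v3/lints/cabf_ev/lint_extra_subject_attribs.go (reworded in PATCH 27/29 and again in 28/29) settles the gap between SC16 and the organizationIdentifier date with "have long since expired, so it makes no difference", which holds only if expired certificates are never linted. The `ErrCount` entry added for `e_ev_extra_subject_attribs` in v3/integration/config.json suggests the lint is also run over a stored corpus, where expiry does not exclude a certificate. The comment should state the consequence instead, e.g. `* Certificates issued in that window that carry organizationIdentifier are therefore not reported by this lint.` It also gives 21-may-2019 for EVGL 1.7.0 while `SC17EffectiveDate` in v3/util/time.go is June 21, 2019; if both refer to the same ballot, say whether the comment means the adoption or the effective date. The comment block and the map both continue outside these hunks.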
diff --git a/v3/util/time.go b/v3/util/time.go
index 451585b00..c91de7a20 100644
--- a/v3/util/time.go
+++ b/v3/util/time.go
@@ -86,6 +86,7 @@ var (
 CABFBRs_2_0_8_Date = time.Date(2024, time.October, 2, 0, 0, 0, 0, time.UTC)
 NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC)
 CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
+ SC16EffectiveDate = time.Date(2019, time.April, 16, 0, 0, 0, 0, time.UTC)
 SC17EffectiveDate = time.Date(2019, time.June, 21, 0, 0, 0, 0, time.UTC)
 CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC)
 // Enforcement date of CRL reason codes from Ballot SC 061
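Review bot: The new `SC16EffectiveDate` line carries no comment naming the ballot or the source of 16 April 2019, so the value cannot be checked against the CA/Browser Forum record from this file. A wrong effective date presumably shifts which certificates a date-gated lint reports without any visible failure, so it needs a citation. The last context line (`// Enforcement date of CRL reason codes from Ballot SC 061`) shows that the block already documents some entries this way; a matching line such as `// Effective date of Ballot SC16 (<ballot title and URL>)` above the new entry would do. The `var (` block starts before and continues after the hunk.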