From 26ab5b0a05d2a70c1a5e98c38fc8a08794fcf950 Mon Sep 17 00:00:00 2001 
From: Adriano Santoni Date: Sat, 11 May 2024 20:04:08 +0200 Subject: [PATCH 1/4] Add lint for checking that the 'critical' field is properly DER-encoded in extensions (#839) * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Update lint_invalid_subject_rdn_order_test.go Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment * Update lint_invalid_subject_rdn_order.go Fixed import block * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go Fine to me. Co-authored-by: Christopher Henderson * Update lint_invalid_subject_rdn_order.go As per Chris Henderson's suggestion, to "improve readability". * Update lint_invalid_subject_rdn_order_test.go As per Chris Henderson's suggestion. * Update time.go Added CABFEV_Sec9_2_8_Date * Add files via upload * Add files via upload * Revised according to Chris and Corey suggestions * Add files via upload * Add files via upload * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go * Delete v3/testdata/invalid_cps_uri_ko_01.pem * Delete v3/testdata/invalid_cps_uri_ko_02.pem * Delete v3/testdata/invalid_cps_uri_ko_03.pem * Delete v3/testdata/invalid_cps_uri_ok_01.pem * Delete v3/testdata/invalid_cps_uri_ok_02.pem * Delete v3/testdata/invalid_cps_uri_ok_03.pem * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Delete v3/lints/rfc/lint_empty_sct_list.go * Delete v3/lints/rfc/lint_empty_sct_list_test.go * Delete v3/testdata/empty_sct_list_ko_01.pem * Delete v3/testdata/empty_sct_list_na_01.pem * Delete v3/testdata/empty_sct_list_na_02.pem * Delete v3/testdata/empty_sct_list_ok_01.pem * Delete v3/testdata/empty_sct_list_ok_02.pem * Update source.go * Update time.go --------- Co-authored-by: Christopher Henderson --- 
v3/lints/rfc/lint_cert_ext_invalid_der.go | 119 ++++++++++++++++++ .../rfc/lint_cert_ext_invalid_der_test.go | 42 +++++++ v3/testdata/cert_ext_invalid_der_ko_01.pem | 100 +++++++++++++++ v3/testdata/cert_ext_invalid_der_ok_01.pem | 100 +++++++++++++++ 4 files changed, 361 insertions(+) create mode 100644 v3/lints/rfc/lint_cert_ext_invalid_der.go create mode 100644 v3/lints/rfc/lint_cert_ext_invalid_der_test.go create mode 100644 v3/testdata/cert_ext_invalid_der_ko_01.pem create mode 100644 v3/testdata/cert_ext_invalid_der_ok_01.pem diff --git a/v3/lints/rfc/lint_cert_ext_invalid_der.go b/v3/lints/rfc/lint_cert_ext_invalid_der.go new file mode 100644 index 000000000..578444af6 --- /dev/null +++ b/v3/lints/rfc/lint_cert_ext_invalid_der.go 
@@ -0,0 +1,119 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "crypto/x509/pkix"
+ "encoding/asn1"
+ "fmt"
+ "math/big"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cert_ext_invalid_der",
+ Description: "Checks that the 'critical' flag of extensions is not FALSE when present (as per DER encoding)",
+ Citation: "RFC 5280 $4.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewCertExtensionInvalidDER,
+ })
+}
+
+type certExtensionInvalidDER struct{}
+
+/*
+ * Modified syntax w/respect to RFC 5280, so we can detect whether
+ * the critical field is actually present in the DER encoding
+ */
+type Extension struct {
+ Id asn1.ObjectIdentifier
+ // This is either the 'critical' or the 'extnValue' field (see RFC 5280 section 4.1)
+ // We can discriminate based on tag, since the two fields are of different ASN.1 types
+ Field2 asn1.RawValue
+ // If this is present, it can only be the 'extnValue' field
+ // We need to be able to capture it, but we do not deal with it
+ Field3 asn1.RawValue `asn1:"optional"`
+}
+
+// This is just plain RFC 5280
+type Certificate struct {
+ TbsCertificate TBSCertificate
+ SignatureAlgorithm pkix.AlgorithmIdentifier
+ SignatureValue asn1.BitString
+}
+
+// Simplified with respect to RFC 5280, as we are not interested in most fields here
+type TBSCertificate struct {
+ Version int `asn1:"optional,explicit,default:0,tag:0"`
+ SerialNumber *big.Int
+ SignatureAlgo pkix.AlgorithmIdentifier
+ Issuer asn1.RawValue
+ Validity asn1.RawValue
+ Subject asn1.RawValue
+ PublicKey asn1.RawValue
+ IssuerUniqueId asn1.BitString `asn1:"optional,tag:1"`
+ SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"`
+ Extensions []Extension `asn1:"omitempty,optional,explicit,tag:3"`
+}
+
+func NewCertExtensionInvalidDER() lint.LintInterface {
+ return &certExtensionInvalidDER{}
+}
+
+func (l *certExtensionInvalidDER) CheckApplies(c *x509.Certificate) bool {
+ // This lint applies to any kind of certificate
+ return true
+}
+
+func (l *certExtensionInvalidDER) Execute(c *x509.Certificate) *lint.LintResult {
+
+ // Re-decode certificate based on an ad-hoc target struct
+ var cert Certificate
+ _, err := asn1.Unmarshal(c.Raw, &cert)
+
+ // This should never happen
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: "Failed to decode certificate",
+ }
+ }
+
+ for _, ext := range cert.TbsCertificate.Extensions {
+ if ext.Field2.Tag == asn1.TagBoolean {
+ // This is the 'critical' flag
+ if ext.Field2.Bytes[0] == 0 {
+ // This a BOOLEAN FALSE
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("The %v extension is not properly DER-encoded ('critical' must be absent when FALSE)", ext.Id),
+ }
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/rfc/lint_cert_ext_invalid_der_test.go b/v3/lints/rfc/lint_cert_ext_invalid_der_test.go
new file mode 100644
index 000000000..9e265788c
--- /dev/null
+++ b/v3/lints/rfc/lint_cert_ext_invalid_der_test.go
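Review bot: `ext.Field2.Bytes[0]` in Execute is indexed without a length check; `asn1.Unmarshal` into an `asn1.RawValue` validates only the tag/length header as far as I can tell, so a certificate carrying a zero-length BOOLEAN (`01 00`) would panic here with an index out of range instead of producing a lint error — unless zcrypto's parser already rejects such a certificate before any lint runs, which I cannot confirm from this hunk. The check is also narrower than the lint's name implies: DER (X.690 §11.1) requires TRUE to be encoded as the single octet 0xFF, so a `critical` encoded as `01 01 01` is BER but not DER and, if zcrypto lets the certificate through, passes this lint silently. I would make the branch cover all three outcomes, as below; the existing FALSE error is unchanged. Separately, `Citation: "RFC 5280 $4.2"` presumably meant `§4.2`, if the `$` is not an artifact of how this patch was rendered. The helper types `Extension`, `Certificate` and `TBSCertificate` are exported from package rfc although nothing outside this lint needs them; lower-casing them keeps them out of the package's API.
```go
		if ext.Field2.Tag == asn1.TagBoolean {
			// X.690 §11.1: a DER BOOLEAN has exactly one content octet and TRUE is 0xFF;
			// RFC 5280 §4.1 declares critical DEFAULT FALSE, so FALSE must be omitted entirely.
			switch {
			case len(ext.Field2.Bytes) != 1:
				return &lint.LintResult{
					Status:  lint.Error,
					Details: fmt.Sprintf("The %v extension has a malformed 'critical' BOOLEAN (%d content octets)", ext.Id, len(ext.Field2.Bytes)),
				}
			case ext.Field2.Bytes[0] == 0:
				// … unchanged: existing "'critical' must be absent when FALSE" error …
			case ext.Field2.Bytes[0] != 0xFF:
				return &lint.LintResult{
					Status:  lint.Error,
					Details: fmt.Sprintf("The %v extension is not properly DER-encoded ('critical' TRUE must be 0xFF, got 0x%02X)", ext.Id, ext.Field2.Bytes[0]),
				}
			}
		}
```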
@@ -0,0 +1,42 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package rfc
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestCertExtensionInvalidDEROK(t *testing.T) {
+ // Regular certificate in proper DER encoding all over
+ inputPath := "cert_ext_invalid_der_ok_01.pem"
+ expected := lint.Pass
+ out := test.TestLint("e_cert_ext_invalid_der", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
+
+func TestCertExtensionInvalidDERKO(t *testing.T) {
+ // Certificate with improperly DER-encoded SAN extension
+ inputPath := "cert_ext_invalid_der_ko_01.pem"
+ expected := lint.Error
+ out := test.TestLint("e_cert_ext_invalid_der", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
diff --git a/v3/testdata/cert_ext_invalid_der_ko_01.pem b/v3/testdata/cert_ext_invalid_der_ko_01.pem
new file mode 100644
index 000000000..733c240a8
--- /dev/null
+++ b/v3/testdata/cert_ext_invalid_der_ko_01.pem
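Review bot: `TestCertExtensionInvalidDEROK` and `TestCertExtensionInvalidDERKO` share one body and differ only in fixture and expected status; the table-driven shape used for the precertificate lint's test later in this series (a `type Data struct{ input string; want lint.LintStatus }` slice with a `t.Run` per fixture) would keep the two test files consistent and make adding a fixture a one-line change. A third fixture whose `critical` BOOLEAN is neither a single `0x00` nor `0xFF` octet would also be worth adding, since nothing here pins how the lint behaves on a malformed boolean. The KO comment says the SAN extension is "improperly DER-encoded", which the accompanying openssl text dump cannot show; decoding the fixture's base64, the SAN extension appears to carry an explicit `01 01 00` (`critical FALSE`), so a comment such as `// SAN carries an explicit BOOLEAN FALSE for 'critical', visible only in the DER` would spare the next reader that step.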
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 7b:7f:53:2d:75:09:15:8d:0a:81:17:0f:c6:79:d4:5d + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: May 1 11:20:27 2024 GMT + Not After : May 1 11:20:27 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ae:c4:6d:71:3d:45:0a:2f:39:d5:dc:9d:0b:11: + 9f:6e:c2:0b:26:6b:e9:1d:9e:a0:8d:51:48:7f:0f: + 08:63:fc:fb:01:75:68:a1:dd:fc:a5:7b:3c:c5:c2: + b2:f2:15:7a:24:cd:c0:f3:d5:6b:5b:d8:97:9d:ab: + 01:80:05:06:07:bc:0d:89:30:2d:f7:4f:75:33:12: + 23:f5:35:9a:ac:bd:c4:80:1f:ba:e2:17:e8:3a:22: + 99:0f:14:f8:68:08:3a:fc:99:eb:67:8a:63:57:fb: + de:1f:64:15:bb:25:91:ee:c2:0e:36:7a:c8:88:f5: + 35:09:b5:a8:83:c4:8e:32:f7:9a:c8:05:40:bb:81: + 6f:1f:c9:a3:b7:19:12:f4:b7:44:bb:8b:4a:51:de: + 05:ca:54:37:f4:7a:f2:c0:67:0f:92:0f:85:f4:b9: + f3:d3:33:d1:54:f5:9f:5f:77:f6:ee:48:1b:57:d9: + fa:ac:5a:28:3d:fe:32:a3:37:1f:3e:29:10:f1:72: + 24:90:19:84:cf:70:30:21:3b:bf:5b:cf:a3:f0:e1: + 0a:13:cd:0d:6b:b0:42:a7:e4:1a:67:71:b2:49:64: + 46:81:1f:d3:2e:a9:5b:f9:46:b6:7e:01:af:a7:cb: + 79:de:9a:f9:0c:f8:c1:a5:47:1e:a7:d7:7b:0a:82: + 75:91 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + CD:88:D5:FB:92:31:3B:17:A1:6F:DA:1F:55:D5:A1:FE:56:FE:0E:21 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + + X509v3 CRL Distribution Points: + + Full Name: + 
URI:http://ca.someca-inc.com/crl + + X509v3 Subject Alternative Name: + DNS:example.org + Signature Algorithm: sha256WithRSAEncryption + 59:19:cf:67:22:d4:c7:d3:9f:57:bd:7c:d2:49:d0:6a:31:84: + fe:3c:31:09:5a:36:5c:e7:63:0c:0c:68:e0:ef:18:f9:c6:24: + 4f:c0:55:d0:b9:c6:6a:63:5c:fc:1d:27:23:15:b1:59:2f:0c: + 73:d1:d1:18:98:46:06:c1:05:ca:38:15:2d:26:7e:77:32:5e: + b6:83:72:ba:dc:33:15:54:6b:58:db:c1:a1:60:46:ec:de:8e: + d9:3b:00:de:6f:90:fa:c3:52:50:6d:1c:dd:46:ed:30:77:a8: + af:d1:b9:42:e7:2a:ff:46:9d:ca:b1:5a:b9:d3:81:13:37:4a: + 47:7b:97:ea:15:f6:ca:9a:0b:24:31:e4:a7:6c:74:db:e5:8a: + 7b:cf:7f:00:b6:9e:22:90:06:7f:78:f9:79:ed:71:ee:f0:f2: + 47:18:98:6e:d7:1c:d8:74:a3:c0:84:13:3d:7e:4d:af:9d:21: + 4f:ce:7d:a8:70:88:f6:b3:76:ca:72:ea:ff:7a:32:e0:4c:4a: + 3a:46:4d:fe:6b:94:4e:32:28:d6:c0:c3:37:6b:20:b1:79:cd: + e0:ee:cc:1e:ac:e2:a9:48:ad:7a:24:14:e2:a9:16:9a:93:a0: + da:a6:47:81:c7:dc:7c:d4:30:e9:6a:78:ab:ee:ce:77:98:57: + 71:1b:ed:51 +-----BEGIN CERTIFICATE----- +MIIEezCCA2OgAwIBAgIQe39TLXUJFY0KgRcPxnnUXTANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA1MDExMTIwMjdaFw0yNTA1MDExMTIw +MjdaMHQxCzAJBgNVBAYTAklUMR8wHQYDVQQIExZTb21lIFN0YXRlIG9yIFByb3Zp +bmNlMRIwEAYDVQQHEwlTb21ld2hlcmUxGjAYBgNVBAoTEVNvbWUgQ29tcGFueSBM +dGQuMRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAK7EbXE9RQovOdXcnQsRn27CCyZr6R2eoI1RSH8PCGP8+wF1aKHd +/KV7PMXCsvIVeiTNwPPVa1vYl52rAYAFBge8DYkwLfdPdTMSI/U1mqy9xIAfuuIX +6DoimQ8U+GgIOvyZ62eKY1f73h9kFbslke7CDjZ6yIj1NQm1qIPEjjL3msgFQLuB +bx/Jo7cZEvS3RLuLSlHeBcpUN/R68sBnD5IPhfS589Mz0VT1n1939u5IG1fZ+qxa +KD3+MqM3Hz4pEPFyJJAZhM9wMCE7v1vPo/DhChPNDWuwQqfkGmdxsklkRoEf0y6p +W/lGtn4Br6fLed6a+Qz4waVHHqfXewqCdZECAwEAAaOCATgwggE0MA4GA1UdDwEB +/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYE +FM2I1fuSMTsXoW/aH1XVof5W/g4hMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+ +B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNv 
+bWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2Et +aW5jLmNvbS9yb290MBMGA1UdIAQMMAowCAYGZ4EMAQICMC0GA1UdHwQmMCQwIqAg +oB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9jcmwwGQYDVR0RAQEABA8wDYIL +ZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAFkZz2ci1MfTn1e9fNJJ0Gox +hP48MQlaNlznYwwMaODvGPnGJE/AVdC5xmpjXPwdJyMVsVkvDHPR0RiYRgbBBco4 +FS0mfncyXraDcrrcMxVUa1jbwaFgRuzejtk7AN5vkPrDUlBtHN1G7TB3qK/RuULn +Kv9GncqxWrnTgRM3Skd7l+oV9sqaCyQx5KdsdNvlinvPfwC2niKQBn94+Xntce7w +8kcYmG7XHNh0o8CEEz1+Ta+dIU/OfahwiPazdspy6v96MuBMSjpGTf5rlE4yKNbA +wzdrILF5zeDuzB6s4qlIrXokFOKpFpqToNqmR4HH3HzUMOlqeKvuzneYV3Eb7VE= +-----END CERTIFICATE----- diff --git a/v3/testdata/cert_ext_invalid_der_ok_01.pem b/v3/testdata/cert_ext_invalid_der_ok_01.pem new file mode 100644 index 000000000..98c21b1c5 --- /dev/null +++ b/v3/testdata/cert_ext_invalid_der_ok_01.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 89:01:de:57:1b:88:8c:65:db:bc:b2:cd:b9:dd:9c:37 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: May 1 11:25:59 2024 GMT + Not After : May 1 11:25:59 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:eb:66:77:b4:a3:c1:71:4c:28:a6:7c:52:e3:cd: + d2:04:68:fa:cf:52:59:d5:af:7b:90:6e:7d:ce:51: + d7:39:f0:f1:42:c8:8b:bc:8d:d0:7b:bb:7f:a2:e0: + 3f:bf:af:58:e7:c5:f4:19:d3:36:2b:ba:95:17:2e: + 76:bf:4f:69:71:a6:0b:0a:ea:67:fd:80:fb:7b:9d: + ac:da:93:d2:96:eb:69:66:f8:cf:6c:c1:61:c4:6f: + 9d:6d:11:9f:68:1a:c0:ae:7d:79:60:89:f3:e0:3c: + 8d:6c:45:55:78:27:0b:e8:4c:81:13:72:7d:fa:f8: + bd:ba:87:db:99:e2:f4:87:c1:a2:a9:3f:fc:41:e1: + 4e:ca:92:67:11:18:23:ae:43:e9:e8:c4:2a:d4:22: + 40:03:1f:46:ec:c6:07:b1:aa:a7:9e:a4:ee:90:5b: + 22:af:bb:87:26:0b:5a:5e:6d:be:54:5d:b8:e6:99: + 9e:0c:a8:aa:74:b0:db:90:65:d4:7f:23:8c:12:e7: + b9:b6:57:90:3e:64:a2:ee:e0:46:79:f3:1c:97:be: + 1a:b3:77:5c:84:a5:5e:fd:fb:1e:0f:c6:2f:a3:0f: + bf:0f:30:bd:50:0a:35:7f:65:b6:05:d9:1d:82:a3: + 7c:d3:e5:f6:1b:bc:50:8d:8d:b6:67:f5:bb:17:bf: + 7f:57 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + C3:B8:E3:E7:7C:A5:AE:48:78:0D:4D:82:06:D1:28:88:B5:66:BB:E7 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + 
+ X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + b1:40:68:3c:5e:32:0d:40:a0:7a:28:3f:fa:83:69:e5:06:0c: + 25:7c:2f:71:8e:06:28:ff:e2:6d:be:5c:85:e5:e6:8b:77:0e: + 89:74:33:a0:f5:bd:b3:f5:2f:04:52:f1:08:66:75:0f:0f:78: + 64:6d:cc:94:36:e6:97:37:40:3f:4d:f2:73:59:66:01:fd:67: + da:12:23:99:dc:d4:fb:f9:f3:5e:39:42:a5:c7:4c:df:43:08: + 2b:8b:db:65:34:ad:2f:99:f8:d6:9d:3b:ef:63:16:12:54:ec: + 21:08:b9:0a:54:6c:0b:d0:4f:a2:7d:03:51:d3:6f:1f:6b:18: + e7:1b:59:81:25:a0:01:a3:ec:bf:62:ff:b8:39:ef:73:3f:df: + 5b:04:2b:a1:ab:f8:6c:2e:f7:f7:93:d7:f9:41:51:98:6e:bf: + 7c:3d:42:4c:34:32:26:ca:5d:60:dc:0f:fa:82:0e:35:fe:78: + da:94:73:be:07:51:13:8d:f2:51:6f:5b:67:e2:e7:e0:37:92: + 9c:8d:85:a2:c1:88:c2:dd:4f:83:c6:f4:ac:20:f5:e5:fb:6e: + 4d:ac:d5:8a:5b:23:65:5b:14:40:df:cf:57:20:fd:c4:9f:04: + 02:02:c8:71:b9:82:ef:90:b5:ea:49:f5:5f:0d:e1:e5:6b:a8: + f0:44:93:27 +-----BEGIN CERTIFICATE----- +MIIEeTCCA2GgAwIBAgIRAIkB3lcbiIxl27yyzbndnDcwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNTAxMTEyNTU5WhcNMjUwNTAxMTEy +NTU5WjB0MQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDrZne0o8FxTCimfFLjzdIEaPrPUlnVr3uQbn3OUdc58PFCyIu8 +jdB7u3+i4D+/r1jnxfQZ0zYrupUXLna/T2lxpgsK6mf9gPt7nazak9KW62lm+M9s +wWHEb51tEZ9oGsCufXlgifPgPI1sRVV4JwvoTIETcn36+L26h9uZ4vSHwaKpP/xB +4U7KkmcRGCOuQ+noxCrUIkADH0bsxgexqqeepO6QWyKvu4cmC1pebb5UXbjmmZ4M +qKp0sNuQZdR/I4wS57m2V5A+ZKLu4EZ58xyXvhqzd1yEpV79+x4Pxi+jD78PML1Q +CjV/ZbYF2R2Co3zT5fYbvFCNjbZn9bsXv39XAgMBAAGjggE1MIIBMTAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW +BBTDuOPnfKWuSHgNTYIG0SiItWa75zAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU +fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z 
+b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh +LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLm9yZzATBgNVHSAEDDAK +MAgGBmeBDAECAjAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWlu +Yy5jb20vY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCxQGg8XjINQKB6KD/6g2nlBgwl +fC9xjgYo/+JtvlyF5eaLdw6JdDOg9b2z9S8EUvEIZnUPD3hkbcyUNuaXN0A/TfJz +WWYB/WfaEiOZ3NT7+fNeOUKlx0zfQwgri9tlNK0vmfjWnTvvYxYSVOwhCLkKVGwL +0E+ifQNR028faxjnG1mBJaABo+y/Yv+4Oe9zP99bBCuhq/hsLvf3k9f5QVGYbr98 +PUJMNDImyl1g3A/6gg41/njalHO+B1ETjfJRb1tn4ufgN5KcjYWiwYjC3U+DxvSs +IPXl+25NrNWKWyNlWxRA389XIP3EnwQCAshxuYLvkLXqSfVfDeHla6jwRJMn +-----END CERTIFICATE----- From c73f78bfa648887dffe592f02fd6519b514fbb36 Mon Sep 17 00:00:00 2001 
From: Adriano Santoni Date: Sun, 19 May 2024 19:09:17 +0200 Subject: [PATCH 2/4] Add lint to check that precertificates do not contain an SCT list (#841) * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Update lint_invalid_subject_rdn_order_test.go Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment * Update lint_invalid_subject_rdn_order.go Fixed import block * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go Fine to me. Co-authored-by: Christopher Henderson * Update lint_invalid_subject_rdn_order.go As per Chris Henderson's suggestion, to "improve readability". * Update lint_invalid_subject_rdn_order_test.go As per Chris Henderson's suggestion. * Update time.go Added CABFEV_Sec9_2_8_Date * Add files via upload * Add files via upload * Revised according to Chris and Corey suggestions * Add files via upload * Add files via upload * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go * Delete v3/testdata/invalid_cps_uri_ko_01.pem * Delete v3/testdata/invalid_cps_uri_ko_02.pem * Delete v3/testdata/invalid_cps_uri_ko_03.pem * Delete v3/testdata/invalid_cps_uri_ok_01.pem * Delete v3/testdata/invalid_cps_uri_ok_02.pem * Delete v3/testdata/invalid_cps_uri_ok_03.pem * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Update lint_precert_with_sct_list.go * Update source.go As per Chris' request * Update source.go * Update registration_test.go * Update registration_test.go --------- Co-authored-by: Christopher Henderson --- v3/lint/registration_test.go | 11 ++ v3/lint/source.go | 5 +- v3/lints/rfc/lint_precert_with_sct_list.go | 59 ++++++++ .../rfc/lint_precert_with_sct_list_test.go | 60 ++++++++ v3/testdata/precert_with_sct_list_ko.pem | 133 ++++++++++++++++++ v3/testdata/precert_with_sct_list_na1.pem | 100 +++++++++++++ v3/testdata/precert_with_sct_list_na2.pem | 131 
+++++++++++++++++ v3/testdata/precert_with_sct_list_ok.pem | 99 +++++++++++++ v3/util/time.go | 1 + 9 files changed, 598 insertions(+), 1 deletion(-) create mode 100644 v3/lints/rfc/lint_precert_with_sct_list.go create mode 100644 v3/lints/rfc/lint_precert_with_sct_list_test.go create mode 100644 v3/testdata/precert_with_sct_list_ko.pem create mode 100644 v3/testdata/precert_with_sct_list_na1.pem create mode 100644 v3/testdata/precert_with_sct_list_na2.pem create mode 100644 v3/testdata/precert_with_sct_list_ok.pem diff --git a/v3/lint/registration_test.go b/v3/lint/registration_test.go index e8aee5e79..c23240ede 100644 --- a/v3/lint/registration_test.go +++ b/v3/lint/registration_test.go @@ -131,6 +131,17 @@ func TestRegister(t *testing.T) { expectNames: []string{"goodLint", egLint.Name}, expectSources: SourceList{egLint.Source, MozillaRootStorePolicy}, }, + { + name: "new lint source category", + lint: &Lint{ + Name: "sct", + Lint: func() LintInterface { return &mockLint{} }, + Source: RFC6962, + }, + registry: dupeReg, + expectNames: []string{"goodLint", egLint.Name, "sct"}, + expectSources: SourceList{egLint.Source, MozillaRootStorePolicy, RFC6962}, + }, } for _, tc := range testCases { diff --git a/v3/lint/source.go b/v3/lint/source.go index 2486cb0a9..48ad2be5f 100644 --- a/v3/lint/source.go +++ b/v3/lint/source.go @@ -32,6 +32,7 @@ const ( RFC5280 LintSource = "RFC5280" RFC5480 LintSource = "RFC5480" RFC5891 LintSource = "RFC5891" + RFC6962 LintSource = "RFC6962" RFC8813 LintSource = "RFC8813" CABFBaselineRequirements LintSource = "CABF_BR" CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR" 
@@ -51,7 +52,7 @@ func (s *LintSource) UnmarshalJSON(data []byte) error { } switch LintSource(throwAway) { - case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi: + case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi, RFC6962: *s = LintSource(throwAway) return nil default: @@ -87,6 +88,8 @@ func (s *LintSource) FromString(src string) { *s = AppleRootStorePolicy case Community: *s = Community + case RFC6962: + *s = RFC6962 case EtsiEsi: *s = EtsiEsi } diff --git a/v3/lints/rfc/lint_precert_with_sct_list.go b/v3/lints/rfc/lint_precert_with_sct_list.go new file mode 100644 index 000000000..a84b7a417 --- /dev/null +++ b/v3/lints/rfc/lint_precert_with_sct_list.go 
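Review bot: The new `RFC6962` case is appended after `EtsiEsi` in `UnmarshalJSON` but inserted between `Community` and `EtsiEsi` in `FromString`, while the constant block keeps it with the other RFCs in numeric order. Placing it after `RFC5891` in both switches — `case RFC5280, RFC5480, RFC5891, RFC6962, CABFBaselineRequirements, …:` and a `case RFC6962:` arm directly after the `RFC5891` one — keeps the three lists parallel, which is what makes a source missing from one of them easy to spot the next time one is added. Both functions start outside the hunk.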
@@ -0,0 +1,59 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_precert_with_sct_list",
+ Description: "SCTs must be embedded in the final certificate, not in a precertificate",
+ Citation: "RFC 6962 ยง3.3",
+ Source: lint.RFC6962,
+ EffectiveDate: util.RFC6962Date,
+ },
+ Lint: NewPreCertWithSCTList,
+ })
+}
+
+type preCertWithSCTList struct{}
+
+func NewPreCertWithSCTList() lint.LintInterface {
+ return &preCertWithSCTList{}
+}
+
+func (l *preCertWithSCTList) CheckApplies(c *x509.Certificate) bool {
+ return util.IsExtInCert(c, util.CtPoisonOID)
+}
+
+func (l *preCertWithSCTList) Execute(c *x509.Certificate) *lint.LintResult {
+ if util.IsExtInCert(c, util.TimestampOID) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Precertificates must not contain the SignedCertificateTimestampList extension",
+ }
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/v3/lints/rfc/lint_precert_with_sct_list_test.go b/v3/lints/rfc/lint_precert_with_sct_list_test.go
new file mode 100644
index 000000000..7bbe7666d
--- /dev/null
+++ b/v3/lints/rfc/lint_precert_with_sct_list_test.go
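Review bot: `Citation: "RFC 6962 ยง3.3"` carries a mis-encoded section sign — it renders here as `ยง` rather than `§` — and since this string is emitted verbatim in lint output and generated documentation it should read `"RFC 6962 §3.3"` (or whatever plain form the other lints in this package use); worth checking in the file itself in case the corruption is only in this rendering of the patch. Execute's `} else {` after a returning `if` is unidiomatic Go: drop the `else` and leave `return &lint.LintResult{Status: lint.Pass}` as the function's last statement. `EffectiveDate: util.RFC6962Date` depends on the one-line `v3/util/time.go` addition listed in the diffstat, which is not shown here, so I cannot confirm the date it carries.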
@@ -0,0 +1,60 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package rfc
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestPreCertWithSCTList(t *testing.T) {
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+ data := []Data{
+ {
+ // Final certificate
+ input: "precert_with_sct_list_na1.pem",
+ want: lint.NA,
+ },
+ {
+ // Final certificate with SCTs
+ input: "precert_with_sct_list_na2.pem",
+ want: lint.NA,
+ },
+ {
+ // Precertificate
+ input: "precert_with_sct_list_ok.pem",
+ want: lint.Pass,
+ },
+ {
+ // Precertificate with SCTs
+ input: "precert_with_sct_list_ko.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_precert_with_sct_list", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
diff --git a/v3/testdata/precert_with_sct_list_ko.pem b/v3/testdata/precert_with_sct_list_ko.pem
new file mode 100644
index 000000000..8ba08dc6e
--- /dev/null
+++ b/v3/testdata/precert_with_sct_list_ko.pem
@@ -0,0 +1,133 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 79:87:e8:bf:16:ea:82:3a:01:6e:32:50:14:4d:5d:c6 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: May 11 08:45:35 2024 GMT + Not After : May 11 08:45:35 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a5:b6:9d:98:44:d5:88:04:a6:04:7b:bc:27:12: + 1d:e3:28:59:71:12:25:02:ce:c9:42:8b:10:54:2c: + c8:75:83:d5:a1:4c:22:79:97:40:24:e8:8b:29:d4: + b4:1f:0d:26:d2:e2:b0:51:48:36:95:72:de:c3:29: + e8:a4:3e:e7:f4:a8:08:0e:ae:b0:ce:66:9e:11:27: + fb:c0:4c:7f:58:0e:89:a0:8c:d8:4c:be:97:2b:10: + af:ab:73:37:90:64:69:36:7e:7c:95:ce:05:f6:3d: + 58:92:53:c5:4d:e0:36:54:9a:84:78:0f:35:cc:c2: + 80:02:51:c3:42:9b:14:0a:eb:b7:9e:76:04:88:d6: + 63:81:d7:7f:0d:d8:4c:4d:0b:86:0a:4e:1b:f0:9e: + c1:66:87:c5:ec:b6:cc:8f:2c:ba:d3:d6:0c:97:35: + 68:ed:39:5d:87:65:f1:47:64:2b:bc:68:47:68:f5: + ca:c3:82:3b:17:69:72:02:5e:68:b6:19:eb:ef:08: + 5c:f0:f5:14:0d:2f:ac:c6:b5:86:98:a4:e4:0f:b4: + df:7b:fe:12:a4:22:28:75:4e:21:5b:92:df:66:f2: + 6f:81:1a:4c:e4:25:2b:7c:4c:d7:1e:48:44:e3:c0: + 5a:74:5b:6a:6c:7c:14:5b:0c:b3:59:66:3a:97:d8: + e7:09 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + EA:73:3B:62:41:EA:D3:BE:6B:10:6E:5E:C9:03:5C:A9:A4:93:9E:E4 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 
+ + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + CT Precertificate SCTs: + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C: + 5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99 + Timestamp : Feb 16 23:48:16.194 2023 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:45:02:20:71:A9:CF:F3:7B:85:D8:FB:AE:8E:E6:51: + 9A:73:1B:43:55:80:37:02:5D:81:4E:D9:57:B4:30:92: + D3:2E:F0:0C:02:21:00:C0:F3:25:A9:38:F0:D2:29:89: + B6:9E:74:05:43:33:E0:3B:EB:16:8B:E8:F1:F2:35:C2: + C8:87:FE:50:5A:44:2B + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A: + B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A + Timestamp : Feb 16 23:48:16.223 2023 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:45:02:20:5A:59:95:CA:3D:67:45:EC:6F:D8:5C:E2: + A1:0D:C7:68:CC:BF:C2:29:9B:64:DF:B4:19:0A:79:8D: + F6:EA:9C:22:02:21:00:CC:FA:2B:B0:25:0D:1B:17:D6: + 41:91:52:7C:D5:AF:B1:C9:35:FC:CC:2A:A6:8B:CC:66: + 06:DD:5A:2A:C2:A5:86 + CT Precertificate Poison: critical + NULL + Signature Algorithm: sha256WithRSAEncryption + a1:76:ff:56:01:8f:5b:dd:c2:42:61:eb:5a:d3:70:3a:d4:b4: + 12:b0:30:2a:43:d5:96:34:d5:a4:ad:a8:8d:e5:1c:88:ef:12: + 93:00:b0:e4:03:71:ed:c2:9e:71:84:d9:52:2d:7e:1d:0a:44: + 73:d3:14:f8:02:2e:f9:f7:c4:09:fe:bd:45:e6:9d:23:33:c1: + 1e:73:f8:5e:be:e8:65:16:94:8c:4b:db:17:75:80:a5:b6:a7: + 8c:d6:6c:66:90:5c:37:08:bc:e1:15:b4:1b:ff:c6:d6:4d:91: + 2d:30:5d:32:ea:51:86:e3:5c:cd:b5:38:2a:f9:1f:6f:e5:24: + ca:ae:6b:b1:48:cf:4c:f4:ae:e3:54:b9:b8:b4:c4:2b:0d:73: + e0:98:f5:ce:cd:0a:34:f5:cb:f1:fa:d9:a5:5b:c0:d1:b1:e9: + 64:14:fd:b5:1b:1b:1a:2e:bc:1f:8b:52:b4:a4:ba:ea:27:03: + a1:e3:f8:0b:f3:9f:71:09:87:32:0a:c8:d7:a9:dd:cf:21:eb: + 25:e9:76:88:5f:4a:e1:53:aa:25:5b:72:f0:8e:9d:35:41:ee: + 34:90:8a:e0:0c:e0:ee:0d:d7:46:4c:25:0d:12:a4:05:8d:c8: + d8:4c:d9:7a:bd:eb:86:2d:ed:01:bb:1b:cb:7e:06:12:77:ed: + 00:b9:54:84 +-----BEGIN 
CERTIFICATE----- +MIIFlTCCBH2gAwIBAgIQeYfovxbqgjoBbjJQFE1dxjANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA1MTEwODQ1MzVaFw0yNTA1MTEwODQ1 +MzVaMHQxCzAJBgNVBAYTAklUMR8wHQYDVQQIExZTb21lIFN0YXRlIG9yIFByb3Zp +bmNlMRIwEAYDVQQHEwlTb21ld2hlcmUxGjAYBgNVBAoTEVNvbWUgQ29tcGFueSBM +dGQuMRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKW2nZhE1YgEpgR7vCcSHeMoWXESJQLOyUKLEFQsyHWD1aFMInmX +QCToiynUtB8NJtLisFFINpVy3sMp6KQ+5/SoCA6usM5mnhEn+8BMf1gOiaCM2Ey+ +lysQr6tzN5BkaTZ+fJXOBfY9WJJTxU3gNlSahHgPNczCgAJRw0KbFArrt552BIjW +Y4HXfw3YTE0LhgpOG/CewWaHxey2zI8sutPWDJc1aO05XYdl8UdkK7xoR2j1ysOC +OxdpcgJeaLYZ6+8IXPD1FA0vrMa1hpik5A+033v+EqQiKHVOIVuS32byb4EaTOQl +K3xM1x5IROPAWnRbamx8FFsMs1lmOpfY5wkCAwEAAaOCAlIwggJOMA4GA1UdDwEB +/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYE +FOpzO2JB6tO+axBuXskDXKmkk57kMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+ +B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNv +bWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2Et +aW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBMGA1UdIAQMMAow +CAYGZ4EMAQICMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5j +LmNvbS9jcmwwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgC3Pvsk35xNunXyOcW6 +WPRsXfxCz3qfNcSeHQmBJe20mQAAAYZcoO7CAAAEAwBHMEUCIHGpz/N7hdj7ro7m +UZpzG0NVgDcCXYFO2Ve0MJLTLvAMAiEAwPMlqTjw0imJtp50BUMz4DvrFovo8fI1 +wsiH/lBaRCsAdgCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAYZc +oO7fAAAEAwBHMEUCIFpZlco9Z0Xsb9hc4qENx2jMv8Ipm2TftBkKeY326pwiAiEA +zPorsCUNGxfWQZFSfNWvsck1/MwqpovMZgbdWirCpYYwEwYKKwYBBAHWeQIEAwEB +/wQCBQAwDQYJKoZIhvcNAQELBQADggEBAKF2/1YBj1vdwkJh61rTcDrUtBKwMCpD +1ZY01aStqI3lHIjvEpMAsOQDce3CnnGE2VItfh0KRHPTFPgCLvn3xAn+vUXmnSMz +wR5z+F6+6GUWlIxL2xd1gKW2p4zWbGaQXDcIvOEVtBv/xtZNkS0wXTLqUYbjXM21 +OCr5H2/lJMqua7FIz0z0ruNUubi0xCsNc+CY9c7NCjT1y/H62aVbwNGx6WQU/bUb +GxouvB+LUrSkuuonA6Hj+Avzn3EJhzIKyNep3c8h6yXpdohfSuFTqiVbcvCOnTVB +7jSQiuAM4O4N10ZMJQ0SpAWNyNhM2Xq964Yt7QG7G8t+BhJ37QC5VIQ= +-----END 
CERTIFICATE----- diff --git a/v3/testdata/precert_with_sct_list_na1.pem b/v3/testdata/precert_with_sct_list_na1.pem new file mode 100644 index 000000000..75f044d5a --- /dev/null +++ b/v3/testdata/precert_with_sct_list_na1.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 43:1f:cd:15:f2:6a:a3:07:2b:58:c1:bb:7d:26:fa:21 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: May 11 08:32:10 2024 GMT + Not After : May 11 08:32:10 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ca:c8:38:9d:32:a0:45:f8:4b:02:8a:b3:eb:61: + 6d:40:94:84:4e:3f:64:37:da:a3:46:d6:81:38:82: + e9:4e:8a:81:5d:0f:f4:2e:a1:27:b9:04:90:a6:ec: + c8:3e:8c:a2:9e:63:91:bb:d6:17:1e:00:70:49:ef: + 09:24:d8:49:9a:ee:1a:50:75:f7:fe:ef:f9:ac:e2: + ca:71:ce:3b:65:5b:df:87:b2:9c:34:1c:fe:65:15: + 13:34:d3:59:e5:d5:c7:7c:c4:79:4c:60:66:03:e8: + 8c:d1:13:e5:0f:67:25:5b:ed:5b:5e:ae:f4:0c:f4: + 7c:69:b1:56:4c:bd:35:ee:c4:04:a1:da:e6:54:38: + 9a:fa:7a:51:25:b0:44:7c:af:97:d1:bc:b3:fd:0f: + 6d:1d:17:a1:e1:37:dd:b5:f4:da:51:04:88:de:70: + 87:28:e5:79:cf:f5:17:d0:34:3d:80:2c:26:34:df: + 3c:a4:2f:1b:3e:54:d2:7f:75:6a:0c:75:0f:e8:f2: + 78:43:1a:2d:95:1d:27:79:f1:b9:72:13:11:70:a9: + 6b:18:d1:2d:68:e8:56:87:27:73:30:d8:d0:d7:98: + 3e:5b:59:7b:e1:c9:07:7e:1f:14:19:30:4f:bf:ab: + 35:b7:ff:dd:d6:c0:cf:7f:1b:e2:c1:65:39:65:b0: + 7b:03 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 42:F2:68:19:47:A4:C3:DF:A4:01:80:1F:81:36:64:E1:F7:CB:53:7F + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 
+ + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 85:eb:bf:69:d4:c2:44:fa:d8:ee:48:9e:df:7e:83:cd:19:66: + 46:20:d0:15:fc:f8:15:f6:c1:55:52:e2:d5:83:24:60:d7:aa: + 7a:19:87:a7:f3:a1:f7:98:64:b3:3a:b7:23:21:5a:82:34:16: + 97:a2:7b:d0:e8:68:2c:c1:f0:4a:8e:61:7e:5d:70:ec:d5:e7: + c3:25:ac:09:31:bf:77:8a:57:1a:f8:23:be:dd:9c:bb:91:9d: + e5:30:8d:8a:03:74:2d:1e:2f:8e:19:f2:d0:79:69:1c:c1:01: + 2c:bb:46:5c:56:12:1c:00:21:69:75:3f:46:ab:b2:38:e4:93: + ab:d3:91:86:0f:1b:0c:e3:eb:21:0b:97:52:ec:64:7e:48:40: + 36:b3:d8:b4:d8:17:a1:88:b8:30:2c:db:45:86:ab:fb:5c:bc: + 72:32:20:59:22:b3:a6:68:af:a8:df:b7:97:9f:9e:50:39:cc: + ca:63:74:49:92:83:16:6f:ed:fc:60:f5:91:e5:6e:41:62:0a: + c0:7b:56:a6:03:ea:82:06:03:97:2a:d6:e5:ae:ec:10:ac:9f: + c4:63:63:08:64:02:85:e7:fe:0a:58:fc:ca:2f:b9:73:5c:34: + 6b:b6:a7:31:a7:7c:4d:70:2a:37:70:d8:c8:0d:37:bf:f9:78: + 9d:5c:43:43 +-----BEGIN CERTIFICATE----- +MIIEeDCCA2CgAwIBAgIQQx/NFfJqowcrWMG7fSb6ITANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA1MTEwODMyMTBaFw0yNTA1MTEwODMy +MTBaMHQxCzAJBgNVBAYTAklUMR8wHQYDVQQIExZTb21lIFN0YXRlIG9yIFByb3Zp +bmNlMRIwEAYDVQQHEwlTb21ld2hlcmUxGjAYBgNVBAoTEVNvbWUgQ29tcGFueSBM +dGQuMRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMrIOJ0yoEX4SwKKs+thbUCUhE4/ZDfao0bWgTiC6U6KgV0P9C6h +J7kEkKbsyD6Mop5jkbvWFx4AcEnvCSTYSZruGlB19/7v+aziynHOO2Vb34eynDQc +/mUVEzTTWeXVx3zEeUxgZgPojNET5Q9nJVvtW16u9Az0fGmxVky9Ne7EBKHa5lQ4 +mvp6USWwRHyvl9G8s/0PbR0XoeE33bX02lEEiN5whyjlec/1F9A0PYAsJjTfPKQv +Gz5U0n91agx1D+jyeEMaLZUdJ3nxuXITEXCpaxjRLWjoVocnczDY0NeYPltZe+HJ +B34fFBkwT7+rNbf/3dbAz38b4sFlOWWwewMCAwEAAaOCATUwggExMA4GA1UdDwEB +/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYE +FELyaBlHpMPfpAGAH4E2ZOH3y1N/MB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+ +B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNv 
+bWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2Et +aW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBMGA1UdIAQMMAow +CAYGZ4EMAQICMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5j +LmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggEBAIXrv2nUwkT62O5Int9+g80ZZkYg +0BX8+BX2wVVS4tWDJGDXqnoZh6fzofeYZLM6tyMhWoI0Fpeie9DoaCzB8EqOYX5d +cOzV58MlrAkxv3eKVxr4I77dnLuRneUwjYoDdC0eL44Z8tB5aRzBASy7RlxWEhwA +IWl1P0arsjjkk6vTkYYPGwzj6yELl1LsZH5IQDaz2LTYF6GIuDAs20WGq/tcvHIy +IFkis6Zor6jft5efnlA5zMpjdEmSgxZv7fxg9ZHlbkFiCsB7VqYD6oIGA5cq1uWu +7BCsn8RjYwhkAoXn/gpY/MovuXNcNGu2pzGnfE1wKjdw2MgNN7/5eJ1cQ0M= +-----END CERTIFICATE----- diff --git a/v3/testdata/precert_with_sct_list_na2.pem b/v3/testdata/precert_with_sct_list_na2.pem new file mode 100644 index 000000000..400a627bc --- /dev/null +++ b/v3/testdata/precert_with_sct_list_na2.pem 
@@ -0,0 +1,131 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 84:97:14:6f:b4:6f:b1:bd:05:33:3d:db:d2:d0:2a:cc + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: May 11 08:39:52 2024 GMT + Not After : May 11 08:39:52 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ca:90:1a:5a:62:87:2a:d1:c2:a0:6b:85:54:18: + f4:77:48:9f:42:56:34:4b:74:c6:59:6d:46:bc:29: + 2c:28:49:03:37:c0:e3:79:af:0f:f8:bd:a3:19:a1: + 76:6d:00:d5:df:70:66:1c:86:22:99:56:85:dc:72: + 2e:7a:32:2b:d4:38:cd:a5:c4:bc:19:a7:02:dd:03: + d4:ba:50:c8:2d:79:32:de:5e:dc:3b:8b:41:ae:c9: + cd:cb:f0:c7:5b:28:3b:76:02:99:46:67:1f:9a:68: + 5f:b3:ca:9a:88:85:53:54:9b:cf:e2:b8:c2:76:ee: + bc:63:9b:55:06:b1:5e:5b:8a:0b:f8:a9:7e:63:78: + 5d:1d:89:d1:fa:dc:f9:23:10:5f:1a:be:c3:e3:0d: + 17:a0:e8:45:7b:06:28:65:b0:ef:27:2b:c7:11:7b: + ef:2f:1f:e2:9a:61:c6:7d:da:aa:45:da:b7:16:35: + d0:ec:e4:7d:f4:bd:ed:60:c0:ce:e4:86:45:11:ec: + bb:b4:c0:49:71:b9:1a:e2:8a:6f:f2:0f:15:d9:bd: + e4:14:a3:f2:c2:49:cb:7e:97:7e:9a:5e:7b:a0:dd: + f2:96:32:57:60:57:5a:52:52:3e:11:9f:3d:c2:5a: + fc:96:9f:ea:a2:92:fb:c2:b8:ae:9f:dd:73:31:18: + 42:73 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 88:DB:B7:FC:9D:FF:6C:80:D4:46:49:DA:7A:46:8F:3F:5F:C3:30:37 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 
+ + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + CT Precertificate SCTs: + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C: + 5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99 + Timestamp : Feb 16 23:48:16.194 2023 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:45:02:20:71:A9:CF:F3:7B:85:D8:FB:AE:8E:E6:51: + 9A:73:1B:43:55:80:37:02:5D:81:4E:D9:57:B4:30:92: + D3:2E:F0:0C:02:21:00:C0:F3:25:A9:38:F0:D2:29:89: + B6:9E:74:05:43:33:E0:3B:EB:16:8B:E8:F1:F2:35:C2: + C8:87:FE:50:5A:44:2B + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A: + B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A + Timestamp : Feb 16 23:48:16.223 2023 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:45:02:20:5A:59:95:CA:3D:67:45:EC:6F:D8:5C:E2: + A1:0D:C7:68:CC:BF:C2:29:9B:64:DF:B4:19:0A:79:8D: + F6:EA:9C:22:02:21:00:CC:FA:2B:B0:25:0D:1B:17:D6: + 41:91:52:7C:D5:AF:B1:C9:35:FC:CC:2A:A6:8B:CC:66: + 06:DD:5A:2A:C2:A5:86 + Signature Algorithm: sha256WithRSAEncryption + c4:3e:6e:d0:27:e4:4e:92:f1:df:d5:21:c7:41:42:e8:8f:15: + ae:dc:50:4b:e7:00:bb:0b:c4:e4:93:6b:3b:84:d3:78:24:fa: + 01:d1:ec:51:14:54:c5:3a:ee:48:2a:27:ba:66:bc:24:f8:08: + cd:12:e4:6e:58:7f:03:da:14:4e:20:67:79:77:3c:4b:94:ce: + 8d:64:99:8d:9a:7b:61:8b:aa:e3:7c:6c:65:ab:e2:0d:ff:3c: + 03:9a:e0:17:ca:6a:29:f0:77:1e:66:ff:3f:23:be:08:33:2e: + 2b:57:6b:35:c4:ea:50:ae:3f:b1:cb:04:4f:5e:ad:6b:01:73: + 0f:25:f0:9b:d6:46:8b:48:f8:09:4f:2d:f9:ae:9e:e7:49:3a: + e6:76:68:89:37:23:38:0a:e8:cc:56:b2:1f:a9:2c:98:ff:76: + 40:ef:ef:dc:73:58:f3:d2:e6:71:2b:8d:9a:2b:ec:6b:1d:1b: + 22:be:65:23:33:f1:04:28:01:c6:9b:82:7e:e1:7f:3f:25:88: + e5:b7:86:a7:39:8b:8d:9e:04:a3:da:8e:45:52:6d:05:5a:dc: + 33:af:fb:fd:1e:5e:51:d8:3e:b6:a8:a7:a6:ef:a9:67:65:8b: + d0:2d:cd:28:51:c2:30:89:ee:09:ef:23:3d:6b:0a:83:8d:df: + ff:68:bc:c9 +-----BEGIN CERTIFICATE----- 
+MIIFgTCCBGmgAwIBAgIRAISXFG+0b7G9BTM929LQKswwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNTExMDgzOTUyWhcNMjUwNTExMDgz +OTUyWjB0MQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDKkBpaYocq0cKga4VUGPR3SJ9CVjRLdMZZbUa8KSwoSQM3wON5 +rw/4vaMZoXZtANXfcGYchiKZVoXcci56MivUOM2lxLwZpwLdA9S6UMgteTLeXtw7 +i0Guyc3L8MdbKDt2AplGZx+aaF+zypqIhVNUm8/iuMJ27rxjm1UGsV5bigv4qX5j +eF0didH63PkjEF8avsPjDReg6EV7BihlsO8nK8cRe+8vH+KaYcZ92qpF2rcWNdDs +5H30ve1gwM7khkUR7Lu0wElxuRriim/yDxXZveQUo/LCSct+l36aXnug3fKWMldg +V1pSUj4Rnz3CWvyWn+qikvvCuK6f3XMxGEJzAgMBAAGjggI9MIICOTAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW +BBSI27f8nf9sgNRGSdp6Ro8/X8MwNzAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU +fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh +LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLm9yZzATBgNVHSAEDDAK +MAgGBmeBDAECAjAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWlu +Yy5jb20vY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAtz77JN+cTbp18jnF +ulj0bF38Qs96nzXEnh0JgSXttJkAAAGGXKDuwgAABAMARzBFAiBxqc/ze4XY+66O +5lGacxtDVYA3Al2BTtlXtDCS0y7wDAIhAMDzJak48NIpibaedAVDM+A76xaL6PHy +NcLIh/5QWkQrAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGG +XKDu3wAABAMARzBFAiBaWZXKPWdF7G/YXOKhDcdozL/CKZtk37QZCnmN9uqcIgIh +AMz6K7AlDRsX1kGRUnzVr7HJNfzMKqaLzGYG3VoqwqWGMA0GCSqGSIb3DQEBCwUA +A4IBAQDEPm7QJ+ROkvHf1SHHQULojxWu3FBL5wC7C8Tkk2s7hNN4JPoB0exRFFTF +Ou5IKie6Zrwk+AjNEuRuWH8D2hROIGd5dzxLlM6NZJmNmnthi6rjfGxlq+IN/zwD +muAXymop8HceZv8/I74IMy4rV2s1xOpQrj+xywRPXq1rAXMPJfCb1kaLSPgJTy35 +rp7nSTrmdmiJNyM4CujMVrIfqSyY/3ZA7+/cc1jz0uZxK42aK+xrHRsivmUjM/EE +KAHGm4J+4X8/JYjlt4anOYuNngSj2o5FUm0FWtwzr/v9Hl5R2D62qKem76lnZYvQ +Lc0oUcIwie4J7yM9awqDjd//aLzJ +-----END CERTIFICATE----- 
diff --git a/v3/testdata/precert_with_sct_list_ok.pem b/v3/testdata/precert_with_sct_list_ok.pem new file mode 100644 index 000000000..f9de99cf0 --- /dev/null +++ b/v3/testdata/precert_with_sct_list_ok.pem 
@@ -0,0 +1,99 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 60:dd:ee:ef:f2:f4:28:42:35:aa:89:b3:53:7a:3a:1f + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: May 11 08:42:16 2024 GMT + Not After : May 11 08:42:16 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ce:f4:81:cf:15:e3:4e:f5:38:b0:4a:b9:a2:8b: + 65:d3:d8:5f:ca:b0:37:52:d3:58:11:97:7c:06:50: + 69:47:45:a0:96:05:1e:a0:17:91:af:7f:5d:d3:ac: + ae:d2:15:40:20:84:df:06:92:f1:70:cb:0f:84:e0: + 1e:70:96:d6:99:5e:8c:a1:96:84:b0:17:e2:88:30: + aa:d3:13:e9:68:25:fc:cc:24:74:30:c1:c1:6e:d7: + 81:d0:98:20:27:d5:43:b3:55:fb:f2:52:98:1a:99: + bb:5a:df:15:85:82:10:e7:e0:a6:a3:d4:46:0d:b1: + fb:01:32:9c:a9:ab:b1:45:22:c5:42:42:b2:ef:96: + ee:3a:30:01:09:53:64:28:ca:58:37:b9:16:86:76: + ac:c7:ea:97:e4:3c:67:32:01:8b:38:39:5f:ba:57: + 5d:07:ac:17:56:07:91:b9:da:53:a7:cb:eb:6e:0f: + ce:1e:d4:00:82:5d:b8:e1:8b:7f:4a:af:4f:36:c3: + 12:37:7d:ae:97:77:77:99:f2:15:6f:eb:59:b3:f3: + 2b:b4:c0:cb:11:76:e8:0c:83:71:85:51:6e:20:60: + 04:19:a9:28:17:d3:64:f3:c3:9a:52:2a:b3:98:ea: + ba:22:90:d6:23:7e:06:ae:44:90:b0:f1:01:e5:3b: + 69:2d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + EA:B1:D9:0C:E6:0A:3C:0E:3F:19:69:5B:8F:C6:37:E9:6F:35:54:5B + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 CRL Distribution Points: + + Full Name: + 
URI:http://ca.someca-inc.com/crl + + CT Precertificate Poison: critical + NULL + Signature Algorithm: sha256WithRSAEncryption + 26:aa:fb:03:8e:5b:01:26:2c:7d:75:8b:d3:9c:b4:98:cd:0c: + 30:52:d7:82:9a:61:b0:5f:4c:8a:6e:c0:36:2d:27:64:16:7a: + 3e:e8:e8:d5:39:a2:7c:d8:6f:55:0c:fd:28:b9:64:21:20:95: + a8:b8:e0:dd:93:d3:7f:aa:22:97:e3:da:88:a3:9d:7d:50:6b: + aa:3e:5a:0a:98:29:fb:32:d3:30:35:0f:6b:67:bb:51:d0:bd: + 0b:38:70:cb:4c:88:f3:72:40:da:7b:5b:f0:a6:eb:e6:7a:31: + 6d:75:46:4e:b5:af:3d:fd:66:a4:2d:dc:c3:14:02:b7:02:52: + f6:46:4b:d8:72:44:7d:f1:e2:d1:d4:a9:3b:e1:88:1a:d0:87: + 90:a9:db:c9:cf:06:f1:eb:f2:9f:b3:7a:53:4c:c2:5a:d8:49: + ec:3f:d8:d9:49:f0:5f:0e:3c:0a:72:e3:1a:9d:b8:5a:a6:1e: + 3d:93:04:90:5d:a4:53:b9:05:41:a6:81:85:23:3a:85:8e:04: + 8f:01:49:de:59:93:01:a2:da:9b:e5:3b:50:d0:8e:16:fd:d3: + 82:91:82:b3:65:55:a2:4a:41:f2:72:b0:57:42:54:64:fe:40: + 50:da:59:32:a1:46:24:5c:5d:2c:49:e8:85:3b:d8:c5:d3:21: + 1f:8a:6d:38 +-----BEGIN CERTIFICATE----- +MIIEeDCCA2CgAwIBAgIQYN3u7/L0KEI1qomzU3o6HzANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA1MTEwODQyMTZaFw0yNTA1MTEwODQy +MTZaMHQxCzAJBgNVBAYTAklUMR8wHQYDVQQIExZTb21lIFN0YXRlIG9yIFByb3Zp +bmNlMRIwEAYDVQQHEwlTb21ld2hlcmUxGjAYBgNVBAoTEVNvbWUgQ29tcGFueSBM +dGQuMRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAM70gc8V4071OLBKuaKLZdPYX8qwN1LTWBGXfAZQaUdFoJYFHqAX +ka9/XdOsrtIVQCCE3waS8XDLD4TgHnCW1plejKGWhLAX4ogwqtMT6Wgl/MwkdDDB +wW7XgdCYICfVQ7NV+/JSmBqZu1rfFYWCEOfgpqPURg2x+wEynKmrsUUixUJCsu+W +7jowAQlTZCjKWDe5FoZ2rMfql+Q8ZzIBizg5X7pXXQesF1YHkbnaU6fL624Pzh7U +AIJduOGLf0qvTzbDEjd9rpd3d5nyFW/rWbPzK7TAyxF26AyDcYVRbiBgBBmpKBfT +ZPPDmlIqs5jquiKQ1iN+Bq5EkLDxAeU7aS0CAwEAAaOCATUwggExMA4GA1UdDwEB +/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYE +FOqx2QzmCjwOPxlpW4/GN+lvNVRbMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+ +B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNv 
+bWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2Et +aW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMC0GA1UdHwQmMCQw +IqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9jcmwwEwYKKwYBBAHWeQIE +AwEB/wQCBQAwDQYJKoZIhvcNAQELBQADggEBACaq+wOOWwEmLH11i9OctJjNDDBS +14KaYbBfTIpuwDYtJ2QWej7o6NU5onzYb1UM/Si5ZCEglai44N2T03+qIpfj2oij +nX1Qa6o+WgqYKfsy0zA1D2tnu1HQvQs4cMtMiPNyQNp7W/Cm6+Z6MW11Rk61rz39 +ZqQt3MMUArcCUvZGS9hyRH3x4tHUqTvhiBrQh5Cp28nPBvHr8p+zelNMwlrYSew/ +2NlJ8F8OPApy4xqduFqmHj2TBJBdpFO5BUGmgYUjOoWOBI8BSd5ZkwGi2pvlO1DQ +jhb904KRgrNlVaJKQfJysFdCVGT+QFDaWTKhRiRcXSxJ6IU72MXTIR+KbTg= +-----END CERTIFICATE----- diff --git a/v3/util/time.go b/v3/util/time.go index 3a385e6bb..75b321aa6 100644 --- a/v3/util/time.go +++ b/v3/util/time.go @@ -37,6 +37,7 @@ var ( RFC4630Date = time.Date(2006, time.August, 1, 0, 0, 0, 0, time.UTC) RFC5280Date = time.Date(2008, time.May, 1, 0, 0, 0, 0, time.UTC) RFC6818Date = time.Date(2013, time.January, 1, 0, 0, 0, 0, time.UTC) + RFC6962Date = time.Date(2013, time.June, 1, 0, 0, 0, 0, time.UTC) RFC8813Date = time.Date(2020, time.August, 1, 0, 0, 0, 0, time.UTC) CABEffectiveDate = time.Date(2012, time.July, 1, 0, 0, 0, 0, time.UTC) CABReservedIPDate = time.Date(2016, time.October, 1, 0, 0, 0, 0, time.UTC) From 456dc01dad591ddaaf005f6a955fbca032379c0f Mon Sep 17 00:00:00 2001 
From: Adriano Santoni Date: Sun, 19 May 2024 20:09:35 +0200 Subject: [PATCH 3/4] Add lint to check that an SCT list is not empty (#837) * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Update lint_invalid_subject_rdn_order_test.go Added //nolint:all to the comment block to stop golangci-lint from complaining about duplicate words in the comment * Update lint_invalid_subject_rdn_order.go Fixed import block * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go Fine to me. Co-authored-by: Christopher Henderson * Update lint_invalid_subject_rdn_order.go As per Chris Henderson's suggestion, to "improve readability". * Update lint_invalid_subject_rdn_order_test.go As per Chris Henderson's suggestion. * Update time.go Added CABFEV_Sec9_2_8_Date * Add files via upload * Add files via upload * Revised according to Chris and Corey suggestions * Add files via upload * Add files via upload * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go * Delete v3/testdata/invalid_cps_uri_ko_01.pem * Delete v3/testdata/invalid_cps_uri_ko_02.pem * Delete v3/testdata/invalid_cps_uri_ko_03.pem * Delete v3/testdata/invalid_cps_uri_ok_01.pem * Delete v3/testdata/invalid_cps_uri_ok_02.pem * Delete v3/testdata/invalid_cps_uri_ok_03.pem * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Add files via upload --------- Co-authored-by: Christopher Henderson --- v3/lints/rfc/lint_empty_sct_list.go | 99 ++++++++++++++++ v3/lints/rfc/lint_empty_sct_list_test.go | 73 ++++++++++++ v3/testdata/empty_sct_list_ko_01.pem | 103 ++++++++++++++++ v3/testdata/empty_sct_list_na_01.pem | 99 ++++++++++++++++ v3/testdata/empty_sct_list_na_02.pem | 142 +++++++++++++++++++++++ v3/testdata/empty_sct_list_ok_01.pem | 100 ++++++++++++++++ v3/testdata/empty_sct_list_ok_02.pem | 131 +++++++++++++++++++++ 7 files changed, 747 insertions(+)
create mode 100644 v3/lints/rfc/lint_empty_sct_list.go
create mode 100644 v3/lints/rfc/lint_empty_sct_list_test.go
create mode 100644 v3/testdata/empty_sct_list_ko_01.pem
create mode 100644 v3/testdata/empty_sct_list_na_01.pem
create mode 100644 v3/testdata/empty_sct_list_na_02.pem
create mode 100644 v3/testdata/empty_sct_list_ok_01.pem
create mode 100644 v3/testdata/empty_sct_list_ok_02.pem
diff --git a/v3/lints/rfc/lint_empty_sct_list.go b/v3/lints/rfc/lint_empty_sct_list.go
new file mode 100644
index 000000000..d6f47a2c8
--- /dev/null
+++ b/v3/lints/rfc/lint_empty_sct_list.go
@@ -0,0 +1,99 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "encoding/asn1"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_empty_sct_list",
+ Description: "At least one SCT MUST be included in the SignedCertificateTimestampList extension",
+ Citation: "RFC 6962 section 3.3",
+ Source: lint.RFC6962,
+ EffectiveDate: util.RFC6962Date,
+ },
+ Lint: NewEmptySCTList,
+ })
+}
+
+type emptySCTList struct{}
+
+func NewEmptySCTList() lint.LintInterface {
+ return &emptySCTList{}
+}
+
+// CheckApplies returns true for any subscriber certificates that are not precertificates
+// (i.e. that do not have the CT poison extension defined in RFC 6962)
+func (l *emptySCTList) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && !util.IsExtInCert(c, util.CtPoisonOID)
+}
+
+func (l *emptySCTList) Execute(c *x509.Certificate) *lint.LintResult {
+
+ var sctListExtValue []byte
+
+ for _, e := range c.Extensions {
+ if e.Id.Equal(util.TimestampOID) {
+ sctListExtValue = e.Value
+ break
+ }
+ }
+
+ // SCT extension not found, so there is nothing to check
+ if sctListExtValue == nil {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+
+ var octetString []byte
+
+ _, err := asn1.Unmarshal(sctListExtValue, &octetString)
+ if err != nil {
+ // This will probably never happen, as at this point the extension has already been parsed by an upper Zlint layer
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: "Error decoding the SignedCertificateTimestampList extension",
+ }
+ }
+
+ // Per RFC 5246, the SCT list must begin with a two-bytes length field
+ if len(octetString) < 2 {
+ // This will probably never happen, as at this point the extension has already been parsed by an upper Zlint layer
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: "Invalid SCT list encoding (missing length field)",
+ }
+ }
+
+ // If the SCT list length (first two bytes) is zero, then it's an invalid SCT list per RFC 6962
+ if octetString[0] == 0 && octetString[1] == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "At least one SCT MUST be included in the SignedCertificateTimestampList extension",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/rfc/lint_empty_sct_list_test.go b/v3/lints/rfc/lint_empty_sct_list_test.go
new file mode 100644
index 000000000..4267cd0a2
--- /dev/null
+++ b/v3/lints/rfc/lint_empty_sct_list_test.go
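Review bot: The emptiness check at the end of Execute only fires when the two-byte length prefix is exactly zero, so a SignedCertificateTimestampList whose prefix is non-zero but whose OCTET STRING ends right after it (len(octetString) == 2) contains no SCT either yet is reported as Pass; decoding the prefix explicitly also makes the big-endian byte order visible: `sctListLen := int(binary.BigEndian.Uint16(octetString))` followed by `if sctListLen == 0 || len(octetString) == 2 {` (needs `encoding/binary` in the import block). Whether that second case should reuse the "At least one SCT MUST be included" Details or get its own encoding-error message is a judgement call, since there the declared length and the payload disagree. The `rest` value returned by asn1.Unmarshal is discarded, so trailing bytes after the OCTET STRING go unnoticed here; unless zcrypto is known to reject them earlier, checking `len(rest) == 0` would make the "will probably never happen" Fatal branches a safer assumption. Minor: the import block lists `encoding/asn1` after the module imports, whereas goimports convention puts the standard-library group first.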
@@ -0,0 +1,73 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package rfc
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+/*
+ === Pass test cases ===
+ empty_sct_list_ok_01.pem SCTList extension NOT present
+ empty_sct_list_ok_02.pem SCTList extension present, with length > 0
+
+ === NA test cases ===
+ empty_sct_list_na_01.pem Precertificate (Poison extension present)
+ empty_sct_list_na_02.pem CA certificate
+
+ === Fail test cases ===
+ empty_sct_list_ko_01.pem SCTList extension present, with zero length
+*/
+
+func TestEmptySCTList(t *testing.T) {
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+ data := []Data{
+ {
+ input: "empty_sct_list_ok_01.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "empty_sct_list_ok_02.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "empty_sct_list_na_01.pem",
+ want: lint.NA,
+ },
+ {
+ input: "empty_sct_list_na_02.pem",
+ want: lint.NA,
+ },
+ {
+ input: "empty_sct_list_ko_01.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_empty_sct_list", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
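Review bot: Neither Fatal branch of Execute (an undecodable extension value, or an OCTET STRING shorter than the two-byte length prefix) has a row in the table, so with the extension present the only path exercised is the all-zero prefix in empty_sct_list_ko_01.pem. A hand-built certificate whose prefix is non-zero but carries no bytes after it would also be worth a row, since the lint as written in lint_empty_sct_list.go appears to report that input as Pass. The `testData := testData` copy is only needed for toolchains before Go 1.22; it is harmless, but can be dropped once the module's go directive is at or above that version.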
diff --git a/v3/testdata/empty_sct_list_ko_01.pem b/v3/testdata/empty_sct_list_ko_01.pem new file mode 100644 index 000000000..ec63b86d3 --- /dev/null +++ b/v3/testdata/empty_sct_list_ko_01.pem 
@@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 15:5d:5d:77:7e:9c:cd:57:03:5b:bb:65:0a:db:70:19 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 29 07:50:51 2024 GMT + Not After : Apr 29 07:50:51 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ca:dc:be:ac:45:65:b0:1f:3e:48:bc:f7:8c:a0: + 74:ff:b0:12:81:e0:c3:56:54:ca:2e:98:ef:9e:2f: + a1:b1:3f:35:8b:e7:bc:2a:a6:00:15:39:c2:a0:a7: + 8d:82:69:40:64:c8:2b:4b:e3:02:83:8e:fc:ff:5b: + 38:f1:e6:cd:d2:2d:97:c6:bb:16:9a:21:83:e5:4f: + 45:20:f8:02:e8:a3:54:20:bd:80:26:f7:e4:6e:6e: + 1b:97:de:e6:aa:36:be:1e:7a:5a:1e:23:d4:40:8a: + 59:67:9d:39:b7:2d:58:56:9d:f9:d0:f1:d7:19:47: + ed:66:d2:2f:00:79:cd:ee:52:4c:da:35:27:b4:1e: + 4c:27:f5:66:d5:8a:f3:fe:77:bd:93:e4:49:06:dd: + 2c:f4:9e:64:b8:a7:be:f4:bb:10:54:d5:7f:88:a9: + 8d:1d:36:cd:45:47:72:41:de:32:25:11:ec:e5:74: + 58:9f:1e:ad:19:7a:85:49:71:27:4c:95:f0:b7:4e: + 18:f1:ef:4a:4f:00:e2:db:bb:f9:fc:26:cd:12:a9: + 4a:13:b4:8f:70:08:9b:69:0b:c8:7e:33:42:28:f0: + 3a:59:59:7b:aa:7e:d3:9f:d5:6f:c4:b2:67:c6:c2: + bd:67:33:a2:01:3d:5b:ec:a1:98:b4:17:de:b8:df: + 53:07 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 71:C2:DE:BD:F0:7E:64:F8:06:3E:92:29:54:90:C8:24:34:A8:EC:02 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate 
Policies: + Policy: 2.23.140.1.2.2 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + CT Precertificate SCTs: + + Signature Algorithm: sha256WithRSAEncryption + a7:02:df:31:70:db:35:d2:3c:c3:ab:f0:b8:bb:5a:4c:7f:74: + 97:3c:83:6a:f4:ec:e9:7a:ff:0c:40:4f:8e:21:11:7e:cf:2c: + 6d:00:ed:0b:b4:db:ed:1a:e6:f6:c9:8b:6f:19:e6:98:0e:07: + d7:b8:1e:bf:10:54:3f:88:82:ae:83:76:53:a8:b2:91:b9:88: + 12:45:c9:8b:4e:02:e0:b4:55:41:7b:6e:c9:e1:83:79:db:f5: + 67:63:b9:58:d7:d7:ca:d5:95:b4:ba:03:dc:d2:e9:d1:ac:34: + 26:38:52:41:02:de:07:ef:62:1b:9a:00:b0:41:b0:b6:9e:14: + f1:44:92:ba:cd:d7:91:9d:12:94:50:1a:90:7d:d5:3e:d3:b4: + 24:88:f3:7e:26:d2:fa:cb:3f:e5:fa:07:80:69:60:09:41:2b: + 49:62:f9:b7:da:a0:89:ee:17:ea:95:ba:d1:9c:59:7d:00:d3: + d9:af:2f:f9:a9:b2:83:6a:22:7b:df:6a:59:5d:e0:0c:79:ee: + af:c2:03:70:20:f1:1f:02:c0:72:d5:d8:cf:84:e8:16:8d:bf: + 21:3c:42:e3:72:46:de:e2:7c:e4:5a:9d:f4:76:81:44:03:05: + 3f:38:1e:c5:50:1f:41:84:bd:40:83:10:90:2a:ea:6a:8b:06: + 37:6b:50:91 +-----BEGIN CERTIFICATE----- +MIIEojCCA4qgAwIBAgIQFV1dd36czVcDW7tlCttwGTANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MjkwNzUwNTFaFw0yNTA0MjkwNzUw +NTFaMIGJMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcxEzARBgNVBAUTCjEyMzQ1Njc4OTAw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK3L6sRWWwHz5IvPeMoHT/ +sBKB4MNWVMoumO+eL6GxPzWL57wqpgAVOcKgp42CaUBkyCtL4wKDjvz/Wzjx5s3S +LZfGuxaaIYPlT0Ug+ALoo1QgvYAm9+RubhuX3uaqNr4eeloeI9RAillnnTm3LVhW +nfnQ8dcZR+1m0i8Aec3uUkzaNSe0Hkwn9WbVivP+d72T5EkG3Sz0nmS4p770uxBU +1X+IqY0dNs1FR3JB3jIlEezldFifHq0ZeoVJcSdMlfC3Thjx70pPAOLbu/n8Js0S +qUoTtI9wCJtpC8h+M0Io8DpZWXuqftOf1W/EsmfGwr1nM6IBPVvsoZi0F96431MH +AgMBAAGjggFJMIIBRTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMB0GA1UdDgQWBBRxwt698H5k+AY+kilUkMgkNKjsAjAfBgNV 
+HSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYI +KwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUF +BzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAWBgNVHREEDzANggtl +eGFtcGxlLm9yZzATBgNVHSAEDDAKMAgGBmeBDAECAjAtBgNVHR8EJjAkMCKgIKAe +hhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMBIGCisGAQQB1nkCBAIEBAQC +AAAwDQYJKoZIhvcNAQELBQADggEBAKcC3zFw2zXSPMOr8Li7Wkx/dJc8g2r07Ol6 +/wxAT44hEX7PLG0A7Qu02+0a5vbJi28Z5pgOB9e4Hr8QVD+Igq6DdlOospG5iBJF +yYtOAuC0VUF7bsnhg3nb9WdjuVjX18rVlbS6A9zS6dGsNCY4UkEC3gfvYhuaALBB +sLaeFPFEkrrN15GdEpRQGpB91T7TtCSI834m0vrLP+X6B4BpYAlBK0li+bfaoInu +F+qVutGcWX0A09mvL/mpsoNqInvfalld4Ax57q/CA3Ag8R8CwHLV2M+E6BaNvyE8 +QuNyRt7ifORanfR2gUQDBT84HsVQH0GEvUCDEJAq6mqLBjdrUJE= +-----END CERTIFICATE----- diff --git a/v3/testdata/empty_sct_list_na_01.pem b/v3/testdata/empty_sct_list_na_01.pem new file mode 100644 index 000000000..4f582c422 --- /dev/null +++ b/v3/testdata/empty_sct_list_na_01.pem 
@@ -0,0 +1,99 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 85:74:a7:82:8c:9e:37:4d:ff:68:09:28:3a:10:be:b0 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 29 07:32:42 2024 GMT + Not After : Apr 29 07:32:42 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c9:f6:cb:84:c2:39:69:2d:4b:f1:90:18:15:62: + bf:4d:b2:0b:86:e4:fa:c2:15:7d:06:29:5c:2c:4e: + 9b:8c:17:60:6c:49:18:46:7e:01:f2:a8:31:71:45: + 5b:e9:52:b1:22:15:8b:7c:64:84:90:ad:61:55:b8: + 90:07:a4:4c:70:cb:a1:d4:bd:c4:d5:6f:73:3f:30: + 53:1b:85:5c:7b:0b:ed:4a:d2:2d:1e:3f:f7:57:6a: + ad:49:89:d5:7f:b6:83:02:52:c7:cc:b5:68:42:20: + 69:84:7e:f6:a1:79:26:3e:21:57:16:93:47:08:0b: + 54:4b:b4:db:a8:59:0f:ea:af:ea:68:7d:b4:5d:f4: + bd:22:f8:8d:f2:c7:ec:38:ca:3f:a9:79:e8:c0:b3: + 77:1f:87:3d:e2:52:44:9f:0e:98:07:a3:56:35:c9: + 12:57:9c:95:2c:a1:e4:71:64:26:13:83:3b:29:8c: + 1d:7a:f0:fa:1b:81:c5:ac:b1:cd:51:99:7d:46:0d: + d8:3e:f4:d5:90:d4:5f:16:db:85:84:2b:d0:42:8f: + 85:8a:9b:85:39:0c:df:19:5a:b9:d9:ab:a0:0f:22: + 64:2b:90:88:1b:a1:6f:42:e7:66:a3:c0:2a:88:d4: + c6:40:5f:49:df:a9:85:5b:7b:e7:72:64:80:8d:4d: + 65:95 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 07:23:84:22:FA:B0:66:0F:62:49:26:90:FE:0B:E8:33:1B:5B:82:01 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 CRL Distribution Points: + + Full Name: + 
URI:http://ca.someca-inc.com/crl + + CT Precertificate Poison: critical + NULL + Signature Algorithm: sha256WithRSAEncryption + 08:6d:c4:48:6f:4b:e9:a4:8c:f0:0a:0b:33:7c:45:14:e1:1c: + 81:ec:54:67:e2:5f:94:57:61:11:86:b7:c1:80:4c:c0:70:a1: + 7f:1e:58:7e:4e:09:b2:8a:3a:d4:b1:fd:63:8a:d7:61:2e:bc: + 60:72:04:af:68:66:a5:bd:45:52:9d:e3:43:64:5a:ff:48:48: + c4:e2:62:f3:e9:a3:f7:3a:32:f5:e3:85:d7:4e:99:f0:2e:3a: + a2:43:09:51:43:8b:80:f7:34:16:b8:1a:57:fb:8b:d0:3d:e2: + 73:12:42:a6:eb:4a:ca:5c:21:6e:1b:cf:5b:cb:5b:2e:d3:0b: + c7:01:6c:0b:a7:81:24:61:7c:7c:f4:b7:d3:4b:e4:ec:04:71: + 97:d2:68:55:b1:ef:a7:2b:ce:ac:2e:bf:23:fa:31:ff:86:c6: + 82:ab:87:b8:2e:92:66:46:44:5a:bb:aa:09:8b:f1:4c:75:f7: + 45:79:9a:25:5f:42:2a:61:7b:5e:d8:50:5f:37:8b:66:ee:0d: + dc:f0:f1:2b:08:24:93:bd:33:3f:06:48:d8:78:ac:cd:5c:92: + ab:a5:78:59:b0:14:26:f9:42:91:4c:fb:a1:fc:de:1b:18:51: + 66:26:d5:86:f9:13:00:24:22:e3:27:29:49:9e:36:f6:b1:87: + 89:82:14:a5 +-----BEGIN CERTIFICATE----- +MIIEeTCCA2GgAwIBAgIRAIV0p4KMnjdN/2gJKDoQvrAwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDI5MDczMjQyWhcNMjUwNDI5MDcz +MjQyWjB0MQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDJ9suEwjlpLUvxkBgVYr9NsguG5PrCFX0GKVwsTpuMF2BsSRhG +fgHyqDFxRVvpUrEiFYt8ZISQrWFVuJAHpExwy6HUvcTVb3M/MFMbhVx7C+1K0i0e +P/dXaq1JidV/toMCUsfMtWhCIGmEfvaheSY+IVcWk0cIC1RLtNuoWQ/qr+pofbRd +9L0i+I3yx+w4yj+peejAs3cfhz3iUkSfDpgHo1Y1yRJXnJUsoeRxZCYTgzspjB16 +8PobgcWssc1RmX1GDdg+9NWQ1F8W24WEK9BCj4WKm4U5DN8ZWrnZq6APImQrkIgb +oW9C52ajwCqI1MZAX0nfqYVbe+dyZICNTWWVAgMBAAGjggE1MIIBMTAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW +BBQHI4Qi+rBmD2JJJpD+C+gzG1uCATAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU +fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z 
+b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh +LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLm9yZzAtBgNVHR8EJjAk +MCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMBMGCisGAQQB1nkC +BAMBAf8EAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQAIbcRIb0vppIzwCgszfEUU4RyB +7FRn4l+UV2ERhrfBgEzAcKF/Hlh+TgmyijrUsf1jitdhLrxgcgSvaGalvUVSneND +ZFr/SEjE4mLz6aP3OjL144XXTpnwLjqiQwlRQ4uA9zQWuBpX+4vQPeJzEkKm60rK +XCFuG89by1su0wvHAWwLp4EkYXx89LfTS+TsBHGX0mhVse+nK86sLr8j+jH/hsaC +q4e4LpJmRkRau6oJi/FMdfdFeZolX0IqYXte2FBfN4tm7g3c8PErCCSTvTM/BkjY +eKzNXJKrpXhZsBQm+UKRTPuh/N4bGFFmJtWG+RMAJCLjJylJnjb2sYeJghSl +-----END CERTIFICATE----- diff --git a/v3/testdata/empty_sct_list_na_02.pem b/v3/testdata/empty_sct_list_na_02.pem new file mode 100644 index 000000000..2adf8ecad --- /dev/null +++ b/v3/testdata/empty_sct_list_na_02.pem 
@@ -0,0 +1,142 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + db:68:f5:a2:88:67:05:43:93:8f:53:41:52:3c:c1:31 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing + Validity + Not Before: Apr 29 07:47:21 2024 GMT + Not After : Apr 27 07:47:21 2034 GMT + Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, CN = Fake CA for zlint testing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:cc:85:e5:66:50:f4:42:73:53:8b:0c:25:c6:22: + 35:50:b4:74:67:4c:86:7c:b3:f3:ae:b1:5a:d6:93: + 27:b5:a1:38:14:7d:f2:51:ec:73:2f:d3:df:f0:c0: + 63:dc:e7:c9:3c:71:79:b2:ad:36:ca:89:c2:b3:28: + 02:00:77:d9:ad:dd:9b:6e:c9:7c:64:bb:26:3d:df: + d2:8f:80:a6:9d:a9:39:95:a9:cc:d8:ee:dc:74:4e: + 46:9a:bf:de:89:96:44:ea:78:d1:86:a4:51:41:cd: + bd:ff:8c:47:5c:be:77:f9:a5:d3:cf:76:13:b6:8e: + 8d:8f:58:b4:fd:22:3a:26:b9:4a:be:81:0e:17:b6: + 8d:93:c1:75:19:c8:1e:8a:e9:d9:46:b8:77:9d:2a: + 60:e5:71:24:04:7b:bb:cb:b6:f0:73:55:cc:66:e7: + ab:38:2b:2c:01:b4:f0:38:4f:66:ef:11:b8:ad:fc: + ea:6d:d2:86:8f:48:ed:2b:6c:c7:cc:15:27:2f:7f: + 42:fd:91:4a:5f:40:92:d0:cb:4e:be:3c:55:b2:32: + 88:d9:18:5e:38:9d:ee:3c:d9:2f:85:a6:f6:66:7d: + 09:98:76:da:1e:72:d0:b8:76:18:93:f6:e8:43:5a: + 16:a7:90:df:90:8f:11:66:c0:17:cf:c7:35:09:71: + 65:b3:64:43:30:85:4d:8e:d6:5d:e5:a3:de:99:72: + 8f:9c:09:72:71:97:b1:01:96:4b:19:9a:6d:ea:e3: + 49:e6:19:45:22:f8:26:f2:99:74:74:43:16:ed:2e: + 0c:81:bb:a8:65:b8:26:a1:7e:7e:89:67:4f:94:7b: + c3:f6:d4:0d:3c:2e:c9:e0:eb:9e:3a:65:ef:58:94: + 69:b3:4a:b4:a7:b9:27:89:c1:e8:45:0e:e7:f5:d1: + ac:c2:4b:a6:30:20:83:94:46:17:74:81:89:e0:4b: + 69:80:82:2f:85:19:f2:dd:00:22:84:03:8f:ee:f6: + cb:50:b0:88:12:1d:f2:7a:0e:93:d7:4c:d2:a2:98: + 37:dc:ef:27:02:4e:9c:e5:64:26:e0:89:9c:5c:0b: + 9d:23:7b:b6:f7:e5:62:9b:32:6d:96:e9:02:e5:25: + f6:4f:9c:8a:fc:46:8e:d8:9a:5d:e0:44:04:c4:23: + 83:54:6e:1e:35:db:38:2a:4b:1e:e9:75:8f:5a:06: + 
b8:3f:d6:e2:81:df:66:3d:dc:a1:24:8c:16:fa:3d: + 20:c4:90:1e:92:70:f0:99:c7:3e:cf:96:6f:6e:85: + 42:e4:4b:bb:94:02:8c:95:c6:57:22:a3:01:ca:74: + c5:38:80:db:b9:67:f6:e2:d3:54:6d:80:4b:2f:b1: + c2:5e:d7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 8C:4B:9D:C7:F4:BF:F3:8C:6C:D3:BF:57:22:D9:58:18:7A:79:CB:2F + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 31:de:99:68:d6:04:9c:41:79:c9:d0:33:2d:a3:45:2d:72:69: + 9f:dc:de:49:eb:b0:e7:7a:24:a7:f6:89:96:5c:d9:0a:3f:f9: + 15:4f:0f:0f:66:3d:4c:93:01:df:49:99:2e:f5:10:f9:ed:b3: + 21:7a:1e:da:67:82:64:f4:8d:a7:5a:6f:73:4e:e4:29:df:99: + 11:94:61:06:ec:04:7a:c5:f8:fb:8c:3c:0b:23:21:ea:78:b8: + 04:47:c9:0c:0a:9e:43:45:9c:f2:40:08:92:60:b1:76:72:55: + bc:8d:3e:b7:ce:f3:71:a8:f4:ec:77:66:cb:ff:02:7f:09:8a: + c7:21:af:75:6a:18:9d:33:4e:5b:81:ea:04:9d:22:dd:49:ba: + db:65:0f:c6:be:3e:2d:75:52:d5:92:b4:56:da:44:64:80:cf: + 03:1f:17:d0:59:e9:a2:13:a2:ed:86:96:8c:65:2c:4b:b3:a8: + 51:e1:1f:9a:8d:48:ac:65:62:78:60:c7:69:00:d3:21:25:fd: + 27:cb:3e:39:fc:62:41:2a:cf:18:56:88:45:e2:34:79:d6:a0: + a8:c1:28:af:08:64:e2:ad:4a:2e:b9:ae:2e:39:c0:10:09:5d: + 5b:50:01:e5:77:21:a5:91:db:88:ef:f3:b4:5d:41:dc:6c:c5: + c7:4e:f4:b8:d2:72:7b:90:04:b7:98:d7:4d:85:36:e3:bb:5e: + 5f:14:fd:6f:fb:c8:2b:ff:fd:c3:20:af:7a:1e:72:a1:71:d9: + 12:cb:f0:dd:c1:9b:b7:8f:d3:45:21:55:3b:90:6f:a2:0c:a0: + c3:e5:55:6e:ac:be:7d:50:5c:66:e8:f3:a3:19:00:d9:94:86: + 
ad:75:ef:7a:b6:54:77:76:65:55:16:8f:7e:e0:40:7b:40:5d: + 0b:de:60:f8:94:c6:9b:f5:31:d6:68:44:7a:6a:f9:6e:ac:f8: + bc:1b:75:47:57:d9:de:db:a1:f9:50:f4:e2:96:b5:92:9c:bd: + 63:37:c9:49:44:d0:b6:81:2f:3b:50:f8:55:bb:74:69:00:8e: + 35:cc:9c:81:56:55:19:b0:aa:97:2a:d2:5c:74:0e:a6:58:3d: + 78:c1:88:a8:96:6f:f2:68:98:9c:68:91:d0:68:1d:3d:0d:d2: + 7d:56:d8:45:f8:53:aa:d5:8d:85:a8:88:c2:ca:63:cb:55:2a: + 3f:db:68:fb:2a:a9:c4:82:e8:09:eb:15:96:14:75:8e:88:c9: + 20:e3:fa:33:af:81:4d:3a:a8:70:d6:85:bd:98:37:9d:f7:fd: + ee:a0:83:a7:79:49:99:38:4b:df:34:d2:bc:c0:1a:68:f8:d3: + 32:51:95:6d:26:4b:e1:2d +-----BEGIN CERTIFICATE----- +MIIGcTCCBFmgAwIBAgIRANto9aKIZwVDk49TQVI8wTEwDQYJKoZIhvcNAQELBQAw +SDELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExJzAlBgNVBAMTHkZha2Ug +Um9vdCBDQSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MjkwNzQ3MjFaFw0zNDA0 +MjcwNzQ3MjFaMHAxCzAJBgNVBAYTAlhYMRMwEQYDVQQIEwpTb21lIFN0YXRlMRYw +FAYDVQQHEw1Tb21lIExvY2FsaXR5MRAwDgYDVQQKEwdTb21lIENBMSIwIAYDVQQD +ExlGYWtlIENBIGZvciB6bGludCB0ZXN0aW5nMIICIjANBgkqhkiG9w0BAQEFAAOC +Ag8AMIICCgKCAgEAzIXlZlD0QnNTiwwlxiI1ULR0Z0yGfLPzrrFa1pMntaE4FH3y +UexzL9Pf8MBj3OfJPHF5sq02yonCsygCAHfZrd2bbsl8ZLsmPd/Sj4Cmnak5lanM +2O7cdE5Gmr/eiZZE6njRhqRRQc29/4xHXL53+aXTz3YTto6Nj1i0/SI6JrlKvoEO +F7aNk8F1GcgeiunZRrh3nSpg5XEkBHu7y7bwc1XMZuerOCssAbTwOE9m7xG4rfzq +bdKGj0jtK2zHzBUnL39C/ZFKX0CS0MtOvjxVsjKI2RheOJ3uPNkvhab2Zn0JmHba +HnLQuHYYk/boQ1oWp5DfkI8RZsAXz8c1CXFls2RDMIVNjtZd5aPemXKPnAlycZex +AZZLGZpt6uNJ5hlFIvgm8pl0dEMW7S4MgbuoZbgmoX5+iWdPlHvD9tQNPC7J4Oue +OmXvWJRps0q0p7knicHoRQ7n9dGswkumMCCDlEYXdIGJ4EtpgIIvhRny3QAihAOP +7vbLULCIEh3yeg6T10zSopg33O8nAk6c5WQm4ImcXAudI3u29+VimzJtlukC5SX2 +T5yK/EaO2Jpd4EQExCODVG4eNds4Kkse6XWPWga4P9bigd9mPdyhJIwW+j0gxJAe +knDwmcc+z5ZvboVC5Eu7lAKMlcZXIqMBynTFOIDbuWf24tNUbYBLL7HCXtcCAwEA +AaOCASwwggEoMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDAgYI +KwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUjEudx/S/84xs079X +ItlYGHp5yy8wHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYIKwYB 
+BQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20v +b2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jvb3Qw +EQYDVR0gBAowCDAGBgRVHSAAMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggIBADHemWjWBJxBecnQ +My2jRS1yaZ/c3knrsOd6JKf2iZZc2Qo/+RVPDw9mPUyTAd9JmS71EPntsyF6Htpn +gmT0jadab3NO5CnfmRGUYQbsBHrF+PuMPAsjIep4uARHyQwKnkNFnPJACJJgsXZy +VbyNPrfO83Go9Ox3Zsv/An8Jischr3VqGJ0zTluB6gSdIt1JuttlD8a+Pi11UtWS +tFbaRGSAzwMfF9BZ6aITou2GloxlLEuzqFHhH5qNSKxlYnhgx2kA0yEl/SfLPjn8 +YkEqzxhWiEXiNHnWoKjBKK8IZOKtSi65ri45wBAJXVtQAeV3IaWR24jv87RdQdxs +xcdO9LjScnuQBLeY102FNuO7Xl8U/W/7yCv//cMgr3oecqFx2RLL8N3Bm7eP00Uh +VTuQb6IMoMPlVW6svn1QXGbo86MZANmUhq1173q2VHd2ZVUWj37gQHtAXQveYPiU +xpv1MdZoRHpq+W6s+LwbdUdX2d7boflQ9OKWtZKcvWM3yUlE0LaBLztQ+FW7dGkA +jjXMnIFWVRmwqpcq0lx0DqZYPXjBiKiWb/JomJxokdBoHT0N0n1W2EX4U6rVjYWo +iMLKY8tVKj/baPsqqcSC6AnrFZYUdY6IySDj+jOvgU06qHDWhb2YN533/e6gg6d5 +SZk4S9800rzAGmj40zJRlW0mS+Et +-----END CERTIFICATE----- diff --git a/v3/testdata/empty_sct_list_ok_01.pem b/v3/testdata/empty_sct_list_ok_01.pem new file mode 100644 index 000000000..c563c2ce1 --- /dev/null +++ b/v3/testdata/empty_sct_list_ok_01.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 7d:90:82:5f:d9:d7:43:03:70:45:fa:ce:ac:73:54:e7 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 29 06:51:17 2024 GMT + Not After : Apr 29 06:51:17 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:fa:99:2b:33:e1:39:f6:a1:bc:ae:4a:98:72:d6: + 81:cb:64:56:90:fa:13:8b:1e:bf:56:bb:c2:63:e8: + 4f:b9:7f:79:28:4c:60:17:30:2e:8c:2e:38:d8:7d: + bd:00:29:55:10:7c:63:d5:95:20:73:f4:4d:e0:bf: + 94:be:9c:1d:ec:c3:b8:cc:af:39:1d:c2:1f:c2:bd: + fa:1c:fa:5f:d6:9d:3d:a4:de:8a:43:34:8b:7c:aa: + a4:d7:3e:08:b1:10:ec:5d:3e:d0:30:64:d8:21:6e: + e3:38:ca:35:a7:60:07:80:ed:6d:a5:5e:83:9a:8a: + 06:3e:75:82:87:43:0c:8d:e2:ae:16:e1:49:83:1b: + f9:d5:6b:a8:f4:61:12:0b:8b:95:db:d3:b6:e7:97: + b3:30:85:8d:f5:d3:bf:63:9d:08:a2:80:24:67:ac: + 0a:a9:7f:28:82:16:ed:d7:8e:60:32:f9:2c:72:33: + 59:67:27:13:14:39:c6:49:b8:57:a5:df:ad:c3:bd: + fc:81:e3:2c:fb:98:52:ba:af:ed:3a:e2:65:f7:ee: + 48:a9:6f:fd:bd:1b:2c:1e:db:c8:99:31:ec:04:7e: + 02:e4:26:bd:d3:0d:e0:ec:8a:11:27:b2:1a:26:a3: + e7:48:99:70:ce:00:ac:37:4f:c8:ab:0e:55:62:7a: + 7e:9b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 48:32:48:23:6E:B1:1D:04:21:66:06:F2:7A:5F:90:41:C5:D9:CF:B4 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 
+ + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 15:57:1f:2f:d9:d5:b7:67:f9:0f:b1:09:2b:e1:37:4d:02:9f: + 47:0d:0d:fd:20:4c:fe:c9:43:a2:e4:ab:4c:07:74:bc:d1:bd: + 95:b5:a5:01:2d:c6:53:3a:55:1c:76:53:08:c4:92:fa:85:4d: + 0e:73:7e:b5:46:a8:36:ab:2f:c3:69:c4:68:11:34:0d:b1:76: + 73:7b:28:cb:e7:5f:96:c6:25:7a:49:6f:15:54:c0:b3:33:fb: + b8:16:ba:db:78:f4:39:65:20:5a:9c:b0:72:d1:bd:3a:57:38: + 0c:85:d0:58:5d:cd:26:67:b0:4b:89:c7:e7:74:57:f9:a8:8c: + 4c:b1:e5:9b:a8:4d:fd:14:c6:fe:6f:55:aa:1c:33:23:ab:aa: + aa:68:1d:49:77:71:ee:5f:e7:d8:3a:a1:22:85:93:ca:42:68: + c0:a1:0f:e0:7e:4c:c1:29:d7:ce:33:a8:19:a9:5a:56:e8:7c: + 09:e6:7d:35:0e:95:f9:ec:83:af:53:b8:cd:98:ec:ab:d6:88: + cd:81:82:1e:f7:70:ef:f7:23:4e:07:04:8f:21:24:4f:9b:0a: + e3:f5:43:fa:67:93:1a:87:68:68:47:1c:3b:c2:11:bf:b1:ce: + 96:86:75:b6:8d:0b:54:01:01:9b:b7:80:4f:96:38:82:67:bd: + cb:b8:e4:33 +-----BEGIN CERTIFICATE----- +MIIEeDCCA2CgAwIBAgIQfZCCX9nXQwNwRfrOrHNU5zANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MjkwNjUxMTdaFw0yNTA0MjkwNjUx +MTdaMHQxCzAJBgNVBAYTAklUMR8wHQYDVQQIExZTb21lIFN0YXRlIG9yIFByb3Zp +bmNlMRIwEAYDVQQHEwlTb21ld2hlcmUxGjAYBgNVBAoTEVNvbWUgQ29tcGFueSBM +dGQuMRQwEgYDVQQDEwtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAPqZKzPhOfahvK5KmHLWgctkVpD6E4sev1a7wmPoT7l/eShMYBcw +LowuONh9vQApVRB8Y9WVIHP0TeC/lL6cHezDuMyvOR3CH8K9+hz6X9adPaTeikM0 +i3yqpNc+CLEQ7F0+0DBk2CFu4zjKNadgB4DtbaVeg5qKBj51godDDI3irhbhSYMb ++dVrqPRhEguLldvTtueXszCFjfXTv2OdCKKAJGesCql/KIIW7deOYDL5LHIzWWcn +ExQ5xkm4V6XfrcO9/IHjLPuYUrqv7TriZffuSKlv/b0bLB7byJkx7AR+AuQmvdMN +4OyKESeyGiaj50iZcM4ArDdPyKsOVWJ6fpsCAwEAAaOCATUwggExMA4GA1UdDwEB +/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYE +FEgySCNusR0EIWYG8npfkEHF2c+0MB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+ +B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNv 
+bWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2Et +aW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMBMGA1UdIAQMMAow +CAYGZ4EMAQICMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5j +LmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggEBABVXHy/Z1bdn+Q+xCSvhN00Cn0cN +Df0gTP7JQ6Lkq0wHdLzRvZW1pQEtxlM6VRx2UwjEkvqFTQ5zfrVGqDarL8NpxGgR +NA2xdnN7KMvnX5bGJXpJbxVUwLMz+7gWutt49DllIFqcsHLRvTpXOAyF0FhdzSZn +sEuJx+d0V/mojEyx5ZuoTf0Uxv5vVaocMyOrqqpoHUl3ce5f59g6oSKFk8pCaMCh +D+B+TMEp184zqBmpWlbofAnmfTUOlfnsg69TuM2Y7KvWiM2Bgh73cO/3I04HBI8h +JE+bCuP1Q/pnkxqHaGhHHDvCEb+xzpaGdbaNC1QBAZu3gE+WOIJnvcu45DM= +-----END CERTIFICATE----- diff --git a/v3/testdata/empty_sct_list_ok_02.pem b/v3/testdata/empty_sct_list_ok_02.pem new file mode 100644 index 000000000..37aa7b0a5 --- /dev/null +++ b/v3/testdata/empty_sct_list_ok_02.pem 
@@ -0,0 +1,131 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + f4:e0:73:3f:6b:8c:f9:95:e7:9e:d6:69:46:2c:31:6f + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 29 06:56:35 2024 GMT + Not After : Apr 29 06:56:35 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b9:91:c7:f2:c2:62:be:cd:00:d5:70:1b:2f:ef: + 4c:52:d9:59:a7:f2:68:15:a4:6f:94:37:45:3b:1b: + 0b:4b:83:ff:9d:84:76:b6:0b:21:a4:5d:4d:2a:35: + aa:71:b4:d5:6b:f9:69:ce:6e:a0:4d:16:6a:31:e9: + 4b:2b:66:44:74:df:81:81:bd:0f:b1:4e:df:1f:24: + f2:8a:8c:91:34:64:1f:ac:16:ca:54:fc:1f:4b:49: + 44:1a:3a:c3:1a:09:4a:19:d6:3a:e9:8f:3a:e1:e8: + 47:2c:98:8e:c4:4b:9f:51:fd:00:a6:68:1d:11:b9: + c3:08:be:c6:96:47:f4:2b:61:dd:25:b1:62:f7:e3: + 8e:a9:12:ed:ae:c0:21:bc:38:09:70:e0:6e:32:f3: + ed:65:bf:9d:ee:8b:e3:45:0e:ab:c9:03:c2:62:b3: + 3b:82:b3:55:3f:fb:d9:ab:a5:f9:f3:83:2d:e2:22: + 6d:86:e9:3e:b3:9b:9e:62:6d:31:5f:a0:2e:d4:14: + 61:40:5c:60:53:93:2d:c2:69:70:be:17:d9:b4:25: + a7:a0:c8:30:db:15:f1:69:0f:20:ea:e3:11:5f:f3: + 7d:a3:aa:f3:a1:96:5f:8b:90:d1:38:a5:ea:9c:81: + 85:24:ff:6d:33:d7:d8:af:7e:63:55:85:af:60:be: + e9:d5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 69:E0:A8:FB:6C:3E:6D:A8:77:9E:47:C4:44:20:91:C8:24:71:14:40 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.org + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 
+ + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + CT Precertificate SCTs: + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C: + 5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99 + Timestamp : Feb 16 23:48:16.194 2023 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:45:02:20:71:A9:CF:F3:7B:85:D8:FB:AE:8E:E6:51: + 9A:73:1B:43:55:80:37:02:5D:81:4E:D9:57:B4:30:92: + D3:2E:F0:0C:02:21:00:C0:F3:25:A9:38:F0:D2:29:89: + B6:9E:74:05:43:33:E0:3B:EB:16:8B:E8:F1:F2:35:C2: + C8:87:FE:50:5A:44:2B + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A: + B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A + Timestamp : Feb 16 23:48:16.223 2023 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:45:02:20:5A:59:95:CA:3D:67:45:EC:6F:D8:5C:E2: + A1:0D:C7:68:CC:BF:C2:29:9B:64:DF:B4:19:0A:79:8D: + F6:EA:9C:22:02:21:00:CC:FA:2B:B0:25:0D:1B:17:D6: + 41:91:52:7C:D5:AF:B1:C9:35:FC:CC:2A:A6:8B:CC:66: + 06:DD:5A:2A:C2:A5:86 + Signature Algorithm: sha256WithRSAEncryption + 50:f3:35:88:4f:96:c4:ae:de:e9:5d:72:73:1e:55:29:69:85: + 45:f3:d9:91:e5:32:97:29:08:67:0f:b7:68:16:62:b6:5c:f2: + b2:7c:70:74:4a:3f:ff:13:45:1e:d3:72:0a:a6:8e:3b:c7:f1: + d2:95:b9:8a:ca:39:76:99:99:be:0c:b2:d9:4e:7d:f6:bb:56: + f9:43:7b:71:6f:44:72:25:52:e4:bb:98:d3:6e:46:59:ca:b3: + f2:af:42:a9:92:35:ba:7f:34:dc:44:7a:be:ab:cc:4f:0b:8d: + ce:64:31:5e:84:36:e3:a8:53:23:28:be:08:74:10:90:16:a5: + 14:ca:2e:86:36:dd:87:76:df:10:d6:bf:64:e5:43:72:ab:be: + 6f:71:b2:eb:35:2c:fd:4f:03:db:04:dc:48:0e:b1:f5:1d:05: + 45:35:74:97:5d:5a:75:a8:66:94:4f:eb:c4:82:ef:99:d7:e0: + 81:99:9e:af:bd:be:ec:08:80:48:53:9e:30:38:d3:75:da:3e: + 33:6b:88:57:33:1e:ed:cf:70:c9:08:ec:38:30:3b:02:d3:1e: + e2:ca:3f:6a:47:c8:bd:00:ee:9d:2a:9c:90:79:44:09:04:34: + 11:64:22:e9:6d:2d:b2:94:44:c6:1e:82:56:83:f3:62:01:b0: + 59:ee:4a:42 +-----BEGIN CERTIFICATE----- 
+MIIFgTCCBGmgAwIBAgIRAPTgcz9rjPmV557WaUYsMW8wDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDI5MDY1NjM1WhcNMjUwNDI5MDY1 +NjM1WjB0MQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC5kcfywmK+zQDVcBsv70xS2Vmn8mgVpG+UN0U7GwtLg/+dhHa2 +CyGkXU0qNapxtNVr+WnObqBNFmox6UsrZkR034GBvQ+xTt8fJPKKjJE0ZB+sFspU +/B9LSUQaOsMaCUoZ1jrpjzrh6EcsmI7ES59R/QCmaB0RucMIvsaWR/QrYd0lsWL3 +446pEu2uwCG8OAlw4G4y8+1lv53ui+NFDqvJA8JiszuCs1U/+9mrpfnzgy3iIm2G +6T6zm55ibTFfoC7UFGFAXGBTky3CaXC+F9m0JaegyDDbFfFpDyDq4xFf832jqvOh +ll+LkNE4peqcgYUk/20z19ivfmNVha9gvunVAgMBAAGjggI9MIICOTAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW +BBRp4Kj7bD5tqHeeR8REIJHIJHEUQDAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU +fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh +LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLm9yZzATBgNVHSAEDDAK +MAgGBmeBDAECAjAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWlu +Yy5jb20vY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAtz77JN+cTbp18jnF +ulj0bF38Qs96nzXEnh0JgSXttJkAAAGGXKDuwgAABAMARzBFAiBxqc/ze4XY+66O +5lGacxtDVYA3Al2BTtlXtDCS0y7wDAIhAMDzJak48NIpibaedAVDM+A76xaL6PHy +NcLIh/5QWkQrAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGG +XKDu3wAABAMARzBFAiBaWZXKPWdF7G/YXOKhDcdozL/CKZtk37QZCnmN9uqcIgIh +AMz6K7AlDRsX1kGRUnzVr7HJNfzMKqaLzGYG3VoqwqWGMA0GCSqGSIb3DQEBCwUA +A4IBAQBQ8zWIT5bErt7pXXJzHlUpaYVF89mR5TKXKQhnD7doFmK2XPKyfHB0Sj// +E0Ue03IKpo47x/HSlbmKyjl2mZm+DLLZTn32u1b5Q3txb0RyJVLku5jTbkZZyrPy +r0KpkjW6fzTcRHq+q8xPC43OZDFehDbjqFMjKL4IdBCQFqUUyi6GNt2Hdt8Q1r9k +5UNyq75vcbLrNSz9TwPbBNxIDrH1HQVFNXSXXVp1qGaUT+vEgu+Z1+CBmZ6vvb7s +CIBIU54wONN12j4za4hXMx7tz3DJCOw4MDsC0x7iyj9qR8i9AO6dKpyQeUQJBDQR +ZCLpbS2ylETGHoJWg/NiAbBZ7kpC +-----END CERTIFICATE----- 
From 8523152e2c47c83321a145b1e777a9996bd714dd Mon Sep 17 00:00:00 2001
From: Rob Stradling
Date: Fri, 24 May 2024 22:58:46 +0100
Subject: [PATCH 4/4] Fix handling of Subject:commonName not present in lint for BR 7.1.4.2.2a mailbox-validated (#845)

* Fix handling of Subject:commonName not present in lint for BR 7.1.4.2.2a mailbox-validated

* Add test case for no commonName attribute present
---
 .../lint_commonname_mailbox_validated.go | 5 +++-
 .../lint_commonname_mailbox_validated_test.go | 5 ++++
 .../mailbox_validated_common_name_absent.pem | 30 +++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 v3/testdata/smime/mailbox_validated_common_name_absent.pem

diff --git a/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go b/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go
index 06df676fd..d622f7466 100644
--- a/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go
+++ b/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go
@@ -44,7 +44,10 @@ func (l *commonNameMailboxValidated) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *commonNameMailboxValidated) Execute(c *x509.Certificate) *lint.LintResult {
-	commonNames := []string{c.Subject.CommonName}
+	var commonNames []string
+	if c.Subject.CommonName != "" {
+		commonNames = append(commonNames, c.Subject.CommonName)
+	}
 	commonNames = append(commonNames, c.Subject.CommonNames...)
 	for _, cn := range commonNames {
 		if !util.IsMailboxAddress(cn) {
diff --git a/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated_test.go b/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated_test.go
index 77fa56221..727d9774b 100644
--- a/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated_test.go
+++ b/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated_test.go
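Review bot: The new guard in `Execute` silently equates an empty `c.Subject.CommonName` with "no commonName attribute present", and nothing in the hunk says why that is acceptable for this lint; a short comment would help the next reader, e.g. `// Subject:commonName is optional for Mailbox-Validated certificates, so an absent attribute must not be reported as a non-mailbox value.` If `c.Subject.CommonNames` already carries every CN value from the RDN sequence (it appears to be the multi-valued counterpart of `CommonName`, but that is not visible here), the first CN is checked twice and a CN attribute that is present with an empty value still reaches `util.IsMailboxAddress` through that slice; if it does not, such an empty-valued CN is now accepted without a check, which is worth confirming with a test certificate that carries an empty CN rather than none. The remainder of `Execute`, including the result returned when the list is empty, lies outside the hunk.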
@@ -27,6 +27,11 @@ func TestCommonNameMailboxValidated(t *testing.T) {
 		InputFilename string
 		ExpectedResult lint.LintStatus
 	}{
+		{
+			Name: "pass - no commonName attribute present",
+			InputFilename: "smime/mailbox_validated_common_name_absent.pem",
+			ExpectedResult: lint.Pass,
+		},
 		{
 			Name: "pass - valid email in commonName",
 			InputFilename: "smime/mailbox_validated_common_name_good_email.pem",
diff --git a/v3/testdata/smime/mailbox_validated_common_name_absent.pem b/v3/testdata/smime/mailbox_validated_common_name_absent.pem
new file mode 100644
index 000000000..de5970a6d
--- /dev/null
+++ b/v3/testdata/smime/mailbox_validated_common_name_absent.pem
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFODCCBCCgAwIBAgIRAIe9uh1DAJY6+ckykEvuYmAwDQYJKoZIhvcNAQELBQAw +gZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO +BgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE+MDwGA1UE +AxM1U2VjdGlnbyBSU0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUg +RW1haWwgQ0EwHhcNMjQwMTAyMDAwMDAwWhcNMjUxMjIyMjM1OTU5WjAuMSwwKgYJ +KoZIhvcNAQkBFh1tYXJ0aWpuLmthdGVyYmFyZ0BzZWN0aWdvLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALQMuh2c7ECmRnd1XLJShvJEZnoR3MyI +e8RJ+Or/QfjTEAF4XYWnS+d4wO9L0Se5pCsdo/WysGjRsQGBvyaiQiSf3XLjCGyF +9R9STrSFomKSkev1fHdoOzQI0PsnjbNmyiBhJJdqFluzr2y6jQxn81WjVaGylMEn +SHF3rLtLgsOMJA2T233mkKtnlitBNA1Hf83QEdSfnilgr0z7WBp+4EiZVIJycjF8 +pNTzOSgPPSMFZe8O6HAjAwRwi4e0s/EmL9AI0fwqaKBaI0OTSt1SyforbZHvMwPZ +I041fF3qa6htrLSjzMitoyaV2A6xXV2dFhGz+2I0bAWCPX2tEv17UUsCAwEAAaOC +AeYwggHiMB8GA1UdIwQYMBaAFAnA8vwL2pTbX/4r36iZQs/J4K0AMB0GA1UdDgQW +BBR9V1qzZfoGq21Yj/3IPgibG+PQozAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/ +BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwUAYDVR0gBEkwRzA6 +BgwrBgEEAbIxAQIBCgEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9zZWN0aWdvLmNv +bS9TTUlNRUNQUzAJBgdngQwBBQECMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9j +cmwuc2VjdGlnby5jb20vU2VjdGlnb1JTQUNsaWVudEF1dGhlbnRpY2F0aW9uYW5k +U2VjdXJlRW1haWxDQS5jcmwwgYoGCCsGAQUFBwEBBH4wfDBVBggrBgEFBQcwAoZJ +aHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBQ2xpZW50QXV0aGVudGlj +YXRpb25hbmRTZWN1cmVFbWFpbENBLmNydDAjBggrBgEFBQcwAYYXaHR0cDovL29j +c3Auc2VjdGlnby5jb20wKAYDVR0RBCEwH4EdbWFydGlqbi5rYXRlcmJhcmdAc2Vj +dGlnby5jb20wDQYJKoZIhvcNAQELBQADggEBAKnvAa8vJTFT05bt8qVa+KaLiXPa +qmbfMvtXDU0OyZD5tJxp5kxpaT7IP4n5cOchFbNqI9rNyny3XNHBTd5eKtPoUein +ynP7tgJfrzG7YRzPfz/tOC2Y2VAhSAuaQ8bAmvNUq8xU3rgWyKtDTYBMraWFSIaK +g+VwORwFn2cv0FqOhDa0vlheSBFleuyxuEiFi40pnA5fvCFNUQes5SVorBSSydiM +hjyu0EoeVlvUiScP96PIeZL04HfBzA4KtAFAGwhA18GrtO4aWux2DNXYPs+saiNq +V3bMmP5h8JfwRoGKiLm7b37wfKlSkRlIrDY6WpBTOdidGc6gEuSOugJ0X3g= +-----END CERTIFICATE-----