├── .github └── workflows │ └── build_and_publish.yml ├── .gitignore ├── CHANGELOG.md ├── LICENSE ├── README.md ├── VERSION.txt ├── docker ├── Dockerfile ├── cosign_public_key.pem └── entrypoint.py ├── pkilint ├── __init__.py ├── adobe │ ├── __init__.py │ ├── adobe_validator.py │ └── asn1 │ │ └── __init__.py ├── bin │ ├── __init__.py │ ├── lint_cabf_serverauth_cert.py │ ├── lint_cabf_smime_cert.py │ ├── lint_crl.py │ ├── lint_etsi_cert.py │ ├── lint_ocsp_response.py │ ├── lint_pkix_cert.py │ └── lint_pkix_signer_signee_cert_chain.py ├── cabf │ ├── __init__.py │ ├── asn1 │ │ ├── __init__.py │ │ ├── ev_guidelines.asn1 │ │ └── ev_guidelines.py │ ├── cabf_ca.py │ ├── cabf_crl.py │ ├── cabf_extension.py │ ├── cabf_key.py │ ├── cabf_name.py │ ├── serverauth │ │ ├── __init__.py │ │ ├── finding_metadata.csv │ │ ├── serverauth_ca.py │ │ ├── serverauth_constants.py │ │ ├── serverauth_cross_ca.py │ │ ├── serverauth_extension.py │ │ ├── serverauth_finding_filter.py │ │ ├── serverauth_key.py │ │ ├── serverauth_name.py │ │ ├── serverauth_ocsp.py │ │ ├── serverauth_root.py │ │ └── serverauth_subscriber.py │ └── smime │ │ ├── __init__.py │ │ ├── finding_metadata.csv │ │ ├── smime_constants.py │ │ ├── smime_extension.py │ │ ├── smime_key.py │ │ ├── smime_name.py │ │ └── smime_validity.py ├── cli_util.py ├── common │ ├── __init__.py │ ├── alternative_name.py │ ├── common_name.py │ └── organization_id.py ├── document.py ├── etsi │ ├── __init__.py │ ├── asn1 │ │ ├── __init__.py │ │ ├── en_319_411_1.py │ │ ├── en_319_411_2.py │ │ ├── en_319_412_1.py │ │ ├── en_319_412_5.py │ │ └── ts_119_495.py │ ├── en_319_411_1.py │ ├── en_319_412_1.py │ ├── en_319_412_2.py │ ├── en_319_412_3.py │ ├── en_319_412_4.py │ ├── en_319_412_5.py │ ├── etsi_constants.py │ ├── etsi_finding_filter.py │ ├── etsi_shared.py │ ├── finding_metadata.csv │ ├── ts_119_312.py │ └── ts_119_495.py ├── finding_filter.py ├── iso │ ├── __init__.py │ └── lei.py ├── itu │ ├── __init__.py │ ├── asn1_util.py │ ├── bitstring.py 
│ ├── x520_name.py │ └── x520_name_unbounded.py ├── loader.py ├── msft │ ├── __init__.py │ ├── asn1 │ │ └── __init__.py │ ├── msft_extension.py │ └── msft_name.py ├── nist │ ├── __init__.py │ └── asn1 │ │ ├── __init__.py │ │ ├── csor.py │ │ ├── fips_203.py │ │ ├── fips_204.py │ │ └── fips_205.py ├── oid.py ├── pkix │ ├── __init__.py │ ├── algorithm.py │ ├── certificate │ │ ├── __init__.py │ │ ├── certificate_extension.py │ │ ├── certificate_key.py │ │ ├── certificate_name.py │ │ ├── certificate_transparency.py │ │ ├── certificate_validator.py │ │ └── certificate_validity.py │ ├── crl │ │ ├── __init__.py │ │ ├── crl_extension.py │ │ ├── crl_validator.py │ │ └── crl_validity.py │ ├── extension.py │ ├── general_name.py │ ├── key.py │ ├── name.py │ ├── ocsp │ │ ├── __init__.py │ │ ├── ocsp_basic_response.py │ │ ├── ocsp_response.py │ │ └── ocsp_validity.py │ └── time.py ├── report.py ├── rest │ ├── __init__.py │ ├── cabf_serverauth.py │ ├── cabf_smime.py │ ├── crl.py │ ├── etsi.py │ ├── model.py │ ├── ocsp.py │ └── pkix.py ├── util.py └── validation.py ├── setup.cfg ├── setup.py └── tests ├── __init__.py ├── cabf ├── smbr │ ├── test_smime_type_determiner.py │ └── test_smime_type_guesser.py └── tlsbr │ └── test_tls_type_determiner.py ├── etsi ├── test_en_319_412_1.py ├── test_en_319_412_2.py └── test_etsi_type_determiner.py ├── integration_certificate ├── README.txt ├── __init__.py ├── etsi │ ├── evcp_pre_certificate │ │ ├── multiple_etsi_policy_oids.crttest │ │ └── prohibited_etsi_policy_oid.crttest │ ├── ncp_legal_person_certificate │ │ ├── aia_ca_issuers_missing.crttest │ │ ├── aia_ca_issuers_not_http_uri.crttest │ │ ├── aia_ocsp_missing_crldp_absent.crttest │ │ ├── aia_ocsp_missing_crldp_present.crttetst │ │ ├── aia_ocsp_not_http_uri_crldp_absent.crttest │ │ ├── bad_ecdsa_curve.crttest │ │ ├── crl_critical.crttest │ │ ├── crldp_ldap_uri_scheme.crttest │ │ ├── crldp_prohibited_uri_scheme.crttest │ │ └── extensions_field_absent.crttest │ ├── 
qevcp_w_eidas_final_certificate │ │ ├── queulimitexponent_negative_amount.crttest │ │ ├── queulimitvalue.crttest │ │ ├── queulimitvalue_invalid_currency.crttest │ │ ├── queulimitvalue_negative_amount.crttest │ │ └── queulimitvalue_not_alpha.crttest │ ├── qevcp_w_eidas_pre_certificate │ │ ├── almost_clean.crttest │ │ ├── cc_legislation_present.crttest │ │ ├── mismatched_certificate_type_policy_oid.crttest │ │ ├── missing_certificate_type_policy_identifier.crttest │ │ ├── multiple_certificate_type_policy_identifiers.crttest │ │ ├── orgname_too_long.crttest │ │ ├── pds_language_code_invalid.crttest │ │ ├── psd2_policy_oid_present.crttest │ │ ├── qc_sscd_present.crttest │ │ ├── qc_type_missing.crttest │ │ ├── qcstatements_marked_critical.crttest │ │ ├── qctype_bad_encoding.crttest │ │ └── same_orgname_and_orgid.crttest │ ├── qevcp_w_non_eidas_pre_certificate │ │ ├── country_code_bad.crttest │ │ ├── country_code_empty.crttest │ │ ├── country_code_good.crttest │ │ ├── more_than_one_qctype.crttest │ │ ├── none_qctype.crttest │ │ ├── qc_cc_legislation_missing.crttest │ │ ├── second_country_code_bad.crttest │ │ └── wrong_qctype.crttest │ ├── qevcp_w_psd2_eidas_final_certificate │ │ └── invalid_orgid_scheme.crttest │ ├── qevcp_w_psd2_eidas_non_browser_pre_certificate │ │ ├── validity_period_too_long.crttest │ │ └── validity_period_too_long_with_psd2_policy.crttest │ ├── qevcp_w_psd2_eidas_pre_certificate │ │ ├── badurl.crttest │ │ ├── iso639.crttest │ │ ├── nca_id_badiso.crttest │ │ ├── nca_id_badstructure.crttest │ │ ├── nca_id_invalidid.crttest │ │ ├── nca_name_not_latin.crttest │ │ ├── obsolete_qualified_statement.crttest │ │ ├── psp_invalid_oid.crttest │ │ ├── psp_invalid_role.crttest │ │ ├── psp_not_unspecified.crttest │ │ ├── psp_role_mismatch.crttest │ │ ├── psp_roles_empty.crttest │ │ ├── psp_roles_good.crttest │ │ ├── qc_eupds_good.crttest │ │ ├── qc_eupds_missing.crttest │ │ ├── semantics_info_nra_missing.crttest │ │ ├── semantics_info_nra_uri_missing.crttest │ │ 
├── validity_period_too_long.crttest │ │ └── validity_period_too_long_with_psd2_policy.crttest │ ├── qncp_w_gen_legal_person_eidas_final_certificate │ │ ├── bad_ecdsa_curve.crttest │ │ ├── clean.crttest │ │ ├── clean_with_wildcard_san.crttest │ │ ├── eidas_legal_person_id_too_long.crttest │ │ ├── eidas_legal_person_id_whitespace.crttest │ │ ├── eidas_natural_person_id.crttest │ │ ├── eidas_natural_person_id_invalid_serial.crttest │ │ ├── eidas_natural_person_id_valid_length_hyphen_invalid_iso.crttest │ │ ├── internal_names.crttest │ │ ├── invalid_dnsname_syntax_san.crttest │ │ ├── ip_addr_common_name_value.crttest │ │ ├── long_orgname.crttest │ │ ├── missing_san.crttest │ │ ├── no_eku.crttest │ │ ├── prohibited_criticality.crttest │ │ ├── prohibited_eku.crttest │ │ ├── prohibited_plabel_san.crttest │ │ ├── prohibited_reservered_label_san.crttest │ │ ├── prohibited_san_type.crttest │ │ ├── rsapss_bad_salt_length.crttest │ │ ├── rsapss_sig_alg.crttest │ │ ├── small_rsa_key.crttest │ │ └── unknown_common_name_value.crttest │ ├── qncp_w_gen_legal_person_eidas_pre_certificate │ │ ├── duplicate_cn.crttest │ │ ├── extkeyusage_critical.crttest │ │ ├── ian_critical.crttest │ │ ├── non_https_pds_url_scheme.crttest │ │ ├── policy_critical.crttest │ │ ├── san_critical.crttest │ │ └── unknown_country_code.crttest │ ├── qncp_w_gen_natural_person_eidas_final_certificate │ │ ├── missing_subject_cn_and_c.crttest │ │ ├── multiple_common_names_np.crttest │ │ ├── multiple_countries_np.crttest │ │ ├── natural_person.crttest │ │ ├── pseudonymn_np.crttest │ │ └── subject_name_and_pseudonym_attributes_missing.crttest │ ├── qncp_w_iv_eidas_final_certificate │ │ ├── invalid_natural_person_id_country.crttest │ │ ├── semantics_info_nra_missing.crttest │ │ └── semantics_info_nra_uri_missing.crttest │ ├── qncp_w_ov_eidas_final_certificate │ │ ├── qcretention_0_value.crttest │ │ └── qcretention_good.crttest │ └── qncp_w_ov_eidas_pre_certificate │ │ └── bad_bc_extension_encoding.crttest ├── pkix 
│ ├── bad_san_encoding.crttest │ ├── ca_no_ku.crttest │ ├── crldp_dp_is_empty.crttest │ ├── crldp_dp_reasons_not_der.crttest │ ├── cross_ca_no_aki.crttest │ ├── dilithium_ipd_root.crttest │ ├── dilithium_round3.crttest │ ├── ecdsa_self_signed_no_aki.crttest │ ├── ecdsa_with_null_sigalg_param.crttest │ ├── ed25519_bad_ku.crttest │ ├── ed25519_self_signed_root.crttest │ ├── ee_no_ku.crttest │ ├── ee_policy_mappings_present.crttest │ ├── hash_mldsa_ca.crttest │ ├── hash_mldsa_ee_bad_ku.crttest │ ├── method2_skid.crttest │ ├── mldsa44_root.crttest │ ├── mldsa_44_bad_keylength.crttest │ ├── mldsa_44_root_clean.crttest │ ├── mldsa_bad_ku.crttest │ ├── mldsa_null_param.crttest │ ├── mlkem_512_clean.crttest │ ├── mlkem_bad_ku.crttest │ ├── negative_validity_period.crttest │ ├── old_lamps_smime_example.crttest │ ├── rfc7093_method_1.crttest │ ├── rfc7093_method_2.crttest │ ├── rfc7093_method_3.crttest │ ├── rfc822name_nc_double_period.crttest │ ├── rfc822name_nc_single_period.crttest │ ├── root_bad_ku_encoding.crttest │ ├── rsa_self_signed_no_aki.crttest │ ├── san_domain_names_too_long.crttest │ ├── sct_list_empty.crttest │ ├── slhdsa_root_clean.crttest │ ├── smtputf8mailbox_ulabel_domain_part.crttest │ ├── trailing_octet_in_ku_value.crttest │ ├── unknown_key_type_cross_ca_no_aki.crttest │ ├── unknown_key_type_self_issued_no_aki.crttest │ ├── unknown_skid_method.crttest │ ├── v1_root_signed_with_md2.crttest │ └── x25519_bad_ku.crttest ├── smime_br │ ├── individual │ │ ├── legacy │ │ │ ├── common_name_only.crttest │ │ │ ├── issued_after_legacy_sunset.crttest │ │ │ ├── no_aia_extension.crttest │ │ │ ├── no_aia_issuers.crttest │ │ │ ├── no_crldp_extension.crttest │ │ │ ├── no_san.crttest │ │ │ ├── org_name.crttest │ │ │ ├── rsa_key_no_param.crttest │ │ │ ├── sha1_signature.crttest │ │ │ ├── smbr-cert-factory-individual-legacy.crttest │ │ │ ├── subject_email_not_in_san.crttest │ │ │ ├── validity_period_at_maximum.crttest │ │ │ └── validity_period_too_long.crttest │ │ ├── 
multipurpose │ │ │ ├── common_name_only.crttest │ │ │ ├── decipheronly_no_keyagreement.crttest │ │ │ ├── ecdsa_dual_use.crttest │ │ │ ├── mixed_pseudonym_and_name.crttest │ │ │ ├── rsa_dataencipherment.crttest │ │ │ ├── rsa_kus_in_ecdsa_cert.crttest │ │ │ ├── smbr-cert-factory-individual-multipurpose.crttest │ │ │ ├── validity_period_at_maximum.crttest │ │ │ └── validity_period_too_long.crttest │ │ └── strict │ │ │ ├── clientauth_eku_and_othername.crttest │ │ │ ├── insignificant_attribute_value.crttest │ │ │ ├── prohibited_lei_extensions.crttest │ │ │ ├── pseudonym_cn_case_mismatch.crttest │ │ │ ├── pseudonym_cn_match.crttest │ │ │ ├── rsa_dataencipherment.crttest │ │ │ └── smbr-cert-factory-individual-strict.crttest │ ├── mailbox │ │ ├── legacy │ │ │ └── invalid_ku_for_ecdsa.crttest │ │ ├── multipurpose │ │ │ ├── smbr-cert-factory-mailbox-multipurpose.crttest │ │ │ ├── smtputf8mailbox_only.crttest │ │ │ └── smtputf8mailbox_only_cn_mismatch.crttest │ │ └── strict │ │ │ ├── prohibited_eku_and_ku.crttest │ │ │ └── smbr-cert-factory-mailbox-strict.crttest │ ├── organization │ │ ├── multipurpose │ │ │ ├── adobe_critical_extensions.crttest │ │ │ ├── adobe_timestamp_invalid_generalname_type.crttest │ │ │ ├── bad_crldp_no_scheme.crttest │ │ │ ├── bad_lei_checksum.crttest │ │ │ ├── bad_qc_statementinfo_encoding.crttest │ │ │ ├── country_code_xx.crttest │ │ │ ├── gov_orgid_invalid_country.crttest │ │ │ ├── gov_orgid_no_country.crttest │ │ │ ├── gov_orgid_with_state.crttest │ │ │ ├── gov_orgid_with_valid_country.crttest │ │ │ ├── int_orgid_and_countryname.crttest │ │ │ ├── int_orgid_with_reference.crttest │ │ │ ├── int_with_country.crttest │ │ │ ├── int_with_xg_country.crttest │ │ │ ├── int_with_xg_country_and_state.crttest │ │ │ ├── invalid_country_code.crttest │ │ │ ├── invalid_email_address_domain_part_lengths.crttest │ │ │ ├── lei_orgid_with_no_reference.crttest │ │ │ ├── no_local_parts.crttest │ │ │ ├── ntr_orgid_with_no_reference.crttest │ │ │ ├── 
orgid_and_countryname_inconsistent.crttest │ │ │ ├── orgid_and_countryname_inconsistent_multiple_orgid_attrs.crttest │ │ │ ├── orgid_and_countryname_same_different_case.crttest │ │ │ ├── orgid_gov_has_state.crttest │ │ │ ├── orgid_has_unknown_scheme.crttest │ │ │ ├── orgid_lei_has_state.crttest │ │ │ ├── orgid_lei_has_wrong_country_code.crttest │ │ │ ├── orgid_ntr.crttest │ │ │ ├── orgid_ntr_de_correct_euid.crttest │ │ │ ├── orgid_ntr_de_has_state_province.crttest │ │ │ ├── orgid_ntr_de_invalid_euid_format.crttest │ │ │ ├── orgid_ntr_de_mismatched_country_code.crttest │ │ │ ├── orgid_ntr_eu_country_with_state.crttest │ │ │ ├── orgid_ntr_with_3letter_state.crttest │ │ │ ├── orgid_ntr_with_4letter_state.crttest │ │ │ ├── orgid_unknown_country.crttest │ │ │ ├── smbr-cert-factory-organization-multipurpose.crttest │ │ │ ├── state_present_no_country.crttest │ │ │ ├── street_address_present_state_and_locality_not_present.crttest │ │ │ ├── vat_el_org_id.crttest │ │ │ ├── vat_invalid_country.crttest │ │ │ └── vat_with_state.crttest │ │ └── strict │ │ │ ├── adobe_extensions_present.crttest │ │ │ ├── orgname_cn_case_mismatch.crttest │ │ │ ├── orgname_cn_match.crttest │ │ │ └── smbr-cert-factory-organization-strict.crttest │ └── sponsored │ │ ├── legacy │ │ └── author.crttest │ │ ├── multipurpose │ │ ├── smbr-cert-factory-sponsored-multipurpose.crttest │ │ └── trustasia_inclusion.crttest │ │ └── strict │ │ ├── multiple_reserved_policy_oids.crttest │ │ ├── prohibited_attribute_in_strict.crttest │ │ ├── san_dirname_attribute_with_email_not_in_san.crttest │ │ ├── smbr-cert-factory-sponsored-strict.crttest │ │ └── subject_attribute_with_email_not_in_san.crttest ├── test_cabf_serverauth_cert.py ├── test_cabf_smime_cert.py ├── test_etsi_cert.py ├── test_pkix_cert.py └── tls_br │ ├── dv_final_certificate │ ├── aia_dnsname_location.crttest │ ├── anypolicy_present.crttest │ ├── bad_ku_der.crttest │ ├── bad_sct_length.crttest │ ├── clean.crttest │ ├── 
cn_ipv4_addr_also_in_san_good.crttest │ ├── cn_ipv4_addr_not_in_san.crttest │ ├── critical_aki.crttest │ ├── critical_ski.crttest │ ├── crldp_dpname_name_rel_to_issuer.crttest │ ├── duplicate_aia_location_uri.crttest │ ├── dv_and_ov_policy_oids.crttest │ ├── ecdsa_keyencipherment.crttest │ ├── ecdsa_no_digsig.crttest │ ├── ee_bc_ca_set.crttest │ ├── fake_a_label_in_dnsname.crttest │ ├── internal_ip_address.crttest │ ├── invalid_torv3_checksum.crttest │ ├── issued_2026_03_15_366_day_validity.crttest │ ├── issued_2027_03_15_367_day_validity.crttest │ ├── issued_2029_03_15_366_day_validity.crttest │ ├── long_lived_no_rev_info.crttest │ ├── long_lived_no_rev_info_issued_in_2026.crttest │ ├── missing_reserved_policy_oid.crttest │ ├── no_ocsp_pointer_but_has_crldp.crttest │ ├── no_serverauth_eku.crttest │ ├── non_empty_subject_critical_san.crttest │ ├── prohibited_aia_access_method.crttest │ ├── prohibited_eku_present.crttest │ ├── r_ldh_label.crttest │ ├── rfc822name_san.crttest │ ├── rsa_missing_null_param.crttest │ ├── rsa_no_digsig.crttest │ ├── short_lived_no_rev_info_before_effective_date.crttest │ ├── short_lived_no_rev_info_issued_in_2024.crttest │ ├── short_lived_no_rev_info_issued_in_2026.crttest │ ├── tor_version4.crttest │ ├── underscore_in_dnsname.crttest │ └── unknown_eku.crttest │ ├── dv_pre_certificate │ ├── both_precert_poison_and_sct_present.crttest │ └── validity_period_397_days_one_sec.crttest │ ├── ev_final_certificate │ ├── bad_jurisc.crttest │ ├── cabf_orgid_bad_country.crttest │ ├── cabf_orgid_bad_scheme.crttest │ ├── cabf_orgid_extension_missing.crttest │ ├── cabf_orgid_invalid_state_for_scheme.crttest │ ├── dirty_pre_cleanup_ballot.crttest │ ├── ev_jurisL_present_jurisST_missing.crttest │ ├── invalid_business_category.crttest │ ├── invalid_subject_orgid_country.crttest │ ├── ip_address_present.crttest │ ├── ntr_el_org_id.crttest │ ├── onion_v2_dnsname.crttest │ ├── orgid_bad_state_format.crttest │ ├── orgid_teletex_string.crttest │ └── 
vat_el_org_id.crttest │ ├── ev_pre_certificate │ ├── aki_issuer_cert_info_present.crttest │ ├── invalid_orgid_syntax.crttest │ ├── mismatched_country_code.crttest │ ├── mismatched_registration_reference.crttest │ ├── mismatched_scheme.crttest │ ├── mismatched_state_province.crttest │ ├── mismatched_state_province_extension_absent.crttest │ ├── mismatched_state_province_subject_absent.crttest │ ├── missing_business_category_and_jurisC.crttest │ ├── no_cpsuri_qualifier.crttest │ ├── no_cpsuri_qualifier_after_ineffective_date.crttest │ ├── no_eku.crttest │ ├── onion_wildcard.crttest │ ├── subject_orgid_vat_with_state.crttest │ ├── usernotice_explicittext_present.crttest │ └── wildcard_san.crttest │ ├── external_constrained_tls_ca │ ├── nameconstraints_invalid_cidr.crttest │ └── no_nc_dirname_permitted_subtree.crttest │ ├── external_cross_ca │ ├── anyeku.crttest │ └── no_eku.crttest │ ├── external_unconstrained_ev_tls_ca │ └── cps_uri_missing │ ├── external_unconstrained_tls_ca │ ├── external_subca_with_anypolicy.crttest │ ├── nc_dnsname_non_preferred_syntax.crttest │ ├── nc_dnsname_wildcard.crttest │ ├── no_reserved_policy_oid.crttest │ └── non_reserved_oid_first_policy.crttest │ ├── internal_constrained_tls_ca │ ├── bad_onion_name.crttest │ ├── clean.crttest │ ├── clean_cannot_issue_anything.crttest │ ├── incomplete_dnsname_constraints.crttest │ └── incomplete_ipaddress_constraints.crttest │ ├── internal_cross_ca │ ├── anyeku_with_serverauth.crttest │ ├── clean.crttest │ ├── clean_anyeku.crttest │ ├── discouraged_extension.crttest │ ├── missing_required_eku.crttest │ ├── multiple_reserved_policy_oids.crttest │ ├── no_eku.crttest │ ├── prohibited_eku.crttest │ └── unknown_eku.crttest │ ├── internal_subscriber_issuing_cross_ca │ └── multiple_reserved_policy_oids.crttest │ ├── internal_unconstrained_tls_ca │ ├── aia_extension_missing.crttest │ ├── anypolicy_with_other_policy_oid.crttest │ ├── cert_policies_not_der.crttest │ ├── certificate_policies_missing.crttest │ ├── 
clean.crttest │ ├── critical_aia.crttest │ ├── discouraged_extension.crttest │ ├── missing_serverauth_eku.crttest │ ├── multiple_reserved_policy_oids.crttest │ ├── probhited_aia_access_method.crttest │ ├── prohibited_ku.crttest │ ├── rfc822name_constraints_present.crttest │ ├── rsa_modulus_too_short.crttest │ ├── subject_email_address_no_san.crttest │ └── unknown_eku.crttest │ ├── iv_final_certificate │ ├── givenname_too_long.crttest │ ├── no_extensions.crttest │ └── ou_present.crttest │ ├── iv_pre_certificate │ └── missing_surname_givenname.crttest │ ├── non_tls_ca │ ├── clean.crttest │ ├── explicittext_has_control_char.crttest │ ├── first_policy_oid_not_reserved.crttest │ ├── has_serverauth_policy_oid.crttest │ ├── nameconstraints_dirname_in_excluded_subtrees.crttest │ ├── nameconstraints_double_quote_dnsname.crttest │ ├── no_keycertsign_bit.crttest │ ├── ocspsigning_eku.crttest │ └── unknown_orgid_registration_scheme.crttest │ ├── ocsp_responder │ ├── aia_ca_issuers_present.crttest │ ├── aia_ocsp_present.crttest │ ├── bad_eku.crttest │ ├── ca.crttest │ ├── certificate_policies_present.crttest │ ├── clean.crttest │ ├── crldp_present.crttest │ ├── digsig_ku_missing.crttest │ ├── nonrepudiation_ku_present.crttest │ └── ocsp_nocheck_missing.crttest │ ├── ov_final_certificate │ ├── bad_rsa_exponent.crttest │ ├── clean.crttest │ ├── cps_uri_with_port_number.crttest │ ├── multiple_atv_in_rdn.crttest │ ├── no_state_and_locality.crttest │ ├── org_name_contains_html_chrs.crttest │ ├── reverse_attribute_order.crttest │ ├── subject_dc_value_too_long.crttest │ └── u_label_in_common_name.crttest │ ├── ov_pre_certificate │ ├── cn_ipv6_addr_also_in_san_good.crttest │ ├── cn_ipv6_addr_not_in_san.crttest │ ├── ecdsa_keyagreement.crttest │ ├── explicit_text_present.crttest │ ├── invalid_cpsuri_syntax.crttest │ ├── ku_extension_absent.crttest │ ├── ldap_aia_location.crttest │ ├── locality_contains_html_chrs.crttest │ ├── no_aia_ca_issuers.crttest │ ├── 
prohibited_printablestring_char.crttest │ ├── rdn_reverse_order.crttest │ └── validity_period_one_sec_too_long.crttest │ ├── precert_signing_ca │ ├── missing_required_eku.crttest │ └── prohibited_eku.crttest │ └── root_ca │ ├── aki_ski_not_equal.crttest │ ├── basic_constraints_not_critical.crttest │ ├── basicconstraints_pathlenconstraint_present.crttest │ ├── clean.crttest │ ├── crldp_has_crlissuer.crttest │ ├── eku_present.crttest │ ├── has_explicit_text_with_invalid_encoding.crttest │ ├── invalid_country_code.crttest │ ├── issuer_unique_id_present.crttest │ ├── missing_skid_extension.crttest │ ├── no_aki_extension.crttest │ ├── no_bc_ca_bit.crttest │ ├── no_ku_extension.crttest │ ├── no_subject_org_name.crttest │ ├── not_self_issued.crttest │ ├── rsa_exponent_not_in_recommended_range.crttest │ ├── subject_unique_id_present.crttest │ ├── teletex_attribute.crttest │ ├── validity_period_no_seconds.crttest │ ├── validity_period_too_long.crttest │ ├── validity_period_too_short.crttest │ └── validity_period_wrong_useful_type.crttest ├── integration_crl ├── __init__.py ├── cabf │ └── arl │ │ └── unspecified_reason_code.crltest ├── pkix │ └── crl │ │ ├── bad_idp_uri.crltest │ │ └── negative_validity_period.crltest ├── test_cabf_arl.py └── test_pkix_crl.py ├── integration_test_common.py ├── pkix ├── certificate │ ├── test_certificate_properties.py │ ├── test_certificate_transparency.py │ ├── test_extension.py │ └── test_serial_number.py ├── crl │ ├── test_crl_properties.py │ └── test_pkix_crl.py └── test_time.py ├── test_cli_smoke.py ├── test_finding_metadata_csv_smoke.py ├── test_loader.py ├── test_report.py ├── test_server.py ├── test_validation_report.py └── util.py /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020-2025 DigiCert, Inc. 
4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /VERSION.txt: -------------------------------------------------------------------------------- 1 | 0.12.11 -------------------------------------------------------------------------------- /docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.13-slim 2 | 3 | LABEL authors="DigiCert, Inc." 
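ARG WHEELFILE

WORKDIR /usr/src/app

COPY dist/$WHEELFILE ./

# NOTE(review): uvicorn and gunicorn are installed without version pins or
# hashes, so the image contents depend on what the package index serves at
# build time.
RUN pip install --no-cache-dir "$WHEELFILE[rest]" uvicorn gunicorn

RUN rm $WHEELFILE

COPY entrypoint.py ./

# NOTE(review): this Dockerfile has no USER instruction, so the entrypoint runs
# as root unless the container runtime overrides the user.
ENTRYPOINT ["python", "entrypoint.py"]

--------------------------------------------------------------------------------
/docker/cosign_public_key.pem:
--------------------------------------------------------------------------------
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhOqVwQczkXH/AVUzwdG6XUKdKgn0
c5I1YiBb6FKurgQoj7cfCASQea5fgLoKoGKDOSieK4ucECR9GVMlE3FxHA==
-----END PUBLIC KEY-----

--------------------------------------------------------------------------------
/docker/entrypoint.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

import sys
import os
import importlib


def main():
    """Dispatch the container's first argument to a pkilint linter or a program.

    ``sys.argv[1]`` is first tried as a module named ``pkilint.bin.<cmd>`` that
    exposes ``main``. If no such linter exists, the process is replaced by the
    program of that name found on PATH (``os.execvp``), with the remaining
    arguments passed through unchanged.

    Returns:
        1 when no command was given, otherwise whatever the linter's ``main``
        returns. The exec fallback does not return on success.

    Raises:
        ImportError: if the linter module exists but one of its own imports
            fails.
    """
    if len(sys.argv) < 2:
        print("Executable not specified", file=sys.stderr)

        return 1

    cmd = sys.argv[1]
    args = sys.argv[2:]

    main_func = None

    # cmd is spliced into a dotted module path, so only a plain identifier is
    # ever handed to the import system. Anything containing dots or path
    # separators cannot name a module directly under pkilint.bin and goes
    # straight to the exec fallback.
    if cmd.isidentifier():
        module_name = f"pkilint.bin.{cmd}"

        try:
            module = importlib.import_module(module_name)
        except ModuleNotFoundError as e:
            # Fall back only when the linter module itself is absent. A failed
            # import inside an existing linter is a real error and must not be
            # masked by an attempt to exec a program with the linter's name.
            if e.name != module_name:
                raise
        else:
            main_func = getattr(module, "main", None)

    if main_func is None:
        # Deliberate fallback: lets the image run other installed programs
        # (the Dockerfile installs uvicorn and gunicorn next to pkilint).
        os.execvp(cmd, [cmd] + args)

    return main_func(args)


if __name__ == "__main__":
    sys.exit(main())

--------------------------------------------------------------------------------
/pkilint/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/digicert/pkilint/914a02f4fec51d751ac0f9d63fdfd590615610f6/pkilint/__init__.py
--------------------------------------------------------------------------------
/pkilint/adobe/__init__.py:
--------------------------------------------------------------------------------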
https://raw.githubusercontent.com/digicert/pkilint/914a02f4fec51d751ac0f9d63fdfd590615610f6/pkilint/adobe/__init__.py
--------------------------------------------------------------------------------
/pkilint/adobe/adobe_validator.py:
--------------------------------------------------------------------------------
from pkilint import validation
from pkilint.adobe import asn1


class AdobeTimestampValidator(validation.Validator):
    """Check that an Adobe timestamp extension points at a URI location.

    Registered for ``asn1.AdobeTimestamp`` PDUs; reports
    ``adbe.invalid_timestamp_location_type`` at ERROR severity when the
    ``location`` GeneralName is any alternative other than
    ``uniformResourceIdentifier``.
    """

    VALIDATION_INVALID_GENERALNAME_TYPE = validation.ValidationFinding(
        validation.ValidationFindingSeverity.ERROR,
        "adbe.invalid_timestamp_location_type",
    )

    def __init__(self):
        super().__init__(
            validations=[self.VALIDATION_INVALID_GENERALNAME_TYPE],
            pdu_class=asn1.AdobeTimestamp,
        )

    def validate(self, node):
        """Raise a finding unless the location is a uniformResourceIdentifier.

        Only the type of the GeneralName is checked here; the URI value itself
        is not inspected by this validator.
        """
        # `child` is unpacked as a (name, node) pair for the chosen alternative.
        location_type, _ = node.children["location"].child

        if location_type == "uniformResourceIdentifier":
            return

        raise validation.ValidationFindingEncountered(
            self.VALIDATION_INVALID_GENERALNAME_TYPE,
            f"Invalid Adobe timestamp location type: {location_type}",
        )

--------------------------------------------------------------------------------
/pkilint/adobe/asn1/__init__.py:
--------------------------------------------------------------------------------
from pyasn1.type import univ, namedtype, namedval
from pyasn1_alt_modules import rfc5280


# Arc under which both Adobe X.509 extension OIDs below are allocated.
_ADOBE_X509_OID_ARC = univ.ObjectIdentifier("1.2.840.113583.1.1.9")


id_adobe_timestamp = univ.ObjectIdentifier(_ADOBE_X509_OID_ARC.asTuple() + (1,))


class AdobeExtensionVersion(univ.Integer):
    """Version field shared by the Adobe extension structures."""


# NOTE(review): pyasn1's univ.Integer takes its symbolic names from
# `namedValues`; `componentType` is the attribute used by constructed types, so
# this assignment probably does not register "v1" as a named value. Confirm the
# intent before changing it, since it would alter how the value is printed.
AdobeExtensionVersion.componentType = namedval.NamedValues(
    ("v1", 1),
)


class AdobeTimestamp(univ.Sequence):
    """Adobe timestamp extension: version, location and optional requiresAuth."""


AdobeTimestamp.componentType = namedtype.NamedTypes(
    namedtype.NamedType("version", AdobeExtensionVersion()),
    namedtype.NamedType("location", rfc5280.GeneralName()),
    # requiresAuth defaults to FALSE when it is absent from the encoding.
    namedtype.DefaultedNamedType("requiresAuth", univ.Boolean().subtype(value=False)),
)


id_adobe_archiverevinfo = univ.ObjectIdentifier(_ADOBE_X509_OID_ARC.asTuple() + (2,))


class AdobeArchiveRevInfo(univ.Sequence):
    """Adobe archive revocation info extension; carries only a version."""


AdobeArchiveRevInfo.componentType = namedtype.NamedTypes(
    namedtype.NamedType("version", AdobeExtensionVersion())
)


# Extension OID -> prototype object for that extension's value.
EXTENSION_MAPPINGS = {
    id_adobe_timestamp: AdobeTimestamp(),
    id_adobe_archiverevinfo: AdobeArchiveRevInfo(),
}

--------------------------------------------------------------------------------
/pkilint/bin/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/digicert/pkilint/914a02f4fec51d751ac0f9d63fdfd590615610f6/pkilint/bin/__init__.py
--------------------------------------------------------------------------------
/pkilint/bin/lint_ocsp_response.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

import argparse
import sys

from pkilint import pkix
from pkilint import cli_util, loader, report
from pkilint.pkix import extension, name, ocsp


def main(cli_args=None) -> int:
    """Run the RFC 6960 OCSP response linter command line.

    Two subcommands are defined: ``validations`` prints the validations the
    linter performs, and ``lint`` loads the given file and prints the findings.

    Args:
        cli_args: argument list handed to argparse; None makes argparse read
            ``sys.argv``.

    Returns:
        0 for ``validations``; 1 when the response cannot be loaded; otherwise
        the finding count at the selected severity passed through
        ``cli_util.clamp_exit_code``.
    """
    parser = argparse.ArgumentParser(description="RFC 6960 OCSP Response Linter")

    subparsers = parser.add_subparsers(dest="command", required=True)
    subparsers.add_parser(
        "validations", help="Output the set of validations which this linter performs"
    )

    lint_parser = subparsers.add_parser("lint", help="Lint the specified OCSP response")
    # presumably defines the document_format, format and severity options that
    # are read from `args` below -- confirm in cli_util
    cli_util.add_standard_args(lint_parser)

    lint_parser.add_argument(
        "file", type=argparse.FileType("rb"), help="The OCSP response to lint"
    )

    args = parser.parse_args(cli_args)

    decoders = [
        ocsp.create_response_decoder(),
        pkix.create_attribute_decoder(name.ATTRIBUTE_TYPE_MAPPINGS),
        pkix.create_extension_decoder(extension.EXTENSION_MAPPINGS),
    ]
    doc_validator = ocsp.create_pkix_ocsp_response_validator_container(decoders, [])

    if args.command == "validations":
        print(report.report_included_validations(doc_validator))

        return 0

    try:
        ocsp_response = loader.RFC6960OCSPResponseDocumentLoader().get_file_loader_func(
            args.document_format
        )(args.file, args.file.name)
    except ValueError as e:
        # NOTE(review): this 1 shares the exit status with the findings count
        # returned below, so a caller gating on the status may not be able to
        # tell a load failure from a lint result.
        print(f"Failed to load OCSP response: {e}", file=sys.stderr)
        return 1

    results = doc_validator.validate(ocsp_response.root)

    print(args.format(results, args.severity))

    finding_count = report.get_findings_count(results, args.severity)

    return cli_util.clamp_exit_code(finding_count)


if __name__ == "__main__":
    sys.exit(main())

--------------------------------------------------------------------------------
/pkilint/bin/lint_pkix_cert.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

import argparse
import sys

from pkilint import loader
from pkilint import report, cli_util
from pkilint.pkix import certificate, name, extension


def main(cli_args=None) -> int:
    """Run the RFC 5280 certificate linter command line.

    Two subcommands are defined: ``validations`` prints the validations the
    linter performs, and ``lint`` loads the given file and prints the findings.

    Args:
        cli_args: argument list handed to argparse; None makes argparse read
            ``sys.argv``.

    Returns:
        0 for ``validations``; 1 when the certificate cannot be loaded;
        otherwise the finding count at the selected severity passed through
        ``cli_util.clamp_exit_code``.
    """
    parser = argparse.ArgumentParser(description="RFC 5280 Certificate Linter")

    subparsers = parser.add_subparsers(dest="command", required=True)
    subparsers.add_parser(
        "validations", help="Output the set of validations which this linter performs"
    )

    lint_parser = subparsers.add_parser("lint", help="Lint the specified certificate")
    # presumably defines the document_format, format and severity options that
    # are read from `args` below -- confirm in cli_util
    cli_util.add_standard_args(lint_parser)

    lint_parser.add_argument(
        "file", type=argparse.FileType("rb"), help="The certificate to lint"
    )

    args = parser.parse_args(cli_args)

    decoding_validators = certificate.create_decoding_validators(
        name.ATTRIBUTE_TYPE_MAPPINGS, extension.EXTENSION_MAPPINGS
    )
    # One container per part of the certificate; each is created with an empty
    # list of extra validators where the factory accepts one.
    field_validators = [
        certificate.create_issuer_validator_container([]),
        certificate.create_validity_validator_container(),
        certificate.create_subject_validator_container([]),
        certificate.create_extensions_validator_container([]),
        certificate.create_spki_validator_container([]),
    ]
    doc_validator = certificate.create_pkix_certificate_validator_container(
        decoding_validators, field_validators
    )

    if args.command == "validations":
        print(report.report_included_validations(doc_validator))

        return 0

    try:
        cert = loader.RFC5280CertificateDocumentLoader().get_file_loader_func(
            args.document_format
        )(args.file, args.file.name)
    except ValueError as e:
        # NOTE(review): this 1 shares the exit status with the findings count
        # returned below, so a caller gating on the status may not be able to
        # tell a load failure from a lint result.
        print(f"Failed to load certificate: {e}", file=sys.stderr)
        return 1

    results = doc_validator.validate(cert.root)

    print(args.format(results, args.severity))

    finding_count = report.get_findings_count(results, args.severity)

    return cli_util.clamp_exit_code(finding_count)


if __name__ == "__main__":
    sys.exit(main())

--------------------------------------------------------------------------------
/pkilint/cabf/__init__.py:
--------------------------------------------------------------------------------
from pyasn1_alt_modules import rfc3739, rfc2985

from pkilint.cabf.asn1 import ev_guidelines as ev_guidelines_asn1
from pkilint.itu import x520_name
from pkilint.pkix import extension, name

# Merged attribute-type table. With dict unpacking a key that appears in more
# than one source takes its value from the mapping listed last.
NAME_ATTRIBUTE_MAPPINGS = {
    **rfc2985._certificateAttributesMapUpdate,
    **x520_name.ATTRIBUTE_TYPE_MAPPINGS,
    **name.ATTRIBUTE_TYPE_MAPPINGS,
    **ev_guidelines_asn1.ATTRIBUTE_TYPE_MAPPINGS,
}

# Merged extension table; the same last-one-wins rule applies.
EXTENSION_MAPPINGS = {
    **extension.EXTENSION_MAPPINGS,
    **ev_guidelines_asn1.EXTENSION_MAPPINGS,
    **rfc3739.certificateExtensionsMap,
}

--------------------------------------------------------------------------------
/pkilint/cabf/asn1/__init__.py:
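--------------------------------------------------------------------------------
https://raw.githubusercontent.com/digicert/pkilint/914a02f4fec51d751ac0f9d63fdfd590615610f6/pkilint/cabf/asn1/__init__.py
--------------------------------------------------------------------------------
/pkilint/cabf/asn1/ev_guidelines.asn1:
--------------------------------------------------------------------------------
EVGExtensions

DEFINITIONS ::=

BEGIN

-- EXPORTS ALL -

id-CABFOrganizationIdentifier OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) inter-national-organizations(23) ca-browser-forum(140) certificate-extensions(3) cabf-organizationIdentifier(1) }

CABFOrganizationIdentifier ::= SEQUENCE {
    registrationSchemeIdentifier PrintableString (SIZE(3)),
    registrationCountry PrintableString (SIZE(2)),
    registrationStateOrProvince [0] IMPLICIT PrintableString (SIZE(0..128)) OPTIONAL,
    registrationReference UTF8String
}

END
--------------------------------------------------------------------------------
/pkilint/cabf/cabf_crl.py:
--------------------------------------------------------------------------------
import operator
from datetime import timedelta

from pyasn1_alt_modules import rfc5280

from pkilint import validation
from pkilint.pkix import crl, time
from pkilint.pkix.crl import crl_extension


def create_validity_period_validator(crl_type: crl.CertificateRevocationListType):
    """Build the validator for the thisUpdate..nextUpdate period of a CRL or ARL.

    The limit is 10 days when ``crl_type`` is ``CRL`` and 365 days for any
    other type; each case reports its own ERROR finding code.

    :param crl_type: the kind of revocation list being linted.
    :return: a ``time.ValidityPeriodThresholdsValidator`` anchored at
        ``certificateList.tbsCertList.thisUpdate``.
    """
    if crl_type == crl.CertificateRevocationListType.CRL:
        max_validity_days = 10
        finding = "cabf.crl_invalid_validity_period"
    else:
        max_validity_days = 365  # TODO: handle leap years?
        finding = "cabf.arl_invalid_validity_period"

    # One (comparison, limit, finding) entry. Presumably the finding is raised
    # when the period fails ``period <= limit`` -- confirm in
    # ValidityPeriodThresholdsValidator.
    thresholds = [
        (
            operator.le,
            timedelta(days=max_validity_days),
            validation.ValidationFinding(
                validation.ValidationFindingSeverity.ERROR, finding
            ),
        )
    ]

    return time.ValidityPeriodThresholdsValidator(
        path="certificateList.tbsCertList.thisUpdate",
        # nextUpdate is looked up relative to the thisUpdate node.
        end_validity_node_retriever=lambda n: n.navigate("^.nextUpdate"),
        validity_period_thresholds=thresholds,
    )


class CabfCrlReasonCodeAllowlistValidator(
    crl_extension.CrlReasonCodeAllowlistValidator
):
    """Restrict CRL entry reason codes to a fixed allowlist.

    Five reason codes are always allowed; ``cACompromise`` is added only when
    the list being linted is an ARL.
    """

    VALIDATION_PROHIBITED_CRL_REASON_CODE = validation.ValidationFinding(
        validation.ValidationFindingSeverity.ERROR, "cabf.crl_prohibited_reason_code"
    )

    def __init__(self, crl_type: crl.CertificateRevocationListType):
        """Assemble the allowlist for ``crl_type`` and pass it to the base class."""
        allowed_reasons = [
            rfc5280.CRLReason.namedValues[r]
            for r in [
                "keyCompromise",
                "affiliationChanged",
                "superseded",
                "cessationOfOperation",
                "privilegeWithdrawn",
            ]
        ]

        if crl_type == crl.CertificateRevocationListType.ARL:
            allowed_reasons.append(rfc5280.CRLReason.namedValues["cACompromise"])

        super().__init__(allowed_reasons, self.VALIDATION_PROHIBITED_CRL_REASON_CODE)
--------------------------------------------------------------------------------
/pkilint/cabf/serverauth/serverauth_finding_filter.py:
--------------------------------------------------------------------------------
from pkilint import finding_filter
from pkilint.pkix import general_name
from pkilint.pkix.certificate import certificate_extension

# Each class below binds one PKIX finding to a ValidationFindingFilter.
# NOTE(review): presumably the bound finding is dropped from the serverauth
# linter's output -- confirm in finding_filter, since a filter decides which
# PKIX findings users of this linter never see.


class NameConstraintsCriticalityFilter(finding_filter.ValidationFindingFilter):
    """Filter bound to the PKIX "name constraints not critical" finding."""

    def __init__(self):
        super().__init__(
            certificate_extension.NameConstraintsCriticalityValidator.VALIDATION_NC_NOT_CRITICAL
        )


class DnsNameGeneralNamePreferredNameSyntaxFilter(
    finding_filter.ValidationFindingFilter
):
    """Filter bound to the PKIX "dNSName not in preferred name syntax" finding."""

    def __init__(self):
        super().__init__(
            general_name.GeneralNameDnsNameSyntaxValidator.VALIDATION_NOT_PREFERRED_NAME_SYNTAX
        )


class EndEntitySubjectKeyIdentifierMissingFilter(
    finding_filter.ValidationFindingFilter
):
    """Filter bound to the PKIX "end-entity SKID missing" finding."""

    def __init__(self):
        super().__init__(
            certificate_extension.SubjectKeyIdentifierPresenceValidator.VALIDATION_EE_SKID_MISSING
        )


class PolicyQualifierPresentFilter(finding_filter.ValidationFindingFilter):
    """Filter bound to the PKIX "policy has qualifier" finding."""

    def __init__(self):
        super().__init__(
            certificate_extension.CertificatePolicyQualifierValidator.VALIDATION_POLICY_HAS_QUALIFIER
        )
--------------------------------------------------------------------------------
/pkilint/cabf/smime/smime_constants.py:
--------------------------------------------------------------------------------
import enum
import math
import sys

from pyasn1.type.univ import ObjectIdentifier


BR_VERSION = "1.0.9"


# Every S/MIME policy OID defined in this module is built under this arc.
CABF_SMIME_OID_ARC = ObjectIdentifier("2.23.140.1.5")


@enum.unique
class ValidationLevel(enum.IntEnum):
    """Validation levels as single-bit flags (1, 2, 4, 8).

    The OID arc component of a level is ``log2(value) + 1``, i.e. 1 through 4.
    """

    MAILBOX = 1
    ORGANIZATION = 2
    SPONSORED = 4
    INDIVIDUAL = 8

    def __str__(self):
        return self.name


# Publish CABF_SMIME_<LEVEL>_OID_ARC as module attributes. A plain loop is
# used because the work is a side effect; the loop variable is deleted further
# down so that it does not become part of the module namespace.
for _level in ValidationLevel:
    setattr(
        sys.modules[__name__],
        f"CABF_SMIME_{_level.name}_OID_ARC",
        CABF_SMIME_OID_ARC + (int(math.log2(_level)) + 1,),
    )


@enum.unique
class Generation(enum.IntEnum):
    """Profile generations as single-bit flags starting at bit 8.

    The OID arc component of a generation is ``log2(value >> 8) + 1``,
    i.e. 1 for LEGACY, 2 for MULTIPURPOSE and 3 for STRICT.
    """

    LEGACY = 1 << 8
    MULTIPURPOSE = 1 << 9
    STRICT = 1 << 10

    def __str__(self):
        return self.name


def _define_oids(validation_level):
    """Publish CABF_SMIME_<LEVEL>_<GENERATION>_OID for every generation."""
    for g in Generation:
        setattr(
            sys.modules[__name__],
            f"CABF_SMIME_{validation_level.name}_{g.name}_OID",
            CABF_SMIME_OID_ARC
            + (
                int(math.log2(validation_level)) + 1,
                int(math.log2(g >> 8)) + 1,
            ),
        )


for _level in ValidationLevel:
    _define_oids(_level)

del _level


def get_policy_oid(validation_level, generation):
    """Return the policy OID for a validation level and generation pair.

    Both arguments are treated as single-bit flag values; the result is
    ``CABF_SMIME_OID_ARC`` followed by the two arc components computed the
    same way as for the module-level constants.
    """
    return CABF_SMIME_OID_ARC + (
        int(math.log2(validation_level)) + 1,
        int(math.log2(generation >> 8)) + 1,
    )
--------------------------------------------------------------------------------
/pkilint/cabf/smime/smime_validity.py:
--------------------------------------------------------------------------------
import datetime

from pyasn1_alt_modules import rfc5280

from pkilint import validation, document


class LegacyGenerationSunsetValidator(validation.Validator):
    """
    SMBR, section 7.1.6.1:
    Effective July 15, 2025 S/MIME Subscriber Certificates SHALL NOT be issued using the Legacy Generation profiles
    2.23.140.1.5.1.1, 2.23.140.1.5.2.1, 2.23.140.1.5.3.1, or 2.23.140.1.5.4.1.

    This class does not inspect the policy OID itself; it reports every
    document whose validity period starts on or after the sunset date.
    Presumably callers attach it only to Legacy Generation profiles -- confirm
    at the call site.
    """

    VALIDATION_LEGACY_GENERATION_CERTIFICATE_ISSUED_AFTER_PROHIBITION = (
        validation.ValidationFinding(
            validation.ValidationFindingSeverity.ERROR,
            "cabf.smime.legacy_generation_certificate_issued_after_prohibition",
        )
    )

    # Midnight UTC at the start of 15 July 2025; the comparison below is inclusive.
    _LEGACY_GENERATION_SUNSET_DATE = datetime.datetime(
        2025, 7, 15, 0, 0, 0, tzinfo=datetime.timezone.utc
    )

    def __init__(
        self, validity_period_start_retriever: document.ValidityPeriodStartRetriever
    ):
        """Store the retriever used to obtain the start of the validity period."""
        super().__init__(
            validations=[
                self.VALIDATION_LEGACY_GENERATION_CERTIFICATE_ISSUED_AFTER_PROHIBITION
            ],
            pdu_class=rfc5280.Validity,
        )

        self._validity_period_start_retriever = validity_period_start_retriever

    def validate(self, node):
        """Raise the finding when the validity start is at or after the sunset date.

        The start of the validity period stands in for the issuance time; the
        retriever is assumed to return a timezone-aware datetime, because the
        sunset constant is timezone-aware.
        """
        if (
            self._validity_period_start_retriever(node.document)
            >= self._LEGACY_GENERATION_SUNSET_DATE
        ):
            raise validation.ValidationFindingEncountered(
                self.VALIDATION_LEGACY_GENERATION_CERTIFICATE_ISSUED_AFTER_PROHIBITION
            )
--------------------------------------------------------------------------------
/pkilint/etsi/asn1/__init__.py: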
--------------------------------------------------------------------------------
from pyasn1_alt_modules import rfc3739

from pkilint import document
from pkilint.etsi.asn1 import en_319_412_5, ts_119_495, en_319_411_2

# QC statement OID -> ASN.1 type instance used for that statement.
# Two entries map to VALUE_NODE_ABSENT instead of a type; presumably that marks
# statements that carry no value -- confirm in document.ValueDecoder.
ETSI_QC_STATEMENTS_MAPPINGS = {
    en_319_412_5.id_etsi_qcs_QcCompliance: document.ValueDecoder.VALUE_NODE_ABSENT,
    en_319_412_5.id_etsi_qcs_QcLimitValue: en_319_412_5.QcEuLimitValue(),
    en_319_412_5.id_etsi_qcs_QcRetentionPeriod: en_319_412_5.QcEuRetentionPeriod(),
    en_319_412_5.id_etsi_qcs_QcSSCD: document.ValueDecoder.VALUE_NODE_ABSENT,
    en_319_412_5.id_etsi_qcs_QcPDS: en_319_412_5.QcEuPDS(),
    en_319_412_5.id_etsi_qcs_QcType: en_319_412_5.QcType(),
    en_319_412_5.id_etsi_qcs_QcCClegislation: en_319_412_5.QcCClegislation(),
    ts_119_495.id_etsi_psd2_qcStatement: ts_119_495.PSD2QcType(),
    # Both RFC 3739 syntax versions share SemanticsInformation, wrapped as optional.
    rfc3739.id_qcs_pkixQCSyntax_v1: document.OptionalAsn1TypeWrapper(
        rfc3739.SemanticsInformation()
    ),
    rfc3739.id_qcs_pkixQCSyntax_v2: document.OptionalAsn1TypeWrapper(
        rfc3739.SemanticsInformation()
    ),
}
--------------------------------------------------------------------------------
/pkilint/etsi/asn1/en_319_411_1.py:
--------------------------------------------------------------------------------
from pyasn1.type import univ


# Base arc for the certificate policy OIDs defined in this file.
_ARC = univ.ObjectIdentifier("0.4.0.2042.1")

id_ncp = _ARC + (1,)

id_ncp_plus = _ARC + (2,)

id_lcp = _ARC + (3,)

id_evcp = _ARC + (4,)

# Arc component 5 is not defined in this file.
id_dvcp = _ARC + (6,)

id_ovcp = _ARC + (7,)

id_ivcp = _ARC + (8,)

# Set of every policy OID defined above.
POLICY_OIDS = {
    id_ncp,
    id_ncp_plus,
    id_lcp,
    id_evcp,
    id_dvcp,
    id_ovcp,
    id_ivcp,
}
--------------------------------------------------------------------------------
/pkilint/etsi/asn1/en_319_411_2.py:
--------------------------------------------------------------------------------
from pyasn1.type.univ import ObjectIdentifier
# Base arc for the qualified certificate policy OIDs defined in this file.
_ARC = ObjectIdentifier("0.4.0.194112.1")


id_qcp_natural = _ARC + (0,)

id_qcp_legal = _ARC + (1,)

id_qcp_natural_qscd = _ARC + (2,)

id_qcp_legal_qscd = _ARC + (3,)

id_qcp_web = _ARC + (4,)

id_qncp_web = _ARC + (5,)

id_qncp_web_gen = _ARC + (6,)

# Set of every policy OID defined above.
QUALIFIED_POLICY_OIDS = {
    id_qcp_natural,
    id_qcp_legal,
    id_qcp_natural_qscd,
    id_qcp_legal_qscd,
    id_qcp_web,
    id_qncp_web,
    id_qncp_web_gen,
}
--------------------------------------------------------------------------------
/pkilint/etsi/asn1/en_319_412_1.py:
--------------------------------------------------------------------------------
from pyasn1.type import univ


def _OID(*components):
    """Build an ObjectIdentifier from a mix of OIDs and integer-like arcs.

    An ``ObjectIdentifier`` argument contributes all of its arcs; any other
    argument is converted with ``int`` and contributes a single arc.
    """
    arcs = []
    for component in components:
        if isinstance(component, univ.ObjectIdentifier):
            arcs.extend(component)
        else:
            arcs.append(int(component))

    return univ.ObjectIdentifier(arcs)


_ID_ETSI_ARC = _OID(0, 4, 0, 194121)


id_etsi_qcs_semantics_identifiers = _OID(_ID_ETSI_ARC, 1)


id_etsi_qcs_semanticsId_Natural = _OID(id_etsi_qcs_semantics_identifiers, 1)


id_etsi_qcs_SemanticsId_Legal = _OID(id_etsi_qcs_semantics_identifiers, 2)


id_etsi_qcs_semanticsId_eIDASNatural = _OID(id_etsi_qcs_semantics_identifiers, 3)


id_etsi_qcs_SemanticsId_eIDASLegal = _OID(id_etsi_qcs_semantics_identifiers, 4)


id_etsi_ext = _OID(_ID_ETSI_ARC, 2)


id_etsi_ext_valassured_ST_certs = _OID(id_etsi_ext, 1)


# The single extension defined here is mapped to an ASN.1 NULL value type.
EXTENSION_MAPPINGS = {
    id_etsi_ext_valassured_ST_certs: univ.Null(),
}
--------------------------------------------------------------------------------
/pkilint/etsi/asn1/ts_119_495.py:
--------------------------------------------------------------------------------
# Auto-generated by asn1ate v.0.6.0 from ts_119_495.asn1
# (last modified on 2023-03-15 09:20:01.431627)
# The code in this file is generated and is therefore left as emitted.

from pyasn1.type import univ, char, namedtype, constraint


def _OID(*components):
    output = []
    for x in tuple(components):
        if isinstance(x, univ.ObjectIdentifier):
            output.extend(list(x))
        else:
            output.append(int(x))

    return univ.ObjectIdentifier(output)


class NCAId(char.UTF8String):
    pass


NCAId.subtypeSpec = constraint.ValueSizeConstraint(1, 256)


class NCAName(char.UTF8String):
    pass


NCAName.subtypeSpec = constraint.ValueSizeConstraint(1, 256)


class RoleOfPspOid(univ.ObjectIdentifier):
    pass


class RoleOfPspName(char.UTF8String):
    pass


RoleOfPspName.subtypeSpec = constraint.ValueSizeConstraint(1, 256)


class RoleOfPSP(univ.Sequence):
    pass


RoleOfPSP.componentType = namedtype.NamedTypes(
    namedtype.NamedType("roleOfPspOid", RoleOfPspOid()),
    namedtype.NamedType("roleOfPspName", RoleOfPspName()),
)


class RolesOfPSP(univ.SequenceOf):
    pass


RolesOfPSP.componentType = RoleOfPSP()


class PSD2QcType(univ.Sequence):
    pass


PSD2QcType.componentType = namedtype.NamedTypes(
    namedtype.NamedType("rolesOfPSP", RolesOfPSP()),
    namedtype.NamedType("nCAName", NCAName()),
    namedtype.NamedType("nCAId", NCAId()),
)


etsi_psd2_policy = _OID(0, 4, 0, 19495, 3)


etsi_psd2_roles = _OID(0, 4, 0, 19495, 1)


id_etsi_psd2_qcStatement = _OID(0, 4, 0, 19495, 2)


id_psd2_role_psp_ai = _OID(0, 4, 0, 19495, 1, 3)


id_psd2_role_psp_as = _OID(0, 4, 0, 19495, 1, 1)


id_psd2_role_psp_ic = _OID(0, 4, 0, 19495, 1, 4)


id_psd2_role_psp_pi = _OID(0, 4, 0, 19495, 1, 2)


id_psd2_role_psp_unspecified = _OID(0, 4, 0, 19495, 1, 0)


qcp_web_psd2 = _OID(0, 4, 0, 19495, 3, 1)
--------------------------------------------------------------------------------
/pkilint/etsi/etsi_finding_filter.py:
--------------------------------------------------------------------------------
from pkilint import finding_filter
from pkilint.cabf.serverauth import serverauth_subscriber
from pkilint.etsi.asn1 import ts_119_495 as ts_119_495_asn1


class Psd2CabfServerauthValidityPeriodFilter(finding_filter.FindingDescriptionFilter):
    """Treat the serverauth 397/398-day validity findings specially for PSD2.

    NOTE(review): the decision depends only on a policy OID asserted inside
    the certificate being linted. Presumably a ``False`` return drops the
    finding -- confirm in finding_filter.FindingDescriptionFilter.
    """

    _TARGET_VALIDATIONS = {
        serverauth_subscriber.SubscriberValidityPeriodValidator.VALIDATION_VALIDITY_PERIOD_EXCEEDS_397_DAYS,
        serverauth_subscriber.SubscriberValidityPeriodValidator.VALIDATION_VALIDITY_PERIOD_EXCEEDS_398_DAYS,
    }

    def filter(self, result, finding_description):
        """Return False only for a targeted finding on a qcp-web-psd2 document."""
        if finding_description.finding not in self._TARGET_VALIDATIONS:
            return True

        # OVR-6.1-3: TSPs issuing certificates for EU PSD2 may use the following policy identifier to augment the
        # policy requirements associated with policy identifier QEVCP-w or QNCP-w as specified in
        # ETSI EN 319 411-2 [5] giving precedence to the requirements defined in the present document.
        document_policy_oids = result.node.document.policy_oids
        return ts_119_495_asn1.qcp_web_psd2 not in document_policy_oids
--------------------------------------------------------------------------------
/pkilint/etsi/finding_metadata.csv:
--------------------------------------------------------------------------------
severity,code,description
--------------------------------------------------------------------------------
/pkilint/iso/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/digicert/pkilint/914a02f4fec51d751ac0f9d63fdfd590615610f6/pkilint/iso/__init__.py
--------------------------------------------------------------------------------
/pkilint/itu/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/digicert/pkilint/914a02f4fec51d751ac0f9d63fdfd590615610f6/pkilint/itu/__init__.py
--------------------------------------------------------------------------------
/pkilint/itu/asn1_util.py:
--------------------------------------------------------------------------------
from typing import Optional

from pyasn1.type import univ

from pkilint import document


def get_string_value_from_attribute_node(node: document.PDUNode) -> Optional[str]:
    """Return the attribute's value as a string, or None when it is not decoded.

    :param node: an attribute node that has a ``value`` child.
    :return: ``str`` of the innermost PDU, or ``None`` when reading the child
        of the ``value`` node raises ``ValueError``.
    """
    value_node = node.children["value"]

    try:
        _, decoded_node = value_node.child
    except ValueError:
        # attribute value has not been decoded
        return None

    # A DirectoryString is a CHOICE, so step into the chosen alternative.
    if isinstance(decoded_node.pdu, univ.Choice):
        _, decoded_node = decoded_node.child

    return str(decoded_node.pdu)
--------------------------------------------------------------------------------
/pkilint/itu/bitstring.py:
--------------------------------------------------------------------------------
def has_named_bit(node, bit_name):
    """Tell whether the named bit is present and set in the node's bit string.

    A bit string too short to contain the named position counts as not set.
    """
    position = node.pdu.namedValues[bit_name]
    if len(node.pdu) <= position:
        return False

    return node.pdu[position] != 0


def get_asserted_bit_set(node):
    """Return the names of all named bits that are set, as a set of strings."""
    asserted = set()
    for named_bit in node.pdu.namedValues:
        bit_name = str(named_bit)
        if has_named_bit(node, bit_name):
            asserted.add(bit_name)

    return asserted
--------------------------------------------------------------------------------
/pkilint/itu/x520_name_unbounded.py:
--------------------------------------------------------------------------------
from pyasn1.type import namedtype, constraint, char
from pyasn1_alt_modules import rfc5280

MAX = float("inf")


def _create_unbounded_directory_string_namedtypes():
    """Build DirectoryString alternatives with a minimum size of 1 and no maximum.

    NOTE(review): presumably this lets over-long values decode so that a
    validator can report the length instead of the decoder rejecting the
    document -- confirm where these types are used.
    """
    alternatives = (
        ("teletexString", char.TeletexString),
        ("printableString", char.PrintableString),
        ("universalString", char.UniversalString),
        ("utf8String", char.UTF8String),
        ("bmpString", char.BMPString),
    )

    return namedtype.NamedTypes(
        *(
            namedtype.NamedType(
                alternative_name,
                string_type().subtype(
                    subtypeSpec=constraint.ValueSizeConstraint(1, MAX)
                ),
            )
            for alternative_name, string_type in alternatives
        )
    )


class X520OrganizationNameUnbounded(rfc5280.X520OrganizationName):
    """organizationName with the unbounded DirectoryString alternatives."""

    componentType = _create_unbounded_directory_string_namedtypes()


class X520OrganizationalUnitNameUnbounded(rfc5280.X520OrganizationalUnitName):
    """organizationalUnitName with the unbounded DirectoryString alternatives."""

    componentType = _create_unbounded_directory_string_namedtypes()


class X520CommonNameUnbounded(rfc5280.X520CommonName):
    """commonName with the unbounded DirectoryString alternatives."""

    componentType = _create_unbounded_directory_string_namedtypes()


class X520PseudonymUnbounded(rfc5280.X520Pseudonym):
    """pseudonym with the unbounded DirectoryString alternatives."""

    componentType = _create_unbounded_directory_string_namedtypes()


# Attribute type OID -> instance of the unbounded variant defined above.
UNBOUNDED_ATTRIBUTE_TYPE_MAPPINGS = {
    rfc5280.id_at_organizationName: X520OrganizationNameUnbounded(),
    rfc5280.id_at_organizationalUnitName: X520OrganizationalUnitNameUnbounded(),
    rfc5280.id_at_commonName: X520CommonNameUnbounded(),
    rfc5280.id_at_pseudonym: X520PseudonymUnbounded(),
}
--------------------------------------------------------------------------------
/pkilint/msft/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/digicert/pkilint/914a02f4fec51d751ac0f9d63fdfd590615610f6/pkilint/msft/__init__.py
--------------------------------------------------------------------------------
/pkilint/msft/asn1/__init__.py:
--------------------------------------------------------------------------------
from pyasn1.type import univ, char, constraint

MAX = float("inf")

id_on_UserPrincipalName = univ.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


class UserPrincipalName(char.UTF8String):
    """UTF8String with a minimum size of 1 and no maximum."""

    subtypeSpec = constraint.ValueSizeConstraint(1, MAX)
--------------------------------------------------------------------------------
/pkilint/msft/msft_name.py:
--------------------------------------------------------------------------------
import validators

from pkilint import validation
from pkilint.msft import asn1


class UserPrincipalNameSyntaxValidator(validation.Validator):
    """Report a UserPrincipalName that does not pass ``validators.email``."""

    VALIDATION_INVALID_UPN_SYNTAX = validation.ValidationFinding(
        validation.ValidationFindingSeverity.ERROR,
        "msft.invalid_user_principal_name_syntax",
    )

    def __init__(self):
        super().__init__(
            validations=[self.VALIDATION_INVALID_UPN_SYNTAX],
            pdu_class=asn1.UserPrincipalName,
        )

    def validate(self, node):
        """Raise the finding when the UPN is not accepted as an e-mail address.

        The message embeds the value taken from the document being linted, so
        whatever displays findings should treat that text as untrusted.
        """
        upn = str(node.pdu)

        if validators.email(upn):
            return

        raise validation.ValidationFindingEncountered(
            self.VALIDATION_INVALID_UPN_SYNTAX, f'Invalid UPN syntax: "{upn}"'
        )
--------------------------------------------------------------------------------
/pkilint/nist/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/digicert/pkilint/914a02f4fec51d751ac0f9d63fdfd590615610f6/pkilint/nist/__init__.py
--------------------------------------------------------------------------------
/pkilint/nist/asn1/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/digicert/pkilint/914a02f4fec51d751ac0f9d63fdfd590615610f6/pkilint/nist/asn1/__init__.py
--------------------------------------------------------------------------------
/pkilint/nist/asn1/fips_203.py:
--------------------------------------------------------------------------------
from pyasn1.type import univ
from pyasn1.type.constraint import ValueSizeConstraint

from pkilint import document
from pkilint.nist.asn1 import csor


# Exact public key lengths in octets, one per ML-KEM parameter set.
ML_KEM_512_PublicKeySize = 800
ML_KEM_768_PublicKeySize = 1184
ML_KEM_1024_PublicKeySize = 1568

# NOTE(review): the types below constrain the encoded length only. Any further
# check of the key contents would have to be done by a validator elsewhere.


class MlKem512PublicKey(univ.OctetString):
    """OCTET STRING that must be exactly ML_KEM_512_PublicKeySize octets long."""

    subtypeSpec = ValueSizeConstraint(
        ML_KEM_512_PublicKeySize, ML_KEM_512_PublicKeySize
    )


class MlKem768PublicKey(univ.OctetString):
    """OCTET STRING that must be exactly ML_KEM_768_PublicKeySize octets long."""

    subtypeSpec = ValueSizeConstraint(
        ML_KEM_768_PublicKeySize, ML_KEM_768_PublicKeySize
    )


class MlKem1024PublicKey(univ.OctetString):
    """OCTET STRING that must be exactly ML_KEM_1024_PublicKeySize octets long."""

    subtypeSpec = ValueSizeConstraint(
        ML_KEM_1024_PublicKeySize, ML_KEM_1024_PublicKeySize
    )


# Algorithm OID -> instance of the matching public key type.
ALGORITHM_OID_TO_KEY_MAPPINGS = {
    csor.id_alg_ml_kem_512: MlKem512PublicKey(),
    csor.id_alg_ml_kem_768: MlKem768PublicKey(),
    csor.id_alg_ml_kem_1024: MlKem1024PublicKey(),
}

# Every algorithm above maps to VALUE_NODE_ABSENT for its parameters;
# presumably that means the parameters field must be absent -- confirm in
# document.ValueDecoder.
ALGORITHM_OID_TO_PARAMETER_MAPPINGS = dict.fromkeys(
    ALGORITHM_OID_TO_KEY_MAPPINGS, document.ValueDecoder.VALUE_NODE_ABSENT
)
--------------------------------------------------------------------------------
/pkilint/nist/asn1/fips_204.py:
--------------------------------------------------------------------------------
from pyasn1.type import univ
from pyasn1.type.constraint import ValueSizeConstraint

from pkilint import document
from pkilint.nist.asn1 import csor


# Exact public key lengths in octets, one per ML-DSA parameter set.
ML_DSA_44_PublicKeySize = 1312
ML_DSA_65_PublicKeySize = 1952
ML_DSA_87_PublicKeySize = 2592

# NOTE(review): the types below constrain the encoded length only. Any further
# check of the key contents would have to be done by a validator elsewhere.


class MlDsa44PublicKey(univ.OctetString):
    """OCTET STRING that must be exactly ML_DSA_44_PublicKeySize octets long."""

    subtypeSpec = ValueSizeConstraint(ML_DSA_44_PublicKeySize, ML_DSA_44_PublicKeySize)


class MlDsa65PublicKey(univ.OctetString):
    """OCTET STRING that must be exactly ML_DSA_65_PublicKeySize octets long."""

    subtypeSpec = ValueSizeConstraint(ML_DSA_65_PublicKeySize, ML_DSA_65_PublicKeySize)


class MlDsa87PublicKey(univ.OctetString):
    """OCTET STRING that must be exactly ML_DSA_87_PublicKeySize octets long."""

    subtypeSpec = ValueSizeConstraint(ML_DSA_87_PublicKeySize, ML_DSA_87_PublicKeySize)


# Algorithm OID -> instance of the matching public key type. The pure and the
# pre-hashed OID of a parameter set share one key type.
ALGORITHM_OID_TO_KEY_MAPPINGS = {
    # pure
    csor.id_ml_dsa_44: MlDsa44PublicKey(),
    csor.id_ml_dsa_65: MlDsa65PublicKey(),
    csor.id_ml_dsa_87: MlDsa87PublicKey(),
    # pre-hashed
    csor.id_hash_ml_dsa_44_with_sha512: MlDsa44PublicKey(),
    csor.id_hash_ml_dsa_65_with_sha512: MlDsa65PublicKey(),
    csor.id_hash_ml_dsa_87_with_sha512: MlDsa87PublicKey(),
}

# Every algorithm above maps to VALUE_NODE_ABSENT for its parameters;
# presumably that means the parameters field must be absent -- confirm in
# document.ValueDecoder.
ALGORITHM_OID_TO_PARAMETER_MAPPINGS = dict.fromkeys(
    ALGORITHM_OID_TO_KEY_MAPPINGS, document.ValueDecoder.VALUE_NODE_ABSENT
)
--------------------------------------------------------------------------------
/pkilint/oid.py:
--------------------------------------------------------------------------------
from typing import Iterable

from pyasn1.type.univ import ObjectIdentifier


def format_oids(oids: Iterable[ObjectIdentifier]) -> str:
    """Return the OIDs as one comma-separated string in sorted order.

    Sorting is done on the string form, so the order is lexicographic rather
    than numeric per arc.
    """
    dotted_forms = sorted(str(oid) for oid in oids)
    return ", ".join(dotted_forms)
--------------------------------------------------------------------------------
/pkilint/pkix/certificate/certificate_name.py:
-------------------------------------------------------------------------------- 1 | from pyasn1_alt_modules import rfc5280 2 | 3 | from pkilint import validation 4 | from pkilint.pkix import general_name 5 | 6 | 7 | class SubjectEmailAddressInSanValidator(validation.Validator): 8 | VALIDATION_SUBJECT_EMAIL_NOT_IN_SAN = validation.ValidationFinding( 9 | validation.ValidationFindingSeverity.ERROR, 10 | "pkix.subject_email_address_not_in_san", 11 | ) 12 | 13 | def __init__(self): 14 | super().__init__( 15 | pdu_class=rfc5280.EmailAddress, 16 | validations=[self.VALIDATION_SUBJECT_EMAIL_NOT_IN_SAN], 17 | ) 18 | 19 | def validate(self, node): 20 | san_ext_idx = node.document.get_extension_by_oid(rfc5280.id_ce_subjectAltName) 21 | 22 | if san_ext_idx is None: 23 | raise validation.ValidationFindingEncountered( 24 | self.VALIDATION_SUBJECT_EMAIL_NOT_IN_SAN, 25 | "Certificate does not have SAN extension", 26 | ) 27 | 28 | ext, _ = san_ext_idx 29 | 30 | email_address = str(node.pdu) 31 | 32 | if not any( 33 | str(rfc822name_node.pdu) == email_address 34 | for rfc822name_node in node.document.get_san_general_names_by_type( 35 | general_name.GeneralNameTypeName.RFC822_NAME 36 | ) 37 | ): 38 | raise validation.ValidationFindingEncountered( 39 | self.VALIDATION_SUBJECT_EMAIL_NOT_IN_SAN, 40 | f'Subject DN e-mail address "{email_address}" not found in SAN', 41 | ) 42 | -------------------------------------------------------------------------------- /pkilint/pkix/certificate/certificate_validator.py: -------------------------------------------------------------------------------- 1 | from pyasn1_alt_modules import rfc5280 2 | 3 | from pkilint import validation 4 | 5 | 6 | class CorrectVersionValidator(validation.ScalarFieldValueEqualityValidator): 7 | def __init__(self): 8 | super().__init__( 9 | path="certificate.tbsCertificate.version", 10 | value=rfc5280.Version.namedValues["v3"], 11 | validations=validation.ValidationFinding( 12 | validation.ValidationFindingSeverity.ERROR, 
13 | "pkix.certificate_version_is_not_v3", 14 | ), 15 | ) 16 | 17 | 18 | class SignatureAlgorithmMatchValidator(validation.DEREqualityValidator): 19 | def __init__(self): 20 | super().__init__( 21 | other_node_retriever=(lambda n: n.navigate("^.tbsCertificate.signature")), 22 | path="certificate.signatureAlgorithm", 23 | validation=validation.ValidationFinding( 24 | validation.ValidationFindingSeverity.ERROR, 25 | "pkix.certificate_signature_algorithm_mismatch", 26 | ), 27 | ) 28 | 29 | 30 | class IssuerUniqueIdAbsenceValidator(validation.NodePresenceValidator): 31 | VALIDATION_ISSUER_UNIQUE_ID_PRESENT = validation.ValidationFinding( 32 | validation.ValidationFindingSeverity.ERROR, "pkix.issuer_unique_id_present" 33 | ) 34 | 35 | def __init__(self): 36 | super().__init__( 37 | node_retriever=lambda n: n.navigate("issuerUniqueID"), 38 | presence_finding=self.VALIDATION_ISSUER_UNIQUE_ID_PRESENT, 39 | pdu_class=rfc5280.TBSCertificate, 40 | ) 41 | 42 | 43 | class SubjectUniqueIdAbsenceValidator(validation.NodePresenceValidator): 44 | VALIDATION_SUBJECT_UNIQUE_ID_PRESENT = validation.ValidationFinding( 45 | validation.ValidationFindingSeverity.ERROR, "pkix.subject_unique_id_present" 46 | ) 47 | 48 | def __init__(self): 49 | super().__init__( 50 | node_retriever=lambda n: n.navigate("subjectUniqueID"), 51 | presence_finding=self.VALIDATION_SUBJECT_UNIQUE_ID_PRESENT, 52 | pdu_class=rfc5280.TBSCertificate, 53 | ) 54 | -------------------------------------------------------------------------------- /pkilint/pkix/certificate/certificate_validity.py: -------------------------------------------------------------------------------- 1 | import datetime 2 | 3 | from pkilint import validation, document 4 | from pkilint.pkix import time 5 | 6 | 7 | class CertificateSaneValidityPeriodValidator(time.SaneValidityPeriodValidator): 8 | VALIDATION_NEGATIVE_VALIDITY_PERIOD = validation.ValidationFinding( 9 | validation.ValidationFindingSeverity.ERROR, 10 | 
"pkix.certificate_negative_validity_period", 11 | ) 12 | 13 | def __init__(self): 14 | super().__init__( 15 | end_validity_node_retriever=lambda n: n.navigate("^.notAfter"), 16 | path="certificate.tbsCertificate.validity.notBefore", 17 | validation=self.VALIDATION_NEGATIVE_VALIDITY_PERIOD, 18 | ) 19 | 20 | 21 | class CertificateValidityPeriodStartRetriever(document.ValidityPeriodStartRetriever): 22 | def __call__(self, certificate, *args, **kwargs) -> datetime.datetime: 23 | return certificate.not_before 24 | -------------------------------------------------------------------------------- /pkilint/pkix/crl/crl_validator.py: -------------------------------------------------------------------------------- 1 | from pyasn1_alt_modules import rfc5280 2 | 3 | from pkilint import validation 4 | 5 | 6 | class VersionPresenceValidator(validation.NodePresenceValidator): 7 | VALIDATION_VERSION_MISSING = validation.ValidationFinding( 8 | validation.ValidationFindingSeverity.ERROR, "pkix.crl_version_missing" 9 | ) 10 | 11 | def __init__(self): 12 | node_retriever = lambda n: n.navigate("version") 13 | 14 | super().__init__( 15 | node_retriever=node_retriever, 16 | absence_finding=self.VALIDATION_VERSION_MISSING, 17 | pdu_class=rfc5280.TBSCertList, 18 | ) 19 | 20 | 21 | class CorrectVersionValidator(validation.ScalarFieldValueEqualityValidator): 22 | def __init__(self): 23 | super().__init__( 24 | path="certificateList.tbsCertList.version", 25 | value=rfc5280.Version.namedValues["v2"], 26 | validations=validation.ValidationFinding( 27 | validation.ValidationFindingSeverity.ERROR, "pkix.crl_version_is_not_v2" 28 | ), 29 | ) 30 | 31 | 32 | class SignatureAlgorithmMatchValidator(validation.DEREqualityValidator): 33 | def __init__(self): 34 | super().__init__( 35 | other_node_retriever=(lambda n: n.navigate("^.tbsCertList.signature")), 36 | path="signatureAlgorithm", 37 | validation=validation.ValidationFinding( 38 | validation.ValidationFindingSeverity.ERROR, 39 | 
"pkix.crl_signature_algorithm_match", 40 | ), 41 | ) 42 | 43 | 44 | class RevokedCertificatesEmptyValidator(validation.Validator): 45 | VALIDATION_REVOKED_CERTIFICATES_EMPTY = validation.ValidationFinding( 46 | validation.ValidationFindingSeverity.ERROR, 47 | "pkix.crl_revoked_certificates_empty", 48 | ) 49 | 50 | def __init__(self): 51 | super().__init__( 52 | validations=[self.VALIDATION_REVOKED_CERTIFICATES_EMPTY], 53 | pdu_class=rfc5280.TBSCertList, 54 | ) 55 | 56 | def validate(self, node): 57 | revoked_certificates = node.children.get("revokedCertificates") 58 | 59 | if revoked_certificates is not None and not any(revoked_certificates.pdu): 60 | raise validation.ValidationFindingEncountered( 61 | self.VALIDATION_REVOKED_CERTIFICATES_EMPTY 62 | ) 63 | -------------------------------------------------------------------------------- /pkilint/pkix/crl/crl_validity.py: -------------------------------------------------------------------------------- 1 | from pkilint import validation 2 | from pkilint.pkix import time 3 | 4 | 5 | class CrlSaneValidityPeriodValidator(time.SaneValidityPeriodValidator): 6 | VALIDATION_NEGATIVE_VALIDITY_PERIOD = validation.ValidationFinding( 7 | validation.ValidationFindingSeverity.ERROR, "pkix.crl_negative_validity_period" 8 | ) 9 | 10 | def __init__(self): 11 | super().__init__( 12 | end_validity_node_retriever=lambda n: n.navigate("^.nextUpdate"), 13 | path="certificateList.tbsCertList.thisUpdate", 14 | validation=self.VALIDATION_NEGATIVE_VALIDITY_PERIOD, 15 | ) 16 | -------------------------------------------------------------------------------- /pkilint/pkix/ocsp/__init__.py: -------------------------------------------------------------------------------- 1 | from pyasn1_alt_modules import rfc6960 2 | 3 | from pkilint import document, validation 4 | from pkilint.pkix import time 5 | from pkilint.pkix.ocsp import ocsp_response, ocsp_basic_response, ocsp_validity 6 | 7 | 8 | class RFC6960OCSPResponse(document.Document): 9 | def 
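__init__(self, substrate_source, substrate, name=None, parent=None): 10 | super().__init__( 11 | rfc6960.OCSPResponse(), substrate_source, substrate, name, parent 12 | )


def create_response_decoder():
    """Return the decoding validator for OCSP responses.

    The validator wraps an ``OCSPResponseDecoder`` configured with
    ``rfc6960.ocspResponseMap`` as its type mappings.
    """
    decoder = ocsp_response.OCSPResponseDecoder(type_mappings=rfc6960.ocspResponseMap)

    return ocsp_response.OCSPResponseDecodingValidator(decode_func=decoder)


def create_pkix_ocsp_response_validator_container(decoding_validators, validators):
    """Assemble the top-level validator container for an OCSP response.

    Args:
        decoding_validators: validators placed in a container scoped to the
            ``oCSPResponse`` path.
        validators: caller-supplied validators; the built-in OCSP and time
            syntax validators are appended after them. The argument itself
            is left unmodified.

    Returns:
        A ``ValidatorContainer`` holding the decoding container followed by
        the caller-supplied and built-in validators.
    """
    decoding_validator_containers = [
        validation.ValidatorContainer(
            validators=decoding_validators, path="oCSPResponse"
        )
    ]

    # Build a new list instead of ``validators += [...]``: the in-place form
    # grew the caller's list, so a list reused for a second container would
    # accumulate duplicate built-in validators.
    all_validators = list(validators) + [
        ocsp_response.OCSPResponseStatusValidator(),
        ocsp_response.OCSPResponseIsBasicValidator(),
        ocsp_basic_response.OCSPBasicResponseCertsNotPresentValidator(),
        ocsp_basic_response.ResponderKeyHashIsSHA1HashValidator(),
        ocsp_validity.OCSPSaneValidityPeriodValidator(),
        time.UtcTimeCorrectSyntaxValidator(),
        time.GeneralizedTimeCorrectSyntaxValidator(),
    ]

    return validation.ValidatorContainer(
        validators=decoding_validator_containers + all_validators
    )
--------------------------------------------------------------------------------
/pkilint/pkix/ocsp/ocsp_basic_response.py:
--------------------------------------------------------------------------------
from cryptography.hazmat.primitives import hashes
from pyasn1_alt_modules import rfc6960

from pkilint import validation


class OCSPBasicResponseCertsNotPresentValidator(validation.Validator):
    """Warn when ``certs`` is encoded in a ``BasicOCSPResponse`` but holds no entries.

    An absent ``certs`` field produces no finding; only a present, empty
    sequence does.
    """

    VALIDATION_CERTS_IS_EMPTY = validation.ValidationFinding(
        validation.ValidationFindingSeverity.WARNING,
        "pkix.ocsp_certs_sequence_is_empty",
    )

    def __init__(self):
        super().__init__(
            validations=[self.VALIDATION_CERTS_IS_EMPTY],
            pdu_class=rfc6960.BasicOCSPResponse,
        )

    def validate(self, node):
        certs_node = node.children.get("certs")

        if certs_node is not None and len(certs_node.children) == 0:
            raise validation.ValidationFindingEncountered(
                self.VALIDATION_CERTS_IS_EMPTY
            )


class ResponderKeyHashIsSHA1HashValidator(validation.Validator):
    """Check that a ``byKey`` ResponderID has the length of a SHA-1 digest.

    RFC 6960 defines the KeyHash as the SHA-1 hash of the responder's public
    key. Only the octet count is compared with ``hashes.SHA1.digest_size``;
    the hash is not recomputed from a key, so passing this check does not
    establish that the value identifies the responder's key.
    """

    VALIDATION_KEY_HASH_IS_NOT_SHA1 = validation.ValidationFinding(
        validation.ValidationFindingSeverity.ERROR,
        "pkix.ocsp_responderid_keyhash_is_not_sha1",
    )

    def __init__(self):
        super().__init__(
            validations=[self.VALIDATION_KEY_HASH_IS_NOT_SHA1],
            pdu_class=rfc6960.ResponderID,
            # Only the byKey alternative carries a hash; other ResponderID
            # alternatives are skipped.
            predicate=lambda n: "byKey" in n.children,
        )

    def validate(self, node):
        # node.child unpacks to a (name, node) pair; the predicate above
        # restricts this validator to the byKey alternative.
        _, by_key_node = node.child

        hash_octets = by_key_node.pdu.asOctets()
        hash_len = len(hash_octets)

        if hash_len != hashes.SHA1.digest_size:
            raise validation.ValidationFindingEncountered(
                self.VALIDATION_KEY_HASH_IS_NOT_SHA1,
                f"Key hash length of {hash_len} octets is not SHA-1",
            )
--------------------------------------------------------------------------------
/pkilint/pkix/ocsp/ocsp_validity.py:
--------------------------------------------------------------------------------
from pkilint import validation, document
from pkilint.pkix import time


class OCSPSaneValidityPeriodValidator(time.SaneValidityPeriodValidator):
    """Validity-period check for each single response's ``thisUpdate``/``nextUpdate`` pair.

    The path glob matches ``thisUpdate`` under every entry of ``responses``.
    The predicate limits the check to entries that also carry ``nextUpdate``.
    """

    VALIDATION_NEGATIVE_VALIDITY_PERIOD = validation.ValidationFinding(
        validation.ValidationFindingSeverity.ERROR, "pkix.ocsp_negative_validity_period"
    )

    def __init__(self):
        super().__init__(
            end_validity_node_retriever=lambda n: n.navigate("^.nextUpdate"),
            path_re=document.get_re_for_path_glob(
                "oCSPResponse.responseBytes.response.basicOCSPResponse.tbsResponseData.responses.*.thisUpdate"
            ),
            # Skip entries that have no nextUpdate to compare against.
            predicate=lambda n: "nextUpdate" in n.parent.children,
            validation=self.VALIDATION_NEGATIVE_VALIDITY_PERIOD,
        )
--------------------------------------------------------------------------------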
/pkilint/rest/cabf_serverauth.py:
--------------------------------------------------------------------------------
from fastapi import HTTPException
from pyasn1.error import PyAsn1Error
from starlette import status

from pkilint.cabf import serverauth
from pkilint.cabf.serverauth import serverauth_constants
from pkilint.pkix import certificate
from pkilint.rest import model


class CabfServerauthLinterGroup(model.LinterGroup):
    """Linter group registered under the name ``cabf-serverauth``."""

    def __init__(self, linters):
        super().__init__(name="cabf-serverauth", linters=linters)

    def determine_linter(self, doc):
        """Pick the linter whose name matches the certificate type of *doc*.

        Raises:
            HTTPException: 422 when type determination raises ``ValueError``
                or ``PyAsn1Error``; the exception text is placed in the
                response detail.
            StopIteration: when no linter in ``self.linters`` has a matching
                name, because ``next()`` is called without a default.
        """
        try:
            cert_type = serverauth.determine_certificate_type(doc)
        except (ValueError, PyAsn1Error) as e:
            detail = model.create_unprocessable_entity_error_detail(
                f"Parsing error occurred: {e}"
            )

            raise HTTPException(
                status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
                detail=detail,
            )

        # Type determination itself does not fail, so there is no guard for an
        # undetermined certificate type; names are compared case-insensitively.
        return next(
            linter
            for linter in self.linters
            if linter.name.casefold() == cert_type.to_option_str.casefold()
        )


def create_linter_group_instance():
    """Build the group with one linter per ``serverauth_constants.CertificateType`` member."""

    def _linter_for(cert_type):
        # Each linter is named after the type's option string, which is what
        # determine_linter() matches on.
        return model.Linter(
            validator=certificate.create_pkix_certificate_validator_container(
                serverauth.create_decoding_validators(),
                serverauth.create_validators(cert_type),
            ),
            finding_filters=serverauth.create_serverauth_finding_filters(cert_type),
            name=cert_type.to_option_str,
        )

    return CabfServerauthLinterGroup(
        [_linter_for(cert_type) for cert_type in serverauth_constants.CertificateType]
    )
--------------------------------------------------------------------------------
/pkilint/rest/cabf_smime.py:
--------------------------------------------------------------------------------
from fastapi import HTTPException
from pyasn1.error import PyAsn1Error
from starlette import status

from pkilint.cabf import smime
from pkilint.cabf.smime import smime_constants
from pkilint.pkix import certificate
from pkilint.rest import model


class CabfSmimeLinterGroup(model.LinterGroup):
    """Linter group registered under the name ``cabf-smime``."""

    def __init__(self, linters):
        super().__init__(name="cabf-smime", linters=linters)

    def determine_linter(self, doc):
        """Pick the linter named ``<validation level>-<generation>`` for *doc*.

        Raises:
            HTTPException: 422 when determination raises ``ValueError`` or
                ``PyAsn1Error`` (exception text goes into the response
                detail), or when it returns ``None``.
            StopIteration: when no linter in ``self.linters`` has a matching
                name, because ``next()`` is called without a default.
        """
        try:
            v_g = smime.determine_validation_level_and_generation(doc)
        except (ValueError, PyAsn1Error) as e:
            detail = model.create_unprocessable_entity_error_detail(
                f"Parsing error occurred: {e}"
            )

            raise HTTPException(
                status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
                detail=detail,
            )

        # Unlike a parse failure, None means the document was readable but no
        # validation level/generation could be derived from it.
        if v_g is None:
            raise HTTPException(
                status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
                detail=model.create_unprocessable_entity_error_detail(
                    "Could not determine certificate type"
                ),
            )

        v, g = v_g
        name = f"{v}-{g}"

        return next(
            linter
            for linter in self.linters
            if linter.name.casefold() == name.casefold()
        )


# Every (validation level, generation) combination, built once at import time.
_V_G_PAIRS = []
for v in smime_constants.ValidationLevel:
    for g in smime_constants.Generation:
        _V_G_PAIRS.append((v, g))


def create_linter_group_instance():
    """Build the group with one linter per entry of ``_V_G_PAIRS``."""

    def _linter_for(v, g):
        # The name format must stay in step with determine_linter().
        return model.Linter(
            validator=certificate.create_pkix_certificate_validator_container(
                smime.create_decoding_validators(),
                smime.create_subscriber_validators(v, g),
            ),
            name=f"{v}-{g}",
        )

    return CabfSmimeLinterGroup([_linter_for(v, g) for v, g in _V_G_PAIRS])
--------------------------------------------------------------------------------
/pkilint/rest/crl.py:
--------------------------------------------------------------------------------
1 | from pkilint import pkix 2 | 3 | from pkilint.pkix import crl, extension, name 4 | from pkilint.rest import model 5 | 6 | 7 | def create_crl_linter( 8 | validity_additional_validators=None, doc_additional_validators=None 9 | ): 10 | if doc_additional_validators is
None: 11 | doc_additional_validators = [] 12 | if validity_additional_validators is None: 13 | validity_additional_validators = [] 14 | 15 | return model.Linter( 16 | validator=crl.create_pkix_crl_validator_container( 17 | [ 18 | pkix.create_attribute_decoder(name.ATTRIBUTE_TYPE_MAPPINGS), 19 | pkix.create_extension_decoder(extension.EXTENSION_MAPPINGS), 20 | ], 21 | [ 22 | crl.create_issuer_validator_container([]), 23 | crl.create_validity_validator_container(validity_additional_validators), 24 | crl.create_extensions_validator_container([]), 25 | ] 26 | + doc_additional_validators, 27 | ), 28 | name="crl_linter", 29 | )
--------------------------------------------------------------------------------
/pkilint/rest/etsi.py:
--------------------------------------------------------------------------------
from fastapi import HTTPException
from pyasn1.error import PyAsn1Error
from starlette import status

from pkilint import etsi
from pkilint.pkix import certificate
from pkilint.rest import model


class EtsiLinterGroup(model.LinterGroup):
    """Linter group registered under the name ``etsi``."""

    def __init__(self, linters):
        super().__init__(name="etsi", linters=linters)

    def determine_linter(self, doc):
        """Pick the linter whose name matches the ETSI certificate type of *doc*.

        Raises:
            HTTPException: 422 when type determination raises ``ValueError``
                or ``PyAsn1Error``; the exception text is placed in the
                response detail.
            StopIteration: when no linter in ``self.linters`` has a matching
                name, because ``next()`` is called without a default.
        """
        try:
            cert_type = etsi.determine_certificate_type(doc)
        except (ValueError, PyAsn1Error) as e:
            detail = model.create_unprocessable_entity_error_detail(
                f"Parsing error occurred: {e}"
            )

            raise HTTPException(
                status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
                detail=detail,
            )

        # Type determination itself does not fail, so there is no guard for an
        # undetermined certificate type; names are compared case-insensitively.
        return next(
            linter
            for linter in self.linters
            if linter.name.casefold() == cert_type.to_option_str.casefold()
        )


def create_linter_group_instance():
    """Build the group with one linter per ``etsi.CertificateType`` member."""

    def _linter_for(cert_type):
        # Each linter is named after the type's option string, which is what
        # determine_linter() matches on.
        return model.Linter(
            validator=certificate.create_pkix_certificate_validator_container(
                etsi.create_decoding_validators(cert_type),
                etsi.create_validators(cert_type),
            ),
            finding_filters=etsi.create_etsi_finding_filters(cert_type),
            name=cert_type.to_option_str,
        )

    return EtsiLinterGroup([_linter_for(cert_type) for cert_type in etsi.CertificateType])
--------------------------------------------------------------------------------
/pkilint/rest/ocsp.py:
--------------------------------------------------------------------------------
from pkilint.pkix import (
    ocsp,
    create_attribute_decoder,
    create_extension_decoder,
    extension,
    name,
)
from pkilint.rest import model


def create_ocsp_response_linter():
    """Return the ``ocsp_linter`` linter.

    It uses the response, attribute and extension decoders and passes no
    additional validators to the OCSP container factory.
    """
    decoding_validators = [
        ocsp.create_response_decoder(),
        create_attribute_decoder(name.ATTRIBUTE_TYPE_MAPPINGS),
        create_extension_decoder(extension.EXTENSION_MAPPINGS),
    ]
    container = ocsp.create_pkix_ocsp_response_validator_container(
        decoding_validators,
        [],
    )

    return model.Linter(validator=container, name="ocsp_linter")
--------------------------------------------------------------------------------
/pkilint/rest/pkix.py:
--------------------------------------------------------------------------------
from pkilint.pkix import certificate, name, extension
from pkilint.rest import model


class PkixCertificateLinterGroup(model.LinterGroup):
    """Linter group registered under the name ``pkix``."""

    def __init__(self, linters):
        super().__init__(name="pkix", linters=linters)

    def determine_linter(self, doc):
        # The document is not inspected: the first registered linter is
        # always returned.
        first_linter = self.linters[0]
        return first_linter


def create_linter_group_instance(): 14 | return PkixCertificateLinterGroup( 15 | [ 16 | model.Linter( 17 | validator=certificate.create_pkix_certificate_validator_container( 18 | certificate.create_decoding_validators( 19 | name.ATTRIBUTE_TYPE_MAPPINGS, extension.EXTENSION_MAPPINGS 20 | ), 21 | [ 22 | certificate.create_issuer_validator_container([]), 23 | certificate.create_validity_validator_container(), 24 | certificate.create_subject_validator_container([]), 25 |
certificate.create_extensions_validator_container([]), 26 | certificate.create_spki_validator_container([]), 27 | ], 28 | ), 29 | name="certificate", 30 | ) 31 | ] 32 | )
--------------------------------------------------------------------------------
/pkilint/util.py:
--------------------------------------------------------------------------------
from cryptography.hazmat.primitives import hashes


def calculate_hash(octets: bytes, hash_algo: hashes.HashAlgorithm) -> bytes:
    """Return the digest of *octets* computed with *hash_algo*."""
    digest = hashes.Hash(hash_algo)
    digest.update(octets)

    return digest.finalize()


def calculate_sha1_hash(octets: bytes) -> bytes:
    """Return the SHA-1 digest of *octets*.

    NOTE(review): callers are not visible here. SHA-1 is presumably used to
    reproduce identifier values that the PKIX specifications define as SHA-1
    hashes; confirm no caller relies on it for collision resistance.
    """
    sha1 = hashes.SHA1()
    return calculate_hash(octets, sha1)
--------------------------------------------------------------------------------
/setup.cfg:
--------------------------------------------------------------------------------
1 | [metadata] 2 | name = pkilint 3 | author = DigiCert, Inc. 4 | version = file: VERSION.txt 5 | author_email = corey.bonnell@digicert.com 6 | url = https://github.com/digicert/pkilint 7 | description = A framework for verifying PKI structures 8 | long_description = file: README.md 9 | long_description_content_type = text/markdown 10 | license = MIT 11 | platform = any 12 | classifiers = 13 | Development Status :: 5 - Production/Stable 14 | Intended Audience :: Information Technology 15 | License :: OSI Approved :: MIT License 16 | Operating System :: OS Independent 17 | Programming Language :: Python :: 3 18 | Programming Language :: Python :: 3 :: Only 19 | Programming Language :: Python :: 3.9 20 | Programming Language :: Python :: 3.10 21 | Programming Language :: Python :: 3.11 22 | Programming Language :: Python :: 3.12 23 | Programming Language :: Python :: 3.13 24 | 25 | [options] 26 | zip_safe = True 27 | packages = find: 28 | python_requires = >=3.9 29 | install_requires = 30 | pyasn1 31 | pyasn1-alt-modules >=0.4.3 32 | pyasn1-fasder 33 | cryptography >=39 34 | iso3166 35 | # version is pinned due
to https://github.com/python-validators/validators/issues/346 36 | validators==0.22 37 | python-dateutil 38 | publicsuffixlist 39 | iso4217 40 | python-iso639 41 | 42 | [options.packages.find] 43 | exclude = 44 | tests* 45 | 46 | [options.extras_require] 47 | rest = 48 | fastapi 49 | dev = 50 | pytest 51 | %(rest)s 52 | httpx <1 53 | black 54 | 55 | [options.entry_points] 56 | console_scripts = 57 | lint_cabf_serverauth_cert = pkilint.bin.lint_cabf_serverauth_cert:main 58 | lint_crl = pkilint.bin.lint_crl:main 59 | lint_pkix_cert = pkilint.bin.lint_pkix_cert:main 60 | lint_pkix_signer_signee_cert_chain = pkilint.bin.lint_pkix_signer_signee_cert_chain:main 61 | lint_cabf_smime_cert = pkilint.bin.lint_cabf_smime_cert:main 62 | lint_ocsp_response = pkilint.bin.lint_ocsp_response:main 63 | lint_etsi_cert = pkilint.bin.lint_etsi_cert:main 64 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import setuptools 4 | 5 | setuptools.setup() 6 | -------------------------------------------------------------------------------- /tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/digicert/pkilint/914a02f4fec51d751ac0f9d63fdfd590615610f6/tests/__init__.py -------------------------------------------------------------------------------- /tests/integration_certificate/README.txt: -------------------------------------------------------------------------------- 1 | The integration tests use certificates obtained from a variety of public sources, in addition to certificates that 2 | were created specifically for testing purposes. Notably, some of the certificates obtained from public sources 3 | have been modified to trigger specific test conditions. The flagging of error conditions, etc.
for a given certificate 4 | does not necessarily mean that the given certificate is mis-issued. 5 | -------------------------------------------------------------------------------- /tests/integration_certificate/__init__.py: -------------------------------------------------------------------------------- 1 | import functools 2 | from pathlib import Path 3 | 4 | from pkilint import loader 5 | from tests import integration_test_common 6 | 7 | _FIXTURE_DIR = Path(__file__).parent.resolve() 8 | 9 | _CERT_END_ASCII_ARMOR = "-----END CERTIFICATE-----" 10 | 11 | 12 | def register_test(module, file, test_name, validator, filters=None): 13 | if hasattr(module, test_name): 14 | raise ValueError(f"Duplicate test name in {module}: {test_name}") 15 | 16 | setattr( 17 | module, 18 | test_name, 19 | functools.partial( 20 | integration_test_common.run_test, 21 | _CERT_END_ASCII_ARMOR, 22 | loader.load_pem_certificate, 23 | file, 24 | validator, 25 | filters, 26 | ), 27 | ) 28 | -------------------------------------------------------------------------------- /tests/integration_certificate/etsi/ncp_legal_person_certificate/extensions_field_absent.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDwDCCAqigAwIBAgIKTITWVCAMG9n4rDANBgkqhkiG9w0BAQsFADBLMQswCQYD 3 | VQQGEwJOTzEdMBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMM 4 | FEJ1eXBhc3MgQ2xhc3MgMyBDQSAyMB4XDTI0MDIxNDEwMzQyMFoXDTI1MDIxMzIy 5 | NTkwMFowgfIxCzAJBgNVBAYTAk5PMQ0wCwYDVQQHDARPU0xPMQ0wCwYDVQQRDAQw 6 | OTc4MT8wPQYDVQQKDDZNQVNURVJDQVJEIFBBWU1FTlQgU0VSVklDRVMgSU5GUkFT 7 | VFJVQ1RVUkUgKE5PUldBWSkgQVMxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0 8 | aW9uMRMwEQYLKwYBBAGCNzwCAQMTAk5PMRIwEAYDVQQFEwk5MjI5ODg4NjIxGDAW 9 | BgNVBGETD05UUk5PLTkyMjk4ODg2MjEiMCAGA1UEAxMZbXRmLm1jZW5ldHQubWFz 10 | dGVyY2FyZC5ubzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPkzQWj 11 | 5Z5lDiodPsk7pYN7j9g9n1lYhzCepFMHJgiyacdcQxVkunYgGlB8m6CcFUcTVbu7 12 | 
qkkhN1g1gEKX3wMZVjwrSfmSoAuGsUciOS90T30HkOiDvzVxmnE9TuyhDHRKvANp 13 | OpNNcUlJHbPondkslHvf3xEO3Q+40M65NjH9GEtepU0aEixKCjPSxnWiwiMM6PFC 14 | NRtLJu+aQrP1wHOj2eHbaAstiTf20NKTfGbAFGVlskQcPTkNOYe2unZCUsVNyQwW 15 | KKbaa4Dk1g8SNpiIbyeovsVMS41Ul+/wg3qoT6G7CJd5UBzUFyjnKPz/OFjALOwW 16 | YCwNDKkmNEOtA/UCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAp2ou9Z776IUXDZb4 17 | QX+zkEgyI1FzS5H7WrO6+/eISlnlw69lYIy6YG3iAfZa4wLb25syo5rdgagL6085 18 | kiLtRKVg5qilW6CJpQQjSQVl45VsSHJq2FVN17cUYysQ2AlBGNmifFDdLL0AoY6d 19 | ObhJiSO5/1r/1BTW2V1/bIS1PzsKrrUwN3NKmgsy/y7tzocdnxQDlodtBYK0VdE6 20 | TaxjA1Y7dmgWAOR0dygHRq2XzjWS05PWLQsv2GLM680uqKrxw/X6qXSqu3pZF50R 21 | 1rGSGwNFpobXQISAjsZL5B4lX+Ce+adzcpMPs8JeilUVlnBqfgTOeYs+EvLTYn2D 22 | pPuDbg== 23 | -----END CERTIFICATE----- 24 | 25 | node_path,validator,severity,code,message 26 | certificate.tbsCertificate,ExtensionsPresenceValidator,ERROR,etsi.extensions_field_absent, 27 | certificate,SubjectKeyIdentifierPresenceValidator,WARNING,pkix.certificate_skid_end_entity_missing, 28 | certificate,AuthorityKeyIdentifierPresenceValidator,ERROR,pkix.authority_key_identifier_extension_absent, 29 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/ca_no_ku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEZzCCBA2gAwIBAgIUOZ3slKUGXk92D1qRTpltfNEfd80wCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMjMxMDI4MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | 
ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCARAwggEMMBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUW3CnmBf3 19 | n/Y30vfj3ERsIQnXu9QwHQYDVR0OBBYEFNZEADJ8qA3/rE9rZu61rpssxThUMBEG 20 | A1UdIAQKMAgwBgYEVR0gADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmNh 21 | LmV4YW1wbGUuY29tL3Jvb3RfY2FfY3JsLmNybDBIBggrBgEFBQcBAQQ8MDowOAYI 22 | KwYBBQUHMAKGLGh0dHA6Ly9yZXBvc2l0b3J5LmNhLmV4YW1wbGUuY29tL3Jvb3Rf 23 | Y2EuZGVyMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAKBggqhkjOPQQD 24 | AgNIADBFAiEA4K+AzyG95SO8G8R2Eln0/Wt7+aqi713qj1/tdy5s/b0CIAwDVqo0 25 | ALOVl0C+EeTWjZ+MJhih1JZstsB3lw0DM9+3 26 | -----END CERTIFICATE----- 27 | 28 | node_path,validator,severity,code,message 29 | certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 30 | certificate.tbsCertificate.extensions,KeyUsagePresenceValidator,ERROR,pkix.ca_certificate_no_ku_extension, 31 | 32 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/cross_ca_no_aki.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIERDCCA+qgAwIBAgIUOZ3slKUGXk92D1qRTpltfNEfd80wCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMjMxMDI4MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | 
Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOB7jCB6zASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTWRAAyfKgN/6xP 19 | a2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2gK4Yp 20 | aHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwSAYIKwYB 21 | BQUHAQEEPDA6MDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5leGFt 22 | cGxlLmNvbS9yb290X2NhLmRlcjAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUH 23 | AwIwCgYIKoZIzj0EAwIDSAAwRQIhAOCvgM8hveUjvBvEdhJZ9P1re/mqou9d6o9f 24 | 7XcubP29AiAMA1aqNACzlZdAvhHk1o2fjCYYodSWbLbAd5cNAzPftw== 25 | -----END CERTIFICATE----- 26 | 27 | node_path,validator,severity,code,message 28 | certificate,AuthorityKeyIdentifierPresenceValidator,ERROR,pkix.authority_key_identifier_extension_absent, 29 | certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 30 | certificate.tbsCertificate.extensions,KeyUsagePresenceValidator,ERROR,pkix.ca_certificate_no_ku_extension, 31 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/ecdsa_self_signed_no_aki.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIICjzCCAhWgAwIBAgIQXIuZxVqUxdJxVt7NiYDMJjAKBggqhkjOPQQDAzCBiDEL 3 | MAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNl 4 | eSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMT 5 | JVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMjAx 6 | MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT 7 | Ck5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUg 8 | VVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlm 9 | aWNhdGlvbiBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQarFRaqflo 10 | I+d61SRvU8Za2EurxtW20eZzca7dnNYMYf3boIkDuAUU7FfO7l0/4iGzzvfUinng 11 | o4N+LZfQYcTxmdwlkWOrfzCjtHDix6EznPO/LlxTsV+zfTJ/ijTjeXmjQjBAMB0G 12 | A1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1xmNjmjAOBgNVHQ8BAf8EBAMCAQYwDwYD 13 | VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjA2Z6EWCNzklwBBHU6+4WMB 14 | zzuqQhFkoJ2UOQIReVx7Hfpkue4WQrO/isIJxOzksU0CMQDpKmFHjFJKS04YcPbW 15 | RNZu9YO6bVi9JNlWSOrvxKJGgYhqOkbRqZtNyWHa0V1Xahg= 16 | -----END CERTIFICATE----- 17 | 18 | node_path,validator,severity,code,message 19 | certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 20 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/ecdsa_with_null_sigalg_param.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIID6zCCA3KgAwIBAgIUEuptorghJNZWoEmXnuVIyVYrqkowDAYIKoZIzj0EAwMF 3 | ADBeMQswCQYDVQQGEwJDTjElMCMGA1UECgwcVHJ1c3RBc2lhIFRlY2hub2xvZ2ll 4 | cywgSW5jLjEoMCYGA1UEAwwfVHJ1c3RBc2lhIERWIFRMUyBFQ0MgVGVzdCBDQSBH 5 | NDAeFw0yNDEwMjIxNjAwMDBaFw0yNDEwMjMxNjAwMDBaMCUxIzAhBgNVBAMMGm9v 6 | bDVldnpzd3AuY3QtdGVzdC5zc2wucHViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD 7 | QgAE429f0qXaS9E9goewIIJLabuQZBw18mgbLueve9JmfTq4p2Poo+7dACkXG8AF 8 | v9nxvGKBm61nP8WWMeJQYc6IQqOCAkMwggI/MAwGA1UdEwEB/wQCMAAwHwYDVR0j 9 | 
BBgwFoAUr4S1dCdw3xSnKsw6Wtz3PAQJU5swgaUGCCsGAQUFBwEBBIGYMIGVMEoG 10 | CCsGAQUFBzAChj5odHRwOi8vaWNhLnd0LXRlc3QudHJ1c3Rhc2lhLmNvbS9UcnVz 11 | dEFzaWFEVlRMU0VDQ1Rlc3RDQUc0LmNydDBHBggrBgEFBQcwAYY7aHR0cDovL29j 12 | c3Aud3QtdGVzdC50cnVzdGFzaWEuY29tL1RydXN0QXNpYURWVExTRUNDVGVzdENB 13 | RzQwJQYDVR0RBB4wHIIab29sNWV2enN3cC5jdC10ZXN0LnNzbC5wdWIwEwYDVR0g 14 | BAwwCjAIBgZngQwBAgEwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBME8G 15 | A1UdHwRIMEYwRKBCoECGPmh0dHA6Ly9jcmwud3QtdGVzdC50cnVzdGFzaWEuY29t 16 | L1RydXN0QXNpYURWVExTRUNDVGVzdENBRzQuY3JsMB0GA1UdDgQWBBSANcwZGY1l 17 | mwNdmlipDOiex1EAHDAOBgNVHQ8BAf8EBAMCBaAwgYoGCisGAQQB1nkCBAIEfAR6 18 | AHgAdgCHT7UNwCnZkx3lc+nyiZ6ORTOzktOLCkYldL8P7rL8HgAAAYQHSgxQAAAE 19 | AwBHMEUCIQD0WQOyiEHIPoanzn+5Y8QfYR1sQIkAb8gHO1/EOTIF+QIgF3zyCELh 20 | /Uzp8MDiQbXeDWXHhFZqXMRxlHwQSqDbr3cwCgYIKoZIzj0EAwMDZwAwZAIwOWCs 21 | D/aGz0c/M4+e/iMor9OSw4K+O2OXKoM/HRrT9bw6/Rtgy+ZdWGRP0XHzCuyWAjAW 22 | N/XpkkZPgkKC941PAOnMsPEdkTVLdx+zn5NZ7qSzCub9BuSLN+GViPErWm7FPdM= 23 | -----END CERTIFICATE----- 24 | 25 | node_path,validator,severity,code,message 26 | certificate.tbsCertificate.signature,AlgorithmIdentifierDecodingValidator,FATAL,itu.invalid_asn1_syntax,"Value node is present, but type OID 1.2.840.10045.4.3.3 specifies that it must be absent" 27 | certificate.tbsCertificate.extensions.7.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 28 | certificate.signatureAlgorithm,SignatureAlgorithmMatchValidator,ERROR,pkix.certificate_signature_algorithm_mismatch,DER encoding of certificate.signatureAlgorithm and certificate.tbsCertificate.signature are not equal 29 | certificate.tbsCertificate.extensions.8.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_ec,Prohibited key usage value(s) present: keyEncipherment 30 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/ed25519_bad_ku.crttest: 
-------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIBtzCCAWmgAwIBAgITH59R65FuWGNFHoyc0N3iWesrXzAFBgMrZXAwWTENMAsG 3 | A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM 4 | QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx 5 | MzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjBZMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQL 6 | EwhMQU1QUyBXRzE1MDMGA1UEAxMsU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlm 7 | aWNhdGlvbiBBdXRob3JpdHkwKjAFBgMrZXADIQCEgUZ9yI/rkX/82DihqzVIZQZ+ 8 | RKE3URyp+eN2TxJDBKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC 9 | ARYwHQYDVR0OBBYEFGuilX26FJvkLQTRB6TRguQua4y1MAUGAytlcANBAFAJrlWo 10 | QjzwT0ph7rXe023x3GaLPMXMwQI2Of+apkdG2mH9ID6PE1bu3gRRqIH5w2tyS+xF 11 | Jw0ouxcJyAyXEQ4= 12 | -----END CERTIFICATE----- 13 | 14 | node_path,validator,severity,code,message 15 | certificate,AuthorityKeyIdentifierPresenceValidator,ERROR,pkix.authority_key_identifier_extension_absent, 16 | certificate.tbsCertificate.extensions.1.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_edwards_curve,Prohibited key usage value(s) present: dataEncipherment 17 | certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, 18 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/ed25519_self_signed_root.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIBtzCCAWmgAwIBAgITH59R65FuWGNFHoyc0N3iWesrXzAFBgMrZXAwWTENMAsG 3 | A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM 4 | QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx 5 | MzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjBZMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQL 6 | EwhMQU1QUyBXRzE1MDMGA1UEAxMsU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlm 7 | 
aWNhdGlvbiBBdXRob3JpdHkwKjAFBgMrZXADIQCEgUZ9yI/rkX/82DihqzVIZQZ+ 8 | RKE3URyp+eN2TxJDBKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC 9 | AQYwHQYDVR0OBBYEFGuilX26FJvkLQTRB6TRguQua4y1MAUGAytlcANBAFAJrlWo 10 | QjzwT0ph7rXe023x3GaLPMXMwQI2Of+apkdG2mH9ID6PE1bu3gRRqIH5w2tyS+xF 11 | Jw0ouxcJyAyXEQ4= 12 | -----END CERTIFICATE----- 13 | 14 | node_path,validator,severity,code,message 15 | certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, 16 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/old_lamps_smime_example.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDbTCCAlWgAwIBAgIT3r7MRJB7qx35ms1tFWj7th3y5jANBgkqhkiG9w0BAQ0F 3 | ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 4 | MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5B 5 | bGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqV 6 | KfqLwaLjj+gBUCfkacKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfID 7 | lB/wlbdmadXPmrszyidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdS 8 | NRFxrfKeoQEFXgOaGdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1 9 | ZkuE4A6l41koaZXCN5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv 10 | 9w43GG8FtpSX+TWzB2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIB 11 | aVv4wPxAf1iPsIVKarUCAwEAAaOBlzCBlDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQX 12 | MBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDwYD 13 | VR0PAQH/BAUDAwcgADAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj8OeOr83zdw8wHwYD 14 | VR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEB 15 | AEi3/4eQPCAAbdgVMVbA7CplI+5LIV+7qUrORNdN8E53zu1oBkxktmDPWpQGiGYJ 16 | fsQD2Gu1sz0Ofpqzaw0QHo90ghEcz3GOb9/JFEBRwV8Ern1rHXKRis56PPdBAlTg 17 | 3D7QKgwkGolETHH1TFv4mY/XC1CWzWq/wKPActIDt1cujjUKk2ILsa1kqYfbEQol 18 | ZGil0pxx9jdMS5qaTdjb66GvPpkQI1uH4E9xiYbJu5bD+SX0Sgzih79GEhaP8vjc 19 
| w6+P//nJ3ExJkVT7OvIJmwGvV0ULtmsghoigcd2BBc/fOKdbyIBmJBe152dd02EW 20 | 6FwMfHKDtHO8k+/XBeZcxF0= 21 | -----END CERTIFICATE----- 22 | 23 | node_path,validator,severity,code,message 24 | certificate.tbsCertificate.serialNumber,CertificateSerialNumberValidator,ERROR,pkix.certificate_serial_number_out_of_range,"ASN.1 constraint failed: Invalid value outside range 1 - 730750818665451459101842416358141509827966271487 on content ""-741604493682452113825656873529250578000121114""" 25 | certificate.tbsCertificate.extensions.4.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, 26 | certificate.tbsCertificate.extensions.3,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.3.extnValue"" with schema ""KeyUsage"" corresponding to type OID 2.5.29.15: Error decoding ""KeyUsage"" TLV near substrate offset 0: Trailing zero bit in named BIT STRING" 27 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/rfc7093_method_1.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICyjCCAlCgAwIBAgIQY1zINBzZ6YS8yyP57Ql/HjAKBggqhkjOPQQDAzBWMQsw 3 | CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg 4 | R3JvdXAxHDAaBgNVBAMTEyhGQUtFKSBJU1JHIFJvb3QgWDIwHhcNMjMwOTI1MDAw 5 | MDAwWhcNMjYwOTI0MjM1OTU5WjBAMQswCQYDVQQGEwJVUzEdMBsGA1UEChMUKEZB 6 | S0UpIExldCdzIEVuY3J5cHQxEjAQBgNVBAMTCShGQUtFKSBFNzB2MBAGByqGSM49 7 | AgEGBSuBBAAiA2IABOn6Rxf8w7JMveol0MqmodXTPkxfQDCCuZIWo7NsL9nFSVrp 8 | FNOajWXg1uxujC25VK62gNRP5OSoiAAnlZ6CUI6/cWWHF78QWyLk3SS6mrPrlBUl 9 | TZr3DrFi67X4+R93GaOB+DCB9TAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYI 10 | KwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYE 11 | FLmhijFtd+cJnmo9dqY7HHRulw77MB8GA1UdIwQYMBaAFDnxnbEOFolx9/jcKlXc 12 | 
CcyDWni7MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmku 13 | bGVuY3Iub3JnLzATBgNVHSAEDDAKMAgGBmeBDAECATAnBgNVHR8EIDAeMBygGqAY 14 | hhZodHRwOi8veDIuYy5sZW5jci5vcmcvMAoGCCqGSM49BAMDA2gAMGUCMAO7SkY9 15 | m1jgu8HC/+WQEPKzhU1Eze+AZF3yCjbxc08xIThaxIL3m3syDXAMyfbtfQIxAMLy 16 | AZvTbDmzq9nfzN4wz4KGkMuy0Ab7nuguoYht4LNEZG/M+uz3eh6rCEzoxIoy8w== 17 | -----END CERTIFICATE----- 18 | 19 | node_path,validator,severity,code,message 20 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_rfc7093_method_1_identified 21 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/rfc7093_method_2.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFwjCCA6qgAwIBAgIUH/nOhctN2lspZ2LasyeIMEixJzEwDQYJKoZIhvcNAQEL 3 | BQAwSDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0 4 | ZWQxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMzA0MTkwMDAwMDBaFw0y 5 | MzA3MTgyMzU5NTlaME4xIjAgBgNVBAMMGWhhbmFrby55YW1hZGFAZXhhbXBsZS5j 6 | b20xKDAmBgkqhkiG9w0BCQEWGWhhbmFrby55YW1hZGFAZXhhbXBsZS5jb20wggEi 7 | MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw+egZQ6eumJKq3hfKfED4dE/t 8 | L4FI5sjqont9ABVI+1GSqyi1bFBgsRjM0THllIdMbKmJtWwnKW8J+5OgNN8y6Xxv 9 | 8JmM/Y5vQt2lis0fqXmG8UTz0VTWdlAXXmhUs6lSADvAaIe4RVrCsZ97L3ZQTryY 10 | 7JRVcbB4khUN3Gp0yg+801SXzoFTTa+UGIRLE66jH51aa5VXu99hnv1OiH8tQrjd 11 | i8mH6uG/icq4XuIeNWMF32wHqIOOPvQcWV3M5D2vxJEj702Ku6k9OQXkAo17qRSE 12 | onWW4HtLbtmS8He1JNPc/n3dVUm+fM6NoDXPoLP7j55G9zKyqGtGAWXAj1MTAgMB 13 | AAGjggGcMIIBmDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAfBgNVHSME 14 | GDAWgBTWRAAyfKgN/6xPa2buta6bLMU4VDAdBgNVHQ4EFgQU3omPCXKXVhKhLmjb 15 | NT6C2kVHzt8wFAYDVR0gBA0wCzAJBgdngQwBBQECMD0GA1UdHwQ2MDQwMqAwoC6G 16 | LGh0dHA6Ly9jcmwuY2EuZXhhbXBsZS5jb20vaXNzdWluZ19jYV9jcmwuY3JsMEsG 17 | CCsGAQUFBwEBBD8wPTA7BggrBgEFBQcwAoYvaHR0cDovL3JlcG9zaXRvcnkuY2Eu 18 | 
ZXhhbXBsZS5jb20vaXNzdWluZ19jYS5kZXIwHQYDVR0lBBYwFAYIKwYBBQUHAwQG 19 | CCsGAQUFBwMCMHcGA1UdEQRwMG6BGWhhbmFrby55YW1hZGFAZXhhbXBsZS5jb22g 20 | KQYKKwYBBAGCNxQCA6AbDBloYW5ha28ueWFtYWRhQGV4YW1wbGUuY29toCYGCCsG 21 | AQUFBwgJoBoMGOWxseeUsOiKseWtkEBleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF 22 | AAOCAgEAg4rIcKGMfLh347FX/Y12lx7b9/iVrjsX7lsliirpITuPmfCli76JVrO0 23 | Fqypfdd2P4ZVvH9WTpQUhRBv06kwHkJRkgpqNPO0WOpNVnsK8vcP1/RylDiJGryz 24 | u6AzOSDqsxomFD6hm71XRYcsgBXXNPUzSGhbqUeuBuZwZe1WmP/yuvNpghMvlWFc 25 | jAHktC9FuNpHhQ/3zZ20GUc6AQwwtn8rviFSwQihVJDJkGiGaJUc7lVVoswx87bS 26 | oGpVluEIY/RK2HsXU0kmek4qq2t9v1OgRL98ZqUgOS26ooOXxqnR3QMx1S5KSLy9 27 | +hK6y2gPhyiHoaPVTk4s54Es/YDtbCz7piyyyp3DEIzmgrwB/mG2IbOv6dT8Za5B 28 | R7A+ggB7uwo3zYxKd2SFIDmXb+n9ML/s6/3aeyKJms4FmRq+fX8icb+lvVeLMhlC 29 | Re5MFL2tkb72BFku0eeUde4iUnw93fzG6+Wl8VPCzYOwV0j+UTiyygcXaEZW+TpT 30 | EmyY/fQ/7TCbGp+8Ur3rLlY5Okt5T83MmZdMFIHLQxaZUXkT2dBaSnh3VfNKFi0a 31 | re9xdiBQZGkMkvWiKTjrUOwLXSNBnP6TXO9zn51tTK4KPZnQvNvULtn4H7z3FhfW 32 | kie/jPNYkFvMzOaawwPAhG9R6G2ZB7cTOuG0Uu863Hkh5XX2oAo= 33 | -----END CERTIFICATE----- 34 | 35 | node_path,validator,severity,code,message 36 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_rfc7093_method_2_identified, 37 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/rfc7093_method_3.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFwjCCA6qgAwIBAgIUH/nOhctN2lspZ2LasyeIMEixJzEwDQYJKoZIhvcNAQEL 3 | BQAwSDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0 4 | ZWQxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMzA0MTkwMDAwMDBaFw0y 5 | MzA3MTgyMzU5NTlaME4xIjAgBgNVBAMMGWhhbmFrby55YW1hZGFAZXhhbXBsZS5j 6 | b20xKDAmBgkqhkiG9w0BCQEWGWhhbmFrby55YW1hZGFAZXhhbXBsZS5jb20wggEi 7 | MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw+egZQ6eumJKq3hfKfED4dE/t 8 | 
L4FI5sjqont9ABVI+1GSqyi1bFBgsRjM0THllIdMbKmJtWwnKW8J+5OgNN8y6Xxv 9 | 8JmM/Y5vQt2lis0fqXmG8UTz0VTWdlAXXmhUs6lSADvAaIe4RVrCsZ97L3ZQTryY 10 | 7JRVcbB4khUN3Gp0yg+801SXzoFTTa+UGIRLE66jH51aa5VXu99hnv1OiH8tQrjd 11 | i8mH6uG/icq4XuIeNWMF32wHqIOOPvQcWV3M5D2vxJEj702Ku6k9OQXkAo17qRSE 12 | onWW4HtLbtmS8He1JNPc/n3dVUm+fM6NoDXPoLP7j55G9zKyqGtGAWXAj1MTAgMB 13 | AAGjggGcMIIBmDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAfBgNVHSME 14 | GDAWgBTWRAAyfKgN/6xPa2buta6bLMU4VDAdBgNVHQ4EFgQUY8emM7B5J41rU5mX 15 | UlMU8cq/Rg8wFAYDVR0gBA0wCzAJBgdngQwBBQECMD0GA1UdHwQ2MDQwMqAwoC6G 16 | LGh0dHA6Ly9jcmwuY2EuZXhhbXBsZS5jb20vaXNzdWluZ19jYV9jcmwuY3JsMEsG 17 | CCsGAQUFBwEBBD8wPTA7BggrBgEFBQcwAoYvaHR0cDovL3JlcG9zaXRvcnkuY2Eu 18 | ZXhhbXBsZS5jb20vaXNzdWluZ19jYS5kZXIwHQYDVR0lBBYwFAYIKwYBBQUHAwQG 19 | CCsGAQUFBwMCMHcGA1UdEQRwMG6BGWhhbmFrby55YW1hZGFAZXhhbXBsZS5jb22g 20 | KQYKKwYBBAGCNxQCA6AbDBloYW5ha28ueWFtYWRhQGV4YW1wbGUuY29toCYGCCsG 21 | AQUFBwgJoBoMGOWxseeUsOiKseWtkEBleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF 22 | AAOCAgEAg4rIcKGMfLh347FX/Y12lx7b9/iVrjsX7lsliirpITuPmfCli76JVrO0 23 | Fqypfdd2P4ZVvH9WTpQUhRBv06kwHkJRkgpqNPO0WOpNVnsK8vcP1/RylDiJGryz 24 | u6AzOSDqsxomFD6hm71XRYcsgBXXNPUzSGhbqUeuBuZwZe1WmP/yuvNpghMvlWFc 25 | jAHktC9FuNpHhQ/3zZ20GUc6AQwwtn8rviFSwQihVJDJkGiGaJUc7lVVoswx87bS 26 | oGpVluEIY/RK2HsXU0kmek4qq2t9v1OgRL98ZqUgOS26ooOXxqnR3QMx1S5KSLy9 27 | +hK6y2gPhyiHoaPVTk4s54Es/YDtbCz7piyyyp3DEIzmgrwB/mG2IbOv6dT8Za5B 28 | R7A+ggB7uwo3zYxKd2SFIDmXb+n9ML/s6/3aeyKJms4FmRq+fX8icb+lvVeLMhlC 29 | Re5MFL2tkb72BFku0eeUde4iUnw93fzG6+Wl8VPCzYOwV0j+UTiyygcXaEZW+TpT 30 | EmyY/fQ/7TCbGp+8Ur3rLlY5Okt5T83MmZdMFIHLQxaZUXkT2dBaSnh3VfNKFi0a 31 | re9xdiBQZGkMkvWiKTjrUOwLXSNBnP6TXO9zn51tTK4KPZnQvNvULtn4H7z3FhfW 32 | kie/jPNYkFvMzOaawwPAhG9R6G2ZB7cTOuG0Uu863Hkh5XX2oAo= 33 | -----END CERTIFICATE----- 34 | 35 | node_path,validator,severity,code,message 36 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_rfc7093_method_3_identified, 37 | 
-------------------------------------------------------------------------------- /tests/integration_certificate/pkix/root_bad_ku_encoding.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICYDCCAgegAwIBAgIMDWpfCD8oXD5Rld9dMAoGCCqGSM49BAMCMIGRMQswCQYDVQQGEwJVUzER 3 | MA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0d2F2ZSBI 4 | b2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDI1NiBDZXJ0aWZp 5 | Y2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMxOTM1MTBaFw00MjA4MjMxOTM1MTBaMIGRMQswCQYD 6 | VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRy 7 | dXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDI1 8 | NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH77bOYj 9 | 43MyCMpg5lOcunSNGLB4kFKA3TjASh3RqMyTpJcGOMoNFWLGjgEqZZ2q3zSRLoHB5DOSMcT9CTqm 10 | P62jQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUo0EGrJBt 11 | 0UrrdaVKEJmzsaGLSvcwCgYIKoZIzj0EAwIDRwAwRAIgB+ZU2g6gWrKuEZ+Hxbb/ad4lvvigtwjz 12 | RM4q3wghDDcCIC0mA6AFvWvR9lz4ZcyGbbOcNEhjhAnFjXca4syc4XR7 13 | -----END CERTIFICATE----- 14 | 15 | node_path,validator,severity,code,message 16 | certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 17 | certificate.tbsCertificate.extensions.1,ExtensionsDecodingValidator,FATAL,itu.invalid_asn1_syntax,"ASN.1 decoding failure occurred at ""certificate.tbsCertificate.extensions.1.extnValue"" with schema ""KeyUsage"" corresponding to type OID 2.5.29.15: Error decoding ""KeyUsage"" TLV near substrate offset 0: Trailing zero bit in named BIT STRING" 18 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/rsa_self_signed_no_aki.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw 3 | TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh 4 | cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 5 | WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu 6 | ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY 7 | MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc 8 | h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ 9 | 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U 10 | A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW 11 | T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH 12 | B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC 13 | B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv 14 | KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn 15 | OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn 16 | jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw 17 | qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI 18 | rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV 19 | HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq 20 | hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL 21 | ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ 22 | 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK 23 | NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 24 | ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur 25 | TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC 26 | jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc 27 | oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq 28 | 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA 29 | mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d 30 | 
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= 31 | -----END CERTIFICATE----- 32 | 33 | node_path,validator,severity,code,message 34 | certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 35 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/unknown_key_type_cross_ca_no_aki.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIERjCCA+ygAwIBAgIUOZ3slKUGXk92D1qRTpltfNEfd80wCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMjMxMDI4MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICJDAPBgsqhkiG9w0BAQGHZwUA 7 | A4ICDwAwggIKAoICAQCzi0lg5jvmqNuomoKXjvH2MkTlV32M9YYW1cpXWdScyNk2 8 | wziqPLmxEcFJfltRr2kvJhHmifdnVIDAsPTDZU9Dr4X+jIrXNOBCqK2gX9dlCOAL 9 | oPdWw0Q7voM+p9EA1Ps2fuvWC9tkhnf8feuUJE2tGvju0cZYEsA+fHP381jpQbxm 10 | RY/3u5ekmpihGAfgLBo7mtM6VzrhgOH/QyrlWAzJyr+rYC8yW82gl+h7x6bXTjSo 11 | fWCKQ/6y5P/x9LjnaGqYR121Gm69CBcqV0F3SSSLIVXIuQbg1UDoyyj0wArcn+R1 12 | ihrDZKs55OFVKJhURBU/7satTFNIsuOP9VD1+lgzl5M3MMgIgb8R7uj+OG1bUShJ 13 | qYOZQ6vz2XIgdpe47CQRomGdVcoEIzxaLO3G8obYKdDoNyB7dlKaokSHISaNwBUL 14 | t7B+czE6cT5YlbqvOt/6YDlYxWf4XPJbHYCid1ajDRpQoeRpjtqaEiuwqnpg980i 15 | bLEWXPz5yoMKYGzA+xSH8knl4McciGJsVxKAgd52wSOEttRItn8OcSOu73SohZYD 16 | dHVUg/KQp95mRl4ieysXMY+KSQUrAUX7ooN3K8KaW1gSrM7jq2KBcBnlSAfyiJcS 17 | t7jzA7pf4Uf5wvNDSrcDwdlGc0OCoKNT9ODLvqJqS78hzp61551HV9feAn8g5QID 18 | AQABo4HuMIHrMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNZEADJ8qA3/ 19 | rE9rZu61rpssxThUMBEGA1UdIAQKMAgwBgYEVR0gADA6BgNVHR8EMzAxMC+gLaAr 20 | hilodHRwOi8vY3JsLmNhLmV4YW1wbGUuY29tL3Jvb3RfY2FfY3JsLmNybDBIBggr 21 | BgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly9yZXBvc2l0b3J5LmNhLmV4 22 | 
YW1wbGUuY29tL3Jvb3RfY2EuZGVyMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF 23 | BQcDAjAKBggqhkjOPQQDAgNIADBFAiEA4K+AzyG95SO8G8R2Eln0/Wt7+aqi713q 24 | j1/tdy5s/b0CIAwDVqo0ALOVl0C+EeTWjZ+MJhih1JZstsB3lw0DM9+3 25 | -----END CERTIFICATE----- 26 | 27 | node_path,validator,severity,code,message 28 | certificate,AuthorityKeyIdentifierPresenceValidator,ERROR,pkix.authority_key_identifier_extension_absent, 29 | certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 30 | certificate.tbsCertificate.extensions,KeyUsagePresenceValidator,ERROR,pkix.ca_certificate_no_ku_extension, 31 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/unknown_key_type_self_issued_no_aki.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEPjCCA+SgAwIBAgIUOZ3slKUGXk92D1qRTpltfNEfd80wCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMjMxMDI4MjM1OTU5 5 | WjBAMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEQMA4GA1UEAwwHUm9vdCBDQTCCAiQwDwYLKoZIhvcNAQEBh2cFAAOCAg8AMIIC 7 | CgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4qjy5sRHB 8 | SX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3VsNEO76D 9 | PqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP97uXpJqY 10 | oRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1gikP+suT/ 11 | 8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoaw2SrOeTh 12 | VSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamDmUOr89ly 13 | IHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ewfnMxOnE+ 14 | WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyxFlz8+cqD 15 | CmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1VIPykKfe 16 | ZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre48wO6X+FH 17 | 
+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEAAaOB7jCB 18 | 6zASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTWRAAyfKgN/6xPa2buta6b 19 | LMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDov 20 | L2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwSAYIKwYBBQUHAQEE 21 | PDA6MDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5leGFtcGxlLmNv 22 | bS9yb290X2NhLmRlcjAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwCgYI 23 | KoZIzj0EAwIDSAAwRQIhAOCvgM8hveUjvBvEdhJZ9P1re/mqou9d6o9f7XcubP29 24 | AiAMA1aqNACzlZdAvhHk1o2fjCYYodSWbLbAd5cNAzPftw== 25 | -----END CERTIFICATE----- 26 | 27 | node_path,validator,severity,code,message 28 | certificate.tbsCertificate.extensions.1.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 29 | certificate,AuthorityKeyIdentifierPresenceValidator,NOTICE,pkix.aki_absent_self_issued_and_unsupported_algorithm,Self-issued CA certificate uses unsupported public key algorithm: 1.2.840.113549.1.1.1.999 30 | certificate.tbsCertificate.extensions,KeyUsagePresenceValidator,ERROR,pkix.ca_certificate_no_ku_extension, 31 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/v1_root_signed_with_md2.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG 3 | A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz 4 | cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 5 | MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV 6 | BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt 7 | YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN 8 | ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE 9 | BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is 10 | I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G 11 | 
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do 12 | lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc 13 | AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k 14 | -----END CERTIFICATE----- 15 | 16 | node_path,validator,severity,code,message 17 | certificate,SubjectKeyIdentifierPresenceValidator,WARNING,pkix.certificate_skid_end_entity_missing, 18 | certificate.tbsCertificate.version,CorrectVersionValidator,ERROR,pkix.certificate_version_is_not_v3,"Expected=""2"", actual=""v1""" 19 | certificate,AuthorityKeyIdentifierPresenceValidator,ERROR,pkix.authority_key_identifier_extension_absent, 20 | -------------------------------------------------------------------------------- /tests/integration_certificate/pkix/x25519_bad_ku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICNDCCAeagAwIBAgITfz0Bv+b1OMAT79aCh3arViNvhDAFBgMrZXAwWTENMAsG 3 | A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM 4 | QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx 5 | MzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjA6MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQL 6 | EwhMQU1QUyBXRzEWMBQGA1UEAxMNQ2FybG9zIFR1cmluZzAqMAUGAytlbgMhAC5o 7 | MczTIMiddTUYTc/WymEqXw8hZm1QbIz2xX2gFDx0o4HdMIHaMCsGCSqGSIb3DQEJ 8 | DwQeMBwwGgYLKoZIhvcNAQkQAxMwCwYJYIZIAWUDBAEFMAwGA1UdEwEB/wQCMAAw 9 | FwYDVR0gBBAwDjAMBgpghkgBZQMCATABMB8GA1UdEQQYMBaBFGNhcmxvc0BzbWlt 10 | ZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIDyDAd 11 | BgNVHQ4EFgQUgSmg+iOgSyCMDXgA3u3aFss0JbkwHwYDVR0jBBgwFoAUa6KVfboU 12 | m+QtBNEHpNGC5C5rjLUwBQYDK2VwA0EAzss75UzFuADPfd4hQdo5jyAQ3GvkyyvI 13 | BdBGnWtJ1eT1WuMaIMhi1rH4vPGPd9scwW+sqd9fG+pv3MShl+zKAQ== 14 | -----END CERTIFICATE----- 15 | 16 | node_path,validator,severity,code,message 17 | certificate.tbsCertificate.extensions.5.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_edwards_curve,"Prohibited key usage value(s) present: 
digitalSignature, nonRepudiation" 18 | certificate.tbsCertificate.extensions.6.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,NOTICE,pkix.unknown_subject_key_identifier_calculation_method, 19 | -------------------------------------------------------------------------------- /tests/integration_certificate/smime_br/individual/multipurpose/ecdsa_dual_use.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFTjCCAzagAwIBAgIUNKtQG7H2vz92MQSN7dVbE5+ZnzgwDQYJKoZIhvcNAQEL 3 | BQAwSDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0 4 | ZWQxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMzA1MDEwMDAwMDBaFw0y 5 | MzA3MzAyMzU5NTlaMGQxDzANBgNVBAQMBllhbWFkYTEPMA0GA1UEKgwGSGFuYWtv 6 | MRYwFAYDVQQDDA1ZQU1BREEgSGFuYWtvMSgwJgYJKoZIhvcNAQkBFhloYW5ha28u 7 | eWFtYWRhQGV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQiVI 8 | +I+3gv+17KN0RFLHKh5Vj71vc75eSOkyMsxFxbFsTNEMTLjVuKFxOelIgsiZJXKZ 9 | NCX0FBmrfpCkKklCcqOCAd0wggHZMAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUD 10 | AwfIgDAfBgNVHSMEGDAWgBTWRAAyfKgN/6xPa2buta6bLMU4VDAdBgNVHQ4EFgQU 11 | W3CnmBf3n/Y30vfj3ERsIQnXu9QwFAYDVR0gBA0wCzAJBgdngQwBBQQCMD0GA1Ud 12 | HwQ2MDQwMqAwoC6GLGh0dHA6Ly9jcmwuY2EuZXhhbXBsZS5jb20vaXNzdWluZ19j 13 | YV9jcmwuY3JsMEsGCCsGAQUFBwEBBD8wPTA7BggrBgEFBQcwAoYvaHR0cDovL3Jl 14 | cG9zaXRvcnkuY2EuZXhhbXBsZS5jb20vaXNzdWluZ19jYS5kZXIwHQYDVR0lBBYw 15 | FAYIKwYBBQUHAwQGCCsGAQUFBwMCMIG2BgNVHREEga4wgauBGWhhbmFrby55YW1h 16 | ZGFAZXhhbXBsZS5jb22gKQYKKwYBBAGCNxQCA6AbDBloYW5ha28ueWFtYWRhQGV4 17 | YW1wbGUuY29toCYGCCsGAQUFBwgJoBoMGOWxseeUsOiKseWtkEBleGFtcGxlLmNv 18 | baQ7MDkxDzANBgNVBAQMBuWxseeUsDEPMA0GA1UEKgwG6Iqx5a2QMRUwEwYDVQQD 19 | DAzlsbHnlLDoirHlrZAwDQYJKoZIhvcNAQELBQADggIBADI2xgYKQ91nwOM8U7D8 20 | EvHimv/FSI+UfmwxVMNbBYH8+xdD+BpAXAnZPx2j5yod5o1HD2mz/RxIzXwsK7o5 21 | /a204E131AZ135Ls8mjkAxUOBk2M6zqrLJFAB7W4KP9OBH/ZjEzjEhwIxqwHn7di 22 | NbRjuGeTyL0pzubeaBVNdpzwKPodExcGwkbYHWjNJ0GE9cRWA5CNuoi8hkmoO/pj 23 | 
0evrO2eiBZiPaRY6ev4vmEMAer8KkEomICPoxKtuQ/mHxmeV7X0N/KaGBL23IE9x 24 | AtH717R6FaEiJfq9M8uX6asRxiZjY7HZx+vP5k8C+26EeMhK8EwahuCZ4gQVEh/R 25 | bcuvGr4BbpJ3pYJtk4CWzr3ScWKB2hj+Il88WjhOo4d9UiCLHHPHZugkcSsK5dcD 26 | wG9cKYN+RmYqLSRjNVduhX5yZ6tq0MnsopissR0dfB1CeFirb2XpfakEcLypQcSe 27 | 4shj//bxTus2ucfAJ6OXRKbLkJV1G9cCtMahxSoRBL8fi1OGtPJwBk2tg5RjCcK+ 28 | W4XUKg/4GnMcQ78k2xEDK547x2nv4sf3wqtWqv7lzAjaZuQzm0YIxliQkbNV6bMj 29 | I3rLGtI01L+cYFQAZHrhuEzxDCiA/wiXR/m3JCWkRxju7kYUtFeJlXOMNhMQTsRi 30 | 9J45tfhl9StQoPiiR+u/zcRj 31 | -----END CERTIFICATE----- 32 | node_path,validator,severity,code,message 33 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 34 | 35 | -------------------------------------------------------------------------------- /tests/integration_certificate/smime_br/mailbox/multipurpose/smtputf8mailbox_only.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFUTCCAzmgAwIBAgIUH/nOhctN2lspZ2LasyeIMEixJzEwDQYJKoZIhvcNAQEL 3 | BQAwSDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0 4 | ZWQxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMzA0MTkwMDAwMDBaFw0y 5 | MzA3MTgyMzU5NTlaMCMxITAfBgNVBAMMGOWxseeUsOiKseWtkEBleGFtcGxlLmNv 6 | bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALD56BlDp66YkqreF8p8 7 | QPh0T+0vgUjmyOqie30AFUj7UZKrKLVsUGCxGMzRMeWUh0xsqYm1bCcpbwn7k6A0 8 | 3zLpfG/wmYz9jm9C3aWKzR+peYbxRPPRVNZ2UBdeaFSzqVIAO8Boh7hFWsKxn3sv 9 | dlBOvJjslFVxsHiSFQ3canTKD7zTVJfOgVNNr5QYhEsTrqMfnVprlVe732Ge/U6I 10 | fy1CuN2LyYfq4b+Jyrhe4h41YwXfbAeog44+9BxZXczkPa/EkSPvTYq7qT05BeQC 11 | jXupFISidZbge0tu2ZLwd7Uk09z+fd1VSb58zo2gNc+gs/uPnkb3MrKoa0YBZcCP 12 | UxMCAwEAAaOCAVYwggFSMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB8G 13 | A1UdIwQYMBaAFNZEADJ8qA3/rE9rZu61rpssxThUMB0GA1UdDgQWBBSJGVleDvFp 14 | 9cu9R+E0/OKYzGkwkTAUBgNVHSAEDTALMAkGB2eBDAEFAQIwPQYDVR0fBDYwNDAy 15 | 
oDCgLoYsaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9pc3N1aW5nX2NhX2NybC5j 16 | cmwwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vcmVwb3NpdG9y 17 | eS5jYS5leGFtcGxlLmNvbS9pc3N1aW5nX2NhLmRlcjAdBgNVHSUEFjAUBggrBgEF 18 | BQcDBAYIKwYBBQUHAwIwMQYDVR0RBCowKKAmBggrBgEFBQcICaAaDBjlsbHnlLDo 19 | irHlrZBAZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggIBAIOKyHChjHy4d+Ox 20 | V/2Ndpce2/f4la47F+5bJYoq6SE7j5nwpYu+iVaztBasqX3Xdj+GVbx/Vk6UFIUQ 21 | b9OpMB5CUZIKajTztFjqTVZ7CvL3D9f0cpQ4iRq8s7ugMzkg6rMaJhQ+oZu9V0WH 22 | LIAV1zT1M0hoW6lHrgbmcGXtVpj/8rrzaYITL5VhXIwB5LQvRbjaR4UP982dtBlH 23 | OgEMMLZ/K74hUsEIoVSQyZBohmiVHO5VVaLMMfO20qBqVZbhCGP0Sth7F1NJJnpO 24 | Kqtrfb9ToES/fGalIDktuqKDl8ap0d0DMdUuSki8vfoSustoD4coh6Gj1U5OLOeB 25 | LP2A7Wws+6YsssqdwxCM5oK8Af5htiGzr+nU/GWuQUewPoIAe7sKN82MSndkhSA5 26 | l2/p/TC/7Ov92nsiiZrOBZkavn1/InG/pb1XizIZQkXuTBS9rZG+9gRZLtHnlHXu 27 | IlJ8Pd38xuvlpfFTws2DsFdI/lE4ssoHF2hGVvk6UxJsmP30P+0wmxqfvFK96y5W 28 | OTpLeU/NzJmXTBSBy0MWmVF5E9nQWkp4d1XzShYtGq3vcXYgUGRpDJL1oik461Ds 29 | C10jQZz+k1zvc5+dbUyuCj2Z0Lzb1C7Z+B+89xYX1pInv4zzWJBbzMzmmsMDwIRv 30 | UehtmQe3EzrhtFLvOtx5IeV19qAK 31 | -----END CERTIFICATE----- 32 | 33 | node_path,validator,severity,code,message 34 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 35 | -------------------------------------------------------------------------------- /tests/integration_certificate/smime_br/mailbox/strict/smbr-cert-factory-mailbox-strict.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFjTCCA3WgAwIBAgIUd6S3Xz8ATQGFzml1vs49vkKoG3owDQYJKoZIhvcNAQEL 3 | BQAwSDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0 4 | ZWQxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMzA0MTkwMDAwMDBaFw0y 5 | MzA3MTgyMzU5NTlaME4xIjAgBgNVBAMMGWhhbmFrby55YW1hZGFAZXhhbXBsZS5j 6 | b20xKDAmBgkqhkiG9w0BCQEWGWhhbmFrby55YW1hZGFAZXhhbXBsZS5jb20wggEi 7 | 
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw+egZQ6eumJKq3hfKfED4dE/t 8 | L4FI5sjqont9ABVI+1GSqyi1bFBgsRjM0THllIdMbKmJtWwnKW8J+5OgNN8y6Xxv 9 | 8JmM/Y5vQt2lis0fqXmG8UTz0VTWdlAXXmhUs6lSADvAaIe4RVrCsZ97L3ZQTryY 10 | 7JRVcbB4khUN3Gp0yg+801SXzoFTTa+UGIRLE66jH51aa5VXu99hnv1OiH8tQrjd 11 | i8mH6uG/icq4XuIeNWMF32wHqIOOPvQcWV3M5D2vxJEj702Ku6k9OQXkAo17qRSE 12 | onWW4HtLbtmS8He1JNPc/n3dVUm+fM6NoDXPoLP7j55G9zKyqGtGAWXAj1MTAgMB 13 | AAGjggFnMIIBYzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAfBgNVHSME 14 | GDAWgBTWRAAyfKgN/6xPa2buta6bLMU4VDAdBgNVHQ4EFgQUiRlZXg7xafXLvUfh 15 | NPzimMxpMJEwFAYDVR0gBA0wCzAJBgdngQwBBQEDMD0GA1UdHwQ2MDQwMqAwoC6G 16 | LGh0dHA6Ly9jcmwuY2EuZXhhbXBsZS5jb20vaXNzdWluZ19jYV9jcmwuY3JsMEsG 17 | CCsGAQUFBwEBBD8wPTA7BggrBgEFBQcwAoYvaHR0cDovL3JlcG9zaXRvcnkuY2Eu 18 | ZXhhbXBsZS5jb20vaXNzdWluZ19jYS5kZXIwEwYDVR0lBAwwCgYIKwYBBQUHAwQw 19 | TAYDVR0RBEUwQ4EZaGFuYWtvLnlhbWFkYUBleGFtcGxlLmNvbaAmBggrBgEFBQcI 20 | CaAaDBjlsbHnlLDoirHlrZBAZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggIB 21 | AGLGFYwy/Y2171NnkReQGX7DrgsoOpQAcl2g92D3SVBdrI2yr5hf2W8Dh7c/lDQ2 22 | nmSLEGuRdc2PqhQK4gDXCgzgQ5BJQsDDxNj7+5Kj6HOi8u1FdQRSNDD/odIjGp6j 23 | 8B9dvU6+j622Xx2MmIgX7fYzpd36P5MOWhFN9pWpXQ/eH/lgOAonzgVmnhr0rQ4E 24 | 5u3zHzYxSInRrERvjG5LfStqckh04OZF8K9Px5vprfFkvNgIMqGu+3fwhcJQG40W 25 | 9ibIDOfvMpHPNn6TyV0/6KPTPqTtR0mLNbyWNDG8NrElSD4ShpswsFuxRAQcMuHP 26 | 0AXarijVphATvNlypZVb4ihoGKmX86FFRR0T7JjUGxOYoCCvyBO1ZzAfeKgNdFwb 27 | x8JKhRkSUwHiDvgwgUwKpwmzwNTu9uMlltHO/LMcw45kMFiQOWRJ9sv0SkQnKqkM 28 | aC6xo1NWC71JON4Y/3L9Av/Az3lZFxJWLB8V1H+Fs/x/7o8J9Y44tclOUNeC8y50 29 | ymzJEAxidCk4vBgpDnlF3u2Rai9jZi0o2NxF2LhIuKyahnSi/1+V8jxZuWkEiuRJ 30 | ptBsXGFt2pgFvQC9+87LV/J5R+H81/wNVnHlb0S+3HNgSJrU17MFnjUSy3+OvHmL 31 | oWizcbrR/04H1p8d9PYC4Qdtu3htzrgJImFgWZZtBYPb 32 | -----END CERTIFICATE----- 33 | node_path,validator,severity,code,message 34 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 35 | 
--------------------------------------------------------------------------------
/tests/integration_certificate/test_cabf_serverauth_cert.py:
--------------------------------------------------------------------------------
# Registers one integration test per "*.crttest" fixture found under
# tls_br/<certificate type>/, for every serverauth_constants.CertificateType
# member. The fixtures on this page pair a PEM certificate with a CSV of
# expected findings (node_path,validator,severity,code,message).
import glob
import sys
from os import path

from pkilint.cabf import serverauth
from pkilint.cabf.serverauth import serverauth_constants
from pkilint.pkix import certificate
from tests.integration_certificate import register_test

this_module = sys.modules[__name__]


for certificate_type in serverauth_constants.CertificateType:
    cur_dir = path.dirname(__file__)

    # The fixture directory is the lower-cased enum member name.
    test_dir = path.join(cur_dir, "tls_br", certificate_type.name.lower())

    # NOTE(review): glob.glob() returns [] for a missing or misspelled
    # directory, so that case registers no tests instead of failing.
    files = glob.glob(path.join(test_dir, "*.crttest"))

    for file in files:
        # A fresh validator container and filter list are built per fixture.
        decoders = serverauth.create_decoding_validators()
        checks = serverauth.create_validators(certificate_type)
        validator = certificate.create_pkix_certificate_validator_container(
            decoders, checks
        )
        filters = serverauth.create_serverauth_finding_filters(certificate_type)

        file_no_ext = path.splitext(path.basename(file))[0]
        test_name = f"test_{certificate_type}_{file_no_ext}"

        # register_test is imported from tests.integration_certificate (not
        # shown here); presumably it attaches a test called test_name to
        # this_module - confirm against that package.
        register_test(this_module, file, test_name, validator, filters)

--------------------------------------------------------------------------------
/tests/integration_certificate/test_cabf_smime_cert.py:
--------------------------------------------------------------------------------
# Registers one integration test per "*.crttest" fixture found under
# smime_br/<validation level>/<generation>/, for every combination of
# smime_constants.ValidationLevel and smime_constants.Generation.
import glob
import sys
from os import path

from pkilint.cabf import smime
from pkilint.cabf.smime import smime_constants
from pkilint.pkix import certificate
from tests.integration_certificate import register_test

this_module = sys.modules[__name__]


for validation_level in smime_constants.ValidationLevel:
    for generation in smime_constants.Generation:
        cur_dir = path.dirname(__file__)

        # Both directory levels are lower-cased enum member names.
        test_dir = path.join(
            cur_dir,
            "smime_br",
            validation_level.name.lower(),
            generation.name.lower(),
        )

        # NOTE(review): a combination with no fixture directory yields an
        # empty glob result and therefore silently registers no tests.
        files = glob.glob(path.join(test_dir, "*.crttest"))

        for file in files:
            decoders = smime.create_decoding_validators()
            checks = smime.create_subscriber_validators(validation_level, generation)
            validator = certificate.create_pkix_certificate_validator_container(
                decoders, checks
            )

            file_no_ext = path.splitext(path.basename(file))[0]
            test_name = f"test_{validation_level}-{generation}_{file_no_ext}"

            # No finding filters are passed to register_test here.
            register_test(this_module, file, test_name, validator)

--------------------------------------------------------------------------------
/tests/integration_certificate/test_etsi_cert.py:
--------------------------------------------------------------------------------
# Registers one integration test per "*.crttest" fixture found under
# etsi/<certificate type>/, for every etsi_constants.CertificateType member.
import glob
import sys
from os import path

from pkilint import etsi
from pkilint.etsi import etsi_constants
from pkilint.pkix import certificate
from tests.integration_certificate import register_test

this_module = sys.modules[__name__]


for certificate_type in etsi_constants.CertificateType:
    cur_dir = path.dirname(__file__)

    # The fixture directory is the lower-cased enum member name.
    test_dir = path.join(cur_dir, "etsi", certificate_type.name.lower())

    # NOTE(review): glob.glob() returns [] for a missing or misspelled
    # directory, so that case registers no tests instead of failing.
    files = glob.glob(path.join(test_dir, "*.crttest"))

    for file in files:
        # Decoding validators are selected per certificate type here.
        decoders = etsi.create_decoding_validators(certificate_type)
        checks = etsi.create_validators(certificate_type)
        validator = certificate.create_pkix_certificate_validator_container(
            decoders, checks
        )
        filters = etsi.create_etsi_finding_filters(certificate_type)

        file_no_ext = path.splitext(path.basename(file))[0]
        test_name = f"test_{certificate_type}_{file_no_ext}"

        register_test(this_module, file, test_name, validator, filters)

--------------------------------------------------------------------------------
/tests/integration_certificate/test_pkix_cert.py:
--------------------------------------------------------------------------------
# Registers one integration test per "*.crttest" fixture found under pkix/.
# The validator is assembled from the base PKIX containers only; every
# container factory that takes a list is given an empty one.
import glob
import sys
from os import path

from pkilint.pkix import certificate, name, extension
from tests.integration_certificate import register_test

cur_dir = path.dirname(__file__)
test_dir = path.join(cur_dir, "pkix")
this_module = sys.modules[__name__]

# NOTE(review): an empty glob result registers no tests rather than failing.
files = glob.glob(path.join(test_dir, "*.crttest"))

for file in files:
    decoders = certificate.create_decoding_validators(
        name.ATTRIBUTE_TYPE_MAPPINGS, extension.EXTENSION_MAPPINGS
    )
    # Container order: issuer, validity, subject, extensions, SPKI.
    containers = [
        certificate.create_issuer_validator_container([]),
        certificate.create_validity_validator_container(),
        certificate.create_subject_validator_container([]),
        certificate.create_extensions_validator_container([]),
        certificate.create_spki_validator_container([]),
    ]
    validator = certificate.create_pkix_certificate_validator_container(
        decoders, containers
    )

    file_no_ext = path.splitext(path.basename(file))[0]
    test_name = f"test_{file_no_ext}"

    register_test(this_module, file, test_name, validator)

-------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/anypolicy_present.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFjzCCBHegAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | 
CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCAsQwggLAMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGA1UdHwQvMC0wK6ApoCeG 14 | JWh0dHA6Ly9jcmwuY2VydHNydXMuY29tL0lzc3VpbmdDQS5jcmwwGwYDVR0gBBQw 15 | EjAIBgZngQwBAgEwBgYEVR0gADBrBggrBgEFBQcBAQRfMF0wJAYIKwYBBQUHMAGG 16 | GGh0dHA6Ly9vY3NwLmNlcnRzcnVzLmNvbTA1BggrBgEFBQcwAoYpaHR0cDovL2Nh 17 | Y2VydHMuY2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCC 18 | AX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp 19 | 3GhCCp/mZ0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYz 20 | qZUyiyfuWi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyv 21 | GAB1AEiw42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQD 22 | AEYwRAIgeas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM 23 | 3gT6ct/RtJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0 24 | x70ADS1yb+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R 25 | 6Vlu1VC+mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycw 26 | DQYJKoZIhvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2 27 | u23ne/5SECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrT 28 | PjnsKDpY2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+ 29 | F4cZzLCdNmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRm 30 | ENn4AZk3z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev 31 | 3kdHqL35PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= 32 | -----END CERTIFICATE----- 33 | 34 | node_path,validator,severity,code,message 35 | certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies,SubscriberPoliciesValidator,ERROR,cabf.serverauth.subscriber_anypolicy_oid_present, 36 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/clean.crttest: 
-------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFhzCCBG+gAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCArwwggK4MB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGA1UdHwQvMC0wK6ApoCeG 14 | JWh0dHA6Ly9jcmwuY2VydHNydXMuY29tL0lzc3VpbmdDQS5jcmwwEwYDVR0gBAww 15 | CjAIBgZngQwBAgEwawYIKwYBBQUHAQEEXzBdMCQGCCsGAQUFBzABhhhodHRwOi8v 16 | b2NzcC5jZXJ0c3J1cy5jb20wNQYIKwYBBQUHMAKGKWh0dHA6Ly9jYWNlcnRzLmNl 17 | cnRzcnVzLmNvbS9Jc3N1aW5nQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF9BgorBgEE 18 | AdZ5AgQCBIIBbQSCAWkBZwB3AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf5mdM 19 | Wjp0AAABiPi9rwAAAAQDAEgwRgIhAInr/dvQgE8xMHPYGfO0O0SWM6mVMosn7lou 20 | lKdMyLyeAiEAoDkG4x8Vb/ON0LbScu6OabUj/yuKQgOhJ3QzeMSsrxgAdQBIsONr 21 | 2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAYj4va8yAAAEAwBGMEQCIHmr 22 | Nj/5IrHhLfRXFledOIVw5wuKBMvMNzuRXheNBo83AiA+uJDHaE5gTN4E+nLf0bSV 23 | kz4UCyEyrTkUP1VGXrKDFgB1ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9AA0tcm/h 24 | +tQXAAABiPi9rywAAAQDAEYwRAIgOvSSVYIOHQamIZDDn/VBPidP0elZbtVQvpse 25 | DBVIgAUCIFRidEFgm6Xl7HnxMkai8KOLa055sKZ8bNvVyzoUgwcnMA0GCSqGSIb3 26 | DQEBCwUAA4IBAQBd9/ZFYiJ+k9yeWmIrPIrxBpuyGHfO+Tbc6jH4trtt53v+UhAg 27 | /9YSv+zkfXPF7izcJTjfnwMsGZf3cH2gyn5p+sc8mX9mQQC9WEQ60z457Cg6WNqi 28 | LxSZYLrSKZ4ZVPg0hkXsjeaKCZ3z7yu5ozAOBp9Fk3CZtkP1LlbS/heHGcywnTZn 29 | 
pHbT2YPixrn8+qi+5aAZyPrhiNKynKI1C6hhCb/8TmXu7h2f31l0ZhDZ+AGZN8/q 30 | yYM8aZGzLp3gLspWvfO2/Cee63bdQmWL6CUOUpaGxF8eAxstXZCHr95HR6i9+Txu 31 | 3XxCq8enw/MZWJ1jmEp6jXrehGQQhXvmTU6f 32 | -----END CERTIFICATE----- 33 | 34 | node_path,validator,severity,code,message 35 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/crldp_dpname_name_rel_to_issuer.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFczCCBFugAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCAqgwggKkMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCIGA1UdHwQbMBkwF6AVoRMw 14 | EQYDVQQDEwpDUkwgSXNzdWVyMBMGA1UdIAQMMAowCAYGZ4EMAQIBMGsGCCsGAQUF 15 | BwEBBF8wXTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY2VydHNydXMuY29tMDUG 16 | CCsGAQUFBzAChilodHRwOi8vY2FjZXJ0cy5jZXJ0c3J1cy5jb20vSXNzdWluZ0NB 17 | LmNydDAMBgNVHRMBAf8EAjAAMIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdwB2 18 | /4g/Crb7lVHCYcz1h7o0tKTNuyncaEIKn+ZnTFo6dAAAAYj4va8AAAAEAwBIMEYC 19 | IQCJ6/3b0IBPMTBz2BnztDtEljOplTKLJ+5aLpSnTMi8ngIhAKA5BuMfFW/zjdC2 20 | 0nLujmm1I/8rikIDoSd0M3jErK8YAHUASLDja9qmRzQP5WoC+p0w6xxSActW3SyB 21 | 2bu/qznYhHMAAAGI+L2vMgAABAMARjBEAiB5qzY/+SKx4S30VxZXnTiFcOcLigTL 22 | 
zDc7kV4XjQaPNwIgPriQx2hOYEzeBPpy39G0lZM+FAshMq05FD9VRl6ygxYAdQA7 23 | U3d1Pi25gE6LMFsG/kA7Z9hPw/THvQANLXJv4frUFwAAAYj4va8sAAAEAwBGMEQC 24 | IDr0klWCDh0GpiGQw5/1QT4nT9HpWW7VUL6bHgwVSIAFAiBUYnRBYJul5ex58TJG 25 | ovCji2tOebCmfGzb1cs6FIMHJzANBgkqhkiG9w0BAQsFAAOCAQEAXff2RWIifpPc 26 | nlpiKzyK8Qabshh3zvk23Oox+La7bed7/lIQIP/WEr/s5H1zxe4s3CU4358DLBmX 27 | 93B9oMp+afrHPJl/ZkEAvVhEOtM+OewoOljaoi8UmWC60imeGVT4NIZF7I3migmd 28 | 8+8ruaMwDgafRZNwmbZD9S5W0v4XhxnMsJ02Z6R209mD4sa5/PqovuWgGcj64YjS 29 | spyiNQuoYQm//E5l7u4dn99ZdGYQ2fgBmTfP6smDPGmRsy6d4C7KVr3ztvwnnut2 30 | 3UJli+glDlKWhsRfHgMbLV2Qh6/eR0eovfk8bt18QqvHp8PzGVidY5hKeo163oRk 31 | EIV75k1Onw== 32 | -----END CERTIFICATE----- 33 | 34 | node_path,validator,severity,code,message 35 | certificate.tbsCertificate.extensions.4.extnValue.cRLDistributionPoints.0.distributionPoint,CrlDpDistributionPointNameValidator,ERROR,cabf.serverauth.crldp_dpname_prohibited_field_present, 36 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/internal_ip_address.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFjTCCBHWgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCAsIwggK+MB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MCMGA1UdEQEB/wQZMBeCD3d3dy5leGFtcGxlLmNvbYcEwKgAATAOBgNVHQ8BAf8E 13 | 
BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGA1UdHwQvMC0w 14 | K6ApoCeGJWh0dHA6Ly9jcmwuY2VydHNydXMuY29tL0lzc3VpbmdDQS5jcmwwEwYD 15 | VR0gBAwwCjAIBgZngQwBAgEwawYIKwYBBQUHAQEEXzBdMCQGCCsGAQUFBzABhhho 16 | dHRwOi8vb2NzcC5jZXJ0c3J1cy5jb20wNQYIKwYBBQUHMAKGKWh0dHA6Ly9jYWNl 17 | cnRzLmNlcnRzcnVzLmNvbS9Jc3N1aW5nQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF9 18 | BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB3AHb/iD8KtvuVUcJhzPWHujS0pM27Kdxo 19 | Qgqf5mdMWjp0AAABiPi9rwAAAAQDAEgwRgIhAInr/dvQgE8xMHPYGfO0O0SWM6mV 20 | Mosn7loulKdMyLyeAiEAoDkG4x8Vb/ON0LbScu6OabUj/yuKQgOhJ3QzeMSsrxgA 21 | dQBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAYj4va8yAAAEAwBG 22 | MEQCIHmrNj/5IrHhLfRXFledOIVw5wuKBMvMNzuRXheNBo83AiA+uJDHaE5gTN4E 23 | +nLf0bSVkz4UCyEyrTkUP1VGXrKDFgB1ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9 24 | AA0tcm/h+tQXAAABiPi9rywAAAQDAEYwRAIgOvSSVYIOHQamIZDDn/VBPidP0elZ 25 | btVQvpseDBVIgAUCIFRidEFgm6Xl7HnxMkai8KOLa055sKZ8bNvVyzoUgwcnMA0G 26 | CSqGSIb3DQEBCwUAA4IBAQBd9/ZFYiJ+k9yeWmIrPIrxBpuyGHfO+Tbc6jH4trtt 27 | 53v+UhAg/9YSv+zkfXPF7izcJTjfnwMsGZf3cH2gyn5p+sc8mX9mQQC9WEQ60z45 28 | 7Cg6WNqiLxSZYLrSKZ4ZVPg0hkXsjeaKCZ3z7yu5ozAOBp9Fk3CZtkP1LlbS/heH 29 | GcywnTZnpHbT2YPixrn8+qi+5aAZyPrhiNKynKI1C6hhCb/8TmXu7h2f31l0ZhDZ 30 | +AGZN8/qyYM8aZGzLp3gLspWvfO2/Cee63bdQmWL6CUOUpaGxF8eAxstXZCHr95H 31 | R6i9+Txu3XxCq8enw/MZWJ1jmEp6jXrehGQQhXvmTU6f 32 | -----END CERTIFICATE----- 33 | 34 | node_path,validator,severity,code,message 35 | certificate.tbsCertificate.extensions.1.extnValue.subjectAltName.1.iPAddress,GeneralNameInternalIpAddressValidator,ERROR,cabf.internal_ip_address,"Internal IP address: ""192.168.0.1""" 36 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | 
VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM 14 | AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu 15 | Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG 16 | AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m 17 | Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu 18 | Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw 19 | 42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg 20 | eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R 21 | tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y 22 | b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+ 23 | mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI 24 | hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S 25 | ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY 26 | 2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd 27 | NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3 28 | z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35 29 | PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= 30 | -----END CERTIFICATE----- 31 | 32 | node_path,validator,severity,code,message 33 | 
certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent, 34 | certificate.tbsCertificate.extensions,SubscriberRevocationInformationPresenceValidator,ERROR,cabf.serverauth.subscriber.revocation_information_absent, 35 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/long_lived_no_rev_info_issued_in_2026.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTI2MDMxNTAwMDAwMFoXDTI2MDMyMjAwMDAwMFow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM 14 | AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu 15 | Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG 16 | AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m 17 | Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu 18 | Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw 19 | 42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg 20 | eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R 21 | tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y 22 | 
b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+ 23 | mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI 24 | hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S 25 | ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY 26 | 2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd 27 | NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3 28 | z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35 29 | PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= 30 | -----END CERTIFICATE----- 31 | 32 | node_path,validator,severity,code,message 33 | certificate.tbsCertificate.extensions,SubscriberRevocationInformationPresenceValidator,ERROR,cabf.serverauth.subscriber.revocation_information_absent 34 | certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent, 35 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/missing_reserved_policy_oid.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFhzCCBG+gAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCArwwggK4MB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | 
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGA1UdHwQvMC0wK6ApoCeG 14 | JWh0dHA6Ly9jcmwuY2VydHNydXMuY29tL0lzc3VpbmdDQS5jcmwwEwYDVR0gBAww 15 | CjAIBgZngQ0BAgEwawYIKwYBBQUHAQEEXzBdMCQGCCsGAQUFBzABhhhodHRwOi8v 16 | b2NzcC5jZXJ0c3J1cy5jb20wNQYIKwYBBQUHMAKGKWh0dHA6Ly9jYWNlcnRzLmNl 17 | cnRzcnVzLmNvbS9Jc3N1aW5nQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF9BgorBgEE 18 | AdZ5AgQCBIIBbQSCAWkBZwB3AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf5mdM 19 | Wjp0AAABiPi9rwAAAAQDAEgwRgIhAInr/dvQgE8xMHPYGfO0O0SWM6mVMosn7lou 20 | lKdMyLyeAiEAoDkG4x8Vb/ON0LbScu6OabUj/yuKQgOhJ3QzeMSsrxgAdQBIsONr 21 | 2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAYj4va8yAAAEAwBGMEQCIHmr 22 | Nj/5IrHhLfRXFledOIVw5wuKBMvMNzuRXheNBo83AiA+uJDHaE5gTN4E+nLf0bSV 23 | kz4UCyEyrTkUP1VGXrKDFgB1ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9AA0tcm/h 24 | +tQXAAABiPi9rywAAAQDAEYwRAIgOvSSVYIOHQamIZDDn/VBPidP0elZbtVQvpse 25 | DBVIgAUCIFRidEFgm6Xl7HnxMkai8KOLa055sKZ8bNvVyzoUgwcnMA0GCSqGSIb3 26 | DQEBCwUAA4IBAQBd9/ZFYiJ+k9yeWmIrPIrxBpuyGHfO+Tbc6jH4trtt53v+UhAg 27 | /9YSv+zkfXPF7izcJTjfnwMsGZf3cH2gyn5p+sc8mX9mQQC9WEQ60z457Cg6WNqi 28 | LxSZYLrSKZ4ZVPg0hkXsjeaKCZ3z7yu5ozAOBp9Fk3CZtkP1LlbS/heHGcywnTZn 29 | pHbT2YPixrn8+qi+5aAZyPrhiNKynKI1C6hhCb/8TmXu7h2f31l0ZhDZ+AGZN8/q 30 | yYM8aZGzLp3gLspWvfO2/Cee63bdQmWL6CUOUpaGxF8eAxstXZCHr95HR6i9+Txu 31 | 3XxCq8enw/MZWJ1jmEp6jXrehGQQhXvmTU6f 32 | -----END CERTIFICATE----- 33 | 34 | node_path,validator,severity,code,message 35 | certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies,SubscriberPoliciesValidator,ERROR,cabf.serverauth.subscriber_missing_reserved_policy_oid,"Required policy OID ""2.23.140.1.2.1"" missing" 36 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/no_ocsp_pointer_but_has_crldp.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFYTCCBEmgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | 
VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCApYwggKSMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGA1UdHwQvMC0wK6ApoCeG 14 | JWh0dHA6Ly9jcmwuY2VydHNydXMuY29tL0lzc3VpbmdDQS5jcmwwEwYDVR0gBAww 15 | CjAIBgZngQwBAgEwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzAChilodHRwOi8v 16 | Y2FjZXJ0cy5jZXJ0c3J1cy5jb20vSXNzdWluZ0NBLmNydDAMBgNVHRMBAf8EAjAA 17 | MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdwB2/4g/Crb7lVHCYcz1h7o0tKTN 18 | uyncaEIKn+ZnTFo6dAAAAYj4va8AAAAEAwBIMEYCIQCJ6/3b0IBPMTBz2BnztDtE 19 | ljOplTKLJ+5aLpSnTMi8ngIhAKA5BuMfFW/zjdC20nLujmm1I/8rikIDoSd0M3jE 20 | rK8YAHUASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGI+L2vMgAA 21 | BAMARjBEAiB5qzY/+SKx4S30VxZXnTiFcOcLigTLzDc7kV4XjQaPNwIgPriQx2hO 22 | YEzeBPpy39G0lZM+FAshMq05FD9VRl6ygxYAdQA7U3d1Pi25gE6LMFsG/kA7Z9hP 23 | w/THvQANLXJv4frUFwAAAYj4va8sAAAEAwBGMEQCIDr0klWCDh0GpiGQw5/1QT4n 24 | T9HpWW7VUL6bHgwVSIAFAiBUYnRBYJul5ex58TJGovCji2tOebCmfGzb1cs6FIMH 25 | JzANBgkqhkiG9w0BAQsFAAOCAQEAXff2RWIifpPcnlpiKzyK8Qabshh3zvk23Oox 26 | +La7bed7/lIQIP/WEr/s5H1zxe4s3CU4358DLBmX93B9oMp+afrHPJl/ZkEAvVhE 27 | OtM+OewoOljaoi8UmWC60imeGVT4NIZF7I3migmd8+8ruaMwDgafRZNwmbZD9S5W 28 | 0v4XhxnMsJ02Z6R209mD4sa5/PqovuWgGcj64YjSspyiNQuoYQm//E5l7u4dn99Z 29 | dGYQ2fgBmTfP6smDPGmRsy6d4C7KVr3ztvwnnut23UJli+glDlKWhsRfHgMbLV2Q 30 | h6/eR0eovfk8bt18QqvHp8PzGVidY5hKeo163oRkEIV75k1Onw== 31 | -----END CERTIFICATE----- 32 | 33 | 
node_path,validator,severity,code,message 34 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/no_serverauth_eku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFfTCCBGWgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCArIwggKuMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | EwYDVR0lBAwwCgYIKwYBBQUHAwIwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2Ny 14 | bC5jZXJ0c3J1cy5jb20vSXNzdWluZ0NBLmNybDATBgNVHSAEDDAKMAgGBmeBDAEC 15 | ATBrBggrBgEFBQcBAQRfMF0wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNlcnRz 16 | cnVzLmNvbTA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMuY2VydHNydXMuY29t 17 | L0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIEggFt 18 | BIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQAAAGI+L2v 19 | AAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfuWi6Up0zIvJ4CIQCg 20 | OQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw42vapkc0D+VqAvqd 21 | MOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIgeas2P/kiseEt9FcW 22 | V504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/RtJWTPhQLITKtORQ/ 23 | VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGI+L2v 24 | LAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+mx4MFUiABQIgVGJ0 25 | QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZIhvcNAQELBQADggEB 
26 | AF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5SECD/1hK/7OR9c8Xu 27 | LNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY2qIvFJlgutIpnhlU 28 | +DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCdNmekdtPZg+LGufz6 29 | qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3z+rJgzxpkbMuneAu 30 | yla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35PG7dfEKrx6fD8xlY 31 | nWOYSnqNet6EZBCFe+ZNTp8= 32 | -----END CERTIFICATE----- 33 | 34 | node_path,validator,severity,code,message 35 | certificate.tbsCertificate.extensions.3.extnValue.extKeyUsageSyntax,SubscriberEkuAllowanceValidator,ERROR,cabf.serverauth.subscriber.serverauth_eku_absent, 36 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/prohibited_eku_present.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFkTCCBHmgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCAsYwggLCMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | JwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAzA2BgNVHR8E 14 | LzAtMCugKaAnhiVodHRwOi8vY3JsLmNlcnRzcnVzLmNvbS9Jc3N1aW5nQ0EuY3Js 15 | MBMGA1UdIAQMMAowCAYGZ4EMAQIBMGsGCCsGAQUFBwEBBF8wXTAkBggrBgEFBQcw 16 | AYYYaHR0cDovL29jc3AuY2VydHNydXMuY29tMDUGCCsGAQUFBzAChilodHRwOi8v 17 | 
Y2FjZXJ0cy5jZXJ0c3J1cy5jb20vSXNzdWluZ0NBLmNydDAMBgNVHRMBAf8EAjAA 18 | MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdwB2/4g/Crb7lVHCYcz1h7o0tKTN 19 | uyncaEIKn+ZnTFo6dAAAAYj4va8AAAAEAwBIMEYCIQCJ6/3b0IBPMTBz2BnztDtE 20 | ljOplTKLJ+5aLpSnTMi8ngIhAKA5BuMfFW/zjdC20nLujmm1I/8rikIDoSd0M3jE 21 | rK8YAHUASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGI+L2vMgAA 22 | BAMARjBEAiB5qzY/+SKx4S30VxZXnTiFcOcLigTLzDc7kV4XjQaPNwIgPriQx2hO 23 | YEzeBPpy39G0lZM+FAshMq05FD9VRl6ygxYAdQA7U3d1Pi25gE6LMFsG/kA7Z9hP 24 | w/THvQANLXJv4frUFwAAAYj4va8sAAAEAwBGMEQCIDr0klWCDh0GpiGQw5/1QT4n 25 | T9HpWW7VUL6bHgwVSIAFAiBUYnRBYJul5ex58TJGovCji2tOebCmfGzb1cs6FIMH 26 | JzANBgkqhkiG9w0BAQsFAAOCAQEAXff2RWIifpPcnlpiKzyK8Qabshh3zvk23Oox 27 | +La7bed7/lIQIP/WEr/s5H1zxe4s3CU4358DLBmX93B9oMp+afrHPJl/ZkEAvVhE 28 | OtM+OewoOljaoi8UmWC60imeGVT4NIZF7I3migmd8+8ruaMwDgafRZNwmbZD9S5W 29 | 0v4XhxnMsJ02Z6R209mD4sa5/PqovuWgGcj64YjSspyiNQuoYQm//E5l7u4dn99Z 30 | dGYQ2fgBmTfP6smDPGmRsy6d4C7KVr3ztvwnnut23UJli+glDlKWhsRfHgMbLV2Q 31 | h6/eR0eovfk8bt18QqvHp8PzGVidY5hKeo163oRkEIV75k1Onw== 32 | -----END CERTIFICATE----- 33 | 34 | node_path,validator,severity,code,message 35 | certificate.tbsCertificate.extensions.3.extnValue.extKeyUsageSyntax,SubscriberEkuAllowanceValidator,ERROR,cabf.serverauth.subscriber.codesigning_eku_present, 36 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/rsa_no_digsig.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFhzCCBG+gAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | 
tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCArwwggK4MB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCBSAw 13 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGA1UdHwQvMC0wK6ApoCeG 14 | JWh0dHA6Ly9jcmwuY2VydHNydXMuY29tL0lzc3VpbmdDQS5jcmwwEwYDVR0gBAww 15 | CjAIBgZngQwBAgEwawYIKwYBBQUHAQEEXzBdMCQGCCsGAQUFBzABhhhodHRwOi8v 16 | b2NzcC5jZXJ0c3J1cy5jb20wNQYIKwYBBQUHMAKGKWh0dHA6Ly9jYWNlcnRzLmNl 17 | cnRzcnVzLmNvbS9Jc3N1aW5nQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF9BgorBgEE 18 | AdZ5AgQCBIIBbQSCAWkBZwB3AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf5mdM 19 | Wjp0AAABiPi9rwAAAAQDAEgwRgIhAInr/dvQgE8xMHPYGfO0O0SWM6mVMosn7lou 20 | lKdMyLyeAiEAoDkG4x8Vb/ON0LbScu6OabUj/yuKQgOhJ3QzeMSsrxgAdQBIsONr 21 | 2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAYj4va8yAAAEAwBGMEQCIHmr 22 | Nj/5IrHhLfRXFledOIVw5wuKBMvMNzuRXheNBo83AiA+uJDHaE5gTN4E+nLf0bSV 23 | kz4UCyEyrTkUP1VGXrKDFgB1ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9AA0tcm/h 24 | +tQXAAABiPi9rywAAAQDAEYwRAIgOvSSVYIOHQamIZDDn/VBPidP0elZbtVQvpse 25 | DBVIgAUCIFRidEFgm6Xl7HnxMkai8KOLa055sKZ8bNvVyzoUgwcnMA0GCSqGSIb3 26 | DQEBCwUAA4IBAQBd9/ZFYiJ+k9yeWmIrPIrxBpuyGHfO+Tbc6jH4trtt53v+UhAg 27 | /9YSv+zkfXPF7izcJTjfnwMsGZf3cH2gyn5p+sc8mX9mQQC9WEQ60z457Cg6WNqi 28 | LxSZYLrSKZ4ZVPg0hkXsjeaKCZ3z7yu5ozAOBp9Fk3CZtkP1LlbS/heHGcywnTZn 29 | pHbT2YPixrn8+qi+5aAZyPrhiNKynKI1C6hhCb/8TmXu7h2f31l0ZhDZ+AGZN8/q 30 | yYM8aZGzLp3gLspWvfO2/Cee63bdQmWL6CUOUpaGxF8eAxstXZCHr95HR6i9+Txu 31 | 3XxCq8enw/MZWJ1jmEp6jXrehGQQhXvmTU6f 32 | -----END CERTIFICATE----- 33 | 34 | node_path,validator,severity,code,message 35 | certificate.tbsCertificate.extensions.2.extnValue.keyUsage,SubscriberKeyUsageValidator,WARNING,cabf.serverauth.subscriber_recommended_ku_missing,Recommended KU missing: digitalSignature 36 | 
-------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_before_effective_date.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTIzMDYwMzIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM 14 | AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu 15 | Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG 16 | AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m 17 | Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu 18 | Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw 19 | 42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg 20 | eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R 21 | tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y 22 | b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+ 23 | mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI 24 | hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S 25 | ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY 26 | 
2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd 27 | NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3 28 | z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35 29 | PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= 30 | -----END CERTIFICATE----- 31 | 32 | node_path,validator,severity,code,message 33 | certificate.tbsCertificate.extensions,SubscriberRevocationInformationPresenceValidator,ERROR,cabf.serverauth.subscriber.revocation_information_absent, 34 | certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent, 35 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_issued_in_2024.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTI0MDYwMjAwMDAwMFoXDTI0MDYxMDIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM 14 | AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu 15 | Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG 16 | AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m 17 | 
Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu 18 | Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw 19 | 42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg 20 | eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R 21 | tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y 22 | b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+ 23 | mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI 24 | hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S 25 | ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY 26 | 2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd 27 | NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3 28 | z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35 29 | PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= 30 | -----END CERTIFICATE----- 31 | 32 | node_path,validator,severity,code,message 33 | certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent, 34 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/short_lived_no_rev_info_issued_in_2026.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFKTCCBBGgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTI2MDMxNTAwMDAwMFoXDTI2MDMyMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | 
CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCAl4wggJaMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBMGA1UdIAQMMAowCAYGZ4EM 14 | AQIBMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAoYpaHR0cDovL2NhY2VydHMu 15 | Y2VydHNydXMuY29tL0lzc3VpbmdDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisG 16 | AQQB1nkCBAIEggFtBIIBaQFnAHcAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/m 17 | Z0xaOnQAAAGI+L2vAAAABAMASDBGAiEAiev929CATzEwc9gZ87Q7RJYzqZUyiyfu 18 | Wi6Up0zIvJ4CIQCgOQbjHxVv843QttJy7o5ptSP/K4pCA6EndDN4xKyvGAB1AEiw 19 | 42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABiPi9rzIAAAQDAEYwRAIg 20 | eas2P/kiseEt9FcWV504hXDnC4oEy8w3O5FeF40GjzcCID64kMdoTmBM3gT6ct/R 21 | tJWTPhQLITKtORQ/VUZesoMWAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1y 22 | b+H61BcAAAGI+L2vLAAABAMARjBEAiA69JJVgg4dBqYhkMOf9UE+J0/R6Vlu1VC+ 23 | mx4MFUiABQIgVGJ0QWCbpeXsefEyRqLwo4trTnmwpnxs29XLOhSDBycwDQYJKoZI 24 | hvcNAQELBQADggEBAF339kViIn6T3J5aYis8ivEGm7IYd875NtzqMfi2u23ne/5S 25 | ECD/1hK/7OR9c8XuLNwlON+fAywZl/dwfaDKfmn6xzyZf2ZBAL1YRDrTPjnsKDpY 26 | 2qIvFJlgutIpnhlU+DSGReyN5ooJnfPvK7mjMA4Gn0WTcJm2Q/UuVtL+F4cZzLCd 27 | NmekdtPZg+LGufz6qL7loBnI+uGI0rKcojULqGEJv/xOZe7uHZ/fWXRmENn4AZk3 28 | z+rJgzxpkbMuneAuyla987b8J57rdt1CZYvoJQ5SlobEXx4DGy1dkIev3kdHqL35 29 | PG7dfEKrx6fD8xlYnWOYSnqNet6EZBCFe+ZNTp8= 30 | -----END CERTIFICATE----- 31 | 32 | node_path,validator,severity,code,message 33 | certificate.tbsCertificate.extensions,EndEntityRevocationInformationPresenceValidator,ERROR,msft.end_entity.revocation_information_absent, 34 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/dv_final_certificate/unknown_eku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFkTCCBHmgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD 3 | 
VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV 4 | cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow 5 | ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP 6 | y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK 7 | 1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG 8 | tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks 9 | HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA 10 | CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV 11 | iDkCAwEAAaOCAsYwggLCMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG 12 | MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw 13 | JwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDYzA2BgNVHR8E 14 | LzAtMCugKaAnhiVodHRwOi8vY3JsLmNlcnRzcnVzLmNvbS9Jc3N1aW5nQ0EuY3Js 15 | MBMGA1UdIAQMMAowCAYGZ4EMAQIBMGsGCCsGAQUFBwEBBF8wXTAkBggrBgEFBQcw 16 | AYYYaHR0cDovL29jc3AuY2VydHNydXMuY29tMDUGCCsGAQUFBzAChilodHRwOi8v 17 | Y2FjZXJ0cy5jZXJ0c3J1cy5jb20vSXNzdWluZ0NBLmNydDAMBgNVHRMBAf8EAjAA 18 | MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdwB2/4g/Crb7lVHCYcz1h7o0tKTN 19 | uyncaEIKn+ZnTFo6dAAAAYj4va8AAAAEAwBIMEYCIQCJ6/3b0IBPMTBz2BnztDtE 20 | ljOplTKLJ+5aLpSnTMi8ngIhAKA5BuMfFW/zjdC20nLujmm1I/8rikIDoSd0M3jE 21 | rK8YAHUASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGI+L2vMgAA 22 | BAMARjBEAiB5qzY/+SKx4S30VxZXnTiFcOcLigTLzDc7kV4XjQaPNwIgPriQx2hO 23 | YEzeBPpy39G0lZM+FAshMq05FD9VRl6ygxYAdQA7U3d1Pi25gE6LMFsG/kA7Z9hP 24 | w/THvQANLXJv4frUFwAAAYj4va8sAAAEAwBGMEQCIDr0klWCDh0GpiGQw5/1QT4n 25 | T9HpWW7VUL6bHgwVSIAFAiBUYnRBYJul5ex58TJGovCji2tOebCmfGzb1cs6FIMH 26 | JzANBgkqhkiG9w0BAQsFAAOCAQEAXff2RWIifpPcnlpiKzyK8Qabshh3zvk23Oox 27 | +La7bed7/lIQIP/WEr/s5H1zxe4s3CU4358DLBmX93B9oMp+afrHPJl/ZkEAvVhE 28 | OtM+OewoOljaoi8UmWC60imeGVT4NIZF7I3migmd8+8ruaMwDgafRZNwmbZD9S5W 29 | 0v4XhxnMsJ02Z6R209mD4sa5/PqovuWgGcj64YjSspyiNQuoYQm//E5l7u4dn99Z 30 | dGYQ2fgBmTfP6smDPGmRsy6d4C7KVr3ztvwnnut23UJli+glDlKWhsRfHgMbLV2Q 31 | 
h6/eR0eovfk8bt18QqvHp8PzGVidY5hKeo163oRkEIV75k1Onw== 32 | -----END CERTIFICATE----- 33 | 34 | node_path,validator,severity,code,message 35 | certificate.tbsCertificate.extensions.3.extnValue.extKeyUsageSyntax,SubscriberEkuAllowanceValidator,WARNING,cabf.serverauth.subscriber.unknown_eku_present,Unknown EKU present: 1.3.6.1.5.5.7.3.99 36 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/external_cross_ca/anyeku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEozCCBEmgAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAUwwggFIMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDAZBgNVHSAEEjAQMAcGBWeBDAEBMAUGAyoDBDA6BgNVHR8E 21 | MzAxMC+gLaArhilodHRwOi8vY3JsLmNhLmV4YW1wbGUuY29tL3Jvb3RfY2FfY3Js 
22 | LmNybDB6BggrBgEFBQcBAQRuMGwwOAYIKwYBBQUHMAKGLGh0dHA6Ly9yZXBvc2l0 23 | b3J5LmNhLmV4YW1wbGUuY29tL3Jvb3RfY2EuZGVyMDAGCCsGAQUFBzABhiRodHRw 24 | Oi8vb2NzcC5jYS5leGFtcGxlLmNvbS90ZXN0LmFzcHgwDwYDVR0lBAgwBgYEVR0l 25 | ADAKBggqhkjOPQQDAgNIADBFAiEA0ogNLOEzJ/xpj2nk3+Mn9ywywdWa0XRriIAT 26 | ymaceR0CIBTMrJQ1h6CUp/etuRfBaVJm28hW7y9dIWaBWeFzCtz1 27 | -----END CERTIFICATE----- 28 | 29 | node_path,validator,severity,code,message 30 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 31 | certificate.tbsCertificate.extensions.7.extnValue.extKeyUsageSyntax,CrossCertificateAllowedEkuValidator,ERROR,cabf.serverauth.cross_ca.external_anyeku_present, 32 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/external_cross_ca/no_eku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEUzCCA/mgAwIBAgIUOZ3slKUGXk92D1qRTpltfNEfd80wCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMjMxMDI4MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | 
VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOB/TCB+jAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFFtwp5gX95/2N9L3 19 | 49xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN/6xPa2buta6bLMU4VDARBgNVHSAE 20 | CjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5jYS5leGFt 21 | cGxlLmNvbS9yb290X2NhX2NybC5jcmwwSAYIKwYBBQUHAQEEPDA6MDgGCCsGAQUF 22 | BzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5leGFtcGxlLmNvbS9yb290X2NhLmRl 23 | cjAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDSAAwRQIhAOCvgM8hveUjvBvE 24 | dhJZ9P1re/mqou9d6o9f7XcubP29AiAMA1aqNACzlZdAvhHk1o2fjCYYodSWbLbA 25 | d5cNAzPftw== 26 | -----END CERTIFICATE----- 27 | 28 | node_path,validator,severity,code,message 29 | certificate.tbsCertificate.extensions,CrossCertificateExtensionAllowanceValidator,ERROR,cabf.serverauth.cross_ca.extended_key_usage_extension_absent, 30 | certificate.tbsCertificate.extensions.3.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_external_anypolicy, 31 | certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 32 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/external_unconstrained_tls_ca/external_subca_with_anypolicy.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICqDCCAk+gAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWQmFyIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0D 7 | AQcDQgAEQiVI+I+3gv+17KN0RFLHKh5Vj71vc75eSOkyMsxFxbFsTNEMTLjVuKFx 8 | OelIgsiZJXKZNCX0FBmrfpCkKklCcqOCAR0wggEZMA8GA1UdEwEB/wQFMAMBAf8w 9 | 
DgYDVR0PAQH/BAQDAgGGMB8GA1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vU 10 | MB0GA1UdDgQWBBRbcKeYF/ef9jfS9+PcRGwhCde71DAdBgNVHSUEFjAUBggrBgEF 11 | BQcDAQYIKwYBBQUHAwIwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5jYS5l 12 | eGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwSAYIKwYBBQUHAQEEPDA6MDgGCCsG 13 | AQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5leGFtcGxlLmNvbS9yb290X2Nh 14 | LmRlcjARBgNVHSAECjAIMAYGBFUdIAAwCgYIKoZIzj0EAwIDRwAwRAIgCRHf+9P7 15 | 7CmxrdqZHXZ0kB7YJWyIAr6uCo8lQMWE9J8CIBvdHNB6tRjb15PaovGCuvsCiZ28 16 | ZftJooiIjmMh425+ 17 | -----END CERTIFICATE----- 18 | 19 | node_path,validator,severity,code,message 20 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 21 | certificate.tbsCertificate.extensions.7.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_external_anypolicy, 22 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/external_unconstrained_tls_ca/no_reserved_policy_oid.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICqDCCAk+gAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWQmFyIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0D 7 | AQcDQgAEQiVI+I+3gv+17KN0RFLHKh5Vj71vc75eSOkyMsxFxbFsTNEMTLjVuKFx 8 | OelIgsiZJXKZNCX0FBmrfpCkKklCcqOCAR0wggEZMA8GA1UdEwEB/wQFMAMBAf8w 9 | DgYDVR0PAQH/BAQDAgGGMB8GA1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vU 10 | MB0GA1UdDgQWBBRbcKeYF/ef9jfS9+PcRGwhCde71DAdBgNVHSUEFjAUBggrBgEF 11 | BQcDAQYIKwYBBQUHAwIwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5jYS5l 12 | eGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwSAYIKwYBBQUHAQEEPDA6MDgGCCsG 13 | 
AQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5leGFtcGxlLmNvbS9yb290X2Nh 14 | LmRlcjARBgNVHSAECjAIMAYGBFUdIAEwCgYIKoZIzj0EAwIDRwAwRAIgCRHf+9P7 15 | 7CmxrdqZHXZ0kB7YJWyIAr6uCo8lQMWE9J8CIBvdHNB6tRjb15PaovGCuvsCiZ28 16 | ZftJooiIjmMh425+ 17 | -----END CERTIFICATE----- 18 | 19 | node_path,validator,severity,code,message 20 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 21 | certificate.tbsCertificate.extensions.7.extnValue.certificatePolicies,CaCertificatePoliciesValidator,ERROR,cabf.serverauth.ca_missing_reserved_policy_oid, 22 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/external_unconstrained_tls_ca/non_reserved_oid_first_policy.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICsTCCAligAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWQmFyIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0D 7 | AQcDQgAEQiVI+I+3gv+17KN0RFLHKh5Vj71vc75eSOkyMsxFxbFsTNEMTLjVuKFx 8 | OelIgsiZJXKZNCX0FBmrfpCkKklCcqOCASYwggEiMA8GA1UdEwEB/wQFMAMBAf8w 9 | DgYDVR0PAQH/BAQDAgGGMB8GA1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vU 10 | MB0GA1UdDgQWBBRbcKeYF/ef9jfS9+PcRGwhCde71DAdBgNVHSUEFjAUBggrBgEF 11 | BQcDAQYIKwYBBQUHAwIwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5jYS5l 12 | eGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwSAYIKwYBBQUHAQEEPDA6MDgGCCsG 13 | AQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5leGFtcGxlLmNvbS9yb290X2Nh 14 | LmRlcjAaBgNVHSAEEzARMAYGBFUdIAEwBwYFZ4EMAQEwCgYIKoZIzj0EAwIDRwAw 15 | RAIgCRHf+9P77CmxrdqZHXZ0kB7YJWyIAr6uCo8lQMWE9J8CIBvdHNB6tRjb15Pa 16 | ovGCuvsCiZ28ZftJooiIjmMh425+ 17 | -----END CERTIFICATE----- 18 | 19 | 
node_path,validator,severity,code,message 20 | certificate.tbsCertificate.extensions.7.extnValue.certificatePolicies,CaCertificatePoliciesValidator,WARNING,cabf.serverauth.ca_first_policy_oid_not_reserved, 21 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 22 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_cross_ca/anyeku_with_serverauth.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEpTCCBEugAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAU4wggFKMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | 
K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MBkGA1UdJQQSMBAGBFUdJQAGCCsGAQUF 25 | BwMBMAoGCCqGSM49BAMCA0gAMEUCIQDSiA0s4TMn/GmPaeTf4yf3LDLB1ZrRdGuI 26 | gBPKZpx5HQIgFMyslDWHoJSn9625F8FpUmbbyFbvL10hZoFZ4XMK3PU= 27 | -----END CERTIFICATE----- 28 | 29 | node_path,validator,severity,code,message 30 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 31 | certificate.tbsCertificate.extensions.7.extnValue.extKeyUsageSyntax,CrossCertificateAllowedEkuValidator,ERROR,cabf.serverauth.cross_ca.internal_with_anyeku_and_other_eku, 32 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_cross_ca/clean.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEqTCCBE+gAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 
15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVIwggFOMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr 25 | BgEFBQcDAjAKBggqhkjOPQQDAgNIADBFAiEA0ogNLOEzJ/xpj2nk3+Mn9ywywdWa 26 | 0XRriIATymaceR0CIBTMrJQ1h6CUp/etuRfBaVJm28hW7y9dIWaBWeFzCtz1 27 | -----END CERTIFICATE----- 28 | 29 | node_path,validator,severity,code,message 30 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 31 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_cross_ca/clean_anyeku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEmzCCBEGgAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | 
ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAUQwggFAMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MA8GA1UdJQQIMAYGBFUdJQAwCgYIKoZI 25 | zj0EAwIDSAAwRQIhANKIDSzhMyf8aY9p5N/jJ/csMsHVmtF0a4iAE8pmnHkdAiAU 26 | zKyUNYeglKf3rbkXwWlSZtvIVu8vXSFmgVnhcwrc9Q== 27 | -----END CERTIFICATE----- 28 | 29 | node_path,validator,severity,code,message 30 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 31 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_cross_ca/discouraged_extension.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEvjCCBGSgAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | 
Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAWcwggFjMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr 25 | BgEFBQcDAjATBgorBgEEAdZ5AgQDAQH/BAIFADAKBggqhkjOPQQDAgNIADBFAiEA 26 | 0ogNLOEzJ/xpj2nk3+Mn9ywywdWa0XRriIATymaceR0CIBTMrJQ1h6CUp/etuRfB 27 | aVJm28hW7y9dIWaBWeFzCtz1 28 | -----END CERTIFICATE----- 29 | 30 | node_path,validator,severity,code,message 31 | certificate.tbsCertificate.extensions,CrossCertificateExtensionAllowanceValidator,WARNING,cabf.serverauth.cross_ca.unknown_extension_present,Unknown extension present: 1.3.6.1.4.1.11129.2.4.3 32 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 33 | -------------------------------------------------------------------------------- 
/tests/integration_certificate/tls_br/internal_cross_ca/missing_required_eku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEnzCCBEWgAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAUgwggFEMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MBMGA1UdJQQMMAoGCCsGAQUFBwMCMAoG 25 | CCqGSM49BAMCA0gAMEUCIQDSiA0s4TMn/GmPaeTf4yf3LDLB1ZrRdGuIgBPKZpx5 26 | HQIgFMyslDWHoJSn9625F8FpUmbbyFbvL10hZoFZ4XMK3PU= 27 | -----END CERTIFICATE----- 28 | 29 | 
node_path,validator,severity,code,message 30 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 31 | certificate.tbsCertificate.extensions.7.extnValue.extKeyUsageSyntax,CrossCertificateAllowedEkuValidator,ERROR,cabf.serverauth.cross_ca.serverauth_eku_absent, 32 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_cross_ca/no_eku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEUzCCA/mgAwIBAgIUOZ3slKUGXk92D1qRTpltfNEfd80wCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMjMxMDI4MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOB/TCB+jAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFFtwp5gX95/2N9L3 19 | 49xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN/6xPa2buta6bLMU4VDARBgNVHSAE 20 | CjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5jYS5leGFt 21 | 
cGxlLmNvbS9yb290X2NhX2NybC5jcmwwSAYIKwYBBQUHAQEEPDA6MDgGCCsGAQUF 22 | BzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5leGFtcGxlLmNvbS9yb290X2NhLmRl 23 | cjAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDSAAwRQIhAOCvgM8hveUjvBvE 24 | dhJZ9P1re/mqou9d6o9f7XcubP29AiAMA1aqNACzlZdAvhHk1o2fjCYYodSWbLbA 25 | d5cNAzPftw== 26 | -----END CERTIFICATE----- 27 | 28 | node_path,validator,severity,code,message 29 | certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 30 | certificate.tbsCertificate.extensions,CrossCertificateExtensionAllowanceValidator,WARNING,cabf.serverauth.cross_ca.extended_key_usage_extension_absent, 31 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_cross_ca/prohibited_eku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEszCCBFmgAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | 
VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVwwggFYMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MCcGA1UdJQQgMB4GCCsGAQUFBwMBBggr 25 | BgEFBQcDAgYIKwYBBQUHAwkwCgYIKoZIzj0EAwIDSAAwRQIhANKIDSzhMyf8aY9p 26 | 5N/jJ/csMsHVmtF0a4iAE8pmnHkdAiAUzKyUNYeglKf3rbkXwWlSZtvIVu8vXSFm 27 | gVnhcwrc9Q== 28 | -----END CERTIFICATE----- 29 | 30 | node_path,validator,severity,code,message 31 | certificate.tbsCertificate.extensions.7.extnValue.extKeyUsageSyntax,CrossCertificateAllowedEkuValidator,ERROR,cabf.serverauth.cross_ca.ocspsigning_eku_present, 32 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 33 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_cross_ca/unknown_eku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEqTCCBE+gAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | 
VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVIwggFOMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr 25 | BgEFBQcDYzAKBggqhkjOPQQDAgNIADBFAiEA0ogNLOEzJ/xpj2nk3+Mn9ywywdWa 26 | 0XRriIATymaceR0CIBTMrJQ1h6CUp/etuRfBaVJm28hW7y9dIWaBWeFzCtz1 27 | -----END CERTIFICATE----- 28 | 29 | node_path,validator,severity,code,message 30 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 31 | certificate.tbsCertificate.extensions.7.extnValue.extKeyUsageSyntax,CrossCertificateAllowedEkuValidator,WARNING,cabf.serverauth.cross_ca.unknown_eku_present,Unknown EKU present: 1.3.6.1.5.5.7.3.99 32 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/aia_extension_missing.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIIEKzCCA9GgAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOB1TCB0jASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAfBgNV 19 | HSMEGDAWgBRbcKeYF/ef9jfS9+PcRGwhCde71DAdBgNVHQ4EFgQU1kQAMnyoDf+s 20 | T2tm7rWumyzFOFQwEQYDVR0gBAowCDAGBgRVHSAAMDoGA1UdHwQzMDEwL6AtoCuG 21 | KWh0dHA6Ly9jcmwuY2EuZXhhbXBsZS5jb20vcm9vdF9jYV9jcmwuY3JsMB0GA1Ud 22 | JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgNIADBFAiEA0ogN 23 | LOEzJ/xpj2nk3+Mn9ywywdWa0XRriIATymaceR0CIBTMrJQ1h6CUp/etuRfBaVJm 24 | 28hW7y9dIWaBWeFzCtz1 25 | -----END CERTIFICATE----- 26 | 27 | node_path,validator,severity,code,message 28 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 29 | certificate.tbsCertificate.extensions,CaCertificateExtensionAllowanceValidator,WARNING,cabf.serverauth.ca.authority_info_access_extension_absent, 30 | 
-------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/certificate_policies_missing.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIClTCCAjygAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWQmFyIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0D 7 | AQcDQgAEQiVI+I+3gv+17KN0RFLHKh5Vj71vc75eSOkyMsxFxbFsTNEMTLjVuKFx 8 | OelIgsiZJXKZNCX0FBmrfpCkKklCcqOCAQowggEGMA8GA1UdEwEB/wQFMAMBAf8w 9 | DgYDVR0PAQH/BAQDAgGGMB8GA1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vU 10 | MB0GA1UdDgQWBBRbcKeYF/ef9jfS9+PcRGwhCde71DAdBgNVHSUEFjAUBggrBgEF 11 | BQcDAQYIKwYBBQUHAwIwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5jYS5l 12 | eGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwSAYIKwYBBQUHAQEEPDA6MDgGCCsG 13 | AQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5leGFtcGxlLmNvbS9yb290X2Nh 14 | LmRlcjAKBggqhkjOPQQDAgNHADBEAiAJEd/70/vsKbGt2pkddnSQHtglbIgCvq4K 15 | jyVAxYT0nwIgG90c0Hq1GNvXk9qi8YK6+wKJnbxl+0miiIiOYyHjbn4= 16 | -----END CERTIFICATE----- 17 | 18 | node_path,validator,severity,code,message 19 | certificate.tbsCertificate.extensions,CaCertificateExtensionAllowanceValidator,ERROR,cabf.serverauth.ca.certificate_policies_extension_absent, 20 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 21 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/clean.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIIEqTCCBE+gAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVIwggFOMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr 25 | BgEFBQcDAjAKBggqhkjOPQQDAgNIADBFAiEA0ogNLOEzJ/xpj2nk3+Mn9ywywdWa 26 | 0XRriIATymaceR0CIBTMrJQ1h6CUp/etuRfBaVJm28hW7y9dIWaBWeFzCtz1 27 | -----END CERTIFICATE----- 28 | 29 | node_path,validator,severity,code,message 30 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 31 | 
-------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/critical_aia.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIErDCCBFKgAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVUwggFRMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwfQYI 22 | KwYBBQUHAQEBAf8EbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5j 23 | YS5leGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29j 24 | c3AuY2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MB0GA1UdJQQWMBQGCCsGAQUFBwMB 25 | BggrBgEFBQcDAjAKBggqhkjOPQQDAgNIADBFAiEA0ogNLOEzJ/xpj2nk3+Mn9ywy 26 | 
wdWa0XRriIATymaceR0CIBTMrJQ1h6CUp/etuRfBaVJm28hW7y9dIWaBWeFzCtz1 27 | -----END CERTIFICATE----- 28 | 29 | node_path,validator,severity,code,message 30 | certificate.tbsCertificate.extensions.6,AuthorityInformationAccessCriticalityValidator,ERROR,pkix.authority_information_access_extension_critical,Extension 1.3.6.1.5.5.7.1.1 is critical 31 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 32 | certificate.tbsCertificate.extensions.6,CaCertificateExtensionCriticalityValidator,ERROR,cabf.serverauth.ca.critical_authority_info_access_extension, 33 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/missing_serverauth_eku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEsDCCBFagAwIBAgIUOZ3slKUGXk92D1qRTpltfNEfd80wCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMjMxMDI4MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 
8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVkwggFVMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwgYAG 22 | CCsGAQUFBwEBBHQwcjA4BggrBgEFBQcwAoYsaHR0cDovL3JlcG9zaXRvcnkuY2Eu 23 | ZXhhbXBsZS5jb20vcm9vdF9jYS5kZXIwNgYIKwYBBQUHMAGGKmh0dHA6Ly9yZXBv 24 | c2l0b3J5LmNhLmV4YW1wbGUuY29tL29jc3AuYXNweDAdBgNVHSUEFjAUBggrBgEF 25 | BQcDBAYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSAAwRQIhAOCvgM8hveUjvBvEdhJZ 26 | 9P1re/mqou9d6o9f7XcubP29AiAMA1aqNACzlZdAvhHk1o2fjCYYodSWbLbAd5cN 27 | AzPftw== 28 | -----END CERTIFICATE----- 29 | 30 | node_path,validator,severity,code,message 31 | certificate.tbsCertificate.extensions.7.extnValue.extKeyUsageSyntax,TlsCaCertificateAllowedEkuValidator,ERROR,cabf.serverauth.ca.emailprotection_eku_present, 32 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 33 | certificate.tbsCertificate.extensions.7.extnValue.extKeyUsageSyntax,TlsCaCertificateAllowedEkuValidator,ERROR,cabf.serverauth.ca.serverauth_eku_absent, 34 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/probhited_aia_access_method.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEqTCCBE+gAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | 
qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVIwggFOMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzADhixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr 25 | BgEFBQcDAjAKBggqhkjOPQQDAgNIADBFAiEA0ogNLOEzJ/xpj2nk3+Mn9ywywdWa 26 | 0XRriIATymaceR0CIBTMrJQ1h6CUp/etuRfBaVJm28hW7y9dIWaBWeFzCtz1 27 | -----END CERTIFICATE----- 28 | 29 | node_path,validator,severity,code,message 30 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 31 | certificate.tbsCertificate.extensions.6.extnValue.authorityInfoAccessSyntax,CaCertificateAuthorityInformationAccessAccessMethodPresenceValidator,ERROR,cabf.serverauth.ca.unknown_aia_access_method_present,Unknown access method present: 1.3.6.1.5.5.7.48.3 32 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/prohibited_ku.crttest: 
-------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEqTCCBE+gAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVIwggFOMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGOMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr 25 | BgEFBQcDAjAKBggqhkjOPQQDAgNIADBFAiEA0ogNLOEzJ/xpj2nk3+Mn9ywywdWa 26 | 0XRriIATymaceR0CIBTMrJQ1h6CUp/etuRfBaVJm28hW7y9dIWaBWeFzCtz1 27 | -----END CERTIFICATE----- 28 | 29 | node_path,validator,severity,code,message 30 | 
certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 31 | certificate.tbsCertificate.extensions.1.extnValue.keyUsage,CaKeyUsageValidator,ERROR,cabf.ca_certificate_prohibited_ku_present,Prohibited KUs present: keyAgreement 32 | certificate.tbsCertificate.extensions.1.extnValue.keyUsage,SpkiKeyUsageConsistencyValidator,ERROR,pkix.key_usage_value_prohibited_for_rsa,Prohibited key usage value(s) present: keyAgreement 33 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/internal_unconstrained_tls_ca/unknown_eku.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEszCCBFmgAwIBAgIUOVIapcdUSrnN9mVhkYrkAfpWTiswCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNDE5MDAwMDAwWhcNMjMxMDE2MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVwwggFYMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | 
A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwegYI 22 | KwYBBQUHAQEEbjBsMDgGCCsGAQUFBzAChixodHRwOi8vcmVwb3NpdG9yeS5jYS5l 23 | eGFtcGxlLmNvbS9yb290X2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Au 24 | Y2EuZXhhbXBsZS5jb20vdGVzdC5hc3B4MCcGA1UdJQQgMB4GCCsGAQUFBwMBBggr 25 | BgEFBQcDAgYIKwYBBQUHA2MwCgYIKoZIzj0EAwIDSAAwRQIhANKIDSzhMyf8aY9p 26 | 5N/jJ/csMsHVmtF0a4iAE8pmnHkdAiAUzKyUNYeglKf3rbkXwWlSZtvIVu8vXSFm 27 | gVnhcwrc9Q== 28 | -----END CERTIFICATE----- 29 | 30 | node_path,validator,severity,code,message 31 | certificate.tbsCertificate.extensions.7.extnValue.extKeyUsageSyntax,TlsCaCertificateAllowedEkuValidator,WARNING,cabf.serverauth.ca.unknown_eku_present,Unknown EKU present: 1.3.6.1.5.5.7.3.99 32 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 33 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/iv_final_certificate/no_extensions.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEFjCCAf6gAwIBAgIMS9Kjc1CWWKwCO6fGMA0GCSqGSIb3DQEBCwUAMEUxCzAJ 3 | BgNVBAYTAlVTMRMwEQYDVQQKEwpDZXJ0cyBSIFVzMSEwHwYDVQQDExhDZXJ0cyBS 4 | IFVzIElzc3VpbmcgQ0EgRzEwHhcNMjIwODE4MDgwNjI3WhcNMjMwOTE5MDgwNjI2 5 | WjBNMQswCQYDVQQGEwJGUjEOMAwGA1UECBMFUGFyaXMxDjAMBgNVBAcTBVBhcmlz 6 | MQ8wDQYDVQQEEwZEdXBvbnQxDTALBgNVBCoTBEplYW4wggEiMA0GCSqGSIb3DQEB 7 | AQUAA4IBDwAwggEKAoIBAQDvZ1Q8OLrqa82H/K/yWS55h9ENxRkGwl4A/TgKdd4p 8 | SycLdEeTRGYz56qTy4J28fIJZ+JUFsezN8DkQXa/io60DYQWrAupCw5qos+HnVHZ 9 | S4Fbr/WgsN22b9Wf7lseUchIEG1Av6QcOMt6ozL2dnY+fCTRKprRI7BpG5RReDId 10 | UaL49JMl++XniXI/8dFUADeMfCh1mKb9QsBHgYXLj7u+UFG/vBzhBLw30Jbc88dG 11 | tfx9KMP+CNCS4JQjlDC8F/EAFlMKAr2QApOkZ1taPkJUnFfAGdd6rZhyZY7/64UI 12 | 
Tkxf1xmeDWjR2ghC/1j8DpYeRSq1iKB/TKJ3hAlSrAmLAgMBAAEwDQYJKoZIhvcN 13 | AQELBQADggIBADw51aSHH5iLQZ3u5Qip0trL6fYNbx/zAWIsI4yW3MFIydqzBZhS 14 | grGLXKCAH5VF04TSIz7m3Gn1ydlhvTics3GzkvL0yAHTcfKOTzC15AAmzOM5gBzr 15 | 1LVz5YksLVS7xCOyLXFhH/j3a+athBNCcAei63LwHCcCYtiqfGQ551smkziPCwl6 16 | Pn2c4dBdwMHhUmKQ44yB/yrDpC4jYoOYVLWiNWUaGCC6AfxaxMTDlEV8CbJGR3BF 17 | jG491CacRaHNhgINsbYvMRi3RTtUsT8zY4CqF2zrMYbplJEzpHFWCQ5KpA7H4SZX 18 | tFsbjn2OTg/Jw4Bt3U0W6RIimHPHOsIdQQbD9mf2Nz6IDIpvUCF5lqF/3++3otMr 19 | 5cYveffCk658s+41aC1hOqT92ezDVOXrDLPqQbwFWN2D9t0EOmMYzzIEZTiQlqk3 20 | gFpZs8EeZsLpOynO6Q2kYNNZY9itlGb6SprKTJxq5FFsTc00Ng+Jt/lK3AeTa61J 21 | t4HCLLqV8QsyHfT/ZwEs7OWIJfsacTgnUUSFiJSQZuZBe0iR655xCCfE/012rbkQ 22 | sq1muGGsaXHZ+nBW3Hfd2pJyB3fU3vGdr/LGkT3i0ArRYgk3ufSJ3TCyfMMK7tDh 23 | 3KPKi+EH/VXLgzKTVlGRg6eqPRGgCYM5ThxkbJOTWUwmZF6TmlI5DUrO 24 | -----END CERTIFICATE----- 25 | 26 | node_path,validator,severity,code,message 27 | certificate.tbsCertificate,CabfExtensionsPresenceValidator,ERROR,cabf.certificate_extensions_missing, 28 | certificate,AuthorityKeyIdentifierPresenceValidator,ERROR,pkix.authority_key_identifier_extension_absent, 29 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/non_tls_ca/clean.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEsDCCBFagAwIBAgIUOZ3slKUGXk92D1qRTpltfNEfd80wCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMjMxMDI4MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 
97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVkwggFVMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwgYAG 22 | CCsGAQUFBwEBBHQwcjA4BggrBgEFBQcwAoYsaHR0cDovL3JlcG9zaXRvcnkuY2Eu 23 | ZXhhbXBsZS5jb20vcm9vdF9jYS5kZXIwNgYIKwYBBQUHMAGGKmh0dHA6Ly9yZXBv 24 | c2l0b3J5LmNhLmV4YW1wbGUuY29tL29jc3AuYXNweDAdBgNVHSUEFjAUBggrBgEF 25 | BQcDBAYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSAAwRQIhAOCvgM8hveUjvBvEdhJZ 26 | 9P1re/mqou9d6o9f7XcubP29AiAMA1aqNACzlZdAvhHk1o2fjCYYodSWbLbAd5cN 27 | AzPftw== 28 | -----END CERTIFICATE----- 29 | 30 | node_path,validator,severity,code,message 31 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 32 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/non_tls_ca/no_keycertsign_bit.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEsDCCBFagAwIBAgIUOZ3slKUGXk92D1qRTpltfNEfd80wCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMjMxMDI4MjM1OTU5 5 | WjBIMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | 
ZDEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOC 7 | Ag8AMIICCgKCAgEAs4tJYOY75qjbqJqCl47x9jJE5Vd9jPWGFtXKV1nUnMjZNsM4 8 | qjy5sRHBSX5bUa9pLyYR5on3Z1SAwLD0w2VPQ6+F/oyK1zTgQqitoF/XZQjgC6D3 9 | VsNEO76DPqfRANT7Nn7r1gvbZIZ3/H3rlCRNrRr47tHGWBLAPnxz9/NY6UG8ZkWP 10 | 97uXpJqYoRgH4CwaO5rTOlc64YDh/0Mq5VgMycq/q2AvMlvNoJfoe8em1040qH1g 11 | ikP+suT/8fS452hqmEddtRpuvQgXKldBd0kkiyFVyLkG4NVA6Mso9MAK3J/kdYoa 12 | w2SrOeThVSiYVEQVP+7GrUxTSLLjj/VQ9fpYM5eTNzDICIG/Ee7o/jhtW1EoSamD 13 | mUOr89lyIHaXuOwkEaJhnVXKBCM8WiztxvKG2CnQ6Dcge3ZSmqJEhyEmjcAVC7ew 14 | fnMxOnE+WJW6rzrf+mA5WMVn+FzyWx2AondWow0aUKHkaY7amhIrsKp6YPfNImyx 15 | Flz8+cqDCmBswPsUh/JJ5eDHHIhibFcSgIHedsEjhLbUSLZ/DnEjru90qIWWA3R1 16 | VIPykKfeZkZeInsrFzGPikkFKwFF+6KDdyvCmltYEqzO46tigXAZ5UgH8oiXEre4 17 | 8wO6X+FH+cLzQ0q3A8HZRnNDgqCjU/Tgy76iaku/Ic6eteedR1fX3gJ/IOUCAwEA 18 | AaOCAVkwggFVMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGCMB8G 19 | A1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBTWRAAyfKgN 20 | /6xPa2buta6bLMU4VDARBgNVHSAECjAIMAYGBFUdIAAwOgYDVR0fBDMwMTAvoC2g 21 | K4YpaHR0cDovL2NybC5jYS5leGFtcGxlLmNvbS9yb290X2NhX2NybC5jcmwwgYAG 22 | CCsGAQUFBwEBBHQwcjA4BggrBgEFBQcwAoYsaHR0cDovL3JlcG9zaXRvcnkuY2Eu 23 | ZXhhbXBsZS5jb20vcm9vdF9jYS5kZXIwNgYIKwYBBQUHMAGGKmh0dHA6Ly9yZXBv 24 | c2l0b3J5LmNhLmV4YW1wbGUuY29tL29jc3AuYXNweDAdBgNVHSUEFjAUBggrBgEF 25 | BQcDBAYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSAAwRQIhAOCvgM8hveUjvBvEdhJZ 26 | 9P1re/mqou9d6o9f7XcubP29AiAMA1aqNACzlZdAvhHk1o2fjCYYodSWbLbAd5cN 27 | AzPftw== 28 | -----END CERTIFICATE----- 29 | 30 | node_path,validator,severity,code,message 31 | certificate.tbsCertificate.extensions.1.extnValue.keyUsage,CaKeyUsageValidator,ERROR,cabf.ca_certificate_required_ku_missing,keyCertSign not asserted 32 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 33 | 
certificate.tbsCertificate.extensions.1.extnValue.keyUsage,KeyUsageValidator,ERROR,pkix.ca_certificate_keycertsign_keyusage_not_set, 34 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/ocsp_responder/certificate_policies_present.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIE5jCCAs6gAwIBAgIUfLYbDIdrGlOE1mReAeGnClpAHSQwDQYJKoZIhvcNAQEL 3 | BQAwXTELMAkGA1UEBhMCTkwxIDAeBgNVBAoMF1F1b1ZhZGlzIFRydXN0bGluayBC 4 | LlYuMSwwKgYDVQQDDCNRdW9WYWRpcyBQS0lvdmVyaGVpZCBTZXJ2ZXIgQ0EgMjAy 5 | MDAeFw0yMTEwMDUxOTA5MjFaFw0yMjEwMDUxOTA5MjBaMFsxCzAJBgNVBAYTAk5M 6 | MSAwHgYDVQQKDBdRdW9WYWRpcyBUcnVzdGxpbmsgQi5WLjEqMCgGA1UEAwwhUXVv 7 | VmFkaXMgT0NTUCBBdXRob3JpdHkgU2lnbmF0dXJlMIIBIjANBgkqhkiG9w0BAQEF 8 | AAOCAQ8AMIIBCgKCAQEApaX2P2u9vF2vnv7vSthWbJXNVR2nejFQegxsrowoTVHr 9 | ilVYSDYZr5IzPE3K+ifjSGywbISycdvoZUdbT/WIsG3PMiAEWpU5Z8dA4chLtQNU 10 | aAJpzuRaa7yKmaB4l/OSi6YCpsgaK6FTPsaV0+1uDEKxbuYT6QBoKdgpybW7a2xW 11 | Y0tIIOSX743RdW9BJ+kHgPJxQsNRC3xKVCHdoq8mJaBO677fwx//fxurH8fa11Su 12 | E7SAfFE8igAB6IhrmASu2LzUjoJRTr2jjFjHomtoCoyeqD3Mvx3VLZZ1Jdintg8r 13 | 82sMChQ2RLIE7zaJqcGvyBS9ROwbohhzWOwm9QMVoQIDAQABo4GfMIGcMAwGA1Ud 14 | EwEB/wQCMAAwHwYDVR0jBBgwFoAUIrc9wE5mb1ioc7AS3/+7044TmOcwFgYDVR0g 15 | BA8wDTALBglghBABh2sBAgcwDwYJKwYBBQUHMAEFBAIFADATBgNVHSUEDDAKBggr 16 | BgEFBQcDCTAdBgNVHQ4EFgQUrNsRFLDBgHnB3Sx0uldlq+t7L44wDgYDVR0PAQH/ 17 | BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4ICAQCVy8WApNgZiPOzlsBsHsLQVwlvn+yv 18 | wHb7A1xhqO06Q1DIrQOn6+FL7z9EQqOshabFY8dpvAhgvroyxseWAX+JYERo6ZHa 19 | vjet4layaf1bJTTfBsYQ38pskFPgN8GngbAjZR5Cs5J3XB/KveKMKHjWiw7PvGmG 20 | mKQrD0sMCcwhU30MWSMooMBwebm3XVNFQMMUJk54GvSgoUXqr6bhOQnXjN4hwnI7 21 | b5MMP687F3SfTqAglaJlBbvHhXedZNjV46dU906MU3Bk/gUZZB9ZkrLOMGwJ6cRo 22 | tJNh1nAGwXbr4VHlJuZEci7ahIpOgYzG+o3CqSEhUX+sPQt9gtIy/5mtx1FHjdlr 23 | xkfDRYSDUtmHfuHeNho4a7cR6Xi1qEMp7GxzJaeoE7RycCjx1DnESQY35CxC2TlJ 24 | 
bSL6YYptny5+jriFKftyaNTW1wrlwAsesP3W8FJhhhqk3Jqyw3xwHkfAt+PCYoMv 25 | CFYRWuWovQTIJHkAxB3T0yVKaMETLL84oVtnmUz5Pza5PpQcblt5E/fZw5jnPKYy 26 | ZsWniTagBnFsoLle23qhOzzNdYMU942mkz2r4+h49y7ea/Ar+pSICz1q/cCjZBSc 27 | hj/r4FrfgQ0kWsm0qu0+MyfTIqmb+MqXvpniFDMg+hGQB7FQmmc36cZ8Rfk+3dPu 28 | 3DCcfrdQvirO2g== 29 | -----END CERTIFICATE----- 30 | 31 | node_path,validator,severity,code,message 32 | certificate.tbsCertificate.extensions.5.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 33 | certificate.tbsCertificate.extensions,OcspExtensionAllowanceValidator,ERROR,cabf.serverauth.ocsp_responder.certificate_policies_extension_present, 34 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/ocsp_responder/clean.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIE0TCCArmgAwIBAgIUTVurD3tDHZq3FW2Yo/KgCyRteOkwDQYJKoZIhvcNAQEL 3 | BQAwYDELMAkGA1UEBhMCVVMxMDAuBgNVBAoMJ0h5ZHJhbnRJRCAoQXZhbGFuY2hl 4 | IENsb3VkIENvcnBvcmF0aW9uKTEfMB0GA1UEAwwWSHlkcmFudElEIEVWIFNTTCBD 5 | QSBHMjAeFw0yMjA3MDYxMzI3NTBaFw0yMzA3MDYxMzI3NDlaMFsxCzAJBgNVBAYT 6 | Ak5MMSAwHgYDVQQKDBdRdW9WYWRpcyBUcnVzdGxpbmsgQi5WLjEqMCgGA1UEAwwh 7 | UXVvVmFkaXMgT0NTUCBBdXRob3JpdHkgU2lnbmF0dXJlMIIBIjANBgkqhkiG9w0B 8 | AQEFAAOCAQ8AMIIBCgKCAQEArsE6wD5L8d0DZpEFGIF2mPYvO1Yvh9wfqRA2Hfjd 9 | bVJYO2CPNYdLoaoazM6EGUa4TnPtvOAVlRT4FKz3xUecDGbfz+b2iXQNvgzFBU4/ 10 | jpLMhKgpRHC+6o+ISAxT86svevlzPapLggMEoYoJBPMFGJK5wyA3iR0JYL1sEyZf 11 | jF7a1TnP9FrskxK7k+Qrj936B8Vs4c+73LSaWmffwicru2CHqvk2pMH5WBmLXc+n 12 | RmqRJ5rGOvAFp9hq9WMgvqVDG7ZJxpR6pD4QKMAcEUoPQHpvo2hLf2urTQKVoDtu 13 | zfJcZtMQKz2VleQOZYY4A7KF6dooGL6pdEbf0b4MaBgqLQIDAQABo4GHMIGEMAwG 14 | A1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUtoWFXyB8D8FScaKE9a6DsBXg0EIwDwYJ 15 | KwYBBQUHMAEFBAIFADATBgNVHSUEDDAKBggrBgEFBQcDCTAdBgNVHQ4EFgQURMGd 16 | 
Q2lFSy8cL4i1rI7Kxn+ES90wDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUA 17 | A4ICAQBydsrhGSaa6Iyl1HJI4RZ7/K+jk/MxzAdHBKIGMcJsFFDMQmVzsq4OUXdP 18 | EaBSSwxzzZGvCQnhwDqIDrSTw3EeJm5gMIkrBY8LnQucr9tJi7LRvIfkiO90MGLM 19 | UkRYhuC7sslPS1ukkM4PuJ4/nzutYI+tb7hJspS81F17a6cVJjKMJGkSUiNa23ur 20 | 68OD/klYBJcNFSR6AmLldXFQpXP74iDlksiGL/dXkSOU70m+4/HFoXc6Ow8aE2nz 21 | 15Icm7d33wmcikU5Esvl7A5PQm+zdgcVdJarmylMmG4SC9vFyLIv9c1icZZpmznd 22 | cfXEM/wKgqai1hz3iJ8sbo3jo2yYD1CF1Qo8bd0nNWuFu9KvM2dVd0cDtE2W3+GA 23 | JSCd47x90DCaelsxTH3z3BraaJH2eHUyr+Z3tXZMwLVICjwjalIDy+aOXIHZqRRK 24 | Xzhmb9Wiw9lbkxJ82mReCqOkG7BSZcvik7tM9GPINmie+2BQNYp9OKqpZdLfS578 25 | r6T7OGla9Wt5djbFnC7I7YG5wUy5gnMvjpBKz0frbY0fmDUwtZkZFvn5hlREU/5Q 26 | XKHH3e78oa2THM02VaZD/O2EiFIYHSF3iaV+Wl40ZLUEeYla08fGBGKWEwYhZM5q 27 | 4X1LgeIZkiwVTG8t904g/3tHmoRAskFCIJI1+hRi1ZQWh3xMYw== 28 | -----END CERTIFICATE----- 29 | 30 | node_path,validator,severity,code,message 31 | certificate.tbsCertificate.extensions.4.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 32 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/ocsp_responder/nonrepudiation_ku_present.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIID8TCCAtmgAwIBAgIQFxH6oMhSQeXXZPvR6pKC9zANBgkqhkiG9w0BAQsFADB7 3 | MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMgUy5B 4 | LjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MR8wHQYD 5 | VQQDExZDZXJ0dW0gQ29kZSBTaWduaW5nIENBMB4XDTIyMDkxNTA4NTAzN1oXDTIz 6 | MDkxNTA4NTAzNlowZDELMAkGA1UEBhMCUEwxITAfBgNVBAoMGEFzc2VjbyBEYXRh 7 | IFN5c3RlbXMgUy5BLjEyMDAGA1UEAwwpQ2VydHVtIENvZGUgU2lnbmluZyBDQSBW 8 | YWxpZGF0aW9uIFNlcnZpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB 9 | AQDRThvqzqpOoQe2rKTf8PsjbO03dY0mVcNU+E9VQ5x6f+qzTnOg02MmPnPLp88y 10 | BGPONqDwpG0AVJNNMNTqPnP9ZL4lyfvBIl5iBX40x8KbkaepFUWT94LNnhttIOm/ 11 | 
mFubxmRXwTumS9jrTixHHkxrCeMoWG8/f80gWLEMUNoM6zuc4I+HB45UaXWe/HO4 12 | Za4n4gikx3INBsQs7sbNgtCS+PtfrwQ9Ohjll48DO0jxFs8I+xr8iKsZEGVfddTX 13 | UuNtLq/dyaiAr8VoM3DLIInIyNWRbklDmfLDSsRxeDpP9u3XqXuQMZM8uMNWXwMT 14 | 5l1h1X3NnHQgPgLSG+/c2s5rAgMBAAGjgYcwgYQwDAYDVR0TAQH/BAIwADAfBgNV 15 | HSMEGDAWgBR4L5DxSlzMNFEdgCPyEht9GiPBjzAdBgNVHQ4EFgQUArFuDlbev+0i 16 | KSHgT9AauYv4tlMwDgYDVR0PAQH/BAQDAgbAMBMGA1UdJQQMMAoGCCsGAQUFBwMJ 17 | MA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQELBQADggEBAMeBr3R8s3idQqHi 18 | t7JdZucW7EZh1xBV+WGp+U5IY53jbf/3b7TOt2trStpPwp0tvvxHytQpnRC0x3Gs 19 | OOCbS7EuJsh0v8ey65gcSuh7eqGEmJ1UN6zYHw4oI27ojhJU+cj9i2CHNwaofhhm 20 | vcpYMrfnNZOOAo5nWvp09vbI0oGodlYa/4QXKgtcZ9o7zNjXgXs0H86PjwT2s+xw 21 | osGvC1pPgvf66eCEd56dP5OrHvXn+CtDsZASvjp6cmFVz4Zr4U3HODDQHADPnRgK 22 | MGUco4BJl+/wjHlCqItEp5D/Bo5SCDHFrqE53ZlQmOXbzKVEaxtqsZWwBM7ozKlN 23 | /RJCpL8= 24 | -----END CERTIFICATE----- 25 | 26 | node_path,validator,severity,code,message 27 | certificate.tbsCertificate.extensions.3.extnValue.keyUsage,OcspResponderKeyUsageValidator,ERROR,cabf.serverauth.ocsp_responder.prohibited_ku_present,Prohibited KUs present: nonRepudiation 28 | certificate.tbsCertificate.extensions.2.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 29 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/aki_ski_not_equal.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIB5DCCAYugAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBAMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEQMA4GA1UEAwwHUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEIl 7 | SPiPt4L/teyjdERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41bihcTnpSILImSVy 8 | 
mTQl9BQZq36QpCpJQnKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD 9 | AgGGMB8GA1UdIwQYMBaAFGtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBRb 10 | cKeYF/ef9jfS9+PcRGwhCde71DAKBggqhkjOPQQDAgNHADBEAiAJEd/70/vsKbGt 11 | 2pkddnSQHtglbIgCvq4KjyVAxYT0nwIgG90c0Hq1GNvXk9qi8YK6+wKJnbxl+0mi 12 | iIiOYyHjbn4= 13 | -----END CERTIFICATE----- 14 | 15 | node_path,validator,severity,code,message 16 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 17 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,RootAkiSkiEqualityValidator,ERROR,cabf.serverauth.root_aki_ski_not_equal,"SKI octets: ""5b70a79817f79ff637d2f7e3dc446c2109d7bbd4"", AKI octets: ""6b70a79817f79ff637d2f7e3dc446c2109d7bbd4""" 18 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/clean.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIB5DCCAYugAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBAMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEQMA4GA1UEAwwHUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEIl 7 | SPiPt4L/teyjdERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41bihcTnpSILImSVy 8 | mTQl9BQZq36QpCpJQnKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD 9 | AgGGMB8GA1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBRb 10 | cKeYF/ef9jfS9+PcRGwhCde71DAKBggqhkjOPQQDAgNHADBEAiAJEd/70/vsKbGt 11 | 2pkddnSQHtglbIgCvq4KjyVAxYT0nwIgG90c0Hq1GNvXk9qi8YK6+wKJnbxl+0mi 12 | iIiOYyHjbn4= 13 | -----END CERTIFICATE----- 14 | 15 | node_path,validator,severity,code,message 16 | 
certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 17 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/eku_present.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICBTCCAaygAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBAMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEQMA4GA1UEAwwHUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEIl 7 | SPiPt4L/teyjdERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41bihcTnpSILImSVy 8 | mTQl9BQZq36QpCpJQnKjgYMwgYAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E 9 | BAMCAYYwHwYDVR0jBBgwFoAUW3CnmBf3n/Y30vfj3ERsIQnXu9QwHQYDVR0OBBYE 10 | FFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF 11 | BQcDAjAKBggqhkjOPQQDAgNHADBEAiAJEd/70/vsKbGt2pkddnSQHtglbIgCvq4K 12 | jyVAxYT0nwIgG90c0Hq1GNvXk9qi8YK6+wKJnbxl+0miiIiOYyHjbn4= 13 | -----END CERTIFICATE----- 14 | 15 | node_path,validator,severity,code,message 16 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 17 | certificate.tbsCertificate.extensions,RootExtensionAllowanceValidator,ERROR,cabf.serverauth.root.extended_key_usage_extension_present, 18 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/issuer_unique_id_present.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIB6DCCAY+gAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | 
EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBAMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEQMA4GA1UEAwwHUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEIl 7 | SPiPt4L/teyjdERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41bihcTnpSILImSVy 8 | mTQl9BQZq36QpCpJQnKBAgGGo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB 9 | /wQEAwIBhjAfBgNVHSMEGDAWgBRbcKeYF/ef9jfS9+PcRGwhCde71DAdBgNVHQ4E 10 | FgQUW3CnmBf3n/Y30vfj3ERsIQnXu9QwCgYIKoZIzj0EAwIDRwAwRAIgCRHf+9P7 11 | 7CmxrdqZHXZ0kB7YJWyIAr6uCo8lQMWE9J8CIBvdHNB6tRjb15PaovGCuvsCiZ28 12 | ZftJooiIjmMh425+ 13 | -----END CERTIFICATE----- 14 | 15 | node_path,validator,severity,code,message 16 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 17 | certificate.tbsCertificate,IssuerUniqueIdAbsenceValidator,ERROR,pkix.issuer_unique_id_present, 18 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/no_aki_extension.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ 3 | RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD 4 | VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX 5 | DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y 6 | ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy 7 | VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr 8 | mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr 9 | IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK 10 | mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu 11 | XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy 12 | dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye 13 | 
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1 14 | BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 15 | DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92 16 | 9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx 17 | jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0 18 | Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz 19 | ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS 20 | R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp 21 | -----END CERTIFICATE----- 22 | 23 | node_path,validator,severity,code,message 24 | certificate.tbsCertificate.extensions.1.extnValue.basicConstraints,RootBasicConstraintsValidator,WARNING,cabf.serverauth.root_basic_constraints_pathlenconstraint_present, 25 | certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.organizational_unit_name_attribute_present, 26 | certificate.tbsCertificate.signature,ServerauthAllowedSignatureAlgorithmEncodingValidator,ERROR,cabf.serverauth.prohibited_signature_algorithm_encoding,Prohibited encoding: 300d06092a864886f70d0101050500 27 | certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 28 | certificate.tbsCertificate.extensions,RootExtensionAllowanceValidator,WARNING,cabf.serverauth.root.authority_key_identifier_extension_absent, 29 | certificate.tbsCertificate.extensions.2.extnValue.keyUsage,CaKeyUsageValidator,NOTICE,cabf.ca_certificate_no_digital_signature_bit, 30 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/no_bc_ca_bit.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIB4TCCAYigAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | 
QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBAMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEQMA4GA1UEAwwHUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEIl 7 | SPiPt4L/teyjdERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41bihcTnpSILImSVy 8 | mTQl9BQZq36QpCpJQnKjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgGG 9 | MB8GA1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBRbcKeY 10 | F/ef9jfS9+PcRGwhCde71DAKBggqhkjOPQQDAgNHADBEAiAJEd/70/vsKbGt2pkd 11 | dnSQHtglbIgCvq4KjyVAxYT0nwIgG90c0Hq1GNvXk9qi8YK6+wKJnbxl+0miiIiO 12 | YyHjbn4= 13 | -----END CERTIFICATE----- 14 | 15 | node_path,validator,severity,code,message 16 | certificate.tbsCertificate.extensions.0.extnValue.basicConstraints,CaBasicConstraintsValidator,ERROR,cabf.serverauth.ca_basic_constraints_ca_bit_not_set, 17 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 18 | certificate.tbsCertificate.extensions.1.extnValue.keyUsage,KeyUsageValidator,ERROR,pkix.ee_certificate_keycertsign_keyusage_set, 19 | certificate.tbsCertificate.extensions.0.extnValue.basicConstraints,RootBasicConstraintsValidator,ERROR,cabf.serverauth.root_basic_constraints_ca_not_present, 20 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/no_ku_extension.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDdTCCAl2gAwIBAgIBATANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJLUjEN 3 | MAsGA1UECgwES0lTQTEuMCwGA1UECwwlS29yZWEgQ2VydGlmaWNhdGlvbiBBdXRo 4 | b3JpdHkgQ2VudHJhbDEWMBQGA1UEAwwNS0lTQSBSb290Q0EgNDAeFw0xMDA3MTIw 5 | OTI2MjFaFw0zMDA3MTIwOTI2MjFaMGQxCzAJBgNVBAYTAktSMQ0wCwYDVQQKDARL 6 | SVNBMS4wLAYDVQQLDCVLb3JlYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBDZW50 7 | 
cmFsMRYwFAYDVQQDDA1LSVNBIFJvb3RDQSA0MIIBIjANBgkqhkiG9w0BAQEFAAOC 8 | AQ8AMIIBCgKCAQEAxepOYmiYpxFdu6SCSVgMCrAgswLbRSYg/+0tah/CjIHMn2Ja 9 | 506fpsyfhyN/pX4nfEFXhQsVtTaGNAkB+/cfrPOaupueh4pbwZc7KYo4maUtK7tD 10 | j3F6iuxaa7jwAWW2/FKY0jQfBkVV9V+jfPVDJokEFGNn63zYiLcIQBaoPcQ/mJ8P 11 | KR+gGBhgUFxIWKQvi+5croilzcu+Igm/nv93uqdBUCroBo3ttTo+IfUHuj13nOO8 12 | VbABGRA53JPV4V3iDQBG3WPgSVjak/AQf7MP8F7HyGr42/oFI8Lb+O9W4MWGMamy 13 | YkidxGBdrcb61qcjQQnDNWrbFsOrmKwJYv28MwIDAQABozIwMDAdBgNVHQ4EFgQU 14 | yNCOx0muHyBCskt/E8l3WAyhzcEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B 15 | AQsFAAOCAQEAm/GuDMpPb886Fk8nTUHVaG8gWq8JwN2sONS84IrQOn0KqM1zYGXu 16 | Xhv8H2HKeBahLKRBQKfXqfo9WSdtdTLw3Awo1EGVQDnMYpaNMHI3fulEJ8ZCWwPC 17 | zu4BsG583iYnG+54Oatjr5AUU0vZGMNBsMVkZf0aFg9PCJ0PSKg/iFQb48prJ0Iy 18 | 5k7KXllIisQNuZlyreATdtNU0ajYW9WHXFYC/warjyd7bSz9KmUuMjQ3xA5LW3dk 19 | C1QLa+RHgg5lNlMNMr+sq3+cFY8LncxMby9jqL7Wx37fjdqbQ5kwjHcnSHFe9AHu 20 | 6GSd/425e2ApHFXDYnh6+m0bGkNNrg8/GQ== 21 | -----END CERTIFICATE----- 22 | 23 | node_path,validator,severity,code,message 24 | certificate.tbsCertificate.subject.rdnSequence,CaRequiredSubjectAttributesValidator,ERROR,cabf.serverauth.ca.organizational_unit_name_attribute_present, 25 | certificate.tbsCertificate.extensions.0.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 26 | certificate.tbsCertificate.extensions,RootExtensionAllowanceValidator,WARNING,cabf.serverauth.root.authority_key_identifier_extension_absent, 27 | certificate.tbsCertificate.extensions,RootExtensionAllowanceValidator,ERROR,cabf.serverauth.root.key_usage_extension_absent, 28 | certificate.tbsCertificate.extensions,KeyUsagePresenceValidator,ERROR,pkix.ca_certificate_no_ku_extension, 29 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/not_self_issued.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN 
CERTIFICATE----- 2 | MIIB5DCCAYugAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkJhciBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBAMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEQMA4GA1UEAwwHUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEIl 7 | SPiPt4L/teyjdERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41bihcTnpSILImSVy 8 | mTQl9BQZq36QpCpJQnKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD 9 | AgGGMB8GA1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBRb 10 | cKeYF/ef9jfS9+PcRGwhCde71DAKBggqhkjOPQQDAgNHADBEAiAJEd/70/vsKbGt 11 | 2pkddnSQHtglbIgCvq4KjyVAxYT0nwIgG90c0Hq1GNvXk9qi8YK6+wKJnbxl+0mi 12 | iIiOYyHjbn4= 13 | -----END CERTIFICATE----- 14 | 15 | node_path,validator,severity,code,message 16 | certificate.tbsCertificate.subject,RootSubjectIssuerIdenticalEncodingValidator,ERROR,cabf.serverauth.root_subject_issuer_name_encoding_not_equal,DER encoding of certificate.tbsCertificate.subject and certificate.tbsCertificate.issuer are not equal 17 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 18 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/subject_unique_id_present.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIB6DCCAY+gAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMzMwNDI1MjM1OTU5 5 | WjBAMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEQMA4GA1UEAwwHUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEIl 7 | SPiPt4L/teyjdERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41bihcTnpSILImSVy 8 | mTQl9BQZq36QpCpJQnKCAgGGo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB 9 | 
/wQEAwIBhjAfBgNVHSMEGDAWgBRbcKeYF/ef9jfS9+PcRGwhCde71DAdBgNVHQ4E 10 | FgQUW3CnmBf3n/Y30vfj3ERsIQnXu9QwCgYIKoZIzj0EAwIDRwAwRAIgCRHf+9P7 11 | 7CmxrdqZHXZ0kB7YJWyIAr6uCo8lQMWE9J8CIBvdHNB6tRjb15PaovGCuvsCiZ28 12 | ZftJooiIjmMh425+ 13 | -----END CERTIFICATE----- 14 | 15 | node_path,validator,severity,code,message 16 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 17 | certificate.tbsCertificate,SubjectUniqueIdAbsenceValidator,ERROR,pkix.subject_unique_id_present, 18 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/validity_period_too_long.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIB5DCCAYugAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNNDkwNDI1MjM1OTU5 5 | WjBAMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEQMA4GA1UEAwwHUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEIl 7 | SPiPt4L/teyjdERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41bihcTnpSILImSVy 8 | mTQl9BQZq36QpCpJQnKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD 9 | AgGGMB8GA1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBRb 10 | cKeYF/ef9jfS9+PcRGwhCde71DAKBggqhkjOPQQDAgNHADBEAiAJEd/70/vsKbGt 11 | 2pkddnSQHtglbIgCvq4KjyVAxYT0nwIgG90c0Hq1GNvXk9qi8YK6+wKJnbxl+0mi 12 | iIiOYyHjbn4= 13 | -----END CERTIFICATE----- 14 | 15 | node_path,validator,severity,code,message 16 | certificate.tbsCertificate.validity.notBefore,RootValidityPeriodValidator,ERROR,cabf.serverauth.root_validity_period_too_long,"Validity period of 9492 days, 0:00:00 exceeds maximum value of relativedelta(days=+9132)" 17 | 
certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 18 | -------------------------------------------------------------------------------- /tests/integration_certificate/tls_br/root_ca/validity_period_too_short.crttest: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIB5DCCAYugAwIBAgIUc/TEV61o3Z3SDDrpgo/kfWsJlRAwCgYIKoZIzj0EAwIw 3 | QDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0ZWQx 4 | EDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwNTAxMDAwMDAwWhcNMjQwNDI1MjM1OTU5 5 | WjBAMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWRm9vIEluZHVzdHJpZXMgTGltaXRl 6 | ZDEQMA4GA1UEAwwHUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEIl 7 | SPiPt4L/teyjdERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41bihcTnpSILImSVy 8 | mTQl9BQZq36QpCpJQnKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD 9 | AgGGMB8GA1UdIwQYMBaAFFtwp5gX95/2N9L349xEbCEJ17vUMB0GA1UdDgQWBBRb 10 | cKeYF/ef9jfS9+PcRGwhCde71DAKBggqhkjOPQQDAgNHADBEAiAJEd/70/vsKbGt 11 | 2pkddnSQHtglbIgCvq4KjyVAxYT0nwIgG90c0Hq1GNvXk9qi8YK6+wKJnbxl+0mi 12 | iIiOYyHjbn4= 13 | -----END CERTIFICATE----- 14 | 15 | node_path,validator,severity,code,message 16 | certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified, 17 | certificate.tbsCertificate.validity.notBefore,RootValidityPeriodValidator,ERROR,cabf.serverauth.root_validity_period_too_short,"Validity period of 361 days, 0:00:00 is below minimum value of relativedelta(days=+2922)" 18 | -------------------------------------------------------------------------------- /tests/integration_crl/__init__.py: -------------------------------------------------------------------------------- 1 | import functools 2 | from pathlib import Path 3 | 4 | from pkilint import loader 5 | from tests import integration_test_common 6 | 7 | _FIXTURE_DIR = Path(__file__).parent.resolve() 
8 | 9 | _CRL_END_ASCII_ARMOR = "-----END X509 CRL-----" 10 | 11 | 12 | def register_test(module, file, test_name, validator): 13 | if hasattr(module, test_name): 14 | raise ValueError(f"Duplicate test name in {module}: {test_name}") 15 | 16 | setattr( 17 | module, 18 | test_name, 19 | functools.partial( 20 | integration_test_common.run_test, 21 | _CRL_END_ASCII_ARMOR, 22 | loader.load_pem_crl, 23 | file, 24 | validator, 25 | ), 26 | ) 27 | -------------------------------------------------------------------------------- /tests/integration_crl/cabf/arl/unspecified_reason_code.crltest: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBsDCCATcCAQEwCgYIKoZIzj0EAwMwRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT 3 | GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFI0 4 | Fw0yNDA3MjUwOTAwMDBaFw0yNTA3MDEwMDAwMDBaMIGNMC8CEG5Hqc5PRsI94knq 5 | zDiUU3MXDTE5MDkzMDAwMDAwMFowDDAKBgNVHRUEAwoBBTAsAg0B8JxbcAWm3Ibi 6 | +Z7zFw0yMDAxMzEwMDAwMDBaMAwwCgYDVR0VBAMKAQUwLAINAf6lgUR+O/07uBwk 7 | mBcNMjMwNjEzMDAwMDAwWjAMMAoGA1UdFQQDCgEAoC8wLTAKBgNVHRQEAwIBFjAf 8 | BgNVHSMEGDAWgBSATNbrdP9JNqPV2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNnADBk 9 | AjA5X1pgTcj5bS+WsuSa4wEph63mswxZzAABv48n5Eux2mivldbo/H5r5whnYuHB 10 | Y70CMCAZb2XUaCri3uaxtNbLp1nwCD/G7eRY0sdhpqVUAeqFNQ8MZPT+mMZo1B4C 11 | c762xg== 12 | -----END X509 CRL----- 13 | 14 | node_path,validator,severity,code,message 15 | certificateList.tbsCertList.revokedCertificates.2.crlEntryExtensions.0.extnValue.cRLReason,CabfCrlReasonCodeAllowlistValidator,ERROR,cabf.crl_prohibited_reason_code,"Prohibited reason code ""unspecified""" 16 | -------------------------------------------------------------------------------- /tests/integration_crl/pkix/crl/bad_idp_uri.crltest: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBvDCBpQIBATANBgkqhkiG9w0BAQsFADAiMQswCQYDVQQGEwJYWDETMBEGA1UE 3 | 
CgwKQ1JMcyAnciBVcxcNMjQwMzI1MTg0NzAwWhcNMjQwNDAxMTg0NzAwWqBPME0w 4 | CgYDVR0UBAMCAQEwHwYDVR0jBBgwFoAU/NE0t8uklbG2WeoLBWIe6JqPtDowHgYD 5 | VR0cAQH/BBQwEqANoAuGCWxvY2FsaG9zdIQB/zANBgkqhkiG9w0BAQsFAAOCAQEA 6 | DfKA0r1rINyb1CeDJF73M2hW+9lR9Cf1S+T1dnAUpjH2lQSp1LDa9SHMU9OihfID 7 | aw06SqifX3rTtvdLMGX3D7fbBFVAVUFKXZUHN7cmtY2FphZAN7ZKah+awQkGtwgZ 8 | tQoPHGxQbcFoFq+9DbFb3w+nrYwBD/WXvjEl5xldKcPRHjldOx50g/zxkMKgomkp 9 | +Q3SA1aB/HhUhpoDS8Pm+EsFI5s/D6rGcLx8Sb5XldQ/HI+83UeMsIETIxHyWfAa 10 | fk3buuBr9HaA0tIhCSLISx2JHFtaJKav7T5vJCgGw63qWq3jzUMIUnFXA4ki+93h 11 | ASD6JIBt0IaIYrnD+THhdQ== 12 | -----END X509 CRL----- 13 | 14 | node_path,validator,severity,code,message 15 | certificateList.tbsCertList.crlExtensions.2.extnValue.issuingDistributionPoint.distributionPoint.fullName.0.uniformResourceIdentifier,GeneralNameUriSyntaxValidator,ERROR,pkix.invalid_uri_syntax,"Invalid URI syntax: ""localhost""" 16 | -------------------------------------------------------------------------------- /tests/integration_crl/pkix/crl/negative_validity_period.crltest: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBnDCBhQIBATANBgkqhkiG9w0BAQsFADAiMQswCQYDVQQGEwJYWDETMBEGA1UE 3 | CgwKQ1JMcyAnciBVcxcNMjQwMzI1MTg0NzAwWhcNMjMwNDAxMTg0NzAwWqAvMC0w 4 | CgYDVR0UBAMCAQEwHwYDVR0jBBgwFoAU/NE0t8uklbG2WeoLBWIe6JqPtDowDQYJ 5 | KoZIhvcNAQELBQADggEBAA3ygNK9ayDcm9QngyRe9zNoVvvZUfQn9Uvk9XZwFKYx 6 | 9pUEqdSw2vUhzFPTooXyA2sNOkqon19607b3SzBl9w+32wRVQFVBSl2VBze3JrWN 7 | haYWQDe2SmofmsEJBrcIGbUKDxxsUG3BaBavvQ2xW98Pp62MAQ/1l74xJecZXSnD 8 | 0R45XTsedIP88ZDCoKJpKfkN0gNWgfx4VIaaA0vD5vhLBSObPw+qxnC8fEm+V5XU 9 | PxyPvN1HjLCBEyMR8lnwGn5N27rga/R2gNLSIQkiyEsdiRxbWiSmr+0+byQoBsOt 10 | 6lqt481DCFJxVwOJIvvd4QEg+iSAbdCGiGK5w/kx4XU= 11 | -----END X509 CRL----- 12 | 13 | node_path,validator,severity,code,message 14 | certificateList.tbsCertList.thisUpdate,CrlSaneValidityPeriodValidator,ERROR,pkix.crl_negative_validity_period,"Start of validity period ""2024-03-25 
18:47:00+00:00"" is greater than end of validity period ""2023-04-01 18:47:00+00:00""" 15 | -------------------------------------------------------------------------------- /tests/integration_crl/test_cabf_arl.py: -------------------------------------------------------------------------------- 1 | import glob 2 | import sys 3 | from os import path 4 | 5 | from pkilint import pkix 6 | from pkilint.cabf import cabf_crl 7 | from pkilint.pkix import name, extension, crl 8 | from tests.integration_crl import register_test 9 | 10 | cur_dir = path.dirname(__file__) 11 | test_dir = path.join(cur_dir, "cabf", "arl") 12 | this_module = sys.modules[__name__] 13 | 14 | files = glob.glob(path.join(test_dir, "*.crltest")) 15 | 16 | 17 | for file in files: 18 | validator = crl.create_pkix_crl_validator_container( 19 | [ 20 | pkix.create_attribute_decoder(name.ATTRIBUTE_TYPE_MAPPINGS), 21 | pkix.create_extension_decoder(extension.EXTENSION_MAPPINGS), 22 | ], 23 | [ 24 | crl.create_issuer_validator_container([]), 25 | crl.create_validity_validator_container( 26 | [ 27 | cabf_crl.create_validity_period_validator( 28 | crl.CertificateRevocationListType.ARL 29 | ) 30 | ] 31 | ), 32 | crl.create_extensions_validator_container([]), 33 | ] 34 | + [ 35 | cabf_crl.CabfCrlReasonCodeAllowlistValidator( 36 | crl.CertificateRevocationListType.ARL 37 | ) 38 | ], 39 | ) 40 | 41 | file_no_ext, _ = path.splitext(path.basename(file)) 42 | 43 | test_name = f"test_{file_no_ext}" 44 | 45 | register_test(this_module, file, test_name, validator) 46 | -------------------------------------------------------------------------------- /tests/integration_crl/test_pkix_crl.py: -------------------------------------------------------------------------------- 1 | import glob 2 | import sys 3 | from os import path 4 | 5 | from pkilint import pkix 6 | from pkilint.pkix import name, extension, crl 7 | from tests.integration_crl import register_test 8 | 9 | cur_dir = path.dirname(__file__) 10 | test_dir = 
path.join(cur_dir, "pkix", "crl") 11 | this_module = sys.modules[__name__] 12 | 13 | files = glob.glob(path.join(test_dir, "*.crltest")) 14 | 15 | 16 | for file in files: 17 | validator = crl.create_pkix_crl_validator_container( 18 | [ 19 | pkix.create_attribute_decoder(name.ATTRIBUTE_TYPE_MAPPINGS), 20 | pkix.create_extension_decoder(extension.EXTENSION_MAPPINGS), 21 | ], 22 | [ 23 | crl.create_issuer_validator_container([]), 24 | crl.create_validity_validator_container([]), 25 | crl.create_extensions_validator_container([]), 26 | ], 27 | ) 28 | 29 | file_no_ext, _ = path.splitext(path.basename(file)) 30 | 31 | test_name = f"test_{file_no_ext}" 32 | 33 | register_test(this_module, file, test_name, validator) 34 | -------------------------------------------------------------------------------- /tests/pkix/crl/test_crl_properties.py: -------------------------------------------------------------------------------- 1 | from pkilint import loader, pkix 2 | 3 | _BAD_VALIDITY_TIMES_CRL_PEM = """-----BEGIN X509 CRL----- 4 | MIIBzTCBtgIBATANBgkqhkiG9w0BAQsFADAiMQswCQYDVQQGEwJYWDETMBEGA1UE 5 | CgwKQ1JMcyAnciBVcxcNWDQwMzI1MTg0NzAwWhcNWDQwNDAxMTg0NzAwWqBgMF4w 6 | CgYDVR0UBAMCAQEwHwYDVR0jBBgwFoAU/NE0t8uklbG2WeoLBWIe6JqPtDowLwYD 7 | VR0cAQH/BCUwI6AeoByGGmh0dHA6Ly9mb28uZXhhbXBsZS9jcmwuZGxshAH/MA0G 8 | CSqGSIb3DQEBCwUAA4IBAQAN8oDSvWsg3JvUJ4MkXvczaFb72VH0J/VL5PV2cBSm 9 | MfaVBKnUsNr1IcxT06KF8gNrDTpKqJ9fetO290swZfcPt9sEVUBVQUpdlQc3tya1 10 | jYWmFkA3tkpqH5rBCQa3CBm1Cg8cbFBtwWgWr70NsVvfD6etjAEP9Ze+MSXnGV0p 11 | w9EeOV07HnSD/PGQwqCiaSn5DdIDVoH8eFSGmgNLw+b4SwUjmz8PqsZwvHxJvleV 12 | 1D8cj7zdR4ywgRMjEfJZ8Bp+Tdu64Gv0doDS0iEJIshLHYkcW1okpq/tPm8kKAbD 13 | reparePNQwhScVcDiSL73eEBIPokgG3QhohiucP5MeF1 14 | -----END X509 CRL-----""" 15 | 16 | 17 | def test_bad_time(): 18 | crl = loader.load_pem_crl(_BAD_VALIDITY_TIMES_CRL_PEM) 19 | 20 | assert crl.this_update == pkix.MAXIMUM_TIME_DATETIME 21 | assert crl.next_update == pkix.MAXIMUM_TIME_DATETIME 22 | 
# --------------------------------------------------------------------------------
# /tests/pkix/test_time.py:
# --------------------------------------------------------------------------------
from datetime import datetime, timezone

import pytest

from pkilint.pkix import time


def test_parse_generalizedtime_nocentury():
    """A GeneralizedTime value written with a two-digit year is rejected."""
    with pytest.raises(ValueError):
        time.parse_generalizedtime("990101000000Z")


def test_parse_generalizedtime_wrongtimezone():
    """A GeneralizedTime value ending in a designator other than "Z" is rejected."""
    with pytest.raises(ValueError):
        time.parse_generalizedtime("19990101000000E")


def test_parse_generalizedtime_notimezone():
    """A GeneralizedTime value with no time zone designator at all is rejected."""
    with pytest.raises(ValueError):
        time.parse_generalizedtime("19990101000000")


def test_parse_generalizedtime():
    """A four-digit-year value ending in "Z" parses to the matching UTC datetime."""
    # Comparing against an aware datetime also pins the tzinfo of the result:
    # a naive datetime never compares equal to an aware one.
    expected = datetime(1999, 1, 1, tzinfo=timezone.utc)

    assert time.parse_generalizedtime("19990101000000Z") == expected


def test_parse_utctime_wrongtimezone():
    """A UTCTime value ending in a designator other than "Z" is rejected."""
    with pytest.raises(ValueError):
        time.parse_utctime("990101000000E")


def test_parse_utctime_notimezeone():
    """A UTCTime value with no time zone designator at all is rejected."""
    with pytest.raises(ValueError):
        time.parse_utctime("990101000000")


def test_parse_utctime_49():
    """Two-digit year 49 is read as 2049.

    Together with test_parse_utctime_50 this pins the century pivot that
    RFC 5280 section 4.1.2.5.1 prescribes for UTCTime: YY below 50 means
    20YY, YY of 50 or above means 19YY.
    """
    expected = datetime(2049, 1, 1, tzinfo=timezone.utc)

    assert time.parse_utctime("490101000000Z") == expected


def test_parse_utctime_50():
    """Two-digit year 50 is read as 1950, the other side of the UTCTime pivot."""
    expected = datetime(1950, 1, 1, tzinfo=timezone.utc)

    assert time.parse_utctime("500101000000Z") == expected


# --------------------------------------------------------------------------------
# /tests/test_finding_metadata_csv_smoke.py:
# --------------------------------------------------------------------------------
import csv
from os import path
| 4 | 5 | def _test_csv(filename, expected_fieldnames): 6 | cur_dir = path.dirname(__file__) 7 | filename = path.join(cur_dir, "..", filename) 8 | 9 | with open(filename, "r", encoding="utf8") as csvfile: 10 | reader = csv.DictReader(csvfile, restkey="extra") 11 | 12 | assert reader.fieldnames == expected_fieldnames 13 | 14 | for row_idx, row in enumerate(reader): 15 | lineno = row_idx + 1 + 1 # 1-based index and header row 16 | 17 | extra = row.pop("extra", None) 18 | assert extra is None, f'Row "{row}" (line {lineno}) has extra fields' 19 | 20 | assert all( 21 | c is not None for c in row.values() 22 | ), f'Row "{row}" (line {lineno}) has a None value' 23 | 24 | 25 | def test_cabf_smime_finding_metadata(): 26 | _test_csv( 27 | "pkilint/cabf/smime/finding_metadata.csv", 28 | ["severity", "code", "source", "description"], 29 | ) 30 | 31 | 32 | def test_cabf_serverauth_finding_metadata(): 33 | _test_csv( 34 | "pkilint/cabf/serverauth/finding_metadata.csv", 35 | ["severity", "code", "description"], 36 | ) 37 | 38 | 39 | def test_etsi_finding_metadata(): 40 | _test_csv("pkilint/etsi/finding_metadata.csv", ["severity", "code", "description"]) 41 | --------------------------------------------------------------------------------