From 015d2202056a6a35a3c2e4555426b942a50e1c23 Mon Sep 17 00:00:00 2001 
From: Adriano Santoni Date: Sun, 14 Jul 2024 19:02:17 +0200 Subject: [PATCH] Add lint to check for a valid business category in EV certificates (#830) * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Update lint_invalid_subject_rdn_order_test.go Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment * Update lint_invalid_subject_rdn_order.go Fixed import block * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go Fine to me. Co-authored-by: Christopher Henderson * Update lint_invalid_subject_rdn_order.go As per Chris Henderson's suggestion, to "improve readability". * Update lint_invalid_subject_rdn_order_test.go As per Chris Henderson's suggestion. * Update time.go Added CABFEV_Sec9_2_8_Date * Add files via upload * Add files via upload * Revised according to Chris and Corey suggestions * Add files via upload * Add files via upload * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go * Delete v3/testdata/invalid_cps_uri_ko_01.pem * Delete v3/testdata/invalid_cps_uri_ko_02.pem * Delete v3/testdata/invalid_cps_uri_ko_03.pem * Delete v3/testdata/invalid_cps_uri_ok_01.pem * Delete v3/testdata/invalid_cps_uri_ok_02.pem * Delete v3/testdata/invalid_cps_uri_ok_03.pem * Add files via upload * Add files via upload * Add files via upload * Update lint_ev_invalid_business_category.go * Add files via upload * Add files via upload * Set correct Error Count for new lint * Update config.json * Update config.json * Delete v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go * Delete v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go * Delete v3/testdata/orgid_subj_and_ext_ko_01.pem * Delete v3/testdata/orgid_subj_and_ext_ko_02.pem * Delete v3/testdata/orgid_subj_and_ext_ko_03.pem * Delete v3/testdata/orgid_subj_and_ext_ok_01.pem * Delete v3/testdata/orgid_subj_and_ext_ok_02.pem * Delete 
v3/testdata/orgid_subj_and_ext_ok_03.pem * Delete v3/testdata/orgid_subj_and_ext_ok_04.pem * Delete v3/testdata/orgid_subj_and_ext_ok_05.pem * Update time.go * Update v3/lints/cabf_ev/lint_ev_invalid_business_category.go Co-authored-by: Martijn Katerbarg * Add files via upload * Update lint_ev_invalid_business_category.go * Update config.json --------- Co-authored-by: Christopher Henderson Co-authored-by: Martijn Katerbarg --- v3/integration/config.json | 3 + .../lint_ev_invalid_business_category.go | 69 ++++++++++++ .../lint_ev_invalid_business_category_test.go | 88 +++++++++++++++ v3/testdata/invalid_business_cat_ko_01.pem | 101 +++++++++++++++++ v3/testdata/invalid_business_cat_ko_02.pem | 102 ++++++++++++++++++ v3/testdata/invalid_business_cat_ok_01.pem | 102 ++++++++++++++++++ v3/testdata/invalid_business_cat_ok_02.pem | 101 +++++++++++++++++ v3/testdata/invalid_business_cat_ok_03.pem | 101 +++++++++++++++++ v3/testdata/invalid_business_cat_ok_04.pem | 101 +++++++++++++++++ v3/testdata/invalid_business_cat_ok_05.pem | 101 +++++++++++++++++ v3/testdata/invalid_business_cat_ok_06.pem | 102 ++++++++++++++++++ 11 files changed, 971 insertions(+) create mode 100644 v3/lints/cabf_ev/lint_ev_invalid_business_category.go create mode 100644 v3/lints/cabf_ev/lint_ev_invalid_business_category_test.go create mode 100644 v3/testdata/invalid_business_cat_ko_01.pem create mode 100644 v3/testdata/invalid_business_cat_ko_02.pem create mode 100644 v3/testdata/invalid_business_cat_ok_01.pem create mode 100644 v3/testdata/invalid_business_cat_ok_02.pem create mode 100644 v3/testdata/invalid_business_cat_ok_03.pem create mode 100644 v3/testdata/invalid_business_cat_ok_04.pem create mode 100644 v3/testdata/invalid_business_cat_ok_05.pem create mode 100644 v3/testdata/invalid_business_cat_ok_06.pem diff --git a/v3/integration/config.json b/v3/integration/config.json index 52343e4ff..c6a4baee9 100644 --- a/v3/integration/config.json +++ b/v3/integration/config.json 
@@ -426,6 +426,9 @@ "ErrCount": 2 }, "e_ev_country_name_missing": {}, + "e_ev_invalid_business_category": { + "ErrCount": 10957 + }, "e_ev_not_wildcard": { "ErrCount": 1 }, diff --git a/v3/lints/cabf_ev/lint_ev_invalid_business_category.go b/v3/lints/cabf_ev/lint_ev_invalid_business_category.go new file mode 100644 index 000000000..9e57c207d --- /dev/null +++ b/v3/lints/cabf_ev/lint_ev_invalid_business_category.go 
@@ -0,0 +1,69 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_ev
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ev_invalid_business_category",
+ Description: "Checks that businessCategory contains a valid value as per EV Guidelines 7.1.4.2.3",
+ Citation: "EVGs 7.1.4.2.3",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewInvalidBusinessCategory,
+ })
+}
+
+type invalidBusinessCategory struct{}
+
+func NewInvalidBusinessCategory() lint.LintInterface {
+ return &invalidBusinessCategory{}
+}
+
+func (l *invalidBusinessCategory) CheckApplies(c *x509.Certificate) bool {
+ return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
+}
+
+func (l *invalidBusinessCategory) Execute(c *x509.Certificate) *lint.LintResult {
+
+ for _, v := range c.Subject.Names {
+ if util.BusinessOID.Equal(v.Type) {
+ businessCategory := v.Value
+ if (businessCategory == "Private Organization") ||
+ (businessCategory == "Government Entity") ||
+ (businessCategory == "Business Entity") ||
+ (businessCategory == "Non-Commercial Entity") {
+ return &lint.LintResult{Status: lint.Pass}
+ } else {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ }
+
+ // businessCategory missing: that's an error, but is not this lint's business
+ return &lint.LintResult{Status: lint.NA}
+}
diff --git a/v3/lints/cabf_ev/lint_ev_invalid_business_category_test.go b/v3/lints/cabf_ev/lint_ev_invalid_business_category_test.go
new file mode 100644
index 000000000..7b708e1dc
--- /dev/null
+++ b/v3/lints/cabf_ev/lint_ev_invalid_business_category_test.go
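Review bot: Execute returns on the first businessCategory attribute it finds, so a subject carrying a second businessCategory whose value is outside the four allowed strings would still get lint.Pass; nothing visible in this hunk rules out repeated attributes. Checking every matching attribute and failing on any invalid one closes that gap, as sketched below, with the NA result for a missing attribute kept as it is. Separately, EffectiveDate is util.ZeroDate while config.json in this commit records ErrCount 10957 for this lint, which suggests a large share of corpus certificates is flagged; if those were issued before the current value list in EVGs 7.1.4.2.3 applied, an effective date would keep them from being reported as errors, which is worth confirming. The exported NewInvalidBusinessCategory also has no doc comment.

```go
func (l *invalidBusinessCategory) Execute(c *x509.Certificate) *lint.LintResult {
	found := false
	for _, v := range c.Subject.Names {
		if !util.BusinessOID.Equal(v.Type) {
			continue
		}
		found = true
		switch v.Value {
		case "Private Organization", "Government Entity", "Business Entity", "Non-Commercial Entity":
			// valid; keep checking any further businessCategory attributes
		default:
			return &lint.LintResult{Status: lint.Error}
		}
	}
	if !found {
		// businessCategory missing: that's an error, but is not this lint's business
		return &lint.LintResult{Status: lint.NA}
	}
	return &lint.LintResult{Status: lint.Pass}
}
```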
@@ -0,0 +1,88 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ === Pass test cases ===
+ invalid_business_cat_ok_01.pem EV cert with valid businessCategory == "Private Organization"
+ invalid_business_cat_ok_04.pem EV cert with valid businessCategory == "Government Entity"
+ invalid_business_cat_ok_05.pem EV cert with valid businessCategory == "Business Entity"
+ invalid_business_cat_ok_06.pem EV cert with valid businessCategory == "Non‐Commercial Entity"
+
+ === NA test cases ===
+ invalid_business_cat_ok_02.pem EV cert without businessCategory
+ invalid_business_cat_ok_03.pem OV cert with invalid businessCategory
+
+ === Fail test cases ===
+ invalid_business_cat_ko_01.pem EV cert with slightly invalid businessCategory
+ invalid_business_cat_ko_02.pem EV cert with grossly invalid businessCategory
+*/
+
+package cabf_ev
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestInvalidBusinessCategory(t *testing.T) {
+ type Data struct {
+ input string
+ want lint.LintStatus
+ }
+ data := []Data{
+ {
+ input: "invalid_business_cat_ok_01.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_business_cat_ok_04.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_business_cat_ok_05.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_business_cat_ok_06.pem",
+ want: lint.Pass,
+ },
+ {
+ input: "invalid_business_cat_ok_02.pem",
+ want: lint.NA,
+ },
+ {
+ input: "invalid_business_cat_ok_03.pem",
+ want: lint.NA,
+ },
+ {
+ input: "invalid_business_cat_ko_01.pem",
+ want: lint.Error,
+ },
+ {
+ input: "invalid_business_cat_ko_02.pem",
+ want: lint.Error,
+ },
+ }
+ for _, testData := range data {
+ testData := testData
+ t.Run(testData.input, func(t *testing.T) {
+ out := test.TestLint("e_ev_invalid_business_category", testData.input)
+ if out.Status != testData.want {
+ t.Errorf("expected %s, got %s", testData.want, out.Status)
+ }
+ })
+ }
+}
diff --git a/v3/testdata/invalid_business_cat_ko_01.pem b/v3/testdata/invalid_business_cat_ko_01.pem
new file mode 100644
index 000000000..074c0a3d2
--- /dev/null
+++ b/v3/testdata/invalid_business_cat_ko_01.pem
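Review bot: The header comment describes ok_06.pem as `"Non‐Commercial Entity"` written with what appears to be a non-ASCII hyphen, while the lint compares against the ASCII form `"Non-Commercial Entity"`; the comment should use the ASCII hyphen so it shows the exact string the lint accepts. The table also has no case for a subject with more than one businessCategory attribute, which is the path where Execute stops at the first match. A fixture with a valid value followed by an invalid one would pin the intended result for that input.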
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2d:b9:12:bb:65:5d:81:3c:72:af:02:67:0f:05:5d:6b + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 11:59:35 2024 GMT + Not After : Apr 9 11:59:35 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organisation + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a3:e5:86:9a:c7:d8:f5:f7:84:22:0e:c7:e2:81: + 64:b3:9f:b6:8b:ab:30:be:50:64:be:60:a3:e5:e1: + 50:dc:36:e3:47:96:05:f0:01:60:9f:ea:de:19:b8: + 7f:8f:30:90:a3:98:8b:2f:d7:7a:f5:0b:30:16:07: + c0:15:54:08:fe:c7:20:41:f6:63:25:54:df:72:7f: + 2f:8f:10:a2:0c:f6:d7:c6:3a:a7:77:20:a1:5c:c1: + 98:fc:42:c4:8a:55:77:fc:b4:52:81:5c:eb:b6:00: + 79:21:ce:a8:7b:66:69:bc:b2:d5:8c:3f:a9:6d:4c: + 1b:6b:e1:85:cb:6f:3e:97:c7:79:f7:e7:00:6d:1a: + ca:98:e4:60:bc:fd:42:81:a9:ae:85:42:b2:1f:c2: + 32:32:5f:00:d2:ab:82:3a:03:52:7f:02:92:df:8b: + de:d1:05:cc:d7:27:2f:77:cd:e2:3e:37:a1:49:0c: + db:57:21:b4:9b:d1:0d:ae:00:e2:2c:d5:73:08:82: + 97:3d:d3:46:bc:4c:19:15:c9:b7:fe:70:95:47:71: + bc:b1:bc:61:22:e1:da:c6:38:fd:9c:f6:fd:bb:87: + ba:4c:94:c0:b9:cc:5d:fe:42:b3:aa:22:cb:bf:87: + e8:94:1e:f1:85:17:39:9c:e1:4c:98:69:94:96:53: + b1:49 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 97:F9:56:33:D9:8E:3E:D8:10:8F:7F:36:04:04:5E:73:04:F4:CE:F5 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 06:3d:2e:1a:b3:ea:07:bc:73:8c:fa:2d:37:ff:b7:93:d8:10: + a2:2e:3a:d7:f4:3a:8e:75:51:56:a2:9a:61:37:7b:15:80:1c: + 31:00:bc:27:35:8d:92:aa:54:5b:13:30:4a:76:65:3b:dd:0b: + 4d:8d:f3:df:76:54:97:fd:ec:e6:14:92:06:91:08:c5:6d:02: + ed:88:aa:c8:30:00:f8:12:9d:f9:4e:bc:f4:de:21:c5:ee:55: + e9:27:43:8c:13:a6:d2:a2:9a:cd:48:aa:e7:64:0a:88:91:78: + ae:f5:de:a2:b9:cd:6a:42:94:00:0c:49:3e:d9:8a:81:25:81: + d7:04:09:07:32:f9:dc:dd:76:e9:3c:1c:d7:65:74:b3:5c:fd: + b8:aa:f2:76:f8:59:97:a0:47:14:e7:8c:5e:ed:fd:af:41:dd: + d6:51:87:1e:0a:a7:35:d6:77:04:42:0a:b7:f2:aa:80:e9:62: + 27:0e:dd:b8:4d:7e:1a:af:75:1c:0a:f0:31:aa:c1:8e:cf:e7: + c6:bd:4a:7c:0a:c2:98:18:2e:a0:8d:76:a6:86:e2:0c:3f:4b: + bf:44:56:cf:2f:ad:02:6a:61:9e:0f:37:8a:91:1a:26:08:ca: + 31:ed:d1:78:fc:cf:fd:49:80:dc:64:fc:c0:53:9d:45:32:f4: + 6f:0d:07:f9 +-----BEGIN CERTIFICATE----- +MIIErDCCA5SgAwIBAgIQLbkSu2VdgTxyrwJnDwVdazANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MDkxMTU5MzVaFw0yNTA0MDkxMTU5 +MzVaMIGoMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pc2F0aW9uMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAo+WGmsfY9feEIg7H4oFks5+2i6swvlBkvmCj5eFQ3Dbj +R5YF8AFgn+reGbh/jzCQo5iLL9d69QswFgfAFVQI/scgQfZjJVTfcn8vjxCiDPbX +xjqndyChXMGY/ELEilV3/LRSgVzrtgB5Ic6oe2ZpvLLVjD+pbUwba+GFy28+l8d5 +9+cAbRrKmORgvP1CgamuhUKyH8IyMl8A0quCOgNSfwKS34ve0QXM1ycvd83iPjeh +SQzbVyG0m9ENrgDiLNVzCIKXPdNGvEwZFcm3/nCVR3G8sbxhIuHaxjj9nPb9u4e6 +TJTAucxd/kKzqiLLv4folB7xhRc5nOFMmGmUllOxSQIDAQABo4IBNDCCATAwDgYD +VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNV 
+HQ4EFgQUl/lWM9mOPtgQj382BARecwT0zvUwHwYDVR0jBBgwFoAU6Lb2dkvQO+VG +pflU1H4Hs94NYD4wZAYIKwYBBQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8v +Y2Euc29tZWNhLWluYy5jb20vb2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNv +bWVjYS1pbmMuY29tL3Jvb3QwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wEgYDVR0g +BAswCTAHBgVngQwBATAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNh +LWluYy5jb20vY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAGPS4as+oHvHOM+i03/7eT +2BCiLjrX9DqOdVFWopphN3sVgBwxALwnNY2SqlRbEzBKdmU73QtNjfPfdlSX/ezm +FJIGkQjFbQLtiKrIMAD4Ep35Trz03iHF7lXpJ0OME6bSoprNSKrnZAqIkXiu9d6i +uc1qQpQADEk+2YqBJYHXBAkHMvnc3XbpPBzXZXSzXP24qvJ2+FmXoEcU54xe7f2v +Qd3WUYceCqc11ncEQgq38qqA6WInDt24TX4ar3UcCvAxqsGOz+fGvUp8CsKYGC6g +jXamhuIMP0u/RFbPL60CamGeDzeKkRomCMox7dF4/M/9SYDcZPzAU51FMvRvDQf5 +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ko_02.pem b/v3/testdata/invalid_business_cat_ko_02.pem new file mode 100644 index 000000000..efc6e93a4 --- /dev/null +++ b/v3/testdata/invalid_business_cat_ko_02.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:ff:07:6c:93:bd:fe:38:fd:d7:97:f0:38:44:a3:41 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 12:02:34 2024 GMT + Not After : Apr 9 12:02:34 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Blasting & Demolition + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:3c:5c:aa:34:5e:88:e2:13:6d:46:11:7b:9b: + 76:b9:44:26:61:ca:a6:63:43:92:4f:3e:73:dd:f2: + 7d:92:ef:80:5f:26:44:ea:1f:69:58:5d:a9:f0:23: + 43:e5:2e:65:e9:2f:d9:5b:53:c9:13:ad:96:28:c6: + c3:6c:71:3c:56:3e:d6:c8:da:2e:a7:07:ca:da:51: + 0d:0f:13:2b:37:5c:1b:32:fd:55:d3:13:fb:83:db: + ca:23:0b:58:a0:ce:86:d1:77:7d:de:26:b1:61:93: + d8:d4:50:c4:63:ae:5e:74:3a:d6:73:a2:53:4c:22: + f0:74:e9:5d:6d:62:5b:be:cf:64:e8:cc:d0:0c:40: + a2:87:e0:af:eb:46:e1:70:91:ed:90:06:d9:8e:df: + 7f:f9:ab:e2:18:17:0a:9c:4a:7a:c1:f7:77:2e:91: + a0:f8:e2:89:d6:d1:46:33:a5:f7:39:1c:34:b3:08: + 04:b3:c7:ff:8d:f4:dc:83:cf:d4:ff:ca:7c:83:c8: + 38:0e:dc:9c:fe:e9:40:ba:86:bd:f0:61:2b:83:e2: + 45:e6:32:b3:40:17:64:0a:ca:be:c8:62:e2:69:af: + d5:28:76:86:d4:b4:19:fb:b9:47:24:18:67:dd:36: + ba:80:de:f6:4c:e8:30:1d:83:ce:d6:5e:d9:e8:e5: + ad:7b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 71:1E:1A:7E:6E:D5:EB:E3:B6:B4:C9:7B:B1:71:69:76:56:44:7E:4E + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 66:3b:aa:ff:45:a3:bf:0c:f0:53:f6:aa:f4:a3:8a:ca:73:1e: + d0:6e:92:63:19:9d:72:02:fe:a9:3c:1c:9e:2c:fb:54:3d:12: + ab:3e:fc:2b:3b:55:9b:3a:a9:97:85:df:a9:5c:b6:50:b8:af: + 52:f1:f7:8b:14:9f:db:87:7b:59:80:47:5d:e0:60:87:e9:1e: + 6c:a4:8a:76:6b:c4:13:e4:6e:55:32:c3:b6:47:d1:eb:cb:09: + 6e:01:54:c4:c2:3d:ea:db:c5:3b:d8:b3:04:42:81:d4:dc:c9: + cf:56:34:e5:d9:dd:01:a0:b4:04:37:e3:66:65:a6:27:a9:e6: + a1:61:e9:c3:94:a5:48:57:f7:7c:d7:7d:f9:e1:fb:6f:9b:65: + f3:3e:5f:86:bb:5a:d2:74:38:2b:23:b8:46:f1:75:50:fa:d0: + e5:e0:9b:35:06:a3:07:25:cd:78:43:30:a2:e0:96:96:93:a0: + 7c:ae:7d:55:34:11:d7:40:fc:2c:5f:eb:77:d6:17:65:cd:b7: + 11:53:b3:54:f0:03:f2:2c:ef:b0:09:b1:18:d5:c5:03:f3:3f: + be:93:33:c3:35:81:52:f1:93:db:01:5e:9b:c9:4e:fd:96:e3: + 73:29:da:44:b6:21:c5:92:27:d1:2d:e6:af:e5:74:e0:0f:76: + a7:a5:b9:d1 +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIQCP8HbJO9/jj915fwOESjQTANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MDkxMjAyMzRaFw0yNTA0MDkxMjAy +MzRaMIGpMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HjAcBgNVBA8MFUJsYXN0aW5nICYgRGVtb2xpdGlvbjCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALw8XKo0XojiE21GEXubdrlEJmHKpmNDkk8+c93yfZLv +gF8mROofaVhdqfAjQ+UuZekv2VtTyROtlijGw2xxPFY+1sjaLqcHytpRDQ8TKzdc +GzL9VdMT+4PbyiMLWKDOhtF3fd4msWGT2NRQxGOuXnQ61nOiU0wi8HTpXW1iW77P +ZOjM0AxAoofgr+tG4XCR7ZAG2Y7ff/mr4hgXCpxKesH3dy6RoPjiidbRRjOl9zkc +NLMIBLPH/4303IPP1P/KfIPIOA7cnP7pQLqGvfBhK4PiReYys0AXZArKvshi4mmv +1Sh2htS0Gfu5RyQYZ902uoDe9kzoMB2DztZe2ejlrXsCAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFHEeGn5u1evjtrTJe7FxaXZWRH5OMB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAZjuq/0WjvwzwU/aq9KOK +ynMe0G6SYxmdcgL+qTwcniz7VD0Sqz78KztVmzqpl4XfqVy2ULivUvH3ixSf24d7 +WYBHXeBgh+kebKSKdmvEE+RuVTLDtkfR68sJbgFUxMI96tvFO9izBEKB1NzJz1Y0 +5dndAaC0BDfjZmWmJ6nmoWHpw5SlSFf3fNd9+eH7b5tl8z5fhrta0nQ4KyO4RvF1 +UPrQ5eCbNQajByXNeEMwouCWlpOgfK59VTQR10D8LF/rd9YXZc23EVOzVPAD8izv +sAmxGNXFA/M/vpMzwzWBUvGT2wFem8lO/ZbjcynaRLYhxZIn0S3mr+V04A92p6W5 +0Q== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_01.pem b/v3/testdata/invalid_business_cat_ok_01.pem new file mode 100644 index 000000000..78e1c92e4 --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_01.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 93:9e:e2:63:3d:b5:42:c6:bd:a4:0b:4a:f3:d9:73:b2 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 11:52:12 2024 GMT + Not After : Apr 9 11:52:12 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Private Organization + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d0:20:3d:db:19:c5:19:75:8a:7d:ca:c3:cd:20: + 46:3d:de:f4:bc:c9:4b:e1:37:68:24:0d:9e:ed:6c: + f6:7a:b1:23:95:3b:56:60:75:09:bf:e7:dc:dd:c1: + 78:91:21:d7:dd:07:1b:c9:1e:e3:a3:ba:b9:0f:ee: + 15:84:95:a8:b0:b9:53:45:bc:ff:3d:e2:2a:1e:65: + 0b:59:43:e1:d7:76:7f:4e:e6:91:fb:23:34:6c:23: + 07:3b:45:52:eb:ee:8b:c2:58:ec:57:83:19:b5:dd: + f0:27:98:5d:c0:e4:a1:62:9f:66:a8:83:f1:8c:19: + f3:09:27:ad:93:e7:4a:51:7b:a1:10:48:68:bd:9d: + be:2c:05:0b:87:bb:e3:36:3c:54:b1:4a:85:10:98: + 11:9e:c9:05:b2:c1:d7:4d:e6:d9:9f:6b:b7:87:25: + 83:6e:5f:cb:2a:d1:f0:da:1e:69:fd:bf:1a:e5:af: + 75:0c:d3:ff:86:a6:72:19:a4:3a:15:b1:b6:44:87: + d0:a9:fd:1c:df:84:e0:38:55:74:32:dd:f4:ef:fd: + c2:64:ec:e1:ad:0f:8d:76:36:26:39:b7:cf:3b:ed: + 78:d1:8f:7b:65:42:8a:c5:cb:f8:83:59:6c:48:ff: + a7:f5:5b:c8:da:cb:57:b9:3f:de:9b:5e:f6:ae:c2: + d8:5f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 77:D2:6F:BF:CC:53:C5:ED:FA:3D:97:D8:E4:A5:36:7C:C7:FC:5D:9F + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 91:ad:45:08:34:ce:96:3f:40:fa:ac:e0:53:bf:f6:7a:9b:5b: + 45:91:44:13:d6:15:30:9f:20:8d:f8:60:1d:28:4d:7d:87:30: + 13:49:96:61:af:49:e1:9a:20:c4:2c:fd:23:ca:32:78:39:55: + fb:f9:91:07:c2:d9:c9:e5:37:4c:ab:d1:21:ab:ef:7e:d1:19: + 8c:cb:5d:ff:cd:07:65:34:49:90:35:35:69:cd:d7:e1:51:68: + 8c:70:ac:44:3f:0c:0d:16:f7:30:7e:22:d3:5b:64:89:13:20: + a5:db:7e:a8:05:04:47:0d:5a:23:29:06:61:71:af:a5:46:58: + 23:16:35:54:9b:de:33:06:d4:a4:f0:15:fb:ff:6c:d3:bb:bb: + 44:b3:a4:6c:08:ac:99:58:bc:54:70:43:7f:7a:7b:27:81:26: + 54:51:6b:49:a1:18:bb:d9:bf:8d:5e:02:3a:65:19:a8:18:da: + f1:d1:f7:58:bb:47:26:d9:5e:f0:00:81:1f:a6:5d:d4:75:92: + 7d:79:64:0f:6b:69:4c:4d:98:e3:6d:8d:6f:20:75:ff:00:fd: + 65:30:c5:15:26:1a:eb:9c:dc:16:7d:a9:25:d3:e5:ea:db:a6: + 94:29:cc:35:0c:71:a5:6a:61:a5:6c:6b:7f:30:a4:ee:36:18: + 58:8d:ba:66 +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIRAJOe4mM9tULGvaQLSvPZc7IwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDA5MTE1MjEyWhcNMjUwNDA5MTE1 +MjEyWjCBqDELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANAgPdsZxRl1in3Kw80gRj3e9LzJS+E3aCQNnu1s9nqx +I5U7VmB1Cb/n3N3BeJEh190HG8ke46O6uQ/uFYSVqLC5U0W8/z3iKh5lC1lD4dd2 +f07mkfsjNGwjBztFUuvui8JY7FeDGbXd8CeYXcDkoWKfZqiD8YwZ8wknrZPnSlF7 +oRBIaL2dviwFC4e74zY8VLFKhRCYEZ7JBbLB103m2Z9rt4clg25fyyrR8Noeaf2/ +GuWvdQzT/4amchmkOhWxtkSH0Kn9HN+E4DhVdDLd9O/9wmTs4a0PjXY2Jjm3zzvt +eNGPe2VCisXL+INZbEj/p/VbyNrLV7k/3pte9q7C2F8CAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFHfSb7/MU8Xt+j2X2OSlNnzH/F2fMB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAka1FCDTOlj9A+qzgU7/2 +eptbRZFEE9YVMJ8gjfhgHShNfYcwE0mWYa9J4ZogxCz9I8oyeDlV+/mRB8LZyeU3 +TKvRIavvftEZjMtd/80HZTRJkDU1ac3X4VFojHCsRD8MDRb3MH4i01tkiRMgpdt+ +qAUERw1aIykGYXGvpUZYIxY1VJveMwbUpPAV+/9s07u7RLOkbAismVi8VHBDf3p7 +J4EmVFFrSaEYu9m/jV4COmUZqBja8dH3WLtHJtle8ACBH6Zd1HWSfXlkD2tpTE2Y +422NbyB1/wD9ZTDFFSYa65zcFn2pJdPl6tumlCnMNQxxpWphpWxrfzCk7jYYWI26 +Zg== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_02.pem b/v3/testdata/invalid_business_cat_ok_02.pem new file mode 100644 index 000000000..0683e50e8 --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_02.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0a:5d:0a:22:8a:49:d5:4c:d3:d2:b8:6a:7e:2d:11:bf + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 11:53:09 2024 GMT + Not After : Apr 9 11:53:09 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:cd:b5:bf:94:0d:60:9d:3f:18:7b:ac:32:41:1e: + 7e:f3:4e:c4:5d:dd:a1:0a:4b:02:3b:3f:01:19:c7: + 56:10:c7:72:0c:db:5e:d9:2c:08:ea:47:c7:f6:e2: + 93:0f:f5:29:60:05:d0:65:dc:a9:99:b2:45:76:69: + 32:9e:e1:b4:f8:2b:12:38:9a:ae:48:e4:cc:74:bc: + 8b:d5:5c:49:2f:51:b6:27:78:98:46:ca:23:3f:f8: + 83:cb:86:6b:f2:1e:09:87:22:90:30:54:e7:bc:75: + 31:5c:42:5d:8a:e2:b7:30:1e:64:24:6e:40:a5:08: + 2b:d0:2e:8b:14:0a:28:00:06:6d:7a:e2:bf:e5:9e: + 9e:3d:6c:49:d9:13:e7:fe:4f:00:0c:e0:31:f8:cc: + 83:b0:56:79:f3:c1:3d:45:50:36:22:d2:02:b7:70: + c2:4b:28:05:98:bc:80:94:36:2a:3d:59:8b:f0:3c: + 20:06:54:1b:59:3b:a8:d7:7b:65:d5:7a:50:86:01: + a3:fd:71:1b:10:97:ed:8d:6d:1c:a4:91:c5:a8:db: + cf:d1:0a:b1:d4:aa:d2:bb:5c:44:cc:38:e6:51:9a: + 3c:a2:2e:be:0f:a1:fa:cc:51:ee:fc:f9:f3:e1:3f: + ce:51:54:5e:9c:10:8b:c9:16:bc:13:37:7b:8e:53: + 2d:59 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 73:22:B1:07:9F:AF:39:0C:31:A7:55:C1:DF:B0:D8:99:D4:A8:7D:F7 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Certificate Policies: 
+ Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + a9:42:c8:b9:43:d0:17:df:32:69:03:4d:e2:6a:73:19:63:e2: + ff:ac:93:ad:b0:dd:5b:b5:dc:4c:2f:47:3c:67:2b:b5:b2:bb: + 71:7a:4e:ee:9f:a3:3e:ab:a9:85:ac:bd:17:55:3d:0b:10:ff: + c0:2a:75:7d:23:81:91:db:17:9f:d0:20:a8:3a:cb:e6:dc:4f: + ba:15:cd:65:6b:80:6b:90:87:f0:b6:a6:32:f2:f3:e1:c8:54: + 0d:71:52:24:04:1c:e1:7a:07:53:ce:71:95:a4:6b:d6:16:d3: + 30:b3:74:48:f9:01:f0:9e:3c:d2:5b:59:48:81:7f:79:9a:54: + 99:43:80:29:99:10:3b:d2:45:d4:4b:29:fb:1e:33:c5:4a:20: + 4b:ad:74:87:de:6b:7c:c0:96:e8:d8:45:85:dc:45:68:31:9d: + d3:e2:5e:36:cd:df:7e:85:78:76:dc:7e:e8:ed:a8:5a:45:51: + 1a:2a:85:18:dc:a7:cd:ad:d7:fe:74:07:bc:1a:7c:74:00:79: + 21:68:1b:0b:ba:a6:b7:9a:1c:fd:f7:5c:19:ee:f4:d1:1a:b2: + 9e:16:da:67:99:f9:3b:94:00:a5:42:f8:82:96:53:c4:c6:74: + c4:5f:6f:5d:bc:0a:45:49:7d:63:c9:8c:2d:0f:24:62:f5:a0: + 6c:21:a7:6a +-----BEGIN CERTIFICATE----- +MIIEjTCCA3WgAwIBAgIQCl0KIopJ1UzT0rhqfi0RvzANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MDkxMTUzMDlaFw0yNTA0MDkxMTUz +MDlaMIGJMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNtb+UDWCdPxh7rDJBHn7z +TsRd3aEKSwI7PwEZx1YQx3IM217ZLAjqR8f24pMP9SlgBdBl3KmZskV2aTKe4bT4 +KxI4mq5I5Mx0vIvVXEkvUbYneJhGyiM/+IPLhmvyHgmHIpAwVOe8dTFcQl2K4rcw +HmQkbkClCCvQLosUCigABm164r/lnp49bEnZE+f+TwAM4DH4zIOwVnnzwT1FUDYi +0gK3cMJLKAWYvICUNio9WYvwPCAGVBtZO6jXe2XVelCGAaP9cRsQl+2NbRykkcWo +28/RCrHUqtK7XETMOOZRmjyiLr4PofrMUe78+fPhP85RVF6cEIvJFrwTN3uOUy1Z +AgMBAAGjggE0MIIBMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMB0GA1UdDgQWBBRzIrEHn685DDGnVcHfsNiZ1Kh99zAfBgNV +HSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYI 
+KwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUF +BzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAWBgNVHREEDzANggtl +eGFtcGxlLmNvbTASBgNVHSAECzAJMAcGBWeBDAEBMC0GA1UdHwQmMCQwIqAgoB6G +HGh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggEB +AKlCyLlD0BffMmkDTeJqcxlj4v+sk62w3Vu13EwvRzxnK7Wyu3F6Tu6foz6rqYWs +vRdVPQsQ/8AqdX0jgZHbF5/QIKg6y+bcT7oVzWVrgGuQh/C2pjLy8+HIVA1xUiQE +HOF6B1POcZWka9YW0zCzdEj5AfCePNJbWUiBf3maVJlDgCmZEDvSRdRLKfseM8VK +IEutdIfea3zAlujYRYXcRWgxndPiXjbN336FeHbcfujtqFpFURoqhRjcp82t1/50 +B7wafHQAeSFoGwu6preaHP33XBnu9NEasp4W2meZ+TuUAKVC+IKWU8TGdMRfb128 +CkVJfWPJjC0PJGL1oGwhp2o= +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_03.pem b/v3/testdata/invalid_business_cat_ok_03.pem new file mode 100644 index 000000000..968b0d3fa --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_03.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + e8:b9:b7:db:bd:e6:79:f2:f0:b3:2a:51:eb:ff:0f:a2 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 11:56:08 2024 GMT + Not After : Apr 9 11:56:08 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Healthcare + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a3:73:4f:ed:5f:05:ff:8b:11:9e:a2:f7:a0:fb: + 86:39:50:cd:e6:7c:99:14:37:40:a2:43:46:9d:74: + ed:f9:6e:f3:c3:0a:68:20:11:1a:96:2a:70:89:6f: + 2a:cd:fb:af:f6:75:e0:8d:c0:fd:1d:4e:64:7a:66: + 81:c5:c3:34:fe:df:59:be:5c:56:0b:8f:8f:e7:4d: + 87:a5:b4:75:db:44:ea:0c:c9:fc:68:1d:00:b5:68: + 3b:83:47:6c:6b:23:dd:db:d0:b6:91:d6:e1:b8:6b: + d7:e5:4d:9e:7b:f6:c3:74:49:4a:59:bf:d9:60:30: + 39:b1:1b:fd:b3:74:e7:30:0a:18:ea:ef:d5:62:a8: + 35:3f:36:de:da:52:99:c8:18:27:f8:b0:5c:a5:3f: + f7:0b:89:8a:52:58:0c:85:cd:d6:29:0f:92:fc:7f: + 46:46:0f:4e:7d:8f:45:96:3f:8b:1a:6d:ca:47:5e: + 21:e9:9f:0a:1b:d2:a9:2f:37:0f:57:85:57:20:d9: + 58:b8:c3:79:4d:0d:a6:28:ba:a1:7f:39:fd:dc:d7: + 08:1d:91:f2:0d:79:e3:28:39:7f:19:3f:83:c0:4e: + cb:c8:9c:50:9a:04:4d:9d:f0:77:05:f3:75:77:2d: + 23:a9:fc:76:3e:97:ef:ae:99:5c:fa:43:15:82:26: + aa:e9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 35:8E:0E:FF:E7:6C:E2:31:A2:05:75:EF:DA:63:6C:1D:4F:CD:82:4C + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + DNS:example.com 
+ X509v3 Certificate Policies: + Policy: 2.23.140.1.2.2 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 0b:10:5f:47:66:d6:dc:58:c0:bb:41:95:c0:f0:fd:e0:4b:06: + 91:c5:ed:1b:25:02:de:d1:72:3a:da:96:fc:78:9a:62:e9:d6: + be:02:b7:30:1b:da:83:42:a9:99:f9:e3:df:fe:c2:0e:c1:71: + df:57:1f:2f:27:c3:57:4b:9d:aa:68:15:70:47:06:dd:0f:ef: + b9:40:49:50:47:63:a2:46:28:0c:93:5b:95:fb:23:12:85:5a: + 2a:8f:db:e9:7c:f3:0f:ec:ea:4b:3c:cf:e8:6c:cf:99:2e:16: + 2b:f2:71:26:fa:85:36:50:29:bc:06:45:c7:74:6b:2c:2a:10: + 0a:ec:ec:b4:12:57:0d:01:d8:38:bb:94:40:fe:f5:b9:3a:2f: + 63:fb:65:9c:ed:36:c2:45:63:08:b6:83:8c:85:92:17:20:3e: + 54:78:10:30:15:62:92:c2:a3:f4:00:6e:b3:b0:a6:68:de:1f: + de:73:25:6b:31:4c:8b:a6:44:39:f8:83:46:df:32:49:97:c2: + 51:ac:68:47:2b:c8:79:e3:de:92:f6:4a:33:78:32:31:e9:d3: + 33:34:d6:de:b6:d6:2e:00:e8:76:96:49:77:32:54:3c:f1:d0: + ff:8c:01:db:bd:80:0f:39:56:4f:a9:da:fc:c1:08:a6:ff:c9: + 9c:48:55:87 +-----BEGIN CERTIFICATE----- +MIIEpDCCA4ygAwIBAgIRAOi5t9u95nny8LMqUev/D6IwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDA5MTE1NjA4WhcNMjUwNDA5MTE1 +NjA4WjCBnjELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MRMwEQYDVQQPEwpIZWFsdGhjYXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAo3NP7V8F/4sRnqL3oPuGOVDN5nyZFDdAokNGnXTt+W7zwwpoIBEalipw +iW8qzfuv9nXgjcD9HU5kemaBxcM0/t9ZvlxWC4+P502HpbR120TqDMn8aB0AtWg7 +g0dsayPd29C2kdbhuGvX5U2ee/bDdElKWb/ZYDA5sRv9s3TnMAoY6u/VYqg1Pzbe +2lKZyBgn+LBcpT/3C4mKUlgMhc3WKQ+S/H9GRg9OfY9Flj+LGm3KR14h6Z8KG9Kp +LzcPV4VXINlYuMN5TQ2mKLqhfzn93NcIHZHyDXnjKDl/GT+DwE7LyJxQmgRNnfB3 +BfN1dy0jqfx2Ppfvrplc+kMVgiaq6QIDAQABo4IBNTCCATEwDgYDVR0PAQH/BAQD +AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUNY4O 
+/+ds4jGiBXXv2mNsHU/NgkwwHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94N +YD4wZAYIKwYBBQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNh +LWluYy5jb20vb2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMu +Y29tL3Jvb3QwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wEwYDVR0gBAwwCjAIBgZn +gQwBAgIwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1pbmMuY29t +L2NybDANBgkqhkiG9w0BAQsFAAOCAQEACxBfR2bW3FjAu0GVwPD94EsGkcXtGyUC +3tFyOtqW/HiaYunWvgK3MBvag0Kpmfnj3/7CDsFx31cfLyfDV0udqmgVcEcG3Q/v +uUBJUEdjokYoDJNblfsjEoVaKo/b6XzzD+zqSzzP6GzPmS4WK/JxJvqFNlApvAZF +x3RrLCoQCuzstBJXDQHYOLuUQP71uTovY/tlnO02wkVjCLaDjIWSFyA+VHgQMBVi +ksKj9ABus7CmaN4f3nMlazFMi6ZEOfiDRt8ySZfCUaxoRyvIeePekvZKM3gyMenT +MzTW3rbWLgDodpZJdzJUPPHQ/4wB272ADzlWT6na/MEIpv/JnEhVhw== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_04.pem b/v3/testdata/invalid_business_cat_ok_04.pem new file mode 100644 index 000000000..de1fc6517 --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_04.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + f5:84:73:56:ba:ba:4f:ec:50:12:3d:e2:dc:d9:f3:41 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 15:58:07 2024 GMT + Not After : Apr 9 15:58:07 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Government Entity + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c0:e4:64:9a:ae:8d:62:d8:41:48:49:bc:4a:3c: + 61:62:d8:cd:a2:ac:34:6d:f8:61:4a:ac:d2:28:d5: + 0e:31:10:cf:46:5a:4f:8d:36:4d:da:5b:30:c7:04: + 38:a3:45:44:28:ae:a8:7a:04:24:62:2c:75:c0:4b: + 39:c3:f2:73:27:8c:20:d4:93:d9:0b:92:85:61:77: + 56:88:69:a2:ce:ba:8c:48:2f:26:a8:07:1c:d7:b5: + 85:c3:96:5a:3b:c4:aa:e7:54:f1:54:c0:2a:0b:9d: + bf:e7:7f:2c:54:d6:23:e7:31:e6:4e:a3:4c:24:60: + 62:a6:53:5b:c1:b3:ea:92:23:dc:dc:0d:c1:24:27: + 66:d0:d9:47:fe:76:2c:e3:8e:98:66:78:69:26:2c: + 1c:c0:69:e1:84:31:8c:82:b8:71:3a:13:24:3e:c6: + 4b:ba:a0:bc:1d:de:e0:21:da:69:49:bd:06:e7:de: + 43:47:32:8c:c9:bf:b4:a9:41:6e:59:11:0b:ca:38: + 42:0c:2a:68:9c:f6:04:79:c3:02:d5:80:08:b0:69: + 76:a1:2d:eb:aa:6e:26:2e:52:66:a2:a5:c9:6d:69: + 30:3e:21:fe:b8:77:ab:03:7d:fe:74:2f:61:d3:c0: + 78:bb:91:b5:d3:b7:44:f0:b9:19:07:fc:eb:ea:04: + de:e9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 52:62:84:A0:C2:DF:01:00:50:94:AB:33:95:50:80:2E:14:86:F9:FD + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 3b:6a:06:c5:8c:53:40:a0:44:f4:9d:2e:91:00:f6:a0:8d:31: + 17:80:d4:92:c3:96:e2:eb:10:4b:bd:b2:f4:ed:6e:33:3e:eb: + fa:19:68:8e:06:d3:5c:ca:61:62:83:50:1b:76:b1:36:a2:1b: + af:54:1a:26:ac:54:ab:de:ef:cb:65:49:6d:04:82:2e:4b:17: + 98:f6:b4:28:eb:5d:5e:51:cd:ed:46:88:ae:a2:50:8b:71:15: + 95:af:55:d1:e1:68:5c:51:e6:76:3e:df:ca:75:98:11:68:ed: + 91:2f:d1:f7:e0:3e:03:2f:54:9f:31:eb:0c:ee:ee:ae:c4:83: + 5a:ff:9c:37:5e:17:82:ca:90:71:b7:ec:d1:11:93:a4:c2:f2: + 43:55:3d:e9:24:6b:7f:36:7f:c7:e1:54:b0:16:80:78:ea:f4: + 0b:44:2e:d2:6e:c8:f2:c8:24:9c:7f:7c:c8:42:76:d8:62:c7: + 98:ec:2e:65:8f:f1:b2:4b:4b:5a:7c:b3:c2:a7:8b:81:d3:f0: + bb:7b:43:af:dd:c5:87:fb:7c:44:02:9e:c0:30:3c:a8:ad:ee: + ba:50:f7:16:0d:68:b8:ce:0c:33:b0:f0:84:11:96:00:0e:e5: + 10:bf:ea:43:4c:8d:3e:3e:bc:e5:08:b4:6f:92:52:54:98:4e: + c9:fd:87:5a +-----BEGIN CERTIFICATE----- +MIIEqjCCA5KgAwIBAgIRAPWEc1a6uk/sUBI94tzZ80EwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDA5MTU1ODA3WhcNMjUwNDA5MTU1 +ODA3WjCBpTELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MRowGAYDVQQPExFHb3Zlcm5tZW50IEVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMDkZJqujWLYQUhJvEo8YWLYzaKsNG34YUqs0ijVDjEQz0Za +T402TdpbMMcEOKNFRCiuqHoEJGIsdcBLOcPycyeMINST2QuShWF3Vohpos66jEgv +JqgHHNe1hcOWWjvEqudU8VTAKgudv+d/LFTWI+cx5k6jTCRgYqZTW8Gz6pIj3NwN +wSQnZtDZR/52LOOOmGZ4aSYsHMBp4YQxjIK4cToTJD7GS7qgvB3e4CHaaUm9Bufe +Q0cyjMm/tKlBblkRC8o4QgwqaJz2BHnDAtWACLBpdqEt66puJi5SZqKlyW1pMD4h +/rh3qwN9/nQvYdPAeLuRtdO3RPC5GQf86+oE3ukCAwEAAaOCATQwggEwMA4GA1Ud +DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0O 
+BBYEFFJihKDC3wEAUJSrM5VQgC4Uhvn9MB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5 +VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2Nh +LnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21l +Y2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1UdIAQL +MAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1p +bmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAO2oGxYxTQKBE9J0ukQD2oI0x +F4DUksOW4usQS72y9O1uMz7r+hlojgbTXMphYoNQG3axNqIbr1QaJqxUq97vy2VJ +bQSCLksXmPa0KOtdXlHN7UaIrqJQi3EVla9V0eFoXFHmdj7fynWYEWjtkS/R9+A+ +Ay9UnzHrDO7ursSDWv+cN14XgsqQcbfs0RGTpMLyQ1U96SRrfzZ/x+FUsBaAeOr0 +C0Qu0m7I8sgknH98yEJ22GLHmOwuZY/xsktLWnyzwqeLgdPwu3tDr93Fh/t8RAKe +wDA8qK3uulD3Fg1ouM4MM7DwhBGWAA7lEL/qQ0yNPj685Qi0b5JSVJhOyf2HWg== +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_05.pem b/v3/testdata/invalid_business_cat_ok_05.pem new file mode 100644 index 000000000..62ae9bb9b --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_05.pem 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ef:be:c6:73:71:37:14:07:6d:96:9a:13:02:d0:c1:f6 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 9 15:59:55 2024 GMT + Not After : Apr 9 15:59:55 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Business Entity + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ac:a4:62:57:e7:a0:1e:db:bc:99:99:23:87:08: + 8d:04:ea:c6:e6:a8:ba:a5:22:20:52:de:3e:eb:70: + ae:3f:8f:51:02:c6:1e:a8:02:e2:a9:a7:50:b0:32: + 00:2c:16:9f:9a:06:76:33:68:14:eb:1e:69:c2:59: + dc:ee:58:cb:29:15:bc:5d:3c:7c:50:79:61:c0:fe: + 5d:f4:6e:33:79:21:bf:90:4a:9d:4f:75:7f:4f:89: + a3:1a:f7:48:c9:8f:d9:6d:59:d1:11:5e:8e:6b:74: + bf:02:0d:80:43:d4:8f:74:8c:12:2c:46:81:af:42: + 77:2a:e2:ae:3f:d8:2c:ed:5d:6a:24:2d:72:25:b9: + c5:ac:8b:84:8e:fe:76:98:db:77:97:80:a4:72:eb: + fe:f8:2c:7e:18:24:bf:fb:7f:11:ed:65:7e:cd:26: + 72:29:7b:0a:55:91:93:f0:a3:21:c5:70:46:f2:c0: + 60:fd:38:10:dc:78:7b:c2:8e:a6:2e:0e:64:e8:aa: + 4e:e8:ca:ed:31:75:e1:40:8b:8f:be:80:4a:e8:16: + 18:33:8c:c9:ea:81:41:c9:9f:77:4d:13:fb:94:d0: + cb:2e:45:4a:53:10:49:69:2b:9d:0c:ba:a6:40:04: + fd:5e:9d:d6:32:4b:bf:9a:25:57:d7:54:24:a1:96: + c1:bb + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 81:03:DC:8F:0D:60:C9:8F:13:13:CF:5E:0E:28:DD:AD:7E:89:85:22 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 75:4a:48:5d:93:d1:b8:82:3f:69:85:3c:fe:9c:c8:25:eb:0b: + 31:0d:03:69:65:50:72:84:e1:b4:02:b1:87:87:be:84:ca:50: + 55:ef:03:88:b9:fb:c2:84:e8:06:c4:22:80:4d:7c:d7:a3:a4: + 02:03:67:66:f9:92:e3:f5:4a:30:ab:85:cd:90:52:80:63:b1: + 39:c7:24:6f:34:ce:92:71:41:6e:9b:11:c9:97:f8:00:12:bb: + b0:4f:65:c2:0b:7a:15:6c:ba:54:db:0a:ef:9f:d2:db:60:59: + 2c:07:71:29:a5:f0:48:c8:50:6c:1d:5e:bd:48:75:cf:a3:3d: + 84:92:ee:3c:f8:6e:f4:a2:d8:ec:30:35:df:90:55:f3:9b:99: + 22:ef:4d:a6:e3:b1:b7:bd:80:6b:f8:0c:b8:bc:c5:a8:31:75: + bc:62:f9:ed:6f:cf:8b:b7:c0:33:eb:43:57:81:9e:dc:1f:6b: + 63:1b:d9:d6:40:93:50:4b:f4:72:c9:e8:fa:37:6c:ab:95:e9: + 07:32:10:6a:b2:6d:fd:54:17:c2:83:fa:3a:05:17:fe:72:ea: + f2:cb:ab:eb:8a:3a:35:95:bb:12:77:ab:d6:bd:a0:93:b8:bd: + 08:e3:a0:a7:14:f9:08:bf:de:31:0f:74:05:86:f6:ac:28:58: + 88:82:d3:91 +-----BEGIN CERTIFICATE----- +MIIEqDCCA5CgAwIBAgIRAO++xnNxNxQHbZaaEwLQwfYwDQYJKoZIhvcNAQELBQAw +QzELMAkGA1UEBhMCRVUxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug +Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDA5MTU1OTU1WhcNMjUwNDA5MTU1 +OTU1WjCBozELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv +dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55 +IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUuY29tMRMwEQYDVQQFEwoxMjM0NTY3ODkw +MRgwFgYDVQQPEw9CdXNpbmVzcyBFbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCspGJX56Ae27yZmSOHCI0E6sbmqLqlIiBS3j7rcK4/j1ECxh6o +AuKpp1CwMgAsFp+aBnYzaBTrHmnCWdzuWMspFbxdPHxQeWHA/l30bjN5Ib+QSp1P +dX9PiaMa90jJj9ltWdERXo5rdL8CDYBD1I90jBIsRoGvQncq4q4/2CztXWokLXIl +ucWsi4SO/naY23eXgKRy6/74LH4YJL/7fxHtZX7NJnIpewpVkZPwoyHFcEbywGD9 +OBDceHvCjqYuDmToqk7oyu0xdeFAi4++gEroFhgzjMnqgUHJn3dNE/uU0MsuRUpT +EElpK50MuqZABP1endYyS7+aJVfXVCShlsG7AgMBAAGjggE0MIIBMDAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW 
+BBSBA9yPDWDJjxMTz14OKN2tfomFIjAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU +fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh +LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLmNvbTASBgNVHSAECzAJ +MAcGBWeBDAEBMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5j +LmNvbS9jcmwwDQYJKoZIhvcNAQELBQADggEBAHVKSF2T0biCP2mFPP6cyCXrCzEN +A2llUHKE4bQCsYeHvoTKUFXvA4i5+8KE6AbEIoBNfNejpAIDZ2b5kuP1SjCrhc2Q +UoBjsTnHJG80zpJxQW6bEcmX+AASu7BPZcILehVsulTbCu+f0ttgWSwHcSml8EjI +UGwdXr1Idc+jPYSS7jz4bvSi2OwwNd+QVfObmSLvTabjsbe9gGv4DLi8xagxdbxi ++e1vz4u3wDPrQ1eBntwfa2Mb2dZAk1BL9HLJ6Po3bKuV6QcyEGqybf1UF8KD+joF +F/5y6vLLq+uKOjWVuxJ3q9a9oJO4vQjjoKcU+Qi/3jEPdAWG9qwoWIiC05E= +-----END CERTIFICATE----- diff --git a/v3/testdata/invalid_business_cat_ok_06.pem b/v3/testdata/invalid_business_cat_ok_06.pem new file mode 100644 index 000000000..4efb5273b --- /dev/null +++ b/v3/testdata/invalid_business_cat_ok_06.pem 
@@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 12:a2:26:01:04:14:ff:24:0a:b8:c7:04:9a:78:c9:0a + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing + Validity + Not Before: Apr 22 06:56:29 2024 GMT + Not After : Apr 22 06:56:29 2025 GMT + Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.com, serialNumber = 1234567890, businessCategory = Non-Commercial Entity + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b5:d2:96:c7:09:5d:80:8f:ad:30:b0:3f:fb:ca: + 1d:09:0b:13:e5:e6:24:14:b2:91:5e:bc:42:15:7d: + 47:24:3e:0e:e6:60:4e:04:0d:5d:3a:78:eb:b5:e1: + fd:4f:d9:b5:13:a8:ea:c0:63:66:b1:f4:68:af:7a: + 9b:c5:9f:dd:3d:cc:13:1b:75:58:91:e5:01:a8:d8: + b0:bb:a7:e3:92:65:9a:96:58:6d:54:42:8c:92:c2: + 8b:92:9b:e4:52:8a:b2:42:60:26:32:b5:5a:01:9b: + 73:67:23:39:b0:2a:0f:dd:d8:81:62:53:84:40:5a: + 91:3a:55:27:70:d5:34:62:cc:fd:d3:03:15:a3:4b: + c4:bc:53:c7:2c:09:9b:c9:c8:1b:57:24:aa:26:fc: + 29:5f:db:bb:18:ac:d2:3d:20:ce:8c:64:10:8f:a2: + 59:92:3d:ca:03:d3:35:43:49:2e:bb:ec:f7:90:6d: + 72:10:88:9e:05:63:e7:8e:42:e5:6c:36:61:32:8f: + 9a:87:7e:44:aa:05:90:7a:b8:1d:2b:06:ab:ce:9e: + 06:29:66:97:1d:51:60:a5:59:07:54:0a:f3:c4:e5: + 17:75:a1:2f:ee:ac:53:59:08:f6:3e:fe:5c:c1:b4: + 17:aa:4a:28:e2:3c:e9:2a:59:25:59:a3:d2:23:6a: + fc:77 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Key Identifier: + 27:4C:59:23:A0:44:FE:B8:95:AB:E1:66:55:97:DB:2C:22:42:68:85 + X509v3 Authority Key Identifier: + keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E + + Authority Information Access: + OCSP - URI:http://ca.someca-inc.com/ocsp + CA Issuers - URI:http://ca.someca-inc.com/root + + X509v3 Subject Alternative Name: + 
DNS:example.com + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://ca.someca-inc.com/crl + + Signature Algorithm: sha256WithRSAEncryption + 37:61:27:c7:b0:10:5b:9f:fe:7e:61:b4:a5:98:c3:8b:1c:3f: + 46:99:21:da:bc:c9:c0:8b:0f:30:18:0a:d2:c7:64:cc:32:3c: + 3e:13:f2:17:c4:fb:a8:47:f2:4b:f6:40:7b:2a:88:1d:ea:6d: + c1:07:6f:f4:f4:08:b9:31:ea:d2:97:c0:e8:a7:fa:97:1e:08: + 39:6a:c7:78:e6:6a:92:9b:dc:93:75:88:19:cb:0a:27:0f:16: + 0c:0e:bd:a3:2d:3e:c1:5c:5c:89:85:f6:b1:5d:fc:6c:82:3f: + fb:a4:45:67:a5:9d:43:f8:a1:85:cf:fe:5f:ff:c6:99:d6:da: + 2f:f3:b2:11:0b:80:46:3a:2f:8e:4e:66:b0:29:62:31:6b:ea: + 54:0a:2f:9b:b0:0c:a7:cf:06:9e:48:ee:5b:81:d8:0c:07:7f: + 58:d3:f0:5e:b4:da:99:93:7e:32:f6:d4:a5:af:da:5c:a0:71: + eb:91:4b:1c:80:22:ba:14:e0:db:65:50:8f:8e:da:76:90:94: + 68:45:43:7a:97:29:13:6e:a5:cf:ce:d3:64:c5:35:f6:32:f4: + d6:af:0c:ce:0f:e5:6e:08:7d:51:3e:92:3c:6f:80:4e:c7:38: + 3c:9f:68:b2:72:ca:98:f7:bd:e3:67:75:fb:16:e9:8e:84:db: + aa:a1:d5:09 +-----BEGIN CERTIFICATE----- +MIIErTCCA5WgAwIBAgIQEqImAQQU/yQKuMcEmnjJCjANBgkqhkiG9w0BAQsFADBD +MQswCQYDVQQGEwJFVTEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD +QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MjIwNjU2MjlaFw0yNTA0MjIwNjU2 +MjlaMIGpMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92 +aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg +THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20xEzARBgNVBAUTCjEyMzQ1Njc4OTAx +HjAcBgNVBA8TFU5vbi1Db21tZXJjaWFsIEVudGl0eTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALXSlscJXYCPrTCwP/vKHQkLE+XmJBSykV68QhV9RyQ+ +DuZgTgQNXTp467Xh/U/ZtROo6sBjZrH0aK96m8Wf3T3MExt1WJHlAajYsLun45Jl +mpZYbVRCjJLCi5Kb5FKKskJgJjK1WgGbc2cjObAqD93YgWJThEBakTpVJ3DVNGLM +/dMDFaNLxLxTxywJm8nIG1ckqib8KV/buxis0j0gzoxkEI+iWZI9ygPTNUNJLrvs +95BtchCIngVj545C5Ww2YTKPmod+RKoFkHq4HSsGq86eBilmlx1RYKVZB1QK88Tl +F3WhL+6sU1kI9j7+XMG0F6pKKOI86SpZJVmj0iNq/HcCAwEAAaOCATQwggEwMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYD 
+VR0OBBYEFCdMWSOgRP64lavhZlWX2ywiQmiFMB8GA1UdIwQYMBaAFOi29nZL0Dvl +RqX5VNR+B7PeDWA+MGQGCCsGAQUFBwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDov +L2NhLnNvbWVjYS1pbmMuY29tL29jc3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5z +b21lY2EtaW5jLmNvbS9yb290MBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMBIGA1Ud +IAQLMAkwBwYFZ4EMAQEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVj +YS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAN2Enx7AQW5/+fmG0pZjD +ixw/Rpkh2rzJwIsPMBgK0sdkzDI8PhPyF8T7qEfyS/ZAeyqIHeptwQdv9PQIuTHq +0pfA6Kf6lx4IOWrHeOZqkpvck3WIGcsKJw8WDA69oy0+wVxciYX2sV38bII/+6RF +Z6WdQ/ihhc/+X//GmdbaL/OyEQuARjovjk5msCliMWvqVAovm7AMp88GnkjuW4HY +DAd/WNPwXrTamZN+MvbUpa/aXKBx65FLHIAiuhTg22VQj47adpCUaEVDepcpE26l +z87TZMU19jL01q8Mzg/lbgh9UT6SPG+ATsc4PJ9osnLKmPe942d1+xbpjoTbqqHV +CQ== +-----END CERTIFICATE-----