diff --git a/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go b/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go new file mode 100644 index 000000000..196f658e2 --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go 
@@ -0,0 +1,83 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterLint(&lint.Lint{ + Name: "e_ecpublickey_key_usages", + Description: "For signing only, bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. For key management only, bit positions SHALL be set for keyEncipherment.For dual use, bit positions SHALL be set for digitalSignature and keyEncipherment and MAY be set for nonRepudiation.", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + Lint: NewECPublicKeyKeyUsages, + }) +} + +type ecPublicKeyKeyUsages struct{} + +func NewECPublicKeyKeyUsages() lint.LintInterface { + return &ecPublicKeyKeyUsages{} +} + +func (l *ecPublicKeyKeyUsages) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) && c.PublicKeyAlgorithm == x509.ECDSA +} + +func (l *ecPublicKeyKeyUsages) Execute(c *x509.Certificate) *lint.LintResult { + const ( + signing = iota + 1 + keyManagement + dualUsage + ) + + certType := 0 + if util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) { + certType |= signing + } + if util.HasKeyUsage(c, x509.KeyUsageKeyAgreement) { + 
certType |= keyManagement + } + + switch certType { + case signing: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case keyManagement: + mask := 0x1FF ^ (x509.KeyUsageKeyAgreement | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case dualUsage: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyAgreement | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + default: + return &lint.LintResult{Status: lint.NA} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages_test.go b/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages_test.go new file mode 100644 index 000000000..5aa04b112 --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages_test.go 
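Review bot: The `Description` string does not match what `Execute` checks: it says key-management and dual-use certificates SHALL set keyEncipherment, while the code tests `x509.KeyUsageKeyAgreement` and also permits `x509.KeyUsageEncipherOnly` and `x509.KeyUsageDecipherOnly`, and the companion test names say keyAgreement. The text looks copied from the RSA lint, and it is what an operator reads when this lint fires, so it should name the bits that are actually enforced, e.g. `For key management only, bit positions SHALL be set for keyAgreement and MAY be set for encipherOnly or decipherOnly.` (exact wording to be confirmed against the cited section 7.1.2.3.e). There is also a missing space in `keyEncipherment.For dual use`.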
@@ -0,0 +1,89 @@ +package cabf_smime_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestECPublicKeyKeyUsage(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "pass - cert with digitalSignature KU", + InputFilename: "smime/ec_legacy_digital_signature_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with digitalSignature and contentCommitment KUs", + InputFilename: "smime/ec_multipurpose_digital_signature_content_commitment_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with keyAgreement KU", + InputFilename: "smime/ec_strict_key_agreement_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with keyAgreement and encipherOnly KUs", + InputFilename: "smime/ec_legacy_key_agreement_encipher_only_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with keyAgreement and decipherOnly KUs", + InputFilename: "smime/ec_multipurpose_key_agreement_decipher_only.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with digitalSignature, keyAgreement, contentCommitment, and encipherOnly KUs", + InputFilename: "smime/ec_strict_digital_signature_key_agreement_content_commitment_encipher_only_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with digitalSignature, keyAgreement, contentCommitment, and decipherOnly KUs", + InputFilename: "smime/ec_legacy_digital_signature_key_agreement_content_commitment_decipher_only_ku.pem", + ExpectedResult: lint.Pass, + }, { + Name: "NA - cert without KUs", + InputFilename: "smime/without_subject_alternative_name.pem", + ExpectedResult: lint.NA, + }, + { + Name: "NA - Certificate without digitalSignature or keyAgreement KUs", + InputFilename: "smime/ec_strict_cert_sign_ku.pem", + ExpectedResult: lint.NA, + }, + { + Name: "NE - certificate with valid KUs dated before 2020-09-01", + InputFilename: 
"smime/ec_multipurpose_valid_ku_august_2023.pem", + ExpectedResult: lint.NE, + }, + { + Name: "Error - Signing Certificate with unexpected KU", + InputFilename: "smime/ec_strict_digital_signature_cert_sign_ku.pem", + ExpectedResult: lint.Error, + }, + { + Name: "Error - Key Management Certificate with unexpected KU", + InputFilename: "smime/ec_legacy_key_agreement_cert_sign_ku.pem", + ExpectedResult: lint.Error, + }, + { + Name: "Error - Dual Use Certificate with unexpected KU", + InputFilename: "smime/ec_multipurpose_digital_signature_key_agreement_cert_sign_ku.pem", + ExpectedResult: lint.Error, + }, + } + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_ecpublickey_key_usages", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go b/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go new file mode 100644 index 000000000..612b2b27c --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go 
@@ -0,0 +1,54 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterLint(&lint.Lint{ + Name: "e_ec_other_key_usages", + Description: "Other bit positions SHALL NOT be set.", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + Lint: NewECOtherKeyUsages, + }) +} + +type ecOtherKeyUsages struct{} + +func NewECOtherKeyUsages() lint.LintInterface { + return &ecOtherKeyUsages{} +} + +func (l *ecOtherKeyUsages) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) && c.PublicKeyAlgorithm == x509.ECDSA +} + +func (l *ecOtherKeyUsages) Execute(c *x509.Certificate) *lint.LintResult { + if !(util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) || util.HasKeyUsage(c, x509.KeyUsageKeyAgreement)) { + if c.KeyUsage != 0 { + return &lint.LintResult{Status: lint.Error} + } + + return &lint.LintResult{Status: lint.NA} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages_test.go b/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages_test.go new file mode 100644 index 000000000..9a1d13183 --- /dev/null 
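Review bot: `Execute` returns `lint.Pass` for any certificate that has digitalSignature or keyAgreement set, whatever else is in `c.KeyUsage`, so on its own this lint does not enforce its Description, `Other bit positions SHALL NOT be set.`; the per-bit masks live in `e_ecpublickey_key_usages`. A doc comment on `Execute` should say so, for example `// Execute reports Error only when key usage bits are set but neither digitalSignature nor keyAgreement is; extra bits alongside those are checked by e_ecpublickey_key_usages.` It is also worth a comment that a keyUsage extension with no bits set is returned as `lint.NA` from inside `Execute` rather than filtered in `CheckApplies`, so a reader does not take that path for an oversight.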
+++ b/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages_test.go @@ -0,0 +1,50 @@ +package cabf_smime_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestECOtherKeyUsages(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "pass - cert with digitalSignature KU", + InputFilename: "smime/ec_legacy_digital_signature_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "NE - certificate with valid KUs dated before 2020-09-01", + InputFilename: "smime/ec_multipurpose_valid_ku_august_2023.pem", + ExpectedResult: lint.NE, + }, + { + Name: "NA - cert without KUs", + InputFilename: "smime/without_subject_alternative_name.pem", + ExpectedResult: lint.NA, + }, + { + Name: "NA - cert with KU extension but no KU bits set", + InputFilename: "smime/ec_no_key_usages.pem", + ExpectedResult: lint.NA, + }, + { + Name: "Error - Certificate with non-zero KUs without digitalSignature or keyEncipherment KUs", + InputFilename: "smime/ec_strict_cert_sign_ku.pem", + ExpectedResult: lint.Error, + }, + } + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_ec_other_key_usages", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go b/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go new file mode 100644 index 000000000..3b1d2cfaf --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go 
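Review bot: The NE case is named `dated before 2020-09-01` while its fixture is `smime/ec_multipurpose_valid_ku_august_2023.pem` and the lint's effective date is `util.CABF_SMIME_BRs_1_0_0_Date`, so the year in the name looks wrong; the same name appears in the other test tables in this commit (lint_ecpublickey_key_usages_test.go and the Edwards, criticality, presence and RSA tests). In this table the Error case name also says keyEncipherment where the lint checks keyAgreement; it should read `"Error - Certificate with non-zero KUs without digitalSignature or keyAgreement KUs"`. The `NA - cert without KUs` entry relies on `smime/without_subject_alternative_name.pem`, whose name does not say which property makes the lint not applicable, so a short comment on that entry would help.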
@@ -0,0 +1,56 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterLint(&lint.Lint{ + Name: "e_edwardspublickey_key_usages", + Description: "Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation.", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + Lint: NewEdwardsPublicKeyKeyUsages, + }) +} + +type edwardsPublicKeyKeyUsages struct{} + +func NewEdwardsPublicKeyKeyUsages() lint.LintInterface { + return &edwardsPublicKeyKeyUsages{} +} + +func (l *edwardsPublicKeyKeyUsages) CheckApplies(c *x509.Certificate) bool { + // TODO add support for curve448 certificate linting + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) && c.PublicKeyAlgorithm == x509.Ed25519 +} + +func (l *edwardsPublicKeyKeyUsages) Execute(c *x509.Certificate) *lint.LintResult { + if !util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) { + return &lint.LintResult{Status: lint.Error} + } + + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + return &lint.LintResult{Status: lint.Pass} +} 
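Review bot: Both failure paths in `Execute` return a bare `lint.Error`, so a report cannot distinguish a missing digitalSignature bit from an unexpected extra bit. `lint.LintResult` has a `Details` field (the tests print it), so I would fill it, e.g. `return &lint.LintResult{Status: lint.Error, Details: "digitalSignature key usage bit is not set"}`, with a matching message for the mask check. The same applies to the Error returns in the EC and RSA key-usage lints in this commit. A one-line comment on `0x1FF` saying it is meant to cover every keyUsage bit position would also make the mask easier to audit.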
diff --git a/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages_test.go b/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages_test.go new file mode 100644 index 000000000..06cd06438 --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages_test.go @@ -0,0 +1,55 @@ +package cabf_smime_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestEdwardsPublicKeyKeyUsages(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "pass - cert with digitalSignature KU", + InputFilename: "smime/ed25519_legacy_digital_signature_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with digitalSignature and contentCommitment KUs", + InputFilename: "smime/ed25519_multipurpose_digital_signature_content_commitment_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "NA - non-SMIME BR cert", + InputFilename: "smime/domainValidatedWithEmailCommonName.pem", + ExpectedResult: lint.NA, + }, + { + Name: "NA - RSA cert", + InputFilename: "smime/rsa_strict_digital_signature_ku.pem", + ExpectedResult: lint.NA, + }, + { + Name: "NE - certificate with KU extension dated before 2020-09-01", + InputFilename: "smime/ed25519_strict_valid_ku_august_2023.pem", + ExpectedResult: lint.NE, + }, + { + Name: "Error - Certificate without digitalSignature KU", + InputFilename: "smime/ed25519_strict_cert_sign_ku.pem", + ExpectedResult: lint.Error, + }, + } + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_edwardspublickey_key_usages", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_smime_br/lint_key_usage_criticality.go b/v3/lints/cabf_smime_br/lint_key_usage_criticality.go new file mode 100644 index 000000000..3f092dc41 
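Review bot: No case in this table reaches the mask check in `edwardsPublicKeyKeyUsages.Execute`: the only Error fixture, `smime/ed25519_strict_cert_sign_ku.pem`, is described as lacking digitalSignature and so fails on the first branch. A case with digitalSignature plus a disallowed bit, expecting `lint.Error`, would cover the second branch, which is the one that rejects over-permissive key usages.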
--- /dev/null +++ b/v3/lints/cabf_smime_br/lint_key_usage_criticality.go @@ -0,0 +1,52 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterLint(&lint.Lint{ + Name: "w_key_usage_criticality", + Description: "keyUsage... This extension SHOULD be marked critical", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + Lint: NewKeyUsageCriticality, + }) +} + +type keyUsageCriticality struct{} + +func NewKeyUsageCriticality() lint.LintInterface { + return &keyUsageCriticality{} +} + +func (l *keyUsageCriticality) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) + +} + +func (l *keyUsageCriticality) Execute(c *x509.Certificate) *lint.LintResult { + kuExt := util.GetExtFromCert(c, util.KeyUsageOID) + if !kuExt.Critical { + return &lint.LintResult{Status: lint.Warn} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/v3/lints/cabf_smime_br/lint_key_usage_criticality_test.go b/v3/lints/cabf_smime_br/lint_key_usage_criticality_test.go new file mode 100644 index 000000000..8d5272b28 --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_key_usage_criticality_test.go 
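Review bot: `Execute` reads `kuExt.Critical` without checking the result of `util.GetExtFromCert`, which is safe only because `CheckApplies` requires `util.IsExtInCert(c, util.KeyUsageOID)`. I would record that dependency at the dereference, `// kuExt is non-nil: CheckApplies only admits certificates carrying the keyUsage extension.`, or, if the helper returns nil for an absent extension (not visible here), guard it with `if kuExt == nil { return &lint.LintResult{Status: lint.NA} }`. There is also a stray blank line before the closing brace of `CheckApplies`.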
@@ -0,0 +1,45 @@ +package cabf_smime_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestKeyUsageCriticality(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "pass - cert with critical KU extension", + InputFilename: "smime/rsa_strict_digital_signature_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "NA - non-SMIME BR cert", + InputFilename: "smime/domainValidatedWithEmailCommonName.pem", + ExpectedResult: lint.NA, + }, + { + Name: "NE - certificate with KU extension dated before 2020-09-01", + InputFilename: "smime/rsa_strict_valid_ku_august_2023.pem", + ExpectedResult: lint.NE, + }, + { + Name: "Warn - certificate with non-critical KU extension", + InputFilename: "smime/with_non_critical_ku_extension.pem", + ExpectedResult: lint.Warn, + }, + } + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("w_key_usage_criticality", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_smime_br/lint_key_usage_presence.go b/v3/lints/cabf_smime_br/lint_key_usage_presence.go new file mode 100644 index 000000000..b4d529fe5 --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_key_usage_presence.go 
@@ -0,0 +1,50 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterLint(&lint.Lint{ + Name: "e_key_usage_presence", + Description: "keyUsage (SHALL be present)", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + Lint: NewKeyUsagePresence, + }) +} + +type keyUsagePresence struct{} + +func NewKeyUsagePresence() lint.LintInterface { + return &keyUsagePresence{} +} + +func (l *keyUsagePresence) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) +} + +func (l *keyUsagePresence) Execute(c *x509.Certificate) *lint.LintResult { + if util.HasKeyUsageOID(c) { + return &lint.LintResult{Status: lint.Pass} + } + + return &lint.LintResult{Status: lint.Error} +} diff --git a/v3/lints/cabf_smime_br/lint_key_usage_presence_test.go b/v3/lints/cabf_smime_br/lint_key_usage_presence_test.go new file mode 100644 index 000000000..fc18c23e4 --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_key_usage_presence_test.go 
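Review bot: The presence check here is `util.HasKeyUsageOID(c)`, while every other lint in this commit asks the same question with `util.IsExtInCert(c, util.KeyUsageOID)`. Unless the two helpers differ in a way that matters here, using one form throughout, `if util.IsExtInCert(c, util.KeyUsageOID) {`, makes it obvious that this lint's Error and the other lints' `CheckApplies` gate on the same condition. The lint name `e_key_usage_presence` also gives no hint that it is scoped to S/MIME BR subscriber certificates; a doc comment on `keyUsagePresence` stating that scope would help.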
@@ -0,0 +1,45 @@ +package cabf_smime_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestKeyUsagePresence(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "pass - cert with KU extension", + InputFilename: "smime/rsa_strict_digital_signature_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "NA - non-SMIME BR cert", + InputFilename: "smime/domainValidatedWithEmailCommonName.pem", + ExpectedResult: lint.NA, + }, + { + Name: "NE - certificate with KU extension dated before 2020-09-01", + InputFilename: "smime/rsa_strict_valid_ku_august_2023.pem", + ExpectedResult: lint.NE, + }, + { + Name: "Error - certificate without KU extension", + InputFilename: "smime/mailboxValidatedLegacyWithCommonName.pem", + ExpectedResult: lint.Error, + }, + } + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_key_usage_presence", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go b/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go new file mode 100644 index 000000000..333ad8bd7 --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go 
@@ -0,0 +1,90 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "crypto/rsa" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterLint(&lint.Lint{ + Name: "e_rsa_key_usage_legacy_multipurpose", + Description: "For signing only, bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. For key management only, bit positions SHALL be set for keyEncipherment and MAY be set for dataEncipherment. 
For dual use, bit positions SHALL be set for digitalSignature and keyEncipherment and MAY be set for nonRepudiation and dataEncipherment.", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + Lint: NewRSAKeyUsageLegacyMultipurpose, + }) +} + +type rsaKeyUsageLegacyMultipurpose struct{} + +func NewRSAKeyUsageLegacyMultipurpose() lint.LintInterface { + return &rsaKeyUsageLegacyMultipurpose{} +} + +func (l *rsaKeyUsageLegacyMultipurpose) CheckApplies(c *x509.Certificate) bool { + if !(util.IsSubscriberCert(c) && (util.IsLegacySMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) && util.IsExtInCert(c, util.KeyUsageOID)) { + return false + } + + _, ok := c.PublicKey.(*rsa.PublicKey) + return ok && c.PublicKeyAlgorithm == x509.RSA +} + +func (l *rsaKeyUsageLegacyMultipurpose) Execute(c *x509.Certificate) *lint.LintResult { + const ( + signing = iota + 1 + keyManagement + dualUsage + ) + + certType := 0 + if util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) { + certType |= signing + } + if util.HasKeyUsage(c, x509.KeyUsageKeyEncipherment) { + certType |= keyManagement + } + + switch certType { + case signing: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case keyManagement: + mask := 0x1FF ^ (x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case dualUsage: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + default: + return &lint.LintResult{Status: lint.NA} + } + + return &lint.LintResult{Status: lint.Pass} +} 
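Review bot: The `default` branch returns `lint.NA` when the keyUsage extension is present but neither digitalSignature nor keyEncipherment is set, so an RSA subscriber certificate asserting only other bits produces no finding from this lint; the companion test expects NA for `smime/rsa_multipurpose_cert_sign_ku.pem`. For EC keys the same situation is reported as Error by `e_ec_other_key_usages`, but no RSA counterpart is visible in this diff. Either make `default` return `&lint.LintResult{Status: lint.Error}` when `c.KeyUsage != 0`, or add the RSA equivalent of the EC lint. `lint_rsa_key_usage_strict.go` has the same branch.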
diff --git a/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose_test.go b/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose_test.go new file mode 100644 index 000000000..1f8fb5a0a --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose_test.go 
@@ -0,0 +1,80 @@ +package cabf_smime_br + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestRSAKeyUsageLegacyMultipurpose(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult lint.LintStatus + }{ + { + Name: "pass - cert with digitalSignature KU", + InputFilename: "smime/rsa_legacy_digital_signature_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with digitalSignature and contentCommitment KUs", + InputFilename: "smime/rsa_multipurpose_digital_signature_content_commitment_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with keyEncipherment KU", + InputFilename: "smime/rsa_legacy_key_encipherment_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with keyEncipherment and dataEncipherment KU", + InputFilename: "smime/rsa_multipurpose_key_encipherment_data_encipherment_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "pass - cert with digitalSignature, keyEncipherment, contentCommitment, and dataEncipherment KUs", + InputFilename: "smime/rsa_legacy_digital_signature_key_encipherment_content_commitment_data_encipherment_ku.pem", + ExpectedResult: lint.Pass, + }, + { + Name: "NA - cert without KUs", + InputFilename: "smime/without_subject_alternative_name.pem", + ExpectedResult: lint.NA, + }, + { + Name: "NA - certificate without digitalSignature or keyEncipherment KUs", + InputFilename: "smime/rsa_multipurpose_cert_sign_ku.pem", + ExpectedResult: lint.NA, + }, + { + Name: "NE - certificate with valid KUs dated before 2020-09-01", + InputFilename: "smime/rsa_multipurpose_valid_ku_august_2023.pem", + ExpectedResult: lint.NE, + }, + { + Name: "Error - Signing Certificate with unexpected KU", + InputFilename: "smime/rsa_legacy_digital_signature_cert_sign_ku.pem", + ExpectedResult: lint.Error, + }, + { + Name: "Error - Key Management Certificate with unexpected KU", + InputFilename: 
"smime/rsa_multipurpose_key_encipherment_cert_sign_ku.pem", + ExpectedResult: lint.Error, + }, + { + Name: "Error - Dual Use Certificate with unexpected KU", + InputFilename: "smime/rsa_legacy_digital_signature_key_encipherment_cert_sign_ku.pem", + ExpectedResult: lint.Error, + }, + } + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + result := test.TestLint("e_rsa_key_usage_legacy_multipurpose", tc.InputFilename) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) + } + }) + } +} diff --git a/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go b/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go new file mode 100644 index 000000000..1239f4d8f --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go 
@@ -0,0 +1,90 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "crypto/rsa" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterLint(&lint.Lint{ + Name: "e_rsa_key_usage_strict", + Description: "For signing only, bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. For key management only, bit positions SHALL be set for keyEncipherment. 
For dual use, bit positions SHALL be set for digitalSignature and keyEncipherment and MAY be set for nonRepudiation.", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + Lint: NewRSAKeyUsageStrict, + }) +} + +type rsaKeyUsageStrict struct{} + +func NewRSAKeyUsageStrict() lint.LintInterface { + return &rsaKeyUsageStrict{} +} + +func (l *rsaKeyUsageStrict) CheckApplies(c *x509.Certificate) bool { + if !(util.IsSubscriberCert(c) && util.IsStrictSMIMECertificate(c) && util.IsExtInCert(c, util.KeyUsageOID)) { + return false + } + + _, ok := c.PublicKey.(*rsa.PublicKey) + return ok && c.PublicKeyAlgorithm == x509.RSA +} + +func (l *rsaKeyUsageStrict) Execute(c *x509.Certificate) *lint.LintResult { + const ( + signing = iota + 1 + keyManagement + dualUsage + ) + + certType := 0 + if util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) { + certType |= signing + } + if util.HasKeyUsage(c, x509.KeyUsageKeyEncipherment) { + certType |= keyManagement + } + + switch certType { + case signing: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case keyManagement: + mask := 0x1FF ^ (x509.KeyUsageKeyEncipherment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case dualUsage: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + default: + return &lint.LintResult{Status: lint.NA} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict_test.go b/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict_test.go new file mode 100644 index 000000000..599833d7b --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict_test.go 
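Review bot: `signing`, `keyManagement` and `dualUsage` are declared with `iota + 1` (1, 2, 3) but combined with `|=`, so the `dualUsage` case matches only because 1|2 happens to equal 3. Writing the flags explicitly, `signing = 1 << iota`, `keyManagement`, `dualUsage = signing | keyManagement`, states the intent and keeps working if a constant is added later. The same block is repeated in lint_ecpublickey_key_usages.go and lint_rsa_key_usage_legacy_multipurpose.go, and the three `Execute` bodies differ only in their allowed-bit sets, so a shared helper that takes the allowed mask would remove the duplication.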
@@ -0,0 +1,75 @@
+package cabf_smime_br
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestRSAKeyUsageStrict(t *testing.T) {
+ testCases := []struct {
+ Name string
+ InputFilename string
+ ExpectedResult lint.LintStatus
+ }{
+ {
+ Name: "pass - cert with digitalSignature KU",
+ InputFilename: "smime/rsa_strict_digital_signature_ku.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "pass - cert with digitalSignature and contentCommitment KUs",
+ InputFilename: "smime/rsa_strict_digital_signature_content_commitment_ku.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "pass - cert with keyEncipherment KU",
+ InputFilename: "smime/rsa_strict_key_encipherment_ku.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "pass - cert with digitalSignature, keyEncipherment, and contentCommitment KUs",
+ InputFilename: "smime/rsa_strict_digital_signature_key_encipherment_content_commitment_ku.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "NA - cert without KUs",
+ InputFilename: "smime/without_subject_alternative_name.pem",
+ ExpectedResult: lint.NA,
+ },
+ {
+ Name: "NA - Certificate without digitalSignature or keyEncipherment KUs",
+ InputFilename: "smime/rsa_strict_cert_sign_ku.pem",
+ ExpectedResult: lint.NA,
+ },
+ {
+ Name: "NE - certificate with valid KUs dated before 2020-09-01",
+ InputFilename: "smime/rsa_strict_valid_ku_august_2023.pem",
+ ExpectedResult: lint.NE,
+ },
+ {
+ Name: "Error - Signing Certificate with unexpected KU",
+ InputFilename: "smime/rsa_strict_digital_signature_cert_sign_ku.pem",
+ ExpectedResult: lint.Error,
+ },
+ {
+ Name: "Error - Key Management Certificate with unexpected KU",
+ InputFilename: "smime/rsa_strict_key_encipherment_cert_sign_ku.pem",
+ ExpectedResult: lint.Error,
+ },
+ {
+ Name: "Error - Dual Use Certificate with unexpected KU",
+ InputFilename: "smime/rsa_strict_digital_signature_key_encipherment_cert_sign_ku.pem",
+ ExpectedResult: lint.Error,
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.Name, func(t *testing.T) {
+ result := test.TestLint("e_rsa_key_usage_strict", tc.InputFilename)
+ if result.Status != tc.ExpectedResult {
+ t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+ }
+ })
+ }
+}
diff --git a/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go b/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go
new file mode 100644
index 000000000..9ceef5ab9
--- /dev/null
+++ b/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go
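Review bot: The case named `NE - certificate with valid KUs dated before 2020-09-01` loads `smime/rsa_strict_valid_ku_august_2023.pem`, so the date in the name does not describe the fixture; a name such as `NE - certificate with valid KUs issued before the lint's effective date` would stay correct. `NA - cert without KUs` reuses `smime/without_subject_alternative_name.pem`, which presumably works only because that unrelated fixture happens to lack a key usage extension; a dedicated fixture or a comment would make the dependency explicit. Both remarks apply equally to `TestRSAOtherKeyUsages` in `lint_rsa_other_key_usages_test.go`. The table here also has no passing dual-use case with only digitalSignature and keyEncipherment set.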
@@ -0,0 +1,61 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "crypto/rsa"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterLint(&lint.Lint{
+ Name: "e_rsa_other_key_usages",
+ Description: "Other bit positions SHALL NOT be set.",
+ Citation: "7.1.2.3.e",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ Lint: NewRSAOtherKeyUsages,
+ })
+}
+
+type rsaOtherKeyUsages struct{}
+
+func NewRSAOtherKeyUsages() lint.LintInterface {
+ return &rsaOtherKeyUsages{}
+}
+
+func (l *rsaOtherKeyUsages) CheckApplies(c *x509.Certificate) bool {
+ if !(util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID)) {
+ return false
+ }
+
+ _, ok := c.PublicKey.(*rsa.PublicKey)
+ return ok && c.PublicKeyAlgorithm == x509.RSA
+}
+
+func (l *rsaOtherKeyUsages) Execute(c *x509.Certificate) *lint.LintResult {
+ if !(util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) || util.HasKeyUsage(c, x509.KeyUsageKeyEncipherment)) {
+ if c.KeyUsage != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ return &lint.LintResult{Status: lint.NA}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
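Review bot: `Execute` returns `lint.Pass` as soon as digitalSignature or keyEncipherment is set and never looks at the remaining bits, so on its own this lint enforces "Other bit positions SHALL NOT be set" only for certificates carrying neither bit. That is presumably intentional, with the policy-specific key usage lints covering the other cases, but nothing in the file says so; a comment above the check such as `// Certificates with digitalSignature or keyEncipherment are validated by the policy-specific RSA key usage lints; only the remaining case is handled here.` would stop a reader from assuming full coverage. A key usage extension with no bits set yields NA rather than a finding, which deserves a word in the same comment. The `lint.Error` result also carries no `Details`.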
diff --git a/v3/lints/cabf_smime_br/lint_rsa_other_key_usages_test.go b/v3/lints/cabf_smime_br/lint_rsa_other_key_usages_test.go
new file mode 100644
index 000000000..f2a9b4e15
--- /dev/null
+++ b/v3/lints/cabf_smime_br/lint_rsa_other_key_usages_test.go
@@ -0,0 +1,50 @@
+package cabf_smime_br
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestRSAOtherKeyUsages(t *testing.T) {
+ testCases := []struct {
+ Name string
+ InputFilename string
+ ExpectedResult lint.LintStatus
+ }{
+ {
+ Name: "pass - cert with digitalSignature KU",
+ InputFilename: "smime/rsa_legacy_digital_signature_ku.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "NE - certificate with valid KUs dated before 2020-09-01",
+ InputFilename: "smime/rsa_multipurpose_valid_ku_august_2023.pem",
+ ExpectedResult: lint.NE,
+ },
+ {
+ Name: "NA - cert without KUs",
+ InputFilename: "smime/without_subject_alternative_name.pem",
+ ExpectedResult: lint.NA,
+ },
+ {
+ Name: "NA - cert with KU extension but no KU bits set",
+ InputFilename: "smime/rsa_no_key_usages.pem",
+ ExpectedResult: lint.NA,
+ },
+ {
+ Name: "Error - Certificate with non-zero KUs without digitalSignature or keyEncipherment KUs",
+ InputFilename: "smime/rsa_multipurpose_cert_sign_ku.pem",
+ ExpectedResult: lint.Error,
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.Name, func(t *testing.T) {
+ result := test.TestLint("e_rsa_other_key_usages", tc.InputFilename)
+ if result.Status != tc.ExpectedResult {
+ t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+ }
+ })
+ }
+}
diff --git a/v3/testdata/smime/ec_legacy_digital_signature_key_agreement_content_commitment_decipher_only_ku.pem b/v3/testdata/smime/ec_legacy_digital_signature_key_agreement_content_commitment_decipher_only_ku.pem
new file mode 100644
index 000000000..309d52af8
--- /dev/null
+++ b/v3/testdata/smime/ec_legacy_digital_signature_key_agreement_content_commitment_decipher_only_ku.pem @@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:7b:7c:7a:dc:e9:49:79:0c:91:ee:0e:84:7c:8b: + ee:ae:f2:cb:33:03:ea:e3:59:87:09:98:e3:13:20: + cf:fa:a7:1a:ea:6f:0d:06:0b:54:1f:57:b5:9c:09: + ce:0d:cc:85:68:8e:7a:1e:7b:a4:ca:16:55:95:dc: + 07:f1:d8:93:63 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Agreement, Decipher Only + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.4.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:4f:dd:da:4e:eb:05:f8:fa:bc:eb:02:7b:dc:dc: + 60:0a:65:9a:a9:a1:da:fe:d7:fd:4c:94:2c:75:35:0f:a0:dc: + 02:21:00:b7:d2:66:d8:f5:ea:27:f0:00:e2:0c:1f:be:63:e0: + 5c:17:29:20:69:ea:d5:74:1b:31:be:b1:92:79:c3:86:ff +-----BEGIN CERTIFICATE----- +MIIBGTCBwKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7fHrc +6Ul5DJHuDoR8i+6u8sszA+rjWYcJmOMTIM/6pxrqbw0GC1QfV7WcCc4NzIVojnoe +e6TKFlWV3Afx2JNjoykwJzAPBgNVHQ8BAf8EBQMDAMiAMBQGA1UdIAQNMAswCQYH +Z4EMAQUEATAKBggqhkjOPQQDAgNIADBFAiBP3dpO6wX4+rzrAnvc3GAKZZqpodr+ +1/1MlCx1NQ+g3AIhALfSZtj16ifwAOIMH75j4FwXKSBp6tV0GzG+sZJ5w4b/ +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ec_legacy_digital_signature_ku.pem b/v3/testdata/smime/ec_legacy_digital_signature_ku.pem new file mode 100644 index 000000000..8dc858e4f --- /dev/null +++ b/v3/testdata/smime/ec_legacy_digital_signature_ku.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:78:5e:77:0b:51:ee:62:51:97:e8:4b:e0:ec:68: + ad:96:d0:7a:72:55:42:5c:70:3b:53:8b:de:3f:70: + 9e:67:1d:64:56:77:c6:88:39:07:f9:dc:9c:31:12: + ea:a7:83:6b:b1:07:2b:0e:b3:b4:8b:29:aa:dd:a5: + 02:92:d4:10:91 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:d3:50:94:c6:e1:23:7a:cd:fc:bd:09:c4:63: + 07:7a:cd:92:9c:4e:03:38:81:c7:07:07:64:23:d4:2f:d8:29: + 74:02:21:00:8c:05:f8:b4:09:c4:d6:d2:f6:29:c5:ef:58:66: + b7:a8:50:70:26:b5:c6:9c:8d:83:87:52:67:4f:35:73:3d:12 +-----BEGIN CERTIFICATE----- +MIIBGTCBv6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR4XncL +Ue5iUZfoS+DsaK2W0HpyVUJccDtTi94/cJ5nHWRWd8aIOQf53JwxEuqng2uxBysO +s7SLKardpQKS1BCRoygwJjAOBgNVHQ8BAf8EBAMCAIAwFAYDVR0gBA0wCzAJBgdn +gQwBBQEBMAoGCCqGSM49BAMCA0kAMEYCIQDTUJTG4SN6zfy9CcRjB3rNkpxOAziB +xwcHZCPUL9gpdAIhAIwF+LQJxNbS9inF71hmt6hQcCa1xpyNg4dSZ081cz0S +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ec_legacy_key_agreement_cert_sign_ku.pem b/v3/testdata/smime/ec_legacy_key_agreement_cert_sign_ku.pem new file mode 100644 index 000000000..562e5baba --- /dev/null +++ b/v3/testdata/smime/ec_legacy_key_agreement_cert_sign_ku.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:4c:54:52:a5:81:b1:08:22:25:5c:c1:7f:a2:eb: + 58:e8:25:83:6d:4f:fc:f1:19:8e:a5:dd:24:4c:9b: + 2e:9b:a8:51:f4:45:1a:71:a2:5f:f8:5d:6d:3f:ff: + d2:64:bc:ab:af:02:51:c2:63:2d:93:4b:d8:27:dd: + 52:85:e1:bc:67 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Key Agreement, Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.4.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:e3:aa:e9:d3:60:c1:86:22:2c:a4:54:84:4b: + 62:06:8b:93:74:3a:5f:38:a0:fa:09:5f:98:c9:43:22:9d:7b: + bb:02:21:00:f0:b5:4c:3a:d0:3a:0d:e5:5e:65:02:bd:79:4f: + a7:01:f9:1c:8d:ee:ac:cf:75:06:e0:6a:c4:f8:a9:15:5c:16 +-----BEGIN CERTIFICATE----- +MIIBGTCBv6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARMVFKl +gbEIIiVcwX+i61joJYNtT/zxGY6l3SRMmy6bqFH0RRpxol/4XW0//9JkvKuvAlHC +Yy2TS9gn3VKF4bxnoygwJjAOBgNVHQ8BAf8EBAMCAAwwFAYDVR0gBA0wCzAJBgdn +gQwBBQQBMAoGCCqGSM49BAMCA0kAMEYCIQDjqunTYMGGIiykVIRLYgaLk3Q6Xzig ++glfmMlDIp17uwIhAPC1TDrQOg3lXmUCvXlPpwH5HI3urM91BuBqxPipFVwW +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ec_legacy_key_agreement_encipher_only_ku.pem b/v3/testdata/smime/ec_legacy_key_agreement_encipher_only_ku.pem new file mode 100644 index 000000000..2738aa34b --- /dev/null +++ b/v3/testdata/smime/ec_legacy_key_agreement_encipher_only_ku.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:4a:88:87:8c:6a:e1:e6:58:a9:a9:49:b8:59:27: + c7:0a:2c:a0:0e:f2:20:0a:f3:df:d8:8a:f4:95:ab: + f2:34:be:60:2f:b2:1a:49:35:de:b3:5c:2c:47:2c: + 9b:43:86:91:be:00:ca:90:d5:05:70:81:b3:93:cd: + a1:ab:5b:8e:e9 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Key Agreement, Encipher Only + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:0b:e6:e9:8a:f9:ea:18:0d:71:15:fc:fa:1b:66: + 04:05:6b:d5:da:ff:2c:c1:58:a6:2a:01:ce:87:28:34:ea:b1: + 02:21:00:90:fa:f2:02:7c:96:cb:2e:2b:38:61:23:8b:eb:6c: + e6:1e:a0:d0:14:ef:8f:86:d8:48:87:42:33:0a:67:da:30 +-----BEGIN CERTIFICATE----- +MIIBGDCBv6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARKiIeM +auHmWKmpSbhZJ8cKLKAO8iAK89/YivSVq/I0vmAvshpJNd6zXCxHLJtDhpG+AMqQ +1QVwgbOTzaGrW47poygwJjAOBgNVHQ8BAf8EBAMCAAkwFAYDVR0gBA0wCzAJBgdn +gQwBBQEBMAoGCCqGSM49BAMCA0gAMEUCIAvm6Yr56hgNcRX8+htmBAVr1dr/LMFY +pioBzocoNOqxAiEAkPryAnyWyy4rOGEji+ts5h6g0BTvj4bYSIdCMwpn2jA= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ec_multipurpose_digital_signature_content_commitment_ku.pem b/v3/testdata/smime/ec_multipurpose_digital_signature_content_commitment_ku.pem new file mode 100644 index 000000000..32cd76ab8 --- /dev/null +++ b/v3/testdata/smime/ec_multipurpose_digital_signature_content_commitment_ku.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:73:ff:7f:10:2d:7c:5d:57:30:59:9d:78:13:84: + da:d5:53:32:96:0b:90:6d:1a:ec:70:9b:db:e3:92: + ea:21:62:7a:6c:b1:78:25:94:6e:ef:17:69:ba:cc: + 8a:9f:e6:29:a6:ab:a3:21:26:39:f7:d3:99:22:6d: + aa:91:ab:19:79 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.3.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:6c:ca:14:2d:0e:4f:85:16:a4:42:99:0c:02:19: + 2a:e5:82:97:8f:e8:28:a0:47:fe:e1:42:d9:4f:91:71:74:29: + 02:21:00:e0:af:27:08:cf:b3:f7:c6:9a:1d:39:11:d3:59:b3: + 6e:02:6e:24:c8:d0:56:11:96:43:e8:0b:94:3c:1e:88:eb +-----BEGIN CERTIFICATE----- +MIIBGDCBv6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARz/38Q +LXxdVzBZnXgThNrVUzKWC5BtGuxwm9vjkuohYnpssXgllG7vF2m6zIqf5immq6Mh +Jjn305kibaqRqxl5oygwJjAOBgNVHQ8BAf8EBAMCAMAwFAYDVR0gBA0wCzAJBgdn +gQwBBQMCMAoGCCqGSM49BAMCA0gAMEUCIGzKFC0OT4UWpEKZDAIZKuWCl4/oKKBH +/uFC2U+RcXQpAiEA4K8nCM+z98aaHTkR01mzbgJuJMjQVhGWQ+gLlDweiOs= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ec_multipurpose_digital_signature_key_agreement_cert_sign_ku.pem b/v3/testdata/smime/ec_multipurpose_digital_signature_key_agreement_cert_sign_ku.pem new file mode 100644 index 000000000..1a4c489e4 --- /dev/null +++ b/v3/testdata/smime/ec_multipurpose_digital_signature_key_agreement_cert_sign_ku.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:09:b6:4c:a4:44:e0:1b:34:34:12:bc:03:b0:19: + 6c:09:10:9a:11:1d:cc:d0:d5:d4:5d:c1:2f:08:40: + df:43:ad:48:d9:67:e2:c3:a3:ba:a5:d7:21:f6:e9: + 67:f2:e5:25:e8:63:ce:4b:a8:11:98:2a:34:ca:9a: + bf:e4:ed:2d:1d + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Agreement, Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.2.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:2a:83:34:80:cc:d6:7f:89:b7:99:27:47:d3:64: + bf:ad:de:db:8f:16:f4:0b:1d:e5:4f:c6:cc:40:f2:16:34:c5: + 02:21:00:9f:4e:0e:d3:1d:23:32:26:97:cb:45:d5:01:d0:02: + e6:3a:74:1d:da:92:59:72:32:2e:a8:b4:02:22:25:a8:08 +-----BEGIN CERTIFICATE----- +MIIBGDCBv6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJtkyk +ROAbNDQSvAOwGWwJEJoRHczQ1dRdwS8IQN9DrUjZZ+LDo7ql1yH26Wfy5SXoY85L +qBGYKjTKmr/k7S0doygwJjAOBgNVHQ8BAf8EBAMCAIwwFAYDVR0gBA0wCzAJBgdn +gQwBBQICMAoGCCqGSM49BAMCA0gAMEUCICqDNIDM1n+Jt5knR9Nkv63e248W9Asd +5U/GzEDyFjTFAiEAn04O0x0jMiaXy0XVAdAC5jp0HdqSWXIyLqi0AiIlqAg= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ec_multipurpose_key_agreement_decipher_only.pem b/v3/testdata/smime/ec_multipurpose_key_agreement_decipher_only.pem new file mode 100644 index 000000000..3b087b67f --- /dev/null +++ b/v3/testdata/smime/ec_multipurpose_key_agreement_decipher_only.pem 
@@ -0,0 +1,41 @@ +-------------Leaf------------- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:40:f5:fd:b3:9b:ba:a6:96:2e:9f:21:9f:99:44: + 42:ac:69:e0:bd:b3:5c:85:00:5e:3e:2d:da:28:10: + 36:2d:ec:e9:44:a2:00:e7:27:ef:b8:5e:4a:4c:ca: + eb:71:bd:eb:71:2b:4e:f8:18:5d:13:72:27:e3:e0: + 50:9e:bc:53:84 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Key Agreement, Decipher Only + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.3.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:b5:80:a3:06:a0:f7:a4:72:8b:6a:a8:9a:0b: + 60:1b:00:37:51:68:04:7f:41:0a:2e:a4:34:32:8a:df:8c:34: + f3:02:21:00:a8:e5:f6:94:a3:fb:cd:17:49:ca:d5:05:4b:83: + 4e:df:57:c4:c1:e4:8f:18:97:ad:f8:78:79:e5:2c:78:1b:fb +-----BEGIN CERTIFICATE----- +MIIBGjCBwKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARA9f2z +m7qmli6fIZ+ZREKsaeC9s1yFAF4+LdooEDYt7OlEogDnJ++4XkpMyutxvetxK074 +GF0Tcifj4FCevFOEoykwJzAPBgNVHQ8BAf8EBQMDAAiAMBQGA1UdIAQNMAswCQYH +Z4EMAQUDAjAKBggqhkjOPQQDAgNJADBGAiEAtYCjBqD3pHKLaqiaC2AbADdRaAR/ +QQoupDQyit+MNPMCIQCo5faUo/vNF0nK1QVLg07fV8TB5I8Yl634eHnlLHgb+w== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ec_multipurpose_valid_ku_august_2023.pem b/v3/testdata/smime/ec_multipurpose_valid_ku_august_2023.pem new file mode 100644 index 000000000..9943a8765 --- /dev/null +++ b/v3/testdata/smime/ec_multipurpose_valid_ku_august_2023.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Aug 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:4d:5b:ae:de:83:84:c9:94:89:6a:18:9b:91:90: + 7e:71:09:83:fd:8d:40:de:7a:75:50:c4:de:86:86: + c9:d0:7c:74:fd:96:95:0d:a1:20:1f:e5:86:f5:cf: + 16:80:0a:e2:0b:1a:a9:15:fb:d4:7b:7e:5d:c2:d4: + 88:18:fe:6e:cd + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Key Agreement, Decipher Only + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.2.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:4e:06:a2:84:86:19:8d:fb:68:a9:da:dc:59:2f: + 03:2f:a7:e5:1f:f5:d5:73:53:13:57:f2:c7:9d:a0:a9:1e:b6: + 02:21:00:cf:b9:e0:5b:4d:07:4e:56:ee:48:55:1a:3b:8a:61: + 72:1a:70:45:a4:c4:16:e3:59:89:81:4b:a8:96:04:7e:a5 +-----BEGIN CERTIFICATE----- +MIIBGTCBwKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwODAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARNW67e +g4TJlIlqGJuRkH5xCYP9jUDeenVQxN6GhsnQfHT9lpUNoSAf5Yb1zxaACuILGqkV ++9R7fl3C1IgY/m7NoykwJzAPBgNVHQ8BAf8EBQMDAAiAMBQGA1UdIAQNMAswCQYH +Z4EMAQUCAjAKBggqhkjOPQQDAgNIADBFAiBOBqKEhhmN+2ip2txZLwMvp+Uf9dVz +UxNX8sedoKketgIhAM+54FtNB05W7khVGjuKYXIacEWkxBbjWYmBS6iWBH6l +-----END CERTIFICATE----- diff --git a/v3/testdata/smime/ec_no_key_usages.pem b/v3/testdata/smime/ec_no_key_usages.pem new file mode 100644 index 000000000..f35e0c8c8 --- /dev/null +++ b/v3/testdata/smime/ec_no_key_usages.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:0a:52:2f:c4:c9:71:29:fa:16:08:93:a5:17:96: + 08:f7:9e:d0:bb:87:0d:6a:38:b4:5d:b0:55:bd:eb: + 8f:6b:6b:75:fb:41:e2:e2:c4:60:b8:13:6a:06:e0: + 80:4e:a8:cf:27:a6:7b:ff:9c:c6:b8:cf:6f:e2:7f: + 13:d2:df:6e:fa + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + .... + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:46:d7:1c:19:69:11:dc:dd:5b:ca:10:77:18:eb: + c9:8c:49:9b:a1:a9:e1:92:48:be:3d:3d:96:72:a6:74:69:bd: + 02:21:00:dc:3b:62:97:f5:15:73:d4:e3:5a:5f:60:6f:45:d4: + 10:d0:74:c8:7c:0c:d9:02:c9:65:10:14:00:a3:32:5f:14 +-----BEGIN CERTIFICATE----- +MIIBGDCBv6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQKUi/E +yXEp+hYIk6UXlgj3ntC7hw1qOLRdsFW9649ra3X7QeLixGC4E2oG4IBOqM8npnv/ +nMa4z2/ifxPS3276oygwJjAOBgNVHQ8BAf8EBAMCAAAwFAYDVR0gBA0wCzAJBgdn +gQwBBQEDMAoGCCqGSM49BAMCA0gAMEUCIEbXHBlpEdzdW8oQdxjryYxJm6Gp4ZJI +vj09lnKmdGm9AiEA3Dtil/UVc9TjWl9gb0XUENB0yHwM2QLJZRAUAKMyXxQ= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ec_strict_cert_sign_ku.pem b/v3/testdata/smime/ec_strict_cert_sign_ku.pem new file mode 100644 index 000000000..db4b71626 --- /dev/null +++ b/v3/testdata/smime/ec_strict_cert_sign_ku.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:3d:40:b7:9c:e1:16:09:bc:af:3e:03:36:03:fb: + 1e:ae:6b:80:26:fb:ef:3e:09:18:c7:1e:8c:21:2c: + 0f:b9:f9:56:54:42:aa:db:27:e2:5d:9c:16:55:47: + b3:c5:32:55:f4:12:b0:6e:ae:54:6b:00:37:81:41: + 13:a8:d2:7a:9b + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:cc:94:6e:b8:34:47:0e:ab:43:5f:fe:ac:4f: + 9a:00:fd:53:83:b9:f6:6e:27:57:98:05:42:1e:b2:9b:d3:07: + 9c:02:20:61:0c:76:51:ac:b0:1a:f2:cc:fe:e9:9e:86:13:9e: + 4e:e7:2a:58:28:53:57:c6:ca:90:6f:ea:aa:cb:99:8d:36 +-----BEGIN CERTIFICATE----- +MIIBGDCBv6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ9QLec +4RYJvK8+AzYD+x6ua4Am++8+CRjHHowhLA+5+VZUQqrbJ+JdnBZVR7PFMlX0ErBu +rlRrADeBQROo0nqboygwJjAOBgNVHQ8BAf8EBAMCAAQwFAYDVR0gBA0wCzAJBgdn +gQwBBQEDMAoGCCqGSM49BAMCA0gAMEUCIQDMlG64NEcOq0Nf/qxPmgD9U4O59m4n +V5gFQh6ym9MHnAIgYQx2UaywGvLM/umehhOeTucqWChTV8bKkG/qqsuZjTY= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ec_strict_digital_signature_cert_sign_ku.pem b/v3/testdata/smime/ec_strict_digital_signature_cert_sign_ku.pem new file mode 100644 index 000000000..17cdd3739 --- /dev/null +++ b/v3/testdata/smime/ec_strict_digital_signature_cert_sign_ku.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:b5:0d:73:12:2c:12:f1:51:51:11:2e:7d:fc:35: + e9:8a:ab:a0:6e:0e:0e:83:1f:4f:5a:a1:0a:46:43: + 42:6e:1e:c9:0b:6c:94:63:6d:4e:ff:18:aa:ab:62: + 37:05:90:80:77:b8:26:9d:32:0f:96:01:56:22:93: + 2b:4d:ad:9d:13 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:ea:15:67:d1:53:99:50:2a:e8:07:7d:21:fe: + 9c:5a:2f:fc:e4:6a:1b:85:6d:c3:86:a4:0c:4f:95:d3:bb:05: + 66:02:21:00:b9:3f:aa:d6:c5:6f:85:6b:80:bd:b0:da:a3:08: + fd:5c:44:b4:47:fe:7c:bf:a1:32:28:76:0e:72:a7:0e:e6:22 +-----BEGIN CERTIFICATE----- +MIIBGTCBv6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1DXMS +LBLxUVERLn38NemKq6BuDg6DH09aoQpGQ0JuHskLbJRjbU7/GKqrYjcFkIB3uCad +Mg+WAVYikytNrZ0ToygwJjAOBgNVHQ8BAf8EBAMCAIQwFAYDVR0gBA0wCzAJBgdn +gQwBBQEDMAoGCCqGSM49BAMCA0kAMEYCIQDqFWfRU5lQKugHfSH+nFov/ORqG4Vt +w4akDE+V07sFZgIhALk/qtbFb4VrgL2w2qMI/VxEtEf+fL+hMih2DnKnDuYi +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ec_strict_digital_signature_key_agreement_content_commitment_encipher_only_ku.pem b/v3/testdata/smime/ec_strict_digital_signature_key_agreement_content_commitment_encipher_only_ku.pem new file mode 100644 index 000000000..7163545cf --- /dev/null +++ b/v3/testdata/smime/ec_strict_digital_signature_key_agreement_content_commitment_encipher_only_ku.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:47:18:e3:c2:8c:db:72:cb:a6:eb:5e:71:7c:ec: + c9:f6:f2:87:bd:b6:18:10:c1:c6:6b:a8:12:b7:c2: + f8:54:58:7c:46:54:60:9d:94:fb:8d:68:7f:84:97: + 51:e7:f9:21:22:a6:01:98:be:cc:b4:f9:4d:a2:06: + 0e:53:25:7d:58 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Agreement, Encipher Only + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:bc:8e:23:b0:e9:0e:d3:66:3d:96:be:70:0f: + 0e:83:b5:2d:d2:2b:30:2d:89:92:26:26:1c:ea:f1:6a:39:c3: + f2:02:21:00:91:95:b1:3c:59:a9:3a:39:ab:13:ed:8b:c3:1b: + 06:e2:5f:2e:51:61:11:89:b3:be:68:db:6c:b3:bb:b4:47:ce +-----BEGIN CERTIFICATE----- +MIIBGTCBv6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARHGOPC +jNtyy6brXnF87Mn28oe9thgQwcZrqBK3wvhUWHxGVGCdlPuNaH+El1Hn+SEipgGY +vsy0+U2iBg5TJX1YoygwJjAOBgNVHQ8BAf8EBAMCAMkwFAYDVR0gBA0wCzAJBgdn +gQwBBQEDMAoGCCqGSM49BAMCA0kAMEYCIQC8jiOw6Q7TZj2WvnAPDoO1LdIrMC2J +kiYmHOrxajnD8gIhAJGVsTxZqTo5qxPti8MbBuJfLlFhEYmzvmjbbLO7tEfO +-----END CERTIFICATE----- diff --git a/v3/testdata/smime/ec_strict_key_agreement_ku.pem b/v3/testdata/smime/ec_strict_key_agreement_ku.pem new file mode 100644 index 000000000..5d16d1ff3 --- /dev/null +++ b/v3/testdata/smime/ec_strict_key_agreement_ku.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:ca:8f:61:9f:69:89:94:08:66:75:15:39:41:d4: + 8c:8b:0a:1e:67:8a:47:15:17:3e:52:c9:41:84:d3: + 0f:2f:bd:39:d6:1c:ea:cb:3e:c1:d5:ed:cb:62:82: + ef:d1:17:ea:01:ec:f9:80:67:f2:e2:6d:91:51:6a: + a9:ad:fc:82:44 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Key Agreement + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:e5:0b:63:23:64:5c:b2:7c:b6:8d:3e:c9:29: + 61:e9:a7:9e:0d:a9:b7:40:b6:e2:a0:da:47:43:53:7a:2c:0b: + 56:02:21:00:d4:8b:31:42:8e:4f:2e:96:69:b3:2a:36:c1:10: + 1d:20:80:b3:34:1c:44:9c:2f:a9:15:70:67:79:fa:bf:7f:07 +-----BEGIN CERTIFICATE----- +MIIBGTCBv6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATKj2Gf +aYmUCGZ1FTlB1IyLCh5nikcVFz5SyUGE0w8vvTnWHOrLPsHV7ctigu/RF+oB7PmA +Z/LibZFRaqmt/IJEoygwJjAOBgNVHQ8BAf8EBAMCAAgwFAYDVR0gBA0wCzAJBgdn +gQwBBQEDMAoGCCqGSM49BAMCA0kAMEYCIQDlC2MjZFyyfLaNPskpYemnng2pt0C2 +4qDaR0NTeiwLVgIhANSLMUKOTy6WabMqNsEQHSCAszQcRJwvqRVwZ3n6v38H +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ed25519_legacy_digital_signature_ku.pem b/v3/testdata/smime/ed25519_legacy_digital_signature_ku.pem new file mode 100644 index 000000000..546cbd1dd --- /dev/null +++ b/v3/testdata/smime/ed25519_legacy_digital_signature_ku.pem 
@@ -0,0 +1,35 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: ED25519 + ED25519 Public-Key: + pub: + f4:24:47:d2:35:b2:e2:25:d0:dd:10:0f:cc:7d:08: + 0e:7d:5d:87:ac:55:d3:f7:1f:ba:04:88:f9:ba:ac: + 14:ec + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.4.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:61:9d:b9:6b:8a:3b:82:2d:5e:79:06:de:1f:33: + db:81:91:79:47:0d:f7:bf:22:3f:29:4a:0f:3c:93:c6:f2:2b: + 02:20:60:09:2b:94:a2:47:26:e2:34:93:0a:17:b5:37:d6:27: + 62:a1:e7:3a:e6:c2:b1:d0:f1:57:97:9a:0e:b6:73:1b +-----BEGIN CERTIFICATE----- +MIHoMIGQoAMCAQICAQMwCgYIKoZIzj0EAwIwADAgFw0yMzA5MDIwMDAwMDBaGA85 +OTk4MTEzMDAwMDAwMFowADAqMAUGAytlcAMhAPQkR9I1suIl0N0QD8x9CA59XYes +VdP3H7oEiPm6rBTsoygwJjAOBgNVHQ8BAf8EBAMCAIAwFAYDVR0gBA0wCzAJBgdn +gQwBBQQBMAoGCCqGSM49BAMCA0cAMEQCIGGduWuKO4ItXnkG3h8z24GReUcN978i +PylKDzyTxvIrAiBgCSuUokcm4jSTChe1N9YnYqHnOubCsdDxV5eaDrZzGw== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ed25519_multipurpose_digital_signature_content_commitment_ku.pem b/v3/testdata/smime/ed25519_multipurpose_digital_signature_content_commitment_ku.pem new file mode 100644 index 000000000..bf273555a --- /dev/null +++ b/v3/testdata/smime/ed25519_multipurpose_digital_signature_content_commitment_ku.pem 
@@ -0,0 +1,35 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: ED25519 + ED25519 Public-Key: + pub: + 6f:13:3a:27:3e:c6:2d:90:56:2d:d2:2b:87:e3:b8: + dd:3f:38:34:a9:2f:85:d2:88:df:61:3c:00:0f:21: + 9a:df + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.3.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:6d:2b:85:94:9a:0a:ad:5e:ba:a5:a4:d9:75:44: + 0f:3c:e7:e5:dc:72:d4:f4:dd:ff:c0:3f:4a:37:a7:76:dd:fa: + 02:20:3f:93:af:47:ad:ed:a4:9a:90:25:0f:4b:4e:e1:1d:ff: + 99:da:31:be:af:21:26:96:e1:cc:2d:5a:b5:f5:63:81 +-----BEGIN CERTIFICATE----- +MIHoMIGQoAMCAQICAQMwCgYIKoZIzj0EAwIwADAgFw0yMzA5MDIwMDAwMDBaGA85 +OTk4MTEzMDAwMDAwMFowADAqMAUGAytlcAMhAG8TOic+xi2QVi3SK4fjuN0/ODSp +L4XSiN9hPAAPIZrfoygwJjAOBgNVHQ8BAf8EBAMCAMAwFAYDVR0gBA0wCzAJBgdn +gQwBBQMCMAoGCCqGSM49BAMCA0cAMEQCIG0rhZSaCq1euqWk2XVEDzzn5dxy1PTd +/8A/Sjendt36AiA/k69Hre2kmpAlD0tO4R3/mdoxvq8hJpbhzC1atfVjgQ== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ed25519_strict_cert_sign_ku.pem b/v3/testdata/smime/ed25519_strict_cert_sign_ku.pem new file mode 100644 index 000000000..bd780e4df --- /dev/null +++ b/v3/testdata/smime/ed25519_strict_cert_sign_ku.pem 
@@ -0,0 +1,35 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: ED25519 + ED25519 Public-Key: + pub: + 8e:84:60:a0:37:68:cc:d1:3b:d3:76:1d:7b:a6:f0: + 2f:ac:0c:2c:02:34:09:82:c0:bb:7d:8d:5a:3e:f1: + b6:b5 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:38:6b:11:7c:8d:02:f7:4c:a1:2c:f1:17:5b:d7: + 94:ca:2b:b7:1c:45:41:2a:b8:24:24:d7:e7:6a:4a:f3:92:ba: + 02:21:00:f3:bd:82:28:8f:e7:cf:c7:1e:bf:c0:a7:cf:ac:5d: + 29:3d:a0:fb:e9:6e:ed:12:4a:97:62:57:c8:f7:a9:56:c6 +-----BEGIN CERTIFICATE----- +MIHpMIGQoAMCAQICAQMwCgYIKoZIzj0EAwIwADAgFw0yMzA5MDIwMDAwMDBaGA85 +OTk4MTEzMDAwMDAwMFowADAqMAUGAytlcAMhAI6EYKA3aMzRO9N2HXum8C+sDCwC +NAmCwLt9jVo+8ba1oygwJjAOBgNVHQ8BAf8EBAMCAAQwFAYDVR0gBA0wCzAJBgdn +gQwBBQEDMAoGCCqGSM49BAMCA0gAMEUCIDhrEXyNAvdMoSzxF1vXlMortxxFQSq4 +JCTX52pK85K6AiEA872CKI/nz8cev8Cnz6xdKT2g++lu7RJKl2JXyPepVsY= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/ed25519_strict_valid_ku_august_2023.pem b/v3/testdata/smime/ed25519_strict_valid_ku_august_2023.pem new file mode 100644 index 000000000..c675425d6 --- /dev/null +++ b/v3/testdata/smime/ed25519_strict_valid_ku_august_2023.pem 
@@ -0,0 +1,35 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Aug 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: ED25519 + ED25519 Public-Key: + pub: + 83:35:c0:30:2d:14:8f:d7:54:2f:c0:a2:79:6c:eb: + b6:95:08:a1:c1:8d:cf:d6:2c:67:ee:11:dd:58:64: + 8d:a8 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:06:a7:70:b0:d1:e6:32:50:ba:e3:76:b6:ff:c0: + af:c1:77:03:4a:f0:33:7c:10:46:e8:d5:d3:b9:c7:cc:5b:fc: + 02:21:00:fd:a0:cf:6a:aa:7c:32:76:b0:fa:1c:d7:e4:e9:ad: + 0a:03:e1:24:83:ae:e0:19:12:76:9e:19:5b:18:cd:d7:9b +-----BEGIN CERTIFICATE----- +MIHpMIGQoAMCAQICAQMwCgYIKoZIzj0EAwIwADAgFw0yMzA4MDIwMDAwMDBaGA85 +OTk4MTEzMDAwMDAwMFowADAqMAUGAytlcAMhAIM1wDAtFI/XVC/Aonls67aVCKHB +jc/WLGfuEd1YZI2ooygwJjAOBgNVHQ8BAf8EBAMCAMAwFAYDVR0gBA0wCzAJBgdn +gQwBBQEDMAoGCCqGSM49BAMCA0gAMEUCIAancLDR5jJQuuN2tv/Ar8F3A0rwM3wQ +RujV07nHzFv8AiEA/aDPaqp8Mnaw+hzX5OmtCgPhJIOu4BkSdp4ZWxjN15s= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_legacy_digital_signature_cert_sign_ku.pem b/v3/testdata/smime/rsa_legacy_digital_signature_cert_sign_ku.pem new file mode 100644 index 000000000..7b358a16d --- /dev/null +++ b/v3/testdata/smime/rsa_legacy_digital_signature_cert_sign_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:af:a0:45:57:c3:db:83:d8:3b:3a:2b:bf:21:2b: + c3:ba:ec:ef:15:66:56:57:63:ab:cf:da:21:db:db: + 94:82:46:90:45:cc:57:a2:10:1c:21:bc:b9:b7:87: + 4b:dc:d3:df:19:41:dd:8a:43:ac:95:41:02:40:95: + 0c:8f:f3:d1:8e:3a:03:4f:67:d5:a2:95:11:76:2d: + 19:5d:4a:c9:b4:99:73:c0:87:dd:c8:c1:ab:80:bf: + a5:5e:7a:a3:b7:68:a7:8e:94:54:57:8f:f9:2c:e8: + 9b:fb:c8:68:7b:1b:59:66:96:13:fe:f0:09:ea:58: + 0b:5f:7b:e7:6d:ea:02:b8:9e:32:dd:1d:80:6d:2a: + 74:46:e0:cd:aa:b8:75:51:49:e6:a3:45:9e:18:8e: + fa:b0:f0:5a:59:d1:bf:ef:10:fd:17:ad:3b:c9:57: + 58:3b:b3:d2:b8:8d:f2:9e:73:ee:93:70:78:40:ad: + 20:98:3c:6e:62:7c:b2:f7:70:de:7f:15:d7:06:21: + 01:fc:6c:14:3f:69:58:ea:bd:f8:71:a1:57:88:25: + e3:a4:a9:4b:52:3b:df:3d:8e:94:b1:6f:a2:84:e9: + e1:1d:9f:05:e5:9e:20:2d:95:22:a0:4f:ec:6c:b9: + ab:d5:ec:5e:8f:a3:c2:bf:af:1d:2b:5d:00:5e:66: + b7:37 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.3.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:ec:b2:ef:8f:85:3b:c9:da:6c:28:43:22:8f: + 07:de:75:43:4e:c5:1e:d8:81:1f:50:36:07:9f:1b:b1:e4:00: + 5a:02:21:00:db:19:bf:1e:89:a0:f2:8a:ce:b7:b2:b5:c5:61: + 08:e0:2d:7e:1c:b3:59:a2:4b:65:3a:fa:6c:58:17:da:ef:61 +-----BEGIN CERTIFICATE----- +MIIB5TCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAr6BFV8Pbg9g7Oiu/ISvDuuzvFWZWV2Orz9oh29uUgkaQRcxXohAcIby5t4dL +3NPfGUHdikOslUECQJUMj/PRjjoDT2fVopURdi0ZXUrJtJlzwIfdyMGrgL+lXnqj +t2injpRUV4/5LOib+8hoextZZpYT/vAJ6lgLX3vnbeoCuJ4y3R2AbSp0RuDNqrh1 
+UUnmo0WeGI76sPBaWdG/7xD9F607yVdYO7PSuI3ynnPuk3B4QK0gmDxuYnyy93De +fxXXBiEB/GwUP2lY6r34caFXiCXjpKlLUjvfPY6UsW+ihOnhHZ8F5Z4gLZUioE/s +bLmr1exej6PCv68dK10AXma3NwIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAIQwFAYD +VR0gBA0wCzAJBgdngQwBBQMBMAoGCCqGSM49BAMCA0kAMEYCIQDssu+PhTvJ2mwo +QyKPB951Q07FHtiBH1A2B58bseQAWgIhANsZvx6JoPKKzreytcVhCOAtfhyzWaJL +ZTr6bFgX2u9h +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_legacy_digital_signature_key_encipherment_cert_sign_ku.pem b/v3/testdata/smime/rsa_legacy_digital_signature_key_encipherment_cert_sign_ku.pem new file mode 100644 index 000000000..205212a84 --- /dev/null +++ b/v3/testdata/smime/rsa_legacy_digital_signature_key_encipherment_cert_sign_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:dc:c3:cf:83:4f:1e:1d:b7:4e:66:6e:15:82:99: + d2:7b:b4:0b:da:b2:0c:e6:c7:34:92:c7:74:6d:b4: + c9:52:34:1a:0e:0c:90:4f:7d:21:e4:c5:0a:d9:93: + 1f:b1:2d:82:70:30:80:83:4a:e9:10:a0:ca:45:53: + a4:f9:cf:47:3a:88:e9:9b:49:c1:1b:8e:be:de:f7: + 0a:4a:71:ae:e4:be:f4:dd:3b:8a:4f:58:99:59:01: + b8:f1:76:30:28:a0:9e:0b:13:7e:fc:0c:0e:86:9d: + 12:05:ad:6d:5e:43:44:ed:0a:e2:54:e1:9b:b9:db: + 06:76:fc:dc:35:de:2d:5f:0f:db:8b:fa:db:e0:a2: + bd:7f:a9:10:d5:18:8b:2d:ac:67:1c:63:72:8a:9c: + e8:aa:4f:e4:e8:79:96:ec:df:fc:60:f1:16:93:7f: + 59:a2:0b:0a:8e:69:1e:73:44:20:56:9c:72:97:ed: + b5:56:60:4c:9d:09:de:f8:8a:35:9c:6b:de:db:86: + 04:af:c8:39:33:85:0e:55:f9:ee:2b:6d:82:2e:1e: + 21:3e:a6:21:4a:fd:6e:6e:28:be:2d:6d:3e:5e:f7: + fe:d5:b4:35:5d:19:eb:74:c8:d5:5b:39:5e:1b:e8: + b0:93:f7:8a:6c:91:26:a0:d0:a3:ad:ad:85:dd:39: + 5d:9f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:50:f2:96:36:3a:7b:4d:46:eb:7a:cf:3c:6a:80: + 74:67:04:56:85:ee:08:0e:ba:cc:47:bc:49:65:27:5f:80:c2: + 02:20:2d:bf:56:45:e4:11:88:4e:6c:09:58:52:1d:7c:92:d7: + 2d:a8:28:b1:63:52:e4:3f:9c:e5:1e:c5:52:ed:96:ee +-----BEGIN CERTIFICATE----- +MIIB4zCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA3MPPg08eHbdOZm4VgpnSe7QL2rIM5sc0ksd0bbTJUjQaDgyQT30h5MUK2ZMf +sS2CcDCAg0rpEKDKRVOk+c9HOojpm0nBG46+3vcKSnGu5L703TuKT1iZWQG48XYw +KKCeCxN+/AwOhp0SBa1tXkNE7QriVOGbudsGdvzcNd4tXw/bi/rb4KK9f6kQ1RiL 
+LaxnHGNyipzoqk/k6HmW7N/8YPEWk39ZogsKjmkec0QgVpxyl+21VmBMnQne+Io1 +nGve24YEr8g5M4UOVfnuK22CLh4hPqYhSv1ubii+LW0+Xvf+1bQ1XRnrdMjVWzle +G+iwk/eKbJEmoNCjra2F3TldnwIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAKQwFAYD +VR0gBA0wCzAJBgdngQwBBQEBMAoGCCqGSM49BAMCA0cAMEQCIFDyljY6e01G63rP +PGqAdGcEVoXuCA66zEe8SWUnX4DCAiAtv1ZF5BGITmwJWFIdfJLXLagosWNS5D+c +5R7FUu2W7g== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_legacy_digital_signature_key_encipherment_content_commitment_data_encipherment_ku.pem b/v3/testdata/smime/rsa_legacy_digital_signature_key_encipherment_content_commitment_data_encipherment_ku.pem new file mode 100644 index 000000000..6124dba6d --- /dev/null +++ b/v3/testdata/smime/rsa_legacy_digital_signature_key_encipherment_content_commitment_data_encipherment_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c7:fa:f2:92:71:49:4d:43:0a:ba:3b:e2:60:05: + 40:59:b4:78:97:49:15:0d:f4:c8:ba:07:17:a0:99: + 88:fd:b6:30:1c:73:a4:80:c5:43:da:96:69:66:a4: + 3c:af:db:36:1f:85:db:f1:4c:a7:b1:3c:d8:b7:57: + cd:20:8d:b6:bf:90:cf:c6:89:fd:e1:e2:48:2e:7f: + be:81:87:75:48:77:cc:d1:ee:f8:d9:56:f8:f2:73: + c5:b3:a3:df:0f:b2:df:e9:97:39:dd:7e:34:32:b5: + 63:db:0d:1b:aa:fc:72:6e:36:29:bb:da:9e:56:54: + bb:72:ff:c6:a4:b8:b5:32:d1:98:c3:8d:6c:06:85: + 03:c9:71:40:fb:64:be:c2:93:f7:b7:2c:7b:37:e9: + 40:20:3c:a0:7d:ba:ba:c4:ac:17:4e:f1:12:e4:1a: + f0:95:48:27:c3:b1:f3:51:35:f6:2d:40:50:83:8b: + fc:32:03:33:0d:4a:66:2d:65:d0:ef:95:bf:fe:75: + 4d:13:b9:5e:2e:3d:ae:97:d1:39:73:23:f9:ba:48: + 19:4f:49:3c:3b:81:48:f7:39:59:1b:c5:41:3c:e2: + cf:bf:0f:5e:a4:c9:5a:ee:37:27:67:26:12:46:4a: + 2e:7f:09:ef:ad:ca:f5:d9:ea:3a:bc:5b:43:af:ec: + 83:d3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.3.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:53:ad:0e:19:fa:8d:60:43:79:31:68:81:4a:fc: + 04:65:9c:dc:6e:3b:d1:50:df:59:ba:eb:f6:7d:a8:6f:23:fa: + 02:21:00:cb:46:68:e2:ba:d9:7c:90:65:03:cf:d5:da:46:55: + cd:82:5e:1f:8d:6e:67:d4:89:02:b0:4d:1a:13:cc:7b:03 +-----BEGIN CERTIFICATE----- +MIIB5DCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAx/ryknFJTUMKujviYAVAWbR4l0kVDfTIugcXoJmI/bYwHHOkgMVD2pZpZqQ8 +r9s2H4Xb8UynsTzYt1fNII22v5DPxon94eJILn++gYd1SHfM0e742Vb48nPFs6Pf +D7Lf6Zc53X40MrVj2w0bqvxybjYpu9qeVlS7cv/GpLi1MtGYw41sBoUDyXFA+2S+ 
+wpP3tyx7N+lAIDygfbq6xKwXTvES5BrwlUgnw7HzUTX2LUBQg4v8MgMzDUpmLWXQ +75W//nVNE7leLj2ul9E5cyP5ukgZT0k8O4FI9zlZG8VBPOLPvw9epMla7jcnZyYS +Rkoufwnvrcr12eo6vFtDr+yD0wIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAPAwFAYD +VR0gBA0wCzAJBgdngQwBBQMBMAoGCCqGSM49BAMCA0gAMEUCIFOtDhn6jWBDeTFo +gUr8BGWc3G470VDfWbrr9n2obyP6AiEAy0Zo4rrZfJBlA8/V2kZVzYJeH41uZ9SJ +ArBNGhPMewM= +-----END CERTIFICATE----- diff --git a/v3/testdata/smime/rsa_legacy_digital_signature_ku.pem b/v3/testdata/smime/rsa_legacy_digital_signature_ku.pem new file mode 100644 index 000000000..fc5246de3 --- /dev/null +++ b/v3/testdata/smime/rsa_legacy_digital_signature_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b4:b0:1a:fd:58:b9:0b:d8:ef:00:aa:26:97:80: + 1d:d1:22:23:83:fd:3b:c7:ab:df:11:9f:b6:02:a7: + 16:3c:d4:f8:d8:5c:90:ee:60:0f:f7:03:4d:19:2a: + fe:ec:fe:f9:47:2e:06:69:15:a6:15:e9:ea:e4:bf: + 3c:c1:5d:e1:96:53:1f:82:d1:b7:ea:b2:18:c5:16: + 97:0a:ea:9b:f4:1e:bd:11:48:d8:05:8a:46:05:84: + 97:2e:a6:6a:e5:3f:b9:a9:db:d3:b4:ee:c0:28:51: + 93:09:8d:77:56:e5:f3:67:a2:db:17:14:50:a4:39: + 9f:f1:9a:3a:56:e8:62:c3:14:fa:6d:96:ea:68:24: + a1:6c:a9:85:f7:d5:b7:cc:d6:9e:fa:3a:19:27:70: + a4:32:a2:dd:75:f6:e2:4c:6b:7a:7b:fa:33:79:ee: + 42:cf:b8:1c:bc:f3:7b:19:92:e1:9e:37:de:b1:2b: + c3:f7:b7:d0:db:5e:45:b0:a0:4f:b2:69:81:79:2e: + 50:55:c0:1c:46:96:f9:6b:7d:65:c5:c8:cf:90:e2: + a5:3c:1d:ef:55:8e:0f:dc:5e:31:b3:88:c9:c3:c3: + 21:c6:16:12:ec:d1:08:2b:a1:65:21:9b:eb:a0:8e: + 65:f3:70:00:1a:66:a9:f3:74:39:ba:56:9d:df:9b: + b5:35 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.2.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:e5:37:ca:43:22:4a:96:c9:7c:77:fc:a2:83: + 26:a6:81:fd:5a:2a:b4:f2:3e:d9:73:04:c2:7b:05:26:55:d3: + ee:02:21:00:a1:a0:d2:4d:74:b2:d6:7b:08:b1:b0:35:d8:12: + 4b:29:05:b0:19:b6:33:a5:a5:65:bd:1a:38:33:51:95:43:07 +-----BEGIN CERTIFICATE----- +MIIB5TCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAtLAa/Vi5C9jvAKoml4Ad0SIjg/07x6vfEZ+2AqcWPNT42FyQ7mAP9wNNGSr+ +7P75Ry4GaRWmFenq5L88wV3hllMfgtG36rIYxRaXCuqb9B69EUjYBYpGBYSXLqZq +5T+5qdvTtO7AKFGTCY13VuXzZ6LbFxRQpDmf8Zo6VuhiwxT6bZbqaCShbKmF99W3 
+zNae+joZJ3CkMqLddfbiTGt6e/ozee5Cz7gcvPN7GZLhnjfesSvD97fQ215FsKBP +smmBeS5QVcAcRpb5a31lxcjPkOKlPB3vVY4P3F4xs4jJw8MhxhYS7NEIK6FlIZvr +oI5l83AAGmap83Q5ulad35u1NQIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAIAwFAYD +VR0gBA0wCzAJBgdngQwBBQIBMAoGCCqGSM49BAMCA0kAMEYCIQDlN8pDIkqWyXx3 +/KKDJqaB/VoqtPI+2XMEwnsFJlXT7gIhAKGg0k10stZ7CLGwNdgSSykFsBm2M6Wl +Zb0aODNRlUMH +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_legacy_key_encipherment_ku.pem b/v3/testdata/smime/rsa_legacy_key_encipherment_ku.pem new file mode 100644 index 000000000..33ef3e69b --- /dev/null +++ b/v3/testdata/smime/rsa_legacy_key_encipherment_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a8:2b:63:d1:76:68:8a:54:83:6f:89:e9:e8:c2: + f5:bd:78:c8:d6:d7:ca:a1:52:c1:93:5b:ff:29:5c: + 54:d0:6c:30:48:62:f8:07:59:1f:38:c0:6b:84:5b: + 75:8e:e7:55:6e:b1:d5:93:8b:e0:e8:44:33:74:85: + cb:60:89:32:92:1f:53:a7:64:31:f0:9f:a0:77:cd: + 95:14:af:a8:a0:d8:93:96:05:9e:00:a3:f5:b7:0b: + c0:d0:ce:ef:60:78:32:6b:9a:ad:f9:69:50:cb:66: + 7d:06:76:74:0a:ef:d1:7a:1a:40:28:eb:5c:a8:21: + 81:90:66:dc:bd:cc:cb:63:4a:60:07:38:f5:83:da: + 92:d6:02:e1:ef:a0:46:31:8d:3c:15:23:2e:54:34: + 30:f7:d7:fb:37:d1:9c:43:a9:88:56:34:77:d4:8b: + d0:0e:a5:eb:8c:b2:8a:e2:20:47:9d:f7:92:f1:52: + f1:fe:18:26:5f:8a:48:44:e5:c0:16:6e:4f:c8:53: + 94:16:7e:15:98:5d:26:33:b4:63:bd:f4:ed:21:d1: + 50:e6:63:5c:06:99:3c:cc:7e:69:40:73:53:52:a5: + 60:3e:67:1d:dd:8e:6a:da:48:98:8a:cc:a0:fa:05: + 8b:18:b4:7d:b9:4a:df:52:55:95:78:cb:ab:61:62: + ca:4b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Key Encipherment + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.2.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:e1:10:bb:07:b5:9b:d9:e5:c1:b2:4d:a6:29: + ec:5d:b9:2b:a2:5e:9f:9a:5b:a1:0d:d9:76:df:59:ff:b9:ef: + f3:02:21:00:97:9c:7d:33:f7:d5:83:b0:24:d1:b3:c8:4d:cd: + c6:84:d9:62:2a:f4:68:89:98:18:37:9e:4f:e7:3e:e7:bc:04 +-----BEGIN CERTIFICATE----- +MIIB5TCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAqCtj0XZoilSDb4np6ML1vXjI1tfKoVLBk1v/KVxU0GwwSGL4B1kfOMBrhFt1 +judVbrHVk4vg6EQzdIXLYIkykh9Tp2Qx8J+gd82VFK+ooNiTlgWeAKP1twvA0M7v +YHgya5qt+WlQy2Z9BnZ0Cu/RehpAKOtcqCGBkGbcvczLY0pgBzj1g9qS1gLh76BG 
+MY08FSMuVDQw99f7N9GcQ6mIVjR31IvQDqXrjLKK4iBHnfeS8VLx/hgmX4pIROXA +Fm5PyFOUFn4VmF0mM7RjvfTtIdFQ5mNcBpk8zH5pQHNTUqVgPmcd3Y5q2kiYisyg ++gWLGLR9uUrfUlWVeMurYWLKSwIDAQABoygwJjAOBgNVHQ8BAf8EBAMCACAwFAYD +VR0gBA0wCzAJBgdngQwBBQIBMAoGCCqGSM49BAMCA0kAMEYCIQDhELsHtZvZ5cGy +TaYp7F25K6Jen5pboQ3Zdt9Z/7nv8wIhAJecfTP31YOwJNGzyE3NxoTZYir0aImY +GDeeT+c+57wE +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_multipurpose_cert_sign_ku.pem b/v3/testdata/smime/rsa_multipurpose_cert_sign_ku.pem new file mode 100644 index 000000000..9caa707e2 --- /dev/null +++ b/v3/testdata/smime/rsa_multipurpose_cert_sign_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d1:13:ce:56:9f:0b:43:da:07:e0:56:87:69:37: + 31:51:d8:56:15:33:96:da:8e:67:c7:68:f6:68:a5: + 75:d5:de:14:78:81:8e:84:a3:6c:1f:f9:58:44:ea: + 27:cf:b1:d9:87:14:68:18:29:50:8b:75:2a:42:9c: + 98:1d:ed:85:6f:14:fc:99:85:70:6f:72:c2:a1:e5: + 75:83:90:dd:74:0c:ca:b9:49:a3:25:ae:49:ad:1f: + fc:6a:86:1b:cc:8a:e8:53:a6:e7:1f:14:36:48:3c: + f4:fa:d3:49:f8:2c:52:a4:bd:d0:78:3f:a8:8f:90: + 00:3b:96:70:87:c4:ee:f9:32:b4:64:99:3c:76:83: + d8:a7:01:20:1d:7e:79:a7:ac:a5:e5:d6:3b:86:47: + e8:24:b3:be:fd:65:4c:8e:ef:d6:78:fd:78:9a:9d: + 8a:6f:f4:49:6c:43:d4:92:9d:a3:00:61:9c:78:7d: + 8d:07:c2:e4:42:79:21:d5:4c:e7:07:ac:2a:6d:1b: + 7f:04:aa:b6:20:7c:61:b4:b3:d9:64:cd:ae:a4:96: + f5:0c:4f:79:ab:b1:bd:85:e8:f5:83:63:7c:7e:5f: + 68:f7:6d:0d:af:90:6c:5f:53:d4:5c:14:e5:20:d9: + bb:4a:81:a2:80:b4:7d:45:32:f1:b5:65:29:37:e8: + 43:cd + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:2c:48:d6:16:5b:fe:db:2c:a9:a9:b1:4b:3e:d6: + 79:8e:e4:ff:45:35:93:20:b8:fa:89:5f:0d:00:80:ba:e7:23: + 02:21:00:ac:cc:8f:9b:28:ee:d7:22:1e:e4:37:fc:b0:86:97: + f0:53:ec:a2:da:86:9c:4b:33:af:de:9d:39:4b:d6:b0:0b +-----BEGIN CERTIFICATE----- +MIIB5DCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA0RPOVp8LQ9oH4FaHaTcxUdhWFTOW2o5nx2j2aKV11d4UeIGOhKNsH/lYROon +z7HZhxRoGClQi3UqQpyYHe2FbxT8mYVwb3LCoeV1g5DddAzKuUmjJa5JrR/8aoYb +zIroU6bnHxQ2SDz0+tNJ+CxSpL3QeD+oj5AAO5Zwh8Tu+TK0ZJk8doPYpwEgHX55 
+p6yl5dY7hkfoJLO+/WVMju/WeP14mp2Kb/RJbEPUkp2jAGGceH2NB8LkQnkh1Uzn +B6wqbRt/BKq2IHxhtLPZZM2upJb1DE95q7G9hej1g2N8fl9o920Nr5BsX1PUXBTl +INm7SoGigLR9RTLxtWUpN+hDzQIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAAQwFAYD +VR0gBA0wCzAJBgdngQwBBQECMAoGCCqGSM49BAMCA0gAMEUCICxI1hZb/tssqamx +Sz7WeY7k/0U1kyC4+olfDQCAuucjAiEArMyPmyju1yIe5Df8sIaX8FPsotqGnEsz +r96dOUvWsAs= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_multipurpose_digital_signature_content_commitment_ku.pem b/v3/testdata/smime/rsa_multipurpose_digital_signature_content_commitment_ku.pem new file mode 100644 index 000000000..990da54d3 --- /dev/null +++ b/v3/testdata/smime/rsa_multipurpose_digital_signature_content_commitment_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:9a:4d:a0:dc:96:72:37:99:54:08:c9:3b:c8:78: + 5f:a6:ff:4a:95:e4:6c:28:24:76:20:65:69:b9:5e: + d9:5f:2a:89:f1:e9:18:3b:03:67:9c:bb:a8:21:15: + 2b:1f:35:83:8c:1a:04:50:92:b2:21:0a:7d:74:13: + 14:b3:aa:b4:ff:91:7e:34:0c:5d:b1:96:3b:e5:65: + 5a:65:09:5e:55:95:08:e6:b0:be:7b:9b:f4:fe:16: + d7:e4:c0:0a:a5:f6:84:aa:09:41:57:1f:79:91:fc: + fd:a9:e3:80:87:c2:fc:5e:51:74:39:15:e7:ca:e5: + 29:a0:3d:5e:98:26:e3:73:dc:0a:bb:f4:12:6f:4e: + f0:19:b6:82:40:c5:7f:4b:79:f6:d1:d7:44:f6:17: + f9:4d:01:36:b0:eb:6c:6b:96:74:18:cf:30:17:03: + 81:68:80:9a:8a:d5:83:9e:57:b8:69:94:d2:d6:03: + 93:38:67:51:eb:6e:bd:c5:17:05:b9:d7:0c:e3:6b: + 0f:fe:41:02:fb:19:1b:fb:0d:5b:6d:ee:21:6e:4c: + 1b:6d:51:c1:4b:b4:b2:66:dc:1a:67:4b:db:a4:ba: + 6a:9c:ad:d9:db:ec:87:7a:c3:73:da:7c:a9:12:62: + 5f:2d:64:59:b3:f7:9a:07:40:68:9a:95:b4:1a:fb: + 79:03 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:8d:16:49:a8:b0:84:66:e0:fd:59:4e:c5:c2: + 9f:51:c1:b8:53:ea:28:ed:e5:98:09:c1:67:ea:ec:90:90:05: + b1:02:20:46:fb:f8:7b:e1:48:15:ec:c3:54:6d:3f:56:65:bb: + e9:7a:50:0c:39:08:31:c9:9c:a3:f6:63:63:57:ec:a4:f8 +-----BEGIN CERTIFICATE----- +MIIB5DCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAmk2g3JZyN5lUCMk7yHhfpv9KleRsKCR2IGVpuV7ZXyqJ8ekYOwNnnLuoIRUr +HzWDjBoEUJKyIQp9dBMUs6q0/5F+NAxdsZY75WVaZQleVZUI5rC+e5v0/hbX5MAK +pfaEqglBVx95kfz9qeOAh8L8XlF0ORXnyuUpoD1emCbjc9wKu/QSb07wGbaCQMV/ 
+S3n20ddE9hf5TQE2sOtsa5Z0GM8wFwOBaICaitWDnle4aZTS1gOTOGdR6269xRcF +udcM42sP/kEC+xkb+w1bbe4hbkwbbVHBS7SyZtwaZ0vbpLpqnK3Z2+yHesNz2nyp +EmJfLWRZs/eaB0BompW0Gvt5AwIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAMAwFAYD +VR0gBA0wCzAJBgdngQwBBQECMAoGCCqGSM49BAMCA0gAMEUCIQCNFkmosIRm4P1Z +TsXCn1HBuFPqKO3lmAnBZ+rskJAFsQIgRvv4e+FIFezDVG0/VmW76XpQDDkIMcmc +o/ZjY1fspPg= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_multipurpose_key_encipherment_cert_sign_ku.pem b/v3/testdata/smime/rsa_multipurpose_key_encipherment_cert_sign_ku.pem new file mode 100644 index 000000000..3ad253fb7 --- /dev/null +++ b/v3/testdata/smime/rsa_multipurpose_key_encipherment_cert_sign_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:df:c6:cd:ba:60:f4:bc:b2:e9:da:5f:9a:a8:d3: + 56:e7:e2:97:8d:95:c9:57:32:37:9f:30:06:09:55: + be:48:27:7c:95:71:7c:de:ea:b4:64:2a:42:3d:28: + 99:e7:82:00:6c:04:25:a9:24:24:d4:d3:54:71:81: + 5e:5c:02:48:4c:ea:3e:b1:71:b9:09:a6:66:25:52: + 4a:44:4e:ba:90:bc:ad:39:03:cd:f8:c1:8e:6e:a7: + ae:cc:d9:b1:3d:6d:db:ce:b8:a1:c4:4f:0a:f3:ae: + a9:22:5e:d7:c7:7e:a2:58:32:d8:3c:84:17:ac:5f: + 18:5e:e9:7c:17:5d:93:53:da:de:33:5a:65:66:1c: + 01:74:6c:11:51:9e:ac:a6:df:36:4b:5a:16:15:3c: + 94:93:1a:0f:c9:c4:d2:ae:06:96:cc:64:bb:cd:39: + 6a:0c:ba:93:53:e0:06:44:a5:39:f7:d8:29:5b:e2: + 0f:04:b9:32:c0:c4:b1:99:b7:72:4e:74:61:fa:65: + aa:95:6f:86:e9:7d:00:05:ec:f7:45:de:49:7f:98: + 60:d6:5a:af:e3:2f:f8:b2:92:21:30:57:33:d5:48: + d0:b8:96:59:68:e1:f2:fd:3e:c8:fc:70:64:5b:34: + 65:41:c9:47:e2:20:7f:d4:91:4c:5d:f3:d2:5d:6b: + ea:e3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Key Encipherment, Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:43:02:20:4d:8d:e7:c7:6a:aa:99:13:f0:86:f4:4c:c9:8b: + d8:42:ea:b8:04:8e:49:9f:c7:40:78:b9:e7:73:50:e9:ac:ee: + 02:1f:6e:9b:79:23:20:36:81:32:75:26:18:22:3d:e9:fe:ad: + a7:80:3e:ed:14:b5:68:bf:36:95:01:b5:f2:54:47 +-----BEGIN CERTIFICATE----- +MIIB4jCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA38bNumD0vLLp2l+aqNNW5+KXjZXJVzI3nzAGCVW+SCd8lXF83uq0ZCpCPSiZ +54IAbAQlqSQk1NNUcYFeXAJITOo+sXG5CaZmJVJKRE66kLytOQPN+MGObqeuzNmx +PW3bzrihxE8K866pIl7Xx36iWDLYPIQXrF8YXul8F12TU9reM1plZhwBdGwRUZ6s 
+pt82S1oWFTyUkxoPycTSrgaWzGS7zTlqDLqTU+AGRKU599gpW+IPBLkywMSxmbdy +TnRh+mWqlW+G6X0ABez3Rd5Jf5hg1lqv4y/4spIhMFcz1UjQuJZZaOHy/T7I/HBk +WzRlQclH4iB/1JFMXfPSXWvq4wIDAQABoygwJjAOBgNVHQ8BAf8EBAMCACQwFAYD +VR0gBA0wCzAJBgdngQwBBQECMAoGCCqGSM49BAMCA0YAMEMCIE2N58dqqpkT8Ib0 +TMmL2ELquASOSZ/HQHi553NQ6azuAh9um3kjIDaBMnUmGCI96f6tp4A+7RS1aL82 +lQG18lRH +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_multipurpose_key_encipherment_data_encipherment_ku.pem b/v3/testdata/smime/rsa_multipurpose_key_encipherment_data_encipherment_ku.pem new file mode 100644 index 000000000..d828406e4 --- /dev/null +++ b/v3/testdata/smime/rsa_multipurpose_key_encipherment_data_encipherment_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c9:22:44:ae:d2:bc:ae:2c:03:55:c3:c7:91:e2: + fb:5a:06:eb:26:ca:c2:b3:b5:d4:ad:15:08:1d:4e: + 15:15:66:9f:12:f5:93:f2:29:0a:8d:a6:bb:74:23: + 0c:99:c8:62:d7:9c:a5:e3:91:19:d3:26:a4:b2:db: + d9:0a:d2:91:03:01:cd:c9:b1:4f:5c:a0:3e:c2:a1: + 03:28:e3:23:8e:3f:9d:72:20:73:4f:97:af:25:e5: + e6:c1:ed:31:6e:e7:b3:11:2a:71:d0:a6:da:ea:10: + 56:82:83:b6:8c:a9:39:31:43:fd:bc:39:09:ca:21: + c9:43:57:28:06:49:f5:b4:b3:50:42:95:d5:9b:fd: + e6:f7:51:0d:77:7b:cd:d1:d9:8a:d6:c8:1e:b3:be: + 0e:df:85:13:82:ed:29:c2:4d:01:92:22:f8:ff:ef: + f3:d8:10:45:50:c1:3e:10:63:2d:ad:78:cf:fb:4f: + df:08:0a:86:10:62:ff:8d:d0:77:78:e8:6a:1a:b4: + c1:5a:32:28:41:fe:b5:a2:92:df:12:54:25:fd:a9: + bd:84:fc:13:45:2e:fa:cb:50:88:52:74:a6:19:3c: + e2:64:0c:a1:40:15:b9:e6:18:47:16:1c:5d:62:f4: + f6:c9:7d:6b:47:fb:dc:17:1e:1e:0d:24:28:41:f8: + 18:61 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Key Encipherment, Data Encipherment + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:9c:47:22:9d:bd:0d:6c:ed:ed:96:96:2b:1e: + 8f:b2:02:7d:1b:0b:99:aa:b3:72:a7:8a:71:83:e8:a9:22:bb: + dd:02:21:00:f5:d2:f0:30:04:0e:f9:41:d5:17:21:e1:41:ec: + d6:57:62:c5:f5:fb:e1:88:9a:47:ea:6d:bd:5e:f2:a3:a4:6a +-----BEGIN CERTIFICATE----- +MIIB5TCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAySJErtK8riwDVcPHkeL7WgbrJsrCs7XUrRUIHU4VFWafEvWT8ikKjaa7dCMM +mchi15yl45EZ0yakstvZCtKRAwHNybFPXKA+wqEDKOMjjj+dciBzT5evJeXmwe0x +buezESpx0Kba6hBWgoO2jKk5MUP9vDkJyiHJQ1coBkn1tLNQQpXVm/3m91ENd3vN 
+0dmK1sges74O34UTgu0pwk0BkiL4/+/z2BBFUME+EGMtrXjP+0/fCAqGEGL/jdB3 +eOhqGrTBWjIoQf61opLfElQl/am9hPwTRS76y1CIUnSmGTziZAyhQBW55hhHFhxd +YvT2yX1rR/vcFx4eDSQoQfgYYQIDAQABoygwJjAOBgNVHQ8BAf8EBAMCADAwFAYD +VR0gBA0wCzAJBgdngQwBBQECMAoGCCqGSM49BAMCA0kAMEYCIQCcRyKdvQ1s7e2W +lisej7ICfRsLmaqzcqeKcYPoqSK73QIhAPXS8DAEDvlB1Rch4UHs1ldixfX74Yia +R+ptvV7yo6Rq +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_multipurpose_valid_ku_august_2023.pem b/v3/testdata/smime/rsa_multipurpose_valid_ku_august_2023.pem new file mode 100644 index 000000000..2bd9bb02b --- /dev/null +++ b/v3/testdata/smime/rsa_multipurpose_valid_ku_august_2023.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Aug 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:e0:9d:ef:99:d1:c5:1b:de:e8:04:24:ad:0e:21: + 9b:38:82:a2:63:fc:45:ef:57:4b:58:e0:4e:dd:f1: + fe:5e:e9:fe:8a:05:63:a5:14:85:86:34:af:c4:95: + 1c:1d:b2:5a:0b:09:e8:cb:ba:97:39:45:d6:47:6a: + d6:bb:8a:fd:7e:59:5f:53:3d:3c:b3:88:a3:43:ea: + ea:f5:4b:6f:6f:ad:dc:8c:e1:be:f8:4b:b4:41:e6: + 46:f2:45:67:7c:4a:ca:61:cf:b2:c8:cf:f9:d2:50: + ce:be:e6:b1:ce:92:d3:14:e5:5d:77:a9:9f:4a:46: + 35:27:ce:54:54:ae:2f:21:af:c9:64:a2:cf:e0:b8: + 92:41:3c:40:cd:00:61:a7:91:0a:25:43:e9:c9:cb: + 3e:33:a4:9a:6a:e4:f6:fe:68:a6:68:57:b6:e7:38: + 17:42:b0:fc:f2:ac:4b:46:99:14:92:cb:ef:92:79: + 9f:8b:f6:26:53:5b:bb:01:66:7b:f6:a2:ef:84:b1: + 55:15:7c:0d:38:14:b5:60:63:9e:89:78:46:db:db: + 63:2b:e9:41:3c:d1:fc:bd:2c:67:58:22:f3:41:8b: + f0:15:65:c5:91:73:2e:3a:a0:ed:10:ec:8f:1d:18: + a8:3d:57:5f:34:be:0c:f9:24:4f:40:da:34:a1:54: + 13:cf + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Key Encipherment, Data Encipherment + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:82:cd:ea:cd:c1:63:e5:c3:a4:c9:e0:b2:0d: + 3c:33:f4:9b:6b:a0:81:dc:b3:0c:0d:72:f5:25:67:27:51:10: + 50:02:21:00:9d:84:c7:d5:06:41:92:61:02:48:f8:3f:92:42: + b8:07:a7:b0:a4:32:c7:63:96:59:65:8e:98:b0:7d:86:bd:80 +-----BEGIN CERTIFICATE----- +MIIB5TCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDgwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA4J3vmdHFG97oBCStDiGbOIKiY/xF71dLWOBO3fH+Xun+igVjpRSFhjSvxJUc +HbJaCwnoy7qXOUXWR2rWu4r9fllfUz08s4ijQ+rq9Utvb63cjOG++Eu0QeZG8kVn +fErKYc+yyM/50lDOvuaxzpLTFOVdd6mfSkY1J85UVK4vIa/JZKLP4LiSQTxAzQBh 
+p5EKJUPpycs+M6SaauT2/mimaFe25zgXQrD88qxLRpkUksvvknmfi/YmU1u7AWZ7 +9qLvhLFVFXwNOBS1YGOeiXhG29tjK+lBPNH8vSxnWCLzQYvwFWXFkXMuOqDtEOyP +HRioPVdfNL4M+SRPQNo0oVQTzwIDAQABoygwJjAOBgNVHQ8BAf8EBAMCADAwFAYD +VR0gBA0wCzAJBgdngQwBBQECMAoGCCqGSM49BAMCA0kAMEYCIQCCzerNwWPlw6TJ +4LINPDP0m2uggdyzDA1y9SVnJ1EQUAIhAJ2Ex9UGQZJhAkj4P5JCuAensKQyx2OW +WWWOmLB9hr2A +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_no_key_usages.pem b/v3/testdata/smime/rsa_no_key_usages.pem new file mode 100644 index 000000000..b723baada --- /dev/null +++ b/v3/testdata/smime/rsa_no_key_usages.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bd:af:ac:89:ca:3a:fb:91:6a:57:f7:2e:de:55: + dd:7c:b1:13:64:d0:f6:26:05:59:64:f1:f8:29:0d: + dc:41:cd:12:8e:9f:79:b4:51:88:0b:b9:d8:d9:84: + f6:dc:42:c9:18:ed:90:fe:22:1f:2c:a2:2a:b3:a5: + 3a:b4:c4:f7:73:36:7f:fd:fc:ae:40:36:9d:27:11: + 0b:59:6c:ca:a4:d3:78:f9:c2:fa:97:dc:c3:41:f8: + 91:f5:7d:9a:6f:63:7f:c2:29:8e:05:ac:93:ed:0f: + b4:02:26:0b:9c:f3:31:98:9e:c4:a3:04:94:af:de: + 7f:1d:dc:22:fd:90:dd:0c:9b:5e:b4:04:e9:95:51: + af:99:e4:d0:21:5b:ce:c3:16:d3:d9:40:54:f7:a3: + 9e:d2:10:03:3f:62:ab:84:26:98:73:af:fc:e0:68: + 15:31:ee:f1:6f:41:25:42:ae:37:ef:91:fe:e1:7d: + 55:de:76:79:13:9d:c2:73:06:3c:82:c7:3e:17:bb: + 26:fa:74:70:f3:4d:b2:d5:cc:71:29:f1:81:b8:d1: + 16:af:0f:aa:5a:d7:6a:3c:ce:bb:a6:31:d7:64:bf: + c9:11:5f:b8:aa:2f:ac:44:c7:a8:e1:c2:8d:5b:a7: + 9d:a9:12:fc:58:da:1b:7f:11:19:e8:b8:07:ed:a3: + 42:f7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + .... 
+ X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:75:d4:9d:ab:37:38:c1:fd:56:ce:59:5a:ab:e9: + 32:cf:ae:c4:fe:4e:8f:0a:6b:3f:3b:59:bd:39:5f:b7:e4:e1: + 02:20:40:e6:33:ab:8c:74:06:4f:1f:0a:e1:f8:6a:2a:c2:8f: + cd:88:16:1e:59:7b:f5:5d:05:a6:62:69:03:29:6b:4d +-----BEGIN CERTIFICATE----- +MIIB4zCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAva+sico6+5FqV/cu3lXdfLETZND2JgVZZPH4KQ3cQc0Sjp95tFGIC7nY2YT2 +3ELJGO2Q/iIfLKIqs6U6tMT3czZ//fyuQDadJxELWWzKpNN4+cL6l9zDQfiR9X2a +b2N/wimOBayT7Q+0AiYLnPMxmJ7EowSUr95/Hdwi/ZDdDJtetATplVGvmeTQIVvO +wxbT2UBU96Oe0hADP2KrhCaYc6/84GgVMe7xb0ElQq4375H+4X1V3nZ5E53CcwY8 +gsc+F7sm+nRw802y1cxxKfGBuNEWrw+qWtdqPM67pjHXZL/JEV+4qi+sRMeo4cKN +W6edqRL8WNobfxEZ6LgH7aNC9wIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAAAwFAYD +VR0gBA0wCzAJBgdngQwBBQEDMAoGCCqGSM49BAMCA0cAMEQCIHXUnas3OMH9Vs5Z +WqvpMs+uxP5OjwprPztZvTlft+ThAiBA5jOrjHQGTx8K4fhqKsKPzYgWHll79V0F +pmJpAylrTQ== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_strict_cert_sign_ku.pem b/v3/testdata/smime/rsa_strict_cert_sign_ku.pem new file mode 100644 index 000000000..7918373e5 --- /dev/null +++ b/v3/testdata/smime/rsa_strict_cert_sign_ku.pem 
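Review bot: `rsa_no_key_usages.pem` does not omit the Key Usage extension: the dump shows `X509v3 Key Usage: critical` followed by `....`, and the PEM body (`...BAf8EBAMCAAAw...`) decodes to a critical extension whose value is the BIT STRING `03 02 00 00`, i.e. present with every bit clear. The file name reads as "extension absent", while a lint that gates on the extension being present would still run against this certificate. A comment on the test case that loads it, such as `// KU extension present and critical, but no bits asserted`, would make the intended case explicit (the test file is outside this view). The value is also not minimal DER for a named-bit list, where an empty KeyUsage would be `03 01 00`, so the fixture presumably relies on the parser accepting the longer form; it is worth confirming that this is intended rather than a side effect of how the certificates were generated.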
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c3:50:d7:fd:6c:cf:ff:83:05:c2:8e:74:52:cc: + ec:1f:0a:2b:78:c1:00:e2:e6:bb:36:e9:f6:ee:13: + 75:79:f0:3f:53:5b:e6:58:10:de:a2:0f:d0:40:d2: + 48:ee:ac:59:47:71:4a:0b:c6:46:5a:f7:05:7b:a3: + fa:f0:a9:03:e7:70:df:49:61:9f:3a:77:2e:ad:fb: + ba:34:75:8a:07:22:50:56:ae:cb:dd:c1:b8:5f:dc: + f7:1d:d4:a5:d1:73:ac:6c:97:db:26:58:07:25:3f: + 0f:7f:d2:81:61:d4:32:47:f1:3b:3c:eb:e7:26:63: + 58:a9:15:80:09:09:09:64:89:24:5b:fd:a6:95:07: + 89:31:a3:53:7a:75:0d:95:47:a2:37:2c:a3:b7:f1: + 39:5b:5e:ab:14:99:09:f6:b1:09:04:43:c1:1f:ea: + f7:0f:e6:7a:13:25:26:11:26:23:ad:6c:e1:f7:63: + b8:dd:f0:7f:85:27:4e:36:80:31:6f:25:c2:d6:a8: + 41:30:8f:ef:46:9d:36:47:05:50:16:f8:ce:21:59: + c5:93:de:b6:74:b0:c7:3b:39:1b:f3:04:14:82:cf: + 86:56:36:ae:bd:95:bd:3b:e2:21:07:0d:4f:34:7d: + 07:42:cc:76:d0:f7:b3:63:1a:e8:1b:e9:f7:0e:d5: + 9b:1d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:aa:c4:cc:1b:c2:b0:78:71:fd:76:8c:55:f8: + 85:b9:ef:47:ed:7a:7f:31:87:73:1b:9e:c4:c2:c6:6f:52:42: + 91:02:20:2b:e6:2b:48:e1:ef:a5:69:00:39:39:82:00:87:fe: + 1e:aa:15:dc:63:72:6c:73:68:38:26:7a:47:fd:c9:d3:ac +-----BEGIN CERTIFICATE----- +MIIB5DCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAw1DX/WzP/4MFwo50UszsHworeMEA4ua7Nun27hN1efA/U1vmWBDeog/QQNJI +7qxZR3FKC8ZGWvcFe6P68KkD53DfSWGfOncurfu6NHWKByJQVq7L3cG4X9z3HdSl +0XOsbJfbJlgHJT8Pf9KBYdQyR/E7POvnJmNYqRWACQkJZIkkW/2mlQeJMaNTenUN 
+lUeiNyyjt/E5W16rFJkJ9rEJBEPBH+r3D+Z6EyUmESYjrWzh92O43fB/hSdONoAx +byXC1qhBMI/vRp02RwVQFvjOIVnFk962dLDHOzkb8wQUgs+GVjauvZW9O+IhBw1P +NH0HQsx20PezYxroG+n3DtWbHQIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAAQwFAYD +VR0gBA0wCzAJBgdngQwBBQEDMAoGCCqGSM49BAMCA0gAMEUCIQCqxMwbwrB4cf12 +jFX4hbnvR+16fzGHcxuexMLGb1JCkQIgK+YrSOHvpWkAOTmCAIf+HqoV3GNybHNo +OCZ6R/3J06w= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_strict_digital_signature_cert_sign_ku.pem b/v3/testdata/smime/rsa_strict_digital_signature_cert_sign_ku.pem new file mode 100644 index 000000000..fc968566b --- /dev/null +++ b/v3/testdata/smime/rsa_strict_digital_signature_cert_sign_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b6:6d:e4:2a:df:99:4b:71:b8:55:38:58:08:f7: + d0:cd:99:38:77:02:d3:51:0a:b7:28:4a:f7:5f:e6: + 68:62:65:34:91:17:9e:06:d5:e9:a8:b7:a9:1b:84: + d3:70:cc:c4:78:73:16:63:8d:71:a0:58:21:c0:eb: + 3a:8a:e0:5a:1b:aa:fb:16:a6:c7:c3:15:e9:7e:76: + b5:ba:6e:64:f7:df:9b:eb:51:b1:78:7e:f0:03:87: + 7d:42:82:7b:40:5d:b9:78:70:80:a3:60:72:a4:20: + 3e:b3:cf:a8:df:ed:75:10:1c:c3:2f:2a:67:84:ac: + 5d:69:a9:17:45:9b:8a:e7:9d:0a:a5:fc:b9:50:29: + 4f:25:a4:b4:cf:4d:c7:5e:6a:96:d1:e8:b7:47:52: + e2:26:f6:a0:7b:9c:5b:47:aa:dc:60:e5:86:ae:bd: + b9:9a:59:c4:e9:86:c1:fd:ae:94:a2:70:29:92:00: + fa:68:24:9c:ae:2a:a6:3e:79:f7:98:97:4f:63:dc: + 3d:33:32:e5:f0:5b:ff:66:fe:06:a6:21:53:65:2f: + b2:9b:5c:f3:6e:10:65:87:71:40:46:48:19:2e:ee: + 0f:06:09:4c:1c:88:50:47:93:07:c4:ef:a9:fd:38: + 48:88:73:62:04:f0:30:0d:61:56:7d:62:e1:49:3d: + bb:1f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:87:a1:e8:d1:2b:15:df:85:c5:3e:be:0a:0f: + 1b:18:e6:e3:be:f0:d4:f5:b4:70:58:42:ec:84:4a:dd:a9:ed: + b6:02:21:00:c5:7f:6a:42:68:e2:06:13:d1:ec:f8:e2:c7:3f: + de:d9:3b:78:05:9d:2c:0f:22:9a:68:92:07:10:0b:0a:bb:ba +-----BEGIN CERTIFICATE----- +MIIB5TCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAtm3kKt+ZS3G4VThYCPfQzZk4dwLTUQq3KEr3X+ZoYmU0kReeBtXpqLepG4TT +cMzEeHMWY41xoFghwOs6iuBaG6r7FqbHwxXpfna1um5k99+b61GxeH7wA4d9QoJ7 +QF25eHCAo2BypCA+s8+o3+11EBzDLypnhKxdaakXRZuK550Kpfy5UClPJaS0z03H 
+XmqW0ei3R1LiJvage5xbR6rcYOWGrr25mlnE6YbB/a6UonApkgD6aCScriqmPnn3 +mJdPY9w9MzLl8Fv/Zv4GpiFTZS+ym1zzbhBlh3FARkgZLu4PBglMHIhQR5MHxO+p +/ThIiHNiBPAwDWFWfWLhST27HwIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAIQwFAYD +VR0gBA0wCzAJBgdngQwBBQEDMAoGCCqGSM49BAMCA0kAMEYCIQCHoejRKxXfhcU+ +vgoPGxjm477w1PW0cFhC7IRK3anttgIhAMV/akJo4gYT0ez44sc/3tk7eAWdLA8i +mmiSBxALCru6 +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_strict_digital_signature_content_commitment_ku.pem b/v3/testdata/smime/rsa_strict_digital_signature_content_commitment_ku.pem new file mode 100644 index 000000000..ca5e3fa53 --- /dev/null +++ b/v3/testdata/smime/rsa_strict_digital_signature_content_commitment_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:b8:07:83:0c:f2:91:6e:63:d7:e3:00:2d:6c:35: + 2b:c6:f3:9b:d9:0e:24:ba:86:4d:f3:74:8b:bc:59: + 72:03:13:26:f2:8a:ea:fb:ef:de:9e:25:9a:cc:a0: + 86:cb:19:6b:c0:de:a4:38:29:6b:a4:13:f0:94:77: + c6:6d:72:05:84:eb:63:86:7f:c7:36:c6:c0:51:10: + ec:b7:68:68:8e:02:24:be:1b:da:89:a1:e5:e7:c5: + 66:6d:31:77:56:19:21:5c:d7:10:b9:0a:52:6d:bf: + 49:4f:e6:bb:5a:09:14:2f:14:8c:de:76:8e:71:57: + 49:c1:93:cb:7d:79:b8:e6:cb:18:c3:3a:54:e3:16: + 97:40:b8:90:b2:4f:5a:a8:00:42:0e:66:34:f7:53: + 2b:02:aa:16:82:fc:65:01:08:2c:fd:26:ca:dc:25: + d5:8d:a0:e4:1c:36:94:a6:69:23:d6:de:5e:3a:06: + c1:df:05:4f:aa:b0:cd:60:e2:12:09:6c:3c:01:37: + d5:ef:9a:99:7e:70:7f:17:72:bf:71:85:31:0b:6c: + 8c:e5:01:f4:89:10:4e:9e:ff:7e:6a:a4:55:2f:55: + b7:5c:ac:c9:9d:ab:e8:5a:6d:14:50:87:a5:94:98: + 91:97:92:4e:6d:06:ff:32:0c:e6:1a:e8:d0:27:66: + a8:bb + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:3f:43:91:e6:4c:fb:e8:81:8f:78:59:b4:dc:ff: + b2:68:1e:10:37:0d:54:e6:9b:b0:b2:69:c7:4a:05:fe:2c:33: + 02:20:43:ee:ed:75:62:e6:ca:e5:17:c1:8f:46:82:e8:a3:2f: + 85:6a:ac:b9:9e:c5:61:23:1c:cb:59:d1:8e:48:da:f8 +-----BEGIN CERTIFICATE----- +MIIB4zCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAuAeDDPKRbmPX4wAtbDUrxvOb2Q4kuoZN83SLvFlyAxMm8orq++/eniWazKCG +yxlrwN6kOClrpBPwlHfGbXIFhOtjhn/HNsbAURDst2hojgIkvhvaiaHl58VmbTF3 +VhkhXNcQuQpSbb9JT+a7WgkULxSM3naOcVdJwZPLfXm45ssYwzpU4xaXQLiQsk9a 
+qABCDmY091MrAqoWgvxlAQgs/SbK3CXVjaDkHDaUpmkj1t5eOgbB3wVPqrDNYOIS +CWw8ATfV75qZfnB/F3K/cYUxC2yM5QH0iRBOnv9+aqRVL1W3XKzJnavoWm0UUIel +lJiRl5JObQb/MgzmGujQJ2aouwIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAMAwFAYD +VR0gBA0wCzAJBgdngQwBBQEDMAoGCCqGSM49BAMCA0cAMEQCID9DkeZM++iBj3hZ +tNz/smgeEDcNVOabsLJpx0oF/iwzAiBD7u11YubK5RfBj0aC6KMvhWqsuZ7FYSMc +y1nRjkja+A== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_strict_digital_signature_key_encipherment_cert_sign_ku.pem b/v3/testdata/smime/rsa_strict_digital_signature_key_encipherment_cert_sign_ku.pem new file mode 100644 index 000000000..ed9011cc9 --- /dev/null +++ b/v3/testdata/smime/rsa_strict_digital_signature_key_encipherment_cert_sign_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d3:53:24:0f:13:92:20:33:5d:40:77:fb:ac:2b: + 8a:9d:78:60:8e:1a:e0:29:16:32:29:60:5c:01:15: + c6:83:0b:8d:77:d8:23:0b:b1:b5:2a:b0:71:cf:39: + d6:51:1f:54:25:30:88:f2:b5:7b:8c:f7:ba:08:a5: + fb:c3:bc:52:1a:f6:ae:1d:71:0b:2a:16:ff:81:56: + 69:88:3c:2d:74:d8:e0:c1:74:ab:e9:b7:fc:ea:c4: + 53:39:7b:3a:a5:d2:de:d9:8b:4e:0d:23:81:fb:c8: + aa:87:ff:5a:c0:98:e3:02:a5:fb:e8:19:28:0e:9a: + b2:3f:e7:e8:27:06:1b:34:94:9b:38:e9:96:73:20: + e5:f0:a9:2a:3b:4f:6e:f9:cc:40:18:a9:8c:f1:1d: + 5c:92:16:45:e9:67:5e:41:f3:a4:81:f1:28:0f:ad: + 40:a3:2d:b9:36:6c:d0:ff:37:7f:9e:a2:9b:25:6e: + 37:7b:1e:b3:76:f9:4d:5a:bb:bf:65:f8:1b:31:93: + d0:04:a2:50:21:21:11:7c:54:9e:a6:bc:b8:47:e2: + 60:ba:0f:fb:d7:5a:3b:2d:5a:37:11:a9:48:6f:88: + b2:b7:4a:e6:ea:db:27:cd:c6:0d:e1:17:42:58:f5: + 2b:a0:43:7a:0a:6c:04:37:5b:58:ac:14:46:25:c0: + 59:cf + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:74:e1:1f:02:b9:c3:b7:96:1a:bd:3b:4e:f8:db: + dd:a0:1a:ca:2f:73:cd:79:2c:c5:b6:20:75:4c:5a:f4:72:3a: + 02:21:00:dd:e6:cd:f0:b5:ad:26:78:eb:9f:1f:c9:d2:65:c6: + 27:c3:8d:c2:7a:67:b0:ec:cc:44:db:76:46:b0:b3:2d:d0 +-----BEGIN CERTIFICATE----- +MIIB5DCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA01MkDxOSIDNdQHf7rCuKnXhgjhrgKRYyKWBcARXGgwuNd9gjC7G1KrBxzznW +UR9UJTCI8rV7jPe6CKX7w7xSGvauHXELKhb/gVZpiDwtdNjgwXSr6bf86sRTOXs6 +pdLe2YtODSOB+8iqh/9awJjjAqX76BkoDpqyP+foJwYbNJSbOOmWcyDl8KkqO09u 
++cxAGKmM8R1ckhZF6WdeQfOkgfEoD61Aoy25NmzQ/zd/nqKbJW43ex6zdvlNWru/ +ZfgbMZPQBKJQISERfFSepry4R+Jgug/711o7LVo3EalIb4iyt0rm6tsnzcYN4RdC +WPUroEN6CmwEN1tYrBRGJcBZzwIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAKQwFAYD +VR0gBA0wCzAJBgdngQwBBQEDMAoGCCqGSM49BAMCA0gAMEUCIHThHwK5w7eWGr07 +Tvjb3aAayi9zzXksxbYgdUxa9HI6AiEA3ebN8LWtJnjrnx/J0mXGJ8ONwnpnsOzM +RNt2RrCzLdA= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_strict_digital_signature_key_encipherment_content_commitment_ku.pem b/v3/testdata/smime/rsa_strict_digital_signature_key_encipherment_content_commitment_ku.pem new file mode 100644 index 000000000..efbe95e74 --- /dev/null +++ b/v3/testdata/smime/rsa_strict_digital_signature_key_encipherment_content_commitment_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:be:fc:90:ee:59:94:8b:0a:62:5b:1e:a6:2f:87: + 6e:ad:dc:a3:64:eb:2f:ea:51:d4:00:3d:74:fb:c5: + d4:af:f1:61:a1:51:2a:b3:d2:df:f1:d1:6b:19:e6: + 6b:f0:b1:42:5f:25:ec:83:f1:c1:61:1e:c2:05:c9: + b9:7c:93:fd:7c:3a:3f:0a:64:bb:3c:0d:cf:22:d8: + be:6e:42:50:9d:ec:2c:f3:ec:04:27:3a:6d:c2:91: + ec:80:66:3d:de:94:1b:05:73:aa:26:4c:95:d5:6b: + bc:fb:2a:2e:f1:51:21:3f:5f:96:7d:c7:4d:c9:5c: + 4a:20:af:5e:85:59:35:5f:c8:99:5f:27:25:87:76: + 06:7a:02:57:80:79:44:fd:c8:59:5b:e4:74:54:77: + 67:2a:e4:9f:f3:91:c7:d0:77:96:9c:a6:8c:91:86: + 15:f4:c4:9d:11:5e:b8:22:f3:e8:a5:e8:12:e7:8f: + b4:9b:22:55:80:85:33:7b:b4:84:a6:01:05:d7:4e: + 22:b0:58:08:8c:47:96:c8:92:af:0d:9d:b0:5c:8c: + e2:21:57:10:df:06:f6:09:b8:c0:21:f4:c5:77:83: + c4:91:c0:8a:1f:b8:a8:a6:ee:49:c3:2a:5a:05:c9: + 55:e1:f1:8e:34:63:bc:a1:02:35:89:66:7a:bf:af: + 17:b3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:48:49:69:09:fd:23:b3:cc:36:59:bb:89:e9:b5: + 49:8b:cc:ec:b6:24:6d:a6:d3:9c:b7:f4:5c:bf:a2:e5:6d:f4: + 02:20:23:4e:40:9d:5b:92:63:9d:12:3e:54:3f:2e:83:da:18: + 49:62:38:da:25:43:60:8c:c1:c9:72:2a:0f:42:7a:eb +-----BEGIN CERTIFICATE----- +MIIB4zCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAvvyQ7lmUiwpiWx6mL4durdyjZOsv6lHUAD10+8XUr/FhoVEqs9Lf8dFrGeZr +8LFCXyXsg/HBYR7CBcm5fJP9fDo/CmS7PA3PIti+bkJQnews8+wEJzptwpHsgGY9 +3pQbBXOqJkyV1Wu8+you8VEhP1+WfcdNyVxKIK9ehVk1X8iZXyclh3YGegJXgHlE 
+/chZW+R0VHdnKuSf85HH0HeWnKaMkYYV9MSdEV64IvPopegS54+0myJVgIUze7SE +pgEF104isFgIjEeWyJKvDZ2wXIziIVcQ3wb2CbjAIfTFd4PEkcCKH7iopu5Jwypa +BclV4fGONGO8oQI1iWZ6v68XswIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAOAwFAYD +VR0gBA0wCzAJBgdngQwBBQEDMAoGCCqGSM49BAMCA0cAMEQCIEhJaQn9I7PMNlm7 +iem1SYvM7LYkbabTnLf0XL+i5W30AiAjTkCdW5JjnRI+VD8ug9oYSWI42iVDYIzB +yXIqD0J66w== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_strict_digital_signature_ku.pem b/v3/testdata/smime/rsa_strict_digital_signature_ku.pem new file mode 100644 index 000000000..01bb626a8 --- /dev/null +++ b/v3/testdata/smime/rsa_strict_digital_signature_ku.pem 
@@ -0,0 +1,58 @@ +-------------Leaf------------- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:af:30:a4:d5:84:42:74:29:1a:e9:f8:ff:1c:fd: + a0:37:89:50:8a:30:cd:4f:7a:ca:a1:4f:15:f0:c3: + 8d:f1:91:b9:59:c5:7f:8b:bd:0a:a7:b3:51:b7:69: + da:47:f9:f7:c6:cc:19:99:86:4c:98:92:69:7d:63: + 9c:2f:bc:7a:64:f5:6f:1b:67:23:a0:29:df:a6:75: + b1:4c:a5:ae:0e:a2:20:f1:4f:2a:71:08:13:83:36: + d9:ae:2f:a9:02:75:3e:82:c0:71:30:b7:88:f3:c7: + ca:c4:fe:85:98:d3:b1:32:37:a2:67:15:97:3e:ea: + 59:40:11:97:c1:42:7a:11:af:9e:cb:29:2b:16:44: + bf:63:6e:b6:1a:5b:6b:79:50:47:a3:df:12:2f:99: + bd:34:e6:75:b8:82:b4:d5:bc:7c:07:9a:df:9f:07: + 93:f0:57:72:e4:8d:7c:4c:36:81:6c:8f:33:57:5e: + 60:90:13:23:5f:04:07:56:13:29:0a:eb:7c:4e:5d: + 36:3c:46:a8:eb:ee:7e:85:ff:27:d9:9c:1b:86:44: + a6:e1:3d:4f:a9:9e:a9:58:6c:33:00:c6:04:31:d9: + cb:bd:91:88:b1:39:6d:e2:05:19:18:a9:9a:43:26: + 8c:0a:27:a8:88:74:85:80:25:2a:af:bc:2c:2e:d0: + 73:6f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:ec:31:80:3c:fd:9d:46:ff:e4:2e:7c:d7:02: + fb:a7:65:37:56:d3:16:aa:02:55:c8:43:ae:45:03:7a:85:3a: + a4:02:21:00:81:69:4b:33:3e:76:8d:a3:8a:f2:ae:a4:59:fe: + a7:4c:1a:a3:a7:45:58:a6:25:bc:d6:53:49:00:e3:60:9c:3d +-----BEGIN CERTIFICATE----- +MIIB5TCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEArzCk1YRCdCka6fj/HP2gN4lQijDNT3rKoU8V8MON8ZG5WcV/i70Kp7NRt2na +R/n3xswZmYZMmJJpfWOcL7x6ZPVvG2cjoCnfpnWxTKWuDqIg8U8qcQgTgzbZri+p +AnU+gsBxMLeI88fKxP6FmNOxMjeiZxWXPupZQBGXwUJ6Ea+eyykrFkS/Y262Gltr 
+eVBHo98SL5m9NOZ1uIK01bx8B5rfnweT8Fdy5I18TDaBbI8zV15gkBMjXwQHVhMp +Cut8Tl02PEao6+5+hf8n2ZwbhkSm4T1PqZ6pWGwzAMYEMdnLvZGIsTlt4gUZGKma +QyaMCieoiHSFgCUqr7wsLtBzbwIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAIAwFAYD +VR0gBA0wCzAJBgdngQwBBQEDMAoGCCqGSM49BAMCA0kAMEYCIQDsMYA8/Z1G/+Qu +fNcC+6dlN1bTFqoCVchDrkUDeoU6pAIhAIFpSzM+do2jivKupFn+p0wao6dFWKYl +vNZTSQDjYJw9 +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_strict_key_encipherment_cert_sign_ku.pem b/v3/testdata/smime/rsa_strict_key_encipherment_cert_sign_ku.pem new file mode 100644 index 000000000..9543529a9 --- /dev/null +++ b/v3/testdata/smime/rsa_strict_key_encipherment_cert_sign_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c9:1c:b7:96:a7:d9:8e:ec:ef:05:e6:c1:68:b8: + 86:4e:a4:7f:02:ff:23:97:d6:12:bd:b2:21:6a:fc: + 49:4e:5d:bb:eb:b5:e9:8a:ad:0b:d6:a6:e3:99:3a: + ed:09:16:c0:8e:15:10:e4:ff:83:4e:f7:56:f8:e1: + c8:d6:48:7b:06:ae:19:6d:ef:32:44:03:6d:da:c4: + 80:05:4e:1a:24:a9:27:9f:cb:de:28:90:2f:0e:ab: + fb:bd:79:b6:c2:af:9b:38:31:e6:33:a8:dd:e4:25: + 5c:47:02:b8:76:03:3d:7b:ae:f8:be:f7:3d:1f:48: + 3e:f5:56:21:c6:a5:5e:16:d1:cd:e4:2e:f7:4d:9f: + 57:6e:03:14:06:d1:5b:bb:56:8d:a0:9f:23:89:5c: + 38:65:0a:f3:e5:d2:2e:43:64:6b:33:76:ff:4e:62: + 32:f9:ad:d3:08:61:f7:1e:1f:ad:3d:fa:46:37:9f: + 23:4d:9d:89:bf:e8:1d:d9:11:a7:af:f6:37:ea:48: + 8d:eb:0a:43:9d:fc:fc:77:16:99:69:a4:fd:86:e0: + 0c:87:9b:37:3e:50:e7:18:67:8f:5a:9f:0e:ef:90: + 6b:6f:f9:db:e6:90:e8:d4:2b:a1:22:82:6d:6d:57: + 2b:90:26:06:05:e5:0f:c1:dc:e2:53:a3:95:b4:69: + fc:a5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Key Encipherment, Certificate Sign + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:f4:2e:db:09:c9:2a:2d:fd:a6:2b:b1:7f:3b: + 99:73:9f:eb:da:7f:a6:49:f5:37:f6:e3:98:eb:fd:44:3f:fd: + 77:02:20:75:e5:9c:9c:4d:fc:18:4e:7a:bc:de:4f:1f:e0:a3: + fe:4d:65:d2:22:9b:9c:db:cc:ae:6f:9e:a9:ea:dd:90:f6 +-----BEGIN CERTIFICATE----- +MIIB5DCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyRy3lqfZjuzvBebBaLiGTqR/Av8jl9YSvbIhavxJTl2767Xpiq0L1qbjmTrt +CRbAjhUQ5P+DTvdW+OHI1kh7Bq4Zbe8yRANt2sSABU4aJKknn8veKJAvDqv7vXm2 +wq+bODHmM6jd5CVcRwK4dgM9e674vvc9H0g+9VYhxqVeFtHN5C73TZ9XbgMUBtFb 
+u1aNoJ8jiVw4ZQrz5dIuQ2RrM3b/TmIy+a3TCGH3Hh+tPfpGN58jTZ2Jv+gd2RGn +r/Y36kiN6wpDnfz8dxaZaaT9huAMh5s3PlDnGGePWp8O75Brb/nb5pDo1CuhIoJt +bVcrkCYGBeUPwdziU6OVtGn8pQIDAQABoygwJjAOBgNVHQ8BAf8EBAMCACQwFAYD +VR0gBA0wCzAJBgdngQwBBQEDMAoGCCqGSM49BAMCA0gAMEUCIQD0LtsJySot/aYr +sX87mXOf69p/pkn1N/bjmOv9RD/9dwIgdeWcnE38GE56vN5PH+Cj/k1l0iKbnNvM +rm+eqerdkPY= +-----END CERTIFICATE----- diff --git a/v3/testdata/smime/rsa_strict_key_encipherment_ku.pem b/v3/testdata/smime/rsa_strict_key_encipherment_ku.pem new file mode 100644 index 000000000..0e03d8f8c --- /dev/null +++ b/v3/testdata/smime/rsa_strict_key_encipherment_ku.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:e2:89:4c:9d:6b:19:06:70:1e:6e:3f:f1:83:cb: + 00:8e:f1:ff:19:bc:e1:3f:d0:23:a3:0b:4c:aa:05: + 2e:51:54:32:82:b3:d1:88:9a:d5:21:b2:96:92:20: + 0d:51:c5:d4:43:fa:0a:4e:05:e3:90:64:0f:11:49: + 82:ed:94:40:23:51:3a:34:04:59:9a:bf:49:36:bf: + bc:5c:b9:f8:0a:60:44:e9:13:67:6c:0a:1b:f5:d8: + 6a:03:8a:1b:9a:20:d9:11:de:75:76:dd:a6:88:e3: + 3a:d8:9b:af:ab:7f:ee:7a:5c:98:7a:06:e9:68:1f: + 09:d1:f4:97:ea:91:19:9a:5b:5a:5d:52:04:d2:86: + 67:f4:45:6a:31:a1:b1:6d:ab:99:62:55:f7:15:40: + a5:61:fa:27:e4:89:54:92:bb:e3:14:08:a4:e3:26: + 99:62:29:58:44:78:cb:87:f6:4f:9a:14:1d:79:d3: + 8d:a5:16:ef:1c:22:ea:a3:5a:1c:4f:de:9b:a8:c1: + 70:5c:48:61:4e:d6:8f:f6:fe:cd:e9:b7:ab:b0:20: + ed:5b:7d:a1:76:de:9c:f6:6a:2c:3e:ca:dd:4f:dc: + 10:9c:78:77:1d:68:98:4a:13:0e:f8:2c:0d:c8:fb: + 24:24:4f:68:2c:a2:8f:62:57:06:7f:15:09:10:41: + d1:eb + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Key Encipherment + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:c9:b1:2c:56:88:0c:cb:71:24:57:75:a8:52: + 8b:22:53:0a:67:3c:6e:11:02:7c:7c:de:f8:89:d3:b9:7f:8e: + 1a:02:21:00:ef:cf:ce:49:2c:e4:a5:54:b9:0f:23:c0:f1:4f: + 12:28:82:e4:2e:2a:ad:9d:e7:bc:f9:df:6b:dc:97:d1:6c:a8 +-----BEGIN CERTIFICATE----- +MIIB5TCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA4olMnWsZBnAebj/xg8sAjvH/GbzhP9AjowtMqgUuUVQygrPRiJrVIbKWkiAN +UcXUQ/oKTgXjkGQPEUmC7ZRAI1E6NARZmr9JNr+8XLn4CmBE6RNnbAob9dhqA4ob +miDZEd51dt2miOM62Juvq3/uelyYegbpaB8J0fSX6pEZmltaXVIE0oZn9EVqMaGx 
+bauZYlX3FUClYfon5IlUkrvjFAik4yaZYilYRHjLh/ZPmhQdedONpRbvHCLqo1oc +T96bqMFwXEhhTtaP9v7N6bersCDtW32hdt6c9mosPsrdT9wQnHh3HWiYShMO+CwN +yPskJE9oLKKPYlcGfxUJEEHR6wIDAQABoygwJjAOBgNVHQ8BAf8EBAMCACAwFAYD +VR0gBA0wCzAJBgdngQwBBQEDMAoGCCqGSM49BAMCA0kAMEYCIQDJsSxWiAzLcSRX +dahSiyJTCmc8bhECfHze+InTuX+OGgIhAO/Pzkks5KVUuQ8jwPFPEiiC5C4qrZ3n +vPnfa9yX0Wyo +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/rsa_strict_valid_ku_august_2023.pem b/v3/testdata/smime/rsa_strict_valid_ku_august_2023.pem new file mode 100644 index 000000000..90fadf501 --- /dev/null +++ b/v3/testdata/smime/rsa_strict_valid_ku_august_2023.pem 
@@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Aug 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:db:49:17:e2:a7:3d:74:f2:91:7d:5d:13:ca:ea: + 29:30:75:82:f5:f9:dd:38:97:60:d5:ca:5f:38:d2: + 47:eb:b0:ad:aa:1f:c9:06:a2:d7:f9:38:fd:a0:e9: + 35:73:ba:c8:60:3b:cd:83:46:6f:c8:b2:04:59:25: + ba:e3:ba:a5:7c:fb:dc:09:2f:8d:94:4d:a8:93:81: + 16:34:0c:91:a3:bf:12:cc:c4:a5:d5:d5:95:e7:dc: + 07:ba:6f:90:0f:77:6f:4f:f1:42:57:0e:ee:62:c1: + 27:c4:1d:ca:53:f4:af:e6:b3:f1:7d:e1:11:f7:6b: + 07:bb:75:49:1d:4f:f6:69:19:a5:0b:5d:9d:1f:7d: + cb:d7:a5:4b:82:e4:ce:93:46:74:f7:3a:4e:3d:cc: + ec:51:85:01:64:47:1b:38:8f:5b:97:da:2c:27:08: + 2b:7f:70:98:eb:1a:5b:64:ed:77:43:0e:26:95:7e: + 42:62:b8:ac:72:9a:86:5b:5a:8c:0c:33:f9:02:49: + b8:79:d3:7a:94:ee:13:c1:1c:87:83:00:2e:c1:92: + 7e:3c:a8:99:9f:9f:06:8e:31:ae:32:2b:a8:e6:67: + 8b:00:d2:52:48:c2:fd:3c:a0:5f:90:c9:f9:bf:4b: + 1d:2b:22:0b:36:bb:bc:bd:c4:b9:56:ee:ad:fc:79: + 33:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:6f:3f:78:8f:d0:1f:29:16:ca:85:43:ab:78:15: + 21:25:e3:9b:8d:af:f7:29:36:7b:1e:5f:70:71:8b:ac:1f:77: + 02:20:65:64:94:97:74:a7:fd:0d:84:1d:38:25:c4:d5:95:d5: + c5:ec:dc:d1:89:c4:7e:41:d6:3d:7b:01:02:74:0e:7a +-----BEGIN CERTIFICATE----- +MIIB4zCCAYqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDgwMjAwMDAwMFoY +Dzk5OTgxMTMwMDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA20kX4qc9dPKRfV0TyuopMHWC9fndOJdg1cpfONJH67Ctqh/JBqLX+Tj9oOk1 +c7rIYDvNg0ZvyLIEWSW647qlfPvcCS+NlE2ok4EWNAyRo78SzMSl1dWV59wHum+Q +D3dvT/FCVw7uYsEnxB3KU/Sv5rPxfeER92sHu3VJHU/2aRmlC12dH33L16VLguTO 
+k0Z09zpOPczsUYUBZEcbOI9bl9osJwgrf3CY6xpbZO13Qw4mlX5CYriscpqGW1qM +DDP5Akm4edN6lO4TwRyHgwAuwZJ+PKiZn58GjjGuMiuo5meLANJSSML9PKBfkMn5 +v0sdKyILNru8vcS5Vu6t/Hkz/wIDAQABoygwJjAOBgNVHQ8BAf8EBAMCAIAwFAYD +VR0gBA0wCzAJBgdngQwBBQEDMAoGCCqGSM49BAMCA0cAMEQCIG8/eI/QHykWyoVD +q3gVISXjm42v9yk2ex5fcHGLrB93AiBlZJSXdKf9DYQdOCXE1ZXVxezc0YnEfkHW +PXsBAnQOeg== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/with_non_critical_ku_extension.pem b/v3/testdata/smime/with_non_critical_ku_extension.pem new file mode 100644 index 000000000..beb992a27 --- /dev/null +++ b/v3/testdata/smime/with_non_critical_ku_extension.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:80:18:7e:b2:c2:90:7e:83:ed:f3:ba:64:10:20: + ca:bb:7c:8a:7f:74:dd:e8:aa:fc:7b:59:06:91:5b: + 22:0d:f3:20:c3:b1:46:c3:b2:a5:a8:b9:c8:bc:e3: + 22:c1:9f:40:a4:e2:61:ba:44:df:6a:37:da:90:66: + eb:cf:30:0f:73 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: + Digital Signature + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:7b:d8:1d:c5:7f:57:b9:b2:71:7a:67:f4:52:ad: + 13:1c:5b:2a:6b:b6:8c:19:dc:d8:10:f4:dc:76:ee:e4:2a:26: + 02:20:3b:7b:b6:c7:8b:f3:20:05:cb:e5:d6:80:d0:56:c5:6b: + 24:16:c8:8a:81:f4:63:36:f2:86:31:ed:83:cd:18:d5 +-----BEGIN CERTIFICATE----- +MIIBFDCBvKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASAGH6y +wpB+g+3zumQQIMq7fIp/dN3oqvx7WQaRWyIN8yDDsUbDsqWouci84yLBn0Ck4mG6 +RN9qN9qQZuvPMA9zoyUwIzALBgNVHQ8EBAMCAIAwFAYDVR0gBA0wCzAJBgdngQwB +BQEDMAoGCCqGSM49BAMCA0cAMEQCIHvYHcV/V7mycXpn9FKtExxbKmu2jBnc2BD0 +3Hbu5ComAiA7e7bHi/MgBcvl1oDQVsVrJBbIioH0YzbyhjHtg80Y1Q== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/util/smime_policies.go b/v3/util/smime_policies.go index c8c5453af..6fb9a74b4 100644 --- a/v3/util/smime_policies.go +++ b/v3/util/smime_policies.go 
@@ -28,6 +28,10 @@ func IsMailboxValidatedCertificate(c *x509.Certificate) bool {
 return false
 }
 
+func IsSMIMEBRCertificate(c *x509.Certificate) bool {
+ return IsLegacySMIMECertificate(c) || IsMultipurposeSMIMECertificate(c) || IsStrictSMIMECertificate(c)
+}
+
 func IsLegacySMIMECertificate(c *x509.Certificate) bool {
 for _, oid := range c.PolicyIdentifiers {
 if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBROrganizationValidatedLegacyOID) || oid.Equal(SMIMEBRSponsorValidatedLegacyOID) || oid.Equal(SMIMEBRIndividualValidatedLegacyOID) {
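Review bot: The new exported `IsSMIMEBRCertificate` has no doc comment, and nothing in the hunk tells a caller what a `false` result means. It returns true when any of the legacy, multipurpose or strict helpers matches. Judging by `IsLegacySMIMECertificate` just below, that is a match on `c.PolicyIdentifiers`, so a certificate asserting none of those policy OIDs would presumably be skipped, not flagged, by any lint that uses this as its applicability gate. I would add `// IsSMIMEBRCertificate reports whether c matches any S/MIME BR policy generation (legacy, multipurpose or strict).` above the function. The body of `IsLegacySMIMECertificate` continues outside the hunk.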