From 356adc68c522067906e44d7f7867a93f9d41793a Mon Sep 17 00:00:00 2001
From: Corey Bonnell
Date: Mon, 14 Oct 2024 15:34:57 -0400
Subject: [PATCH] Fix typo in finding code for multiple reserved policy OIDs in TLS BR subscriber certificates (#123)

---
 CHANGELOG.md | 6 ++++
 VERSION.txt | 2 +-
 pkilint/cabf/serverauth/finding_metadata.csv | 2 +-
 .../cabf/serverauth/serverauth_subscriber.py | 2 +-
 .../dv_and_ov_policy_oids.crttest | 35 +++++++++++++++++++
 5 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 tests/integration_certificate/tls_br/dv_final_certificate/dv_and_ov_policy_oids.crttest

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba08b39..f55d607 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@ All notable changes to this project from version 0.9.3 onwards are documented in this file.
+## 0.12.2 - 2024-10-14
+
+### Fixes
+
+- Fix typo in finding code for multiple TLS BR policy OIDs in Subscriber certificates (#122 - found by @robstradling)
+
 ## 0.12.1 - 2024-10-14
 ### New features/enhancements
diff --git a/VERSION.txt b/VERSION.txt
index aac2dac..e96a871 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-0.12.1
\ No newline at end of file
+0.12.2
\ No newline at end of file
diff --git a/pkilint/cabf/serverauth/finding_metadata.csv b/pkilint/cabf/serverauth/finding_metadata.csv
index 3dd23db..49deb90 100644
--- a/pkilint/cabf/serverauth/finding_metadata.csv
+++ b/pkilint/cabf/serverauth/finding_metadata.csv
@@ -70,7 +70,6 @@ ERROR,cabf.serverauth.ca_basic_constraints_ca_bit_not_set,
 ERROR,cabf.serverauth.ca_external_anypolicy,Validates that the content of the certificate policies extension complies with BR 7.1.2.10.5.
 ERROR,cabf.serverauth.ca_missing_reserved_policy_oid,Validates that the content of the certificate policies extension complies with BR 7.1.2.10.5.
 ERROR,cabf.serverauth.ca_multiple_reserved_policy_oids,Validates that the content of the certificate policies extension complies with BR 7.1.2.10.5.
-ERROR,cabf.serverauth.ca_multiple_reserved_policy_oids,Validates that the certificate policy OID(s) conform to BR 7.1.2.7.9.
 ERROR,cabf.serverauth.ca_non_tls_has_reserved_policy_oid,A non-TLS CA certificate contains a CA/Browser Forum serverauth reserved policy OID.
 ERROR,cabf.serverauth.ca_precert_signing.precertsigning_eku_absent,Validates that the content of the extended key usage extension complies with BR 7.1.2.4.2.: A required element is absent
 ERROR,cabf.serverauth.ca_precert_signing.unknown_eku_present,Validates that the content of the extended key usage extension complies with BR 7.1.2.4.2.: A prohibited element is present
@@ -182,6 +181,7 @@ ERROR,cabf.serverauth.subscriber_anypolicy_oid_present,Validates that the certif
 ERROR,cabf.serverauth.subscriber_basic_constraints_ca_bit_set,
 ERROR,cabf.serverauth.subscriber_common_name_unknown_source,Validates that the content of the commonName attribute conforms to BR 7.1.4.3.
 ERROR,cabf.serverauth.subscriber_missing_reserved_policy_oid,Validates that the certificate policy OID(s) conform to BR 7.1.2.7.9.
+ERROR,cabf.serverauth.subscriber_multiple_reserved_policy_oids,Validates that the certificate policy OID(s) conform to BR 7.1.2.7.9.
 ERROR,cabf.serverauth.subscriber_prohibited_ku_present,Validates that the content of the key usage extension conforms with BR 7.1.2.7.11.
 ERROR,cabf.serverauth.subscriber_required_ku_missing,Validates that the content of the key usage extension conforms with BR 7.1.2.7.11.
 ERROR,cabf.serverauth.subscriber_stateprovince_and_locality_missing,"Validates that the stateOrProvinceName and/or localityName subject attributes are present, as per EVG 9.2.6, BR 7.1.2.7.3, and BR 7.1.2.7.4."
diff --git a/pkilint/cabf/serverauth/serverauth_subscriber.py b/pkilint/cabf/serverauth/serverauth_subscriber.py
index 606a388..55d52eb 100644
--- a/pkilint/cabf/serverauth/serverauth_subscriber.py
+++ b/pkilint/cabf/serverauth/serverauth_subscriber.py
@@ -467,7 +467,7 @@ class SubscriberPoliciesValidator(validation.Validator):
     VALIDATION_MULTIPLE_RESERVED_OIDS = validation.ValidationFinding(
         validation.ValidationFindingSeverity.ERROR,
-        'cabf.serverauth.ca_multiple_reserved_policy_oids'
+        'cabf.serverauth.subscriber_multiple_reserved_policy_oids'
     )

     VALIDATION_NO_RESERVED_OID = validation.ValidationFinding(
diff --git a/tests/integration_certificate/tls_br/dv_final_certificate/dv_and_ov_policy_oids.crttest b/tests/integration_certificate/tls_br/dv_final_certificate/dv_and_ov_policy_oids.crttest
new file mode 100644
index 0000000..5804c1f
--- /dev/null
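Review bot: The corrected code on the `+` line of the serverauth_subscriber.py hunk is still a free-form string literal that has to agree by hand with the row added to finding_metadata.csv in the hunk just above it, which is how the `ca_`/`subscriber_` mix-up got in and why the CSV carried two `ca_multiple_reserved_policy_oids` rows until the first CSV hunk of this commit removed one. Consider a small test that reads finding_metadata.csv with the `csv` module, collects the code of every `validation.ValidationFinding` declared in the serverauth validators, and asserts each code appears in the CSV exactly once; the uniqueness half would also have caught the duplicate row this commit deletes. I cannot see from the diff whether such a cross-check already exists elsewhere in the test suite, so treat this as a suggestion to verify rather than a confirmed gap. `SubscriberPoliciesValidator` starts and ends outside the hunk; the new .crttest fixture's expected-findings line does use the renamed code, so the fixture and the literal agree.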
+++ b/tests/integration_certificate/tls_br/dv_final_certificate/dv_and_ov_policy_oids.crttest 
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIFkTCCBHmgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD +VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV +cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow +ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP +y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK +1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG +tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks +HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA +CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV +iDkCAwEAAaOCAsYwggLCMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG +MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw +HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGA1UdHwQvMC0wK6ApoCeG +JWh0dHA6Ly9jcmwuY2VydHNydXMuY29tL0lzc3VpbmdDQS5jcmwwHQYDVR0gBBYw +FDAIBgZngQwBAgEwCAYGZ4EMAQICMGsGCCsGAQUFBwEBBF8wXTAkBggrBgEFBQcw +AYYYaHR0cDovL29jc3AuY2VydHNydXMuY29tMDUGCCsGAQUFBzAChilodHRwOi8v +Y2FjZXJ0cy5jZXJ0c3J1cy5jb20vSXNzdWluZ0NBLmNydDAMBgNVHRMBAf8EAjAA +MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdwB2/4g/Crb7lVHCYcz1h7o0tKTN +uyncaEIKn+ZnTFo6dAAAAYj4va8AAAAEAwBIMEYCIQCJ6/3b0IBPMTBz2BnztDtE +ljOplTKLJ+5aLpSnTMi8ngIhAKA5BuMfFW/zjdC20nLujmm1I/8rikIDoSd0M3jE +rK8YAHUASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGI+L2vMgAA +BAMARjBEAiB5qzY/+SKx4S30VxZXnTiFcOcLigTLzDc7kV4XjQaPNwIgPriQx2hO +YEzeBPpy39G0lZM+FAshMq05FD9VRl6ygxYAdQA7U3d1Pi25gE6LMFsG/kA7Z9hP +w/THvQANLXJv4frUFwAAAYj4va8sAAAEAwBGMEQCIDr0klWCDh0GpiGQw5/1QT4n +T9HpWW7VUL6bHgwVSIAFAiBUYnRBYJul5ex58TJGovCji2tOebCmfGzb1cs6FIMH +JzANBgkqhkiG9w0BAQsFAAOCAQEAXff2RWIifpPcnlpiKzyK8Qabshh3zvk23Oox ++La7bed7/lIQIP/WEr/s5H1zxe4s3CU4358DLBmX93B9oMp+afrHPJl/ZkEAvVhE +OtM+OewoOljaoi8UmWC60imeGVT4NIZF7I3migmd8+8ruaMwDgafRZNwmbZD9S5W +0v4XhxnMsJ02Z6R209mD4sa5/PqovuWgGcj64YjSspyiNQuoYQm//E5l7u4dn99Z +dGYQ2fgBmTfP6smDPGmRsy6d4C7KVr3ztvwnnut23UJli+glDlKWhsRfHgMbLV2Q 
+h6/eR0eovfk8bt18QqvHp8PzGVidY5hKeo163oRkEIV75k1Onw== +-----END CERTIFICATE----- + +node_path,validator,severity,code,message +certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies,SubscriberPoliciesValidator,ERROR,cabf.serverauth.subscriber_multiple_reserved_policy_oids,"Multiple reserved policy OIDs present: 2.23.140.1.2.1, 2.23.140.1.2.2"