v0.11.0 (#82)
* Bump version, add ASN.1 modules

* Add determination of ETSI webauth cert type

* Add EVCP

* Better cert type determination, add validator for empty PSP roles

* Add support for pre-certs and final certs

* Rename NCP and QNCP legal person and natural person certificate types

* STNDS-403 Refactor OrgId validators for better code sharing (subtask STNDS-404)

* raised specific error for invalid country codes

* added 3 tests for country codes

* made code less redundant and put class for country codes all in one class

* named class to be more specific

* qcretention period checking done as well as added DS Store to the gitignore

* STNDS-403 Implement OrgId attribute validator for legal persons (#4)

* qc type ready for testing

* Stnds 409 - Add lint to validate QcEuPDS statement (#6)

---------

Co-authored-by: Alex Campbell <campbellalex321@gmail>

* STNDS-412 Differentiate between EIDAS qualified and non-EIDAS qualified (#5)

* STNDS-412 Differentiate between EIDAS qualified and non-EIDAS qualified

* Bump download-artifact version

* Fix finding filters for CABF cert types

* Add ETSI linters to validation reporter test

* Add PKIX/CABF findings to QcType crttest files

* Add PKIX/CABF findings to PDS crttest files, address a few PEP warnings

* almost there, got to figure out how to add the check only if the cert is psd2, right now it's every time, some reason it's classifying the cert as something else

* got to change where it qualifies on a cert for the test run

* Stnds 422 - Verify that NCAName is in "Latin" characters (#9)

* requirements for queulimitvalue (#8)

* added iso639

* added iso4217

---------

Co-authored-by: Alex Campbell <campbellalex321@gmail>

* qc_eupds_missing works as expected

* STNDS-430 Disallow policyMappings, policyConstraints, and inhibitAnyPolicy in EE certs (#10)

* Stnds 423 - Verify the syntax of NCAId (#12)

* STNDS-447 Flag use of id-qcs-pkixQCSyntax-v1 semanticsIdentifier (#15)

* STNDS-447 A simpler implementation

* STNDS-429 validate natural person IDs (#14)

* natural person logic created

* logic for multiple cn and country names work

* added test files

* STNDS-424 Check PSD OrgId format in EU PSD2 certs (#19)

* Remove unused PSP role mapping

* STNDS-449 Check for at least one URI in NRA in SemanticsInformation (#18)

* STNDS 448 - Policy extension should not be marked critical (#16)

* Stnds 454 - CRL distribution points not marked critical (#24)

* Stnds 453 - Extended key usage not marked critical (#23)

* Stnds 451 - Issuer alternative name not marked critical

* Stnds 450 - Subject alternative name not marked critical

* STNDS-444: The pseudonym attribute shall not be present if the givenName and surname attribute are present

Co-authored-by: Alex Campbell <campbellalex321@gmail>

* STNDS-452: Add PKIX validator for IAN criticality (#26)

* Fix acknowledgements table formatting

* Fix integration tests for VATEL, bump version to 0.11

* STNDS-442 (#27)

* Simplify duplicate attribute detection logic

* Simplify attribute count logic

* STNDS-462 (#29)

* Switch all uses of magic strings to new KeyUsage bit name class

* STNDS-462

* Fix build

* Rename ETSI cert smoke test

* Add graceful decode error handling to ETSI CLI

* STNDS-455 CRLDP + AIA lints (#32)

* STNDS-465 Add Certificate Policies lint (#33)

* STNDS-467: Add validators for EN 319 412-3 clause 4.2.1 (#35)

* STNDS-467: Add validators for EN 319 412-3 clause 4.2.1

* Fix build

* STNDS-469: Add support for unbounded value lengths for selected attributes (#36)

* Add finding introduced after merge

* STNDS-466 - qcStatements extension shall not be marked as critical (#34)

---------

Co-authored-by: Michael Lettona <[email protected]>

* STNDS-472: Create legal person Key Usage value validator (#37)

* STNDS-472: Create legal person Key Usage value validator

* STNDS-494: Add TS 119 312 public key validators (#39)

* STNDS-494: Add TS 119 312 validators

* Fix RSA exponent upper bound check

* Clean up exponent check

* STNDS-496: Add DNSName-specific CN value validator (#40)

* STNDS-497: Add validator to check for presence of extensions (#41)

* STNDS-498: Create ETSI internal name validators for QNCP-w-gen (#42)

* Refactor internal name validators for better reuse

* Create ETSI validators for QNCP-w-gen

* Clean up validations a bit

* referenced subscriber server auth for qncp-w-gen code (#38)

* Merge remote-tracking branch 'origin/qualified' into STNDS-473

* removed no_eku

* added qncpwgenextusage validator

* qncp_w_gen_requirements done

* added validators

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

* changed name of the validator

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

---------

Co-authored-by: Alex Campbell <campbellalex321@gmail>
Co-authored-by: Corey Bonnell <[email protected]>

* SC-72 implementation (#73) (#43)

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* Finalize 0.10.2 release

* Clean up README language

* Remove superfluous newline

* STNDS-503: Allow transnational country codes in orgId and serialNumbers (#45)

* SC-72 implementation (#73)

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* Finalize 0.10.2 release

* Clean up README language

* Remove superfluous newline

* All transnational country codes in orgId and serialNumbers

* Case-insensitive country codes, har har

* Test case-insensitive country codes

* STNDS-504: Flag unknown country codes in legal person certificates (#46)

* STNDS-504: Flag unknown country codes in legal person certificates

* Argh, case insensitivity

* Merge v0.10.3 from upstream (#47)

* SC-72 implementation (#73)

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* Finalize 0.10.2 release

* Clean up README language

* Remove superfluous newline

* Flag invalid domain name length in GeneralName types (#78)

* SMC-06 implementation (#74)

* SMC-06 implementation

* Update CHANGELOG, add test case for multi-OID string message

* Change to more intuitive collection type

* Add back new validator from botched merge

* STNDS-505: Ignore CABF validity period findings for certs with PSD2 policy OID (#48)

* Reformat and unused import cleanup

* STNDS-507: Do not allow unbounded CN for webauth certificate types (#49)

* STNDS-499: Add ETSI REST API linter group (#50)

* STNDS-499: Add ETSI REST API linter group

* Clean up certificate linter group init logic

* Clean up some nits (#51)

* Clean up some nits

* Add test case, adjust a message

* Add test case, adjust a message (part deux)

* STNDS-445: Add allowance checking for QCStatements (#52)

* STNDS-508: Add validator for eIDAS LegalPerson OrgId (#53)

* Undo STNDS-505 (#55)

* STNDS-509: Add check for TS 119 312 for sig alg (#54)

* STNDS-509: Add check for TS 119 312 for sig alg

* Move comment to better separate Schnorr vs. ECDSA

* Stnds 468 (#58)

* added class for np id validator

* added validation for natural person

* validation made but not working

* put in subjects validator

* eidas validator works

* final validator works

* Update pkilint/etsi/en_319_412_1.py

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_1.py

Co-authored-by: Corey Bonnell <[email protected]>

* stopped parsing if serial number length is too short

* fixed Corey's comments

---------

Co-authored-by: Alex Campbell <campbellalex321@gmail>
Co-authored-by: Corey Bonnell <[email protected]>

* STNDS-505, part trois (#57)

* Various qualified cleanup (#60)

* Ensure finding codes follow syntax

* Add CLI docs

* Change to use PDUNode children attribute

* Tweak .gitignore

* Prep CHANGELOG

* Fix non-webauth cert detection and QcType validator (#64)

* Fix non-webauth cert detection and QcType validator

* Change class name to anticipate linting CABF <-> ETSI OID per EN 319 411 1

* Add validator for CABF OID <-> non-qualified ETSI OID matching

* Don't add subject validators for DVCP

* Init code cleanup

* Massive fix for application of EN 319 412 -2 and -3 reqs for webauth certs

* Perform case-sensitive country code comparison (#65)

* Perform case-sensitive country code comparison

* Fix presence of QcsCompliance statement for non-EIDAS certs

* More fixes (#67)

* Enable pyasn1-fasder if installed, fix format nit

* Add support for additional validators

* Set release candidate version (#68)

* Some more nit cleanups (#69)

* Remove errant whitespace in link

* Remove reporting of duplicate OrgId syntax error finding (#70)

* Remove reporting of duplicate OrgId syntax error finding

* Clean up imports

* Getting ready for the big release

---------

Co-authored-by: Alex Campbell <campbellalex321@gmail>
Co-authored-by: campbellalex321 <[email protected]>
Co-authored-by: Mike <[email protected]>
Co-authored-by: Michael Lettona <[email protected]>
5 people authored Jun 14, 2024
1 parent cfc1b6b commit 8626d59
Showing 187 changed files with 10,202 additions and 881 deletions.
4 changes: 4 additions & 0 deletions .gitignore
Expand Up @@ -130,3 +130,7 @@ dmypy.json

.vscode/
.idea/

# Apple-specific
.DS_Store

7 changes: 7 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,13 @@

All notable changes to this project from version 0.9.3 onwards are documented in this file.

## 0.11.0 - 2024-06-14

### New features/enhancements

- Add support for linting ETSI website authentication certificates (#80)
- Add opt-in support for using [pyasn1-fasder](https://github.com/CBonnell/pyasn1-fasder) to decode DER (#81)

## 0.10.3 - 2024-05-13

### New features/enhancements
74 changes: 74 additions & 0 deletions README.md
Expand Up @@ -143,6 +143,7 @@ The list of command line linters bundled with pkilint:
* [lint_pkix_cert](#lintpkixcert)
* [lint_cabf_smime_cert](#lintcabfsmimecert)
* [lint_cabf_serverauth_cert](#lintcabfserverauthcert)
* [lint_etsi_cert](#lintetsicert)
* [lint_crl](#lintcrl)
* [lint_ocsp_response](#lintocspresponse)
* [lint_pkix_signer_signee_cert_chain](#lintpkixsignersigneecertchain)
Expand Down Expand Up @@ -302,6 +303,77 @@ $ lint_cabf_serverauth_cert lint -d dv_final_clean.pem
$
```
### lint_etsi_cert
For further information on this linter, see [the Wiki page](https://github.com/digicert/pkilint/wiki/lint_etsi_cert).
This tool lints certificates against the profiles specified in ETSI EN 319 412 and TS 119 495. Currently, the tool
has the most comprehensive support for website authentication certificates, but support for electronic signature,
electronic seal, and timestamping certificates is planned.
The `lint` sub-command requires that the user provide the certificate type/profile of the certificate so that the appropriate
validations are performed. There are two options:
1. Explicitly specify the type of certificate using the `-t`/`--type` option.
2. Have the linter detect the type of certificate using the `-d`/`--detect` option. In this case, the linter will determine the certificate type using the values of various extensions and fields included in the certificate. The detection procedure may not always be accurate, so it is recommended to use the `--type` option for the best results.
Several parts of EN 319 412 and TS 119 495 supersede requirements specified in the TLS Baseline Requirements and RFC 5280. For example, the TLS Baseline Requirements requires that certificate validity periods be 398 days or less. However, this requirement need not be followed for PSD2 website authentication certificates that are not trusted
by browsers. By default, such findings are not reported. To report superseded findings, specify the `--report-all` option.
The `-o`/`--output` option is used to specify that the certificate type used by the linter is written to standard error. This is useful when using the `--detect` option to see which certificate type was determined by the heuristics logic.
#### Example command execution
```shell
$ echo '-----BEGIN CERTIFICATE-----
MIIHMTCCBRmgAwIBAgIQVZHNRxiZp9LoR1nlajD1DDANBgkqhkiG9w0BAQsFADCB
oTELMAkGA1UEBhMCR1IxNjA0BgNVBAoTLUhFTExFTklDIEVYQ0hBTkdFUyAtIEFU
SEVOUyBTVE9DSyBFWENIQU5HRSBTQTEvMC0GA1UEAxMmQVRIRVggUXVhbGlmaWVk
IFdFQiBDZXJ0aWZpY2F0ZXMgQ0EtRzMxDzANBgNVBAcTBkF0aGVuczEYMBYGA1UE
YRMPVkFURUwtMDk5NzU1MTA4MB4XDTI0MDQxMTE0MTY1NVoXDTI1MDQxMTE0MTY1
NVowgcMxCzAJBgNVBAYTAkdSMTYwNAYDVQQKEy1IRUxMRU5JQyBFWENIQU5HRVMg
LSBBVEhFTlMgU1RPQ0sgRVhDSEFOR0UgU0ExGDAWBgNVBGETD1ZBVEVMLTA5OTc1
NTEwODEdMBsGA1UEAxMUd2ViZHNzLmF0aGV4Z3JvdXAuZ3IxDzANBgNVBAcTBkF0
aGVuczETMBEGCysGAQQBgjc8AgEDEwJHUjEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdh
bml6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4IRER3+RS
dMkB84htWhzmrcFTqJ47yJtZAgvDxw0aWYWVtyW2SMtygVUZSfp5ewE8OA9tdCa6
oIuap6hKgZpQnkxS9RP0JRyHrJjxOc4sUUtbOHMCV5hq4Lkonh01DAsad9tVqR4n
aUSHsPI8v+93fjigi3vBsf5nGeBRrCTBYs8IKqoCC+Z2WWbwRCB6ct+ODsqbLwRx
T54WY9iTaCNc/71rUlvIo3nkd/H17MCkoBdv4Ec3NG1Jo18FnkATyM12Xzhet+Wv
vx0yjewRrFxak/wGZ4GGX1Dzy4wHfsceQjAtiZk2oWcn3/mk6oVA0ynF2a/4CmT1
OZiWGOTqNnxTAgMBAAGjggI/MIICOzAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwHwYDVR0jBBgwFoAUIpkkVwZsVnWO2+t9eWWcUzWp0ZEwLQYIKwYBBQUH
AQMEITAfMAgGBgQAjkYBATATBgYEAI5GAQYwCQYHBACORgEGAzCBlwYIKwYBBQUH
AQEEgYowgYcwOAYIKwYBBQUHMAGGLGh0dHA6Ly9vY3NwLmF0aGV4Z3JvdXAuZ3Iv
QXRoZXhRdWFsaWZpZWRDQUczMEsGCCsGAQUFBzAChj9odHRwOi8vcmVwby5hdGhl
eGdyb3VwLmdyL0FUSEVYUXVhbGlmaWVkV0VCQ2VydGlmaWNhdGVzQ0FHMy5jcnQw
JQYDVR0gBB4wHDAPBg0rBgEEAYHlWgEDZAEEMAkGBwQAi+xAAQYwTwYDVR0fBEgw
RjBEoEKgQIY+aHR0cDovL2NybC5hdGhleGdyb3VwLmdyL0FUSEVYUXVhbGlmaWVk
V0VCQ2VydGlmaWNhdGVzQ0FHMy5jcmwwHQYDVR0OBBYEFNO1Ri+h7gAw1BnwJi1m
HFV+L6htMA4GA1UdDwEB/wQEAwIHgDB7BgNVHREEdDByghR3ZWJkc3MuYXRoZXhn
cm91cC5ncoIYd2ViZHNzbW9jay5hdGhleGdyb3VwLmdyghp3ZWJkc3MtcnB4cjEu
aW5ldC5oZWxleC5ncoIPZHNzLmF0aGV4bmV0LmdyghNkc3Ntb2NrLmF0aGV4bmV0
LmdyMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAJl4huEpr01gxqGh
FzkCbhZYW48Bv+zGQodfBnhISH5Dj9Apb2pUCJiPIGy6NQ3nHygyy1y2aW+1ExrZ
6ZCmtmw2/isk8q9wKa4PS/ip1+IzOin67XmYAz+t03MRl569wtzH+WPL2hb5Zmsw
AkTP6/N9Jp1I9cryvHO2ZCEYZreWtgvJQaDBQ/qteUKnVNLyuJle9hAYvsWEbgIO
xlWaDzPnWYYjZuXbyowImmjhufFyrJ2ngwwgw1sI0Se5vGOWWj+i/KBqLbwpp11I
yXAJkhNTJVxI5B7BpAqoMGOlqf4w4eCqU/HUKL9ZIOHSClPTzaXS45ppPyb+zzLB
u4vt0PJTAh3wnujcRZ3NxmetsehqunSpyKg0MzL2FDpxD31XHzmlpq5hQGgX1QF3
0Wl3IADw5JzT4ApHW4ucsLr22HJBTnFab/tbviqg2HcVDAksUqZbPqNCenN/BW3J
rhXwewWAfHE4LnDQBlAbq95LuijvHx3MaTt8y7wPSOizYTpry19uHT0aaxXfLivh
YnIjcWwNwowxjVLSVBK0TBvEUVF2DwDNLRfX2aSpt0rq3rxtNcjvJvwHJrDLio8y
fSyJXu4qGbQ3OwuuJXaEPiBANUEckaPKg5pdua4Lwt708kOG54E7pzz3xLEjtODU
+9Ru72tw8lf1RlWwp5ZI+7CByD0W
-----END CERTIFICATE-----' > qncp_w_gen.pem
$ lint_etsi_cert lint -d qncp_w_gen.pem
SubjectKeyIdentifierValidator @ certificate.tbsCertificate.extensions.6.extnValue.subjectKeyIdentifier
pkix.subject_key_identifier_method_1_identified (INFO)
$
```
### lint_crl
This tool lints CRLs against the RFC 5280 as well as against the CA/Browser Forum profile for CRLs. It is anticipated that this
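Review bot: The `--report-all` paragraph documents only the long form of the option, while the CLI added in pkilint/bin/lint_etsi_cert.py also defines the short form `-r`; for consistency with how `-t`/`--type`, `-d`/`--detect` and `-o`/`--output` are introduced in the same section, write it as `-r`/`--report-all`. The example invocation `lint_etsi_cert lint -d qncp_w_gen.pem` would also be more instructive with `-o` added, since the preceding paragraph recommends exactly that for seeing which type the detection heuristics chose.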
Expand Down Expand Up @@ -353,10 +425,12 @@ pkilint is built on several open source packages. In particular, these packages
| cryptography | Apache Software License; BSD License | The Python Cryptographic Authority and individual contributors | https://github.com/pyca/cryptography |
| fastapi | MIT License | Sebastián Ramírez | https://github.com/tiangolo/fastapi |
| iso3166 | MIT License | Mike Spindel | http://github.com/deactivated/python-iso3166 |
| iso4217 | Public Domain | Hong Minhee | https://github.com/dahlia/iso4217 |
| publicsuffixlist | Mozilla Public License 2.0 (MPL 2.0) | ko-zu | https://github.com/ko-zu/psl |
| pyasn1 | BSD License | Christian Heimes and Simon Pichugin | https://github.com/pyasn1/pyasn1 |
| pyasn1-alt-modules | BSD License | Russ Housley | https://github.com/russhousley/pyasn1-alt-modules |
| python-dateutil | Apache Software License; BSD License | Gustavo Niemeyer | https://github.com/dateutil/dateutil |
| python-iso639 | Apache Software License | Jackson L. Lee | https://github.com/jacksonllee/iso639 |
| validators | MIT License | Konsta Vesterinen | https://github.com/kvesteri/validators |
The pkilint maintainers are grateful to the authors of these open source contributions.
2 changes: 1 addition & 1 deletion VERSION.txt
@@ -1 +1 @@
0.10.3
0.11.0
105 changes: 105 additions & 0 deletions pkilint/bin/lint_etsi_cert.py
@@ -0,0 +1,105 @@
#!/usr/bin/env python

import argparse
import sys

from pkilint import etsi
from pkilint import loader, report, util, finding_filter
from pkilint.etsi import etsi_constants
from pkilint.pkix import certificate

_CERTIFICATE_TYPE_OPTIONS = [str(t).replace('_', '-') for t in etsi_constants.CertificateType]


class EtsiCertificateTypeAction(argparse.Action):
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)

def __call__(self, parser, namespace, values, option_string=None):
cert_type = etsi_constants.CertificateType.from_option_str(values)

setattr(namespace, self.dest, cert_type)


def main(cli_args=None) -> int:
parser = argparse.ArgumentParser(
description=f'ETSI v{etsi_constants.EN_319_412_VERSION} Certificate Linter'
)

subparsers = parser.add_subparsers(dest='command', required=True)

validations_parser = subparsers.add_parser('validations',
help='Output the set of validations which this linter performs')
validations_parser.add_argument('-t', '--type', required=True,
type=str.upper,
action=EtsiCertificateTypeAction,
help='The type of certificate',
choices=_CERTIFICATE_TYPE_OPTIONS)

lint_parser = subparsers.add_parser('lint', help='Lint the specified certificate')

detect_options_group = lint_parser.add_mutually_exclusive_group(required=True)
detect_options_group.add_argument('-d', '--detect', action='store_true',
help='Detect the type of certificate from reserved CA/B Forum policy '
'OIDs and qualified certificate statements.')
detect_options_group.add_argument('-t', '--type',
type=str.upper,
action=EtsiCertificateTypeAction,
help='The type of certificate',
choices=_CERTIFICATE_TYPE_OPTIONS)
lint_parser.add_argument('-o', '--output', action='store_true',
help='Output the type of certificate to standard error. This option may be '
'useful when using the --detect option.')
lint_parser.add_argument('-r', '--report-all', action='store_true', help='Report all findings without filtering '
'any findings that are superseded by other requirements')

util.add_standard_args(lint_parser)
lint_parser.add_argument('file', type=argparse.FileType('rb'),
help='The certificate to lint'
)

args = parser.parse_args(cli_args)

if args.command == 'validations':
doc_validator = certificate.create_pkix_certificate_validator_container(
etsi.create_decoding_validators(args.type),
etsi.create_validators(args.type)
)

print(report.report_included_validations(doc_validator))

return 0
else:
try:
cert = loader.load_certificate(args.file, args.file.name)
except ValueError as e:
print(f'Failed to load certificate: {e}', file=sys.stderr)
return 1

if args.type:
certificate_type = args.type
else:
certificate_type = etsi.determine_certificate_type(cert)

if args.output:
print(certificate_type.to_option_str, file=sys.stderr)

doc_validator = certificate.create_pkix_certificate_validator_container(
etsi.create_decoding_validators(certificate_type),
etsi.create_validators(certificate_type)
)

results = doc_validator.validate(cert.root)

if not args.report_all:
results, _ = finding_filter.filter_results(
etsi.create_etsi_finding_filters(certificate_type), results
)

print(args.format(results, args.severity))

return util.clamp_exit_code(report.get_findings_count(results, args.severity))


if __name__ == "__main__":
sys.exit(main())
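Review bot: In the `if args.output:` branch, `certificate_type.to_option_str` is referenced without parentheses, whereas the inverse `from_option_str` is invoked as a call in `EtsiCertificateTypeAction.__call__`; unless `to_option_str` is declared as a property, `print(certificate_type.to_option_str, file=sys.stderr)` writes a bound-method repr to stderr instead of the certificate type name, so either add the call or confirm the attribute is a property. Minor: the `EtsiCertificateTypeAction.__init__` override only forwards to `super().__init__` and can be removed.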
9 changes: 5 additions & 4 deletions pkilint/cabf/cabf_ca.py
Expand Up @@ -2,6 +2,7 @@

from pkilint import validation
from pkilint.itu import bitstring
from pkilint.pkix.certificate.certificate_extension import KeyUsageBitName


# BR 7.1.2.10.7
Expand All @@ -23,7 +24,7 @@ class CaKeyUsageValidator(validation.Validator):

_PROHIBITED_KUS = {
str(n) for n in rfc5280.KeyUsage.namedValues
} - {'digitalSignature', 'keyCertSign', 'cRLSign'}
} - {KeyUsageBitName.DIGITAL_SIGNATURE, KeyUsageBitName.KEY_CERT_SIGN, KeyUsageBitName.CRL_SIGN}

def __init__(self):
super().__init__(
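Review bot: The set difference `{str(n) for n in rfc5280.KeyUsage.namedValues} - {KeyUsageBitName.DIGITAL_SIGNATURE, KeyUsageBitName.KEY_CERT_SIGN, KeyUsageBitName.CRL_SIGN}` only removes the three bits if the `KeyUsageBitName` members hash and compare equal to the plain strings `'digitalSignature'`, `'keyCertSign'` and `'cRLSign'`. If `KeyUsageBitName` is a plain `enum.Enum` rather than a `str` subclass or plain string constants, nothing is subtracted and the three required bits end up in `_PROHIBITED_KUS`, which would make every CA certificate fail the prohibited-KU check. Suggest a unit test asserting `'keyCertSign' not in CaKeyUsageValidator._PROHIBITED_KUS`, or building the subtracted set from `str(...)` of the members.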
Expand All @@ -36,12 +37,12 @@ def __init__(self):
)

def validate(self, node):
if not bitstring.has_named_bit(node, 'keyCertSign'):
if not bitstring.has_named_bit(node, KeyUsageBitName.KEY_CERT_SIGN):
raise validation.ValidationFindingEncountered(
self.VALIDATION_CA_CERT_REQUIRED_BIT_MISSING,
'keyCertSign not asserted'
)
if not bitstring.has_named_bit(node, 'cRLSign'):
if not bitstring.has_named_bit(node, KeyUsageBitName.CRL_SIGN):
raise validation.ValidationFindingEncountered(
self.VALIDATION_CA_CERT_REQUIRED_BIT_MISSING,
'cRLSign not asserted'
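Review bot: The checks now use `KeyUsageBitName.KEY_CERT_SIGN` and `KeyUsageBitName.CRL_SIGN`, but the finding messages immediately below them still hard-code `'keyCertSign not asserted'` and `'cRLSign not asserted'`; consider deriving the message from the same constant, e.g. `f'{KeyUsageBitName.KEY_CERT_SIGN} not asserted'`, so the message and the check cannot drift apart.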
Expand All @@ -55,7 +56,7 @@ def validate(self, node):
f'Prohibited KUs present: {prohibited_kus_str}'
)

if not bitstring.has_named_bit(node, 'digitalSignature'):
if not bitstring.has_named_bit(node, KeyUsageBitName.DIGITAL_SIGNATURE):
raise validation.ValidationFindingEncountered(self.VALIDATION_CA_CERT_NO_DIG_SIG)


22 changes: 0 additions & 22 deletions pkilint/cabf/cabf_constants.py

This file was deleted.

