Package de.mtg.jzlint.lints.cabf_br
Classes

Class descriptions (one per lint class, in the order listed):

This lint refers to CAB Baseline Requirements (Version 1.7.4) chapter 7.1.3.1, which defines the required encodings of AlgorithmObjectIdentifiers inside a SubjectPublicKeyInfo field.
BRs: 7.1.6.4 Certificate Policy Identifier: 2.23.140.1.2.1 If the Certificate complies with these requirements and lacks Subject identity information that has been verified in accordance with Section 3.2.2.1 or Section 3.2.3.
BRs: 7.1.6.4 Certificate Policy Identifier: 2.23.140.1.2.1 If the Certificate complies with these requirements and lacks Subject identity information that has been verified in accordance with Section 3.2.2.1 or Section 3.2.3.
BRs: 7.1.6.4 Certificate Policy Identifier: 2.23.140.1.2.1 If the Certificate complies with these requirements and lacks Subject identity information that has been verified in accordance with Section 3.2.2.1 or Section 3.2.3.
BRs: 7.1.6.4 Certificate Policy Identifier: 2.23.140.1.2.1 If the Certificate complies with these requirements and lacks Subject identity information that has been verified in accordance with Section 3.2.2.1 or Section 3.2.3.
7.1.2.7.2 Domain Validated: The following table details the acceptable AttributeTypes that may appear within the type field of an AttributeTypeAndValue, as well as the contents permitted within the value field.
BRs: 7.1.6.4 Certificate Policy Identifier: 2.23.140.1.2.3 If the Certificate complies with these Requirements and includes Subject Identity Information that is verified in accordance with Section 3.2.3.
BRs: 7.1.6.4 Certificate Policy Identifier: 2.23.140.1.2.2 If the Certificate complies with these Requirements and includes Subject Identity Information that is verified in accordance with Section 3.2.2.1.
BRs: 7.1.2.1e The Certificate Subject MUST contain the following: countryName (OID 2.5.4.6).
BRs: 7.1.2.1e The Certificate Subject MUST contain the following: countryName (OID 2.5.4.6).
BRs: 7.1.2.1b This extension MUST be present and MUST be marked critical.
BRs: 7.1.2.1b Root CA Certificate keyUsage: This extension MUST be present and MUST be marked critical.
BRs: 7.1.2.1b This extension MUST be present and MUST be marked critical.
RFC 5280: 4.2.1.3 Conforming CAs MUST include this extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs.
BRs: 7.1.2.1b This extension MUST be present and MUST be marked critical.
BRs: 7.1.2.1e The Certificate Subject MUST contain the following: organizationName (OID 2.5.4.10): This field MUST be present and the contents MUST contain either the Subject CA's name or DBA as verified under Section 3.2.2.2.
BRs: 7.1.6.4 Certificate Policy Identifier: 2.23.140.1.2.3 If the Certificate complies with these Requirements and includes Subject Identity Information that is verified in accordance with Section 3.2.3.
BRs: 7.1.6.4 Certificate Policy Identifier: 2.23.140.1.2.3 If the Certificate complies with these Requirements and includes Subject Identity Information that is verified in accordance with Section 3.2.3.
BRs: 7.1.6.4 Certificate Policy Identifier: 2.23.140.1.2.2 If the Certificate complies with these Requirements and includes Subject Identity Information that is verified in accordance with Section 3.2.2.1.
BRs: 7.1.6.4 Certificate Policy Identifier: 2.23.140.1.2.2 If the Certificate complies with these Requirements and includes Subject Identity Information that is verified in accordance with Section 3.2.2.1.
BRs: 6.1.5 Certificates MUST meet the following requirements for algorithm type and key size.
Further, if the only subject identity included in the certificate is an alternative name form (e.g., an electronic mail address), then the subject distinguished name MUST be empty (an empty sequence), and the subjectAltName extension MUST be present.
7.1.4.2.1.
7.1.4.2.1.
BRs: 7.1.4.2.1 Subject Alternative Name Extension. Certificate Field: extensions:subjectAltName. Required/Optional: Required.
7.1.4.2.1.
7.1.4.2.1.
7.1.4.2.1.
7.1.4.2.1.
RFC 5280 suggested the addition of the SKI extension, but CABF BR SC62 marked the extension as NOT RECOMMENDED for subscriber certificates. Warning: Users of zlint will trigger either `w_ext_subject_key_identifier_not_recommended_subscriber` (this lint) or `w_ext_subject_key_identifier_missing_sub_cert`, the one enforcing RFC 5280's behavior.
Certificates MUST be of type X.509 v3.
7.1.2.1.
BRs: 7.1.2.1c certificatePolicies: This extension SHOULD NOT be present.
BRs: 7.1.2.1d extendedKeyUsage: This extension MUST NOT be present.
6.1.6.
"BRs: 6.1.6" RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more.
"BRs: 6.1.6" RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more.
"BRs: 6.1.6" RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more.
"BRs: 6.1.6" RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more.
BRs: 7.1.2.2c This extension SHOULD be present.
CAB 7.1.2.2c With the exception of stapling, which is noted below, this extension MUST be present.
CAB BR 1.7.1 Section 7.1.2.2c authorityInformationAccess: This extension SHOULD be present.
BRs: 7.1.2.2a certificatePolicies: This extension MUST be present and SHOULD NOT be marked critical.
BRs: 7.1.2.2a certificatePolicies: This extension MUST be present and SHOULD NOT be marked critical.
BRs: 7.1.2.2b cRLDistributionPoints: This extension MUST be present and MUST NOT be marked critical.
BRs: 7.1.2.2b cRLDistributionPoints: This extension MUST be present and MUST NOT be marked critical.
BRs: 7.1.2.2b cRLDistributionPoints: This extension MUST be present and MUST NOT be marked critical.
BRs: 7.1.2.2g extKeyUsage (optional): For Subordinate CA Certificates to be Technically Constrained in line with section 7.1.5, either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present.
CA/Browser Forum Baseline Requirements, Section 7.1.2.2: f. nameConstraints (optional): If present, this extension SHOULD be marked critical*.
BRs: 7.1.2.10.3 CA Certificate Authority Information Access: This extension MAY be present.
BRs: 7.1.2.3 cRLDistributionPoints: This extension MAY be present.
BRs: 7.1.2.3 authorityInformationAccess: This extension MUST be present.
BRs: 7.1.2.3 authorityInformationAccess: With the exception of stapling, which is noted below, this extension MUST be present.
CA/Browser Forum BRs: 7.1.2.7.6 Subscriber Certificate Extensions | __Extension__ | __Presence__ | __Critical__ | __Description__ | | ---- | - | - | ----- | | `basicConstraints` | MAY | Y | See [Section 7.1.2.7.8](#71278-subscriber-certificate-basic-constraints) |
BRs: 7.1.2.3 certificatePolicies: This extension MUST be present and SHOULD NOT be marked critical.
BRs: 7.1.2.3 certificatePolicies: This extension MUST be present and SHOULD NOT be marked critical.
BRs: 7.1.2.3 cRLDistributionPoints: This extension MAY be present.
BRs: 7.1.2.3 cRLDistributionPoints: This extension MAY be present.
BRs: 7.1.2.3 extKeyUsage (required): Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present.
BRs: 7.1.2.3 extKeyUsage (required): Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present.
BRs: 7.1.2.3 extKeyUsage (required): Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present.
BRs: 7.1.2.3 keyUsage (optional): If present, bit positions for keyCertSign and cRLSign MUST NOT be set.
BRs: 7.1.2.3 keyUsage (optional): If present, bit positions for keyCertSign and cRLSign MUST NOT be set.
BRs: 7.1.3 SHA-1 MAY be used with RSA keys in accordance with the criteria defined in Section 7.1.3.
Effective 16 January 2015, CAs SHOULD NOT issue Subscriber Certificates utilizing the SHA-1 algorithm with an Expiry Date greater than 1 January 2017 because Application Software Providers are in the process of deprecating and/or removing the SHA-1 algorithm from their software, and they have communicated that CAs and Subscribers using such certificates do so at their own risk.
BRs: 7.1.4.2.2 Required/Optional: Deprecated (Discouraged, but not prohibited).
BRs: 7.1.2.7.1 Required/Optional: NOT RECOMMENDED. If present, this field MUST contain exactly one entry that is one of the values contained in the Certificate's `subjectAltName` extension. If the [subject:commonName] is a Fully-Qualified Domain Name or Wildcard Domain Name, then the value MUST be encoded as a character-for-character copy of the dNSName entry value from the subjectAltName extension.
BRs: 7.1.4.2.2 If present, this field MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificate's subjectAltName extension (see Section 7.1.4.2.1).
BRs: 7.1.4.2.2 Other Subject Attributes: With the exception of the subject:organizationalUnitName (OU) attribute, optional attributes, when present within the subject field, MUST contain information that has been verified by the CA.
BRs: 7.1.4.2.2 Certificate Field: subject:organizationalUnitName (OID: 2.5.4.11). Required/Optional: Deprecated.
BRs: 7.1.4.2.2 Certificate Field: issuer:countryName (OID 2.5.4.6). Required/Optional: Required. Contents: This field MUST contain the two-letter ISO 3166-1 country code for the country in which the issuer's place of business is located.