Package de.mtg.jzlint.lints.rfc
Classes

- RFC 5280: 4.2.1.9 Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates.
- RFC 5280: 4.1.2.6 The subject field identifies the entity associated with the public key stored in the subject public key field.
- These fields MUST only appear if the version is 2 or 3 (Section 4.1.2.1).
- 4.1.2.1.
- RFC 5280: 4.1.1.2 [the Certificate signatureAlgorithm] field MUST contain the same algorithm identifier as the signature field in the sequence tbsCertificate.
- RFC 5280: 4.1.2.8 These fields MUST only appear if the version is 2 or 3 (Section 4.1.2.1).
- RFC 5280: 5.1.2.5 Conforming CRL issuers MUST include the nextUpdate field in all CRLs.
- The cRLDistributionPoints extension is a SEQUENCE of DistributionPoint.
- RFC 5280: 4.2.1.13 When present, DistributionPointName SHOULD include at least one LDAP or HTTP URI.
- RFC 8813: 3.
- RFC 5280: 4.2.1.12 If a CA includes extended key usages to satisfy such applications, but does not wish to restrict usages of the key, the CA can include the special KeyPurposeId anyExtendedKeyUsage in addition to the particular key purposes required by the applications.
- RFC 5280: 4.2.2.1 An authorityInfoAccess extension may include multiple instances of the id-ad-caIssuers accessMethod.
- Authority Information Access: The authority information access extension indicates how to access information and services for the issuer of the certificate in which the extension appears.
- RFC 5280: 4.2.1.1 Conforming CAs MUST mark this extension as non-critical.
- RFC 5280: 4.2.1.1 The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction.
- The user notice has two optional fields: the noticeRef field and the explicitText field.
- RFC 5280: 4.2.1.4 To promote interoperability, this profile RECOMMENDS that policy information terms consist of only an OID.
- The certificate policies extension contains a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers.
- An explicitText field includes the textual statement directly in the certificate.
- An explicitText field includes the textual statement directly in the certificate.
- When the UTF8String encoding is used, all character sequences SHOULD be normalized according to Unicode normalization form C (NFC) [NFC].
- https://tools.ietf.org/html/rfc6818#section-3 An explicitText field includes the textual statement directly in the certificate.
- An explicitText field includes the textual statement directly in the certificate.
- The CRL distribution points extension identifies how CRL information is obtained.
- "A certificate MUST NOT include more than one instance of a particular extension."
- The freshest CRL extension identifies how delta CRL information is obtained.
- Issuer Alternative Name: As with Section 4.2.1.6, this extension is used to associate Internet style identities with the certificate issuer.
- RFC 5280: 4.2.1.7 When the subjectAltName extension contains a domain name system label, the domain name MUST be stored in the DNSName (an IA5String).
- RFC 5280: 4.2.1.7 If the subjectAltName extension is present, the sequence MUST contain at least one entry.
- RFC 5280: 4.2.1.7 If the issuerAltName extension is present, the sequence MUST contain at least one entry.
- RFC 5280: 4.2.1.6 When the issuerAltName extension contains an Internet mail address, the address MUST be stored in the rfc822Name.
- RFC 5280: 4.2.1.7 When the issuerAltName extension contains a domain name system label, the domain name MUST be stored in the dNSName (an IA5String).
- The name MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
- When the issuerAltName extension contains a URI, the name MUST be stored in the uniformResourceIdentifier (an IA5String).
- When the issuerAltName extension contains a URI, the name MUST be stored in the uniformResourceIdentifier (an IA5String).
- RFC 5280: 4.2.1.9 The cA boolean indicates whether the certified public key may be used to verify certificate signatures.
- This profile does not restrict the combinations of bits that may be set in an instantiation of the keyUsage extension.
- Restrictions are defined in terms of permitted or excluded name subtrees.
- RFC 5280: 4.2.1.10 The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located.
- RFC 5280: 4.2.1.11 Conforming CAs MUST NOT issue certificates where policy constraints is an empty sequence.
- RFC 5280: 4.2.1.11 Conforming CAs MUST mark this extension as critical.
- RFC 5280: 4.2.1.5 Each issuerDomainPolicy named in the policy mappings extension SHOULD also be asserted in a certificate policies extension in the same certificate.
- RFC 5280: 4.2.1.5.
- RFC 5280: 4.2.1.5 Each issuerDomainPolicy named in the policy mapping extension SHOULD also be asserted in a certificate policies extension in the same certificate.
- RFC 5280: 4.2.1.6 When the subjectAltName extension contains a domain name system label, the domain name MUST be stored in the dNSName (an IA5String).
- RFC 5280: 4.2.1.6 If the subjectAltName extension is present, the sequence MUST contain at least one entry.
- RFC 5280: 4.2.1.6 If the subjectAltName extension is present, the sequence MUST contain at least one entry.
- RFC 5280: 4.2.1.6 Further, if the only subject identity included in the certificate is an alternative name form (e.g., an electronic mail address), then the subject distinguished name MUST be empty (an empty sequence), and the subjectAltName extension MUST be present.
- RFC 5280: 4.2.1.6 When the subjectAltName extension contains an Internet mail address, the address MUST be stored in the rfc822Name.
- RFC 5280: 4.2.1.6 When the subjectAltName extension contains a domain name system label, the domain name MUST be stored in the dNSName (an IA5String).
- The name MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
- When the subjectAltName extension contains a URI, the name MUST be stored in the uniformResourceIdentifier (an IA5String).
- When the subjectAltName extension contains a URI, the name MUST be stored in the uniformResourceIdentifier (an IA5String).
- RFC 5280: 4.2.1.8 The subject directory attributes extension is used to convey identification attributes (e.g., nationality) of the subject.
- RFC 5280: 4.2.1.2 Conforming CAs MUST mark this extension as non-critical.
- To facilitate certification path construction, this extension MUST appear in all conforming CA certificates, that is, all certificates including the basic constraints extension (Section 4.2.1.9) where the value of cA is TRUE.
- To facilitate certification path construction, this extension MUST appear in all conforming CA certificates, that is, all certificates including the basic constraints extension (Section 4.2.1.9) where the value of cA is TRUE.
- 4.1.2.5.2.
- 4.1.2.5.2.
- 4.2.1.14.
- RFC 5280: 4.1.2.4 The issuer field identifies the entity that has signed and issued the certificate.
- Restrictions are defined in terms of permitted or excluded name subtrees.
- RFC 5280: 4.2.1.10 Within this profile, the minimum and maximum fields are not used with any name forms; thus, the minimum MUST be zero, and maximum MUST be absent.
- RFC 5280: 4.2.1.10 Within this profile, the minimum and maximum fields are not used with any name forms; thus, the minimum MUST be zero, and maximum MUST be absent.
- RFC 5280: 4.2.1.10 Restrictions are defined in terms of permitted or excluded name subtrees.
- RFC 5280: 4.2.1.10 Restrictions are defined in terms of permitted or excluded name subtrees.
- RFC 5280: 4.2.1.10 Restrictions are defined in terms of permitted or excluded name subtrees.
- RFC 5280: 4.2.1.9 CAs MUST NOT include the pathLenConstraint field unless the cA boolean is asserted and the key usage extension asserts the keyCertSign bit.
- The pathLenConstraint field is meaningful only if the cA boolean is asserted and the key usage extension, if present, asserts the keyCertSign bit (Section 4.2.1.3).
- RFC 3279: 2.3.1 RSA Keys: If the keyUsage extension is present in a CA or CRL issuer certificate which conveys an RSA public key, any combination of the following values MAY be present: digitalSignature; nonRepudiation; keyEncipherment; dataEncipherment; keyCertSign; and cRLSign.
- RFC 3279: 2.3.1 RSA Keys: If the keyUsage extension is present in an end entity certificate which conveys an RSA public key, any combination of the following values MAY be present: digitalSignature; nonRepudiation; keyEncipherment; and dataEncipherment.
- RFC 3279: 2.3.1 RSA Keys: If the keyUsage extension is present in a CA or CRL issuer certificate which conveys an RSA public key, any combination of the following values MAY be present: digitalSignature; nonRepudiation; keyEncipherment; dataEncipherment; keyCertSign; and cRLSign.
- RFC 5280: 4.1.2.2.
- 4.1.2.2.
- "RFC5280: RFC 4055, Section 1.2" RSA: Encoded algorithm identifier MUST have NULL parameters.
- RFC 5280: A.1 This appendix lists upper bounds for fields in an X.509 certificate. * ub-common-name INTEGER ::= 64
- RFC 5280: A.1 This appendix lists upper bounds for fields in an X.509 certificate. * ub-emailaddress-length INTEGER ::= 128. The ASN.1 modules in Appendix A are unchanged from RFC 3280, except that ub-emailaddress-length was changed from 128 to 255 in order to align with PKCS #9 [RFC2985].
- RFC 5280: 4.2 & 4.2.1.6 Further, if the only subject identity included in the certificate is an alternative name form (e.g., an electronic mail address), then the subject distinguished name MUST be empty (an empty sequence), and the subjectAltName extension MUST be present.
- RFC 5280: A.1 -- Naming attributes of type X520name: id-at-givenName AttributeType ::= { id-at 42 } -- Naming attributes of type X520Name: -- X520name ::= DirectoryString (SIZE (1..ub-name)) -- -- Expanded to avoid parameterized type: X520name ::= CHOICE { teletexString TeletexString (SIZE (1..ub-name)), printableString PrintableString (SIZE (1..ub-name)), universalString UniversalString (SIZE (1..ub-name)), utf8String UTF8String (SIZE (1..ub-name)), bmpString BMPString (SIZE (1..ub-name)) } -- specifications of Upper Bounds MUST be regarded as mandatory -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter -- Upper Bounds -- Upper Bounds ub-name INTEGER ::= 32768
- RFC 5280: A.1 -- specifications of Upper Bounds MUST be regarded as mandatory -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter -- Upper Bounds
- The subject information access extension indicates how to access information and services for the subject of the certificate in which the extension appears.
- RFC 5280: A.1 This appendix lists upper bounds for fields in an X.509 certificate. * ub-locality-name INTEGER ::= 128
- RFC 5280: 4.1.2.6 Where it is non-empty, the subject field MUST contain an X.500 distinguished name (DN).
- RFC 5280: A.1 This appendix lists upper bounds for fields in an X.509 certificate. * ub-organizational-unit-name INTEGER ::= 64
- RFC 5280: A.1 This appendix lists upper bounds for fields in an X.509 certificate. * ub-organization-name INTEGER ::= 64
- RFC 5280: A.1 This appendix lists upper bounds for fields in an X.509 certificate. * ub-postal-code-length INTEGER ::= 16
- RFC 5280: A.1 This appendix lists upper bounds for fields in an X.509 certificate. * ub-state-name INTEGER ::= 128
- ITU-T X.520 (02/2001) UpperBounds: ub-street-address INTEGER ::= 128
- RFC 5280: A.1 -- Naming attributes of type X520name: id-at-surname AttributeType ::= { id-at 4 } -- Naming attributes of type X520Name: -- X520name ::= DirectoryString (SIZE (1..ub-name)) -- -- Expanded to avoid parameterized type: X520name ::= CHOICE { teletexString TeletexString (SIZE (1..ub-name)), printableString PrintableString (SIZE (1..ub-name)), universalString UniversalString (SIZE (1..ub-name)), utf8String UTF8String (SIZE (1..ub-name)), bmpString BMPString (SIZE (1..ub-name)) } -- specifications of Upper Bounds MUST be regarded as mandatory -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter -- Upper Bounds -- Upper Bounds ub-name INTEGER ::= 32768
- RFC 5280: A.1 -- specifications of Upper Bounds MUST be regarded as mandatory -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter -- Upper Bounds
- CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime.