amazon-archives / certlint

X.509 certificate linter
Apache License 2.0
157 stars 42 forks

Missing NULL parameters for AlgorithmIdentifiers in signatures that require NULL are not reported #70

Closed briansmith closed 5 years ago

briansmith commented 5 years ago

If I read the source code correctly, the parser for signature AlgorithmIdentifiers (and probably other uses of AlgorithmIdentifier) doesn't distinguish between valid and invalid encodings of the AlgorithmIdentifier. For example, RFC 4055 says "When any of these four object identifiers appears within an AlgorithmIdentifier, the parameters MUST be NULL."

https://github.com/briansmith/webpki/tree/master/src/data attempts to document the one and only valid allowed encoding for the AlgorithmIdentifiers that appear in X.509 certificates.

It would be good for certlint to report when a different encoding is used.

(RE: https://github.com/briansmith/webpki/issues/97#issuecomment-485563703)
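An added example, not certlint's or webpki's code: a minimal DER reader that pulls the OID out of an AlgorithmIdentifier and checks its parameters field against the encoding the RFCs mandate for that OID. It covers the RFC 4055 case the issue quotes (sha224/256/384/512WithRSAEncryption MUST carry an explicit NULL) and, as a generalization, the RFC 5758 ECDSA-with-SHA2 OIDs, whose parameters MUST be absent. The rule table, the helper names (`read_tlv`, `decode_oid`, `check_algorithm_identifier`) and the sample encodings are all constructed here, not taken from either project.

```ruby
# Added example (not certlint's code). Checks the parameters of a DER
# AlgorithmIdentifier against the encoding required for its OID.

# Expected parameters per signature-algorithm OID (table constructed here):
#   :null   -> parameters MUST be an explicit NULL (05 00), RFC 4055 section 5
#   :absent -> parameters MUST be omitted, RFC 5758 section 3.2
PARAM_RULES = {
  "1.2.840.113549.1.1.11" => :null,   # sha256WithRSAEncryption
  "1.2.840.113549.1.1.12" => :null,   # sha384WithRSAEncryption
  "1.2.840.113549.1.1.13" => :null,   # sha512WithRSAEncryption
  "1.2.840.113549.1.1.14" => :null,   # sha224WithRSAEncryption
  "1.2.840.10045.4.3.2"   => :absent, # ecdsa-with-SHA256
  "1.2.840.10045.4.3.3"   => :absent, # ecdsa-with-SHA384
  "1.2.840.10045.4.3.4"   => :absent, # ecdsa-with-SHA512
}.freeze

# Read one DER TLV at `offset` in `bytes` (an Array of Integers).
# Returns [tag, value_bytes, total_bytes_consumed]. Handles short-form and
# long-form lengths of up to four length octets, enough for any certificate.
def read_tlv(bytes, offset)
  tag = bytes[offset]
  len = bytes[offset + 1]
  raise "truncated TLV header" if tag.nil? || len.nil?
  header = 2
  if (len & 0x80) != 0
    n = len & 0x7f
    raise "unsupported length-of-length #{n}" if n == 0 || n > 4
    len_bytes = bytes[offset + 2, n]
    raise "truncated length" if len_bytes.nil? || len_bytes.length != n
    len = len_bytes.inject(0) { |acc, b| (acc << 8) | b }
    header += n
  end
  value = bytes[offset + header, len]
  raise "truncated value" if value.nil? || value.length != len
  [tag, value, header + len]
end

# Decode the content octets of an OBJECT IDENTIFIER into dotted form.
def decode_oid(content)
  raise "empty OID" if content.empty?
  arcs = [content[0] / 40, content[0] % 40]
  acc = 0
  pending = false
  content[1..-1].each do |b|
    acc = (acc << 7) | (b & 0x7f)
    pending = (b & 0x80) != 0   # continuation bit: more base-128 digits follow
    next if pending
    arcs << acc
    acc = 0
  end
  raise "unterminated OID arc" if pending
  arcs.join(".")
end

# Classify the parameters of a DER-encoded AlgorithmIdentifier.
# Returns [oid, verdict], where verdict is one of
#   :ok, :missing_null, :bad_params, :unexpected_params, :unknown_oid.
# Raises on structurally malformed DER.
def check_algorithm_identifier(der)
  bytes = der.bytes
  tag, body, used = read_tlv(bytes, 0)
  raise "AlgorithmIdentifier is not a SEQUENCE" unless tag == 0x30
  raise "trailing bytes after AlgorithmIdentifier" unless used == bytes.length
  oid_tag, oid_content, oid_used = read_tlv(body, 0)
  raise "first element is not an OBJECT IDENTIFIER" unless oid_tag == 0x06
  oid = decode_oid(oid_content)
  params = body[oid_used..-1]   # everything after the OID inside the SEQUENCE
  verdict =
    case PARAM_RULES[oid]
    when :null
      if params == [0x05, 0x00]
        :ok
      elsif params.empty?
        :missing_null        # the encoding this issue asks certlint to flag
      else
        :bad_params
      end
    when :absent
      params.empty? ? :ok : :unexpected_params
    else
      :unknown_oid
    end
  [oid, verdict]
end

# Constructed sample encodings (hex -> raw bytes), not taken from any real certificate.
SAMPLES = {
  rsa_sha256_null:   ["300d06092a864886f70d01010b0500"].pack("H*"), # correct per RFC 4055
  rsa_sha256_absent: ["300b06092a864886f70d01010b"].pack("H*"),     # NULL omitted: must be reported
  ecdsa_sha256:      ["300a06082a8648ce3d040302"].pack("H*"),       # correct per RFC 5758
  ecdsa_sha256_null: ["300c06082a8648ce3d0403020500"].pack("H*"),   # NULL present where it must be absent
}.freeze

if __FILE__ == $0
  SAMPLES.each { |name, der| puts "#{name}: #{check_algorithm_identifier(der).inspect}" }
end
```

The check compares the raw bytes after the OID rather than decoding them, so a NULL with a non-zero length or any other stray content lands in `:bad_params` instead of being silently accepted; that is the distinction between "valid" and "merely parseable" that the issue is about. Only the OIDs in `PARAM_RULES` are judged; anything else returns `:unknown_oid` so the caller can decide whether that should itself be a finding.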

pzb commented 5 years ago

https://github.com/awslabs/certlint/blob/master/lib/certlint/certlint.rb#L324 tries to handle this (and related issues)

briansmith commented 5 years ago

Sorry. I looked in cablint by habit but I didn't realize certlint had most of the checks. I agree that it looks to be doing these checks!