digicert / pkilint

A framework for verifying PKI structures
MIT License

Add Support for File Encoding Check on CRL Lints #110

Closed AaronP-ATS closed 1 month ago

AaronP-ATS commented 1 month ago

Section 4.2.1.13 (CRL Distribution Points) of RFC 5280 requires CRLs to be DER-encoded files:

If the DistributionPointName contains a general name of type URI, the following semantics MUST be assumed: the URI is a pointer to the current CRL for the associated reasons and will be issued by the associated cRLIssuer. When the HTTP or FTP URI scheme is used, the URI MUST point to a single DER encoded CRL as specified in [RFC2585].

It would be helpful if the CRL linting option within pkilint could check the encoding of the CRL file being linted and return a message that a non-DER-encoded file is not compliant with the BRs and RFC 5280.

CBonnell commented 1 month ago

Since the linter doesn't know whether the specified CRL file is referenced by a CRLDP URI, any findings that it reports in regard to expected format will raise false positives.

As an alternative solution, I think adding an "--input-format" flag to all the CLI tools that explicitly specifies the input format will help flag such format errors. In the general case, the automatic format detection logic (which is what is used now) will allow any of the three formats (DER, PEM, and Base64), but the "--input-format" flag will allow the user to force "der", "pem", or "base64". If the input file is not in the specified format, then a fatal error will be raised.

This would allow this check: curl http://myca.example/crl.pem | lint_crl lint -p br -t crl --input-format der -

Assuming "crl.pem" is PEM-encoded, the tool will flag that the CRL at the specified URL is incorrectly formatted.

Would this solution satisfy your use case?
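The detection-plus-enforcement logic the comment above describes, as an added stand-alone example (this is not pkilint's own code, and it does not reproduce how pkilint or PR #115 actually detect formats or name the flag). It assumes the function names detect_format, to_der and check_input_format; the sample "CRL" is a constructed minimal DER SEQUENCE, not a real CRL, used only to exercise the three encodings. The point it adds beyond the prose: "DER" is recognised by a single well-formed outer TLV that spans the whole input, so trailing bytes, indefinite lengths and non-minimal length octets are rejected rather than silently accepted, and raw Base64 must decode to such an object.

```python
from __future__ import annotations

import base64
import binascii
import re
from typing import Optional

# Constructed sample input (not a real CRL): a minimal DER SEQUENCE of two INTEGERs,
# 30 06 02 01 01 02 01 02, which is enough to exercise the three encodings.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = (
    b"-----BEGIN X509 CRL-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END X509 CRL-----\n"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)

_PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.DOTALL
)


def _outer_der_length(data: bytes) -> Optional[int]:
    """Total length of the outer SEQUENCE TLV at data[0], or None if the header is not DER.

    Only the outer header is parsed; a CRL is a SEQUENCE, and a single DER object
    must span the whole input (no trailing bytes), which the caller checks.
    """
    if len(data) < 2 or data[0] != 0x30:  # 0x30 = SEQUENCE (constructed)
        return None
    first = data[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: n following octets hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None  # indefinite length (BER only) or implausible length octets
    length = int.from_bytes(data[2:2 + n], "big")
    if length < 0x80 or data[2] == 0:
        return None  # DER requires the minimal length encoding
    return 2 + n + length


def _is_single_der_object(data: bytes) -> bool:
    return _outer_der_length(data) == len(data)


def detect_format(data: bytes) -> Optional[str]:
    """Classify bytes as 'pem', 'der' or 'base64'; None if none applies.

    PEM is tested first so a PEM body is not mistaken for raw Base64; DER is
    recognised by a well-formed outer TLV covering the whole input, not by the
    first byte alone; raw Base64 must decode to such a DER object.
    """
    if _PEM_RE.search(data):
        return "pem"
    if _is_single_der_object(data):
        return "der"
    try:
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return "base64" if _is_single_der_object(decoded) else None


def to_der(data: bytes) -> bytes:
    """Normalize any accepted encoding to DER bytes (ValueError otherwise)."""
    fmt = detect_format(data)
    if fmt == "der":
        return data
    if fmt == "pem":
        return base64.b64decode(_PEM_RE.search(data).group(1))
    if fmt == "base64":
        return base64.b64decode(b"".join(data.split()))
    raise ValueError("input is not DER, PEM or Base64")


def check_input_format(data: bytes, input_format: Optional[str] = None) -> Optional[str]:
    """Model of an --input-format flag: autodetect when None, else require that format.

    Returns an error message, or None when the input is acceptable; a CLI would
    treat a message as a fatal error raised before any linting runs.
    """
    if input_format not in (None, "der", "pem", "base64"):
        return f"unknown input format {input_format!r}"
    actual = detect_format(data)
    if actual is None:
        return "input is not DER, PEM or Base64"
    if input_format is not None and actual != input_format:
        return f"expected {input_format} input but found {actual}"
    return None


if __name__ == "__main__":
    # A CRL fetched from an HTTP CRLDP URI must be a single DER-encoded CRL
    # (RFC 5280 4.2.1.13), i.e. it must pass check_input_format(body, "der").
    for name, blob in (("der", SAMPLE_DER), ("pem", SAMPLE_PEM), ("base64", SAMPLE_B64)):
        print(name, "->", detect_format(blob), "| forced der:", check_input_format(blob, "der"))
    print("trailing byte after DER:", check_input_format(SAMPLE_DER + b"\x00"))
```

Piping the body of an HTTP CRLDP fetch into check_input_format(body, "der") is the equivalent of the forced-format CLI invocation above: a PEM response is reported as "expected der input but found pem" instead of being transparently accepted by autodetection.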

CBonnell commented 1 month ago

Proposed solution: https://github.com/digicert/pkilint/pull/115

CBonnell commented 1 month ago

Resolved by #115.