digicert / pkilint

A framework for verifying PKI structures
MIT License

FATAL Error for unsupported attribute type in DN such as DC #2

Closed kjur closed 1 year ago

kjur commented 1 year ago

Hi, thank you for your cool tool. SMIME BR legacy profiles permit other attribute types such as domainComponent in the subject distinguished name. https://github.com/cabforum/smime/blob/main/SBR.md#71425-subject-dn-attributes-for-sponsor-validated-profile However, pkilint raises a parse error for such a certificate:

% lint_cabf_smime_cert lint -t SPONSORED-LEGACY sponsored-validated_legacy_dconly.json
NameDecodingValidator @ certificate.tbsCertificate.subject.rdnSequence.2.0
    itu.invalid_asn1_syntax (FATAL): ASN.1 decoding failure occurred at "certificate.tbsCertificate.subject.rdnSequence.2.0.value" with schema "DomainComponent", OID 0.9.2342.19200300.100.1.25: <TagSet object, tags 0:0:19> not in asn1Spec: <DomainComponent schema object, tagSet <TagSet object, tags 0:0:22>, encoding us-ascii>
NameDecodingValidator @ certificate.tbsCertificate.subject.rdnSequence.3.0
    itu.invalid_asn1_syntax (FATAL): ASN.1 decoding failure occurred at "certificate.tbsCertificate.subject.rdnSequence.3.0.value" with schema "DomainComponent", OID 0.9.2342.19200300.100.1.25: <TagSet object, tags 0:0:19> not in asn1Spec: <DomainComponent schema object, tagSet <TagSet object, tags 0:0:22>, encoding us-ascii>

Tested certificate is here:


I'm afraid other attribute types not in the list will also raise error.

CBonnell commented 1 year ago

Hi @kjur, thank you for trying out pkilint!

I took a look at the certificate, and the fatal decoding errors appear to be correct (not false positives). In that certificate, the DomainComponent attributes are encoded as PrintableString, whereas the ASN.1 module for RFC 5280 defines DomainComponent as IA5String:

id-domainComponent   AttributeType ::= { 0 9 2342 19200300 100 1 25 }

DomainComponent ::=  IA5String

I modified your certificate to use IA5String and linted it:

echo '-----BEGIN CERTIFICATE-----
MIIHEzCCBPugAwIBAgIUBKdDVm4KxQ4u7Pu9Oe1mGCGySUowDQYJKoZIhvcNAQEL
BQAwSDELMAkGA1UEBhMCVVMxHzAdBgNVBAoMFkZvbyBJbmR1c3RyaWVzIExpbWl0
ZWQxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMzA0MDEwMDAwMDBaFw0y
NjA2MjgyMzU5NTlaMIHXMSMwIQYDVQRhExpMRUlYRy1BRVlFMDBFS1hFU1ZaVVVF
QlA2NzEeMBwGA1UEChMVQWNtZSBJbmR1c3RyaWVzLCBMdGQuMRMwEQYKCZImiZPy
LGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEPMA0GA1UEBAwGWWFt
YWRhMQ8wDQYDVQQqDAZIYW5ha28xFjAUBgNVBAMMDVlBTUFEQSBIYW5ha28xKDAm
BgkqhkiG9w0BCQEWGWhhbmFrby55YW1hZGFAZXhhbXBsZS5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw+egZQ6eumJKq3hfKfED4dE/tL4FI5sjq
ont9ABVI+1GSqyi1bFBgsRjM0THllIdMbKmJtWwnKW8J+5OgNN8y6Xxv8JmM/Y5v
Qt2lis0fqXmG8UTz0VTWdlAXXmhUs6lSADvAaIe4RVrCsZ97L3ZQTryY7JRVcbB4
khUN3Gp0yg+801SXzoFTTa+UGIRLE66jH51aa5VXu99hnv1OiH8tQrjdi8mH6uG/
icq4XuIeNWMF32wHqIOOPvQcWV3M5D2vxJEj702Ku6k9OQXkAo17qRSEonWW4HtL
btmS8He1JNPc/n3dVUm+fM6NoDXPoLP7j55G9zKyqGtGAWXAj1MTAgMBAAGjggJj
MIICXzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAfBgNVHSMEGDAWgBTW
RAAyfKgN/6xPa2buta6bLMU4VDAdBgNVHQ4EFgQUiRlZXg7xafXLvUfhNPzimMxp
MJEwFAYDVR0gBA0wCzAJBgdngQwBBQMBMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6
Ly9jcmwuY2EuZXhhbXBsZS5jb20vaXNzdWluZ19jYV9jcmwuY3JsMEsGCCsGAQUF
BwEBBD8wPTA7BggrBgEFBQcwAoYvaHR0cDovL3JlcG9zaXRvcnkuY2EuZXhhbXBs
ZS5jb20vaXNzdWluZ19jYS5kZXIwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUF
BwMCMIIBAwYDVR0RBIH7MIH4gRloYW5ha28ueWFtYWRhQGV4YW1wbGUuY29toCkG
CisGAQQBgjcUAgOgGwwZaGFuYWtvLnlhbWFkYUBleGFtcGxlLmNvbaAmBggrBgEF
BQcICaAaDBjlsbHnlLDoirHlrZBAZXhhbXBsZS5jb22kgYcwgYQxIzAhBgNVBGET
GkxFSVhHLUFFWUUwMEVLWEVTVlpVVUVCUDY3MSQwIgYDVQQKDBvjgqLjgq/jg5/l
t6Xmpa3moKrlvI/kvJrnpL4xDzANBgNVBAQMBuWxseeUsDEPMA0GA1UEKgwG6Iqx
5a2QMRUwEwYDVQQDDAzlsbHnlLDoirHlrZAwIwYJKwYBBAGDmCoBBBYTFEFFWUUw
MEVLWEVTVlpVVUVCUDY3MBIGCSsGAQQBg5gqAgQFEwNDRU8wDQYJKoZIhvcNAQEL
BQADggIBAEoUeOBUyS8TZnupriBTl6+fQtIbaGtgzZJ3E6pxQu5shdmw3pv751hW
IjAZIQhYkOV1Ymq5L51/jXyWk2S353AnMFL2rAxirRYbzZ4YygnxWVoy7Mi7DdfJ
mqtb/nIVz1JsjtC2y9YJCR0FP2ZC1bw5j/RFNlC30DcRrn6Pz9oTxBeD4Fa5uMjs
pQH5GXKSO4v0nqjuE95gte6gvre/mOIrM//uZ+DfNAPczgVe0PCGPLseycvsC8N/
oEFe6yeiXIVl1j2OwwUIchxt3yGVdugt/ocpBxO3SCaLhl6pmIACpj2oEtJPhncs
xy385ZFYRXkWBliW12goFFBuSZqj/XmL+PGRXZw6U8nFt3puZjzc4D2pKFZxk2+T
KDE75UgfupXZAbo1wDCpBu5Ghs5tAWsJnQEeZ6Dg71hzFT4BLEqXMOvpT89aCe52
QByUrCp1gAFsdTPt0MBk01WMMaCMygC71kue/v/g2muDQriU/+H8HjjB6ziRS777
KUEkbO0HK0Ko4Go97oJJov3dEhh+ToZmpOWwf3r5jJUpOoriYkEkMzAmG0vgmzDG
oKbmlfasezOfvTuInFWwBLYFDg9j6mWDhVbNmwWE405NNJ20UVjb/7k+a7rW3ck0
c0yTPWAgMNFpk/sHwalbtQG8/1hD/c/6UXnF4+aKKtqgD9P8P6HP
-----END CERTIFICATE-----' | lint_cabf_smime_cert lint -d /dev/stdin
ValidityPeriodRangeValidator @ certificate.tbsCertificate.validity.notBefore
    cabf.smime.certificate_validity_period_at_maximum (WARNING): Validity period of 1185 days, 0:00:00 exceeds maximum value of relativedelta(days=+1184, hours=+23, minutes=+59, seconds=+59)
SubjectKeyIdentifierValidator @ certificate.tbsCertificate.extensions.3.extnValue.subjectKeyIdentifier
    pkix.subject_key_identifier_method_1_identified (INFO)

Given this, I believe the current behavior of the linter is correct. I'll keep this issue open for a few days in case you see anything that I missed, but at this point I don't think any changes are needed. And of course, if you see any other bugs, please feel free to report them as issues.
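To make the point above concrete, here is an added example (not pkilint's code, and not the reporter's certificate): a stdlib-only Python checker that walks a DER-encoded X.501 Name and reports every domainComponent whose value tag is not IA5String (universal tag 22), which is exactly the mismatch behind the itu.invalid_asn1_syntax findings. The sample DN it builds is constructed to mirror the DC=com, DC=example shape of the reported certificate.

```python
# Added example, not pkilint's code: a stdlib-only DER walker that checks the
# string type of every domainComponent in an X.501 Name (RFC 5280 requires IA5String).
DC_OID_CONTENT = bytes.fromhex("0992268993f22c640119")  # DER content octets of 0.9.2342.19200300.100.1.25
TAG_IA5STRING, TAG_PRINTABLESTRING = 0x16, 0x13  # universal tags 22 and 19

def iter_tlvs(buf: bytes):
    """Yield (tag, content) for each DER TLV in buf (definite lengths only, as DER requires)."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def find_dc_string_types(name_der: bytes) -> list:
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; return (rdn index, attribute index, value tag) per domainComponent."""
    (tag, rdn_seq), = iter_tlvs(name_der)
    assert tag == 0x30, "Name must be a SEQUENCE"
    found = []
    for r, (rdn_tag, rdn) in enumerate(iter_tlvs(rdn_seq)):
        assert rdn_tag == 0x31, "RelativeDistinguishedName must be a SET"
        for a, (_, atv) in enumerate(iter_tlvs(rdn)):
            (oid_tag, oid), (val_tag, _) = list(iter_tlvs(atv))[:2]
            if oid_tag == 0x06 and oid == DC_OID_CONTENT:
                found.append((r, a, val_tag))
    return found

def lint_dc(name_der: bytes) -> list:
    """One finding per domainComponent whose value is not an IA5String."""
    return [f"subject.rdnSequence.{r}.{a}: domainComponent value tag 0x{t:02x} is not IA5String (0x16)"
            for r, a, t in find_dc_string_types(name_der) if t != TAG_IA5STRING]

def _tlv(tag: int, content: bytes) -> bytes:  # short-form length is enough for the sample
    return bytes([tag, len(content)]) + content

def sample_name(dc_tag: int) -> bytes:
    """Constructed sample DN (DC=com, DC=example, CN=YAMADA Hanako), DC values encoded with dc_tag."""
    dc = lambda v: _tlv(0x31, _tlv(0x30, _tlv(0x06, DC_OID_CONTENT) + _tlv(dc_tag, v)))
    cn = _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"YAMADA Hanako")))
    return _tlv(0x30, dc(b"com") + dc(b"example") + cn)

if __name__ == "__main__":
    for finding in lint_dc(sample_name(TAG_PRINTABLESTRING)):
        print(finding)
```

Running it with TAG_PRINTABLESTRING reproduces two findings at rdnSequence.0.0 and rdnSequence.1.0; with TAG_IA5STRING the same DN produces none.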

kjur commented 1 year ago

Thank you for the correction. I got it. I fixed my certificates with IA5String for domainComponent and pkilint works fine.