zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers #781

Status: Closed (robplee closed this 6 months ago)

robplee commented 6 months ago

Following on from the comments on https://github.com/zmap/zlint/pull/768 and https://github.com/cabforum/smime/issues/216, this PR limits the organizationIdentifier country code lint so that it no longer compares the country codes in LEI and INT organizationIdentifiers to the subject:countryName. This should prevent zlint 3.6.0 from breaking some SMIME issuance that is considered valid by the SMIME WG.

I think this PR, or something like it, is needed before #776

Regarding the change: I assume the SMIME WG are only expecting certs to contain a single organizationIdentifier, but zcrypto/x509 supports having more than one in the certs it parses, so I implemented accordingly. The discussion on the SMIME BR was saying that for the INT/LEI schemes the "XG" isn't part of identifying the scheme, so it need not match the countryName. I'm therefore skipping the lint execution if all organizationIdentifiers are INT and/or LEI; if there are some organizationIdentifiers for which the check applies, then it is applied, but I skip the actual check against the countryName for any INT/LEI organizationIdentifiers. I don't think this is a realistic case, and I'm pretty sure SMIME certs should only contain one organizationIdentifier, but I think it makes the lint better this way?
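The logic described in the comment above, as an added Go example that is not zlint's code and not the diff of this PR: an organizationIdentifier parser plus a lint that is not applicable when every identifier is LEI or INT, and otherwise compares only the non-exempt identifiers' country code against subject:countryName. The string layout (3-letter scheme, 2-letter country, optional "+" subdivision, "-", reference), the LintStatus type and the CheckApplies/Execute split are assumptions modelled on the S/MIME BR organizationIdentifier format and on how zlint lints are driven; the sample identifiers are constructed and the LEI-shaped reference is not a real LEI.

```go
package main

import (
	"fmt"
	"regexp"
)

// LintStatus mirrors the outcomes a zlint lint reports (constructed for this
// example; not zlint's own type).
type LintStatus int

const (
	NA    LintStatus = iota // lint does not apply to this certificate
	Pass                    // lint applied and the certificate conforms
	Error                   // lint applied and the certificate violates the requirement
)

func (s LintStatus) String() string {
	return [...]string{"NA", "Pass", "Error"}[s]
}

// OrgID is one parsed organizationIdentifier. Layout assumed to follow the
// S/MIME BR form: 3-letter scheme, 2-letter country, optional "+" subdivision,
// "-", registration reference (e.g. NTRGB-12345678, NTRUS+CA-987654).
type OrgID struct {
	Scheme      string
	Country     string
	Subdivision string
	Reference   string
}

var orgIDPattern = regexp.MustCompile(`^([A-Z]{3})([A-Z]{2})(?:\+([A-Z0-9]{1,3}))?-(.+)$`)

// ParseOrgID splits a raw organizationIdentifier into its fields.
func ParseOrgID(raw string) (OrgID, error) {
	m := orgIDPattern.FindStringSubmatch(raw)
	if m == nil {
		return OrgID{}, fmt.Errorf("organizationIdentifier %q does not match <scheme><country>[+<subdivision>]-<reference>", raw)
	}
	return OrgID{Scheme: m[1], Country: m[2], Subdivision: m[3], Reference: m[4]}, nil
}

// countryExempt reports whether the scheme's country field carries no national
// meaning. LEI and INT are operated globally and carry the user-assigned code
// XG, so comparing it with subject:countryName is not meaningful (the rule the
// PR adopts).
func countryExempt(scheme string) bool {
	return scheme == "LEI" || scheme == "INT"
}

// CheckApplies returns false when there is nothing to compare: no
// organizationIdentifier at all, or every one of them is LEI/INT.
// An unparsable identifier makes the lint apply so Execute can report it.
func CheckApplies(orgIDs []string) bool {
	for _, raw := range orgIDs {
		id, err := ParseOrgID(raw)
		if err != nil || !countryExempt(id.Scheme) {
			return true
		}
	}
	return false
}

// Execute compares the country of every non-exempt organizationIdentifier
// against subject:countryName; LEI/INT identifiers are skipped, not failed.
func Execute(orgIDs []string, subjectCountry string) (LintStatus, string) {
	for _, raw := range orgIDs {
		id, err := ParseOrgID(raw)
		if err != nil {
			return Error, err.Error()
		}
		if countryExempt(id.Scheme) {
			continue
		}
		if id.Country != subjectCountry {
			return Error, fmt.Sprintf("%q: scheme country %s does not match subject:countryName %s", raw, id.Country, subjectCountry)
		}
	}
	return Pass, ""
}

// Lint drives the two halves the way a zlint lint is run: applicability first,
// then execution.
func Lint(orgIDs []string, subjectCountry string) (LintStatus, string) {
	if !CheckApplies(orgIDs) {
		return NA, ""
	}
	return Execute(orgIDs, subjectCountry)
}

func main() {
	// Constructed inputs; the LEI-shaped reference is made up.
	cases := []struct {
		orgIDs  []string
		country string
	}{
		{[]string{"LEIXG-ABCDEFGHIJ1234567890"}, "GB"},
		{[]string{"INTXG-0001"}, "DE"},
		{[]string{"NTRGB-12345678"}, "GB"},
		{[]string{"NTRGB-12345678"}, "US"},
		{[]string{"LEIXG-ABCDEFGHIJ1234567890", "NTRUS+CA-987654"}, "US"},
	}
	for _, c := range cases {
		status, detail := Lint(c.orgIDs, c.country)
		fmt.Printf("%v vs countryName=%s -> %s %s\n", c.orgIDs, c.country, status, detail)
	}
}
```

The mixed case (one LEI identifier alongside one NTR identifier) is the edge the comment reasons about: the lint applies because of the NTR entry, but the LEI entry contributes nothing to the comparison.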

christopher-henderson commented 6 months ago

> I'm pretty sure SMIME certs should only contain one organizationIdentifier but I think it makes the lint better this way?

Indeed, there is commonly a mismatch between what the ASN.1 can technically encode and what the requirements actually refer to. A best-effort attempt to at least consider these unlikely edge cases is always welcome (although sometimes we get bogged down in "well, actually, technically..." when considering some of these edge cases, precisely because their behavior is not defined by the governing body in question...).