Open cwjnkins opened 7 months ago
I believe at the time I last touched this lint, the focus of it was more targeted at specific problems seen in public PKI certs. Splitting into different buckets took place later. I agree with your argument that the RFC lint should be able to handle a wider range of data compliant with RFC 5280. Check the linked PR to see changes that will fix the problem for the cert in question but some other examples would be helpful. As usual, generating the test data to use as a basis for testing the changes is the hardest part 😄
but some other examples would be helpful.
I only have two others, this one with common name "172_19_32_13" and another with the same common name "SSL_Self_Signed_Fallback" (both are BMPString).
From the recent discussion on PR #819, I take it the plan will be to add a lint for prohibiting the optional string encoding types based on restrictions from the CA/B forum (seems sensible to me!), so hopefully these certs will be useful as test cases for that.
This concerns changes introduced by PR #249, specifically lint
e_subject_dn_not_printable_characters
. Some attribute values for subject DNs are declared asDirectoryString
types, such asX520CommonName
which in particular includes the non-UTF8 encoded strings
BMPString
(a subset of UTF16) andUniversalString
.Here is an example of a certificate using
BMPString
, for which I have confirmed ZLint (v3.6.1) flags as failing this lint. TheX520CommonName
decodes to "SSL_Self_Signed_Fallback", with each codepoint consisting of two bytes where the leading byte is 0x00. I suspect that the culprit is thatutf8.DecodeRune
(used in the lint) treats the leading 0x00 byte as its own codepoint, and that the fix should be to decode with UTF16 whenBMPString
is encountered.Alternatively, Section 7.1 of RFC5280 states that while support for
PrintableString
andUTF8String
is required of conforming implementations, support for the otherDirectoryString
types is optional, so a new lint could be introduced that flags the optional string types.I do not have an example on hand for
UniversalString
, but I suspect it could also cause an issue.