This introduces a new lint called e_sub_cert_eku_check and sets the ineffective date for e_sub_cert_eku_server_auth_client_auth_missing and w_sub_cert_eku_extra_values.
This update only covers subscriber certificates; the lints for CA certificates will also need to be reviewed.
The util.IsServerAuthCert did not consider certificates that attest the CA/Browser Forum Reserved Certificate Policy Identifiers as specified in section 7.1.6.1 of the BRs, but that did not include the serverAuth EKU. This has been addressed to cover the expectations of attesting a policy and to cover all test scenarios of this lint.
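The scoping gap described above, as an added example that is not part of this pull request or of zlint's code: a certificate that asserts a reserved policy OID but omits serverAuth is skipped when scope is decided by EKU alone, and flagged when the policy is also considered. It uses Go's standard crypto/x509 instead of zlint's certificate type; the names reservedPolicies, hasServerAuth, assertsReservedPolicy and lintResult, and the choice of OIDs in the set, are assumptions.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"fmt"
)

// CA/Browser Forum reserved policy OIDs; which ones to include is this example's assumption.
var reservedPolicies = map[string]bool{
	"2.23.140.1.1": true, "2.23.140.1.2.1": true, // EV, DV
	"2.23.140.1.2.2": true, "2.23.140.1.2.3": true, // OV, IV
}

func hasServerAuth(c *x509.Certificate) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

// assertsReservedPolicy reports whether the certificate claims a reserved policy OID.
func assertsReservedPolicy(c *x509.Certificate) bool {
	for _, p := range c.PolicyIdentifiers {
		if reservedPolicies[p.String()] {
			return true
		}
	}
	return false
}

// lintResult (hypothetical) scopes the EKU check by policy as well as by EKU.
func lintResult(c *x509.Certificate) string {
	switch {
	case hasServerAuth(c):
		return "pass"
	case assertsReservedPolicy(c):
		return "error" // in scope through its policy, but serverAuth is missing
	}
	return "not applicable"
}

func main() {
	c := &x509.Certificate{ // constructed sample: DV policy, EKU holds only clientAuth
		ExtKeyUsage:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}}}
	fmt.Println(hasServerAuth(c), lintResult(c))
}
```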