zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

Add lint to check that SubCA certificates do not have illegal values in their EKU extension #840

Status: Closed (defacto64 closed this 5 months ago)

defacto64 commented 6 months ago

This lint verifies that Subordinate CA certificates do not have illegal values in their EKU extension according to the CABF BRs, and generates an error in case they do. This kind of problem has happened a few times in the past, as can be seen on https://bugzilla.mozilla.org, but apparently not in recent times; at any rate, it's better to prevent it.

This lint does not discriminate between normal SubCA certificates and cross-certificates, this being impossible in the absence of an extra input (which could be passed through a specific lint configuration, but I find it preferable to do without it). However, this is not necessary in order to do a few essential checks that were missing until now.

The lint's logic is as follows: in the CABF BR context, if anyExtendedKeyUsage is present in a SubCA cert, then it can be inferred that it's actually an unrestricted cross-certificate; if instead anyExtendedKeyUsage is not present, then it must be either a restricted cross-certificate or a normal SubCA (non-cross), and in both these cases the same rules apply to the EKU extension.
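The decision described in the comment above, written out as a stand-alone Go program. This is an added illustration, not zlint's own lint code or the PR's diff: `CheckSubCAEKU`, `NewCACert` and the result type are names chosen here, the certificates are constructed in memory, and the allowed / forbidden EKU sets are my reading of the CABF BRs (the PR text only says "illegal values"), so treat them as an assumption rather than the lint's actual rule set. Telling a root from a subordinate CA is outside this example; it applies to any CA certificate that carries an EKU extension.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LintResult mirrors the outcome levels a linter reports for one certificate.
type LintResult int

const (
	ResultNA    LintResult = iota // lint does not apply to this certificate
	ResultPass                    // EKU contents are acceptable
	ResultWarn                    // value outside the expected set, not outright forbidden
	ResultError                   // value forbidden in a (non-unrestricted) SubCA
)

func (r LintResult) String() string {
	return [...]string{"NA", "pass", "warn", "error"}[r]
}

// ASSUMPTION: the PR text only says "illegal values"; which EKUs are allowed,
// forbidden or merely unexpected is my reading of the CABF BRs, not the PR's list.
var (
	allowedEKU = map[x509.ExtKeyUsage]bool{
		x509.ExtKeyUsageServerAuth: true,
		x509.ExtKeyUsageClientAuth: true,
	}
	forbiddenEKU = map[x509.ExtKeyUsage]string{
		x509.ExtKeyUsageEmailProtection: "id-kp-emailProtection",
		x509.ExtKeyUsageCodeSigning:     "id-kp-codeSigning",
		x509.ExtKeyUsageTimeStamping:    "id-kp-timeStamping",
	}
)

// CheckSubCAEKU applies the decision described in the PR comment to a parsed CA
// certificate and returns the result level plus a short explanation.
func CheckSubCAEKU(cert *x509.Certificate) (LintResult, string) {
	if !cert.IsCA || (len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0) {
		return ResultNA, "not a CA certificate, or no EKU extension"
	}
	// anyExtendedKeyUsage present: infer an unrestricted cross-certificate,
	// to which the restricted-EKU rules below do not apply.
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny {
			return ResultPass, "anyExtendedKeyUsage present: unrestricted cross-certificate"
		}
	}
	// Otherwise a restricted cross-certificate or an ordinary SubCA: same rules.
	result, detail := ResultPass, "EKU limited to serverAuth/clientAuth"
	for _, eku := range cert.ExtKeyUsage {
		if name, bad := forbiddenEKU[eku]; bad {
			return ResultError, "forbidden EKU value in SubCA: " + name
		}
		if !allowedEKU[eku] {
			result, detail = ResultWarn, fmt.Sprintf("unexpected EKU value %d", eku)
		}
	}
	if len(cert.UnknownExtKeyUsage) > 0 {
		result, detail = ResultWarn, fmt.Sprintf("unrecognised EKU OID %v", cert.UnknownExtKeyUsage[0])
	}
	return result, detail
}

// NewCACert builds a constructed, self-signed CA certificate in memory carrying
// the given EKU values, so the check can be exercised offline.
func NewCACert(ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example SubCA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	samples := map[string][]x509.ExtKeyUsage{
		"no EKU":                     nil,
		"serverAuth+clientAuth":      {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		"any+emailProtection":        {x509.ExtKeyUsageAny, x509.ExtKeyUsageEmailProtection},
		"serverAuth+emailProtection": {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection},
		"ocspSigning only":           {x509.ExtKeyUsageOCSPSigning},
	}
	for name, ekus := range samples {
		cert, err := NewCACert(ekus)
		if err != nil {
			panic(err)
		}
		res, detail := CheckSubCAEKU(cert)
		fmt.Printf("%-28s %-5s %s\n", name, res, detail)
	}
}
```

The "any+emailProtection" sample is the interesting one: emailProtection alone would be an error, but because anyExtendedKeyUsage is also present the certificate is classified as an unrestricted cross-certificate and passes, exactly the inference the comment describes. Whether that inference is safe without an extra input is the trade-off the PR author discusses.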