zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0
361 stars 110 forks source link

Add lint to check for duplicate subject attributes (ATVs) #850

Closed defacto64 closed 5 months ago

defacto64 commented 5 months ago

This lint verifies that the Subject field of the certificate does not contain more than one instance of a given AttributeTypeAndValue across all RelativeDistinguishedNames (with a few exceptions), as per the CABF BRs (section 7.1.4.1). This was not expressly prohibited in the past, and numerous TLS certificates were issued (several years ago) with this weird feature as can be seen in TestCorpus, but it was then banned in CABF BRs v2.0.0.

This lint doesn't care about multi-valued RDNs, despite this being forbidden, as multi-valued RDNs are another lint's business.

I don't think it's very useful to have a similar lint that does the same check on the Issuer field, but I am open to discussion.