Disallow Registration References in GOV and INT orgIDs #12
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CBonnell
pushed a commit
that referenced
this pull request
Jun 4, 2024
CBonnell
added a commit
that referenced
this pull request
Jun 14, 2024
* Bump version, add ASN.1 modules * Add determination of ETSI webauth cert type * Add EVCP * Better cert type determination, add validator for empty PSP roles * Add support for pre-certs and final certs * Rename NCP and QNCP legal person and natural person certificate types * STNDS-403 Refactor OrgId validators for better code sharing (subtask STNDS-404) * raised specific error for invalid country codes * added 3 tests for country codes * made code less redundant and put class for country codes all in one class * named class to be more specific * qcretention period checking done as well as added DS Store to the gitignore * STNDS-403 Implement OrgId attribute validator for legal persons (#4) * qc type ready for testing * Stnds 409 - Add lint to validate QcEuPDS statement (#6) --------- Co-authored-by: Alex Campbell <campbellalex321@gmail> * STNDS-412 Differentiate between EIDAS qualified and non-EIDAS qualified (#5) * STNDS-412 Differentiate between EIDAS qualified and non-EIDAS qualified * Bump download-artifact version * Fix finding filters for CABF cert types * Add ETSI linters to validation reporter test * Add PKIX/CABF findings to QcType crttest files * Add PKIX/CABF findings to PDS crttest files, address a few PEP warnings * almost there, got to figure out how to add the check only if the cert is psd2, right now it's every time, some reason it's classifying the cert as something else * got to change where it qualifies on a cert for the test run * Stnds 422 - Verify that NCAName is in "Latin" characters (#9) * requirements for queulimitvalue (#8) * added iso639 * added iso4217 --------- Co-authored-by: Alex Campbell <campbellalex321@gmail> * qc_eupds_missing works as expected * STNDS-430 Disallow policyMappings, policyConstrants, and inhibitAnyPolicy in EE certs (#10) * Stnds 423 - Verify the syntax of NCAId (#12) * STNDS-447 Flag use of id-qcs-pkixQCSyntax-v1 semanticsIdentifier (#15) * STNDS-447 A simpler implementation * STNDS-429 validate natural person IDs (#14) * natural person logic created * logic for multiple cn and country names work * added test files * STNDS-424 Check PSD OrgId format in EU PSD2 certs (#19) * Remove unused PSP role mapping * STNDS-449 Check for at least one URI in NRA in SemanticsInformation (#18) * STNDS 448 - Policy extension should not be marked critical (#16) * Stnds 454 - CRL distribution points not marked critical (#24) * Stnds 453 - Extended key usage not marked critical (#23) * Stnds 451 - Issuer alternative name not marked critical * Stnds 450 - Subject alternative name not marked critical * STNDS-444: The pseudonym attribute shall not be present if the givenName and surname attribute are present Co-authored-by: Alex Campbell <campbellalex321@gmail> * STNDS-452: Add PKIX validator for IAN criticality (#26) * Fix acknowledgements table formatting * Fix integration tests for VATEL, bump version to 0.11 * STNDS-442 (#27) * Simplify duplicate attribute detection logic * Simplify attribute count logic * STNDS-462 (#29) * Switch all uses of magic strings to new KeyUsage bit name class * STNDS-462 * Fix build * Rename ETSI cert smoke test * Add graceful decode error handling to ETSI CLI * STNDS-455 CRLDP + AIA lints (#32) * STNDS-465 Add Certificate Policies lint (#33) * STNDS-467: Add validators for EN 319 412-3 clause 4.2.1 (#35) * STNDS-467: Add validators for EN 319 412-3 clause 4.2.1 * Fix build * STNDS-469: Add support for unbounded value lengths for selected attributes (#36) * Add finding introduced after merge * STNDS-466 - qcStatements extension shall not be marked as critical (#34) --------- Co-authored-by: Michael Lettona <michael.lettona@DC-DMQGKVYJJ3.local> * STNDS-472: Create legal person Key Usage value validator (#37) * STNDS-472: Create legal person Key Usage value validator * STNDS-494: Add TS 119 312 public key validators (#39) * STNDS-494: Add TS 119 312 validators * Fix RSA exponent upper bound check * Clean up exponent check * STNDS-496: Add DNSName-specific CN value validator (#40) * STNDS-497: Add validator to check for presence of extensions (#41) * STNDS-498: Create ETSI internal name validators for QNCP-w-gen (#42) * Refactor internal name validators for better reuse * Create ETSI validators for QNCP-w-gen * Clean up validations a bit * referenced subscriber server auth for qncp-w-gen code (#38) * Merge remote-tracking branch 'origin/qualified' into STNDS-473 * removed no_eku * added qncpwgenextusage validator * qncp_w_gen_requirements done * added validators * Update pkilint/etsi/en_319_412_4.py Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * changed name of the validator Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update pkilint/etsi/en_319_412_4.py Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update pkilint/etsi/en_319_412_4.py Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update pkilint/etsi/en_319_412_4.py Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update pkilint/etsi/en_319_412_4.py Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update pkilint/etsi/en_319_412_4.py Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> --------- Co-authored-by: Alex Campbell <campbellalex321@gmail> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * SC-72 implementation (#73) (#43) * SC-72 implementation * Improve static retriever class name * Prepare changelog * SC-72 implementation * Improve static retriever class name * Prepare changelog * Finalize 0.10.2 release * Clean up README language * Remove superfluous newline * STNDS-503: Allow transnational country codes in orgId and serialNumbers (#45) * SC-72 implementation (#73) * SC-72 implementation * Improve static retriever class name * Prepare changelog * SC-72 implementation * Improve static retriever class name * Prepare changelog * Finalize 0.10.2 release * Clean up README language * Remove superfluous newline * All transnational country codes in orgId and serialNumbers * Case-insensitive country codes, har har * Test case-insensitive country codes * STNDS-504: Flag unknown country codes in legal person certificates (#46) * STNDS-504: Flag unknown country codes in legal person certificates * Argh, case insensitivity * Merge v0.10.3 from upstream (#47) * SC-72 implementation (#73) * SC-72 implementation * Improve static retriever class name * Prepare changelog * SC-72 implementation * Improve static retriever class name * Prepare changelog * Finalize 0.10.2 release * Clean up README language * Remove superfluous newline * Flag invalid domain name length in GeneralName types (#78) * SMC-06 implementation (#74) * SMC-06 implementation * Update CHANGELOG, add test case for multi-OID string message * Change to more intuitive collection type * Add back new validator from botched merge * STNDS-505: Ignore CABF validity period findings for certs with PSD2 policy OID (#48) * Reformat and unused import cleanup * STNDS-507: Do not allow unbounded CN for webauth certificate types (#49) * STNDS-499: Add ETSI REST API linter group (#50) * STNDS-499: Add ETSI REST API linter group * Clean up certificate linter group init logic * Clean up some nits (#51) * Clean up some nits * Add test case, adjust a message * Add test case, adjust a message (part deux) * STNDS-445: Add allowance checking for QCStatements (#52) * STNDS-508: Add validator for eIDAS LegalPerson OrgId (#53) * Undo STNDS-505 (#55) * STNDS-509: Add check for TS 119 312 for sig alg (#54) * STNDS-509: Add check for TS 119 312 for sig alg * Move comment to better separate Schnorr vs. ECDSA * Stnds 468 (#58) * added class for np id validator * added validation for natural person * validation made but not working * put in subjects validator * eidas validator works * final validator works * Update pkilint/etsi/en_319_412_1.py Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update pkilint/etsi/en_319_412_1.py Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * stopped parsing if serial number length is too short * fixed Corey's comments --------- Co-authored-by: Alex Campbell <campbellalex321@gmail> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * STNDS-505, part trois (#57) * Various qualified cleanup (#60) * Ensure finding codes follow syntax * Add CLI docs * Change to use PDUNode children attribute * Tweak .gitignore * Prep CHANGELOG * Fix non-webauth cert detection and QcType validator (#64) * Fix non-webauth cert detection and QcType validator * Change class name to anticipate linting CABF <-> ETSI OID per EN 319 411 1 * Add validator for CABF OID <-> non-qualified ETSI OID matching * Don't add subject validators for DVCP * Init code cleanup * Massive fix for application of EN 319 412 -2 and -3 reqs for webauth certs * Perform case-sensitive country code comparison (#65) * Perform case-sensitive country code comparison * Fix presence of QcsCompliance statement for non-EIDAS certs * More fixes (#67) * Enable pyasn1-fasder if installed, fix format nit * Add support for additional validators * Set release candidate version (#68) * Some more nit cleanups (#69) * Remove errant whitespace in link * Remove reporting of duplicate OrgId syntax error finding (#70) * Remove reporting of duplicate OrgId syntax error finding * Clean up imports * Getting ready for the big release --------- Co-authored-by: Alex Campbell <campbellalex321@gmail> Co-authored-by: campbellalex321 <73143774+campbellalex321@users.noreply.github.com> Co-authored-by: Mike <michael.lettona@digicert.com> Co-authored-by: Michael Lettona <michael.lettona@DC-DMQGKVYJJ3.local>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #11.