Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers #781
Following on from the comments on #768 and cabforum/smime#216, this PR limits the organizationIdentifier country code lint to no longer compare the country codes in LEI and INT organizationIdentifiers to the subject:countryName. This should prevent zlint 3.6.0 breaking some SMIME issuance that is considered valid by the SMIME WG.
I think this PR, or something like it, is needed before #776.
Regarding the change, I assume the SMIME WG are only expecting certs to contain a single organizationIdentifier, but zcrypto/x509 supports having more than one in the certs it parses, so I implemented accordingly. The discussion on the SMIME BR was saying that for INT/LEI schemes the "XG" isn't part of identifying the scheme, so it need not match the countryName. So I'm skipping the lint execution if all organizationIdentifiers are INT and/or LEI; if there are some organizationIdentifiers for which the check applies then it's applied, but I skip the actual check against the countryName for any INT/LEI organizationIdentifiers. I don't think this is a realistic case; I'm pretty sure SMIME certs should only contain one organizationIdentifier, but I think it makes the lint better this way?
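
The decision logic described in the PR description above, as an added Go example; it is not the PR's code or zlint's API. The function names, the result strings and the sample identifiers are assumptions, as is reading the scheme from the first three characters of each organizationIdentifier and the country code from the next two.

```go
package main

import (
	"fmt"
	"strings"
)

// isGlobalScheme reports whether the identifier uses the LEI or INT scheme.
func isGlobalScheme(orgID string) bool {
	return strings.HasPrefix(orgID, "LEI") || strings.HasPrefix(orgID, "INT")
}

// contains reports whether want is one of the subject countryName values.
func contains(countries []string, want string) bool {
	for _, c := range countries {
		if c == want {
			return true
		}
	}
	return false
}

// evaluate returns "NA" when the lint is skipped (no identifiers, or all of
// them LEI/INT), "pass", or an "error: ..." string naming the first mismatch.
func evaluate(orgIDs, countries []string) string {
	applies := false
	for _, id := range orgIDs {
		if isGlobalScheme(id) {
			continue // LEI/INT: the "XG" code is never compared to countryName
		}
		applies = true
		// Assumption: an identifier too short to hold a country code is a mismatch.
		if len(id) < 5 || !contains(countries, id[3:5]) {
			return fmt.Sprintf("error: %s does not match countryName %v", id, countries)
		}
	}
	if !applies {
		return "NA"
	}
	return "pass"
}

func main() {
	// Constructed sample identifiers, not taken from any real certificate.
	fmt.Println(evaluate([]string{"LEIXG-00000000000000000000"}, []string{"GB"}))
	fmt.Println(evaluate([]string{"INTXG-EXAMPLE", "NTRGB-12345678"}, []string{"GB"}))
	fmt.Println(evaluate([]string{"NTRDE-12345678"}, []string{"GB"}))
}
```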