Fix typo in finding code for multiple reserved policy OIDs in TLS BR subscriber certificates (#123)

Author: CBonnell

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project from version 0.9.3 onwards are documented in this file.
 
+## 0.12.2 - 2024-10-14
+
+### Fixes
+
+- Fix typo in finding code for multiple TLS BR policy OIDs in Subscriber certificates (#122 - found by @robstradling)
+
 ## 0.12.1 - 2024-10-14
 
 ### New features/enhancements

VERSION.txt

@@ -1 +1 @@
-0.12.1
+0.12.2

pkilint/cabf/serverauth/finding_metadata.csv

@@ -70,7 +70,6 @@ ERROR,cabf.serverauth.ca_basic_constraints_ca_bit_not_set,
 ERROR,cabf.serverauth.ca_external_anypolicy,Validates that the content of the certificate policies extension complies with BR 7.1.2.10.5.
 ERROR,cabf.serverauth.ca_missing_reserved_policy_oid,Validates that the content of the certificate policies extension complies with BR 7.1.2.10.5.
 ERROR,cabf.serverauth.ca_multiple_reserved_policy_oids,Validates that the content of the certificate policies extension complies with BR 7.1.2.10.5.
-ERROR,cabf.serverauth.ca_multiple_reserved_policy_oids,Validates that the certificate policy OID(s) conform to BR 7.1.2.7.9.
 ERROR,cabf.serverauth.ca_non_tls_has_reserved_policy_oid,A non-TLS CA certificate contains a CA/Browser Forum serverauth reserved policy OID.
 ERROR,cabf.serverauth.ca_precert_signing.precertsigning_eku_absent,Validates that the content of the extended key usage extension complies with BR 7.1.2.4.2.: A required element is absent
 ERROR,cabf.serverauth.ca_precert_signing.unknown_eku_present,Validates that the content of the extended key usage extension complies with BR 7.1.2.4.2.: A prohibited element is present
@@ -182,6 +181,7 @@ ERROR,cabf.serverauth.subscriber_anypolicy_oid_present,Validates that the certif
 ERROR,cabf.serverauth.subscriber_basic_constraints_ca_bit_set,
 ERROR,cabf.serverauth.subscriber_common_name_unknown_source,Validates that the content of the commonName attribute conforms to BR 7.1.4.3.
 ERROR,cabf.serverauth.subscriber_missing_reserved_policy_oid,Validates that the certificate policy OID(s) conform to BR 7.1.2.7.9.
+ERROR,cabf.serverauth.subscriber_multiple_reserved_policy_oids,Validates that the certificate policy OID(s) conform to BR 7.1.2.7.9.
 ERROR,cabf.serverauth.subscriber_prohibited_ku_present,Validates that the content of the key usage extension conforms with BR 7.1.2.7.11.
 ERROR,cabf.serverauth.subscriber_required_ku_missing,Validates that the content of the key usage extension conforms with BR 7.1.2.7.11.
 ERROR,cabf.serverauth.subscriber_stateprovince_and_locality_missing,"Validates that the stateOrProvinceName and/or localityName subject attributes are present, as per EVG 9.2.6, BR 7.1.2.7.3, and BR 7.1.2.7.4."

pkilint/cabf/serverauth/serverauth_subscriber.py

@@ -467,7 +467,7 @@ class SubscriberPoliciesValidator(validation.Validator):
 
     VALIDATION_MULTIPLE_RESERVED_OIDS = validation.ValidationFinding(
         validation.ValidationFindingSeverity.ERROR,
-        'cabf.serverauth.ca_multiple_reserved_policy_oids'
+        'cabf.serverauth.subscriber_multiple_reserved_policy_oids'
     )
 
     VALIDATION_NO_RESERVED_OID = validation.ValidationFinding(

tests/integration_certificate/tls_br/dv_final_certificate/dv_and_ov_policy_oids.crttest

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIFkTCCBHmgAwIBAgIKd3d3d3d3d3d3dzANBgkqhkiG9w0BAQsFADBFMQswCQYD
+VQQGEwJVUzETMBEGA1UEChMKQ2VydHMgUiBVczEhMB8GA1UEAxMYQ2VydHMgUiBV
+cyBJc3N1aW5nIENBIEcxMB4XDTIzMDYwMjAwMDAwMFoXDTI0MDYwMTIzNTk1OVow
+ADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjfM1nBO6c4jF2eL+PP
+y+pQOjb+d6eYUk3CypR4j+bzV104d/LT12ukkEL3cR5YapINlZFfMnGxkxz12+AK
+1tKo2m8agDlXTeWvl1hS0axCGOGZL16wvR078oxejK2nmfWlUdFhSmWpFyOeuxCG
+tTaeqjOHjABvKOwqXNlRTlw0CCQ6j2GFqLGPbJ5yfqGLiDGBB+iVdS8oCQ6RtPks
+HH/FNBVeWbwhHE6jrH+yTHbkxJzZwc5W86YHH0PwmsXdCT9gdyfYD1UFm4Ly9iBA
+CgUEYbnXEeYmiZV40yDFbwkZ2JvhmtjN4zJpEc4/DP40wMolSZ1F0Gd+2XjJDjSV
+iDkCAwEAAaOCAsYwggLCMB8GA1UdIwQYMBaAFGpOUL+YaJ1beyB11FkBeUhmkjIG
+MB0GA1UdEQEB/wQTMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ8BAf8EBAMCB4Aw
+HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDYGA1UdHwQvMC0wK6ApoCeG
+JWh0dHA6Ly9jcmwuY2VydHNydXMuY29tL0lzc3VpbmdDQS5jcmwwHQYDVR0gBBYw
+FDAIBgZngQwBAgEwCAYGZ4EMAQICMGsGCCsGAQUFBwEBBF8wXTAkBggrBgEFBQcw
+AYYYaHR0cDovL29jc3AuY2VydHNydXMuY29tMDUGCCsGAQUFBzAChilodHRwOi8v
+Y2FjZXJ0cy5jZXJ0c3J1cy5jb20vSXNzdWluZ0NBLmNydDAMBgNVHRMBAf8EAjAA
+MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdwB2/4g/Crb7lVHCYcz1h7o0tKTN
+uyncaEIKn+ZnTFo6dAAAAYj4va8AAAAEAwBIMEYCIQCJ6/3b0IBPMTBz2BnztDtE
+ljOplTKLJ+5aLpSnTMi8ngIhAKA5BuMfFW/zjdC20nLujmm1I/8rikIDoSd0M3jE
+rK8YAHUASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGI+L2vMgAA
+BAMARjBEAiB5qzY/+SKx4S30VxZXnTiFcOcLigTLzDc7kV4XjQaPNwIgPriQx2hO
+YEzeBPpy39G0lZM+FAshMq05FD9VRl6ygxYAdQA7U3d1Pi25gE6LMFsG/kA7Z9hP
+w/THvQANLXJv4frUFwAAAYj4va8sAAAEAwBGMEQCIDr0klWCDh0GpiGQw5/1QT4n
+T9HpWW7VUL6bHgwVSIAFAiBUYnRBYJul5ex58TJGovCji2tOebCmfGzb1cs6FIMH
+JzANBgkqhkiG9w0BAQsFAAOCAQEAXff2RWIifpPcnlpiKzyK8Qabshh3zvk23Oox
++La7bed7/lIQIP/WEr/s5H1zxe4s3CU4358DLBmX93B9oMp+afrHPJl/ZkEAvVhE
+OtM+OewoOljaoi8UmWC60imeGVT4NIZF7I3migmd8+8ruaMwDgafRZNwmbZD9S5W
+0v4XhxnMsJ02Z6R209mD4sa5/PqovuWgGcj64YjSspyiNQuoYQm//E5l7u4dn99Z
+dGYQ2fgBmTfP6smDPGmRsy6d4C7KVr3ztvwnnut23UJli+glDlKWhsRfHgMbLV2Q
+h6/eR0eovfk8bt18QqvHp8PzGVidY5hKeo163oRkEIV75k1Onw==
+-----END CERTIFICATE-----
+
+node_path,validator,severity,code,message
+certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies,SubscriberPoliciesValidator,ERROR,cabf.serverauth.subscriber_multiple_reserved_policy_oids,"Multiple reserved policy OIDs present: 2.23.140.1.2.1, 2.23.140.1.2.2"