Update finding metadata CSVs
CBonnell committed Dec 18, 2023
1 parent bde3fc1 commit dba2d01
Showing 2 changed files with 8 additions and 2 deletions.
3 changes: 3 additions & 0 deletions pkilint/cabf/serverauth/finding_metadata.csv
Expand Up @@ -308,3 +308,6 @@ NOTICE,pkix.ldap_uri_not_validated,": Notice that the linter encountered a LDAP
NOTICE,pkix.unknown_subject_key_identifier_calculation_method,RFC 5280 4.2.1.2: The Subject key identifier was not calculated using one of the algorithms defined in RFC 5280
INFO,pkix.subject_key_identifier_method_1_identified,RFC 5280 4.2.1.2: The Subject key identifier was calculated using the first algorithm defined in RFC 5280
INFO,pkix.subject_key_identifier_method_2_identified,RFC 5280 4.2.1.2: The Subject key identifier was calculated using the second algorithm defined in RFC 5280
INFO,pkix.subject_key_identifier_rfc7093_method_1_identified,"RFC 7093 2: The keyIdentifier is composed of the leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits)."
INFO,pkix.subject_key_identifier_rfc7093_method_2_identified,"RFC 7093 2: The keyIdentifier is composed of the leftmost 160-bits of the SHA-384 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits)."
INFO,pkix.subject_key_identifier_rfc7093_method_3_identified,"RFC 7093 2: The keyIdentifier is composed of the leftmost 160-bits of the SHA-512 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits)."
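
Review bot: The three added `rfc7093_method_N_identified` rows describe the algorithm instead of stating what the linter found, unlike the `method_1_identified` and `method_2_identified` rows just above ("The Subject key identifier was calculated using the first algorithm defined in RFC 5280"). Consider wording them the same way, for example "RFC 7093 2: The Subject key identifier was calculated using the first method defined in RFC 7093 (leftmost 160 bits of the SHA-256 hash of subjectPublicKey)", so INFO findings read consistently. The quoting is correct for this three-field file, since the text contains commas.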
7 changes: 5 additions & 2 deletions pkilint/cabf/smime/finding_metadata.csv
Expand Up @@ -23,7 +23,7 @@ ERROR,cabf.smime.adobe_timestamp_extension_critical,SMBR 7.1.2.3 (m),"""MAY be p
ERROR,cabf.smime.adobe_timestamp_extension_prohibited,SMBR 7.1.2.3 (m),"""Strict: prohibited"""
ERROR,cabf.smime.aia_prohibited_generalname_type,SMBR 7.1.2.3 (c),"""Allowed URI scheme"""
ERROR,cabf.smime.aia_prohibited_uri_scheme,SMBR 7.1.2.3 (c),"Legacy: ""When provided, at least one accessMethod SHALL have the URI scheme HTTP"". MP and strict: ""When provided, every accessMethod SHALL have the URI scheme HTTP"""
ERROR,cabf.smime.anypolicy_present,"An end-entity S/MIME certificate contains the anyPolicy policy identifier"
ERROR,cabf.smime.anypolicy_present,An end-entity S/MIME certificate contains the anyPolicy policy identifier,
ERROR,cabf.smime.certificate_policies_extension_missing,SMBR 7.1.2.3 (a),"""SHALL be present"""
ERROR,cabf.smime.certificate_validity_period_exceeds_1185_days,SMBR 6.2.3,"""Legacy: 1185 days"""
ERROR,cabf.smime.common_name_value_unknown_source,SMBR 7.1.4.2.2 (a),Common name attribute contains a value that does not correspond to any allowed value in the table in 7.1.4.2.2 (a)
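
Review bot: The trailing comma on the changed `cabf.smime.anypolicy_present` row gives it four fields, but the description now sits in the third field, where neighbouring rows hold the SMBR section, and the fourth field is empty. If no section applies, `ERROR,cabf.smime.anypolicy_present,,An end-entity S/MIME certificate contains the anyPolicy policy identifier` keeps the text in the description field, the same shape the `pkix.ldap_uri_not_validated` row uses later in this file. Otherwise put the SMBR section in the third field.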
Expand Down Expand Up @@ -107,7 +107,7 @@ ERROR,pkix.rdn_contains_unique_attribute_types,X.501 1997-08 9.3,"""The set that
ERROR,pkix.rfc5280_certificate_policies_invalid_explicit_text_encoding,RFC 5280 4.2.1.4,"""Conforming CAs MUST NOT encode explicitText as VisibleString or BMPString."""
ERROR,pkix.rfc6818_certificate_policies_invalid_explicit_text_encoding,RFC 6818 3,"""Conforming CAs MUST NOT encode explicitText as IA5String"""
ERROR,pkix.san_extension_not_critical,RFC 5280 4.2.1.6,"""If the subject field contains an empty sequence, then the issuing CA MUST include a subjectAltName extension that is marked as critical"""
ERROR,pkix.sct_list_empty,"RFC 6962 3.3: ""At least one SCT MUST be included"""
ERROR,pkix.sct_list_empty,"RFC 6962 3.3: ""At least one SCT MUST be included""",
ERROR,pkix.smime_capabilities_extension_critical,RFC 4262 2,"""This extension MUST NOT be marked critical."""
ERROR,pkix.smtp_utf8_mailbox_has_bom,RFC 8398 3,"""The UTF8String encoding MUST NOT contain a Byte-Order-Mark (BOM) [RFC3629] to aid consistency across implementations, particularly for comparison."""
ERROR,pkix.smtp_utf8_mailbox_has_uppercase,RFC 8398 3,"""In SmtpUTF8Mailbox, domain labels that solely use ASCII characters (meaning neither A- nor U-labels) SHALL use NR-LDH restrictions as specified by Section 2.3.1 of [RFC5890] and SHALL be restricted to lowercase letters."""
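
Review bot: The changed `pkix.sct_list_empty` row has the same column problem: the whole string "RFC 6962 3.3: ..." stays in the third field and the appended comma only adds an empty fourth field. The rows around it split the reference from the quoted text, as in `RFC 5280 4.2.1.6,"""If the subject field ..."""`. Suggest `ERROR,pkix.sct_list_empty,RFC 6962 3.3,"""At least one SCT MUST be included"""` so a consumer reading the fourth field gets the requirement text.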
Expand Down Expand Up @@ -147,3 +147,6 @@ NOTICE,pkix.ldap_uri_not_validated,,"Notice that the linter encountered a LDAP U
NOTICE,pkix.unknown_subject_key_identifier_calculation_method,RFC 5280 4.2.1.2,The Subject key identifier was not calculated using one of the algorithms defined in RFC 5280
INFO,pkix.subject_key_identifier_method_1_identified,RFC 5280 4.2.1.2,The Subject key identifier was calculated using the first algorithm defined in RFC 5280
INFO,pkix.subject_key_identifier_method_2_identified,RFC 5280 4.2.1.2,The Subject key identifier was calculated using the second algorithm defined in RFC 5280
INFO,pkix.subject_key_identifier_rfc7093_method_1_identified,RFC 7093 2,"The keyIdentifier is composed of the leftmost 160-bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits)."
INFO,pkix.subject_key_identifier_rfc7093_method_2_identified,"RFC 7093 2: The keyIdentifier is composed of the leftmost 160-bits of the SHA-384 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).","The keyIdentifier is composed of the leftmost 160-bits of the SHA-384 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits)."
INFO,pkix.subject_key_identifier_rfc7093_method_3_identified,"RFC 7093 2: The keyIdentifier is composed of the leftmost 160-bits of the SHA-512 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).","The keyIdentifier is composed of the leftmost 160-bits of the SHA-512 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits)."
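
Review bot: The added `rfc7093_method_2` and `rfc7093_method_3` rows do not match the `rfc7093_method_1` row above them: their third field carries the full serverauth-style string ("RFC 7093 2: The keyIdentifier is composed of ...") and the same sentence is then repeated in the fourth field. The method 1 row has the intended shape, `RFC 7093 2,"The keyIdentifier is composed of ..."`. Reduce the third field of the other two rows to `RFC 7093 2` so all three rows parse to the same reference and description.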
