diff --git a/v3/cmd/genTestCerts/go.sum b/v3/cmd/genTestCerts/go.sum index c3ec2324f..d8f2d3c92 100644 --- a/v3/cmd/genTestCerts/go.sum +++ b/v3/cmd/genTestCerts/go.sum @@ -49,6 +49,7 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= @@ -65,6 +66,7 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -85,6 +87,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -93,6 +97,8 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= diff --git a/v3/go.sum b/v3/go.sum index e4c06379f..69f03aef6 100644 --- a/v3/go.sum +++ b/v3/go.sum @@ -51,6 +51,8 @@ golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWP golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= @@ -65,6 +67,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -83,6 +87,9 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= @@ -90,12 +97,17 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9sn golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/v3/integration/config.json b/v3/integration/config.json index 52343e4ff..85e54f85b 100644 --- a/v3/integration/config.json +++ b/v3/integration/config.json @@ -817,6 +817,7 @@ "ErrCount": 23 }, "e_cab_dv_subject_invalid_values": {}, + "e_qcstatem_psd2_national_scheme": {}, "e_aia_must_contain_permitted_access_method": {}, "e_aia_ocsp_must_have_http_only": {}, "e_aia_unique_access_locations": {}, diff --git a/v3/integration/small.config.json b/v3/integration/small.config.json index 06c78dff2..58249fd4c 100644 --- a/v3/integration/small.config.json +++ b/v3/integration/small.config.json @@ -326,6 +326,7 @@ "e_incorrect_ku_encoding": { "ErrCount": 239 }, + "e_qcstatem_psd2_national_scheme": {}, "n_ca_digital_signature_not_set": { "NoticeCount": 29 }, diff --git a/v3/lints/etsi/lint_qcstatem_psd2_national_scheme.go b/v3/lints/etsi/lint_qcstatem_psd2_national_scheme.go new file mode 100644 index 000000000..453159370 --- /dev/null +++ b/v3/lints/etsi/lint_qcstatem_psd2_national_scheme.go @@ -0,0 +1,101 @@ +package etsi + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "regexp" + + "github.com/zmap/zcrypto/encoding/asn1" + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type qcStatemPsd2NationalScheme struct{} + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_qcstatem_psd2_national_scheme", + Description: "This lint applies if in a PSD2 certificate (i.e. featuring the PSD2 QcStatement) the subject:organizationIdentifier has a prefix of the form: 2 arbitrary initial characters followed by a colon. In this case it checks that the remainder of the string also fulfills the national scheme syntax.", + Citation: "ETSI TS 119 495, '5.2.1 PSD2 Authorization Number or other recognized identifier'", + Source: lint.EtsiEsi, + EffectiveDate: util.EtsiPSD2Date, + }, + Lint: NewQcStatemPsd2NationalScheme, + }) +} + +func NewQcStatemPsd2NationalScheme() lint.LintInterface { + return &qcStatemPsd2NationalScheme{} +} + +func (l *qcStatemPsd2NationalScheme) CheckApplies(c *x509.Certificate) bool { + _, isPresent := util.IsQcStatemPresent(c, &util.IdEtsiPsd2Statem) + if !isPresent { + return false + } + + orgId := util.GetSubjectOrgId(c.RawSubject) + re := regexp.MustCompile(`^.{2}:`) + return re.MatchString(orgId.Value) +} + +func (l *qcStatemPsd2NationalScheme) Execute(c *x509.Certificate) *lint.LintResult { + + orgId := util.GetSubjectOrgId(c.RawSubject) + if !orgId.IsPresent { + return &lint.LintResult{Status: lint.Error, Details: "missing mandatory subject:OrganizationIdentifier"} + } + if orgId.ErrorString != "" { + return &lint.LintResult{Status: lint.Error, Details: orgId.ErrorString} + } + if !util.CheckNationalScheme(orgId.Value) { + return &lint.LintResult{Status: lint.Error, Details: "invalid format of subject:organizationIdentifier for national scheme"} + } + errStr, isPresent := util.IsQcStatemPresent(c, &util.IdQcsPkixQCSyntaxV2) + if errStr != "" { + return &lint.LintResult{Status: lint.Error, Details: "error parsing IdQcsPkixQCSyntaxV2 Qc Statement"} + } + + if !isPresent { + return &lint.LintResult{Status: lint.Error, Details: "national scheme requires URI in IdQcsPkixQCSyntaxV2 Qc Statement, but this Qc Statement is not present"} + } + qcs2Generic := util.ParseQcStatem(util.GetQcStatemExtValue(c), util.IdQcsPkixQCSyntaxV2) + if qcs2Generic.GetErrorInfo() != "" { + return &lint.LintResult{Status: lint.Error, Details: qcs2Generic.GetErrorInfo()} + } + qcs2 := qcs2Generic.(util.DecodedQcS2) + for _, x := range qcs2.Decoded.NameRegAuthorities { + if len(x.FullBytes) < 3 { // have at least tag, length, value one byte each + continue + } + if x.FullBytes[0] != 0x86 { + continue + } + var decodedUri string // + rest, err := asn1.UnmarshalWithParams(x.FullBytes, &decodedUri, "tag:6") + if err != nil { + return &lint.LintResult{Status: lint.Error, Details: err.Error()} + } + if len(rest) != 0 { + return &lint.LintResult{Status: lint.Error, Details: "Trailing bytes after URI"} + } + return &lint.LintResult{Status: lint.Pass} + + } + + return &lint.LintResult{Status: lint.Error, Details: "did not find URI element within IdQcsPkixQCSyntaxV2 Qc Statement, which is mandatory for the national scheme format of the subject:organizationIdentifier"} +} diff --git a/v3/lints/etsi/lint_qcstatem_psd2_national_scheme_test.go b/v3/lints/etsi/lint_qcstatem_psd2_national_scheme_test.go new file mode 100644 index 000000000..2c00203fe --- /dev/null +++ b/v3/lints/etsi/lint_qcstatem_psd2_national_scheme_test.go @@ -0,0 +1,50 @@ +package etsi + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestQcStatemPsd2NationalScheme(t *testing.T) { + m := map[string]lint.LintStatus{ + "QcStmtPsd2Cert01InvalidRoles.pem": lint.NA, + "QcStmtPsd2Cert02Psd2ExtInvNcaId.pem": lint.NA, + "QcStmtPsd2Cert05Valid.pem": lint.NA, + "QcStmtPsd2Cert07MissingRoleName.pem": lint.NA, + "QcStmtPsd2Cert08NcaNameMissing.pem": lint.NA, + "QcStmtPsd2Cert09NcaNameZeroLength.pem": lint.NA, + "QcStmtPsd2Cert10RoleNameMissing.pem": lint.NA, + "QcStmtPsd2Cert11RoleNameZeroLength.pem": lint.NA, + "QcStmtPsd2Cert13Psd2ExtNcaIdZeroLength.pem": lint.NA, + "QcStmtPsd2Cert14Valid.pem": lint.NA, + "QcStmtPsd2Cert16RoleIdAndNameInconsistent.pem": lint.NA, + "QcStmtPsd2Cert47MissingUri.pem": lint.Error, + "QcStmtPsd2Cert48LegalPersonSyntaxViolated.pem": lint.NA, + "QcStmtPsd2Cert49ValidNationalScheme.pem": lint.Pass, + "EvAltRegNumCert56JurCountryNotMatching.pem": lint.NA, + "EvAltRegNumCert52NoOrgId.pem": lint.NA, + } + for inputPath, expected := range m { + out := test.TestLint("e_qcstatem_psd2_national_scheme", inputPath) + + if out.Status != expected { + t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) + } + } +} diff --git a/v3/testdata/EvAltRegNumCert52NoOrgId.pem b/v3/testdata/EvAltRegNumCert52NoOrgId.pem new file mode 100644 index 000000000..3a1bea860 --- /dev/null +++ b/v3/testdata/EvAltRegNumCert52NoOrgId.pem @@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0c:c5:96:7f:f3:7e:ac:5c:b4:e5:d3:89:2d + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: O = MTG, L = Darmstadt, ST = Hessen, C = DE, businessCategory = Private Organization, serialNumber = HRB 123456, jurisdictionC = DE, jurisdictionST = Hessen + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + Policy: 1.3.6.1.4.1.7879.13.24.1 + CPS: http://www.telesec.de/serverpass/cps.html + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: sha256WithRSAEncryption + 2e:c6:ac:44:0a:17:61:4b:bc:98:30:95:86:86:6f:2d:c5:dc: + f1:73:91:ac:25:fc:84:61:11:18:a7:6e:ba:23:ff:db:6c:7e: + d8:e9:4d:7e:b5:05:2c:4f:7c:75:90:46:da:10:e6:21:4a:ed: + aa:77:2a:e2:00:8b:be:d4:28:df:c4:76:8d:4a:db:bb:8d:e8: + 71:79:09:50:9a:da:ad:aa:6c:26:91:b1:90:df:19:65:15:f8: + 3c:00:32:ea:d1:25:16:4f:9e:c3:ea:ed:bd:8e:f3:f4:84:5c: + 98:d2:bb:08:06:12:d3:3c:20:f9:4d:e3:18:f2:57:08:eb:9b: + 7b:53:3e:9f:12:e5:3a:82:78:b9:13:c2:9f:ce:61:aa:ea:f5: + 4a:98:cc:f5:0a:3e:e8:bc:e5:1f:92:70:d9:54:47:53:6b:04: + 7e:dc:53:a8:23:f7:02:16:14:88:a7:1c:9a:aa:78:22:10:52: + 04:33:0f:1e:eb:59:f5:a0:12:e9:d6:6c:3b:56:68:e5:c5:ba: + 95:f1:71:33:e9:63:e7:9d:6f:02:69:e7:96:08:f7:47:a9:cc: + 27:39:0a:ae:71:c4:85:32:9f:f7:20:c3:8e:c8:32:d5:d9:fb: + 1d:2f:80:e2:1e:13:3e:7c:2a:4a:f3:7d:0e:f5:cd:ee:3d:62: + 1b:53:db:3e +-----BEGIN CERTIFICATE----- +MIIEyTCCA7GgAwIBAgINDMWWf/N+rFy05dOJLTANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjCB +ojEMMAoGA1UECgwDTVRHMRIwEAYDVQQHDAlEYXJtc3RhZHQxDzANBgNVBAgMBkhl +c3NlbjELMAkGA1UEBhMCREUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9u +MRMwEQYDVQQFEwpIUkIgMTIzNDU2MRMwEQYLKwYBBAGCNzwCAQMMAkRFMRcwFQYL +KwYBBAGCNzwCAQIMBkhlc3NlbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSK +ummj68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nb +i8M1DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTt +LWQkd+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYO +rl/8zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0 +cXCA09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAVwwggFYMB8GA1UdIwQYMBaAFAxe +nP66SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZD +OzAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cu +ZXhhbXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8v +Y2EuZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5l +eGFtcGxlLmNvbS9vY3NwMFkGA1UdIARSMFAwBwYFZ4EMAQEwRQYKKwYBBAG9Rw0Y +ATA3MDUGCCsGAQUFBwIBFilodHRwOi8vd3d3LnRlbGVzZWMuZGUvc2VydmVycGFz +cy9jcHMuaHRtbDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZI +hvcNAQELBQADggEBAC7GrEQKF2FLvJgwlYaGby3F3PFzkawl/IRhERinbroj/9ts +ftjpTX61BSxPfHWQRtoQ5iFK7ap3KuIAi77UKN/Edo1K27uN6HF5CVCa2q2qbCaR +sZDfGWUV+DwAMurRJRZPnsPq7b2O8/SEXJjSuwgGEtM8IPlN4xjyVwjrm3tTPp8S +5TqCeLkTwp/OYarq9UqYzPUKPui85R+ScNlUR1NrBH7cU6gj9wIWFIinHJqqeCIQ +UgQzDx7rWfWgEunWbDtWaOXFupXxcTPpY+edbwJp55YI90epzCc5Cq5xxIUyn/cg +w47IMtXZ+x0vgOIeEz58KkrzfQ71ze49YhtT2z4= +-----END CERTIFICATE----- diff --git a/v3/testdata/EvAltRegNumCert56JurCountryNotMatching.pem b/v3/testdata/EvAltRegNumCert56JurCountryNotMatching.pem new file mode 100644 index 000000000..a71f8671f --- /dev/null +++ b/v3/testdata/EvAltRegNumCert56JurCountryNotMatching.pem @@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 02:62:35:a7:7d:ac:f7:2a:53:e4:00:0d:67 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: O = MTG, L = Darmstadt, ST = Hessen, C = DE, businessCategory = Private Organization, organizationIdentifier = NTRDE-12345678, serialNumber = 12345678, jurisdictionC = GB + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 2.23.140.1.1 + Policy: 1.3.6.1.4.1.7879.13.24.1 + CPS: http://www.telesec.de/serverpass/cps.html + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: sha256WithRSAEncryption + 5f:b4:a1:1e:4c:7e:39:f0:ce:fd:66:b8:5f:f6:fa:05:f3:04: + c6:22:1e:40:12:e0:3c:25:3f:db:37:6c:10:0e:ec:aa:7a:a9: + 9e:fd:0b:94:5f:b0:88:bb:65:b0:b0:f6:f3:f0:21:5e:d9:0d: + 52:28:f3:39:80:c9:53:1a:e7:db:fd:b7:a1:6b:8c:c2:5a:a3: + 3c:35:76:f8:b7:f8:52:34:39:03:f7:6d:ba:b3:91:56:de:54: + f7:4f:36:c3:47:09:7e:7b:29:2b:b0:85:03:58:42:18:ca:f8: + 3a:24:8e:e0:2b:fe:75:d9:06:de:4e:7d:77:d6:52:24:52:40: + 67:b9:9f:5b:ee:43:77:70:f4:34:7a:48:9c:ac:29:3c:16:36: + 73:df:f1:f6:d6:6e:c1:76:f4:93:17:43:a6:05:4b:1e:4d:ca: + c7:dd:ac:ca:c2:a9:f6:00:7f:d1:01:eb:49:98:8f:56:ec:74: + 04:85:4b:a7:3c:a3:3e:75:25:bf:35:05:03:f4:1d:43:32:cf: + 5c:f1:6d:7c:bc:e5:a7:9e:be:41:7f:34:bb:93:22:31:87:f4: + dd:ef:bc:10:7f:21:a5:31:a0:5e:62:8a:bb:ba:85:e3:8d:2f: + 02:b1:57:7e:02:f6:e1:a5:d6:be:e3:b8:3d:8d:94:3d:e0:77: + 32:83:de:a8 +-----BEGIN CERTIFICATE----- +MIIExzCCA6+gAwIBAgINAmI1p32s9ypT5AANZzANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjCB +oDEMMAoGA1UECgwDTVRHMRIwEAYDVQQHDAlEYXJtc3RhZHQxDzANBgNVBAgMBkhl +c3NlbjELMAkGA1UEBhMCREUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9u +MRcwFQYDVQRhDA5OVFJERS0xMjM0NTY3ODERMA8GA1UEBRMIMTIzNDU2NzgxEzAR +BgsrBgEEAYI3PAIBAwwCR0IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDCDYFxtJQFvM+ZiqpiCPIuY7IeRvkrhZjDg9DOJq12j1znWwUgJSYyGcIkirpp +o+vKEKTzz7XGHvZwWJZbiFJqiEIzhbjGFkhPAUU5P+FquQa17zfbeZ5QkFdDW4vD +NQ2zQfQbwkp/GDw5LU+/K6VxB3MzAOWNNp7+j3LFclYIzIa277ri/Ztcxi2U7S1k +JHfmZ01i25QuKY7dHXrKvGj7FSyAVtPd5zqPmBgUSxHZxAEfuXrQ2a1pEQX2Dq5f +/M3Gs8tNro5FGAqowEARKNzNn3omZ1pHgJvZTPfaX20TgxqRktG5RPdya5dHdHFw +gNPWc792M1xwuG+HNz5+jnXlAgMBAAGjggFcMIIBWDAfBgNVHSMEGDAWgBQMXpz+ +ukshbAQdwlq344hfWd5MEjAdBgNVHQ4EFgQUDmuqg6myTVyFzbHSL4f3IMs2Qzsw +DgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4 +YW1wbGUuY29tMGIGCCsGAQUFBwEBBFYwVDAoBggrBgEFBQcwAoYcaHR0cDovL2Nh +LmV4YW1wbGUuY29tL2NhLmNydDAoBggrBgEFBQcwAYYcaHR0cDovL29jc3AuZXhh +bXBsZS5jb20vb2NzcDBZBgNVHSAEUjBQMAcGBWeBDAEBMEUGCisGAQQBvUcNGAEw +NzA1BggrBgEFBQcCARYpaHR0cDovL3d3dy50ZWxlc2VjLmRlL3NlcnZlcnBhc3Mv +Y3BzLmh0bWwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3 +DQEBCwUAA4IBAQBftKEeTH458M79Zrhf9voF8wTGIh5AEuA8JT/bN2wQDuyqeqme +/QuUX7CIu2WwsPbz8CFe2Q1SKPM5gMlTGufb/beha4zCWqM8NXb4t/hSNDkD9226 +s5FW3lT3TzbDRwl+eykrsIUDWEIYyvg6JI7gK/512QbeTn131lIkUkBnuZ9b7kN3 +cPQ0ekicrCk8FjZz3/H21m7BdvSTF0OmBUseTcrH3azKwqn2AH/RAetJmI9W7HQE +hUunPKM+dSW/NQUD9B1DMs9c8W18vOWnnr5BfzS7kyIxh/Td77wQfyGlMaBeYoq7 +uoXjjS8CsVd+Avbhpda+47g9jZQ94Hcyg96o +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert01InvalidRoles.pem b/v3/testdata/QcStmtPsd2Cert01InvalidRoles.pem new file mode 100644 index 000000000..9023af143 --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert01InvalidRoles.pem @@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0c:02:fd:2a:9d:b9:49:14:ff:cc:3d:a8:1f + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0..0......F..0......F..0......F...0...+.......0.......I..0R......'.0H0.0.......'....PSP_PI.'Federal Financial Supervisory Authority..DE-BAFIN + Signature Algorithm: sha256WithRSAEncryption + 20:4e:b7:a4:1d:8e:05:8a:d9:a9:ac:20:59:a6:7f:db:7b:72: + 7c:2d:a6:28:13:7b:70:4b:9c:49:ac:3c:03:f0:d1:30:54:e4: + 6d:29:83:55:2d:7a:9e:dd:be:bd:24:fb:e9:4c:32:a0:07:cb: + 11:99:f1:e5:31:8f:15:e7:fd:55:05:4d:18:ac:bf:0b:a4:d0: + 67:03:89:88:7b:8f:d0:ff:bb:24:c7:b2:00:f9:20:eb:ee:00: + 35:9c:c4:74:3a:91:1c:80:59:5a:ae:e5:e2:eb:50:8c:b4:97: + 6d:52:7e:95:35:58:62:e2:a8:21:b5:e1:1c:f3:96:30:de:ee: + 38:16:47:8b:ee:29:46:e4:e3:f2:d6:6a:f4:42:11:73:de:8c: + 32:7b:32:f4:3a:43:c2:70:8f:8b:73:74:56:57:51:dc:31:41: + 42:7f:ca:9e:a9:c0:d3:b7:fa:a9:1a:ee:a8:b9:ac:70:fc:f2: + d3:41:3f:25:1e:bd:5d:fb:86:e9:ac:2e:37:c3:cc:71:48:36: + cf:43:d4:13:03:a9:98:b1:74:60:1f:3a:bf:eb:31:dc:3a:a5: + 49:40:50:cd:27:15:c8:98:10:ae:b3:b0:e2:7d:7e:72:5c:19: + 32:96:8c:97:82:f1:72:a8:38:f5:b2:07:42:1e:d2:93:f2:db: + 53:39:87:14 +-----BEGIN CERTIFICATE----- +MIIE+TCCA+GgAwIBAgINDAL9Kp25SRT/zD2oHzANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAb8wggG7MB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmgYIKwYBBQUHAQMEgY0wgYow +CAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQA +i+xJAQIwUgYGBACBmCcCMEgwEzARBgcEAIGYJwEBDAZQU1BfUEkMJ0ZlZGVyYWwg +RmluYW5jaWFsIFN1cGVydmlzb3J5IEF1dGhvcml0eQwIREUtQkFGSU4wDQYJKoZI +hvcNAQELBQADggEBACBOt6QdjgWK2amsIFmmf9t7cnwtpigTe3BLnEmsPAPw0TBU +5G0pg1Utep7dvr0k++lMMqAHyxGZ8eUxjxXn/VUFTRisvwuk0GcDiYh7j9D/uyTH +sgD5IOvuADWcxHQ6kRyAWVqu5eLrUIy0l21SfpU1WGLiqCG14RzzljDe7jgWR4vu +KUbk4/LWavRCEXPejDJ7MvQ6Q8Jwj4tzdFZXUdwxQUJ/yp6pwNO3+qka7qi5rHD8 +8tNBPyUevV37humsLjfDzHFINs9D1BMDqZixdGAfOr/rMdw6pUlAUM0nFciYEK6z +sOJ9fnJcGTKWjJeC8XKoOPWyB0Ie0pPy21M5hxQ= +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert02Psd2ExtInvNcaId.pem b/v3/testdata/QcStmtPsd2Cert02Psd2ExtInvNcaId.pem new file mode 100644 index 000000000..23965fc0d --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert02Psd2ExtInvNcaId.pem @@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 01:35:07:86:fc:68:ad:69:ee:f0:20:00:d7 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0..0......F..0......F..0......F...0...+.......0.......I..0R......'.0H0.0.......'....PSP_AS.'Federal Financial Supervisory Authority..DE+BAFIN + Signature Algorithm: sha256WithRSAEncryption + 35:01:43:87:0d:cb:63:43:a5:ad:5b:a4:07:06:c6:08:a4:f2: + 5d:cf:08:4a:32:36:9f:95:c8:3a:4a:3f:11:9d:a0:3e:2f:d2: + e3:bf:7c:d9:55:dc:04:55:33:2b:6f:4d:1e:e3:a2:74:0d:40: + e7:7d:75:29:95:8f:f8:fd:87:af:7f:96:bb:77:9d:36:93:1c: + 2d:9b:90:0c:bd:3d:ab:20:ba:41:f4:88:63:ab:3c:84:2b:07: + a8:5e:09:0b:94:cf:58:e7:e8:6a:a0:7d:26:c5:11:38:2d:e8: + e4:17:d2:2a:35:4b:05:07:87:51:7a:66:b3:c7:b5:d6:f6:18: + e8:e7:45:e9:c0:c6:41:fe:a8:b0:16:6d:80:c9:38:03:7a:e3: + 45:c7:b1:8e:5a:07:e2:6c:b0:15:2a:f3:1d:4b:d4:74:4b:65: + 7d:a6:28:0a:e6:02:a0:01:ce:de:c4:15:eb:d8:4c:d6:08:3f: + b8:8b:24:c8:ff:82:5b:fa:a4:6b:73:04:c8:c8:7d:e3:d3:84: + ea:c9:10:b9:6f:fb:e9:bc:2a:1e:ad:a2:71:d8:78:d0:bf:c4: + 4f:94:69:37:34:45:42:4a:45:02:25:51:48:96:a5:6b:8a:07: + d7:ac:01:b9:16:bf:28:17:2c:fe:bc:8b:6a:8f:a7:b3:17:81: + bd:0b:73:82 +-----BEGIN CERTIFICATE----- +MIIE+TCCA+GgAwIBAgINATUHhvxorWnu8CAA1zANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAb8wggG7MB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmgYIKwYBBQUHAQMEgY0wgYow +CAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQA +i+xJAQIwUgYGBACBmCcCMEgwEzARBgcEAIGYJwEBDAZQU1BfQVMMJ0ZlZGVyYWwg +RmluYW5jaWFsIFN1cGVydmlzb3J5IEF1dGhvcml0eQwIREUrQkFGSU4wDQYJKoZI +hvcNAQELBQADggEBADUBQ4cNy2NDpa1bpAcGxgik8l3PCEoyNp+VyDpKPxGdoD4v +0uO/fNlV3ARVMytvTR7jonQNQOd9dSmVj/j9h69/lrt3nTaTHC2bkAy9PasgukH0 +iGOrPIQrB6heCQuUz1jn6GqgfSbFETgt6OQX0io1SwUHh1F6ZrPHtdb2GOjnRenA +xkH+qLAWbYDJOAN640XHsY5aB+JssBUq8x1L1HRLZX2mKArmAqABzt7EFevYTNYI +P7iLJMj/glv6pGtzBMjIfePThOrJELlv++m8Kh6tonHYeNC/xE+UaTc0RUJKRQIl +UUiWpWuKB9esAbkWvygXLP68i2qPp7MXgb0Lc4I= +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert05Valid.pem b/v3/testdata/QcStmtPsd2Cert05Valid.pem new file mode 100644 index 000000000..b31aa247c --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert05Valid.pem @@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0a:a5:4c:bc:8d:c8:b4:cd:e0:dd:75:76:70 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0..0......F..0......F..0......F...0...+.......0.......I..0R......'.0H0.0.......'....PSP_AS.'Federal Financial Supervisory Authority..DE-BAFIN + Signature Algorithm: sha256WithRSAEncryption + 19:9b:16:eb:73:05:9b:2c:66:73:33:50:33:18:7f:46:d8:81: + 2b:5e:cb:a0:8c:75:d5:78:ac:a8:61:50:30:6a:c4:6f:6c:c6: + 0f:b1:2d:b5:cd:98:41:dd:27:a9:52:71:12:b7:87:69:90:db: + 6d:af:3e:c7:9b:2e:0b:a2:b5:c8:ac:6a:a0:0c:20:32:27:61: + f4:52:eb:9e:f2:11:79:92:79:d8:f2:58:85:52:ae:d0:9a:00: + 00:98:a0:2c:0e:3c:4c:a6:9e:3a:da:ed:6b:11:bb:65:99:67: + ee:73:93:b7:e5:a0:3c:7a:a3:94:17:2d:de:f7:0c:e2:6b:aa: + bf:eb:ea:92:fd:34:f7:f9:7b:b8:3e:be:55:6a:00:64:21:0b: + a6:74:b3:ba:e2:e5:72:27:3c:17:99:10:ca:31:d8:0b:b6:64: + 5f:d4:58:d4:5f:d3:43:27:46:f9:d8:02:5d:93:90:34:b0:1d: + c6:d4:e8:bf:01:b7:32:f1:26:56:66:2b:0d:f7:05:f4:e6:8b: + ef:90:3a:64:8f:66:3a:44:2e:99:e9:51:a9:ab:0e:62:ae:16: + 5c:6e:e7:f4:01:57:3e:91:4b:fb:17:e6:d6:64:41:33:e0:e9: + 4b:45:96:44:ad:83:d2:cb:24:49:04:bd:d4:f4:c4:c9:11:bd: + cc:f3:4c:f3 +-----BEGIN CERTIFICATE----- +MIIE+TCCA+GgAwIBAgINCqVMvI3ItM3g3XV2cDANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAb8wggG7MB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmgYIKwYBBQUHAQMEgY0wgYow +CAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQA +i+xJAQIwUgYGBACBmCcCMEgwEzARBgcEAIGYJwEBDAZQU1BfQVMMJ0ZlZGVyYWwg +RmluYW5jaWFsIFN1cGVydmlzb3J5IEF1dGhvcml0eQwIREUtQkFGSU4wDQYJKoZI +hvcNAQELBQADggEBABmbFutzBZssZnMzUDMYf0bYgStey6CMddV4rKhhUDBqxG9s +xg+xLbXNmEHdJ6lScRK3h2mQ222vPsebLguitcisaqAMIDInYfRS657yEXmSedjy +WIVSrtCaAACYoCwOPEymnjra7WsRu2WZZ+5zk7floDx6o5QXLd73DOJrqr/r6pL9 +NPf5e7g+vlVqAGQhC6Z0s7ri5XInPBeZEMox2Au2ZF/UWNRf00MnRvnYAl2TkDSw +HcbU6L8BtzLxJlZmKw33BfTmi++QOmSPZjpELpnpUamrDmKuFlxu5/QBVz6RS/sX +5tZkQTPg6UtFlkStg9LLJEkEvdT0xMkRvczzTPM= +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert07MissingRoleName.pem b/v3/testdata/QcStmtPsd2Cert07MissingRoleName.pem new file mode 100644 index 000000000..b39edcd03 --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert07MissingRoleName.pem @@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 02:7d:f8:92:27:17:f8:07:44:26:a3:c4:5c + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0..0......F..0......F..0......F...0...+.......0.......I..0J......'.0@0.0.......'...'Federal Financial Supervisory Authority..DE-bafin + Signature Algorithm: sha256WithRSAEncryption + 07:cd:3a:dd:a8:6a:f0:3b:46:0d:97:35:01:c9:b9:20:6a:26: + 91:47:e8:93:7e:97:b5:80:11:f0:3a:82:f7:84:4e:ae:d7:1a: + 30:8f:75:a8:cd:7e:9b:75:78:be:c1:3e:23:8b:2e:a2:a6:c4: + 82:50:4d:ac:33:08:41:08:81:91:9e:eb:89:ce:50:fa:b4:8a: + 89:f3:cb:40:2f:41:35:dd:3b:cb:da:25:ba:22:f1:fd:a5:43: + 3a:64:c7:c4:87:b7:a3:21:77:b6:29:13:d7:d2:50:ae:6a:24: + f0:19:76:72:e8:1e:04:12:df:ef:07:99:1d:a2:aa:03:0c:bc: + 7b:cc:36:14:2b:2a:14:7a:d3:7d:6e:5e:f9:5f:91:23:9e:99: + 99:d5:bf:af:81:50:ae:8b:6e:b5:1c:59:b0:0a:0f:99:c4:41: + 66:6e:c9:b1:df:e0:a7:74:eb:c5:53:28:22:87:d6:dd:84:81: + 23:e9:8e:ad:95:94:be:4b:de:7c:5e:c5:90:c1:dc:16:9c:f2: + 08:0a:de:bc:c8:2c:63:61:97:d0:e5:f3:a2:41:ae:0e:7e:86: + 7c:da:e7:a4:25:3a:fb:a4:ce:b7:27:00:24:f7:b1:8f:b7:e3: + 07:00:57:b1:8a:49:c2:97:a1:51:56:ec:91:40:75:e4:42:44: + 0c:49:f7:46 +-----BEGIN CERTIFICATE----- +MIIE8TCCA9mgAwIBAgINAn34kicX+AdEJqPEXDANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAbcwggGzMB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBkgYIKwYBBQUHAQMEgYUwgYIw +CAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQA +i+xJAQIwSgYGBACBmCcCMEAwCzAJBgcEAIGYJwEEDCdGZWRlcmFsIEZpbmFuY2lh +bCBTdXBlcnZpc29yeSBBdXRob3JpdHkMCERFLWJhZmluMA0GCSqGSIb3DQEBCwUA +A4IBAQAHzTrdqGrwO0YNlzUBybkgaiaRR+iTfpe1gBHwOoL3hE6u1xowj3WozX6b +dXi+wT4jiy6ipsSCUE2sMwhBCIGRnuuJzlD6tIqJ88tAL0E13TvL2iW6IvH9pUM6 +ZMfEh7ejIXe2KRPX0lCuaiTwGXZy6B4EEt/vB5kdoqoDDLx7zDYUKyoUetN9bl75 +X5EjnpmZ1b+vgVCui261HFmwCg+ZxEFmbsmx3+CndOvFUygih9bdhIEj6Y6tlZS+ +S958XsWQwdwWnPIICt68yCxjYZfQ5fOiQa4OfoZ82uekJTr7pM63JwAk97GPt+MH +AFexiknCl6FRVuyRQHXkQkQMSfdG +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert08NcaNameMissing.pem b/v3/testdata/QcStmtPsd2Cert08NcaNameMissing.pem new file mode 100644 index 000000000..b9701b6ee --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert08NcaNameMissing.pem @@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:07:10:9f:9e:67:80:c7:8d:98:e6:61:a7 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0a0......F..0......F..0......F...0...+.......0.......I..0)......'.0.0.0.......'....PSP_AI..DE-BAFIN + Signature Algorithm: sha256WithRSAEncryption + 4d:90:16:97:d4:b9:90:b8:2e:e3:c3:f5:fa:8a:e0:70:60:2b: + cc:c0:25:0c:8e:e7:41:6b:7c:21:53:45:34:8d:28:7c:56:5c: + dc:04:0b:b8:75:81:a0:97:2c:e1:12:38:9b:1a:d1:e3:05:1f: + 95:5b:79:9e:96:cd:4f:09:32:1e:e8:1e:01:3e:c2:30:9d:9d: + f3:b6:d8:c4:04:73:3e:1f:fb:9a:4a:15:54:fb:ad:42:cb:ac: + 4e:08:65:11:d0:d5:72:cd:64:e1:c2:7d:2a:c2:2e:a9:a3:44: + 2a:9f:cf:ac:5b:9d:ed:7d:33:91:b1:79:aa:68:2c:e6:96:70: + e5:2e:25:49:21:8e:1e:25:86:f5:8a:e1:2e:71:07:49:dc:a5: + 16:76:e2:6c:24:52:47:38:ef:82:a0:92:ac:a1:a9:fe:d6:0d: + 9c:2b:fd:cd:64:2f:9e:2d:1f:de:f5:a0:bf:b3:c4:a7:c8:62: + 01:7f:62:71:5d:70:d0:51:8d:4d:c7:a1:9b:ed:bd:fd:65:af: + d3:6b:a1:f3:bb:b5:1e:d4:51:bf:61:8d:ef:3b:01:e7:11:20: + 33:98:d6:15:d5:78:91:40:bb:48:25:b6:a0:e3:9c:4f:31:6c: + d0:57:96:9f:a7:48:17:45:15:f8:84:d1:3e:0e:46:79:db:35: + 81:30:54:ec +-----BEGIN CERTIFICATE----- +MIIEzTCCA7WgAwIBAgINBgcQn55ngMeNmOZhpzANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAZMwggGPMB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBvBggrBgEFBQcBAwRjMGEwCAYG +BACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQAi+xJ +AQIwKQYGBACBmCcCMB8wEzARBgcEAIGYJwEDDAZQU1BfQUkMCERFLUJBRklOMA0G +CSqGSIb3DQEBCwUAA4IBAQBNkBaX1LmQuC7jw/X6iuBwYCvMwCUMjudBa3whU0U0 +jSh8VlzcBAu4dYGglyzhEjibGtHjBR+VW3mels1PCTIe6B4BPsIwnZ3zttjEBHM+ +H/uaShVU+61Cy6xOCGUR0NVyzWThwn0qwi6po0Qqn8+sW53tfTORsXmqaCzmlnDl +LiVJIY4eJYb1iuEucQdJ3KUWduJsJFJHOO+CoJKsoan+1g2cK/3NZC+eLR/e9aC/ +s8SnyGIBf2JxXXDQUY1Nx6Gb7b39Za/Ta6Hzu7Ue1FG/YY3vOwHnESAzmNYV1XiR +QLtIJbag45xPMWzQV5afp0gXRRX4hNE+DkZ52zWBMFTs +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert09NcaNameZeroLength.pem b/v3/testdata/QcStmtPsd2Cert09NcaNameZeroLength.pem new file mode 100644 index 000000000..891f2ed5b --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert09NcaNameZeroLength.pem @@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0e:c2:b3:32:0b:6c:e5:d3:88:2d:cc:99:cb + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0c0......F..0......F..0......F...0...+.......0.......I..0+......'.0!0.0.......'....PSP_PI....DE-BAFIN + Signature Algorithm: sha256WithRSAEncryption + 4f:88:bf:d9:9f:ee:c6:41:82:76:12:83:bd:fd:76:4f:2e:1d: + 13:e9:36:79:24:3b:a7:31:0e:f6:aa:ab:40:b1:ca:55:fa:e9: + 77:54:a1:73:32:b6:f8:d5:07:52:3e:0b:6b:b9:b6:60:95:61: + c6:58:b6:ff:91:9b:57:2d:03:91:4f:b2:06:c9:35:bf:01:90: + a1:fb:c0:d0:b8:67:ae:18:4a:97:43:03:98:4d:dd:2d:6d:b9: + d0:0a:94:6d:09:b1:76:54:a4:ea:1e:bc:35:6a:a9:a3:8d:9c: + 17:90:2f:d6:99:48:5e:f5:9c:50:e2:44:f5:86:cb:f3:b1:08: + 26:1c:40:83:5d:81:1c:3a:29:4e:ba:6f:7d:d0:7b:3f:68:79: + d4:6f:bf:d4:b3:01:0b:f6:eb:91:f9:00:26:57:27:e7:7c:8f: + 48:95:ca:91:8a:50:6c:61:a9:e4:13:ff:aa:35:12:0d:f9:b2: + b6:0a:c8:4b:64:61:70:64:de:b3:b2:73:1a:f3:f5:4c:7a:66: + 10:02:cd:b8:b7:bf:63:20:88:15:61:e4:c7:58:b9:49:f6:5a: + 50:6c:6f:db:70:17:b6:af:b4:5d:fc:11:3a:d1:a7:1e:2a:f0: + 0c:ac:0f:fb:dc:90:e0:f2:bc:de:b3:07:73:d3:11:e2:4f:4b: + ca:3b:62:bd +-----BEGIN CERTIFICATE----- +MIIEzzCCA7egAwIBAgINDsKzMgts5dOILcyZyzANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAZUwggGRMB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBxBggrBgEFBQcBAwRlMGMwCAYG +BACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQAi+xJ +AQIwKwYGBACBmCcCMCEwEzARBgcEAIGYJwECDAZQU1BfUEkMAAwIREUtQkFGSU4w +DQYJKoZIhvcNAQELBQADggEBAE+Iv9mf7sZBgnYSg739dk8uHRPpNnkkO6cxDvaq +q0CxylX66XdUoXMytvjVB1I+C2u5tmCVYcZYtv+Rm1ctA5FPsgbJNb8BkKH7wNC4 +Z64YSpdDA5hN3S1tudAKlG0JsXZUpOoevDVqqaONnBeQL9aZSF71nFDiRPWGy/Ox +CCYcQINdgRw6KU66b33Qez9oedRvv9SzAQv265H5ACZXJ+d8j0iVypGKUGxhqeQT +/6o1Eg35srYKyEtkYXBk3rOycxrz9Ux6ZhACzbi3v2MgiBVh5MdYuUn2WlBsb9tw +F7avtF38ETrRpx4q8AysD/vckODyvN6zB3PTEeJPS8o7Yr0= +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert10RoleNameMissing.pem b/v3/testdata/QcStmtPsd2Cert10RoleNameMissing.pem new file mode 100644 index 000000000..a359cf7a1 --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert10RoleNameMissing.pem @@ -0,0 +1,104 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0f:13:c2:9d:40:6a:8e:fe:42:9f:b6:15:a1 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0..0......F..0......F..0......F...0...+.......0.......I..0I......'.0?0 +0...PSP_AI.'Federal Financial Supervisory Authority..DE-BAFIN + Signature Algorithm: sha256WithRSAEncryption + 0b:5d:bf:42:b8:ea:31:79:e7:93:39:21:46:bf:fe:22:cc:93: + a6:d7:9e:aa:e5:04:48:db:b9:53:00:0f:64:6a:e8:5b:c8:13: + 9e:ae:83:86:10:7d:85:88:f3:97:f4:ec:98:42:9e:72:9d:c3: + 59:e9:c7:dc:05:f5:ab:cb:58:d8:20:98:da:57:4c:f7:45:d7: + 48:82:5c:01:38:bd:81:0e:b5:5c:bc:c6:36:20:30:f9:36:b3: + 0a:1c:56:00:33:0d:94:12:3c:08:fc:9c:d4:12:12:06:25:a4: + bb:f9:a3:c2:10:3c:13:1b:3f:ab:8a:8e:30:e2:95:51:c4:a4: + 83:dc:94:39:48:87:1e:ed:7c:fb:46:1b:8f:fd:3e:fc:76:14: + ab:67:0f:9d:99:af:9a:90:bc:bf:39:20:2e:50:cb:6c:48:22: + 2c:e7:2e:dd:a9:e4:4d:77:d4:4b:2c:67:5c:c2:1c:3a:b3:a3: + 79:98:a7:56:12:f3:52:63:96:8c:08:65:4b:44:20:28:6d:ed: + fd:09:bb:6f:d1:68:a8:1d:c2:2b:c9:da:32:87:3a:1d:b7:0c: + d9:0f:5a:c4:03:6e:a8:0c:65:2d:a8:40:21:20:8a:45:6e:e1: + fd:dd:e9:f1:ed:e2:71:82:a5:01:9c:ea:32:60:d8:7d:e7:d8: + a4:77:3b:dc +-----BEGIN CERTIFICATE----- +MIIE8DCCA9igAwIBAgINDxPCnUBqjv5Cn7YVoTANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAbYwggGyMB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBkQYIKwYBBQUHAQMEgYQwgYEw +CAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQA +i+xJAQIwSQYGBACBmCcCMD8wCjAIDAZQU1BfQUkMJ0ZlZGVyYWwgRmluYW5jaWFs +IFN1cGVydmlzb3J5IEF1dGhvcml0eQwIREUtQkFGSU4wDQYJKoZIhvcNAQELBQAD +ggEBAAtdv0K46jF555M5IUa//iLMk6bXnqrlBEjbuVMAD2Rq6FvIE56ug4YQfYWI +85f07JhCnnKdw1npx9wF9avLWNggmNpXTPdF10iCXAE4vYEOtVy8xjYgMPk2swoc +VgAzDZQSPAj8nNQSEgYlpLv5o8IQPBMbP6uKjjDilVHEpIPclDlIhx7tfPtGG4/9 +Pvx2FKtnD52Zr5qQvL85IC5Qy2xIIiznLt2p5E131EssZ1zCHDqzo3mYp1YS81Jj +lowIZUtEICht7f0Ju2/RaKgdwivJ2jKHOh23DNkPWsQDbqgMZS2oQCEgikVu4f3d +6fHt4nGCpQGc6jJg2H3n2KR3O9w= +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert11RoleNameZeroLength.pem b/v3/testdata/QcStmtPsd2Cert11RoleNameZeroLength.pem new file mode 100644 index 000000000..90ce40f27 --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert11RoleNameZeroLength.pem @@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:69:f3:36:bc:cb:02:fb:02:6d:63:30:26 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0~0......F..0......F..0......F...0...+.......0.......I..0F......'.0<0 0.......'.....'Federal Financial Supervisory Authority..DE + Signature Algorithm: sha256WithRSAEncryption + 3e:29:8a:d8:e1:48:1d:30:b6:95:6b:fa:fb:13:74:95:48:3a: + 71:d9:72:66:4d:53:ec:dd:e2:04:5f:74:5a:88:06:d4:78:c3: + 08:a9:d8:94:82:dc:bc:e3:39:f3:5a:76:c6:57:ae:d6:8a:c6: + 2f:f5:40:70:98:34:4d:ef:6b:97:d6:78:8e:ee:b3:d5:be:17: + b2:31:57:49:8d:50:04:cc:48:f2:05:8f:d9:ac:45:62:5c:5c: + 8d:14:bb:b0:c8:e4:9b:b9:73:40:be:b7:a8:60:09:9b:be:86: + af:55:da:b5:cc:7b:a5:ea:b0:80:e3:26:98:b3:7d:7b:45:84: + 4b:ee:33:d9:ac:36:0a:4b:14:82:c6:90:da:8b:b3:11:1e:2b: + 85:72:6d:54:27:a6:87:33:4a:71:b7:80:fb:cc:91:38:3d:11: + 39:e9:ea:0c:23:6a:70:01:88:18:9e:18:35:2a:7d:d1:69:69: + eb:76:da:c6:ee:ae:dc:f2:60:32:bf:52:2f:ab:19:cd:a8:a6: + 68:51:0f:63:a8:20:8b:0e:cf:89:80:0a:c6:6b:32:6c:a1:41: + 5c:62:41:3c:46:99:e4:c0:78:7c:31:8a:6d:ee:27:10:68:84: + b0:ce:7a:20:c0:6a:ec:33:0a:34:10:7a:ee:3e:2d:c6:65:20: + db:1b:5d:eb +-----BEGIN CERTIFICATE----- +MIIE7DCCA9SgAwIBAgINCGnzNrzLAvsCbWMwJjANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAbIwggGuMB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBjQYIKwYBBQUHAQMEgYAwfjAI +BgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYBBgMwFQYIKwYBBQUHCwIwCQYHBACL +7EkBAjBGBgYEAIGYJwIwPDANMAsGBwQAgZgnAQEMAAwnRmVkZXJhbCBGaW5hbmNp +YWwgU3VwZXJ2aXNvcnkgQXV0aG9yaXR5DAJERTANBgkqhkiG9w0BAQsFAAOCAQEA +PimK2OFIHTC2lWv6+xN0lUg6cdlyZk1T7N3iBF90WogG1HjDCKnYlILcvOM581p2 +xleu1orGL/VAcJg0Te9rl9Z4ju6z1b4XsjFXSY1QBMxI8gWP2axFYlxcjRS7sMjk +m7lzQL63qGAJm76Gr1Xatcx7peqwgOMmmLN9e0WES+4z2aw2CksUgsaQ2ouzER4r +hXJtVCemhzNKcbeA+8yROD0ROenqDCNqcAGIGJ4YNSp90Wlp63baxu6u3PJgMr9S +L6sZzaimaFEPY6ggiw7PiYAKxmsybKFBXGJBPEaZ5MB4fDGKbe4nEGiEsM56IMBq +7DMKNBB67j4txmUg2xtd6w== +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert13Psd2ExtNcaIdZeroLength.pem b/v3/testdata/QcStmtPsd2Cert13Psd2ExtNcaIdZeroLength.pem new file mode 100644 index 000000000..db6b0f2d0 --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert13Psd2ExtNcaIdZeroLength.pem @@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 03:73:5e:16:82:36:9a:ab:88:7e:f4:a3:be + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0..0......F..0......F..0......F...0...+.......0.......I..0J......'.0@0.0.......'....PSP_IC.'Federal Financial Supervisory Authority.. + Signature Algorithm: sha256WithRSAEncryption + 5a:90:e6:20:9e:ac:61:1f:10:a4:ef:f1:c1:2b:91:8e:84:b7: + 37:0a:87:fd:7b:ff:e3:ae:22:2f:03:58:e3:84:53:be:88:ef: + 9e:d6:95:4c:67:db:4a:ed:51:4c:05:27:be:bf:45:f3:37:da: + 15:b9:21:06:76:57:5e:6c:c8:40:9c:b0:73:af:e1:11:87:39: + 63:bd:76:82:b8:7c:e1:f7:ab:b6:30:36:d2:78:4a:df:17:88: + 7d:db:90:40:a1:eb:9a:82:52:a8:50:24:7f:ab:5c:3c:40:c8: + b0:5b:72:31:95:b7:56:31:e5:1c:dc:70:15:15:24:81:66:dc: + 40:a9:f8:7a:58:4e:71:51:a0:49:05:6c:39:6f:c7:62:c5:c4: + 1c:0c:df:57:b1:e7:42:89:9b:23:23:33:d4:36:57:5c:e2:e4: + 01:12:99:6a:15:b7:ad:56:35:06:c8:f5:60:a7:3c:0c:c8:7a: + 2b:0b:21:38:91:a7:62:51:75:f6:18:db:7b:7a:b2:14:80:49: + 9e:d0:48:26:bb:52:77:fd:1e:e5:90:d8:d7:2a:d7:e9:7a:34: + ee:c4:bb:55:e9:8c:85:f8:ae:65:d9:9b:16:29:b0:d4:1c:d1: + 48:e3:a4:e4:b2:bd:3a:25:c9:8c:c3:a9:29:59:4e:76:bc:40: + 21:fa:7e:15 +-----BEGIN CERTIFICATE----- +MIIE8TCCA9mgAwIBAgINA3NeFoI2mquIfvSjvjANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAbcwggGzMB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBkgYIKwYBBQUHAQMEgYUwgYIw +CAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQA +i+xJAQIwSgYGBACBmCcCMEAwEzARBgcEAIGYJwEEDAZQU1BfSUMMJ0ZlZGVyYWwg +RmluYW5jaWFsIFN1cGVydmlzb3J5IEF1dGhvcml0eQwAMA0GCSqGSIb3DQEBCwUA +A4IBAQBakOYgnqxhHxCk7/HBK5GOhLc3Cof9e//jriIvA1jjhFO+iO+e1pVMZ9tK +7VFMBSe+v0XzN9oVuSEGdldebMhAnLBzr+ERhzljvXaCuHzh96u2MDbSeErfF4h9 +25BAoeuaglKoUCR/q1w8QMiwW3IxlbdWMeUc3HAVFSSBZtxAqfh6WE5xUaBJBWw5 +b8dixcQcDN9XsedCiZsjIzPUNldc4uQBEplqFbetVjUGyPVgpzwMyHorCyE4kadi +UXX2GNt7erIUgEme0Egmu1J3/R7lkNjXKtfpejTuxLtV6YyF+K5l2ZsWKbDUHNFI +46Tksr06JcmMw6kpWU52vEAh+n4V +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert14Valid.pem b/v3/testdata/QcStmtPsd2Cert14Valid.pem new file mode 100644 index 000000000..c2e5cd430 --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert14Valid.pem @@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0f:9d:ff:53:4f:05:7f:85:32:7c:f6:bb:f5 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0h0......F..0......F..0......F...0...+.......0.......I..00......'.0&0.0.......'....PSP_IC..12345..DE-BAFIN + Signature Algorithm: sha256WithRSAEncryption + 1e:58:7a:f2:67:24:4b:2b:25:b2:6d:90:fa:29:fc:4d:6d:f2: + 16:18:d9:db:fe:a7:d4:3f:ef:3f:38:da:d0:b5:1b:96:49:4d: + c0:a3:74:67:16:b7:4e:c5:a4:28:26:61:e4:4f:c2:c1:a2:e9: + b3:fa:31:35:45:c3:7f:6e:f7:23:d1:05:4e:76:8d:63:4c:0e: + d9:b7:13:6f:04:31:91:e3:4a:67:b3:87:71:09:65:f2:cc:1d: + 0f:7b:e1:97:c9:28:00:a0:2f:1c:fb:86:24:2e:f5:a2:b5:a8: + 73:80:9b:cf:ab:ad:9b:67:be:21:4e:17:53:5b:76:3e:03:0f: + 1f:b1:a1:37:f4:cb:fc:2a:b3:d3:16:c8:71:1a:a4:99:f2:c8: + e9:d7:26:72:44:17:f8:73:41:7a:78:79:e3:a8:93:fe:40:d8: + de:4e:a0:ea:d1:07:20:f1:e3:e7:40:35:be:09:2c:8e:2e:4b: + ac:b7:c5:86:2c:0c:c7:45:f9:b7:fd:5b:3d:84:1a:64:c2:b0: + 83:cc:3f:9a:be:3c:aa:5d:20:2d:3e:3c:52:72:cf:b7:68:e0: + 84:c9:25:c1:b5:ac:32:7f:2d:4c:05:aa:43:70:b3:18:ab:60: + 98:93:bd:45:65:85:c9:4f:e3:72:df:87:af:b9:05:af:33:c6: + fa:3e:1b:3e +-----BEGIN CERTIFICATE----- +MIIE1DCCA7ygAwIBAgIND53/U08Ff4UyfPa79TANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAZowggGWMB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAwRqMGgwCAYG +BACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQAi+xJ +AQIwMAYGBACBmCcCMCYwEzARBgcEAIGYJwEEDAZQU1BfSUMMBTEyMzQ1DAhERS1C +QUZJTjANBgkqhkiG9w0BAQsFAAOCAQEAHlh68mckSyslsm2Q+in8TW3yFhjZ2/6n +1D/vPzja0LUblklNwKN0Zxa3TsWkKCZh5E/CwaLps/oxNUXDf273I9EFTnaNY0wO +2bcTbwQxkeNKZ7OHcQll8swdD3vhl8koAKAvHPuGJC71orWoc4Cbz6utm2e+IU4X +U1t2PgMPH7GhN/TL/Cqz0xbIcRqkmfLI6dcmckQX+HNBenh546iT/kDY3k6g6tEH +IPHj50A1vgksji5LrLfFhiwMx0X5t/1bPYQaZMKwg8w/mr48ql0gLT48UnLPt2jg +hMklwbWsMn8tTAWqQ3CzGKtgmJO9RWWFyU/jct+Hr7kFrzPG+j4bPg== +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert16RoleIdAndNameInconsistent.pem b/v3/testdata/QcStmtPsd2Cert16RoleIdAndNameInconsistent.pem new file mode 100644 index 000000000..901056ea1 --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert16RoleIdAndNameInconsistent.pem @@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:56:2c:58:4a:6f:61:ef:47:53:e0:96:29 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: OU = Test, O = MTG, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = PSDDE-BAFIN-1234567890 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0m0......F..0......F..0......F...0...+.......0.......I..05......'.0+0.0.......'....PSP_IC. +Federal$%&..DE-BAFIN + Signature Algorithm: sha256WithRSAEncryption + 56:bc:54:0f:91:a6:a2:76:ea:79:a2:ed:93:87:0c:9b:f5:37: + ef:b0:dc:6c:e7:55:fe:75:18:c6:d1:f4:fb:07:f8:4d:fa:ae: + 29:de:a6:ae:55:14:60:be:a0:92:29:54:e1:5c:04:f0:9c:9f: + 2e:f0:fb:f9:59:ff:29:a0:34:c6:22:90:ba:81:7d:50:38:f9: + 05:84:29:25:cf:c5:62:b2:b0:47:8b:3d:8a:fa:26:37:54:34: + 4a:c8:cf:ed:3a:1c:13:a3:d1:43:c2:ae:5d:b7:4e:87:bf:be: + d7:e9:74:5d:77:d2:14:e5:34:ee:25:bb:ed:f8:83:3a:8c:ae: + 0b:a0:c9:ac:2f:91:19:d7:38:da:48:ae:88:e3:6e:30:de:e1: + 46:c2:98:8f:fa:d8:7e:d8:af:08:de:fb:e7:84:cb:0c:0f:92: + ac:7c:72:92:e1:2d:0d:49:93:bb:fa:90:ce:f8:bc:56:10:f7: + 7e:bc:58:af:5d:a7:54:5f:b1:58:e3:58:ed:a1:fc:b7:2d:48: + 6e:3c:9b:19:0a:b0:35:f6:d5:4f:90:f5:b8:9d:6b:99:38:e4: + 97:80:ed:0b:23:d6:65:ae:92:3f:db:85:ef:da:df:9d:db:ff: + a7:42:2d:87:9e:46:51:ac:5f:2d:09:d3:70:00:87:32:f6:66: + c8:94:78:35 +-----BEGIN CERTIFICATE----- +MIIE2TCCA8GgAwIBAgINBlYsWEpvYe9HU+CWKTANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBw +MQ0wCwYDVQQLDARUZXN0MQwwCgYDVQQKDANNVEcxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEfMB0GA1UEYQwWUFNEREUt +QkFGSU4tMTIzNDU2Nzg5MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj +68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1 +DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQk +d+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8 +zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA +09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAZ8wggGbMB8GA1UdIwQYMBaAFAxenP66 +SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAO +BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh +bXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu +ZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFt +cGxlLmNvbS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BggrBgEFBQcBAwRvMG0wCAYG +BACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQAi+xJ +AQIwNQYGBACBmCcCMCswEzARBgcEAIGYJwEDDAZQU1BfSUMMCkZlZGVyYWwkJSYM +CERFLUJBRklOMA0GCSqGSIb3DQEBCwUAA4IBAQBWvFQPkaaidup5ou2Thwyb9Tfv +sNxs51X+dRjG0fT7B/hN+q4p3qauVRRgvqCSKVThXATwnJ8u8Pv5Wf8poDTGIpC6 +gX1QOPkFhCklz8VisrBHiz2K+iY3VDRKyM/tOhwTo9FDwq5dt06Hv77X6XRdd9IU +5TTuJbvt+IM6jK4LoMmsL5EZ1zjaSK6I424w3uFGwpiP+th+2K8I3vvnhMsMD5Ks +fHKS4S0NSZO7+pDO+LxWEPd+vFivXadUX7FY41jtofy3LUhuPJsZCrA19tVPkPW4 +nWuZOOSXgO0LI9ZlrpI/24Xv2t+d2/+nQi2HnkZRrF8tCdNwAIcy9mbIlHg1 +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert47MissingUri.pem b/v3/testdata/QcStmtPsd2Cert47MissingUri.pem new file mode 100644 index 000000000..ab74b5a1d --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert47MissingUri.pem @@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:4c:25:84:8a:c5:be:e7:81:59:82:d3:24 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: O = MTG, OU = Test, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = EI:SE-5567971433 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0..0......F..0......F..0......F...0...+.......0.......I..0Q......'.0G0.0.......'....PSP_IC.'Federal Financial Supervisory Authority..SE-FINA + Signature Algorithm: sha256WithRSAEncryption + 46:83:b0:4d:fd:0d:a2:a8:bd:aa:af:f7:f0:c2:dc:be:de:fb: + fe:43:07:86:70:ec:66:82:8b:f2:2f:0d:d7:a4:ea:e4:9e:8d: + 0d:3a:5b:ea:55:a0:33:5e:3d:bf:0b:c5:9e:7b:61:9d:22:df: + ea:d5:b9:be:48:a9:c3:8b:ba:52:c2:78:d9:d6:97:77:37:1e: + 58:4c:09:1c:33:0f:ba:21:e4:a6:bf:11:2c:12:5c:03:93:43: + bb:10:52:3e:e2:de:5f:6d:dd:45:2b:f7:6e:c3:6b:bf:3f:93: + 3d:d3:ba:b9:6d:77:8c:7e:42:d4:52:b7:1c:e7:db:87:cf:0b: + e3:21:70:04:83:e7:5f:89:e7:7c:7c:bc:05:17:96:ca:6f:0b: + 0a:40:b9:bc:45:b5:fc:36:53:31:c4:5c:0e:cd:ba:0c:9c:ad: + fc:fe:e1:dd:12:0b:1a:dd:51:9d:24:6a:35:34:11:7b:48:4f: + 72:83:03:58:3a:be:6c:77:f3:ee:33:c2:ef:d4:51:04:ac:86: + dc:90:e1:de:9a:f3:73:b5:91:73:31:a7:84:ed:92:5d:d9:33: + 18:aa:e4:2b:07:80:40:ad:01:b9:6d:83:f4:e6:bc:b2:7c:b7: + 65:c6:73:36:2f:03:79:07:74:1d:e0:1b:18:22:81:ba:9e:5f: + 24:87:b7:bf +-----BEGIN CERTIFICATE----- +MIIE8jCCA9qgAwIBAgINCEwlhIrFvueBWYLTJDANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBq +MQwwCgYDVQQKDANNVEcxDTALBgNVBAsMBFRlc3QxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEZMBcGA1UEYQwQRUk6U0Ut +NTU2Nzk3MTQzMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMINgXG0 +lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj68oQpPPP +tcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1DbNB9BvC +Sn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQkd+ZnTWLb +lC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8zcazy02u +jkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA09Zzv3Yz +XHC4b4c3Pn6OdeUCAwEAAaOCAb4wggG6MB8GA1UdIwQYMBaAFAxenP66SyFsBB3C +WrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAOBgNVHQ8B +Af8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5j +b20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2EuZXhhbXBs +ZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFtcGxlLmNv +bS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0GA1UdJQQW +MBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmQYIKwYBBQUHAQMEgYwwgYkwCAYGBACO +RgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMBUGCCsGAQUFBwsCMAkGBwQAi+xJAQIw +UQYGBACBmCcCMEcwEzARBgcEAIGYJwEEDAZQU1BfSUMMJ0ZlZGVyYWwgRmluYW5j +aWFsIFN1cGVydmlzb3J5IEF1dGhvcml0eQwHU0UtRklOQTANBgkqhkiG9w0BAQsF +AAOCAQEARoOwTf0Noqi9qq/38MLcvt77/kMHhnDsZoKL8i8N16Tq5J6NDTpb6lWg +M149vwvFnnthnSLf6tW5vkipw4u6UsJ42daXdzceWEwJHDMPuiHkpr8RLBJcA5ND +uxBSPuLeX23dRSv3bsNrvz+TPdO6uW13jH5C1FK3HOfbh88L4yFwBIPnX4nnfHy8 +BReWym8LCkC5vEW1/DZTMcRcDs26DJyt/P7h3RILGt1RnSRqNTQRe0hPcoMDWDq+ +bHfz7jPC79RRBKyG3JDh3przc7WRczGnhO2SXdkzGKrkKweAQK0BuW2D9Oa8sny3 +ZcZzNi8DeQd0HeAbGCKBup5fJIe3vw== +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert48LegalPersonSyntaxViolated.pem b/v3/testdata/QcStmtPsd2Cert48LegalPersonSyntaxViolated.pem new file mode 100644 index 000000000..a6fa34817 --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert48LegalPersonSyntaxViolated.pem @@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0b:19:fc:8e:3f:f2:7f:7a:2d:db:0d:1f:9c + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: O = MTG, OU = Test, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = EIS:SE-5567971433 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0..0......F..0......F..0......F...0...+.......0.......I..0Q......'.0G0.0.......'....PSP_IC.'Federal Financial Supervisory Authority..SE-FINA + Signature Algorithm: sha256WithRSAEncryption + 27:ff:6a:2e:a8:77:ff:ab:c0:e4:af:fc:8b:db:6b:5c:6a:7c: + c8:70:5c:bd:b0:6c:1c:4a:87:fb:28:af:fe:02:98:fa:98:4f: + 69:d0:0b:8e:b3:52:f0:dd:43:2a:54:68:13:4c:23:43:98:f9: + 6e:10:65:7a:1b:df:61:ed:36:b2:09:5a:91:d0:1d:6d:e1:5b: + d1:0e:61:74:64:b7:bf:9a:c7:06:12:35:9f:8a:34:87:92:9b: + 96:62:1d:1f:a3:05:93:b9:8e:47:eb:71:06:b7:d7:66:53:29: + da:f0:35:fe:6a:53:63:59:cc:59:34:68:01:df:4a:c3:24:9d: + 57:d7:0c:86:ee:2e:b1:46:7a:b4:82:47:33:d8:6e:a1:b1:05: + a2:fb:13:5c:5f:96:ac:ef:2b:1d:9c:e4:d0:a6:f7:66:03:da: + c1:be:4c:0d:e7:2a:8b:6e:d9:38:a2:a1:6f:ec:6d:13:46:b6: + fe:cb:7a:2a:8c:cd:66:90:51:9c:6b:53:a5:db:bd:8e:29:c8: + 39:2c:ad:b6:64:32:06:26:ec:2c:3e:cd:74:14:62:2a:06:cd: + a5:f7:26:73:91:80:d9:cf:79:b6:fd:8c:38:32:98:9c:cd:61: + 30:b6:f0:6e:d0:d9:46:60:75:75:49:d4:d9:82:c7:c8:64:da: + 93:c1:e0:10 +-----BEGIN CERTIFICATE----- +MIIE8zCCA9ugAwIBAgINCxn8jj/yf3ot2w0fnDANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBr +MQwwCgYDVQQKDANNVEcxDTALBgNVBAsMBFRlc3QxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEaMBgGA1UEYQwRRUlTOlNF +LTU1Njc5NzE0MzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCDYFx +tJQFvM+ZiqpiCPIuY7IeRvkrhZjDg9DOJq12j1znWwUgJSYyGcIkirppo+vKEKTz +z7XGHvZwWJZbiFJqiEIzhbjGFkhPAUU5P+FquQa17zfbeZ5QkFdDW4vDNQ2zQfQb +wkp/GDw5LU+/K6VxB3MzAOWNNp7+j3LFclYIzIa277ri/Ztcxi2U7S1kJHfmZ01i +25QuKY7dHXrKvGj7FSyAVtPd5zqPmBgUSxHZxAEfuXrQ2a1pEQX2Dq5f/M3Gs8tN +ro5FGAqowEARKNzNn3omZ1pHgJvZTPfaX20TgxqRktG5RPdya5dHdHFwgNPWc792 +M1xwuG+HNz5+jnXlAgMBAAGjggG+MIIBujAfBgNVHSMEGDAWgBQMXpz+ukshbAQd +wlq344hfWd5MEjAdBgNVHQ4EFgQUDmuqg6myTVyFzbHSL4f3IMs2QzswDgYDVR0P +AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUu +Y29tMGIGCCsGAQUFBwEBBFYwVDAoBggrBgEFBQcwAoYcaHR0cDovL2NhLmV4YW1w +bGUuY29tL2NhLmNydDAoBggrBgEFBQcwAYYcaHR0cDovL29jc3AuZXhhbXBsZS5j +b20vb2NzcDAfBgNVHSAEGDAWMAkGBwQAi+xAAQQwCQYHBACBmCcDATAdBgNVHSUE +FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgZkGCCsGAQUFBwEDBIGMMIGJMAgGBgQA +jkYBATATBgYEAI5GAQYwCQYHBACORgEGAzAVBggrBgEFBQcLAjAJBgcEAIvsSQEC +MFEGBgQAgZgnAjBHMBMwEQYHBACBmCcBBAwGUFNQX0lDDCdGZWRlcmFsIEZpbmFu +Y2lhbCBTdXBlcnZpc29yeSBBdXRob3JpdHkMB1NFLUZJTkEwDQYJKoZIhvcNAQEL +BQADggEBACf/ai6od/+rwOSv/Ivba1xqfMhwXL2wbBxKh/sor/4CmPqYT2nQC46z +UvDdQypUaBNMI0OY+W4QZXob32HtNrIJWpHQHW3hW9EOYXRkt7+axwYSNZ+KNIeS +m5ZiHR+jBZO5jkfrcQa312ZTKdrwNf5qU2NZzFk0aAHfSsMknVfXDIbuLrFGerSC +RzPYbqGxBaL7E1xflqzvKx2c5NCm92YD2sG+TA3nKotu2TiioW/sbRNGtv7LeiqM +zWaQUZxrU6XbvY4pyDksrbZkMgYm7Cw+zXQUYioGzaX3JnORgNnPebb9jDgymJzN +YTC28G7Q2UZgdXVJ1NmCx8hk2pPB4BA= +-----END CERTIFICATE----- diff --git a/v3/testdata/QcStmtPsd2Cert49ValidNationalScheme.pem b/v3/testdata/QcStmtPsd2Cert49ValidNationalScheme.pem new file mode 100644 index 000000000..8d9e42174 --- /dev/null +++ b/v3/testdata/QcStmtPsd2Cert49ValidNationalScheme.pem @@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 01:da:28:7a:e2:eb:48:f0:c4:48:a9:4b:ec + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE + Validity + Not Before: Nov 1 08:03:01 2019 GMT + Not After : Nov 1 08:03:01 2020 GMT + Subject: O = MTG, OU = Test, L = Darmstadt, ST = Hessen, C = DE, organizationIdentifier = EI:SE-5567971433 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08: + f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26: + ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a: + ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58: + 96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01: + 45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90: + 57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18: + 3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36: + 9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd: + 9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db: + 94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56: + d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9: + 7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3: + cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f: + 7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83: + 1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80: + d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e: + 75:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12 + + X509v3 Subject Key Identifier: + 0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Alternative Name: + DNS:www.example.com + Authority Information Access: + CA Issuers - URI:http://ca.example.com/ca.crt + OCSP - URI:http://ocsp.example.com/ocsp + + X509v3 Certificate Policies: + Policy: 0.4.0.194112.1.4 + Policy: 0.4.0.19495.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + qcStatements: + 0..0......F..0......F..0......F...0/..+.......0#......I..0...http://www.example.de/0Q......'.0G0.0.......'....PSP_IC.'Federal Financial Supervisory Authority..SE-FINA + Signature Algorithm: sha256WithRSAEncryption + 14:cf:0e:55:25:b5:50:a2:76:a6:d0:43:cc:4f:5d:bd:ab:c3: + 30:42:b1:7f:70:b4:72:91:4b:8e:4a:51:9f:ab:ea:01:23:60: + 03:84:7b:05:10:84:dd:02:bf:44:6a:73:e1:71:b4:be:3f:2d: + 36:b7:b0:50:1e:fc:1f:b9:14:a4:6b:c2:7e:ff:1f:44:6d:f1: + 86:52:62:95:43:78:a4:0f:cc:05:29:a6:a1:62:88:1a:0c:54: + 13:d1:b6:74:29:57:b4:f4:8d:5a:f2:aa:46:8d:7f:d9:6d:fd: + fe:18:02:e2:ac:83:72:28:01:66:3c:fd:ee:a2:ae:ad:d2:fa: + 39:e8:bd:8b:fd:cb:0a:aa:36:28:b8:71:bc:4b:70:f0:8d:4b: + ec:2d:4b:6b:5b:63:ac:af:2c:61:00:dd:c3:ca:fc:47:cb:23: + cc:c4:00:33:37:d4:c9:cb:f5:12:42:1e:ea:48:be:b5:9e:14: + fe:ec:77:a0:b6:24:15:b1:e9:ea:8e:56:e2:df:11:42:27:3a: + cd:42:d9:c4:e4:63:4c:19:52:91:03:1b:bd:af:b5:b4:80:0c: + ce:9d:49:c8:ce:b7:b3:5c:ef:6c:fd:20:8d:18:ab:b1:d6:89: + f9:73:b0:b8:4a:8b:f9:f2:0b:8f:e1:22:a7:30:ff:fd:9f:f5: + c4:dc:b4:2b +-----BEGIN CERTIFICATE----- +MIIFDDCCA/SgAwIBAgINAdooeuLrSPDESKlL7DANBgkqhkiG9w0BAQsFADBBMRUw +EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U +RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjBq +MQwwCgYDVQQKDANNVEcxDTALBgNVBAsMBFRlc3QxEjAQBgNVBAcMCURhcm1zdGFk +dDEPMA0GA1UECAwGSGVzc2VuMQswCQYDVQQGEwJERTEZMBcGA1UEYQwQRUk6U0Ut +NTU2Nzk3MTQzMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMINgXG0 +lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSKummj68oQpPPP +tcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nbi8M1DbNB9BvC +Sn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTtLWQkd+ZnTWLb +lC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYOrl/8zcazy02u +jkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0cXCA09Zzv3Yz +XHC4b4c3Pn6OdeUCAwEAAaOCAdgwggHUMB8GA1UdIwQYMBaAFAxenP66SyFsBB3C +WrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZDOzAOBgNVHQ8B +Af8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5j +b20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8vY2EuZXhhbXBs +ZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5leGFtcGxlLmNv +bS9vY3NwMB8GA1UdIAQYMBYwCQYHBACL7EABBDAJBgcEAIGYJwMBMB0GA1UdJQQW +MBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBswYIKwYBBQUHAQMEgaYwgaMwCAYGBACO +RgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYDMC8GCCsGAQUFBwsCMCMGBwQAi+xJAQIw +GIYWaHR0cDovL3d3dy5leGFtcGxlLmRlLzBRBgYEAIGYJwIwRzATMBEGBwQAgZgn +AQQMBlBTUF9JQwwnRmVkZXJhbCBGaW5hbmNpYWwgU3VwZXJ2aXNvcnkgQXV0aG9y +aXR5DAdTRS1GSU5BMA0GCSqGSIb3DQEBCwUAA4IBAQAUzw5VJbVQonam0EPMT129 +q8MwQrF/cLRykUuOSlGfq+oBI2ADhHsFEITdAr9EanPhcbS+Py02t7BQHvwfuRSk +a8J+/x9EbfGGUmKVQ3ikD8wFKaahYogaDFQT0bZ0KVe09I1a8qpGjX/Zbf3+GALi +rINyKAFmPP3uoq6t0vo56L2L/csKqjYouHG8S3DwjUvsLUtrW2OsryxhAN3DyvxH +yyPMxAAzN9TJy/USQh7qSL61nhT+7HegtiQVsenqjlbi3xFCJzrNQtnE5GNMGVKR +Axu9r7W0gAzOnUnIzrezXO9s/SCNGKux1on5c7C4Sov58guP4SKnMP/9n/XE3LQr +-----END CERTIFICATE----- diff --git a/v3/util/alt_reg_num_ev.go b/v3/util/alt_reg_num_ev.go new file mode 100644 index 000000000..5d0033c08 --- /dev/null +++ b/v3/util/alt_reg_num_ev.go @@ -0,0 +1,75 @@ +package util + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "github.com/zmap/zcrypto/encoding/asn1" +) + +type RDNSequence []RelativeDistinguishedNameSET + +type RelativeDistinguishedNameSET []AttributeTypeAndValue + +type AttributeTypeAndValue struct { + Type asn1.ObjectIdentifier + Value asn1.RawValue +} + +type parsedSubjectElement struct { + IsPresent bool + Value string + Asn1RawValue asn1.RawValue + ErrorString string +} + +type ParsedEvOrgId struct { + Rsi, Country, StateOrProvince, RegRef string +} + +func GetSubjectOrgId(rawSubject []byte) parsedSubjectElement { + return GetSubjectElement(rawSubject, CabfSubjectOrganizationIdentifier) +} +func GetSubjectElement(rawSubject []byte, soughtOid asn1.ObjectIdentifier) parsedSubjectElement { + result := parsedSubjectElement{IsPresent: false, Value: "", ErrorString: ""} + var nl RDNSequence + + rest, err := asn1.Unmarshal(rawSubject, &nl) // parse the sequence of sets, i.e. each list element in nl will be a set + if err != nil { + return parsedSubjectElement{IsPresent: false, Value: "", ErrorString: "error parsing outer SEQ of subject DN"} + } + if len(rest) != 0 { + return parsedSubjectElement{IsPresent: false, ErrorString: "rest len of outer seq != 0 in subject DN", Value: ""} + } + for _, item := range nl { + for _, typeAndValue := range item { + if typeAndValue.Type.Equal(soughtOid) { + if result.IsPresent { + AppendToStringSemicolonDelim(&result.ErrorString, "double AVA found in subject:... encountered, this is not expected") + return result + } + result.IsPresent = true + var parsedString string + _, _ = asn1.Unmarshal(typeAndValue.Value.FullBytes, &parsedString) + result.Value = parsedString + result.Asn1RawValue = typeAndValue.Value + } + } + } + return result +} + +type ParsedOrgId struct { + Rsi, Country, SubDiv, RegRef string +} diff --git a/v3/util/oid.go b/v3/util/oid.go index ec81a9041..35742ad8c 100644 --- a/v3/util/oid.go +++ b/v3/util/oid.go @@ -95,27 +95,40 @@ var ( SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2} SHA512OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3} // other OIDs - OidRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1} - OidRSASSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10} - OidMD2WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2} - OidMD5WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4} - OidSHA1WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5} - OidSHA224WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 14} - OidSHA256WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} - OidSHA384WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} - OidSHA512WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} - AnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32, 0} - UserNoticeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2} - CpsOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1} - IdEtsiQcsQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1} - IdEtsiQcsQcLimitValue = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 2} - IdEtsiQcsQcRetentionPeriod = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 3} - IdEtsiQcsQcSSCD = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4} - IdEtsiQcsQcEuPDS = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 5} - IdEtsiQcsQcType = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6} - IdEtsiQcsQctEsign = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1} - IdEtsiQcsQctEseal = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 2} - IdEtsiQcsQctWeb = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3} + OidRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1} + OidRSASSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10} + OidMD2WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2} + OidMD5WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4} + OidSHA1WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5} + OidSHA224WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 14} + OidSHA256WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} + OidSHA384WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} + OidSHA512WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} + AnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32, 0} + UserNoticeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2} + CpsOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1} + IdEtsiQcsQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1} + IdEtsiQcsQcLimitValue = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 2} + IdEtsiQcsQcRetentionPeriod = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 3} + IdEtsiQcsQcSSCD = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4} + IdEtsiQcsQcEuPDS = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 5} + IdEtsiQcsQcType = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6} + IdEtsiQcsQctEsign = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1} + IdEtsiQcsQctEseal = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 2} + IdEtsiQcsQctWeb = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3} + IdEtsiPsd2Statem = asn1.ObjectIdentifier{0, 4, 0, 19495, 2} + IdEtsiPsd2RolePspAs = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 1} + IdEtsiPsd2RolePspPi = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 2} + IdEtsiPsd2RolePspAi = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 3} + IdEtsiPsd2RolePspIc = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 4} + IdEtsiQcsSemanticsIdLegal = asn1.ObjectIdentifier{0, 4, 0, 194121, 1, 2} + IdEtsiPolicyQcpNatural = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 0} + IdEtsiPolicyQcpLegal = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 1} + IdEtsiPolicyQcpNaturalQscd = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 2} + IdEtsiPolicyQcpLegalQscd = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 3} + IdEtsiPolicyQcpWeb = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 4} + IdQcsPkixQCSyntaxV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 11, 2} + CabfSubjectOrganizationIdentifier = asn1.ObjectIdentifier{2, 5, 4, 97} ) const ( diff --git a/v3/util/qc_stmt.go b/v3/util/qc_stmt.go index b258053d7..d46853f15 100644 --- a/v3/util/qc_stmt.go +++ b/v3/util/qc_stmt.go @@ -18,10 +18,24 @@ import ( "bytes" "fmt" "reflect" + "regexp" + "strings" + "unicode" "github.com/zmap/zcrypto/encoding/asn1" + "github.com/zmap/zcrypto/x509" ) +var EtsiQcStmtOidList = [...]*asn1.ObjectIdentifier{ + &IdEtsiQcsQcCompliance, + &IdEtsiQcsQcLimitValue, + &IdEtsiQcsQcRetentionPeriod, + &IdEtsiQcsQcSSCD, + &IdEtsiQcsQcEuPDS, + &IdEtsiQcsQcType, + &IdEtsiPsd2Statem, +} + type anyContent struct { Raw asn1.RawContent } @@ -30,10 +44,12 @@ type qcStatementWithInfoField struct { Oid asn1.ObjectIdentifier Any asn1.RawValue } + type qcStatementWithoutInfoField struct { Oid asn1.ObjectIdentifier } +// === etsi base ==> type etsiBase struct { errorInfo string isPresent bool @@ -47,6 +63,8 @@ func (this etsiBase) IsPresent() bool { return this.isPresent } +// <== etsi base === + type EtsiQcStmtIf interface { GetErrorInfo() string IsPresent() bool @@ -98,16 +116,76 @@ type EtsiQcPds struct { PdsLocations []PdsLocation } -func AppendToStringSemicolonDelim(this *string, s string) { - if len(*this) > 0 && len(s) > 0 { - (*this) += "; " +// ==== QcStatement 2 (RFC3739)types ===> + +type DecodedQcS2 struct { + etsiBase + Decoded QcStatemt2 +} +type QcStatemt2 struct { + SemanticsId asn1.ObjectIdentifier `asn1:"optional"` + NameRegAuthorities NameRegistrationAuthorities `asn1:"optional"` +} + +type NameRegistrationAuthorities []asn1.RawValue + +// <=== QcStatement 2 (RFC3739)types ==== + +// ==== PSD2 QcStatement types ===> +type Psd2RoleOfPspType int + +const ( + RoleAs Psd2RoleOfPspType = 1 + RolePi Psd2RoleOfPspType = 2 + RoleAi Psd2RoleOfPspType = 3 + RoleIc Psd2RoleOfPspType = 4 +) + +// === ASN.1 Types ==> +type Psd2RoleOfPsp struct { + RoleType asn1.ObjectIdentifier + RoleOfPspName string `asn1:"utf8"` +} + +type EtsiPsd2QcStatem struct { + Roles []Psd2RoleOfPsp + NCAName string `asn1:"utf8"` + CountryAndNCAId string `asn1:"utf8"` +} + +// <== ASN.1 Types === + +type EtsiPsd2 struct { + etsiBase + DecodedPsd2Statm EtsiPsd2QcStatem +} + +func (this EtsiPsd2) getCountryAndNcaId() (string, string) { + runes := []rune(this.DecodedPsd2Statm.CountryAndNCAId) + if len(this.DecodedPsd2Statm.CountryAndNCAId) < 4 || !unicode.IsUpper(runes[0]) || !unicode.IsUpper(runes[1]) || runes[2] != '-' { + return "", "" } - (*this) += s + return string(runes[0:2]), string(runes[3:]) } -func checkAsn1Reencoding(i interface{}, originalEncoding []byte, appendIfComparisonFails string) string { +func (this EtsiPsd2) GetNcaCountry() string { + co, _ := this.getCountryAndNcaId() + return co +} +func (this EtsiPsd2) GetNcaId() string { + _, ncaId := this.getCountryAndNcaId() + return ncaId +} + +// <=== PSD2 QcStatement types ==== + +func CheckAsn1Reencoding(i interface{}, originalEncoding []byte, appendIfComparisonFails string) string { + return CheckAsn1ReencodingWithParams(i, originalEncoding, appendIfComparisonFails, "") +} + +func CheckAsn1ReencodingWithParams(i interface{}, originalEncoding []byte, appendIfComparisonFails string, params string) string { result := "" - reencoded, marshErr := asn1.Marshal(i) + reencoded, marshErr := asn1.MarshalWithParams(i, params) if marshErr != nil { AppendToStringSemicolonDelim(&result, fmt.Sprintf("error reencoding ASN1 value of statementInfo field: %s", marshErr)) @@ -118,15 +196,122 @@ func checkAsn1Reencoding(i interface{}, originalEncoding []byte, appendIfCompari return result } +func CertHasSubjectOrgIdWithPrefix(c *x509.Certificate, prefix string) bool { + + if !IsExtInCert(c, QcStateOid) { + return false + } + if !ParseQcStatem(GetExtFromCert(c, QcStateOid).Value, IdEtsiPsd2Statem).IsPresent() { + return false + } + + orgId := GetSubjectOrgId(c.RawSubject) + if len(orgId.ErrorString) != 0 || !orgId.IsPresent { + return false + } + runes := []rune(orgId.Value) + prefixLen := len(prefix) + if len(runes) < prefixLen || string(runes[0:prefixLen]) != prefix { + return false + } + return true +} + +type EtsiPsd2OrgId struct { + Rsi, Country, NcaId, PspId string +} + +func ParseEtsiPsd2OrgId(oi *string) (string, EtsiPsd2OrgId) { + var result EtsiPsd2OrgId + re_psd := regexp.MustCompile(`^(PSD)([A-Z]{2})-([A-Z]{2,8})-(.+)$`) + re_generic := regexp.MustCompile(`^(.{3})([A-Z]{2})()-(.+)$`) + var sm []string + if re_psd.MatchString(*oi) { + sm = re_psd.FindStringSubmatch(*oi) + } else if !strings.HasPrefix(*oi, "PSD") && re_generic.MatchString(*oi) { + sm = re_generic.FindStringSubmatch(*oi) + } else { + return "invalid format of PSD2 organizationIdentifier", result + } + result.Rsi = sm[1] + result.Country = sm[2] + result.NcaId = sm[3] + result.PspId = sm[4] + return "", result +} + +func CheckEtsiPsd2OrgIdPsd(oi *string) string { + errStr, x := ParseEtsiPsd2OrgId(oi) + if len(errStr) != 0 { + return errStr + } + if x.Rsi != "PSD" { + return "ETSI PSD2 OrganizationIdentifier does not start with 'PSD'" + } + return "" +} + +func GetEtsiQcTypes(c *x509.Certificate) []asn1.ObjectIdentifier { + var result []asn1.ObjectIdentifier + ext := GetExtFromCert(c, QcStateOid) + if ext == nil { + return nil + } + s := ParseQcStatem(ext.Value, IdEtsiQcsQcType) + if len(s.GetErrorInfo()) != 0 { + return nil + } + if !s.IsPresent() { + return result + } + qcType := s.(Etsi423QcType) + result = append(result, qcType.TypeOids...) + return result +} + +func HasCertAnyEtsiQcpPolicy(c *x509.Certificate) bool { + for _, p := range c.PolicyIdentifiers { + if p.Equal(IdEtsiPolicyQcpNatural) || p.Equal(IdEtsiPolicyQcpLegal) || p.Equal(IdEtsiPolicyQcpNaturalQscd) || p.Equal(IdEtsiPolicyQcpLegalQscd) || p.Equal(IdEtsiPolicyQcpWeb) { + return true + } + } + return false + +} + +func HasCertPolicy(c *x509.Certificate, soughtPolicyOid asn1.ObjectIdentifier) bool { + + for _, policyOid := range c.PolicyIdentifiers { + if policyOid.Equal(soughtPolicyOid) { + return true + } + } + return false +} + +func HasCertEtsiQcType(c *x509.Certificate, soughtTypeOid asn1.ObjectIdentifier) bool { + typeList := GetEtsiQcTypes(c) + if typeList == nil { + return false + } + for _, typeOid := range typeList { + if typeOid.Equal(soughtTypeOid) { + return true + } + } + return false +} + +func HasCertAnyEtsiQcStatement(c *x509.Certificate) bool { + ext := GetExtFromCert(c, QcStateOid) + if ext == nil { + return false + } + return IsAnyEtsiQcStatementPresent(ext.Value) +} + func IsAnyEtsiQcStatementPresent(extVal []byte) bool { - oidList := make([]*asn1.ObjectIdentifier, 6) - oidList[0] = &IdEtsiQcsQcCompliance - oidList[1] = &IdEtsiQcsQcLimitValue - oidList[2] = &IdEtsiQcsQcRetentionPeriod - oidList[3] = &IdEtsiQcsQcSSCD - oidList[4] = &IdEtsiQcsQcEuPDS - oidList[5] = &IdEtsiQcsQcType - for _, oid := range oidList { + for _, oid := range EtsiQcStmtOidList { r := ParseQcStatem(extVal, *oid) if r.IsPresent() { return true @@ -135,7 +320,29 @@ func IsAnyEtsiQcStatementPresent(extVal []byte) bool { return false } -//nolint:gocyclo +func IsQcStatemPresent(c *x509.Certificate, oid *asn1.ObjectIdentifier) (string, bool) { + if !IsExtInCert(c, QcStateOid) { + return "", false + } + qcs := ParseQcStatem(GetExtFromCert(c, QcStateOid).Value, *oid) + if qcs.GetErrorInfo() != "" { + return qcs.GetErrorInfo(), qcs.IsPresent() + } + return "", qcs.IsPresent() +} + +func CheckNationalScheme(oi string) bool { + if len(oi) < 6 { + return false + } + re := regexp.MustCompile(`^.{2}:[A-Z]{2}-.+$`) + return re.MatchString(oi) +} + +func GetQcStatemExtValue(c *x509.Certificate) []byte { + return GetExtFromCert(c, QcStateOid).Value +} + func ParseQcStatem(extVal []byte, sought asn1.ObjectIdentifier) EtsiQcStmtIf { sl := make([]anyContent, 0) rest, err := asn1.Unmarshal(extVal, &sl) @@ -170,85 +377,155 @@ func ParseQcStatem(extVal []byte, sought asn1.ObjectIdentifier) EtsiQcStmtIf { continue } if statem.Oid.Equal(IdEtsiQcsQcCompliance) { - etsiObj := Etsi421QualEuCert{etsiBase: etsiBase{isPresent: true}} - statemWithoutInfo := qcStatementWithoutInfoField{Oid: statem.Oid} - AppendToStringSemicolonDelim(&etsiObj.errorInfo, checkAsn1Reencoding(reflect.ValueOf(statemWithoutInfo).Interface(), raw.Raw, - "invalid format of ETSI Complicance statement")) - return etsiObj + return handleIdEtsiQcsQcCompliance(statem, raw) } else if statem.Oid.Equal(IdEtsiQcsQcLimitValue) { - etsiObj := EtsiQcLimitValue{etsiBase: etsiBase{isPresent: true}} - numErr := false - alphErr := false - var numeric EtsiMonetaryValueNum - var alphabetic EtsiMonetaryValueAlph - restNum, errNum := asn1.Unmarshal(statem.Any.FullBytes, &numeric) - if len(restNum) != 0 || errNum != nil { - numErr = true - } else { - etsiObj.IsNum = true - etsiObj.Amount = numeric.Amount - etsiObj.Exponent = numeric.Exponent - etsiObj.CurrencyNum = numeric.Iso4217CurrencyCodeNum - - } - if numErr { - restAlph, errAlph := asn1.Unmarshal(statem.Any.FullBytes, &alphabetic) - if len(restAlph) != 0 || errAlph != nil { - alphErr = true - } else { - etsiObj.IsNum = false - etsiObj.Amount = alphabetic.Amount - etsiObj.Exponent = alphabetic.Exponent - etsiObj.CurrencyAlph = alphabetic.Iso4217CurrencyCodeAlph - AppendToStringSemicolonDelim(&etsiObj.errorInfo, - checkAsn1Reencoding(reflect.ValueOf(alphabetic).Interface(), - statem.Any.FullBytes, "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used")) - } - } - if numErr && alphErr { - etsiObj.errorInfo = "error parsing the ETSI Qc Statement statementInfo field" - } - return etsiObj - + return handleIdEtsiQcsQcLimitValue(statem) } else if statem.Oid.Equal(IdEtsiQcsQcRetentionPeriod) { - etsiObj := EtsiQcRetentionPeriod{etsiBase: etsiBase{isPresent: true}} - rest, err := asn1.Unmarshal(statem.Any.FullBytes, &etsiObj.Period) - - if len(rest) != 0 || err != nil { - etsiObj.errorInfo = "error parsing the statementInfo field" - } - return etsiObj + return handleIdEtsiQcsQcRetentionPeriod(statem) } else if statem.Oid.Equal(IdEtsiQcsQcSSCD) { - etsiObj := EtsiQcSscd{etsiBase: etsiBase{isPresent: true}} - statemWithoutInfo := qcStatementWithoutInfoField{Oid: statem.Oid} - AppendToStringSemicolonDelim(&etsiObj.errorInfo, checkAsn1Reencoding(reflect.ValueOf(statemWithoutInfo).Interface(), raw.Raw, - "invalid format of ETSI SCSD statement")) - return etsiObj + return handleIdEtsiQcsQcSSCD(statem, raw) } else if statem.Oid.Equal(IdEtsiQcsQcEuPDS) { - etsiObj := EtsiQcPds{etsiBase: etsiBase{isPresent: true}} - rest, err := asn1.Unmarshal(statem.Any.FullBytes, &etsiObj.PdsLocations) - if len(rest) != 0 || err != nil { - etsiObj.errorInfo = "error parsing the statementInfo field" - } else { - AppendToStringSemicolonDelim(&etsiObj.errorInfo, - checkAsn1Reencoding(reflect.ValueOf(etsiObj.PdsLocations).Interface(), statem.Any.FullBytes, - "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used")) - } - return etsiObj + return handleIdEtsiQcsQcEuPDS(statem) } else if statem.Oid.Equal(IdEtsiQcsQcType) { - var qcType Etsi423QcType - qcType.isPresent = true - rest, err := asn1.Unmarshal(statem.Any.FullBytes, &qcType.TypeOids) - if len(rest) != 0 || err != nil { - return etsiBase{errorInfo: "error parsing IdEtsiQcsQcType extension statementInfo field", isPresent: true} - } - return qcType + return handleIdEtsiQcsQcType(statem) + } else if statem.Oid.Equal(IdEtsiPsd2Statem) { + return handleIdEtsiPsd2Statem(statem) + } else if statem.Oid.Equal(IdQcsPkixQCSyntaxV2) { + return handleIdQcsPkixQCSyntaxV2(statem) } else { return etsiBase{errorInfo: "", isPresent: true} } - } return etsiBase{errorInfo: "", isPresent: false} } + +func handleIdQcsPkixQCSyntaxV2(statem qcStatementWithInfoField) EtsiQcStmtIf { + var qcs2Statem DecodedQcS2 + qcs2Statem.isPresent = true + if len(statem.Any.FullBytes) == 0 { + return qcs2Statem + } + rest, err := asn1.Unmarshal(statem.Any.FullBytes, &qcs2Statem.Decoded) + if err != nil { + AppendToStringSemicolonDelim(&qcs2Statem.errorInfo, "error parsing statement: "+err.Error()) + } + if len(rest) != 0 { + AppendToStringSemicolonDelim(&qcs2Statem.errorInfo, "trailing bytes after QcStatement") + } + return qcs2Statem +} + +func handleIdEtsiPsd2Statem(statem qcStatementWithInfoField) EtsiQcStmtIf { + var psd2Statem EtsiPsd2 + psd2Statem.isPresent = true + rest, err := asn1.Unmarshal(statem.Any.FullBytes, &psd2Statem.DecodedPsd2Statm) + if len(rest) != 0 || err != nil { + return etsiBase{errorInfo: "error parsing IdEtsiPsd2Statem extension statementInfo field", isPresent: true} + } + if psd2Statem.DecodedPsd2Statm.CountryAndNCAId == "" || psd2Statem.DecodedPsd2Statm.NCAName == "" { + AppendToStringSemicolonDelim(&psd2Statem.errorInfo, "field has length 0") + } + for _, role := range psd2Statem.DecodedPsd2Statm.Roles { + if role.RoleOfPspName == "" { + AppendToStringSemicolonDelim(&psd2Statem.errorInfo, "field has length 0") + } + } + AppendToStringSemicolonDelim(&psd2Statem.errorInfo, + CheckAsn1Reencoding(reflect.ValueOf(psd2Statem.DecodedPsd2Statm).Interface(), statem.Any.FullBytes, + "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used")) + return psd2Statem +} + +func handleIdEtsiQcsQcType(statem qcStatementWithInfoField) EtsiQcStmtIf { + var qcType Etsi423QcType + qcType.isPresent = true + rest, err := asn1.Unmarshal(statem.Any.FullBytes, &qcType.TypeOids) + if len(rest) != 0 || err != nil { + return etsiBase{errorInfo: "error parsing IdEtsiQcsQcType extension statementInfo field", isPresent: true} + } + return qcType +} + +func handleIdEtsiQcsQcEuPDS(statem qcStatementWithInfoField) EtsiQcStmtIf { + etsiObj := EtsiQcPds{etsiBase: etsiBase{isPresent: true}} + rest, err := asn1.Unmarshal(statem.Any.FullBytes, &etsiObj.PdsLocations) + if len(rest) != 0 || err != nil { + etsiObj.errorInfo = "error parsing the statementInfo field" + } else { + AppendToStringSemicolonDelim(&etsiObj.errorInfo, + CheckAsn1Reencoding(reflect.ValueOf(etsiObj.PdsLocations).Interface(), statem.Any.FullBytes, + "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used")) + } + return etsiObj +} + +func handleIdEtsiQcsQcSSCD(statem qcStatementWithInfoField, raw anyContent) EtsiQcStmtIf { + etsiObj := EtsiQcSscd{etsiBase: etsiBase{isPresent: true}} + statemWithoutInfo := qcStatementWithoutInfoField{Oid: statem.Oid} + AppendToStringSemicolonDelim(&etsiObj.errorInfo, CheckAsn1Reencoding(reflect.ValueOf(statemWithoutInfo).Interface(), raw.Raw, + "invalid format of ETSI SCSD statement")) + return etsiObj +} + +func handleIdEtsiQcsQcRetentionPeriod(statem qcStatementWithInfoField) EtsiQcStmtIf { + etsiObj := EtsiQcRetentionPeriod{etsiBase: etsiBase{isPresent: true}} + rest, err := asn1.Unmarshal(statem.Any.FullBytes, &etsiObj.Period) + + if len(rest) != 0 || err != nil { + etsiObj.errorInfo = "error parsing the statementInfo field" + } + return etsiObj +} + +func handleIdEtsiQcsQcLimitValue(statem qcStatementWithInfoField) EtsiQcStmtIf { + etsiObj := EtsiQcLimitValue{etsiBase: etsiBase{isPresent: true}} + numErr := false + alphErr := false + var numeric EtsiMonetaryValueNum + var alphabetic EtsiMonetaryValueAlph + restNum, errNum := asn1.Unmarshal(statem.Any.FullBytes, &numeric) + if len(restNum) != 0 || errNum != nil { + numErr = true + } else { + etsiObj.IsNum = true + etsiObj.Amount = numeric.Amount + etsiObj.Exponent = numeric.Exponent + etsiObj.CurrencyNum = numeric.Iso4217CurrencyCodeNum + + } + if numErr { + restAlph, errAlph := asn1.Unmarshal(statem.Any.FullBytes, &alphabetic) + if len(restAlph) != 0 || errAlph != nil { + alphErr = true + } else { + etsiObj.IsNum = false + etsiObj.Amount = alphabetic.Amount + etsiObj.Exponent = alphabetic.Exponent + etsiObj.CurrencyAlph = alphabetic.Iso4217CurrencyCodeAlph + AppendToStringSemicolonDelim(&etsiObj.errorInfo, + CheckAsn1Reencoding(reflect.ValueOf(alphabetic).Interface(), + statem.Any.FullBytes, "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used")) + } + } + if numErr && alphErr { + etsiObj.errorInfo = "error parsing the ETSI Qc Statement statementInfo field" + } + return etsiObj +} + +func handleIdEtsiQcsQcCompliance(statem qcStatementWithInfoField, raw anyContent) EtsiQcStmtIf { + etsiObj := Etsi421QualEuCert{etsiBase: etsiBase{isPresent: true}} + statemWithoutInfo := qcStatementWithoutInfoField{Oid: statem.Oid} + AppendToStringSemicolonDelim(&etsiObj.errorInfo, CheckAsn1Reencoding(reflect.ValueOf(statemWithoutInfo).Interface(), raw.Raw, + "invalid format of ETSI Complicance statement")) + return etsiObj +} + +func AppendToStringSemicolonDelim(this *string, s string) { + if len(*this) > 0 && len(s) > 0 { + (*this) += "; " + } + (*this) += s +} diff --git a/v3/util/time.go b/v3/util/time.go index 0f3a1948c..64500dbf8 100644 --- a/v3/util/time.go +++ b/v3/util/time.go @@ -78,8 +78,12 @@ var ( CABFBRs_2_0_0_Date = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC) NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC) CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC) - SC17EffectiveDate = time.Date(2019, time.June, 21, 0, 0, 0, 0, time.UTC) - CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC) + EtsiPSD2Date = time.Date(2018, time.November, 1, 0, 0, 0, 0, time.UTC) + CABAltRegNumEvExtMandDate = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC) + CABAltRegNumEvDate = time.Date(2019, time.June, 21, 0, 0, 0, 0, time.UTC) + + SC17EffectiveDate = time.Date(2019, time.June, 21, 0, 0, 0, 0, time.UTC) + CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC) // Enforcement date of CRL reason codes from Ballot SC 061 CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC) // Updates to the CABF BRs and EVGLs from Ballot SC 062 https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/