STNDS-508: Add validator for eIDAS LegalPerson OrgId (#53)

pkilint/etsi/__init__.py

@@ -159,6 +159,7 @@ def create_validators(certificate_type: CertificateType) -> List[validation.Vali
     subject_validators = [
         en_319_412_1.LegalPersonOrganizationIdentifierValidator(),
         en_319_412_1.NaturalPersonIdentifierValidator(),
+        en_319_412_1.EidasLegalPersonIdentifierValidator(),
         organization_id.OrganizationIdentifierLeiValidator(),
     ]
 

pkilint/etsi/en_319_412_1.py

@@ -282,6 +282,62 @@ def validate(self, node):
         return validation.ValidationResult(self, node, findings)
 
 
+class EidasLegalPersonIdentifierValidator(validation.Validator):
+    """
+    LEG-5.1.6-03: Any organizationIdentifier attribute present in the subject field of the certificate shall
+    comply with the content requirement specified for the eIDAS LegalPersonIdentifier attribute.
+
+    From eIDAS SAML Attribute Profile v1.2 Final, section 2.5:
+    - The Unique Identifier MUST NOT contain any whitespace.
+    - The Unique Identifier MUST NOT exceed a total of 256 characters.
+    """
+    VALIDATION_EIDAS_LEGAL_PERSON_IDENTIFIER_WHITESPACE_PRESENT = validation.ValidationFinding(
+        validation.ValidationFindingSeverity.ERROR,
+        'etsi.en_319_412_1.leg-5.1.6-03.eidas_legal_person_identifier_whitespace_present'
+    )
+
+    VALIDATION_EIDAS_LEGAL_PERSON_IDENTIFIER_TOO_LONG = validation.ValidationFinding(
+        validation.ValidationFindingSeverity.ERROR,
+        'etsi.en_319_412_1.leg-5.1.6-03.eidas_legal_person_identifier_too_long'
+    )
+
+    _MAX_LENGTH = 256
+
+    def __init__(self):
+        super().__init__(
+            validations=[
+                self.VALIDATION_EIDAS_LEGAL_PERSON_IDENTIFIER_WHITESPACE_PRESENT,
+                self.VALIDATION_EIDAS_LEGAL_PERSON_IDENTIFIER_TOO_LONG,
+            ],
+            pdu_class=x520_name.X520OrganizationIdentifier
+        )
+
+    def match(self, node):
+        # noinspection PyTypeChecker
+        return super().match(node) and _cert_has_semantics_id(
+            en_319_412_1.id_etsi_qcs_SemanticsId_eIDASLegal,
+            node.document
+        )
+
+    def validate(self, node):
+        value = str(node.child[1].pdu)
+
+        if any(c.isspace() for c in value):
+            raise validation.ValidationFindingEncountered(
+                self.VALIDATION_EIDAS_LEGAL_PERSON_IDENTIFIER_WHITESPACE_PRESENT,
+                f'Whitespace present in organization identifier: "{value}"'
+            )
+
+        value_len = len(value)
+
+        if value_len > self._MAX_LENGTH:
+            raise validation.ValidationFindingEncountered(
+                self.VALIDATION_EIDAS_LEGAL_PERSON_IDENTIFIER_TOO_LONG,
+                f'Organization identifier "{value}" ({value_len} characters) exceeds maximum length of '
+                f'{self._MAX_LENGTH} characters'
+            )
+
+
 class NameRegistrationAuthoritiesValidatorBase(validation.Validator):
     def __init__(
             self,

tests/integration_certificate/etsi/qncp_w_gen_legal_person_eidas_final_certificate/eidas_legal_person_id_too_long.crttest

@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----
+MIIIQTCCBimgAwIBAgIQVZHNRxiZp9LoR1nlajD1DDANBgkqhkiG9w0BAQsFADCB
+oTELMAkGA1UEBhMCR1IxNjA0BgNVBAoTLUhFTExFTklDIEVYQ0hBTkdFUyAtIEFU
+SEVOUyBTVE9DSyBFWENIQU5HRSBTQTEvMC0GA1UEAxMmQVRIRVggUXVhbGlmaWVk
+IFdFQiBDZXJ0aWZpY2F0ZXMgQ0EtRzMxDzANBgNVBAcTBkF0aGVuczEYMBYGA1UE
+YRMPVkFURUwtMDk5NzU1MTA4MB4XDTI0MDQxMTE0MTY1NVoXDTI1MDQxMTE0MTY1
+NVowggG7MQswCQYDVQQGEwJHUjE2MDQGA1UEChMtSEVMTEVOSUMgRVhDSEFOR0VT
+IC0gQVRIRU5TIFNUT0NLIEVYQ0hBTkdFIFNBMYIBDjCCAQoGA1UEYROCAQFhYWFh
+YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
+YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
+YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
+YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
+YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
+YWFhYWFhYWFhYWFhYTEdMBsGA1UEAxMUd2ViZHNzLmF0aGV4Z3JvdXAuZ3IxDzAN
+BgNVBAcTBkF0aGVuczETMBEGCysGAQQBgjc8AgEDEwJHUjEdMBsGA1UEDxMUUHJp
+dmF0ZSBPcmdhbml6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC4IRER3+RSdMkB84htWhzmrcFTqJ47yJtZAgvDxw0aWYWVtyW2SMtygVUZSfp5
+ewE8OA9tdCa6oIuap6hKgZpQnkxS9RP0JRyHrJjxOc4sUUtbOHMCV5hq4Lkonh01
+DAsad9tVqR4naUSHsPI8v+93fjigi3vBsf5nGeBRrCTBYs8IKqoCC+Z2WWbwRCB6
+ct+ODsqbLwRxT54WY9iTaCNc/71rUlvIo3nkd/H17MCkoBdv4Ec3NG1Jo18FnkAT
+yM12Xzhet+Wvvx0yjewRrFxak/wGZ4GGX1Dzy4wHfsceQjAtiZk2oWcn3/mk6oVA
+0ynF2a/4CmT1OZiWGOTqNnxTAgMBAAGjggJWMIICUjAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUIpkkVwZsVnWO2+t9eWWcUzWp0ZEw
+RAYIKwYBBQUHAQMEODA2MAgGBgQAjkYBATATBgYEAI5GAQYwCQYHBACORgEGAzAV
+BggrBgEFBQcLAjAJBgcEAIvsSQEEMIGXBggrBgEFBQcBAQSBijCBhzA4BggrBgEF
+BQcwAYYsaHR0cDovL29jc3AuYXRoZXhncm91cC5nci9BdGhleFF1YWxpZmllZENB
+RzMwSwYIKwYBBQUHMAKGP2h0dHA6Ly9yZXBvLmF0aGV4Z3JvdXAuZ3IvQVRIRVhR
+dWFsaWZpZWRXRUJDZXJ0aWZpY2F0ZXNDQUczLmNydDAlBgNVHSAEHjAcMA8GDSsG
+AQQBgeVaAQNkAQQwCQYHBACL7EABBjBPBgNVHR8ESDBGMESgQqBAhj5odHRwOi8v
+Y3JsLmF0aGV4Z3JvdXAuZ3IvQVRIRVhRdWFsaWZpZWRXRUJDZXJ0aWZpY2F0ZXND
+QUczLmNybDAdBgNVHQ4EFgQU07VGL6HuADDUGfAmLWYcVX4vqG0wDgYDVR0PAQH/
+BAQDAgeAMHsGA1UdEQR0MHKCFHdlYmRzcy5hdGhleGdyb3VwLmdyghh3ZWJkc3Nt
+b2NrLmF0aGV4Z3JvdXAuZ3KCGndlYmRzcy1ycHhyMS5pbmV0LmhlbGV4Lmdygg9k
+c3MuYXRoZXhuZXQuZ3KCE2Rzc21vY2suYXRoZXhuZXQuZ3IwDAYDVR0TAQH/BAIw
+ADANBgkqhkiG9w0BAQsFAAOCAgEAmXiG4SmvTWDGoaEXOQJuFlhbjwG/7MZCh18G
+eEhIfkOP0ClvalQImI8gbLo1DecfKDLLXLZpb7UTGtnpkKa2bDb+KyTyr3Aprg9L
++KnX4jM6KfrteZgDP63TcxGXnr3C3Mf5Y8vaFvlmazACRM/r830mnUj1yvK8c7Zk
+IRhmt5a2C8lBoMFD+q15QqdU0vK4mV72EBi+xYRuAg7GVZoPM+dZhiNm5dvKjAia
+aOG58XKsnaeDDCDDWwjRJ7m8Y5ZaP6L8oGotvCmnXUjJcAmSE1MlXEjkHsGkCqgw
+Y6Wp/jDh4KpT8dQov1kg4dIKU9PNpdLjmmk/Jv7PMsG7i+3Q8lMCHfCe6NxFnc3G
+Z62x6Gq6dKnIqDQzMvYUOnEPfVcfOaWmrmFAaBfVAXfRaXcgAPDknNPgCkdbi5yw
+uvbYckFOcVpv+1u+KqDYdxUMCSxSpls+o0J6c38FbcmuFfB7BYB8cTgucNAGUBur
+3ku6KO8fHcxpO3zLvA9I6LNhOmvLX24dPRprFd8uK+FiciNxbA3CjDGNUtJUErRM
+G8RRUXYPAM0tF9fZpKm3SurevG01yO8m/AcmsMuKjzJ9LIle7ioZtDc7C64ldoQ+
+IEA1QRyRo8qDml25rgvC3vTyQ4bngTunPPfEsSO04NT71G7va3DyV/VGVbCnlkj7
+sIHIPRY=
+-----END CERTIFICATE-----
+
+node_path,validator,severity,code,message
+certificate.tbsCertificate.subject.rdnSequence.2.0.value.x520OrganizationIdentifier,EidasLegalPersonIdentifierValidator,ERROR,etsi.en_319_412_1.leg-5.1.6-03.eidas_legal_person_identifier_too_long,"Organization identifier ""aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"" (257 characters) exceeds maximum length of 256 characters"
+certificate.tbsCertificate.extensions.6.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified,

tests/integration_certificate/etsi/qncp_w_gen_legal_person_eidas_final_certificate/eidas_legal_person_id_whitespace.crttest

@@ -0,0 +1,45 @@
+-----BEGIN CERTIFICATE-----
+MIIHSTCCBTGgAwIBAgIQVZHNRxiZp9LoR1nlajD1DDANBgkqhkiG9w0BAQsFADCB
+oTELMAkGA1UEBhMCR1IxNjA0BgNVBAoTLUhFTExFTklDIEVYQ0hBTkdFUyAtIEFU
+SEVOUyBTVE9DSyBFWENIQU5HRSBTQTEvMC0GA1UEAxMmQVRIRVggUXVhbGlmaWVk
+IFdFQiBDZXJ0aWZpY2F0ZXMgQ0EtRzMxDzANBgNVBAcTBkF0aGVuczEYMBYGA1UE
+YRMPVkFURUwtMDk5NzU1MTA4MB4XDTI0MDQxMTE0MTY1NVoXDTI1MDQxMTE0MTY1
+NVowgcQxCzAJBgNVBAYTAkdSMTYwNAYDVQQKEy1IRUxMRU5JQyBFWENIQU5HRVMg
+LSBBVEhFTlMgU1RPQ0sgRVhDSEFOR0UgU0ExGTAXBgNVBGETEFZBVEVMLTA5OTc1
+IDUxMDgxHTAbBgNVBAMTFHdlYmRzcy5hdGhleGdyb3VwLmdyMQ8wDQYDVQQHEwZB
+dGhlbnMxEzARBgsrBgEEAYI3PAIBAxMCR1IxHTAbBgNVBA8TFFByaXZhdGUgT3Jn
+YW5pemF0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuCEREd/k
+UnTJAfOIbVoc5q3BU6ieO8ibWQILw8cNGlmFlbcltkjLcoFVGUn6eXsBPDgPbXQm
+uqCLmqeoSoGaUJ5MUvUT9CUch6yY8TnOLFFLWzhzAleYauC5KJ4dNQwLGnfbVake
+J2lEh7DyPL/vd344oIt7wbH+ZxngUawkwWLPCCqqAgvmdllm8EQgenLfjg7Kmy8E
+cU+eFmPYk2gjXP+9a1JbyKN55Hfx9ezApKAXb+BHNzRtSaNfBZ5AE8jNdl84Xrfl
+r78dMo3sEaxcWpP8BmeBhl9Q88uMB37HHkIwLYmZNqFnJ9/5pOqFQNMpxdmv+Apk
+9TmYlhjk6jZ8UwIDAQABo4ICVjCCAlIwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMCMB8GA1UdIwQYMBaAFCKZJFcGbFZ1jtvrfXllnFM1qdGRMEQGCCsGAQUF
+BwEDBDgwNjAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYBBgMwFQYIKwYBBQUH
+CwIwCQYHBACL7EkBBDCBlwYIKwYBBQUHAQEEgYowgYcwOAYIKwYBBQUHMAGGLGh0
+dHA6Ly9vY3NwLmF0aGV4Z3JvdXAuZ3IvQXRoZXhRdWFsaWZpZWRDQUczMEsGCCsG
+AQUFBzAChj9odHRwOi8vcmVwby5hdGhleGdyb3VwLmdyL0FUSEVYUXVhbGlmaWVk
+V0VCQ2VydGlmaWNhdGVzQ0FHMy5jcnQwJQYDVR0gBB4wHDAPBg0rBgEEAYHlWgED
+ZAEEMAkGBwQAi+xAAQYwTwYDVR0fBEgwRjBEoEKgQIY+aHR0cDovL2NybC5hdGhl
+eGdyb3VwLmdyL0FUSEVYUXVhbGlmaWVkV0VCQ2VydGlmaWNhdGVzQ0FHMy5jcmww
+HQYDVR0OBBYEFNO1Ri+h7gAw1BnwJi1mHFV+L6htMA4GA1UdDwEB/wQEAwIHgDB7
+BgNVHREEdDByghR3ZWJkc3MuYXRoZXhncm91cC5ncoIYd2ViZHNzbW9jay5hdGhl
+eGdyb3VwLmdyghp3ZWJkc3MtcnB4cjEuaW5ldC5oZWxleC5ncoIPZHNzLmF0aGV4
+bmV0LmdyghNkc3Ntb2NrLmF0aGV4bmV0LmdyMAwGA1UdEwEB/wQCMAAwDQYJKoZI
+hvcNAQELBQADggIBAJl4huEpr01gxqGhFzkCbhZYW48Bv+zGQodfBnhISH5Dj9Ap
+b2pUCJiPIGy6NQ3nHygyy1y2aW+1ExrZ6ZCmtmw2/isk8q9wKa4PS/ip1+IzOin6
+7XmYAz+t03MRl569wtzH+WPL2hb5ZmswAkTP6/N9Jp1I9cryvHO2ZCEYZreWtgvJ
+QaDBQ/qteUKnVNLyuJle9hAYvsWEbgIOxlWaDzPnWYYjZuXbyowImmjhufFyrJ2n
+gwwgw1sI0Se5vGOWWj+i/KBqLbwpp11IyXAJkhNTJVxI5B7BpAqoMGOlqf4w4eCq
+U/HUKL9ZIOHSClPTzaXS45ppPyb+zzLBu4vt0PJTAh3wnujcRZ3NxmetsehqunSp
+yKg0MzL2FDpxD31XHzmlpq5hQGgX1QF30Wl3IADw5JzT4ApHW4ucsLr22HJBTnFa
+b/tbviqg2HcVDAksUqZbPqNCenN/BW3JrhXwewWAfHE4LnDQBlAbq95LuijvHx3M
+aTt8y7wPSOizYTpry19uHT0aaxXfLivhYnIjcWwNwowxjVLSVBK0TBvEUVF2DwDN
+LRfX2aSpt0rq3rxtNcjvJvwHJrDLio8yfSyJXu4qGbQ3OwuuJXaEPiBANUEckaPK
+g5pdua4Lwt708kOG54E7pzz3xLEjtODU+9Ru72tw8lf1RlWwp5ZI+7CByD0W
+-----END CERTIFICATE-----
+
+node_path,validator,severity,code,message
+certificate.tbsCertificate.subject.rdnSequence.2.0.value.x520OrganizationIdentifier,EidasLegalPersonIdentifierValidator,ERROR,etsi.en_319_412_1.leg-5.1.6-03.eidas_legal_person_identifier_whitespace_present,"Whitespace present in organization identifier: ""VATEL-09975 5108"""
+certificate.tbsCertificate.extensions.6.extnValue.subjectKeyIdentifier,SubjectKeyIdentifierValidator,INFO,pkix.subject_key_identifier_method_1_identified,