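What is pkimetal?
pkimetal is a meta-linter for pre-issuance and post-issuance linting of PKI (public key infrastructure) artifacts (certificates, precertificates, CRLs, OCSP responses, and so on). It integrates multiple linters and can run all of them with a single REST API call.
Official site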
pkimetal | PKI Meta-Linter
API details
Lint a Certificate | pkimetal
Lints an X.509 certificate.
Installation instructions
pkimetal/doc/INSTALL.md at main · pkimetal/pkimetal
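Main features of pkimetal
- Integration of multiple linters: it integrates linters developed in different programming languages, such as Ruby (Certlint), C (x509lint), Go (ZLint), and Python (pkilint).
- Pre-issuance and post-issuance support: it supports both pre-issuance linting and post-issuance linting of certificates.
- Performance and scalability: it uses multiple CPU cores to provide high performance and scalability.
- Simple API: multiple linters run from a single API call, so configuration is simple.
pkimetal is a powerful tool for ensuring the quality of PKI artifacts. By integrating multiple linters behind a simple API, it makes pre-issuance and post-issuance linting of certificates efficient. Using it, you can check the technical conformance of certificates and maintain a secure network environment.
List of linters
No. | Linter | Summary |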
---|---|---|
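1 | badkeys | A tool that detects weak and vulnerable keys. |
2 | certlint | A linter implemented in Ruby that checks the structure and content of certificates. |
3 | dwklint | A linter for X.509 certificates related to Debian weak keys. |
4 | ftfy | A tool that detects character-encoding problems. |
5 | pkilint | A linter implemented in Python that validates certificates using their ASN.1 structure. |
6 | pwnedkeys | A tool that checks key safety by comparing keys against a list of known compromised keys. |
7 | rocacheck | A tool implemented in Go that checks whether an RSA key is vulnerable to the Return of Coppersmith’s Attack (ROCA). ROCA is an attack technique that can efficiently factor RSA keys under specific conditions. |
8 | x509lint | A linter implemented in C that validates X.509 certificates. |
9 | zlint | A linter implemented in Go that checks the structure and content of certificates in detail. |
Installation
Installing on Rocky Linux 9
Copy the remote repository to the local machine
git clone is the Git command for creating a copy (clone) of a repository. It copies the contents of a remote repository to the local machine.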
[root@localhost ~]# git clone https://github.com/pkimetal/pkimetal
bash: git: コマンドが見つかりませんでした...
コマンド git' を提供するためにパッケージ 'git-core' をインストールしますか? [N/y] y
* キューで待機中...
* パッケージの一覧をロード中。...
以下のパッケージはインストールされるべきものです:
git-core-2.43.5-2.el9_5.x86_64 Core package of git with minimal functionality
変更したまま継続しますか? [N/y] y
* キューで待機中...
* 認証を待ち受け中...
* キューで待機中...
* パッケージをダウンロード中...
* データを要求中...
* 変更をテスト中...
* パッケージのインストール中...
Cloning into 'pkimetal'...
remote: Enumerating objects: 2014, done.
remote: Counting objects: 100% (42/42), done.
remote: Compressing objects: 100% (36/36), done.
remote: Total 2014 (delta 15), reused 8 (delta 6), pack-reused 1972 (from 2)
Receiving objects: 100% (2014/2014), 600.39 KiB | 6.46 MiB/s, done.
Resolving deltas: 100% (1406/1406), done.
Build the Docker image
[root@localhost ~]# ls
anaconda-ks.cfg pkimetal ダウンロード テンプレート デスクトップ ドキュメント ビデオ 音楽 画像 公開
[root@localhost ~]# cd pkimetal
[root@localhost pkimetal]# docker build -t pkimetal .
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
WARN[0000] missing "gomodfile" build argument. Try adding "--build-arg gomodfile=<VALUE>" to the command line
[1/2] STEP 1/7: FROM docker.io/library/golang:1.23.3-alpine AS build
Trying to pull docker.io/library/golang:1.23.3-alpine...
Getting image source signatures
Copying blob da9db072f522 done |
Copying blob 4f4fb700ef54 done |
Copying blob 5418e60db87d done |
Copying blob c79bddf330f7 done |
Copying blob f115f9222c8e done |
Copying config 98069ee7ef done |
Writing manifest to image destination
[1/2] STEP 2/7: ARG gomodfile
--> 81eb40cc98ba
[1/2] STEP 3/7: RUN apk add --no-cache --update gcc git g++ make ruby ruby-dev pipx rustup openssl-dev
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/community/x86_64/APKINDEX.tar.gz
(1/71) Upgrading libcrypto3 (3.3.2-r0 -> 3.3.2-r1)
(2/71) Upgrading libssl3 (3.3.2-r0 -> 3.3.2-r1)
(3/71) Installing libgcc (13.2.1_git20240309-r0)
(4/71) Installing libstdc++ (13.2.1_git20240309-r0)
(5/71) Installing libstdc++-dev (13.2.1_git20240309-r0)
(6/71) Installing jansson (2.14-r4)
(7/71) Installing zstd-libs (1.5.6-r0)
(8/71) Installing binutils (2.42-r0)
(9/71) Installing libgomp (13.2.1_git20240309-r0)
(10/71) Installing libatomic (13.2.1_git20240309-r0)
(11/71) Installing gmp (6.3.0-r1)
(12/71) Installing isl26 (0.26-r1)
(13/71) Installing mpfr4 (4.2.1-r0)
(14/71) Installing mpc1 (1.3.1-r1)
(15/71) Installing gcc (13.2.1_git20240309-r0)
(16/71) Installing musl-dev (1.2.5-r0)
(17/71) Installing g++ (13.2.1_git20240309-r0)
(18/71) Installing brotli-libs (1.1.0-r2)
(19/71) Installing c-ares (1.33.1-r0)
(20/71) Installing libunistring (1.2-r0)
(21/71) Installing libidn2 (2.3.7-r0)
(22/71) Installing nghttp2-libs (1.62.1-r0)
(23/71) Installing libpsl (0.21.5-r1)
(24/71) Installing libcurl (8.11.1-r0)
(25/71) Installing libexpat (2.6.4-r0)
(26/71) Installing pcre2 (10.43-r0)
(27/71) Installing git (2.45.2-r0)
(28/71) Installing git-init-template (2.45.2-r0)
(29/71) Installing make (4.4.1-r2)
(30/71) Installing pkgconf (2.2.0-r0)
(31/71) Installing openssl-dev (3.3.2-r1)
(32/71) Installing libbz2 (1.0.8-r6)
(33/71) Installing libffi (3.4.6-r0)
(34/71) Installing gdbm (1.23-r1)
(35/71) Installing xz-libs (5.6.2-r0)
(36/71) Installing mpdecimal (4.0.0-r0)
(37/71) Installing ncurses-terminfo-base (6.4_p20240420-r2)
(38/71) Installing libncursesw (6.4_p20240420-r2)
(39/71) Installing libpanelw (6.4_p20240420-r2)
(40/71) Installing readline (8.2.10-r0)
(41/71) Installing sqlite-libs (3.45.3-r1)
(42/71) Installing python3 (3.12.8-r1)
(43/71) Installing python3-pycache-pyc0 (3.12.8-r1)
(44/71) Installing pyc (3.12.8-r1)
(45/71) Installing py3-colorama (0.4.6-r5)
(46/71) Installing py3-colorama-pyc (0.4.6-r5)
(47/71) Installing py3-parsing (3.1.2-r1)
(48/71) Installing py3-parsing-pyc (3.1.2-r1)
(49/71) Installing py3-packaging (24.0-r1)
(50/71) Installing py3-packaging-pyc (24.0-r1)
(51/71) Installing py3-platformdirs (4.2.2-r0)
(52/71) Installing py3-platformdirs-pyc (4.2.2-r0)
(53/71) Installing py3-click (8.1.7-r2)
(54/71) Installing py3-click-pyc (8.1.7-r2)
(55/71) Installing py3-userpath (1.9.2-r1)
(56/71) Installing py3-userpath-pyc (1.9.2-r1)
(57/71) Installing pipx-pyc (1.6.0-r0)
(58/71) Installing py3-argcomplete-pyc (3.3.0-r0)
(59/71) Installing python3-pyc (3.12.8-r1)
(60/71) Installing py3-argcomplete (3.3.0-r0)
(61/71) Installing pipx (1.6.0-r0)
(62/71) Installing yaml (0.2.5-r2)
(63/71) Installing ruby-libs (3.3.6-r0)
(64/71) Installing libucontext (1.2-r3)
(65/71) Installing ruby (3.3.6-r0)
(66/71) Installing ruby-rdoc (3.3.6-r0)
(67/71) Installing libgmpxx (6.3.0-r1)
(68/71) Installing gmp-dev (6.3.0-r1)
(69/71) Installing libucontext-dev (1.2-r3)
(70/71) Installing ruby-dev (3.3.6-r0)
(71/71) Installing rustup (1.25.2-r5)
Executing busybox-1.36.1-r29.trigger
Executing ca-certificates-20240705-r0.trigger
OK: 305 MiB in 84 packages
--> 783fe8ac68c8
[1/2] STEP 4/7: ENV PATH="/root/.local/bin:/root/.cargo/bin:${PATH}"
--> f6a0b5492f50
[1/2] STEP 5/7: WORKDIR /app
--> 5b44988ab5e1
[1/2] STEP 6/7: COPY . .
--> 4ea2076af4cf
[1/2] STEP 7/7: RUN git fetch --depth=2147483647 && mkdir /usr/local/build && mkdir /usr/local/pkimetal && go get -modfile=$gomodfile github.com/badkeys/badkeys && cp -R $(go list -modfile=$gomodfile -m -f '{{.Dir}}' github.com/badkeys/badkeys) /usr/local/build/badkeys/ && go get -modfile=$gomodfile github.com/certlint/certlint && cp -R $(go list -modfile=$gomodfile -m -f '{{.Dir}}' github.com/certlint/certlint) /usr/local/pkimetal/certlint/ && go get -modfile=$gomodfile github.com/CVE-2008-0166/dwk_blocklists_sqlite3 && cp -R $(go list -modfile=$gomodfile -m -f '{{.Dir}}' github.com/CVE-2008-0166/dwk_blocklists_sqlite3) /usr/local/pkimetal/dwk_blocklists_sqlite3/ && go get -modfile=$gomodfile github.com/rspeer/python-ftfy && cp -R $(go list -modfile=$gomodfile -m -f '{{.Dir}}' github.com/rspeer/python-ftfy) /usr/local/build/ftfy/ && go get -modfile=$gomodfile github.com/digicert/pkilint && cp -R $(go list -modfile=$gomodfile -m -f '{{.Dir}}' github.com/digicert/pkilint) /usr/local/build/pkilint/ && go get -modfile=$gomodfile github.com/kroeckx/x509lint && cp -R $(go list -modfile=$gomodfile -m -f '{{.Dir}}' github.com/kroeckx/x509lint) /usr/local/build/x509lint/ && wget https://ccadb.my.salesforce-sites.com/ccadb/AllCertificateRecordsCSVFormatv2 && pipx install poetry && pipx inject poetry poetry-plugin-bundle && cd /usr/local/build/badkeys && cp /app/linter/badkeys/pyproject.toml . && poetry bundle venv --python=/usr/bin/python3 --only=main /usr/local/pkimetal/badkeys && cp badkeys-cli /usr/local/pkimetal/badkeys/bin && cd /usr/local/pkimetal/certlint/ext && ruby extconf.rb && make && cd /usr/local/build/ftfy && cp /app/linter/ftfy/pyproject.toml . && poetry lock --no-update && poetry bundle venv --python=/usr/bin/python3 --only=main /usr/local/pkimetal/ftfy && rustup-init -y && source "$HOME/.cargo/env" && cd /usr/local/build/pkilint && cp /app/linter/pkilint/pyproject.toml . 
&& poetry bundle venv --python=/usr/bin/python3 --only=main /usr/local/pkimetal/pkilint && cp pkilint/cabf/smime/finding_metadata.csv /app/finding_metadata.csv.smime && cp pkilint/cabf/serverauth/finding_metadata.csv /app/finding_metadata.csv.serverauth && cp pkilint/etsi/finding_metadata.csv /app/finding_metadata.csv.etsi && cd /usr/local/build/x509lint && cp asn1_time.c asn1_time.h checks.c checks.h messages.c messages.h /app/linter/x509lint && cd /app && CGO_ENABLED=1 GOOS=linux go build -modfile=$gomodfile -o pkimetal -ldflags " -X github.com/pkimetal/pkimetal/config.BuildTimestamp=`date --utc +%Y-%m-%dT%H:%M:%SZ` -X github.com/pkimetal/pkimetal/config.PkimetalVersion=`git describe --tags --always` -X github.com/pkimetal/pkimetal/linter/badkeys.Version=`go list -modfile=$gomodfile -m -f '{{.Version}}' github.com/badkeys/badkeys | sed 's/+incompatible//g'` -X github.com/pkimetal/pkimetal/linter/badkeys.PythonDir=`find /usr/local/pkimetal/badkeys/lib/python*/site-packages -maxdepth 0` -X github.com/pkimetal/pkimetal/linter/certlint.Version=`go list -modfile=$gomodfile -m -f '{{.Version}}' github.com/certlint/certlint | sed 's/+incompatible//g'` -X github.com/pkimetal/pkimetal/linter/certlint.RubyDir=/usr/local/pkimetal/certlint -X github.com/pkimetal/pkimetal/linter/dwklint.BlocklistDBPath=/usr/local/pkimetal/dwk_blocklists_sqlite3/dwk_blocklists.sqlite3 -X github.com/pkimetal/pkimetal/linter/ftfy.Version=`go list -modfile=$gomodfile -m -f '{{.Version}}' github.com/rspeer/python-ftfy | sed 's/+incompatible//g'` -X github.com/pkimetal/pkimetal/linter/ftfy.PythonDir=`find /usr/local/pkimetal/ftfy/lib/python*/site-packages -maxdepth 0` -X github.com/pkimetal/pkimetal/linter/pkilint.Version=`go list -modfile=$gomodfile -m -f '{{.Version}}' github.com/digicert/pkilint | sed 's/+incompatible//g'` -X github.com/pkimetal/pkimetal/linter/pkilint.PythonDir=`find /usr/local/pkimetal/pkilint/lib/python*/site-packages -maxdepth 0` -X 
github.com/pkimetal/pkimetal/linter/x509lint.Version=`go list -modfile=$gomodfile -m -f '{{.Version}}' github.com/kroeckx/x509lint | sed 's/+incompatible//g'`" /app/.
go: downloading github.com/badkeys/badkeys v0.0.12
go: downloading github.com/certlint/certlint v1.7.5
go: downloading github.com/CVE-2008-0166/dwk_blocklists_sqlite3 v0.0.0-20241104144956-b20aa84afe4c
go: downloading github.com/rspeer/python-ftfy v6.3.1+incompatible
go: downloading github.com/digicert/pkilint v0.12.5
go: downloading github.com/kroeckx/x509lint v0.0.0-20210110132446-e2d7fe9b9a48
Connecting to ccadb.my.salesforce-sites.com (44.227.61.91:443)
saving to 'AllCertificateRecordsCSVFormatv2'
AllCertificateRecord 415k --:--:-- ETA
AllCertificateRecord 4543k --:--:-- ETA
AllCertificateRecord 100% |********************************| 8062k 0:00:00 ETA
'AllCertificateRecordsCSVFormatv2' saved
creating virtual environment...
creating shared libraries...
upgrading shared libraries...
installing poetry...
done! ✨ 🌟 ✨
installed package poetry 1.8.5, installed using Python 3.12.8
These apps are now globally available
- poetry
installing poetry-plugin-bundle...
done! ✨ 🌟 ✨
injected package poetry-plugin-bundle into venv poetry
• Bundling badkeys (0.0.12) into /usr/local/pkimetal/badkeys
• Bundling badkeys (0.0.12) into /usr/local/pkimetal/badkeys: Creating a virtual environment using Python /usr/bin/python3
• Bundling badkeys (0.0.12) into /usr/local/pkimetal/badkeys: Installing dependencies
• Bundling badkeys (0.0.12) into /usr/local/pkimetal/badkeys: Installing badkeys (0.0.12)
• Bundled badkeys (0.0.12) into /usr/local/pkimetal/badkeys
creating Makefile
compiling ANY.c
compiling AccessDescription.c
compiling AdministrationDomainName.c
compiling AlgorithmIdentifier.c
compiling AnotherName.c
compiling Attribute.c
compiling AttributeType.c
compiling AttributeTypeAndValue.c
compiling AttributeValue.c
compiling AuthorityInfoAccessSyntax.c
compiling AuthorityKeyIdentifier.c
compiling BIT_STRING.c
compiling BMPString.c
compiling BOOLEAN.c
compiling BaseCRLNumber.c
compiling BaseDistance.c
compiling BasicConstraints.c
compiling BiometricData.c
compiling BiometricSyntax.c
compiling BuiltInDomainDefinedAttribute.c
compiling BuiltInDomainDefinedAttributes.c
compiling BuiltInStandardAttributes.c
compiling CABFOrganizationIdentifier.c
compiling CPSuri.c
compiling CRLDistributionPoints.c
compiling CRLNumber.c
compiling CRLReason.c
compiling CertPolicyId.c
compiling Certificate.c
compiling CertificateIssuer.c
compiling CertificateList.c
compiling CertificatePolicies.c
compiling CertificateSerialNumber.c
compiling Characteristic-two.c
compiling CommonName.c
compiling CountryName.c
compiling CountryOfCitizenship.c
compiling CountryOfResidence.c
compiling Curve.c
compiling DHPublicKey.c
compiling DSAPublicKey.c
compiling DateOfBirth.c
compiling DirectoryString.c
compiling DisplayText.c
compiling DistinguishedName.c
compiling DistributionPoint.c
compiling DistributionPointName.c
compiling DomainComponent.c
compiling DomainParameters.c
compiling Dss-Parms.c
compiling Dss-Sig-Value.c
compiling ECDSA-Sig-Value.c
compiling ECPVer.c
compiling ECParameters.c
compiling ECPoint.c
compiling EDIPartyName.c
compiling ENUMERATED.c
compiling EcpkParameters.c
compiling EmailAddress.c
compiling ExtKeyUsageSyntax.c
compiling ExtendedNetworkAddress.c
compiling Extension.c
compiling ExtensionAttribute.c
compiling ExtensionAttributes.c
compiling ExtensionORAddressComponents.c
compiling ExtensionPhysicalDeliveryAddressComponents.c
compiling Extensions.c
compiling Features.c
compiling FieldElement.c
compiling FieldID.c
compiling FreshestCRL.c
compiling Gender.c
compiling GeneralName.c
compiling GeneralNames.c
compiling GeneralSubtree.c
compiling GeneralSubtrees.c
compiling GeneralizedTime.c
GeneralizedTime.c:85:2: warning: #warning "PLEASE STOP AND READ!" [-Wcpp]
85 | #warning "PLEASE STOP AND READ!"
| ^~~~~~~
GeneralizedTime.c:86:2: warning: #warning " timegm() is implemented via getenv(\"TZ\")/setenv(\"TZ\"), which may be not thread-safe." [-Wcpp]
86 | #warning " timegm() is implemented via getenv(\"TZ\")/setenv(\"TZ\"), which may be not thread-safe."
| ^~~~~~~
GeneralizedTime.c:87:2: warning: #warning " " [-Wcpp]
87 | #warning " "
| ^~~~~~~
GeneralizedTime.c:88:2: warning: #warning " You must fix the code by inserting appropriate locking" [-Wcpp]
88 | #warning " You must fix the code by inserting appropriate locking"
| ^~~~~~~
GeneralizedTime.c:89:2: warning: #warning " if you want to use asn_GT2time() or asn_UT2time()." [-Wcpp]
89 | #warning " if you want to use asn_GT2time() or asn_UT2time()."
| ^~~~~~~
GeneralizedTime.c:90:2: warning: #warning "PLEASE STOP AND READ!" [-Wcpp]
90 | #warning "PLEASE STOP AND READ!"
| ^~~~~~~
compiling HashAlgAndValue.c
compiling HoldInstructionCode.c
compiling IA5String.c
compiling INTEGER.c
compiling InhibitAnyPolicy.c
compiling InvalidityDate.c
compiling IssuerAltName.c
compiling IssuingDistributionPoint.c
compiling KEA-Parms-Id.c
compiling KeyIdentifier.c
compiling KeyPurposeId.c
compiling KeyUsage.c
compiling LocalPostalAttributes.c
compiling LogotypeAudio.c
compiling LogotypeAudioInfo.c
compiling LogotypeData.c
compiling LogotypeDetails.c
compiling LogotypeExtn.c
compiling LogotypeImage.c
compiling LogotypeImageInfo.c
compiling LogotypeImageResolution.c
compiling LogotypeImageType.c
compiling LogotypeInfo.c
compiling LogotypeReference.c
compiling NULL.c
compiling Name.c
compiling NameConstraints.c
compiling NameRegistrationAuthorities.c
compiling NativeEnumerated.c
compiling NativeInteger.c
compiling NetworkAddress.c
compiling NoticeReference.c
compiling NumericString.c
compiling NumericUserIdentifier.c
compiling OBJECT_IDENTIFIER.c
compiling OCTET_STRING.c
compiling OPEN_TYPE.c
compiling ORAddress.c
compiling OrganizationName.c
compiling OrganizationalUnitName.c
compiling OrganizationalUnitNames.c
compiling OtherLogotypeInfo.c
compiling PDSName.c
compiling PDSParameter.c
compiling PKCS9String.c
compiling Pentanomial.c
compiling PersonalName.c
compiling PhysicalDeliveryCountryName.c
compiling PhysicalDeliveryOfficeName.c
compiling PhysicalDeliveryOfficeNumber.c
compiling PhysicalDeliveryOrganizationName.c
compiling PhysicalDeliveryPersonalName.c
compiling PlaceOfBirth.c
compiling PolicyConstraints.c
compiling PolicyInformation.c
compiling PolicyMappings.c
compiling PolicyQualifierId.c
compiling PolicyQualifierInfo.c
compiling PostOfficeBoxAddress.c
compiling PostalAddress.c
compiling PostalCode.c
compiling PosteRestanteAddress.c
compiling PredefinedBiometricType.c
compiling PresentationAddress.c
compiling Prime-p.c
compiling PrintableString.c
compiling PrivateDomainName.c
compiling PrivateKeyUsagePeriod.c
compiling QCStatement.c
compiling QCStatements.c
compiling RDNSequence.c
compiling RSAPublicKey.c
compiling ReasonFlags.c
compiling RelativeDistinguishedName.c
compiling SMIMECapabilities.c
compiling SMIMECapability.c
compiling SemanticsInformation.c
compiling SkipCerts.c
compiling StreetAddress.c
compiling SubjectAltName.c
compiling SubjectDirectoryAttributes.c
compiling SubjectInfoAccessSyntax.c
compiling SubjectKeyIdentifier.c
compiling SubjectPublicKeyInfo.c
compiling TBSCertList.c
compiling TBSCertificate.c
compiling TeletexCommonName.c
compiling TeletexDomainDefinedAttribute.c
compiling TeletexDomainDefinedAttributes.c
compiling TeletexOrganizationName.c
compiling TeletexOrganizationalUnitName.c
compiling TeletexOrganizationalUnitNames.c
compiling TeletexPersonalName.c
compiling TeletexString.c
compiling TerminalIdentifier.c
compiling TerminalType.c
compiling Time.c
compiling TorServiceDescriptorHash.c
compiling TorServiceDescriptorSyntax.c
compiling Trinomial.c
compiling TypeOfBiometricData.c
compiling UTCTime.c
compiling UTF8String.c
compiling UnformattedPostalAddress.c
compiling UniqueIdentifier.c
compiling UniquePostalName.c
compiling UniversalString.c
compiling UserNotice.c
compiling ValidationParms.c
compiling Validity.c
compiling Version.c
compiling VisibleString.c
compiling X121Address.c
compiling X520CommonName.c
compiling X520LocalityName.c
compiling X520OrganizationName.c
compiling X520OrganizationalUnitName.c
compiling X520Pseudonym.c
compiling X520SerialNumber.c
compiling X520StateOrProvinceName.c
compiling X520Title.c
compiling X520countryName.c
compiling X520dnQualifier.c
compiling X520name.c
compiling asn1validator.c
compiling asn_SEQUENCE_OF.c
compiling asn_SET_OF.c
compiling asn_application.c
compiling asn_bit_data.c
compiling asn_codecs_prim.c
compiling asn_internal.c
compiling asn_random_fill.c
compiling ber_decoder.c
compiling ber_tlv_length.c
compiling ber_tlv_tag.c
compiling constr_CHOICE.c
compiling constr_SEQUENCE.c
compiling constr_SEQUENCE_OF.c
compiling constr_SET.c
compiling constr_SET_OF.c
compiling constr_TYPE.c
compiling constraints.c
compiling der_encoder.c
compiling pdu_collection.c
compiling per_decoder.c
compiling per_encoder.c
compiling per_opentype.c
compiling per_support.c
compiling xer_decoder.c
compiling xer_encoder.c
compiling xer_support.c
linking shared-object asn1validator.so
Creating virtualenv ftfy-nQAKAzcs-py3.12 in /root/.cache/pypoetry/virtualenvs
Updating dependencies
Resolving dependencies...
Writing lock file
• Bundling ftfy (6.3.0) into /usr/local/pkimetal/ftfy
• Bundling ftfy (6.3.0) into /usr/local/pkimetal/ftfy: Creating a virtual environment using Python /usr/bin/python3
• Bundling ftfy (6.3.0) into /usr/local/pkimetal/ftfy: Installing dependencies
• Bundling ftfy (6.3.0) into /usr/local/pkimetal/ftfy: Installing ftfy (6.3.0)
• Bundled ftfy (6.3.0) into /usr/local/pkimetal/ftfy
info: profile set to 'default'
info: default host triple is x86_64-unknown-linux-musl
info: syncing channel updates for 'stable-x86_64-unknown-linux-musl'
info: latest update on 2024-11-28, rust version 1.83.0 (90b35a623 2024-11-26)
info: downloading component 'cargo'
info: downloading component 'clippy'
info: downloading component 'rust-docs'
info: downloading component 'rust-std'
info: downloading component 'rustc'
info: downloading component 'rustfmt'
info: installing component 'cargo'
info: installing component 'clippy'
info: installing component 'rust-docs'
info: installing component 'rust-std'
info: installing component 'rustc'
info: installing component 'rustfmt'
info: default toolchain set to 'stable-x86_64-unknown-linux-musl'
stable-x86_64-unknown-linux-musl installed - rustc 1.83.0 (90b35a623 2024-11-26)
Rust is installed now. Great!
To get started you may need to restart your current shell.
This would reload your PATH environment variable to include
Cargo's bin directory ($HOME/.cargo/bin).
To configure your current shell, run:
source "$HOME/.cargo/env"
• Bundling pkilint (0.11.4) into /usr/local/pkimetal/pkilint
• Bundling pkilint (0.11.4) into /usr/local/pkimetal/pkilint: Creating a virtual environment using Python /usr/bin/python3
• Bundling pkilint (0.11.4) into /usr/local/pkimetal/pkilint: Installing dependencies
• Bundling pkilint (0.11.4) into /usr/local/pkimetal/pkilint: Installing pkilint (0.11.4)
• Bundled pkilint (0.11.4) into /usr/local/pkimetal/pkilint
go: downloading go.uber.org/automaxprocs v1.6.0
go: downloading github.com/goccy/go-json v0.10.4
go: downloading github.com/prometheus/client_golang v1.20.5
go: downloading go.uber.org/zap v1.27.0
go: downloading github.com/CVE-2008-0166/dwklint/v2 v2.0.1
go: downloading github.com/sergi/go-diff v1.3.1
go: downloading github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
go: downloading github.com/zmap/zcrypto v0.0.0-20241218205341-e47c4f4da3a4
go: downloading github.com/zmap/zlint/v3 v3.6.4
go: downloading github.com/valyala/fasthttp v1.58.0
go: downloading github.com/spf13/viper v1.19.0
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading github.com/prometheus/client_model v0.6.1
go: downloading github.com/prometheus/common v0.61.0
go: downloading github.com/prometheus/procfs v0.15.1
go: downloading google.golang.org/protobuf v1.36.0
go: downloading go.uber.org/multierr v1.11.0
go: downloading zombiezen.com/go/sqlite v1.4.0
go: downloading github.com/weppos/publicsuffix-go v0.40.3-0.20241218111332-1518a6f1cb34
go: downloading golang.org/x/crypto v0.31.0
go: downloading github.com/pelletier/go-toml v1.9.5
go: downloading github.com/andybalholm/brotli v1.1.1
go: downloading github.com/klauspost/compress v1.17.11
go: downloading github.com/valyala/bytebufferpool v1.0.0
go: downloading github.com/fsnotify/fsnotify v1.8.0
go: downloading github.com/mitchellh/mapstructure v1.5.0
go: downloading github.com/sagikazarmark/slog-shim v0.1.0
go: downloading github.com/spf13/afero v1.11.0
go: downloading github.com/spf13/cast v1.7.1
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading golang.org/x/sys v0.28.0
go: downloading modernc.org/libc v1.61.4
go: downloading modernc.org/sqlite v1.34.3
go: downloading golang.org/x/net v0.33.0
go: downloading golang.org/x/text v0.21.0
go: downloading github.com/subosito/gotenv v1.6.0
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading gopkg.in/ini.v1 v1.67.0
go: downloading github.com/magiconair/properties v1.8.9
go: downloading github.com/pelletier/go-toml/v2 v2.2.3
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/dustin/go-humanize v1.0.1
go: downloading github.com/google/uuid v1.6.0
go: downloading golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67
go: downloading modernc.org/mathutil v1.6.0
go: downloading modernc.org/memory v1.8.0
go: downloading github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec
# github.com/pkimetal/pkimetal/linter/x509lint
checks.c: In function 'CheckPublicKey':
checks.c:1691:17: warning: 'EVP_PKEY_get1_RSA' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1691 | RSA *rsa = EVP_PKEY_get1_RSA(pkey);
| ^~~
In file included from /usr/include/openssl/x509.h:29,
from checks.c:33:
/usr/include/openssl/evp.h:1358:16: note: declared here
1358 | struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
| ^~~~~~~~~~~~~~~~~
checks.c:1696:25: warning: 'RSA_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1696 | RSA_free(rsa);
| ^~~~~~~~
In file included from /usr/include/openssl/x509.h:36:
/usr/include/openssl/rsa.h:304:28: note: declared here
304 | OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r);
| ^~~~~~~~
checks.c:1701:17: warning: 'RSA_get0_key' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1701 | RSA_get0_key(rsa, &n, &e, NULL);
| ^~~~~~~~~~~~
/usr/include/openssl/rsa.h:228:28: note: declared here
228 | OSSL_DEPRECATEDIN_3_0 void RSA_get0_key(const RSA *r,
| ^~~~~~~~~~~~
checks.c:1705:25: warning: 'RSA_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1705 | RSA_free(rsa);
| ^~~~~~~~
/usr/include/openssl/rsa.h:304:28: note: declared here
304 | OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r);
| ^~~~~~~~
checks.c:1764:17: warning: 'RSA_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1764 | RSA_free(rsa);
| ^~~~~~~~
/usr/include/openssl/rsa.h:304:28: note: declared here
304 | OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r);
| ^~~~~~~~
checks.c:1768:17: warning: 'EVP_PKEY_get1_EC_KEY' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1768 | EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(pkey);
| ^~~~~~
/usr/include/openssl/evp.h:1384:19: note: declared here
1384 | struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
| ^~~~~~~~~~~~~~~~~~~~
checks.c:1769:17: warning: 'EC_KEY_get0_group' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1769 | const EC_GROUP *group = EC_KEY_get0_group(ec_key);
| ^~~~~
In file included from /usr/include/openssl/x509.h:33:
/usr/include/openssl/ec.h:1053:39: note: declared here
1053 | OSSL_DEPRECATEDIN_3_0 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
| ^~~~~~~~~~~~~~~~~
checks.c:1770:17: warning: 'EC_KEY_get0_public_key' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1770 | const EC_POINT *point = EC_KEY_get0_public_key(ec_key);
| ^~~~~
/usr/include/openssl/ec.h:1081:39: note: declared here
1081 | OSSL_DEPRECATEDIN_3_0 const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
| ^~~~~~~~~~~~~~~~~~~~~~
checks.c:1822:17: warning: 'EC_KEY_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1822 | EC_KEY_free(ec_key);
| ^~~~~~~~~~~
/usr/include/openssl/ec.h:1022:28: note: declared here
1022 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
| ^~~~~~~~~~~
--> 58632a9e76f0
[2/2] STEP 1/9: FROM alpine:edge AS runtime
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:edge...
Getting image source signatures
Copying blob 0ee5700e4ed5 done |
Copying config 95d9f7cd46 done |
Writing manifest to image destination
[2/2] STEP 2/9: COPY --from=build /usr/local/pkimetal /usr/local/pkimetal
--> edc06f671f39
[2/2] STEP 3/9: RUN apk add --no-cache --update python3 ruby && gem install public_suffix simpleidn && adduser -D pkimetal
fetch https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
(1/23) Installing libbz2 (1.0.8-r6)
(2/23) Installing libexpat (2.6.4-r0)
(3/23) Installing libffi (3.4.6-r0)
(4/23) Installing gdbm (1.24-r0)
(5/23) Installing xz-libs (5.6.3-r0)
(6/23) Installing libgcc (14.2.0-r4)
(7/23) Installing libstdc++ (14.2.0-r4)
(8/23) Installing mpdecimal (4.0.0-r0)
(9/23) Installing ncurses-terminfo-base (6.5_p20241006-r3)
(10/23) Installing libncursesw (6.5_p20241006-r3)
(11/23) Installing libpanelw (6.5_p20241006-r3)
(12/23) Installing readline (8.2.13-r0)
(13/23) Installing sqlite-libs (3.47.2-r0)
(14/23) Installing python3 (3.12.8-r1)
(15/23) Installing python3-pycache-pyc0 (3.12.8-r1)
(16/23) Installing pyc (3.12.8-r1)
(17/23) Installing python3-pyc (3.12.8-r1)
(18/23) Installing ca-certificates (20241010-r0)
(19/23) Installing gmp (6.3.0-r2)
(20/23) Installing yaml (0.2.5-r2)
(21/23) Installing ruby-libs (3.3.6-r0)
(22/23) Installing libucontext (1.3.2-r0)
(23/23) Installing ruby (3.3.6-r0)
Executing busybox-1.36.1-r32.trigger
Executing ca-certificates-20241010-r0.trigger
OK: 64 MiB in 37 packages
Successfully installed public_suffix-6.0.1
Successfully installed simpleidn-0.2.3
2 gems installed
--> f694eccbc3b5
[2/2] STEP 4/9: USER pkimetal:pkimetal
--> dcf75ba4010d
[2/2] STEP 5/9: WORKDIR /usr/local/pkimetal/badkeys/bin
--> d1cf655211ab
[2/2] STEP 6/9: RUN ./python3 badkeys-cli --update-bl
Writing new badkeysdata.json...
Downloading blocklist.dat...
--> a2310625ceea
[2/2] STEP 7/9: WORKDIR /app
--> 5ffaedff4ede
[2/2] STEP 8/9: COPY --from=build /app/pkimetal /app/AllCertificateRecordsCSVFormatv2 /app/finding_metadata.csv.* /app/
--> 62e1bedfeb70
[2/2] STEP 9/9: CMD ["/app/pkimetal"]
[2/2] COMMIT pkimetal
--> 2bce112d0cc0
Successfully tagged localhost/pkimetal:latest
2bce112d0cc0d41092105ad3fe19e5933423516acfcbf2b53120b0e46d3a0fbb
Start pkimetal listening
docker run -p 8080:8080 -it pkimetal
Installation complete
http://127.0.0.1:8080
Using the GUI
Input screen
http://127.0.0.1:8080
Paste the certificate's PEM data and run "lintcert".
(Example) GitHub's TLS server certificate.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Result screen
Requests with curl
curl (client URL) is a command-line tool and library used to send data to, or retrieve data from, a URL.
How to query with curl (with the --data severity=warning option).
curl --request POST --url http://127.0.0.1:8080/lintcert --header "Accept: application/json" --header "Content-Type: application/x-www-form-urlencoded" --data-urlencode "b64input=<base64 body of the PEM certificate>" --data severity=warning
Result
[{"Linter":"pkilint","Finding":"A discouraged element is present","Field":"certificate.tbsCertificate.subject.rdnSequence","Code":"cabf.serverauth.dv.common_name_attribute_present","Severity":"warning"},{"Linter":"pkilint","Finding":"A discouraged element is present","Field":"certificate.tbsCertificate.extensions","Code":"cabf.serverauth.subscriber.subject_key_identifier_extension_present","Severity":"warning"},{"Linter":"pkilint","Finding":"Validates that the certificate policy OID(s) conform to BR 7.1.2.7.9.","Field":"certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies","Code":"cabf.serverauth.subscriber_first_policy_oid_not_reserved","Severity":"warning"},{"Linter":"pkilint","Finding":"Validates that the inclusion of policy qualifiers is in conformance with BR 7.1.2.3.2, 7.1.2.10.5, and 7.1.2.7.9.","Field":"certificate.tbsCertificate.extensions.5.extnValue.certificatePolicies.0.policyQualifiers.0","Code":"cabf.serverauth.certificate_policy_qualifier_present","Severity":"warning"},{"Linter":"zlint","Finding":"Subscriber Certificate: commonName is NOT RECOMMENDED.","Code":"w_subject_common_name_included","Severity":"warning"},{"Linter":"zlint","Finding":"Subscriber certificates use of Subject Key Identifier is NOT RECOMMENDED","Code":"w_ext_subject_key_identifier_not_recommended_subscriber","Severity":"warning"}]
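The curl request above, issued from Python with a pass/fail gate over the returned findings, as an added example that is not code from the pkimetal project. The endpoint, form fields and response keys are the ones shown on this page; the function names, the `error`/`fatal` severity names in the default blocking set, and the sample PEM are assumptions made for the illustration.

```python
import base64
import json
import re
import urllib.parse
import urllib.request
from collections import Counter

# Endpoint, form fields and headers are the ones in the curl command on this page.
PKIMETAL_URL = "http://127.0.0.1:8080/lintcert"
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: PEM armor around placeholder bytes, not a real certificate.
_BODY = base64.b64encode(b"constructed-not-a-real-cert").decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + _BODY[:20] + "\n" + _BODY[20:]
              + "\n-----END CERTIFICATE-----\n")

# Three findings copied from the response shown above (the zlint entry has no "Field").
SAMPLE_FINDINGS = [
    {"Linter": "pkilint", "Finding": "A discouraged element is present",
     "Field": "certificate.tbsCertificate.subject.rdnSequence",
     "Code": "cabf.serverauth.dv.common_name_attribute_present",
     "Severity": "warning"},
    {"Linter": "pkilint", "Finding": "A discouraged element is present",
     "Field": "certificate.tbsCertificate.extensions",
     "Code": "cabf.serverauth.subscriber.subject_key_identifier_extension_present",
     "Severity": "warning"},
    {"Linter": "zlint",
     "Finding": "Subscriber Certificate: commonName is NOT RECOMMENDED.",
     "Code": "w_subject_common_name_included", "Severity": "warning"},
]


def pem_to_b64input(pem):
    """Return the base64 body of the first PEM certificate, armor and whitespace removed."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())
    base64.b64decode(body, validate=True)  # reject non-base64 input before sending it
    return body


def build_request(pem, severity="warning", url=PKIMETAL_URL):
    """Build the same form-encoded POST that the curl command sends."""
    form = urllib.parse.urlencode(
        {"b64input": pem_to_b64input(pem), "severity": severity})
    return urllib.request.Request(
        url, data=form.encode("ascii"), method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})


def lint_certificate(pem, severity="warning", url=PKIMETAL_URL, timeout=30):
    """Send the certificate to a running pkimetal instance and return its findings."""
    with urllib.request.urlopen(build_request(pem, severity, url),
                                timeout=timeout) as resp:
        return json.load(resp)


def summarize(findings):
    """Count findings per (linter, severity) pair."""
    return Counter((f["Linter"], f["Severity"]) for f in findings)


def gate(findings, blocking=frozenset({"error", "fatal"})):
    """Return the findings that should stop issuance; an empty list means pass.

    The default severity names are assumptions; the page only shows "warning".
    """
    return [f for f in findings if f.get("Severity") in blocking]


def format_finding(finding):
    """One report line per finding; "Field" is optional in the response."""
    where = finding.get("Field", "-")
    return (f'{finding["Severity"]:<8} {finding["Linter"]:<8} '
            f'{finding["Code"]} [{where}]')


if __name__ == "__main__":
    # Offline run on the sample response. Against a running instance, use:
    #   findings = lint_certificate(open("cert.pem").read())
    for item in SAMPLE_FINDINGS:
        print(format_finding(item))
    print(dict(summarize(SAMPLE_FINDINGS)))
    blocked = gate(SAMPLE_FINDINGS, blocking={"warning"})
    print("blocked" if blocked else "pass", len(blocked))
```
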
Handling requests from another server (PC)
Opening ports 80 and 443 in the firewall allows requests from another server (PC) as well.
sudo dnf install firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload
Sample (only the IP address changed)
curl --request POST --url http://172.22.1.88:8080/lintcert --header "Accept: application/json" --header "Content-Type: application/x-www-form-urlencoded" --data-urlencode "b64input=<base64 body of the PEM certificate>" --data severity=warning