change xf to ok for soon-generalized-time
As the spec says, CAs conforming MUST always encode certificates this
way. Currently root certs in the Mozilla trust store do not follow this
rule. Hence the libs SHOULD be graceful handling generalized times
before 2050.
change xf to ok for subject-t61
Though the chapter on subject dn doesn't say anything about T61, the
ASN.1 schema still includes it. Hence it SHOULD not be T61 when creating
certs. But also libs SHOULD handle it gracefully.
rework display: show result as list or html table
add display List command
shows a list of passed tests for given tool
migrate script to python3
mention original project in README
scripts: specify python 2.7
Move from Travis to GitHub Action
Use UTF-16BE in BMPString example (#6)
X.690-0207 has:
8.21.8 For the BMPString type, the octet string shall contain the octets specified in ISO/IEC 10646-1, using the 2-octet BMP form (see 13.1 of ISO/IEC 10646-1). Signatures shall not be used.
Use @ as invalid DNS character
A '*' label is OK for a DNS name, to indicate a wildcard cert
(as described in RFC6125 s6.4.3), and leading digits are OK
(from RFC1123 s2.1), so "*.123google.com" is not an invalid
DNS name.
So use '@' instead, which is also outside of the rules of
RFC1034 s3.5.
Fixes #3
Test EKU with an empty OID value
Test SAN with non-IA5 domain
Test RSA pubkey with non-minimally encoded INTEGER
Spot non-fatal errors from certcheck
Add test of ExtendedKeyUsage with no usages