Misissued certificate example: malformed stateOrProvinceName containing embedded C=JP

[ONO-Fumiaki]

Summary

I would like to share a real‑world misissuance case that may help improve ZLint’s ability to detect malformed Subject attributes.

---

Background / Context

I previously submitted a related Bugzilla report:
https://bugzilla.mozilla.org/show_bug.cgi?id=2004654

As a follow‑up, I’m providing an additional certificate example that exhibits an incorrectly constructed Subject attribute, which may be useful for refining ZLint’s lint coverage.

---

Real‑world Example

Certificate:
https://crt.sh/?sha256=2E4CD75510F999F1DC1C986BCD7C0BDB9BF9D622843A8B3B32379A4EED0F0B7F

Subject:

stateOrProvinceName = Tokyo, C=JP

As shown above, the value of the stateOrProvinceName attribute erroneously includes C=JP, which should not appear inside this field.

---

Expected behavior

ZLint should detect malformed Subject attribute values where components such as C=XX appear incorrectly embedded within another RDN.

---

Actual behavior

This case does not appear to trigger an existing lint.

---

Additional Information

We have already addressed the underlying issue on our side, but I believe this example may help strengthen ZLint’s handling of malformed Subject attribute structures.

Thank you for your ongoing work on ZLint and your support of the broader PKI ecosystem.

---

Best regards,
ONO Fumiaki / 大野 文彰
SECOM Trust Systems CO., LTD.
(Japanese name order: family name first, in uppercase)

[christopher-henderson]

Howdy @ONO-Fumiaki, thank you for submitting this issue!

Would you be able to point me towards a direct citation for this requirement? I have flipped through the most recent CABF/BR but I could not immediately find anything that would dictate the precise, textual, format of this field.

ZLint is broken up into groups of lints that each refer to a governing document (such as CABF/BR or the Mozilla Root Store Policy). And, within each lint, is a citation to the clause that defined the requirement.

Without such a citation we can still move forward with what is called a community lint. That is, a lint that is not strictly speaking required by any existing standard, but it is otherwise understood to be best practice.

If this lint would be a case of writing a community lint, then we will have to formally define the requirement. That is, does it simply ban the = character? Does it try to look for patterns?

[mcpherrinm]

It seems to me the ideal thing would be a lint which uses some sort of data source which has all countries and the stateOrProvinceName inside each. I'm not quite sure how feasible that would be - I assume there are at least hundreds, if not thousands of them.

If not possible to explicitally enumerate them all, perhaps we can construct a fairly narrow set of characters which appear in any valid state or province. For example, there's probably no = or maybe even ,.

I think this proposed lint should probably be part of the BRs 3.2.2.1 Identity, as the country and state/province should come from a reliable datasource. This is clearer in the EVGs, 7.1.4.2.4 Subject Jurisdiction of Incorporation or Registration Field.

[ONO-Fumiaki]

Hello @christopher-henderson, @mcpherrinm — thank you both for the detailed and helpful feedback.

Normative context

As noted earlier, the Baseline Requirements do not define the textual formatting of stateOrProvinceName.
However, BR 3.2.2.1 Identity (MUST) requires that all Subject Identity Information reflect validated data obtained from authoritative sources.

In addition, BR 7.1.4.2 Certificate Subject (MUST) requires each attribute within the Subject DN to be represented in its proper structural position and encoded as an independent RDN.

A value such as:

stateOrProvinceName = Tokyo, C=JP

cannot originate from any authoritative Japanese registry, and therefore does not satisfy BR 3.2.2.1.
It is also inconsistent with the X.500 / RFC 5280 Section 4.1.2.6 requirement that each RDN represent a single attribute.

On the linting approach

Enumerating every state or province worldwide is not feasible.
Instead, this issue can be generalized as:

“The value of one RDN contains structural artifacts that belong to another RDN.”

From that perspective, a practical approach is to focus on RDNs that contain geographic information — specifically stateOrProvinceName (ST) and localityName (L).
If these geographic fields contain identifiers that belong to other Subject attributes, it is always a structural error, with negligible risk of false positives.

---

1. Formal RDN labels

The following X.500 / RFC 5280 labels should never appear inside the value of ST or L, with or without a space:

C=
C =
ST=
ST =
L=
L =
O=
O =
OU=
OU =
CN=
CN =

If any of these appear within ST or L, it is a clear structural violation and should produce an error.

---

2. Internal Subject attribute identifiers used within CA software

Many CA systems internally represent Subject attributes as JSON keys, configuration fields, or form labels.
These identifiers should never appear inside ST or L, because such geographic values cannot naturally contain these terms in any real‑world context.
Their presence indicates a concatenation or template‑processing bug.

Therefore, if ST or L contains any of the following identifiers, it should be treated as an error:

countryName
stateOrProvinceName
localityName
streetAddress
postalCode

organizationName
organizationalUnitName
businessCategory
serialNumber
jurisdictionCountryName
jurisdictionStateOrProvinceName
jurisdictionLocalityName

commonName
title
pseudonym
domainComponent

These terms do not occur in legitimate place names, addresses, or jurisdictional labels.
Detecting them inside ST or L has an extremely low false‑positive risk and is therefore well‑suited for a community lint.

(Conversely, applying this detection to attributes such as organizationName or commonName would cause unnecessary false positives, since those values may legitimately contain ordinary English words that overlap with internal attribute identifiers.)

---

Summary

Focusing this detection on ST and L ensures:

• strict alignment with the BRs and RFC 5280,
• extremely low false‑positive risk, and
• reliable identification of real DN construction bugs in CA implementations.

If this direction is useful, I would be happy to provide additional context as the discussion continues.

Best regards,
ONO Fumiaki / 大野 文彰
SECOM Trust Systems CO., LTD.

[christopher-henderson]

@ONO-Fumiaki @mcpherrinm

I agree that enumerating all possible values is infeasible. As such, I think the issue can be reframed as...

This field should just be the plain, human readable, name of the country/region. For example, Tokyo or France.

Unfortunately, CAs have sometimes accidentally injected strings that are meant for machine consumption and contain key-value pairs, or even JSON.

If we approach it from this angle then the lint becomes ensure that the stateOrProvinceName does not contain structured data, at which point running a simple contains relationship for common structural control characters (E.G, =, ,, :, {, }) can go long ways towards carrying this lint.

[ONO-Fumiaki]

@christopher-henderson @mcpherrinm

Thank you for the helpful discussion. I have aligned the structured‑data detection proposal with the Baseline Requirements (Version 2.2.1) and RFC 5280 in a way that minimizes false positives and avoids incorrect section references.

Summary

• Return Error if any structured‑data control symbols appear in either ST or L.
• Comma (,)
  • ST (stateOrProvinceName) → Error.
  • L (localityName) → Allowed, no Warning.
• countryName / jurisdictionCountry must be ISO 3166‑1 alpha‑2 uppercase (MUST). This area is already covered by existing or upcoming ZLint checks (e_subj_country_not_uppercase, e_subject_country_name).

Alignment with the correct BR / RFC sections

• BR 3.2.2.1 (Identity): governs verification of organizational identity and address, including stateOrProvinceName and localityName.
• BR 7.1.4 and 7.1.4.1 (Name Forms / Name Encoding): define the general requirements for RDN structure and encoding.
• BR 7.1.2.7.x (Subscriber Certificate Profiles – IV / OV): contain the actual rules for stateOrProvinceName and localityName (e.g., presence conditions, verification requirements).
• RFC 5280 Section 4.1.2.6: requires each RDN value to be a single, human‑readable attribute.

Symbols indicating structured‑data contamination

If any of the following symbols appear in ST or L, the lint should return Error. These do not naturally occur in administrative place names and indicate JSON/KV/template residue.

Symbol	Typical non‑address usage	Explanation
=	key=value, attribute markup	Machine‑formatted strings like C=JP or ST=Tokyo.
:	JSON/YAML key: value	Structured separators.
{	JSON object start	JSON fragments.
}	JSON object end	Same as above.
[	Array syntax	[Tokyo, Osaka] is not a natural place name.
]	Array end	Same as above.
;	CSV / data separators	Not used in natural place names.
"	String literal delimiters	Indicates serialization residue.
|	Pipe delimiter	Machine‑only separators.
\\	Escape character	Residual artifacts such as \n.

Additional handling

• Comma (,) → Error in ST; Allowed in L (no Warning).
• Slash (/) → common in informal formatting; not treated as Error at this time.

Attribute groups

• countryName / jurisdictionCountry
  Must be ISO 3166‑1 alpha‑2 uppercase (MUST). Existing ZLint lints already address this area.
• stateOrProvinceName / jurisdictionStateOrProvince
  Error if any structured‑data symbols are present. Comma is also Error.
• localityName / jurisdictionLocality
  Error if structured‑data symbols are present. Comma is allowed.

Rationale

This approach aligns with the identity verification and subject name rules defined in BR 3.2.2.1, BR 7.1.4 / 7.1.4.1, and the subscriber subject attribute requirements in BR 7.1.2.7.x, as well as the RDN composition rules defined in RFC 5280 Section 4.1.2.6. It reliably detects high‑confidence structured‑data artifacts while avoiding false positives in valid locality formats.

Best regards,
ONO Fumiaki / 大野 文彰
SECOM Trust Systems CO., LTD.

[christopher-henderson]

Howdy @ONO-Fumiaki and @mcpherrinm.

I've whipped up an implementation of this lint at #1014. I would appreciate a smoke check that this makes sense to folks (and, yes, we already found five certs in the wild that fail this lint).

Thank you!

[ONO-Fumiaki]

Hello @christopher-henderson and @mcpherrinm
Thank you for the rapid implementation of this lint and for sharing the detection results from the test corpus.
I have reviewed the content of PR #1014 and it appears to align well with the proposed approach:

• Ensuring that stateOrProvinceName does not contain structured data or inappropriate symbols.
• Detecting machine-formatted characters (=, :, {}, [], ;, ", |, \\).

This approach minimizes false positives while reliably detecting structural issues.
Thank you again for your swift response.

Best regards,
ONO Fumiaki / 大野 文彰
SECOM Trust Systems CO., LTD.

[christopher-henderson]

Thank you @ONO-Fumiaki! The lint is merged and it will be included in the next release of ZLint.

[ONO-Fumiaki]

Hello @christopher-henderson ,

Thank you for implementing the lint for stateOrProvinceName.

One follow-up question:
This issue originally discussed both ST and L.
However, the current implementation appears to cover only ST.

Do you plan to extend the same structured‑data detection to localityName (L) as well?
If needed, I’m happy to open a separate issue for that enhancement.

[christopher-henderson]

Thank you for the catch @ONO-Fumiaki! Give #1015 a glance to see if that is precisely what you are looking for.

[ONO-Fumiaki]

Hello @christopher-henderson,

Thank you very much for your prompt response.
I reviewed #1015, and I can confirm that it precisely addresses the point I had in mind.
The extension of structured‑data detection to localityName (L) is now fully clear to me as well.
I sincerely appreciate your swift and thoughtful handling of this matter.