{
    "id": "S027",
    "name": "Validate mTLS client certificates before authentication",
    "description": "Ensure mTLS client certificates are properly validated and trusted before the certificate identity is used for any authentication or authorization decision. Verify that the certificate chains to a trusted CA, is within its validity window (not yet valid / not expired), is not revoked, carries the clientAuth Extended Key Usage, and that its subject/SAN matches the expected identity. A certificate merely issued by the right CA is not by itself proof of a specific principal.",
    "category": "security",
    "severity": "critical",
    "enabled": true,
    "engines": ["heuristic"],
    "enginePreference": ["heuristic"],
    "tags": ["security", "mtls", "certificates", "authentication", "tls"],
    "examples": {
        "valid": [
            "const cert = req.socket.getPeerCertificate(); if (!req.socket.authorized || !cert.valid_to || !cert.issuer) throw new Error('Invalid cert'); // TLS layer must have verified the chain (requestCert: true, rejectUnauthorized: true); presence of fields alone is not validation, and identity still needs a SAN/subject check",
            "// Check certificate chain validation: have the TLS layer verify the chain against the trusted CA bundle (requestCert: true, rejectUnauthorized: true) and reject any request where socket.authorized is false",
            "// Verify the validity window: Date.parse(cert.valid_from) <= Date.now() && Date.now() < Date.parse(cert.valid_to) (valid_from/valid_to are date strings, so compare parsed timestamps, not the raw field)",
            "// Check certificate revocation via OCSP/CRL — chain validation alone does not cover revocation, so it must be checked explicitly"
        ],
        "invalid": [
            "const cert = req.socket.getPeerCertificate(); processRequest(cert.subject.CN); // No validation: getPeerCertificate() returns {} when no certificate was presented, and without chain verification the CN is whatever the client chose to put there",
            "// Accepting any certificate that chains to the trusted CA without checking its subject/SAN against the expected identity (every client issued by that CA is then treated as authorized)",
            "// Skipping revocation checks (a leaked or retired client key keeps working until the certificate expires)",
            "// Using the certificate CN as the identity instead of the SAN, or using it before the chain has been validated"
        ]
    },
    "fixable": false,
    "docs": {
        "description": "This rule ensures mTLS client certificates are properly validated before their identity is trusted. Validation includes: full chain validation up to a trusted root CA (preferably enforced by the TLS layer so that an unverified client fails the handshake rather than reaching application code), checking the certificate is within its validity window (neither expired nor not-yet-valid), checking it is not revoked via CRL/OCSP (not covered by chain validation and typically not performed by the TLS stack by default), confirming the subject/SAN matches the expected identity rather than accepting any certificate from the CA, and checking the Extended Key Usage includes clientAuth. In Node.js, getPeerCertificate() returns an empty object when no certificate was presented, so the application must also consult socket.authorized / socket.authorizationError rather than inspecting certificate fields alone.",
        "url": "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
    }
}
