Upgrade zlint v3.6.4 (#7897)

This brings in several new and useful lints. It also brings in one CABF
BR lint which we have to ignore in our default profile which includes
the Subject Key Identifier extension:
"w_ext_subject_key_identifier_not_recommended_subscriber". In our modern
profile which omits several fields, we have to ignore the opposite
RFC5280 lint "w_ext_subject_key_identifier_missing_sub_cert".

Release notes: https://github.com/zmap/zlint/releases/tag/v3.6.4
Changelog: https://github.com/zmap/zlint/compare/v3.6.0...v3.6.4
Note that the majority of the ~400 file changes are merely copyright
date changes.

The corresponding production config changes tracked in IN-10466 are
complete.

cmd/cert-checker/main_test.go

@@ -631,11 +631,11 @@ func TestIgnoredLint(t *testing.T) {
 		Expires: subjectCert.NotAfter,
 	}
 
-	// Without any ignored lints we expect one error level result due to the
-	// missing OCSP url in the template.
+	// Without any ignored lints we expect several errors and warnings about SCTs,
+	// the common name, and the subject key identifier extension.
 	expectedProblems := []string{
-		"zlint error: e_sub_cert_aia_does_not_contain_ocsp_url",
 		"zlint warn: w_subject_common_name_included",
+		"zlint warn: w_ext_subject_key_identifier_not_recommended_subscriber",
 		"zlint info: w_ct_sct_policy_count_unsatisfied Certificate had 0 embedded SCTs. Browser policy may require 2 for this certificate.",
 		"zlint error: e_scts_from_same_operator Certificate had too few embedded SCTs; browser policy requires 2.",
 	}
@@ -650,10 +650,10 @@ func TestIgnoredLint(t *testing.T) {
 	// Check the certificate again with an ignore map that excludes the affected
 	// lints. This should return no problems.
 	_, problems = checker.checkCert(context.Background(), cert, map[string]bool{
-		"e_sub_cert_aia_does_not_contain_ocsp_url": true,
-		"w_subject_common_name_included":           true,
-		"w_ct_sct_policy_count_unsatisfied":        true,
-		"e_scts_from_same_operator":                true,
+		"w_subject_common_name_included":                          true,
+		"w_ext_subject_key_identifier_not_recommended_subscriber": true,
+		"w_ct_sct_policy_count_unsatisfied":                       true,
+		"e_scts_from_same_operator":                               true,
 	})
 	test.AssertEquals(t, len(problems), 0)
 }

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 	github.com/weppos/publicsuffix-go v0.40.3-0.20240815124645-a8ed110559c9
 	github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c
-	github.com/zmap/zlint/v3 v3.6.0
+	github.com/zmap/zlint/v3 v3.6.4
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0
 	go.opentelemetry.io/otel v1.30.0

go.sum

@@ -267,8 +267,8 @@ github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL
 github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c h1:U1b4THKcgOpJ+kILupuznNwPiURtwVW3e9alJvji9+s=
 github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c/go.mod h1:GSDpFDD4TASObxvfZfvpZZ3OWHIUHMlhVWlkOe4ewVk=
 github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8=
-github.com/zmap/zlint/v3 v3.6.0 h1:vTEaDRtYN0d/1Ax60T+ypvbLQUHwHxbvYRnUMVr35ug=
-github.com/zmap/zlint/v3 v3.6.0/go.mod h1:NVgiIWssgzp0bNl8P4Gz94NHV2ep/4Jyj9V69uTmZyg=
+github.com/zmap/zlint/v3 v3.6.4 h1:r2kHfRF7mIsxW0IH4Og2iZnrlpCLTZBFjnXy1x/ZnZI=
+github.com/zmap/zlint/v3 v3.6.4/go.mod h1:KQLVUquVaO5YJDl5a4k/7RPIbIW2v66+sRoBPNZusI8=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0 h1:hCq2hNMwsegUvPzI7sPOvtO9cqyy5GbWt/Ybp2xrx8Q=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0/go.mod h1:LqaApwGx/oUmzsbqxkzuBvyoPpkxk3JQWnqfVrJ3wCA=

issuance/cert.go

@@ -105,18 +105,7 @@ func NewProfile(profileConfig *ProfileConfig) (*Profile, error) {
 		return nil, fmt.Errorf("validity period %q is too large", profileConfig.MaxValidityPeriod.Duration)
 	}
 
-	// TODO(#7756): These lint names don't yet exist in our current zlint v3.6.0 but exist in v3.6.2.
-	// In order to upgrade without throwing errors, we need to add these to our ignored lints.
-	// However, v3.6.0 will error if it sees ignored lints it doesn't recognize. Solution: filter
-	// out these specific lints. As part of the PR that updates to v3.6.2, we will remove this code.
-	var ignoredLints []string
-	for _, lintName := range profileConfig.IgnoredLints {
-		if lintName != "e_cab_dv_subject_invalid_values" && lintName != "w_ext_subject_key_identifier_not_recommended_subscriber" {
-			ignoredLints = append(ignoredLints, lintName)
-		}
-	}
-
-	lints, err := linter.NewRegistry(ignoredLints)
+	lints, err := linter.NewRegistry(profileConfig.IgnoredLints)
 	cmd.FailOnError(err, "Failed to create zlint registry")
 	if profileConfig.LintConfig != "" {
 		lintconfig, err := lint.NewConfigFromFile(profileConfig.LintConfig)

issuance/cert_test.go

@@ -387,11 +387,7 @@ func TestIssueCommonName(t *testing.T) {
 	fc.Set(time.Now())
 
 	prof := defaultProfileConfig()
-	prof.IgnoredLints = []string{
-		"w_subject_common_name_included",
-		"w_ct_sct_policy_count_unsatisfied",
-		"e_scts_from_same_operator",
-	}
+	prof.IgnoredLints = append(prof.IgnoredLints, "w_subject_common_name_included")
 	cnProfile, err := NewProfile(prof)
 	test.AssertNotError(t, err, "NewProfile failed")
 	signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc)
@@ -450,9 +446,12 @@ func TestIssueOmissions(t *testing.T) {
 	pc.OmitClientAuth = true
 	pc.OmitSKID = true
 	pc.IgnoredLints = []string{
-		"w_ext_subject_key_identifier_missing_sub_cert",
+		// Reduce the lint ignores to just the minimal (SCT-related) set.
 		"w_ct_sct_policy_count_unsatisfied",
 		"e_scts_from_same_operator",
+		// Ignore the warning about *not* including the SubjectKeyIdentifier extension:
+		// zlint has both lints (one enforcing RFC5280, the other the BRs).
+		"w_ext_subject_key_identifier_missing_sub_cert",
 	}
 	prof, err := NewProfile(pc)
 	test.AssertNotError(t, err, "building test profile")
@@ -529,7 +528,10 @@ func TestIssueSCTList(t *testing.T) {
 	test.AssertNotError(t, err, "failed to load log list")
 
 	pc := defaultProfileConfig()
-	pc.IgnoredLints = []string{}
+	pc.IgnoredLints = []string{
+		// Only ignore the SKID lint, i.e., don't ignore the "missing SCT" lints.
+		"w_ext_subject_key_identifier_not_recommended_subscriber",
+	}
 	enforceSCTsProfile, err := NewProfile(pc)
 	test.AssertNotError(t, err, "NewProfile failed")
 	signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc)
@@ -754,11 +756,7 @@ func TestMismatchedProfiles(t *testing.T) {
 	test.AssertNotError(t, err, "NewIssuer failed")
 
 	pc := defaultProfileConfig()
-	pc.IgnoredLints = []string{
-		"w_subject_common_name_included",
-		"w_ct_sct_policy_count_unsatisfied",
-		"e_scts_from_same_operator",
-	}
+	pc.IgnoredLints = append(pc.IgnoredLints, "w_subject_common_name_included")
 	cnProfile, err := NewProfile(pc)
 	test.AssertNotError(t, err, "NewProfile failed")
 
@@ -782,10 +780,6 @@ func TestMismatchedProfiles(t *testing.T) {
 	// Create a new profile that differs slightly (no common name)
 	pc = defaultProfileConfig()
 	pc.AllowCommonName = false
-	pc.IgnoredLints = []string{
-		"w_ct_sct_policy_count_unsatisfied",
-		"e_scts_from_same_operator",
-	}
 	test.AssertNotError(t, err, "building test lint registry")
 	noCNProfile, err := NewProfile(pc)
 	test.AssertNotError(t, err, "NewProfile failed")

issuance/issuer_test.go

@@ -28,8 +28,12 @@ func defaultProfileConfig() *ProfileConfig {
 		MaxValidityPeriod:   config.Duration{Duration: time.Hour},
 		MaxValidityBackdate: config.Duration{Duration: time.Hour},
 		IgnoredLints: []string{
+			// Ignore the two SCT lints because these tests don't get SCTs.
 			"w_ct_sct_policy_count_unsatisfied",
 			"e_scts_from_same_operator",
+			// Ignore the warning about including the SubjectKeyIdentifier extension:
+			// we include it on purpose, but plan to remove it soon.
+			"w_ext_subject_key_identifier_not_recommended_subscriber",
 		},
 	}
 }

test/config-next/ca.json

@@ -51,7 +51,7 @@
 					"lintConfig": "test/config-next/zlint.toml",
 					"ignoredLints": [
 						"w_subject_common_name_included",
-						"w_sub_cert_aia_contains_internal_names"
+						"w_ext_subject_key_identifier_not_recommended_subscriber"
 					]
 				},
 				"modern": {
@@ -64,8 +64,7 @@
 					"maxValidityBackdate": "1h5m",
 					"lintConfig": "test/config-next/zlint.toml",
 					"ignoredLints": [
-						"w_ext_subject_key_identifier_missing_sub_cert",
-						"w_sub_cert_aia_contains_internal_names"
+						"w_ext_subject_key_identifier_missing_sub_cert"
 					]
 				}
 			},

test/config-next/cert-checker.json

@@ -14,7 +14,8 @@
 		],
 		"ignoredLints": [
 			"w_subject_common_name_included",
-			"w_sub_cert_aia_contains_internal_names"
+			"w_ext_subject_key_identifier_missing_sub_cert",
+			"w_ext_subject_key_identifier_not_recommended_subscriber"
 		],
 		"ctLogListFile": "test/ct-test-srv/log_list.json",
 		"features": {

test/config/ca.json

@@ -128,7 +128,7 @@
 			"lintConfig": "test/config/zlint.toml",
 			"ignoredLints": [
 				"w_subject_common_name_included",
-				"w_sub_cert_aia_contains_internal_names"
+				"w_ext_subject_key_identifier_not_recommended_subscriber"
 			]
 		},
 		"expiry": "7776000s",

test/config/cert-checker.json

@@ -17,7 +17,7 @@
 		],
 		"ignoredLints": [
 			"w_subject_common_name_included",
-			"w_sub_cert_aia_contains_internal_names"
+			"w_ext_subject_key_identifier_not_recommended_subscriber"
 		]
 	},
 	"pa": {

vendor/github.com/zmap/zlint/v3/LICENSE

@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2020 Regents of the University of Michigan
+   Copyright 2024 Regents of the University of Michigan
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

vendor/github.com/zmap/zlint/v3/lint/base.go

@@ -1,7 +1,7 @@
 package lint
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -221,7 +221,10 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
 	if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
 		return &LintResult{Status: NA}
 	}
-	if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
+	if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {
+		return &LintResult{Status: NA}
+	}
+	if l.Source == CABFCSBaselineRequirements && !util.IsCodeSigning(cert.PolicyIdentifiers) {
 		return &LintResult{Status: NA}
 	}
 	lint := l.Lint()

vendor/github.com/zmap/zlint/v3/lint/configuration.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lint/global_configurations.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lint/profile.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lint/registration.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lint/result.go

@@ -1,7 +1,7 @@
 package lint
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lint/source.go

@@ -7,7 +7,7 @@ import (
 )
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -32,8 +32,10 @@ const (
 	RFC5280                       LintSource = "RFC5280"
 	RFC5480                       LintSource = "RFC5480"
 	RFC5891                       LintSource = "RFC5891"
+	RFC6962                       LintSource = "RFC6962"
 	RFC8813                       LintSource = "RFC8813"
 	CABFBaselineRequirements      LintSource = "CABF_BR"
+	CABFCSBaselineRequirements    LintSource = "CABF_CS_BR"
 	CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR"
 	CABFEVGuidelines              LintSource = "CABF_EV"
 	MozillaRootStorePolicy        LintSource = "Mozilla"
@@ -51,7 +53,7 @@ func (s *LintSource) UnmarshalJSON(data []byte) error {
 	}
 
 	switch LintSource(throwAway) {
-	case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi:
+	case RFC8813, RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi, RFC6962:
 		*s = LintSource(throwAway)
 		return nil
 	default:
@@ -75,6 +77,8 @@ func (s *LintSource) FromString(src string) {
 		*s = RFC5480
 	case RFC5891:
 		*s = RFC5891
+	case RFC8813:
+		*s = RFC8813
 	case CABFBaselineRequirements:
 		*s = CABFBaselineRequirements
 	case CABFEVGuidelines:
@@ -87,6 +91,8 @@ func (s *LintSource) FromString(src string) {
 		*s = AppleRootStorePolicy
 	case Community:
 		*s = Community
+	case RFC6962:
+		*s = RFC6962
 	case EtsiEsi:
 		*s = EtsiEsi
 	}

vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go

@@ -0,0 +1,78 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+	"net/url"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type bRAIACAIssuersHasHTTPOnly struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+id-ad-caIssuers
+1.3.6.1.5.5.7.48.2 uniformResourceIdentifier SHOULD  A HTTP URL of the
+Issuing CA’s certificate
+*************************************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_aia_ca_issuers_must_have_http_only",
+			Description:   "The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowed.",
+			Citation:      "BRs: 7.1.2.7.7",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewBRAIACAIssuersHasHTTPOnly,
+	})
+}
+
+func NewBRAIACAIssuersHasHTTPOnly() lint.LintInterface {
+	return &bRAIACAIssuersHasHTTPOnly{}
+}
+
+func (l *bRAIACAIssuersHasHTTPOnly) CheckApplies(c *x509.Certificate) bool {
+	return len(c.IssuingCertificateURL) > 0 && util.IsSubscriberCert(c)
+}
+
+func (l *bRAIACAIssuersHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult {
+	for _, u := range c.IssuingCertificateURL {
+		purl, err := url.Parse(u)
+		if err != nil {
+			return &lint.LintResult{Status: lint.Error, Details: "Could not parse caIssuers in AIA."}
+		}
+		if purl.Scheme != "http" {
+			return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in caIssuers of AIA, which is not allowed.", purl.Scheme)}
+		}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go

@@ -0,0 +1,113 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+
+	"github.com/zmap/zcrypto/encoding/asn1"
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type bRAIAAccessMethodAllowed struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+Each AccessDescription MUST only contain a permitted accessMethod, as detailed below,
+and each accessLocation MUST be encoded as the specified GeneralName type.
+
+This lint checks that only the id-ad-ocsp or id-ad-caIssuers accessMethod is present
+and that the value is a uniformResourceIdentifier GeneralName.
+
+GeneralName ::= CHOICE {
+     otherName                 [0]  AnotherName,
+     rfc822Name                [1]  IA5String,
+     dNSName                   [2]  IA5String,
+     x400Address               [3]  ORAddress,
+     directoryName             [4]  Name,
+     ediPartyName              [5]  EDIPartyName,
+     uniformResourceIdentifier [6]  IA5String,
+     iPAddress                 [7]  OCTET STRING,
+     registeredID              [8]  OBJECT IDENTIFIER }
+*************************************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_aia_must_contain_permitted_access_method",
+			Description:   "The AIA must contain only the id-ad-ocsp or id-ad-caIssuers accessMethod. Others are not allowed. Also, each accessLocation MUST be encoded as uniformResourceIdentifier GeneralName.",
+			Citation:      "BRs: 7.1.2.7.7",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewBRAIAAccessMethodAllowed,
+	})
+}
+
+func NewBRAIAAccessMethodAllowed() lint.LintInterface {
+	return &bRAIAAccessMethodAllowed{}
+}
+
+func (l *bRAIAAccessMethodAllowed) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID)
+}
+
+func (l *bRAIAAccessMethodAllowed) Execute(c *x509.Certificate) *lint.LintResult {
+
+	// see x509.go
+	for _, ext := range c.Extensions {
+		if ext.Id.Equal(util.AiaOID) {
+			var aia []authorityInfoAccess
+			_, err := asn1.Unmarshal(ext.Value, &aia)
+			if err != nil {
+				return &lint.LintResult{Status: lint.Fatal}
+			}
+			for _, v := range aia {
+				if v.Location.Tag != 6 {
+					return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate has an invalid GeneralName with tag %d in an accessLocation.", v.Location.Tag)}
+				}
+
+				if !(v.Method.Equal(idAdCaIssuers) || v.Method.Equal(idAdOCSP)) {
+					return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate has an invalid accessMethod with OID %s.", v.Method)}
+				}
+			}
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}
+
+type authorityInfoAccess struct {
+	Method   asn1.ObjectIdentifier
+	Location asn1.RawValue
+}
+
+var (
+	idAdOCSP      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
+	idAdCaIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
+)

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go

@@ -0,0 +1,78 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+	"net/url"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type bRAIAOCSPHasHTTPOnly struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+id-ad-ocsp
+1.3.6.1.5.5.7.48.1 uniformResourceIdentifier MUST  A HTTP URL of the
+Issuing CA’s OCSP  responder.
+*************************************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_aia_ocsp_must_have_http_only",
+			Description:   "The id-ad-ocsp accessMethod must contain an HTTP URL of the of the Issuing CA’s OCSP responder. Other schemes are not allowed.",
+			Citation:      "BRs: 7.1.2.7.7",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewBRAIAOCSPHasHTTPOnly,
+	})
+}
+
+func NewBRAIAOCSPHasHTTPOnly() lint.LintInterface {
+	return &bRAIAOCSPHasHTTPOnly{}
+}
+
+func (l *bRAIAOCSPHasHTTPOnly) CheckApplies(c *x509.Certificate) bool {
+	return len(c.OCSPServer) > 0 && util.IsSubscriberCert(c)
+}
+
+func (l *bRAIAOCSPHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult {
+	for _, u := range c.OCSPServer {
+		purl, err := url.Parse(u)
+		if err != nil {
+			return &lint.LintResult{Status: lint.Error, Details: "Could not parse OCSP URL in AIA."}
+		}
+		if purl.Scheme != "http" {
+			return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in OCSP URL of AIA, which is not allowed.", purl.Scheme)}
+		}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_unique_locations.go

@@ -0,0 +1,89 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type bRAIAAccessLocationUnique struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+When multiple AccessDescriptions are present with the same accessMethod,
+each accessLocation MUST be unique.
+*************************************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_aia_unique_access_locations",
+			Description:   "When multiple AccessDescriptions are present with the same accessMethod in the AIA extension, then each accessLocation MUST be unique.",
+			Citation:      "BRs: 7.1.2.7.7",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewBRAIAAccessLocationUnique,
+	})
+}
+
+func NewBRAIAAccessLocationUnique() lint.LintInterface {
+	return &bRAIAAccessLocationUnique{}
+}
+
+func (l *bRAIAAccessLocationUnique) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c) && (len(c.IssuingCertificateURL) > 0 || len(c.OCSPServer) > 0)
+}
+
+func (l *bRAIAAccessLocationUnique) Execute(c *x509.Certificate) *lint.LintResult {
+
+	ocspURLs := make([]string, 0)
+	for _, url := range c.OCSPServer {
+		for _, foundURL := range ocspURLs {
+			if strings.EqualFold(url, foundURL) {
+				return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("accessLocation with URL %s is found more than once in OCSP URLs", url)}
+			}
+		}
+		ocspURLs = append(ocspURLs, url)
+	}
+
+	issuingCertificateURLs := make([]string, 0)
+	for _, url := range c.IssuingCertificateURL {
+		for _, foundURL := range issuingCertificateURLs {
+			if strings.EqualFold(url, foundURL) {
+				return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("accessLocation with URL %s is found more than once in caIssuers URLs", url)}
+			}
+		}
+		issuingCertificateURLs = append(issuingCertificateURLs, url)
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_invalid_eku.go

@@ -0,0 +1,81 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <asantoni64@gmail.com>
+ */
+
+package cabf_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"fmt"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_ca_invalid_eku",
+			Description:   "Checks that SubCA certificates do not contain forbidden values in their EKU extension.",
+			Citation:      "CABF BRs §7.1.2",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABFBRs_1_7_1_Date,
+		},
+		Lint: NewCaInvalidEKU,
+	})
+}
+
+type caInvalidEKU struct{}
+
+func NewCaInvalidEKU() lint.LintInterface {
+	return &caInvalidEKU{}
+}
+
+// This lint applies to any SubCA certificate to which the CABF BRs are applicable and which contains
+// the EKU extension. Given that the lint source is lint.CABFBaselineRequirements, if we arrive here
+// it's been already checked that the certificate falls within the purview of the CABF BRs.
+func (l *caInvalidEKU) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubCA(c) && len(c.ExtKeyUsage) != 0
+}
+
+func (l *caInvalidEKU) Execute(c *x509.Certificate) *lint.LintResult {
+
+	// If the EKU contains anyExtendedKeyUsage, it's probably a cross-certicate
+	// In this case, the EKU must not contain any other value
+	if util.HasEKU(c, x509.ExtKeyUsageAny) && len(c.ExtKeyUsage) > 1 {
+		return &lint.LintResult{
+			Status:  lint.Error,
+			Details: "anyExtendedKeyUsage MUST NOT be accompanied by any other value in the EKU extension",
+		}
+	}
+
+	// If we get here, it is necessarily a SubCA with serverAuth in the EKU
+	for _, eku := range c.ExtKeyUsage {
+		if eku == x509.ExtKeyUsageEmailProtection ||
+			eku == x509.ExtKeyUsageCodeSigning ||
+			eku == x509.ExtKeyUsageTimeStamping ||
+			eku == x509.ExtKeyUsageOcspSigning {
+
+			return &lint.LintResult{
+				Status:  lint.Error,
+				Details: fmt.Sprintf("%s MUST not be present together with serverAuth in the EKU extension", util.GetEKUString(eku)),
+			}
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go

@@ -0,0 +1,77 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type dvSubjectInvalidValues struct{}
+
+/************************************************
+7.1.2.7.2 Domain Validated
+
+The following table details the acceptable AttributeTypes that may appear within the type
+field of an AttributeTypeAndValue, as well as the contents permitted within the value field.
+
+Table 35: Domain Validated subject Attributes
+
+countryName MAY The two‐letter ISO 3166‐1 country code for the country
+associated with the Subject. Section 3.2.2.3
+
+commonName NOT RECOMMENDED
+If present, MUST contain a value derived from the
+subjectAltName extension according to Section
+7.1.4.3.
+
+Any other attribute MUST NOT
+************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_cab_dv_subject_invalid_values",
+			Description:   "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.",
+			Citation:      "BRs: 7.1.2.7.2",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewDvSubjectInvalidValues,
+	})
+}
+
+func NewDvSubjectInvalidValues() lint.LintInterface {
+	return &dvSubjectInvalidValues{}
+}
+
+func (l *dvSubjectInvalidValues) CheckApplies(cert *x509.Certificate) bool {
+	return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && util.IsSubscriberCert(cert)
+}
+
+func (l *dvSubjectInvalidValues) Execute(cert *x509.Certificate) *lint.LintResult {
+	names := util.GetTypesInName(&cert.Subject)
+	for _, n := range names {
+		if n.Equal(util.CommonNameOID) || n.Equal(util.CountryNameOID) {
+			continue
+		}
+		return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("DV certificate contains the invalid attribute type %s", n)}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crl_distrib_points_not_http.go

@@ -0,0 +1,64 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <adriano.santoni@staff.aruba.it>
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"strings"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_crl_distrib_points_not_http",
+			Description:   "The scheme of each CRL Distribution Point MUST be 'http'",
+			Citation:      "CABF BRs §7.1.2.11.2",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABFBRs_2_0_0_Date,
+		},
+		Lint: NewCrlDistribPointsNotHTTP,
+	})
+}
+
+type crlDistribPointsNotHTTP struct{}
+
+func NewCrlDistribPointsNotHTTP() lint.LintInterface {
+	return &crlDistribPointsNotHTTP{}
+}
+
+func (l *crlDistribPointsNotHTTP) CheckApplies(c *x509.Certificate) bool {
+	return len(c.CRLDistributionPoints) > 0
+}
+
+func (l *crlDistribPointsNotHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+	for _, dp := range c.CRLDistributionPoints {
+		if !strings.HasPrefix(dp, "http:") {
+			return &lint.LintResult{
+				Status:  lint.Error,
+				Details: "Certificate contains a non-HTTP CRL distribution point",
+			}
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go

@@ -0,0 +1,79 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+	"github.com/zmap/zcrypto/encoding/asn1"
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zcrypto/x509/pkix"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_crlissuer_must_not_be_present_in_cdp",
+			Description:   "crlIssuer and/or Reason field MUST NOT be present in the CDP extension.",
+			Citation:      "BR Section 7.1.2.11.2",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewCrlissuerMustNotBePresentInCdp,
+	})
+}
+
+type CrlissuerMustNotBePresentInCdp struct{}
+
+func NewCrlissuerMustNotBePresentInCdp() lint.LintInterface {
+	return &CrlissuerMustNotBePresentInCdp{}
+}
+
+func (l *CrlissuerMustNotBePresentInCdp) CheckApplies(c *x509.Certificate) bool {
+	return c.CRLDistributionPoints != nil
+}
+
+func (l *CrlissuerMustNotBePresentInCdp) Execute(c *x509.Certificate) *lint.LintResult {
+
+	for _, ext := range c.Extensions {
+		if ext.Id.Equal(util.CrlDistOID) {
+			var cdp []distributionPoint
+			_, err := asn1.Unmarshal(ext.Value, &cdp)
+			if err != nil {
+				return &lint.LintResult{Status: lint.Fatal}
+			}
+			for _, dp := range cdp {
+				if (len(dp.CRLIssuer.Bytes) > 0) || (len(dp.Reason.Bytes) > 0) {
+					return &lint.LintResult{Status: lint.Error}
+				}
+
+			}
+
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}
+
+type distributionPoint struct {
+	DistributionPoint distributionPointName `asn1:"optional,tag:0"`
+	Reason            asn1.BitString        `asn1:"optional,tag:1"`
+	CRLIssuer         asn1.RawValue         `asn1:"optional,tag:2"`
+}
+
+type distributionPointName struct {
+	FullName     asn1.RawValue    `asn1:"optional,tag:0"`
+	RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -29,11 +29,12 @@ type dsaSubgroup struct{}
 func init() {
 	lint.RegisterCertificateLint(&lint.CertificateLint{
 		LintMetadata: lint.LintMetadata{
-			Name:          "e_dsa_correct_order_in_subgroup",
-			Description:   "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
-			Citation:      "BRs v1.7.0: 6.1.6",
-			Source:        lint.CABFBaselineRequirements,
-			EffectiveDate: util.CABEffectiveDate,
+			Name:            "e_dsa_correct_order_in_subgroup",
+			Description:     "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
+			Citation:        "BRs v1.7.0: 6.1.6",
+			Source:          lint.CABFBaselineRequirements,
+			EffectiveDate:   util.CABEffectiveDate,
+			IneffectiveDate: util.CABFBRs_1_7_1_Date,
 		},
 		Lint: NewDsaSubgroup,
 	})

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -31,8 +31,9 @@ func init() {
 			Description: "DSA modulus size must be at least 2048 bits",
 			Citation:    "BRs v1.7.0: 6.1.5",
 			// Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
-			Source:        lint.CABFBaselineRequirements,
-			EffectiveDate: util.ZeroDate,
+			Source:          lint.CABFBaselineRequirements,
+			EffectiveDate:   util.ZeroDate,
+			IneffectiveDate: util.CABFBRs_1_7_1_Date,
 		},
 		Lint: NewDsaTooShort,
 	})

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -29,11 +29,12 @@ type dsaUniqueCorrectRepresentation struct{}
 func init() {
 	lint.RegisterCertificateLint(&lint.CertificateLint{
 		LintMetadata: lint.LintMetadata{
-			Name:          "e_dsa_unique_correct_representation",
-			Description:   "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
-			Citation:      "BRs v1.7.0: 6.1.6",
-			Source:        lint.CABFBaselineRequirements,
-			EffectiveDate: util.CABEffectiveDate,
+			Name:            "e_dsa_unique_correct_representation",
+			Description:     "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
+			Citation:        "BRs v1.7.0: 6.1.6",
+			Source:          lint.CABFBaselineRequirements,
+			EffectiveDate:   util.CABEffectiveDate,
+			IneffectiveDate: util.CABFBRs_1_7_1_Date,
 		},
 		Lint: NewDsaUniqueCorrectRepresentation,
 	})

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_duplicate_subject_attribs.go

@@ -0,0 +1,99 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <asantoni64@gmail.com>
+ */
+
+package cabf_br
+
+import (
+	"github.com/zmap/zcrypto/encoding/asn1"
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zcrypto/x509/pkix"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"fmt"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_duplicate_subject_attribs",
+			Description:   "Each Name MUST NOT contain more than one instance of a given AttributeTypeAndValue across all RDNs",
+			Citation:      "CABF BRs 7.1.4.1",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABFBRs_2_0_0_Date,
+		},
+		Lint: NewDuplicateSubjectAttribs,
+	})
+}
+
+type duplicateSubjectAttribs struct{}
+
+func NewDuplicateSubjectAttribs() lint.LintInterface {
+	return &duplicateSubjectAttribs{}
+}
+
+func (l *duplicateSubjectAttribs) CheckApplies(c *x509.Certificate) bool {
+	return true
+}
+
+// The domainComponent and streetAddress attributes are exempt from
+// the single-instance requirement; organizationalUnitName would be too,
+// if it weren't for the fact that it has been deprecated.
+
+var singleInstanceOIDs = map[string]string{
+	"1.3.6.1.4.1.311.60.2.1.1": "jurisdictionLocality",
+	"1.3.6.1.4.1.311.60.2.1.2": "jurisdictionStateOrProvince",
+	"1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountry",
+	"2.5.4.3":                  "commonName",
+	"2.5.4.4":                  "surname",
+	"2.5.4.5":                  "serialNumber",
+	"2.5.4.6":                  "countryName",
+	"2.5.4.7":                  "localityName",
+	"2.5.4.8":                  "stateOrProvinceName",
+	"2.5.4.10":                 "organizationName",
+	"2.5.4.15":                 "businessCategory",
+	"2.5.4.42":                 "givenName",
+	"2.5.4.97":                 "organizationIdentifier",
+}
+
+func (l *duplicateSubjectAttribs) Execute(c *x509.Certificate) *lint.LintResult {
+
+	var subject pkix.RDNSequence
+	if _, err := asn1.Unmarshal(c.RawSubject, &subject); err != nil {
+		return &lint.LintResult{Status: lint.Fatal}
+	}
+
+	foundOIDs := make(map[string]bool)
+
+	for _, rdn := range subject {
+		for _, ava := range rdn {
+			oid := fmt.Sprint(ava.Type)
+			name, mustBeSingle := singleInstanceOIDs[oid]
+			_, alreadySeen := foundOIDs[oid]
+			if mustBeSingle && alreadySeen {
+				return &lint.LintResult{
+					Status:  lint.Error,
+					Details: fmt.Sprintf("Multiple instances of '%s' are NOT allowed in the Subject", name),
+				}
+			}
+			foundOIDs[oid] = true
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_invalid_cps_uri.go

@@ -0,0 +1,74 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <adriano.santoni@staff.aruba.it>
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"net/url"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_invalid_cps_uri",
+			Description:   "If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL",
+			Citation:      "CABF BR 7.1.2 (several subsections thereof)",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABFBRs_2_0_0_Date,
+		},
+		Lint: NewInvalidCPSUri,
+	})
+}
+
+type invalidCPSUri struct{}
+
+func NewInvalidCPSUri() lint.LintInterface {
+	return &invalidCPSUri{}
+}
+
+func (l *invalidCPSUri) CheckApplies(c *x509.Certificate) bool {
+	return util.IsExtInCert(c, util.CertPolicyOID)
+}
+
+func isValidHttpOrHttpsURL(input string) bool {
+	parsedURL, err := url.Parse(input)
+	if err != nil {
+		return false
+	}
+
+	scheme := parsedURL.Scheme
+	return scheme == "http" || scheme == "https"
+}
+
+func (l *invalidCPSUri) Execute(c *x509.Certificate) *lint.LintResult {
+	// There should normally be just one CPS URI, but one never knows...
+	for _, pol := range c.CPSuri {
+		for _, uri := range pol {
+			if !isValidHttpOrHttpsURL(uri) {
+				return &lint.LintResult{Status: lint.Error}
+			}
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go

@@ -0,0 +1,52 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type eKUCrit struct{}
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_eku_critical",
+			Description:   "Subscriber Certificate extkeyUsage extension MUST NOT be marked critical",
+			Citation:      "BRs: 7.1.2.7.6",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewEKUCrit,
+	})
+}
+
+func NewEKUCrit() lint.LintInterface {
+	return &eKUCrit{}
+}
+
+func (l *eKUCrit) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.EkuSynOid)
+}
+
+func (l *eKUCrit) Execute(c *x509.Certificate) *lint.LintResult {
+	if e := util.GetExtFromCert(c, util.EkuSynOid); e.Critical {
+		return &lint.LintResult{Status: lint.Error}
+	} else {
+		return &lint.LintResult{Status: lint.Pass}
+	}
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go

@@ -0,0 +1,70 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type subjectKeyIdNotRecommendedSubscriber struct{}
+
+/**********************************************************************
+RFC5280 suggested the addition of SKI extension, but CABF BR SC62
+marked the extension as NOT RECOMMENDED for subscriber certificates
+
+Warning:
+Users of zlint will trigger either
+`w_ext_subject_key_identifier_not_recommended_subscriber` (this lint)
+or `w_ext_subject_key_identifier_missing_sub_cert` the one enforcing
+RFC5280's behavior.
+
+Users are expected to specifically ignore one or the other lint
+depending on which one apply to them.
+
+See:
+ - https://github.com/zmap/zlint/issues/749
+ - https://github.com/zmap/zlint/issues/762
+**********************************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "w_ext_subject_key_identifier_not_recommended_subscriber",
+			Description:   "Subscriber certificates use of Subject Key Identifier is NOT RECOMMENDED",
+			Citation:      "BRs v2: 7.1.2.7.6",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewSubjectKeyIdNotRecommendedSubscriber,
+	})
+}
+
+func NewSubjectKeyIdNotRecommendedSubscriber() lint.LintInterface {
+	return &subjectKeyIdNotRecommendedSubscriber{}
+}
+
+func (l *subjectKeyIdNotRecommendedSubscriber) CheckApplies(cert *x509.Certificate) bool {
+	return util.IsSubscriberCert(cert)
+}
+
+func (l *subjectKeyIdNotRecommendedSubscriber) Execute(cert *x509.Certificate) *lint.LintResult {
+	if util.IsExtInCert(cert, util.SubjectKeyIdentityOID) {
+		return &lint.LintResult{Status: lint.Warn}
+	} else {
+		return &lint.LintResult{Status: lint.Pass}
+	}
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go

@@ -0,0 +1,145 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <adriano.santoni@staff.aruba.it>
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+	"crypto/x509/pkix"
+	"encoding/asn1"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_invalid_subject_rdn_order",
+			Description:   "Subject field attributes (RDNs) SHALL be encoded in a specific order",
+			Citation:      "BRs: 7.1.4.2",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABFBRs_2_0_0_Date,
+		},
+		Lint: NewInvalidSubjectRDNOrder,
+	})
+}
+
+type invalidSubjectRDNOrder struct{}
+
+func NewInvalidSubjectRDNOrder() lint.LintInterface {
+	return &invalidSubjectRDNOrder{}
+}
+
+func (l *invalidSubjectRDNOrder) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c)
+}
+
+func getShortOIDName(oid string) string {
+	switch oid {
+	case "0.9.2342.19200300.100.1.25":
+		return "DC"
+	case "2.5.4.6":
+		return "C"
+	case "2.5.4.8":
+		return "ST"
+	case "2.5.4.7":
+		return "L"
+	case "2.5.4.17":
+		return "postalCode"
+	case "2.5.4.9":
+		return "street"
+	case "2.5.4.10":
+		return "O"
+	case "2.5.4.4":
+		return "SN"
+	case "2.5.4.42":
+		return "givenName"
+	case "2.5.4.11":
+		return "OU"
+	case "2.5.4.3":
+		return "CN"
+	default:
+		return ""
+	}
+}
+
+func findElement(arr []string, target string) (int, bool) {
+	for i, value := range arr {
+		if value == target {
+			return i, true
+		}
+	}
+	return -1, false
+}
+
+func checkOrder(actualOrder []string, expectedOrder []string) bool {
+	var prevPosition int
+	prevPosition = 0
+
+	for _, targetElement := range actualOrder {
+		position, found := findElement(expectedOrder, targetElement)
+		if found {
+			if position < prevPosition {
+				return false
+			}
+			prevPosition = position
+		}
+	}
+	return true
+}
+
+func checkSubjectRDNOrder(cert *x509.Certificate) bool {
+
+	rawSubject := cert.RawSubject
+
+	var rdnSequence pkix.RDNSequence
+	_, err := asn1.Unmarshal(rawSubject, &rdnSequence)
+	if err != nil {
+		return false
+	}
+
+	var rdnOrder []string
+
+	for _, rdn := range rdnSequence {
+		for _, atv := range rdn {
+			rdnShortName := getShortOIDName(atv.Type.String())
+			if rdnShortName != "" {
+				rdnOrder = append(rdnOrder, rdnShortName)
+			}
+		}
+	}
+
+	// Expected order of RDNs as per CABF BR section 7.1.4.2
+	expectedRDNOrder := []string{"DC", "C", "ST", "L", "postalCode", "street", "O", "SN", "givenName", "OU", "CN"}
+
+	return checkOrder(rdnOrder, expectedRDNOrder)
+}
+
+func (l *invalidSubjectRDNOrder) Execute(c *x509.Certificate) *lint.LintResult {
+
+	var out lint.LintResult
+
+	if checkSubjectRDNOrder(c) {
+		out.Status = lint.Pass
+	} else {
+		out.Status = lint.Error
+	}
+	return &out
+}

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go

@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy

vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go

@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy