diff --git a/cmd/cert-checker/main_test.go b/cmd/cert-checker/main_test.go index 1dc560936..137b05767 100644 --- a/cmd/cert-checker/main_test.go +++ b/cmd/cert-checker/main_test.go @@ -631,11 +631,11 @@ func TestIgnoredLint(t *testing.T) { Expires: subjectCert.NotAfter, } - // Without any ignored lints we expect one error level result due to the - // missing OCSP url in the template. + // Without any ignored lints we expect several errors and warnings about SCTs, + // the common name, and the subject key identifier extension. expectedProblems := []string{ - "zlint error: e_sub_cert_aia_does_not_contain_ocsp_url", "zlint warn: w_subject_common_name_included", + "zlint warn: w_ext_subject_key_identifier_not_recommended_subscriber", "zlint info: w_ct_sct_policy_count_unsatisfied Certificate had 0 embedded SCTs. Browser policy may require 2 for this certificate.", "zlint error: e_scts_from_same_operator Certificate had too few embedded SCTs; browser policy requires 2.", } @@ -650,10 +650,10 @@ func TestIgnoredLint(t *testing.T) { // Check the certificate again with an ignore map that excludes the affected // lints. This should return no problems. _, problems = checker.checkCert(context.Background(), cert, map[string]bool{ - "e_sub_cert_aia_does_not_contain_ocsp_url": true, - "w_subject_common_name_included": true, - "w_ct_sct_policy_count_unsatisfied": true, - "e_scts_from_same_operator": true, + "w_subject_common_name_included": true, + "w_ext_subject_key_identifier_not_recommended_subscriber": true, + "w_ct_sct_policy_count_unsatisfied": true, + "e_scts_from_same_operator": true, }) test.AssertEquals(t, len(problems), 0) } diff --git a/go.mod b/go.mod index 1352f46b1..7fe20a612 100644 --- a/go.mod +++ b/go.mod 
@@ -29,7 +29,7 @@ require (
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 github.com/weppos/publicsuffix-go v0.40.3-0.20240815124645-a8ed110559c9
 github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c
- github.com/zmap/zlint/v3 v3.6.0
+ github.com/zmap/zlint/v3 v3.6.4
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0
 go.opentelemetry.io/otel v1.30.0
diff --git a/go.sum b/go.sum
index 390afaf5d..fbe821ed7 100644
--- a/go.sum
+++ b/go.sum
@@ -267,8 +267,8 @@ github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL
 github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c h1:U1b4THKcgOpJ+kILupuznNwPiURtwVW3e9alJvji9+s=
 github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c/go.mod h1:GSDpFDD4TASObxvfZfvpZZ3OWHIUHMlhVWlkOe4ewVk=
 github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8=
-github.com/zmap/zlint/v3 v3.6.0 h1:vTEaDRtYN0d/1Ax60T+ypvbLQUHwHxbvYRnUMVr35ug=
-github.com/zmap/zlint/v3 v3.6.0/go.mod h1:NVgiIWssgzp0bNl8P4Gz94NHV2ep/4Jyj9V69uTmZyg=
+github.com/zmap/zlint/v3 v3.6.4 h1:r2kHfRF7mIsxW0IH4Og2iZnrlpCLTZBFjnXy1x/ZnZI=
+github.com/zmap/zlint/v3 v3.6.4/go.mod h1:KQLVUquVaO5YJDl5a4k/7RPIbIW2v66+sRoBPNZusI8=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0 h1:hCq2hNMwsegUvPzI7sPOvtO9cqyy5GbWt/Ybp2xrx8Q=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0/go.mod h1:LqaApwGx/oUmzsbqxkzuBvyoPpkxk3JQWnqfVrJ3wCA=
diff --git a/issuance/cert.go b/issuance/cert.go
index 884ece7c4..0c97b1b84 100644
--- a/issuance/cert.go
+++ b/issuance/cert.go
@@ -105,18 +105,7 @@ func NewProfile(profileConfig *ProfileConfig) (*Profile, error) { return nil, fmt.Errorf("validity period %q is too large", profileConfig.MaxValidityPeriod.Duration) } - // TODO(#7756): These lint names don't yet exist in our current zlint v3.6.0 but exist in v3.6.2. - // In order to upgrade without throwing errors, we need to add these to our ignored lints. - // However, v3.6.0 will error if it sees ignored lints it doesn't recognize. Solution: filter - // out these specific lints. As part of the PR that updates to v3.6.2, we will remove this code. - var ignoredLints []string - for _, lintName := range profileConfig.IgnoredLints { - if lintName != "e_cab_dv_subject_invalid_values" && lintName != "w_ext_subject_key_identifier_not_recommended_subscriber" { - ignoredLints = append(ignoredLints, lintName) - } - } - - lints, err := linter.NewRegistry(ignoredLints) + lints, err := linter.NewRegistry(profileConfig.IgnoredLints) cmd.FailOnError(err, "Failed to create zlint registry") if profileConfig.LintConfig != "" { lintconfig, err := lint.NewConfigFromFile(profileConfig.LintConfig) diff --git a/issuance/cert_test.go b/issuance/cert_test.go index 108ae76b3..80f8c5d46 100644 --- a/issuance/cert_test.go +++ b/issuance/cert_test.go @@ -387,11 +387,7 @@ func TestIssueCommonName(t *testing.T) { fc.Set(time.Now()) prof := defaultProfileConfig() - prof.IgnoredLints = []string{ - "w_subject_common_name_included", - "w_ct_sct_policy_count_unsatisfied", - "e_scts_from_same_operator", - } + prof.IgnoredLints = append(prof.IgnoredLints, "w_subject_common_name_included") cnProfile, err := NewProfile(prof) test.AssertNotError(t, err, "NewProfile failed") signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) 
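Review bot: With the filtering loop gone, any name in profileConfig.IgnoredLints that the vendored zlint does not recognize now reaches `cmd.FailOnError(err, "Failed to create zlint registry")` on the line right after the new `linter.NewRegistry(profileConfig.IgnoredLints)` call, which terminates the process instead of surfacing the problem through NewProfile's (*Profile, error) return the way the validity-period check just above does with `return nil, fmt.Errorf(...)`. A misspelled or stale ignored-lint name in a profile config is exactly the case the removed TODO block was working around, so returning the error lets the caller report which profile is at fault and keeps error handling consistent within the function: `if err != nil {` / `return nil, fmt.Errorf("creating zlint registry: %w", err)` / `}`. NewProfile continues outside the hunk, so confirm no caller depends on the fatal exit before changing it.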
@@ -450,9 +446,12 @@ func TestIssueOmissions(t *testing.T) { pc.OmitClientAuth = true pc.OmitSKID = true pc.IgnoredLints = []string{ - "w_ext_subject_key_identifier_missing_sub_cert", + // Reduce the lint ignores to just the minimal (SCT-related) set. "w_ct_sct_policy_count_unsatisfied", "e_scts_from_same_operator", + // Ignore the warning about *not* including the SubjectKeyIdentifier extension: + // zlint has both lints (one enforcing RFC5280, the other the BRs). + "w_ext_subject_key_identifier_missing_sub_cert", } prof, err := NewProfile(pc) test.AssertNotError(t, err, "building test profile") @@ -529,7 +528,10 @@ func TestIssueSCTList(t *testing.T) { test.AssertNotError(t, err, "failed to load log list") pc := defaultProfileConfig() - pc.IgnoredLints = []string{} + pc.IgnoredLints = []string{ + // Only ignore the SKID lint, i.e., don't ignore the "missing SCT" lints. + "w_ext_subject_key_identifier_not_recommended_subscriber", + } enforceSCTsProfile, err := NewProfile(pc) test.AssertNotError(t, err, "NewProfile failed") signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) @@ -754,11 +756,7 @@ func TestMismatchedProfiles(t *testing.T) { test.AssertNotError(t, err, "NewIssuer failed") pc := defaultProfileConfig() - pc.IgnoredLints = []string{ - "w_subject_common_name_included", - "w_ct_sct_policy_count_unsatisfied", - "e_scts_from_same_operator", - } + pc.IgnoredLints = append(pc.IgnoredLints, "w_subject_common_name_included") cnProfile, err := NewProfile(pc) test.AssertNotError(t, err, "NewProfile failed") @@ -782,10 +780,6 @@ func TestMismatchedProfiles(t *testing.T) { // Create a new profile that differs slightly (no common name) pc = defaultProfileConfig() pc.AllowCommonName = false - pc.IgnoredLints = []string{ - "w_ct_sct_policy_count_unsatisfied", - "e_scts_from_same_operator", - } test.AssertNotError(t, err, "building test lint registry") noCNProfile, err := NewProfile(pc) test.AssertNotError(t, err, "NewProfile failed") 
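Review bot: The new comment in TestIssueOmissions, `// Reduce the lint ignores to just the minimal (SCT-related) set.`, no longer describes the list it heads, since the same hunk keeps `w_ext_subject_key_identifier_missing_sub_cert` in that list three lines later. Suggest replacing it with `// Ignore the SCT lints (these tests get no SCTs) and, because OmitSKID is set above, the missing-SKID warning.` and dropping the "minimal" wording so the comment and the list agree. In the @@ -782 hunk of the same file, deleting the `pc.IgnoredLints = ...` assignment leaves the context line `test.AssertNotError(t, err, "building test lint registry")` checking an err whose last assignment is outside the hunk and apparently unrelated to lint-registry construction; it reads as a leftover that could be removed in the same cleanup, though that is an inference from what is visible here.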
diff --git a/issuance/issuer_test.go b/issuance/issuer_test.go index 7d1b39a4b..39e409fa0 100644 --- a/issuance/issuer_test.go +++ b/issuance/issuer_test.go @@ -28,8 +28,12 @@ func defaultProfileConfig() *ProfileConfig { MaxValidityPeriod: config.Duration{Duration: time.Hour}, MaxValidityBackdate: config.Duration{Duration: time.Hour}, IgnoredLints: []string{ + // Ignore the two SCT lints because these tests don't get SCTs. "w_ct_sct_policy_count_unsatisfied", "e_scts_from_same_operator", + // Ignore the warning about including the SubjectKeyIdentifier extension: + // we include it on purpose, but plan to remove it soon. + "w_ext_subject_key_identifier_not_recommended_subscriber", }, } } diff --git a/test/config-next/ca.json b/test/config-next/ca.json index 942bbb386..37f69f6bb 100644 --- a/test/config-next/ca.json +++ b/test/config-next/ca.json @@ -51,7 +51,7 @@ "lintConfig": "test/config-next/zlint.toml", "ignoredLints": [ "w_subject_common_name_included", - "w_sub_cert_aia_contains_internal_names" + "w_ext_subject_key_identifier_not_recommended_subscriber" ] }, "modern": { @@ -64,8 +64,7 @@ "maxValidityBackdate": "1h5m", "lintConfig": "test/config-next/zlint.toml", "ignoredLints": [ - "w_ext_subject_key_identifier_missing_sub_cert", - "w_sub_cert_aia_contains_internal_names" + "w_ext_subject_key_identifier_missing_sub_cert" ] } }, diff --git a/test/config-next/cert-checker.json b/test/config-next/cert-checker.json index 2f9844d4f..a4b760e20 100644 --- a/test/config-next/cert-checker.json +++ b/test/config-next/cert-checker.json @@ -14,7 +14,8 @@ ], "ignoredLints": [ "w_subject_common_name_included", - "w_sub_cert_aia_contains_internal_names" + "w_ext_subject_key_identifier_missing_sub_cert", + "w_ext_subject_key_identifier_not_recommended_subscriber" ], "ctLogListFile": "test/ct-test-srv/log_list.json", "features": { diff --git a/test/config/ca.json b/test/config/ca.json index d023ad101..809d626ac 100644 --- a/test/config/ca.json +++ b/test/config/ca.json 
@@ -128,7 +128,7 @@ "lintConfig": "test/config/zlint.toml", "ignoredLints": [ "w_subject_common_name_included", - "w_sub_cert_aia_contains_internal_names" + "w_ext_subject_key_identifier_not_recommended_subscriber" ] }, "expiry": "7776000s", diff --git a/test/config/cert-checker.json b/test/config/cert-checker.json index eb3d73cab..83ecca4f3 100644 --- a/test/config/cert-checker.json +++ b/test/config/cert-checker.json @@ -17,7 +17,7 @@ ], "ignoredLints": [ "w_subject_common_name_included", - "w_sub_cert_aia_contains_internal_names" + "w_ext_subject_key_identifier_not_recommended_subscriber" ] }, "pa": { diff --git a/vendor/github.com/zmap/zlint/v3/LICENSE b/vendor/github.com/zmap/zlint/v3/LICENSE index b209ae0fc..19a9b8a00 100644 --- a/vendor/github.com/zmap/zlint/v3/LICENSE +++ b/vendor/github.com/zmap/zlint/v3/LICENSE @@ -187,7 +187,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2020 Regents of the University of Michigan + Copyright 2024 Regents of the University of Michigan Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/vendor/github.com/zmap/zlint/v3/lint/base.go b/vendor/github.com/zmap/zlint/v3/lint/base.go index 9753d9bea..e572b27a5 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/base.go +++ b/vendor/github.com/zmap/zlint/v3/lint/base.go @@ -1,7 +1,7 @@ package lint /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -221,7 +221,10 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration) if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) { return &LintResult{Status: NA} } - if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) { + if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) { + return &LintResult{Status: NA} + } + if l.Source == CABFCSBaselineRequirements && !util.IsCodeSigning(cert.PolicyIdentifiers) { return &LintResult{Status: NA} } lint := l.Lint() diff --git a/vendor/github.com/zmap/zlint/v3/lint/configuration.go b/vendor/github.com/zmap/zlint/v3/lint/configuration.go index 0ace959be..9c60a97cb 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/configuration.go +++ b/vendor/github.com/zmap/zlint/v3/lint/configuration.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go b/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go index 0438fab33..4d7758441 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go +++ b/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go b/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go index 91d723606..273aaec9c 100644 
--- a/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go +++ b/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/profile.go b/vendor/github.com/zmap/zlint/v3/lint/profile.go index d94c94c03..20050b964 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/profile.go +++ b/vendor/github.com/zmap/zlint/v3/lint/profile.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/registration.go b/vendor/github.com/zmap/zlint/v3/lint/registration.go index 9e77ebf8c..d380b2218 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/registration.go +++ b/vendor/github.com/zmap/zlint/v3/lint/registration.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/result.go b/vendor/github.com/zmap/zlint/v3/lint/result.go index fe2a89d5c..5839fb0d3 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/result.go +++ b/vendor/github.com/zmap/zlint/v3/lint/result.go 
@@ -1,7 +1,7 @@ package lint /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/source.go b/vendor/github.com/zmap/zlint/v3/lint/source.go index e0b19d941..3cd0c3033 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/source.go +++ b/vendor/github.com/zmap/zlint/v3/lint/source.go @@ -7,7 +7,7 @@ import ( ) /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -32,8 +32,10 @@ const ( RFC5280 LintSource = "RFC5280" RFC5480 LintSource = "RFC5480" RFC5891 LintSource = "RFC5891" + RFC6962 LintSource = "RFC6962" RFC8813 LintSource = "RFC8813" CABFBaselineRequirements LintSource = "CABF_BR" + CABFCSBaselineRequirements LintSource = "CABF_CS_BR" CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR" CABFEVGuidelines LintSource = "CABF_EV" MozillaRootStorePolicy LintSource = "Mozilla" @@ -51,7 +53,7 @@ func (s *LintSource) UnmarshalJSON(data []byte) error { } switch LintSource(throwAway) { - case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi: + case RFC8813, RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi, RFC6962: *s = LintSource(throwAway) return nil default: 
@@ -75,6 +77,8 @@ func (s *LintSource) FromString(src string) { *s = RFC5480 case RFC5891: *s = RFC5891 + case RFC8813: + *s = RFC8813 case CABFBaselineRequirements: *s = CABFBaselineRequirements case CABFEVGuidelines: @@ -87,6 +91,8 @@ func (s *LintSource) FromString(src string) { *s = AppleRootStorePolicy case Community: *s = Community + case RFC6962: + *s = RFC6962 case EtsiEsi: *s = EtsiEsi } diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go index 0849f22bd..eba5da4a9 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go +++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go index 307b6f153..f67985de9 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go +++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go index eb0a22c8c..d1d6daa4b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go +++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go new file mode 100644 index 000000000..08bd9d233 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go 
@@ -0,0 +1,78 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "net/url" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type bRAIACAIssuersHasHTTPOnly struct{} + +/************************************************************************ +7.1.2.7.7 Subscriber Certificate Authority Information Access +The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each +AccessDescription MUST only contain a permitted accessMethod, as detailed below, and +each accessLocation MUST be encoded as the specified GeneralName type. +The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the +same accessMethod, if permitted for that accessMethod. When multiple +AccessDescriptions are present with the same accessMethod, each accessLocation +MUST be unique, and each AccessDescription MUST be ordered in priority for that +accessMethod, with the most‐preferred accessLocation being the first +AccessDescription. No ordering requirements are given for AccessDescriptions that +contain different accessMethods, provided that previous requirement is satisfied. 
+ +id-ad-caIssuers +1.3.6.1.5.5.7.48.2 uniformResourceIdentifier SHOULD A HTTP URL of the +Issuing CA’s certificate +*************************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_aia_ca_issuers_must_have_http_only", + Description: "The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowed.", + Citation: "BRs: 7.1.2.7.7", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewBRAIACAIssuersHasHTTPOnly, + }) +} + +func NewBRAIACAIssuersHasHTTPOnly() lint.LintInterface { + return &bRAIACAIssuersHasHTTPOnly{} +} + +func (l *bRAIACAIssuersHasHTTPOnly) CheckApplies(c *x509.Certificate) bool { + return len(c.IssuingCertificateURL) > 0 && util.IsSubscriberCert(c) +} + +func (l *bRAIACAIssuersHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult { + for _, u := range c.IssuingCertificateURL { + purl, err := url.Parse(u) + if err != nil { + return &lint.LintResult{Status: lint.Error, Details: "Could not parse caIssuers in AIA."} + } + if purl.Scheme != "http" { + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in caIssuers of AIA, which is not allowed.", purl.Scheme)} + } + } + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go new file mode 100644 index 000000000..ca7412408 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go 
@@ -0,0 +1,113 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + + "github.com/zmap/zcrypto/encoding/asn1" + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type bRAIAAccessMethodAllowed struct{} + +/************************************************************************ +7.1.2.7.7 Subscriber Certificate Authority Information Access +The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each +AccessDescription MUST only contain a permitted accessMethod, as detailed below, and +each accessLocation MUST be encoded as the specified GeneralName type. +The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the +same accessMethod, if permitted for that accessMethod. When multiple +AccessDescriptions are present with the same accessMethod, each accessLocation +MUST be unique, and each AccessDescription MUST be ordered in priority for that +accessMethod, with the most‐preferred accessLocation being the first +AccessDescription. No ordering requirements are given for AccessDescriptions that +contain different accessMethods, provided that previous requirement is satisfied. + +Each AccessDescription MUST only contain a permitted accessMethod, as detailed below, +and each accessLocation MUST be encoded as the specified GeneralName type. 
+ +This lint checks that only the id-ad-ocsp or id-ad-caIssuers accessMethod is present +and that the value is a uniformResourceIdentifier GeneralName. + +GeneralName ::= CHOICE { + otherName [0] AnotherName, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER } +*************************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_aia_must_contain_permitted_access_method", + Description: "The AIA must contain only the id-ad-ocsp or id-ad-caIssuers accessMethod. Others are not allowed. Also, each accessLocation MUST be encoded as uniformResourceIdentifier GeneralName.", + Citation: "BRs: 7.1.2.7.7", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewBRAIAAccessMethodAllowed, + }) +} + +func NewBRAIAAccessMethodAllowed() lint.LintInterface { + return &bRAIAAccessMethodAllowed{} +} + +func (l *bRAIAAccessMethodAllowed) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID) +} + +func (l *bRAIAAccessMethodAllowed) Execute(c *x509.Certificate) *lint.LintResult { + + // see x509.go + for _, ext := range c.Extensions { + if ext.Id.Equal(util.AiaOID) { + var aia []authorityInfoAccess + _, err := asn1.Unmarshal(ext.Value, &aia) + if err != nil { + return &lint.LintResult{Status: lint.Fatal} + } + for _, v := range aia { + if v.Location.Tag != 6 { + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate has an invalid GeneralName with tag %d in an accessLocation.", v.Location.Tag)} + } + + if !(v.Method.Equal(idAdCaIssuers) || v.Method.Equal(idAdOCSP)) { + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate 
has an invalid accessMethod with OID %s.", v.Method)} + } + } + } + } + + return &lint.LintResult{Status: lint.Pass} +} + +type authorityInfoAccess struct { + Method asn1.ObjectIdentifier + Location asn1.RawValue +} + +var ( + idAdOCSP = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1} + idAdCaIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2} +) diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go new file mode 100644 index 000000000..6b56e1779 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go 
@@ -0,0 +1,78 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "net/url" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type bRAIAOCSPHasHTTPOnly struct{} + +/************************************************************************ +7.1.2.7.7 Subscriber Certificate Authority Information Access +The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each +AccessDescription MUST only contain a permitted accessMethod, as detailed below, and +each accessLocation MUST be encoded as the specified GeneralName type. +The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the +same accessMethod, if permitted for that accessMethod. When multiple +AccessDescriptions are present with the same accessMethod, each accessLocation +MUST be unique, and each AccessDescription MUST be ordered in priority for that +accessMethod, with the most‐preferred accessLocation being the first +AccessDescription. No ordering requirements are given for AccessDescriptions that +contain different accessMethods, provided that previous requirement is satisfied. + +id-ad-ocsp +1.3.6.1.5.5.7.48.1 uniformResourceIdentifier MUST A HTTP URL of the +Issuing CA’s OCSP responder. 
+*************************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_aia_ocsp_must_have_http_only", + Description: "The id-ad-ocsp accessMethod must contain an HTTP URL of the of the Issuing CA’s OCSP responder. Other schemes are not allowed.", + Citation: "BRs: 7.1.2.7.7", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewBRAIAOCSPHasHTTPOnly, + }) +} + +func NewBRAIAOCSPHasHTTPOnly() lint.LintInterface { + return &bRAIAOCSPHasHTTPOnly{} +} + +func (l *bRAIAOCSPHasHTTPOnly) CheckApplies(c *x509.Certificate) bool { + return len(c.OCSPServer) > 0 && util.IsSubscriberCert(c) +} + +func (l *bRAIAOCSPHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult { + for _, u := range c.OCSPServer { + purl, err := url.Parse(u) + if err != nil { + return &lint.LintResult{Status: lint.Error, Details: "Could not parse OCSP URL in AIA."} + } + if purl.Scheme != "http" { + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in OCSP URL of AIA, which is not allowed.", purl.Scheme)} + } + } + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_unique_locations.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_unique_locations.go new file mode 100644 index 000000000..f176d35e4 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_unique_locations.go 
@@ -0,0 +1,89 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type bRAIAAccessLocationUnique struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+When multiple AccessDescriptions are present with the same accessMethod,
+each accessLocation MUST be unique.
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_aia_unique_access_locations",
+ Description: "When multiple AccessDescriptions are present with the same accessMethod in the AIA extension, then each accessLocation MUST be unique.",
+ Citation: "BRs: 7.1.2.7.7",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewBRAIAAccessLocationUnique,
+ })
+}
+
+func NewBRAIAAccessLocationUnique() lint.LintInterface {
+ return &bRAIAAccessLocationUnique{}
+}
+
+func (l *bRAIAAccessLocationUnique) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && (len(c.IssuingCertificateURL) > 0 || len(c.OCSPServer) > 0)
+}
+
+func (l *bRAIAAccessLocationUnique) Execute(c *x509.Certificate) *lint.LintResult {
+
+ ocspURLs := make([]string, 0)
+ for _, url := range c.OCSPServer {
+ for _, foundURL := range ocspURLs {
+ if strings.EqualFold(url, foundURL) {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("accessLocation with URL %s is found more than once in OCSP URLs", url)}
+ }
+ }
+ ocspURLs = append(ocspURLs, url)
+ }
+
+ issuingCertificateURLs := make([]string, 0)
+ for _, url := range c.IssuingCertificateURL {
+ for _, foundURL := range issuingCertificateURLs {
+ if strings.EqualFold(url, foundURL) {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("accessLocation with URL %s is found more than once in caIssuers URLs", url)}
+ }
+ }
+ issuingCertificateURLs = append(issuingCertificateURLs, url)
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go
index e72bb4d72..5e27380f9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go index 55d193329..dae179d2d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go index 5ed709a9e..fa97bd977 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go index ac68b3f07..8530f0941 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
index d525423c6..1d1f84be2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_invalid_eku.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_invalid_eku.go
new file mode 100644
index 000000000..d6b8ddea1
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_invalid_eku.go
@@ -0,0 +1,81 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "fmt"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_invalid_eku",
+ Description: "Checks that SubCA certificates do not contain forbidden values in their EKU extension.",
+ Citation: "CABF BRs §7.1.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_7_1_Date,
+ },
+ Lint: NewCaInvalidEKU,
+ })
+}
+
+type caInvalidEKU struct{}
+
+func NewCaInvalidEKU() lint.LintInterface {
+ return &caInvalidEKU{}
+}
+
+// This lint applies to any SubCA certificate to which the CABF BRs are applicable and which contains
+// the EKU extension. Given that the lint source is lint.CABFBaselineRequirements, if we arrive here
+// it's been already checked that the certificate falls within the purview of the CABF BRs.
+func (l *caInvalidEKU) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubCA(c) && len(c.ExtKeyUsage) != 0
+}
+
+func (l *caInvalidEKU) Execute(c *x509.Certificate) *lint.LintResult {
+
+ // If the EKU contains anyExtendedKeyUsage, it's probably a cross-certicate
+ // In this case, the EKU must not contain any other value
+ if util.HasEKU(c, x509.ExtKeyUsageAny) && len(c.ExtKeyUsage) > 1 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "anyExtendedKeyUsage MUST NOT be accompanied by any other value in the EKU extension",
+ }
+ }
+
+ // If we get here, it is necessarily a SubCA with serverAuth in the EKU
+ for _, eku := range c.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageEmailProtection ||
+ eku == x509.ExtKeyUsageCodeSigning ||
+ eku == x509.ExtKeyUsageTimeStamping ||
+ eku == x509.ExtKeyUsageOcspSigning {
+
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("%s MUST not be present together with serverAuth in the EKU extension", util.GetEKUString(eku)),
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go
index 3cd27d26f..eed504195 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go
index a1a94db28..481f08b66 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go index 2b7665061..0467c1c6f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go index c7e5226f4..eb19f2233 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go index 123ccad25..e8041fe92 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go index 62564f1da..393f2306e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go index 189f3edd9..8f849cf92 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go index d41ec7909..f982d5688 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go index 23a5377e8..b2a6f0c32 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go index a7ab3eb8f..0d9d87eff 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go 
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go
new file mode 100644
index 000000000..3563da7f0
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go
@@ -0,0 +1,77 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type dvSubjectInvalidValues struct{}
+
+/************************************************
+7.1.2.7.2 Domain Validated
+
+The following table details the acceptable AttributeTypes that may appear within the type
+field of an AttributeTypeAndValue, as well as the contents permitted within the value field.
+
+Table 35: Domain Validated subject Attributes
+
+countryName MAY The two‐letter ISO 3166‐1 country code for the country
+associated with the Subject. Section 3.2.2.3
+
+commonName NOT RECOMMENDED
+If present, MUST contain a value derived from the
+subjectAltName extension according to Section
+7.1.4.3.
+
+Any other attribute MUST NOT
+************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_dv_subject_invalid_values",
+ Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.",
+ Citation: "BRs: 7.1.2.7.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewDvSubjectInvalidValues,
+ })
+}
+
+func NewDvSubjectInvalidValues() lint.LintInterface {
+ return &dvSubjectInvalidValues{}
+}
+
+func (l *dvSubjectInvalidValues) CheckApplies(cert *x509.Certificate) bool {
+ return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && util.IsSubscriberCert(cert)
+}
+
+func (l *dvSubjectInvalidValues) Execute(cert *x509.Certificate) *lint.LintResult {
+ names := util.GetTypesInName(&cert.Subject)
+ for _, n := range names {
+ if n.Equal(util.CommonNameOID) || n.Equal(util.CountryNameOID) {
+ continue
+ }
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("DV certificate contains the invalid attribute type %s", n)}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go
index 5ccfb1297..32c016175 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go index a3f1035bc..7206ff712 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go index 2147fc446..a09416506 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go index 70aea45eb..470b1e125 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go index f851b8971..f05f8553e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go index cef1df45b..c146f90cd 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go
index 7c3562e8f..1cc761db0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go
index 85d9bc961..59dda9e4a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crl_distrib_points_not_http.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crl_distrib_points_not_http.go
new file mode 100644
index 000000000..54d041a2a
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crl_distrib_points_not_http.go
@@ -0,0 +1,64 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "strings"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_distrib_points_not_http",
+ Description: "The scheme of each CRL Distribution Point MUST be 'http'",
+ Citation: "CABF BRs §7.1.2.11.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewCrlDistribPointsNotHTTP,
+ })
+}
+
+type crlDistribPointsNotHTTP struct{}
+
+func NewCrlDistribPointsNotHTTP() lint.LintInterface {
+ return &crlDistribPointsNotHTTP{}
+}
+
+func (l *crlDistribPointsNotHTTP) CheckApplies(c *x509.Certificate) bool {
+ return len(c.CRLDistributionPoints) > 0
+}
+
+func (l *crlDistribPointsNotHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, dp := range c.CRLDistributionPoints {
+ if !strings.HasPrefix(dp, "http:") {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Certificate contains a non-HTTP CRL distribution point",
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go
new file mode 100644
index 000000000..739ed233d
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go
@@ -0,0 +1,79 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zcrypto/x509/pkix"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crlissuer_must_not_be_present_in_cdp",
+ Description: "crlIssuer and/or Reason field MUST NOT be present in the CDP extension.",
+ Citation: "BR Section 7.1.2.11.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewCrlissuerMustNotBePresentInCdp,
+ })
+}
+
+type CrlissuerMustNotBePresentInCdp struct{}
+
+func NewCrlissuerMustNotBePresentInCdp() lint.LintInterface {
+ return &CrlissuerMustNotBePresentInCdp{}
+}
+
+func (l *CrlissuerMustNotBePresentInCdp) CheckApplies(c *x509.Certificate) bool {
+ return c.CRLDistributionPoints != nil
+}
+
+func (l *CrlissuerMustNotBePresentInCdp) Execute(c *x509.Certificate) *lint.LintResult {
+
+ for _, ext := range c.Extensions {
+ if ext.Id.Equal(util.CrlDistOID) {
+ var cdp []distributionPoint
+ _, err := asn1.Unmarshal(ext.Value, &cdp)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Fatal}
+ }
+ for _, dp := range cdp {
+ if (len(dp.CRLIssuer.Bytes) > 0) || (len(dp.Reason.Bytes) > 0) {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ }
+
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+type distributionPoint struct {
+ DistributionPoint distributionPointName `asn1:"optional,tag:0"`
+ Reason asn1.BitString `asn1:"optional,tag:1"`
+ CRLIssuer asn1.RawValue `asn1:"optional,tag:2"`
+}
+
+type distributionPointName struct {
+ FullName asn1.RawValue `asn1:"optional,tag:0"`
+ RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go
index ea6472e59..db9546ebd 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go
index 7f4d6d3b0..4147d04ff 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go index 1169cbec1..ed3bcc871 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go index d60b6160e..61d46b556 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go index 834235f32..d2b0a0ac9 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go index dc2ddd5f3..aa6342c87 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go index c64677e99..9a7474b3c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go index f129b64a1..6d619e7b8 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go index e8e29a642..8bc682a9e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go index fdb69a6a6..0a0f1de67 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go index 03a7c4ab0..0384cf376 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go index 5d12c5779..30be62ff1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go index e8b09ea45..38a952117 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go index f0e28050f..6dc0a0dce 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -29,11 +29,12 @@ type dsaSubgroup struct{} func init() { lint.RegisterCertificateLint(&lint.CertificateLint{ LintMetadata: lint.LintMetadata{ - Name: "e_dsa_correct_order_in_subgroup", - Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", - Citation: "BRs v1.7.0: 6.1.6", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, + Name: "e_dsa_correct_order_in_subgroup", + Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", + Citation: "BRs v1.7.0: 6.1.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + IneffectiveDate: util.CABFBRs_1_7_1_Date, }, Lint: NewDsaSubgroup, }) 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go index d979b6dd1..83a497528 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go index 690a96039..bde8f0ee4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -31,8 +31,9 @@ func init() { Description: "DSA modulus size must be at least 2048 bits", Citation: "BRs v1.7.0: 6.1.5", // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.ZeroDate, + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.ZeroDate, + IneffectiveDate: util.CABFBRs_1_7_1_Date, }, Lint: NewDsaTooShort, }) 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go index 5016a83fc..cdb5019ff 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -29,11 +29,12 @@ type dsaUniqueCorrectRepresentation struct{} func init() { lint.RegisterCertificateLint(&lint.CertificateLint{ LintMetadata: lint.LintMetadata{ - Name: "e_dsa_unique_correct_representation", - Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", - Citation: "BRs v1.7.0: 6.1.6", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, + Name: "e_dsa_unique_correct_representation", + Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", + Citation: "BRs v1.7.0: 6.1.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + IneffectiveDate: util.CABFBRs_1_7_1_Date, }, Lint: NewDsaUniqueCorrectRepresentation, }) diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_duplicate_subject_attribs.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_duplicate_subject_attribs.go new file mode 100644 index 000000000..200e8362a --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_duplicate_subject_attribs.go 
@@ -0,0 +1,99 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/* + * Contributed by Adriano Santoni + */ + +package cabf_br + +import ( + "github.com/zmap/zcrypto/encoding/asn1" + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zcrypto/x509/pkix" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" + + "fmt" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_duplicate_subject_attribs", + Description: "Each Name MUST NOT contain more than one instance of a given AttributeTypeAndValue across all RDNs", + Citation: "CABF BRs 7.1.4.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_2_0_0_Date, + }, + Lint: NewDuplicateSubjectAttribs, + }) +} + +type duplicateSubjectAttribs struct{} + +func NewDuplicateSubjectAttribs() lint.LintInterface { + return &duplicateSubjectAttribs{} +} + +func (l *duplicateSubjectAttribs) CheckApplies(c *x509.Certificate) bool { + return true +} + +// The domainComponent and streetAddress attributes are exempt from +// the single-instance requirement; organizationalUnitName would be too, +// if it weren't for the fact that it has been deprecated. 
+
+var singleInstanceOIDs = map[string]string{
+ "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionLocality",
+ "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionStateOrProvince",
+ "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountry",
+ "2.5.4.3": "commonName",
+ "2.5.4.4": "surname",
+ "2.5.4.5": "serialNumber",
+ "2.5.4.6": "countryName",
+ "2.5.4.7": "localityName",
+ "2.5.4.8": "stateOrProvinceName",
+ "2.5.4.10": "organizationName",
+ "2.5.4.15": "businessCategory",
+ "2.5.4.42": "givenName",
+ "2.5.4.97": "organizationIdentifier",
+}
+
+func (l *duplicateSubjectAttribs) Execute(c *x509.Certificate) *lint.LintResult {
+
+ var subject pkix.RDNSequence
+ if _, err := asn1.Unmarshal(c.RawSubject, &subject); err != nil {
+ return &lint.LintResult{Status: lint.Fatal}
+ }
+
+ foundOIDs := make(map[string]bool)
+
+ for _, rdn := range subject {
+ for _, ava := range rdn {
+ oid := fmt.Sprint(ava.Type)
+ name, mustBeSingle := singleInstanceOIDs[oid]
+ _, alreadySeen := foundOIDs[oid]
+ if mustBeSingle && alreadySeen {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("Multiple instances of '%s' are NOT allowed in the Subject", name),
+ }
+ }
+ foundOIDs[oid] = true
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_invalid_cps_uri.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_invalid_cps_uri.go
new file mode 100644
index 000000000..a2c542d50
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_invalid_cps_uri.go
@@ -0,0 +1,74 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/* + * Contributed by Adriano Santoni + * of ACTALIS S.p.A. (www.actalis.com). + */ + +package cabf_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" + + "net/url" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_invalid_cps_uri", + Description: "If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL", + Citation: "CABF BR 7.1.2 (several subsections thereof)", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_2_0_0_Date, + }, + Lint: NewInvalidCPSUri, + }) +} + +type invalidCPSUri struct{} + +func NewInvalidCPSUri() lint.LintInterface { + return &invalidCPSUri{} +} + +func (l *invalidCPSUri) CheckApplies(c *x509.Certificate) bool { + return util.IsExtInCert(c, util.CertPolicyOID) +} + +func isValidHttpOrHttpsURL(input string) bool { + parsedURL, err := url.Parse(input) + if err != nil { + return false + } + + scheme := parsedURL.Scheme + return scheme == "http" || scheme == "https" +} + +func (l *invalidCPSUri) Execute(c *x509.Certificate) *lint.LintResult { + // There should normally be just one CPS URI, but one never knows... 
+ for _, pol := range c.CPSuri { + for _, uri := range pol { + if !isValidHttpOrHttpsURL(uri) { + return &lint.LintResult{Status: lint.Error} + } + } + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go index 2e6373828..ac887fa1d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go index 5c6c78012..4309c979a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go new file mode 100644 index 000000000..43a2f1394 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go 
@@ -0,0 +1,52 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type eKUCrit struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_eku_critical",
+ Description: "Subscriber Certificate extkeyUsage extension MUST NOT be marked critical",
+ Citation: "BRs: 7.1.2.7.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewEKUCrit,
+ })
+}
+
+func NewEKUCrit() lint.LintInterface {
+ return &eKUCrit{}
+}
+
+func (l *eKUCrit) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.EkuSynOid)
+}
+
+func (l *eKUCrit) Execute(c *x509.Certificate) *lint.LintResult {
+ if e := util.GetExtFromCert(c, util.EkuSynOid); e.Critical {
+ return &lint.LintResult{Status: lint.Error}
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go
index 838c6eedb..7e7b2d198 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go index e65f71552..875690c9d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go index 90d2dcf0f..d2ab41470 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go index 57d048375..f299c4b74 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go index ace3eb211..e883544a8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go index 70f2c4e82..17cecfac2 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go index a54cff296..693ac5f91 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go index ad9e44edd..1206b1fbd 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go index 62da4b795..1e181c1f6 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go index 8a070caf0..daa6e0478 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go new file mode 100644 index 000000000..73d0d24c5 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go 
@@ -0,0 +1,70 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type subjectKeyIdNotRecommendedSubscriber struct{} + +/********************************************************************** +RFC5280 suggested the addition of SKI extension, but CABF BR SC62 +marked the extension as NOT RECOMMENDED for subscriber certificates + +Warning: +Users of zlint will trigger either +`w_ext_subject_key_identifier_not_recommended_subscriber` (this lint) +or `w_ext_subject_key_identifier_missing_sub_cert` the one enforcing +RFC5280's behavior. + +Users are expected to specifically ignore one or the other lint +depending on which one apply to them. 
+ +See: + - https://github.com/zmap/zlint/issues/749 + - https://github.com/zmap/zlint/issues/762 +**********************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_ext_subject_key_identifier_not_recommended_subscriber", + Description: "Subscriber certificates use of Subject Key Identifier is NOT RECOMMENDED", + Citation: "BRs v2: 7.1.2.7.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewSubjectKeyIdNotRecommendedSubscriber, + }) +} + +func NewSubjectKeyIdNotRecommendedSubscriber() lint.LintInterface { + return &subjectKeyIdNotRecommendedSubscriber{} +} + +func (l *subjectKeyIdNotRecommendedSubscriber) CheckApplies(cert *x509.Certificate) bool { + return util.IsSubscriberCert(cert) +} + +func (l *subjectKeyIdNotRecommendedSubscriber) Execute(cert *x509.Certificate) *lint.LintResult { + if util.IsExtInCert(cert, util.SubjectKeyIdentityOID) { + return &lint.LintResult{Status: lint.Warn} + } else { + return &lint.LintResult{Status: lint.Pass} + } +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go index f288831b9..c4b5db833 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go index 824ceed4a..95feb2b81 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go index aeaf8a55d..b6bcd92a8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go new file mode 100644 index 000000000..b4710e205 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go 
@@ -0,0 +1,145 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "crypto/x509/pkix"
+ "encoding/asn1"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_invalid_subject_rdn_order",
+ Description: "Subject field attributes (RDNs) SHALL be encoded in a specific order",
+ Citation: "BRs: 7.1.4.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewInvalidSubjectRDNOrder,
+ })
+}
+
+type invalidSubjectRDNOrder struct{}
+
+func NewInvalidSubjectRDNOrder() lint.LintInterface {
+ return &invalidSubjectRDNOrder{}
+}
+
+func (l *invalidSubjectRDNOrder) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func getShortOIDName(oid string) string {
+ switch oid {
+ case "0.9.2342.19200300.100.1.25":
+ return "DC"
+ case "2.5.4.6":
+ return "C"
+ case "2.5.4.8":
+ return "ST"
+ case "2.5.4.7":
+ return "L"
+ case "2.5.4.17":
+ return "postalCode"
+ case "2.5.4.9":
+ return "street"
+ case "2.5.4.10":
+ return "O"
+ case "2.5.4.4":
+ return "SN"
+ case "2.5.4.42":
+ return "givenName"
+ case "2.5.4.11":
+ return "OU"
+ case "2.5.4.3":
+ return "CN"
+ default:
+ return ""
+ }
+}
+
+func findElement(arr []string, target string) (int, bool) {
+ for i, value := range arr {
+ if value == target {
+ return i, true
+ }
+ }
+ return -1, false
+}
+
+func checkOrder(actualOrder []string, expectedOrder []string) bool {
+ var prevPosition int
+ prevPosition = 0
+
+ for _, targetElement := range actualOrder {
+ position, found := findElement(expectedOrder, targetElement)
+ if found {
+ if position < prevPosition {
+ return false
+ }
+ prevPosition = position
+ }
+ }
+ return true
+}
+
+func checkSubjectRDNOrder(cert *x509.Certificate) bool {
+
+ rawSubject := cert.RawSubject
+
+ var rdnSequence pkix.RDNSequence
+ _, err := asn1.Unmarshal(rawSubject, &rdnSequence)
+ if err != nil {
+ return false
+ }
+
+ var rdnOrder []string
+
+ for _, rdn := range rdnSequence {
+ for _, atv := range rdn {
+ rdnShortName := getShortOIDName(atv.Type.String())
+ if rdnShortName != "" {
+ rdnOrder = append(rdnOrder, rdnShortName)
+ }
+ }
+ }
+
+ // Expected order of RDNs as per CABF BR section 7.1.4.2
+ expectedRDNOrder := []string{"DC", "C", "ST", "L", "postalCode", "street", "O", "SN", "givenName", "OU", "CN"}
+
+ return checkOrder(rdnOrder, expectedRDNOrder)
+}
+
+func (l *invalidSubjectRDNOrder) Execute(c *x509.Certificate) *lint.LintResult {
+
+ var out lint.LintResult
+
+ if checkSubjectRDNOrder(c) {
+ out.Status = lint.Pass
+ } else {
+ out.Status = lint.Error
+ }
+ return &out
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go
index 8ce71e649..47790642a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
index 2539f590b..ecc0d8cba 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go
index a1637a5f7..e16c9a06c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go
index 8cd670ddf..527d8e3b4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go
index d27c4c0ad..03af21782 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go
index 62a666dc6..bf8b1e094 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go
index 29e4585ac..56177b66b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go
index 6263e6cc6..21c6076c3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go
index 7fce2e798..24096b46f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go
index e00bec696..cf9da0bb4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go
index 91a1692c3..aff346cbf 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go
index 14ba991af..4be1f786f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go
index 3768d0801..f7009eb2b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go
index 65ec01fcd..463720b81 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go
index 1c983ba6b..81c0961d5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go
index 66745bdb9..e2eb036a0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go
index e18e9baa3..0ab938329 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go
index e95f173b3..69a193944 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go
index 19aab90e8..af71f1d23 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go
index 41c33f156..351cbb67d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go
index 7455bfa6f..0751e9b8d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go
index 0376d4dcf..fcbf64afd 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go
index 87c82c686..e80c303af 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
index d10c2efde..c65bced54 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go
index 1dec74e97..249ef4b2e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go
index 9bf3bac2b..858ed64b1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go
index 68742d27b..8a4e8ebb2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
index 7d0cf98cb..8401a6833 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go
index 332745ea9..65f266c37 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go
index 6e94546b6..4dda8d6b0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go
index 5b03cce46..7d80cc5b0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go
index b641ac719..444023ac3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go
index d4f72bf21..999458fa8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go
index 9b1623458..bbdebdc70 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go
index 049c22edb..837f925d9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -15,6 +15,7 @@ package cabf_br
 */
 
 import (
+ "net"
 "net/url"
 "time"
 
@@ -53,7 +54,7 @@ func NewSubCertAIAInternalName() lint.LintInterface {
 }
 
 func (l *subCertAIAInternalName) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID)
 }
 
 func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
@@ -62,6 +63,11 @@ func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
 if err != nil {
 return &lint.LintResult{Status: lint.Error}
 }
+
+ if net.ParseIP(purl.Host) != nil {
+ continue
+ }
+
 if !util.HasValidTLD(purl.Hostname(), time.Now()) {
 return &lint.LintResult{Status: lint.Warn}
 }
@@ -71,6 +77,11 @@ func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
 if err != nil {
 return &lint.LintResult{Status: lint.Error}
 }
+
+ if net.ParseIP(purl.Host) != nil {
+ continue
+ }
+
 if !util.HasValidTLD(purl.Hostname(), time.Now()) {
 return &lint.LintResult{Status: lint.Warn}
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
index c7d6b8fad..3fa1f12c1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -26,9 +26,11 @@ type subCertIssuerUrl struct{}
 
 /************************************************************************
 BRs: 7.1.2.3
-cRLDistributionPoints
-This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the
-HTTP URL of the CA’s CRL service.
+authorityInformationAccess
+This extension MUST be present. It MUST NOT be marked critical, and it MUST contain
+the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1).
+It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod =
+1.3.6.1.5.5.7.48.2).
 *************************************************************************/
 
 func init() {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go
index 6c3a73559..e97335a94 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -36,11 +36,12 @@ It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMet
 func init() {
 lint.RegisterCertificateLint(&lint.CertificateLint{
 LintMetadata: lint.LintMetadata{
- Name: "e_sub_cert_aia_does_not_contain_ocsp_url",
- Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
+ Name: "e_sub_cert_aia_does_not_contain_ocsp_url",
+ Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ IneffectiveDate: util.CABFBRs_2_0_0_Date,
 },
 Lint: NewSubCertOcspUrl,
 })
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go
index de6eb1550..67fee7305 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go
index 43f813356..894009790 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go
index fc67dfd34..0c76a10b2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go
index 18ad66830..198ec4f66 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go
index 59c1e5c00..33c968117 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go
index d97365c6e..54bfeb4a8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go
index db0ddb057..ffae34b0b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go
index facab3aaf..3cd2333b7 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go
index 763ed5694..eef345c16 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_check.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_check.go
new file mode 100644
index 000000000..c5ef84c39
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_check.go
@@ -0,0 +1,81 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subExtKeyUsageCheck struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_eku_check",
+ Description: "Subscriber certificates MUST have id-kp-serverAuth and MAY have id-kp-clientAuth present in extKeyUsage",
+ Citation: "BRs: 7.1.2.7.10 Subscriber Certificate Extended Key Usage",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewSubExtKeyUsageCheck,
+ })
+}
+
+func NewSubExtKeyUsageCheck() lint.LintInterface {
+ return &subExtKeyUsageCheck{}
+}
+
+func (l *subExtKeyUsageCheck) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.EkuSynOid)
+}
+
+func (l *subExtKeyUsageCheck) Execute(c *x509.Certificate) *lint.LintResult {
+ var hasClientAuthEKU, hasServerAuthEKU bool
+
+ for _, eku := range c.ExtKeyUsage {
+ switch eku {
+ case x509.ExtKeyUsageServerAuth:
+ hasServerAuthEKU = true
+
+ case x509.ExtKeyUsageClientAuth:
+ hasClientAuthEKU = true
+
+ case x509.ExtKeyUsageAny, x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageTimeStamping,
+ x509.ExtKeyUsageOcspSigning, x509.ExtKeyUsageEmailProtection:
+
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("%s MUST NOT be present", util.GetEKUString(eku))}
+ }
+ }
+
+ if !hasServerAuthEKU {
+ return &lint.LintResult{Status: lint.Error, Details: "id-kp-serverAuth MUST be present"}
+ }
+
+ for _, eku := range c.UnknownExtKeyUsage {
+ if eku.Equal(util.PreCertificateSigningCertificateEKU) {
+ return &lint.LintResult{Status: lint.Error, Details: "Precertificate Signing Certificate extKeyUsage MUST NOT be present"}
+ }
+ }
+
+ if (len(c.ExtKeyUsage) > 2 && !hasClientAuthEKU) || len(c.UnknownExtKeyUsage) > 0 {
+ return &lint.LintResult{Status: lint.Warn, Details: "any other value than id-kp-serverAuth and id-kp-clientAuth is NOT RECOMMENDED"}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go
index 8e324a457..c7d1f182c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,11 +34,12 @@ present.
 func init() {
 lint.RegisterCertificateLint(&lint.CertificateLint{
 LintMetadata: lint.LintMetadata{
- Name: "w_sub_cert_eku_extra_values",
- Description: "Subscriber Certificate: extKeyUsage values other than id-kp-serverAuth, id-kp-clientAuth, and id-kp-emailProtection SHOULD NOT be present.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
+ Name: "w_sub_cert_eku_extra_values",
+ Description: "Subscriber Certificate: extKeyUsage values other than id-kp-serverAuth, id-kp-clientAuth, and id-kp-emailProtection SHOULD NOT be present.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ IneffectiveDate: util.CABFBRs_2_0_0_Date,
 },
 Lint: NewSubExtKeyUsageLegalUsage,
 })
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go
index 7efd18e4a..3781ef226 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go
index 050418891..adb67b4d0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,11 +34,12 @@ present.
 func init() {
 lint.RegisterCertificateLint(&lint.CertificateLint{
 LintMetadata: lint.LintMetadata{
- Name: "e_sub_cert_eku_server_auth_client_auth_missing",
- Description: "Subscriber certificates MUST have either id-kp-serverAuth or id-kp-clientAuth or both present in extKeyUsage",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
+ Name: "e_sub_cert_eku_server_auth_client_auth_missing",
+ Description: "Subscriber certificates MUST have either id-kp-serverAuth or id-kp-clientAuth or both present in extKeyUsage",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ IneffectiveDate: util.CABFBRs_2_0_0_Date,
 },
 Lint: NewSubExtKeyUsageClientOrServer,
 })
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go
index b408defe2..dfc2c1933 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go
index 401a83ab2..940c12be2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go
index c3834393c..bc7d912ff 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go
index fa71a4128..c154ef033 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go
index 9e239dd9e..090d8797a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go
index fb46a5a20..c2578e5c5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go
index f0a5f2fe9..37da133d4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go
index 98b843c75..bfc7a29e5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go
index b4acd756e..480804d6a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go
index 0413acacc..2b3e50346 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go
index 931c4a09c..14d33bcbe 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go
index 508ebe18a..831c607b8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go
index 6d508b143..71e9d36b6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go
index 289f99278..7290fbcc3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go
new file mode 100644
index 000000000..c9aebb23a
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go
@@ -0,0 +1,69 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subj_orgunit_in_ca_cert",
+ Description: "The organizationalUnitName MUST NOT be included in Root CA certs or TLS Subordinate CA certs. organizationalUnitName is allowed for cross signed certificates, although not recommended. This lint may be configured to signify that the target is a cross signed certificate.",
+ Citation: "CABF BR §7.1.2.10.2 (CA Certificate Naming)",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewSubjectOrgUnitInCACert,
+ })
+}
+
+type subjectOrgUnitInCACert struct {
+ CrossCert bool `comment:"Set this to true if the certificate to be linted is a cross-certificate"`
+}
+
+func NewSubjectOrgUnitInCACert() lint.LintInterface {
+ return &subjectOrgUnitInCACert{
+ CrossCert: false,
+ }
+}
+
+func (l *subjectOrgUnitInCACert) Configure() interface{} {
+ return l
+}
+
+func (l *subjectOrgUnitInCACert) CheckApplies(c *x509.Certificate) bool {
+ return util.IsCACert(c)
+}
+
+func (l *subjectOrgUnitInCACert) Execute(c *x509.Certificate) *lint.LintResult {
+ if c.Subject.OrganizationalUnit != nil {
+ if !l.CrossCert {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "The OU attribute in the Subject is prohibited in Root and TLS CA certificates",
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go
index 4b2b0fd81..e34635957 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go
index 999ba86ce..6eb502563 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go
index f30852edf..b73b38d58 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go
index 24dc16c44..a394e95ce 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go
index 894d09126..209b46f5b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go
index 15cd0578a..933411021 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go
index f44d1fa8a..ac694a5f0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go
index 590352cae..b1f0fc452 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go
index a9b84ca18..188a11bf1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go index 097f743f3..2ef0a9e5e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go index 62cb64c17..d27a61ad0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_rdns_correct_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_rdns_correct_encoding.go
new file mode 100644
index 000000000..26b286ea8
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_rdns_correct_encoding.go
@@ -0,0 +1,155 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subjectRdnsCorrectEncoding struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_rdns_correct_encoding",
+ Description: "CAs that include attributes in the Certificate subject field that are listed in the Tables 77 and 78 of BR 2.0.0 SHALL follow the specified encoding requirements for the attribute",
+ Citation: "BRs 2.0.0: 7.1.4.2, Table 77 and Table 78",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewSubjectRdnsCorrectEncoding,
+ })
+}
+
+func NewSubjectRdnsCorrectEncoding() lint.LintInterface {
+ return &subjectRdnsCorrectEncoding{}
+}
+
+func (l *subjectRdnsCorrectEncoding) CheckApplies(c *x509.Certificate) bool {
+ return true
+}
+
+func (l *subjectRdnsCorrectEncoding) Execute(c *x509.Certificate) *lint.LintResult {
+ rdnSequence := util.RawRDNSequence{}
+ if rest, err := asn1.Unmarshal(c.RawSubject, &rdnSequence); err != nil || len(rest) > 0 {
+ return &lint.LintResult{Status: lint.Fatal}
+ }
+
+ for _, attrTypeAndValueSet := range rdnSequence {
+ for _, attrTypeAndValue := range attrTypeAndValueSet {
+ 
oid := attrTypeAndValue.Type.String()
+ tag := attrTypeAndValue.Value.Tag
+
+ errors := []string{}
+
+ result := isIA5String("0.9.2342.19200300.100.1.25", oid, tag, "domainComponent")
+ errors = append(errors, result)
+ result = isPrintable("2.5.4.6", oid, tag, "countryName")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.8", oid, tag, "stateOrProvinceName")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.7", oid, tag, "localityName")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.17", oid, tag, "postalCode")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.9", oid, tag, "streetAddress")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.10", oid, tag, "organizationName")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.4", oid, tag, "surname")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.42", oid, tag, "givenName")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.11", oid, tag, "organizationalUnitName")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.3", oid, tag, "commonName")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.15", oid, tag, "businessCategory")
+ errors = append(errors, result)
+ result = isPrintable("1.3.6.1.4.1.311.60.2.1.3", oid, tag, "jurisdictionCountry")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("1.3.6.1.4.1.311.60.2.1.2", oid, tag, "jurisdictionStateOrProvince")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("1.3.6.1.4.1.311.60.2.1.1", oid, tag, "jurisdictionLocality")
+ errors = append(errors, result)
+ result = isPrintable("2.5.4.5", oid, tag, "serialNumber")
+ errors = append(errors, result)
+ result = isPrintableOrUTF8("2.5.4.97", oid, tag, "organizationIdentifier")
+ errors = append(errors, result)
+
+ for _, encodingError := range errors {
+ if encodingError != "" {
+ return 
&lint.LintResult{Status: lint.Error, Details: encodingError}
+ }
+ }
+
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+func isPrintableOrUTF8(referenceOid string, oid string, tag int, attributeName string) string {
+ if referenceOid == oid && tag != 19 && tag != 12 {
+ return fmt.Sprintf("Attribute %s in subjectDN has the wrong encoding %s.", attributeName, getEncodingName(tag))
+ }
+ return ""
+}
+
+func isPrintable(referenceOid string, oid string, tag int, attributeName string) string {
+ if referenceOid == oid && tag != 19 {
+ return fmt.Sprintf("Attribute %s in subjectDN has the wrong encoding %s.", attributeName, getEncodingName(tag))
+ }
+ return ""
+}
+func isIA5String(referenceOid string, oid string, tag int, attributeName string) string {
+ if referenceOid == oid && tag != 22 {
+ return fmt.Sprintf("Attribute %s in subjectDN has the wrong encoding %s.", attributeName, getEncodingName(tag))
+ }
+ return ""
+}
+
+//Tag BMPString: 0x1e = 30
+//Tag UTF8String: 0x0c = 12
+//Tag TeletexString: 0x14 = 20
+//Tag UniversalString: 0x1c = 28
+//Tag PrintableString: 0x13 = 19
+//Tag IA5String: 0x16 = 22
+
+func getEncodingName(tag int) string {
+ if tag == 12 {
+ return "UTF8String"
+ }
+ if tag == 19 {
+ return "PrintableString"
+ }
+ if tag == 20 {
+ return "TeletexString"
+ }
+ if tag == 22 {
+ return "IA5String"
+ }
+ if tag == 28 {
+ return "UniversalString"
+ }
+ if tag == 30 {
+ return "BMPString"
+ }
+ return "Unknown"
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go
index bd861da8a..183d55100 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go
index 269cd07bb..422218b76 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2021 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go
index 71c010ec0..3460cdc3b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2021 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go
index d257039b9..2b1c3db9e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go
new file mode 100644
index 000000000..dfda904f3
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go
@@ -0,0 +1,62 @@
+package cabf_cs_br
+
+import (
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+/*7.1.2.3 b. cRLDistributionPoints
+This extension MUST be present. It MUST NOT be marked critical, and it MUST contain the
+HTTP URL of the CA’s CRL service*/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cs_crl_distribution_points",
+ Description: "This extension MUST be present. It MUST NOT be marked critical. It MUST contain the HTTP URL of the CA's CRL service",
+ Citation: "CABF CS BRs 7.1.2.3.b",
+ Source: lint.CABFCSBaselineRequirements,
+ EffectiveDate: util.CABF_CS_BRs_1_2_Date,
+ },
+ Lint: NewCrlDistributionPoints,
+ })
+}
+
+type crlDistributionPoints struct{}
+
+func NewCrlDistributionPoints() lint.LintInterface {
+ return &crlDistributionPoints{}
+}
+
+func (l *crlDistributionPoints) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) || util.IsSubCA(c)
+}
+
+func (l *crlDistributionPoints) Execute(c *x509.Certificate) *lint.LintResult {
+ cdp := util.GetExtFromCert(c, util.CrlDistOID)
+ if cdp == nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "The cRLDistributionPoints extension MUST be present."}
+ }
+
+ if cdp.Critical {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "The cRLDistributionPoints MUST NOT be marked critical."}
+ }
+
+ // MUST contain the HTTP URL of the CA’s CRL service
+ for _, uri := range c.CRLDistributionPoints {
+ if !strings.HasPrefix(uri, "http://") {
+ return &lint.LintResult{Status: lint.Error, Details: "cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service"}
+ }
+ }
+
+ return &lint.LintResult{
+ Status: lint.Pass,
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_eku_required.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_eku_required.go
new file mode 100644
index 000000000..91ac67011
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_eku_required.go
@@ -0,0 +1,87 @@
+package cabf_cs_br
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+/* 7.1.2.3 Code signing and Timestamp Certificate
+f. extKeyUsage
+If the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present
+and the following EKUs MAY be present:
+ • Lifetime Signing OID (1.3.6.1.4.1.311.10.3.13)
+ • id-kp-emailProtection
+ • Document Signing (1.3.6.1.4.1.311.3.10.3.12)
+
+If the Certificate is a Timestamp Certificate, then id-kp-timeStamping MUST be present
+and MUST be marked critical.
+Additionally, the following EKUs MUST NOT be present:
+ • anyExtendedKeyUsage
+ • id-kp-serverAuth
+
+Other values SHOULD NOT be present. If any other value is present, the CA MUST have a
+business agreement with a Platform vendor requiring that EKU in order to issue a
+Platform‐specific code signing certificate with that EKU.
+*/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cs_eku_required",
+ Description: "If the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present. 
anyExtendedKeyUsage and id-kp-serverAuth MUST NOT be present.",
+ Citation: "CABF CS BRs 7.1.2.3.f",
+ Source: lint.CABFCSBaselineRequirements,
+ EffectiveDate: util.CABF_CS_BRs_1_2_Date,
+ },
+ Lint: NewCsEKURequired,
+ })
+}
+
+type csEKURequired struct{}
+
+func NewCsEKURequired() lint.LintInterface {
+ return &csEKURequired{}
+}
+
+func (l *csEKURequired) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) || util.IsSubCA(c)
+}
+
+func (l *csEKURequired) Execute(c *x509.Certificate) *lint.LintResult {
+ prohibitedEKUs := map[x509.ExtKeyUsage]struct{}{
+ x509.ExtKeyUsageAny: {},
+ x509.ExtKeyUsageServerAuth: {},
+ }
+
+ if util.IsSubCA(c) {
+ prohibitedEKUs[x509.ExtKeyUsageEmailProtection] = struct{}{}
+ }
+
+ hasCodeSigningEKU := false
+
+ for _, eku := range c.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageCodeSigning {
+ hasCodeSigningEKU = true
+ }
+
+ if _, isProhibited := prohibitedEKUs[eku]; isProhibited {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("Code Signing certificate includes prohibited EKU: %v", eku),
+ }
+ }
+ }
+
+ if !hasCodeSigningEKU {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Code Signing certificate missing required Code Signing EKU",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_key_usage_required.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_key_usage_required.go
new file mode 100644
index 000000000..686b4405b
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_key_usage_required.go
@@ -0,0 +1,79 @@
+package cabf_cs_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+/* 7.1.2.3 Code signing and Timestamp Certificate
+e. keyUsage
+This extension MUST be present and MUST be marked critical.
+The bit position for digitalSignature MUST be set. Bit positions for keyCertSign and
+cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.
+*/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cs_key_usage_required",
+ Description: "This extension MUST be present and MUST be marked critical. The bit position for digitalSignature MUST be set. The bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.",
+ Citation: "CABF CS BRs 7.1.2.3e",
+ Source: lint.CABFCSBaselineRequirements,
+ EffectiveDate: util.CABF_CS_BRs_1_2_Date,
+ },
+ Lint: NewCsKeyUsageRequired,
+ })
+}
+
+type csKeyUsageRequired struct{}
+
+func NewCsKeyUsageRequired() lint.LintInterface {
+ return &csKeyUsageRequired{}
+}
+
+func (l *csKeyUsageRequired) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func (l *csKeyUsageRequired) Execute(c *x509.Certificate) *lint.LintResult {
+ ku := util.GetExtFromCert(c, util.KeyUsageOID)
+ if ku == nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Key usage extension MUST be present.",
+ }
+ }
+
+ if !ku.Critical {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Key usage extension MUST be marked critical",
+ }
+ }
+
+ if (c.KeyUsage & x509.KeyUsageDigitalSignature) == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Code Signing certificate must have digitalSignature key usage",
+ }
+ }
+
+ // keyCertSign and cRLSign bits MUST NOT be set.
+ if (c.KeyUsage & (x509.KeyUsageCertSign | x509.KeyUsageCRLSign)) != 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "keyCertSign and cRLSign key usages MUST NOT be set",
+ }
+ }
+
+ // All other bit positions SHOULD NOT be set.
+ if c.KeyUsage & ^x509.KeyUsageDigitalSignature != 0 {
+ return &lint.LintResult{
+ Status: lint.Warn,
+ Details: "Only digitalSignature key usage is recommended. Other key usages SHOULD NOT be set."}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go
new file mode 100644
index 000000000..493e3793d
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go
@@ -0,0 +1,58 @@
+package cabf_cs_br
+
+import (
+ "crypto/rsa"
+
+ "github.com/zmap/zcrypto/x509"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+/*6.1.5.2 Code signing Certificate and Timestamp Authority key sizes
+For Keys corresponding to Subscriber code signing and Timestamp Authority Certificates:
+• If the Key is RSA, then the modulus MUST be at least 3072 bits in length.
+• If the Key is ECDSA, then the curve MUST be one of NIST P‐256, P‐384, or P‐521.
+• If the Key is DSA, then one of the following key parameter options MUST be used:
+• Key length (L) of 2048 bits and modulus length (N) of 224 bits
+• Key length (L) of 2048 bits and modulus length (N) of 256 bits*/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cs_rsa_key_size",
+ Description: "If the Key is RSA, then the modulus MUST be at least 3072 bits in length",
+ Citation: "CABF CS BRs 6.1.5.2",
+ Source: lint.CABFCSBaselineRequirements,
+ EffectiveDate: util.CABF_CS_BRs_1_2_Date,
+ },
+ Lint: NewCsRsaKeySize,
+ })
+}
+
+type csRsaKeySize struct{}
+
+func NewCsRsaKeySize() lint.CertificateLintInterface {
+ return &csRsaKeySize{}
+}
+
+func (l *csRsaKeySize) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func (l *csRsaKeySize) Execute(c *x509.Certificate) *lint.LintResult {
+ rsaKey, ok := c.PublicKey.(*rsa.PublicKey)
+ if !ok {
+ return &lint.LintResult{Status: lint.NA}
+ }
+
+ // If the Key is RSA, then the modulus MUST be at least 3072 bits in length.
+ if rsaKey.N.BitLen() < 3072 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Code Signing RSA key modulus MUST be at least 3072 bits in length.",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_cabf_org_identifier_psd_vat_has_state.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_cabf_org_identifier_psd_vat_has_state.go
new file mode 100644
index 000000000..1830f14ff
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_cabf_org_identifier_psd_vat_has_state.go
@@ -0,0 +1,57 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cabf_org_identifier_psd_vat_has_state",
+ Description: "The cabfOrganizationIdentifier field for PSD org VAT Registration Schemes cannot include the referenceStateOrProvince field.",
+ Citation: "9.2.8",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.SC17EffectiveDate,
+ },
+ Lint: NewCabfOrgIdentifierPsdVatHasState,
+ })
+}
+
+type CabfOrgIdentifierPsdVatHasState struct{}
+
+func NewCabfOrgIdentifierPsdVatHasState() lint.LintInterface {
+ return &CabfOrgIdentifierPsdVatHasState{}
+}
+
+func (l *CabfOrgIdentifierPsdVatHasState) CheckApplies(c *x509.Certificate) bool {
+ for _, ext := range c.Extensions {
+ if ext.Id.Equal(util.CabfExtensionOrganizationIdentifier) && (c.CABFOrganizationIdentifier.Scheme == "PSD" || c.CABFOrganizationIdentifier.Scheme == "VAT") {
+ return true
+ }
+ }
+ return false
+}
+
+func (l *CabfOrgIdentifierPsdVatHasState) Execute(c *x509.Certificate) *lint.LintResult {
+ if c.CABFOrganizationIdentifier.State == "" {
+ return &lint.LintResult{Status: lint.Pass}
+ } else {
+ return &lint.LintResult{Status: lint.Error}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go
index 5eadf688c..445ccff3c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go
@@ -1,7 +1,7 @@
 package cabf_ev
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go
index 94ac320a1..80eadfd4f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go
@@ -1,7 +1,7 @@
 package cabf_ev
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_invalid_business_category.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_invalid_business_category.go
new file mode 100644
index 000000000..9e57c207d
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_invalid_business_category.go
@@ -0,0 +1,69 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_ev
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ev_invalid_business_category",
+ Description: "Checks that businessCategory contains a valid value as per EV Guidelines 7.1.4.2.3",
+ Citation: "EVGs 7.1.4.2.3",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewInvalidBusinessCategory,
+ })
+}
+
+type invalidBusinessCategory struct{}
+
+func NewInvalidBusinessCategory() lint.LintInterface {
+ return &invalidBusinessCategory{}
+}
+
+func (l *invalidBusinessCategory) CheckApplies(c *x509.Certificate) bool {
+ return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
+}
+
+func (l *invalidBusinessCategory) Execute(c *x509.Certificate) *lint.LintResult {
+
+ for _, v := range c.Subject.Names {
+ if util.BusinessOID.Equal(v.Type) {
+ businessCategory := v.Value
+ if (businessCategory == "Private Organization") ||
+ (businessCategory == "Government Entity") ||
+ (businessCategory == "Business Entity") ||
+ (businessCategory == "Non-Commercial Entity") {
+ return &lint.LintResult{Status: lint.Pass}
+ } else {
+ 
return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ }
+
+ // businessCategory missing: that's an error, but is not this lint's business
+ return &lint.LintResult{Status: lint.NA}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go
index ce982fb61..f0ed4bcc5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go
index c10274e77..695b909c6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go
index d4c202f28..8250c3c2c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go
@@ -1,7 +1,7 @@
 package cabf_ev
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go
new file mode 100644
index 000000000..d22312eab
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go
@@ -0,0 +1,143 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_ev
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "regexp"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ev_orgid_inconsistent_subj_and_ext",
+ Description: "Checks that the organizationIdentifier Subject attribute and the CABFOrganizationIdentifier extension are consistent",
+ Citation: "EVGs 9.2.8 and 9.8.2",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.CABFEV_Sec9_2_8_Date,
+ },
+ Lint: NewOrgIdInconsistentSubjAndExt,
+ })
+}
+
+// According to EVGs 9.2.8
+type OrganizationIdentifier struct {
+ ParseAsPSD bool
+ Scheme string
+ Country string
+ State string
+ Reference string
+}
+
+func (o OrganizationIdentifier) Parse(orgId string) (OrganizationIdentifier, error) {
+ re := o.regexForOrgID()
+ if !re.MatchString(orgId) {
+ return o, fmt.Errorf("Cannot parse organizationIdentifier ('%s'): it is probably invalid", orgId)
+ }
+ names := re.SubexpNames()
+ match := re.FindStringSubmatch(orgId)
+ // Initialize a map to hold group names and values
+ result := make(map[string]string)
+ // Populate the map
+ for i, name := range names {
+ if i != 0 && name != "" { // Skip 
the whole match and unnamed groups
+ result[name] = match[i]
+ }
+ }
+ o.Scheme = result["scheme"]
+ o.Country = result["country"]
+ o.State = result["state"]
+ o.Reference = result["reference"]
+ return o, nil
+}
+
+func (o OrganizationIdentifier) regexForOrgID() *regexp.Regexp {
+ // This is according to the EVG (stricter than ETSI EN 319 412-1)
+ const OrgIdPattern = `^(?P[A-Z]{3})(?P[A-Z]{2})(?:\+(?P[A-Z]{2}))?\-(?P.+)$`
+ const PsdOrgIdPattern = `^(?P[A-Z]{3})(?P[A-Z]{2})(?:\+(?P[A-Z]{2}))?\-(?P[A-Z]*)\-(?P.+)$`
+ var pattern string
+ if o.ParseAsPSD {
+ pattern = PsdOrgIdPattern
+ } else {
+ pattern = OrgIdPattern
+ }
+ return regexp.MustCompile(pattern)
+}
+
+type orgIdInconsistentSubjAndExt struct{}
+
+func NewOrgIdInconsistentSubjAndExt() lint.LintInterface {
+ return &orgIdInconsistentSubjAndExt{}
+}
+
+func (l *orgIdInconsistentSubjAndExt) CheckApplies(c *x509.Certificate) bool {
+ // It is actually mandatory that, if orgId is present, cabfOrgId be present as well,
+ // however this is already checked by another lint
+ return util.IsEV(c.PolicyIdentifiers) && (len(c.Subject.OrganizationIDs) > 0) &&
+ util.IsExtInCert(c, util.CabfExtensionOrganizationIdentifier)
+}
+
+func (l *orgIdInconsistentSubjAndExt) Execute(c *x509.Certificate) *lint.LintResult {
+ // It should be safe to assume there is only one element in OrganizationIDs
+ orgId, err := OrganizationIdentifier{ParseAsPSD: false}.Parse(c.Subject.OrganizationIDs[0])
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "the organizationIdentifier Subject attribute probably has an invalid value"}
+ }
+
+ if (c.CABFOrganizationIdentifier.Scheme != orgId.Scheme) ||
+ (c.CABFOrganizationIdentifier.Country != orgId.Country) ||
+ (c.CABFOrganizationIdentifier.State != orgId.State) ||
+ (c.CABFOrganizationIdentifier.Reference != orgId.Reference) {
+
+ if orgId.Scheme != "PSD" {
+
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "CABFOrganizationIdentifier is NOT consistent 
with organizationIdentifier"}
+ }
+
+ psdOrgId, err := OrganizationIdentifier{ParseAsPSD: true}.Parse(c.Subject.OrganizationIDs[0])
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "the organizationIdentifier Subject attribute probably has an invalid value"}
+ }
+
+ if (c.CABFOrganizationIdentifier.Scheme != psdOrgId.Scheme) ||
+ (c.CABFOrganizationIdentifier.Country != psdOrgId.Country) ||
+ (c.CABFOrganizationIdentifier.State != psdOrgId.State) ||
+ (c.CABFOrganizationIdentifier.Reference != psdOrgId.Reference) {
+
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "CABFOrganizationIdentifier is NOT consistent with organizationIdentifier"}
+ }
+
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go
index 3123bce5f..cb5d41c45 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go
index f65114edb..aff09c831 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go
@@ -1,7 +1,7 @@
 package cabf_ev
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go
index a66203177..ab8be5f8a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go
@@ -1,7 +1,7 @@
 package cabf_ev
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go
index 2a7a74c10..699565071 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go
index bbcc56f51..e37074d3a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go
index 85b45c239..73603ea91 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go
index 987871fe9..f22551fd4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go
@@ -1,7 +1,7 @@
 package cabf_smime_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_authority_key_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_authority_key_identifier.go
new file mode 100644
index 000000000..a8c3835b5
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_authority_key_identifier.go
@@ -0,0 +1,85 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type keyIdentifier struct {
+ KeyIdentifier asn1.RawValue `asn1:"optional,tag:0"`
+ AuthorityCertIssuer asn1.RawValue `asn1:"optional,tag:1"`
+ AuthorityCertSerialNumber asn1.RawValue `asn1:"optional,tag:2"`
+}
+
+type authorityKeyIdentifierCorrect struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_authority_key_identifier_correct",
+ Description: "authorityKeyIdentifier SHALL be present. This extension SHALL NOT be marked critical. The keyIdentifier field SHALL be present. authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present.",
+ Citation: "7.1.2.3.g",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewAuthorityKeyIdentifierCorrect,
+ })
+}
+
+func NewAuthorityKeyIdentifierCorrect() lint.LintInterface {
+ return &authorityKeyIdentifierCorrect{}
+}
+
+func (l *authorityKeyIdentifierCorrect) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *authorityKeyIdentifierCorrect) Execute(c *x509.Certificate) *lint.LintResult {
+ ext := util.GetExtFromCert(c, util.AuthkeyOID)
+ if ext == nil {
+ return &lint.LintResult{Status: lint.Error, Details: "missing authorityKeyIdentifier"}
+ }
+ if ext.Critical {
+ return &lint.LintResult{Status: lint.Error, Details: "authorityKeyIdentifier is critical"}
+ }
+
+ var keyID keyIdentifier
+ if _, err := asn1.Unmarshal(ext.Value, &keyID); err != nil {
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: fmt.Sprintf("error unmarshalling authority key identifier extension: %v", err),
+ }
+ }
+
+ hasKeyID := len(keyID.KeyIdentifier.Bytes) > 0
+ hasCertIssuer := len(keyID.AuthorityCertIssuer.Bytes) > 0
+ hasCertSerial := len(keyID.AuthorityCertSerialNumber.Bytes) > 0
+ if !hasKeyID {
+ return &lint.LintResult{Status: lint.Error, Details: "keyIdentifier not present"}
+ }
+ if hasCertIssuer {
+ return &lint.LintResult{Status: lint.Error, Details: "authorityCertIssuer is present"}
+ }
+ if hasCertSerial {
+ return &lint.LintResult{Status: lint.Error, Details: "authorityCertSerialNumber is present"}
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go
new file mode 100644
index 000000000..b68a66d63
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go 
@@ -0,0 +1,58 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_commonname_mailbox_validated",
+ Description: "If present, the commonName attribute of a mailbox-validated certificate SHALL contain a mailbox address",
+ Citation: "S/MIME BRs: 7.1.4.2.2a",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewCommonNameMailboxValidated,
+ })
+}
+
+type commonNameMailboxValidated struct{}
+
+func NewCommonNameMailboxValidated() lint.LintInterface {
+ return &commonNameMailboxValidated{}
+}
+
+func (l *commonNameMailboxValidated) CheckApplies(c *x509.Certificate) bool {
+ return util.IsMailboxValidatedCertificate(c) && util.IsSubscriberCert(c)
+}
+
+func (l *commonNameMailboxValidated) Execute(c *x509.Certificate) *lint.LintResult {
+ var commonNames []string
+ if c.Subject.CommonName != "" {
+ commonNames = append(commonNames, c.Subject.CommonName)
+ }
+ commonNames = append(commonNames, c.Subject.CommonNames...)
+ for _, cn := range commonNames {
+ if !util.IsMailboxAddress(cn) {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go
index bfe8e45d0..664b4fc36 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go
index 79efb32ce..659288ac7 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go
index cd277034c..d89c18d7a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go
index 49552916b..5e1fb0bb1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go
index da996722d..994b5ee07 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go
index cb741ae1c..8aa198fd2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go
@@ -1,7 +1,7 @@
 package cabf_smime_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legal_entity_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legal_entity_identifier.go
new file mode 100644
index 000000000..0cd6b6bbe
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legal_entity_identifier.go
@@ -0,0 +1,83 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_legal_entity_identifier",
+ Description: "Mailbox/individual: prohibited. Organization/sponsor: may be present",
+ Citation: "7.1.2.3.l",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewLegalEntityIdentifier,
+ })
+}
+
+type legalEntityIdentifier struct{}
+
+func NewLegalEntityIdentifier() lint.LintInterface {
+ return &legalEntityIdentifier{}
+}
+
+func (l *legalEntityIdentifier) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *legalEntityIdentifier) Execute(c *x509.Certificate) *lint.LintResult {
+ leiPresent := util.IsExtInCert(c, util.LegalEntityIdentifierOID)
+ leiExt := util.GetExtFromCert(c, util.LegalEntityIdentifierOID)
+ leiRolePresent := util.IsExtInCert(c, util.LegalEntityIdentifierRoleOID)
+ leiRoleExt := util.GetExtFromCert(c, util.LegalEntityIdentifierRoleOID)
+
+ switch {
+ case util.IsMailboxValidatedCertificate(c), util.IsIndividualValidatedCertificate(c):
+ if leiPresent {
+ // Mailbox-validated and Individual-validated prohibited.
+ return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present"}
+ }
+ case util.IsOrganizationValidatedCertificate(c):
+ if leiPresent && leiExt.Critical {
+ // LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical.
+ return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present and critical"}
+ }
+ if leiRolePresent {
+ // This is affirming the negative. Sponsor validated certificates MAY have an LEI Role, so
+ // it is being taken here that not explicitly as such for organization validated certificates
+ // implies that they are not allowed.
+ return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier Role extension present"}
+ }
+ case util.IsSponsorValidatedCertificate(c):
+ if leiPresent && leiExt.Critical {
+ // LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical.
+ return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present and critical"}
+ }
+ if leiRolePresent && leiRoleExt.Critical {
+ // LEI Role (1.3.6.1.4.1.52266.2) MAY be present and SHALL NOT be marked critical.
+ return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier Role extension present and critical"}
+ }
+ default:
+ return &lint.LintResult{Status: lint.Error, Details: "Unknown validation type"}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_qc_statements_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_qc_statements_not_critical.go
new file mode 100644
index 000000000..da37a90be
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_qc_statements_not_critical.go
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_smime_qc_statements_must_not_be_critical",
+ Description: "This extension MAY be present and SHALL NOT be marked critical.",
+ Citation: "7.1.2.3.k",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewQCStatementNotCritical,
+ })
+}
+
+type qcStatementNotCritical struct{}
+
+func NewQCStatementNotCritical() lint.LintInterface {
+ return &qcStatementNotCritical{}
+}
+
+func (l *qcStatementNotCritical) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.QcStateOid) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *qcStatementNotCritical) Execute(c *x509.Certificate) *lint.LintResult {
+ san := util.GetExtFromCert(c, util.QcStateOid)
+ if san.Critical {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "qc statements extension is marked critical",
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
index 2d421c785..b5a2d24d3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go
index cf17470a1..eb318106a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go
index 8815b5b9f..b61de15ee 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go
index 8182cc533..b16d86780 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
index bbd5aa91b..60b2d5e3d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go
index 6d8a00964..a963d2675 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go
index 82b6b5c70..d9731d559 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -16,22 +16,40 @@ package cabf_smime_br
 
 import (
 "fmt"
+ "net/mail"
 
 "github.com/zmap/zcrypto/x509"
 "github.com/zmap/zlint/v3/lint"
 "github.com/zmap/zlint/v3/util"
 )
 
+/*************************************************************************
+7.1.4.2.1 Subject alternative name extension
+
+All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be
+repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this
+extension.
+
+7.1.4.2.2 Subject distinguished name fields
+
+h. Certificate Field: subject:emailAddress (1.2.840.113549.1.9.1) Contents: If present, the
+subject:emailAddress SHALL contain a single Mailbox Address as verified under
+Section 3.2.2.
+
+Combining these requirements, this lint checks for malformed email addresses in SAN entries
+covering the case of a non-single Mailbox Address.
+*************************************************************************/
+
 func init() {
 lint.RegisterCertificateLint(&lint.CertificateLint{
 LintMetadata: lint.LintMetadata{
 Name: "e_single_email_if_present",
- Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address",
- Citation: "7.1.4.2.h",
+ Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address. All Mailbox Addresses in the subject field SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in SAN extension.",
+ Citation: "7.1.4.2.1 and 7.1.4.2.2.h",
 Source: lint.CABFSMIMEBaselineRequirements,
 EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
 },
- Lint: func() lint.LintInterface { return &singleEmailIfPresent{} },
+ Lint: NewSingleEmailIfPresent,
 })
 }
 
@@ -42,19 +60,18 @@ func NewSingleEmailIfPresent() lint.LintInterface {
 }
 
 func (l *singleEmailIfPresent) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && c.EmailAddresses != nil && len(c.EmailAddresses) != 0 && util.IsSMIMEBRCertificate(c)
+ addresses := c.EmailAddresses
+ return util.IsSubscriberCert(c) && addresses != nil && len(addresses) != 0 && util.IsSMIMEBRCertificate(c)
 }
 
 func (l *singleEmailIfPresent) Execute(c *x509.Certificate) *lint.LintResult {
- if len(c.EmailAddresses) == 1 {
- return &lint.LintResult{
- Status: lint.Pass,
- }
- } else {
- return &lint.LintResult{
- Status: lint.Error,
- Details: fmt.Sprintf("subject:emailAddress was present and contained %d names (%s)", len(c.EmailAddresses), c.EmailAddresses),
- LintMetadata: lint.LintMetadata{},
+ for _, email := range c.EmailAddresses {
+ if _, err := mail.ParseAddress(email); err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("san:emailAddress was present and contained an invalid email address (%s)", email),
+ }
 }
 }
+ return &lint.LintResult{Status: lint.Pass}
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_subject_if_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_subject_if_present.go
new file mode 100644
index 000000000..1958a95d5
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_subject_if_present.go
@@ -0,0 +1,60 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "fmt"
+ "net/mail"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_single_email_subject_if_present",
+ Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address",
+ Citation: "7.1.4.2.2.h",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSingleEmailSubjectIfPresent,
+ })
+}
+
+type singleEmailSubjectIfPresent struct{}
+
+func NewSingleEmailSubjectIfPresent() lint.LintInterface {
+ return &singleEmailSubjectIfPresent{}
+}
+
+func (l *singleEmailSubjectIfPresent) CheckApplies(c *x509.Certificate) bool {
+ emailAddress := c.Subject.EmailAddress
+ return util.IsSubscriberCert(c) && emailAddress != nil && len(emailAddress) != 0 && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *singleEmailSubjectIfPresent) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, email := range c.Subject.EmailAddress {
+ if _, err := mail.ParseAddress(email); err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("subject:emailAddress was present and contained an invalid email address (%s)", email),
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go
index e47da6a31..61bd8666a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go
@@ -1,7 +1,7 @@
 package cabf_smime_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_country_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_country_name.go
new file mode 100644
index 000000000..07a7dfd02
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_country_name.go
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_country_name",
+ Description: "If present, the subject:countryName SHALL contain the two‐letter ISO 3166‐1 country code associated with the location of the Subject",
+ Citation: "S/MIME BRs: 7.1.4.2.2n",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubjectCountryName,
+ })
+}
+
+type subjectCountryName struct{}
+
+func NewSubjectCountryName() lint.LintInterface {
+ return &subjectCountryName{}
+}
+
+func (l *subjectCountryName) CheckApplies(c *x509.Certificate) bool {
+ return util.IsMailboxValidatedCertificate(c)
+}
+
+func (l *subjectCountryName) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, cc := range c.Subject.Country {
+ if !util.IsISOCountryCode(cc) && strings.ToUpper(cc) != "XX" {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_dir_attr.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_dir_attr.go
new file mode 100644
index 000000000..13215469b
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_dir_attr.go
@@ -0,0 +1,52 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subDirAttr struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_strict_multipurpose_smime_ext_subject_directory_attr",
+ Description: "SMIME Strict and Multipurpose certificates cannot have Subject Directory Attributes",
+ Citation: "BRs: 7.1.2.3j",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubDirAttr,
+ })
+}
+
+func NewSubDirAttr() lint.LintInterface {
+ return &subDirAttr{}
+}
+
+func (l *subDirAttr) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && (util.IsStrictSMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c))
+}
+
+func (l *subDirAttr) Execute(c *x509.Certificate) *lint.LintResult {
+ if util.IsExtInCert(c, util.SubjectDirAttrOID) {
+ return &lint.LintResult{Status: lint.Error}
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go
new file mode 100644
index 000000000..3333e36ba
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go
@@ -0,0 +1,77 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "net/url"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subscribers_crl_distribution_points_are_http",
+ Description: "cRLDistributionPoints SHALL have URI scheme HTTP.",
+ Citation: "7.1.2.3.b",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubscriberCrlDistributionPointsHTTP,
+ })
+}
+
+type subscriberCrlDistributionPointsHTTP struct{}
+
+func NewSubscriberCrlDistributionPointsHTTP() lint.LintInterface {
+ return &subscriberCrlDistributionPointsHTTP{}
+}
+
+func (l *subscriberCrlDistributionPointsHTTP) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+ httpCount := 0
+ for _, dp := range c.CRLDistributionPoints {
+ parsed, err := url.Parse(dp)
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains invalid CRL distribution point",
+ }
+ }
+ if parsed.Scheme == "http" {
+ httpCount++
+ }
+ }
+
+ if (util.IsMultipurposeSMIMECertificate(c) || 
 util.IsStrictSMIMECertificate(c)) && httpCount != len(c.CRLDistributionPoints) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains invalid URI scheme in CRL distribution point",
+ }
+ }
+ if util.IsLegacySMIMECertificate(c) && httpCount == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains no HTTP URI schemes as CRL distribution points",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
index 67e7dedcf..2fe604360 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
@@ -1,5 +1,5 @@ /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
* * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_address_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_address_from_san.go
new file mode 100644
index 000000000..139b051d6
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_address_from_san.go
@@ -0,0 +1,124 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zcrypto/x509/pkix"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// MailboxAddressFromSAN - linter to enforce MAY/SHALL NOT requirements for SMIME certificates
+type MailboxAddressFromSAN struct {
+}
+
+func init() {
+ lint.RegisterLint(&lint.Lint{
+ Name: "e_mailbox_address_shall_contain_an_rfc822_name",
+ Description: "All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extension",
+ Citation: "SMIME BRs: 7.1.4.2.1",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ Lint: NewMailboxAddressFromSAN,
+ })
+}
+
+// NewMailboxAddressFromSAN creates a new linter to enforce the requirement that all Mailbox Addresses in SMIME BR certificates must be copied from the SAN
+func NewMailboxAddressFromSAN() lint.LintInterface {
+ return &MailboxAddressFromSAN{}
+}
+
+// CheckApplies is returns true if the certificate's policies assert that it conforms to the SMIME BRs
+func (l *MailboxAddressFromSAN) CheckApplies(c *x509.Certificate) bool {
+
+ if !(util.IsSMIMEBRCertificate(c) && util.IsSubscriberCert(c)) {
+ 
 return false
+ }
+
+ toFindMailboxAddresses := getMailboxAddressesFromDistinguishedName(c.Subject, util.IsMailboxValidatedCertificate(c))
+
+ for _, dirName := range c.DirectoryNames {
+ toFindMailboxAddresses = append(toFindMailboxAddresses, getMailboxAddressesFromDistinguishedName(dirName, false)...)
+ }
+
+ return len(toFindMailboxAddresses) > 0
+
+}
+
+// Execute checks all the places where Mailbox Addresses may be found in an SMIME certificate and confirms that they are present in the SAN rfc822Name or SAN otherName
+func (l *MailboxAddressFromSAN) Execute(c *x509.Certificate) *lint.LintResult {
+ lintErr := &lint.LintResult{
+ Status: lint.Error,
+ Details: "all certificate mailbox addresses must be present in san:emailAddresses or san:otherNames in addition to any other field they may appear",
+ }
+
+ // build list of Mailbox addresses from subject:commonName, subject:emailAddress, dirName
+
+ toFindMailboxAddresses := getMailboxAddressesFromDistinguishedName(c.Subject, util.IsMailboxValidatedCertificate(c))
+
+ for _, dirName := range c.DirectoryNames {
+ toFindMailboxAddresses = append(toFindMailboxAddresses, getMailboxAddressesFromDistinguishedName(dirName, false)...)
+ }
+
+ sanNames := map[string]bool{}
+ for _, rfc822Name := range c.EmailAddresses {
+ sanNames[rfc822Name] = true
+ }
+
+ for _, otherName := range c.OtherNames {
+ if otherName.TypeID.Equal(util.OidIdOnSmtpUtf8Mailbox) {
+ // The otherName needs to be specially unmarshalled since it is
+ // stored as a UTF-8 string rather than what the asn1 package
+ // describes as a PrintableString. 
+ var otherNameValue string
+ rest, err := asn1.UnmarshalWithParams(otherName.Value.Bytes, &otherNameValue, "utf8")
+ if len(rest) > 0 || err != nil {
+ return lintErr
+ }
+
+ sanNames[otherNameValue] = true
+ }
+ }
+
+ for _, mailboxAddress := range toFindMailboxAddresses {
+ if _, found := sanNames[mailboxAddress]; !found {
+ return lintErr
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+func getMailboxAddressesFromDistinguishedName(name pkix.Name, includeCN bool) []string {
+ mailboxAddresses := []string{}
+
+ if includeCN {
+ for _, commonName := range name.CommonNames {
+ if util.IsMailboxAddress(commonName) {
+ mailboxAddresses = append(mailboxAddresses, commonName)
+ }
+ }
+ }
+
+ for _, emailAddress := range name.EmailAddress {
+ if util.IsMailboxAddress(emailAddress) {
+ mailboxAddresses = append(mailboxAddresses, emailAddress)
+ }
+ }
+
+ return mailboxAddresses
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
index 782d35ef6..64ce52bd7 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
@@ -1,7 +1,7 @@ package cabf_smime_br /*
- * ZLint Copyright 2021 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
* * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go
index a3257ca55..8f3ac35e1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go @@ -1,7 +1,7 @@ package cabf_smime_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -20,7 +20,7 @@ import ( "github.com/zmap/zlint/v3/util" ) -// shallHaveCrlDistributionPoints - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU +// legacyMultipurposeEKUCheck - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU type legacyMultipurposeEKUCheck struct { } @@ -37,7 +37,7 @@ func init() { }) } -// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs +// NewLegacyMultipurposeEKUCheck creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs func NewLegacyMultipurposeEKUCheck() lint.CertificateLintInterface { return &legacyMultipurposeEKUCheck{} } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go index a7bc1a9af..491540012 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go @@ -1,7 +1,7 @@ package cabf_smime_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go index 3e0ed613f..7b31c3171 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go index bc6c46681..4dfa36eb1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go index 7e816446e..0207e5d8f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go 
@@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go index 1b3df4a85..a62cf458f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go index 9cf2197a6..56e4210e5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go index 9c326d7e7..7c374dfc6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go index b7c71ecbb..dbb159744 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go index 1a4928a75..5372a207b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go index cfa69fcfe..fa81020b2 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go index c22626e6f..dc0b4a0a8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go index 0238c26a4..1bca73c21 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go 
@@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go index c56df61d8..0539a19d5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go index 645b672c7..437b8146d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go index f120bbcd1..f4aa71a70 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go index 3e0c55251..32fa169a4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go index ef5739f7b..9a08549ae 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go index 9c84d970e..ba0de82ee 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go index 0c1f0ba05..a31e90edb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subj_country_not_uppercase.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subj_country_not_uppercase.go new file mode 100644 index 000000000..2c3ccbe8b --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subj_country_not_uppercase.go 
@@ -0,0 +1,62 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package community
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "regexp"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subj_country_not_uppercase",
+ Description: "Alpha-2 country codes shall consist of LATIN CAPITAL LETTER A through LATIN CAPITAL LETTER Z",
+ Citation: "ISO 3166-2:2020(E) section 5.1",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjCountryNotUppercase,
+ })
+}
+
+type subjCountryNotUppercase struct{}
+
+func NewSubjCountryNotUppercase() lint.LintInterface {
+ return &subjCountryNotUppercase{}
+}
+
+func (l *subjCountryNotUppercase) CheckApplies(c *x509.Certificate) bool {
+ return true
+}
+
+var re = regexp.MustCompile("^[A-Z]+$")
+
+func (l *subjCountryNotUppercase) Execute(c *x509.Certificate) *lint.LintResult {
+ // There should be only one countryName attribute in the Subject, normally,
+ // but checking this is not our business here, so let's scan them all
+ for _, cc := range c.Subject.Country {
+ if !re.MatchString(cc) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Country codes must be comprised of uppercase A-Z letters",
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go index 4f1e44c36..e4b51d04e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go index 7fe70c988..50c471a40 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go index 3794ee3c8..a19821f69 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go 
@@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go index 79e6ccf19..aa610ba79 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go index 3c2bb02ea..88126e401 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go index b7df51635..52c2e1362 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go index abed3568e..a32fe53a0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go index 67440ae3a..0cd439673 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go index aaa8e1fbd..2ed1db224 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go index 83aa604f1..244286d2f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go index 70ac2d9a3..8dfd35230 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go index ef3f8d3bb..ecece31df 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go index 0951efdc3..b4ba4d8c7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go index 6338f6dc8..0add14df4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go 
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go index a3a5f4a0d..680820c9e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go index 50f0c3469..af8370c60 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go index 9e578da86..4db414db7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go 
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go index 6bf0f20f4..c18c41f87 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go index e9dab7b8d..f170e2747 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go @@ -1,7 +1,7 @@ package mozilla /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go index c3c11f0ab..0a86abe87 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go @@ -1,7 +1,7 @@ package mozilla /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go index 105a9b8c0..05e4fbc23 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go index 632494f9f..2a15354d4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go index ba3111565..fea9f4857 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go index e9e784169..122749bab 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go @@ -1,7 +1,7 @@ package mozilla /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go index 6d580c243..0a884d70f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go 
@@ -1,7 +1,7 @@ package mozilla /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go index 276f20e61..015517c3d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go index d43e75400..7befaa686 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go index 840ce8bba..ba8462df3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_ext_invalid_der.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_ext_invalid_der.go new file mode 100644 index 000000000..578444af6 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_ext_invalid_der.go 
@@ -0,0 +1,119 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "crypto/x509/pkix"
+ "encoding/asn1"
+ "fmt"
+ "math/big"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cert_ext_invalid_der",
+ Description: "Checks that the 'critical' flag of extensions is not FALSE when present (as per DER encoding)",
+ Citation: "RFC 5280 $4.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewCertExtensionInvalidDER,
+ })
+}
+
+type certExtensionInvalidDER struct{}
+
+/*
+ * Modified syntax w/respect to RFC 5280, so we can detect whether
+ * the critical field is actually present in the DER encoding
+ */
+type Extension struct {
+ Id asn1.ObjectIdentifier
+ // This is either the 'critical' or the 'extnValue' field (see RFC 5280 section 4.1)
+ // We can discriminate based on tag, since the two fields are of different ASN.1 types
+ Field2 asn1.RawValue
+ // If this is present, it can only be the 'extnValue' field
+ // We need to be able to capture it, but we do not deal with it
+ Field3 asn1.RawValue `asn1:"optional"`
+}
+
+// This is just plain RFC 5280
+type Certificate struct {
+ TbsCertificate TBSCertificate
+ SignatureAlgorithm pkix.AlgorithmIdentifier
+ SignatureValue asn1.BitString
+}
+
+// Simplified with respect to RFC 5280, as we are not interested in most fields here
+type TBSCertificate struct {
+ Version int `asn1:"optional,explicit,default:0,tag:0"`
+ SerialNumber *big.Int
+ SignatureAlgo pkix.AlgorithmIdentifier
+ Issuer asn1.RawValue
+ Validity asn1.RawValue
+ Subject asn1.RawValue
+ PublicKey asn1.RawValue
+ IssuerUniqueId asn1.BitString `asn1:"optional,tag:1"`
+ SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"`
+ Extensions []Extension `asn1:"omitempty,optional,explicit,tag:3"`
+}
+
+func NewCertExtensionInvalidDER() lint.LintInterface {
+ return &certExtensionInvalidDER{}
+}
+
+func (l *certExtensionInvalidDER) CheckApplies(c *x509.Certificate) bool {
+ // This lint applies to any kind of certificate
+ return true
+}
+
+func (l *certExtensionInvalidDER) Execute(c *x509.Certificate) *lint.LintResult {
+
+ // Re-decode certificate based on an ad-hoc target struct
+ var cert Certificate
+ _, err := asn1.Unmarshal(c.Raw, &cert)
+
+ // This should never happen
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: "Failed to decode certificate",
+ }
+ }
+
+ for _, ext := range cert.TbsCertificate.Extensions {
+ if ext.Field2.Tag == asn1.TagBoolean {
+ // This is the 'critical' flag
+ if ext.Field2.Bytes[0] == 0 {
+ // This a BOOLEAN FALSE
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("The %v extension is not properly DER-encoded ('critical' must be absent when FALSE)", ext.Id),
+ }
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go
index 5e2491f14..c19282ffd 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go index d03b4c8a1..6b250b612 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_empty_revoked_certificates.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_empty_revoked_certificates.go new file mode 100644 index 000000000..fec36bc47 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_empty_revoked_certificates.go 
@@ -0,0 +1,101 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "crypto/x509/pkix"
+ "encoding/asn1"
+ "math/big"
+ "time"
+)
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_empty_revoked_certificates",
+ Description: "When there are no revoked certificates, the revoked certificates list MUST be absent",
+ Citation: "RFC5280 §5.1.2.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewEmptyRevokedCertificates,
+ })
+}
+
+type emptyRevokedCertificates struct{}
+
+type RevokedCertificate struct {
+ UserCertificate *big.Int
+ RevocationDate time.Time
+ CrlEntryExtensions asn1.RawValue `asn1:"optional"`
+}
+
+type TBSCertList struct {
+ Version int `asn1:"optional"`
+ Signature pkix.AlgorithmIdentifier
+ Issuer asn1.RawValue
+ ThisUpdate time.Time
+ NextUpdate time.Time `asn1:"optional"`
+ RevokedCertificates []RevokedCertificate `asn1:"optional"`
+ CrlExtensions asn1.RawValue `asn1:"tag:0,optional"`
+}
+
+type CertificateList struct {
+ TbsCertList TBSCertList
+ SignatureAlgorithm pkix.AlgorithmIdentifier
+ SignatureValue asn1.BitString
+}
+
+func NewEmptyRevokedCertificates() lint.RevocationListLintInterface {
+ return &emptyRevokedCertificates{}
+}
+
+func (l *emptyRevokedCertificates) CheckApplies(c *x509.RevocationList) bool {
+ return true
+}
+
+func (l *emptyRevokedCertificates) Execute(c *x509.RevocationList) *lint.LintResult {
+
+ // We have to re-unmarshal the CRL in our own way, as x.509 RevocationList
+ // does not allow the verification we want to do here
+ var certList CertificateList
+ _, err := asn1.Unmarshal(c.Raw, &certList)
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: "Failed to decode CRL",
+ }
+ }
+
+ if certList.TbsCertList.RevokedCertificates != nil {
+ if len(certList.TbsCertList.RevokedCertificates) == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "CRL contains an empty revokedCertificates element",
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go
index 70dd461dd..d881307e0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_missing_crl_number.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_missing_crl_number.go
new file mode 100644
index 000000000..cbe28b232
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_missing_crl_number.go
@@ -0,0 +1,62 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_missing_crl_number",
+ Description: "CRL issuers conforming to this profile MUST include this extension in all CRLs",
+ Citation: "RFC5280 §5.2.3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewMissingCRLNumber,
+ })
+}
+
+type missingCRLNumber struct{}
+
+func NewMissingCRLNumber() lint.RevocationListLintInterface {
+ return &missingCRLNumber{}
+}
+
+func (l *missingCRLNumber) CheckApplies(c *x509.RevocationList) bool {
+ return true
+}
+
+func (l *missingCRLNumber) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, e := range c.Extensions {
+ if e.Id.Equal(util.CRLNumberOID) {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+ }
+
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "This CRL lacks the mandatory CRL Number extension",
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_revoked_certificates_field_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_revoked_certificates_field_empty.go
new file mode 100644
index 000000000..4ab576d37
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_revoked_certificates_field_empty.go
@@ -0,0 +1,114 @@ +package rfc + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" + "golang.org/x/crypto/cryptobyte" + cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" +) + +type revokedCertificates struct{} + +/* +RFC 5280: 5.1.2.6 + + When there are no revoked certificates, the revoked certificates list + MUST be absent. +*/ +func init() { + lint.RegisterRevocationListLint(&lint.RevocationListLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_crl_revoked_certificates_field_must_be_empty", + Description: "When the revokedCertificates field is empty, it MUST be absent from the DER-encoded ASN.1 data structure.", + Citation: "RFC 5280: 5.1.2.6", + Source: lint.RFC5280, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewEmptyRevokedCerts, + }) +} + +func NewEmptyRevokedCerts() lint.RevocationListLintInterface { + return &revokedCertificates{} +} + +func (l *revokedCertificates) CheckApplies(c *x509.RevocationList) bool { + // This lint is to verify that the TBSCertList.revokedCertificates field, + // when empty, is indeed missing from the DER-encoded ASN.1 bytes. 
+ if c != nil && len(c.RevokedCertificates) == 0 { + return true + } + + return false +} + +func (l *revokedCertificates) Execute(c *x509.RevocationList) *lint.LintResult { + // This is a modified version of x509.ParseRevocationList that extracts the + // raw DER-encoded bytes that comprise a CRL and parses away layers until + // the optional `revokedCertificates` field of a TBSCertList is either found + // or confirmed to be missing from the ASN.1 data structure. + input := cryptobyte.String(c.Raw) + + // Extract the CertificateList + if !input.ReadASN1(&input, cryptobyte_asn1.SEQUENCE) { + return &lint.LintResult{Status: lint.Fatal, Details: "malformed CRL"} + } + + var tbs cryptobyte.String + // Extract the TBSCertList from the CertificateList + if !input.ReadASN1(&tbs, cryptobyte_asn1.SEQUENCE) { + return &lint.LintResult{Status: lint.Fatal, Details: "malformed TBS CRL"} + } + + // Skip optional version + tbs.SkipOptionalASN1(cryptobyte_asn1.INTEGER) + + // Skip the signature + tbs.SkipASN1(cryptobyte_asn1.SEQUENCE) + + // Skip the issuer + tbs.SkipASN1(cryptobyte_asn1.SEQUENCE) + + // SkipOptionalASN1 is identical to SkipASN1 except that it also does a + // peek. We'll handle the non-optional thisUpdate with these double peeks + // because there's no harm doing so. + skipTime := func(s *cryptobyte.String) { + switch { + case s.PeekASN1Tag(cryptobyte_asn1.UTCTime): + s.SkipOptionalASN1(cryptobyte_asn1.UTCTime) + case s.PeekASN1Tag(cryptobyte_asn1.GeneralizedTime): + s.SkipOptionalASN1(cryptobyte_asn1.GeneralizedTime) + } + } + + // Skip thisUpdate + skipTime(&tbs) + + // Skip optional nextUpdate + skipTime(&tbs) + + // Finally, the field which we care about: revokedCertificates. This will + // not trigger on the next field `crlExtensions` because that has + // context-specific tag [0] and EXPLICIT encoding, not `SEQUENCE` and is + // therefore a safe place to end this venture. 
+ if tbs.PeekASN1Tag(cryptobyte_asn1.SEQUENCE) { + return &lint.LintResult{Status: lint.Error, Details: "When there are no revoked certificates, the revoked certificates list MUST be absent."} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go index 602ec1823..20bbb2303 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go index e14577c79..c3b53dbdf 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go index 7629b249b..4640f8877 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go index a26991cc4..0b9f7b70c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go index 26b47ecd4..9ab2060f6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go index d1f97f933..5aad650d8 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go index b213b416f..ae2604d00 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go index a7849fff4..380d84cc7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go index 61653c929..a2e89f71f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go index c7b263ac0..2400115e9 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go index 4969fd2d9..84d3403e7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_empty_sct_list.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_empty_sct_list.go new file mode 100644 index 000000000..d6f47a2c8 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_empty_sct_list.go 
@@ -0,0 +1,99 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/* + * Contributed by Adriano Santoni + */ + +package rfc + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" + + "encoding/asn1" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_empty_sct_list", + Description: "At least one SCT MUST be included in the SignedCertificateTimestampList extension", + Citation: "RFC 6962 section 3.3", + Source: lint.RFC6962, + EffectiveDate: util.RFC6962Date, + }, + Lint: NewEmptySCTList, + }) +} + +type emptySCTList struct{} + +func NewEmptySCTList() lint.LintInterface { + return &emptySCTList{} +} + +// CheckApplies returns true for any subscriber certificates that are not precertificates +// (i.e. 
that do not have the CT poison extension defined in RFC 6962) +func (l *emptySCTList) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && !util.IsExtInCert(c, util.CtPoisonOID) +} + +func (l *emptySCTList) Execute(c *x509.Certificate) *lint.LintResult { + + var sctListExtValue []byte + + for _, e := range c.Extensions { + if e.Id.Equal(util.TimestampOID) { + sctListExtValue = e.Value + break + } + } + + // SCT extension not found, so there is nothing to check + if sctListExtValue == nil { + return &lint.LintResult{Status: lint.Pass} + } + + var octetString []byte + + _, err := asn1.Unmarshal(sctListExtValue, &octetString) + if err != nil { + // This will probably never happen, as at this point the extension has already been parsed by an upper Zlint layer + return &lint.LintResult{ + Status: lint.Fatal, + Details: "Error decoding the SignedCertificateTimestampList extension", + } + } + + // Per RFC 5246, the SCT list must begin with a two-bytes length field + if len(octetString) < 2 { + // This will probably never happen, as at this point the extension has already been parsed by an upper Zlint layer + return &lint.LintResult{ + Status: lint.Fatal, + Details: "Invalid SCT list encoding (missing length field)", + } + } + + // If the SCT list length (first two bytes) is zero, then it's an invalid SCT list per RFC 6962 + if octetString[0] == 0 && octetString[1] == 0 { + return &lint.LintResult{ + Status: lint.Error, + Details: "At least one SCT MUST be included in the SignedCertificateTimestampList extension", + } + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go index 6a1f321b6..c57bad163 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go index c8d221f93..2257957f7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go index 04703e518..51cea0cc8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go index da91e5667..81103b46f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go index 0f954f130..19944aa35 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go index 4ab2ece9a..002af303d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go index 9c2e0a5ab..d6b446029 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go index 4919a7098..66d86b4ff 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go index 60d260d5f..3db9981bc 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go index 976cde025..bd9350234 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go index 26ed42561..ec7ec651e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go index a5b12b137..023b130fe 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go index 7e827bfd3..4d4e2a4a1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go index e76f47fd9..431f19aad 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go index d710b9a17..5f198ff8b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go index 5a79abda3..5e6f4c319 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go index ff4ab8170..49fa5f948 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go index ffcd291e1..75f657d21 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go index 473d9bf2f..85191ea0d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go index 1bb41766b..37f65e0cb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go index 369008d1d..02177c033 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go index 4843bb6b9..bb93397b3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go index fd6977aea..6e344a9bb 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go index b459bf3f9..48f66868d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go index c4e61b09d..ae489ada5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go index f8dfcb4b0..1edac2988 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go index 74067d6b0..fb35aafec 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go index fe30ad81c..6c2ab82f9 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go index 2a6c5120b..88f5086c4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go index edc5ae098..1f44017ee 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go index 30f9577c9..54e612861 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go index f3e680bd3..91873c9fa 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go index 64fed3d7f..2df3f9f0d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go index 08b307116..b0531ef0f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go index c0b46d83b..dc8b8a059 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go index 34228b648..5095558f5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go index de3953e2c..7849fe6bb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go index 86db09f40..8dd70b39b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go index 5f51e09ac..02969f71e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go index 034d52f53..396169f40 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go index a6d179335..80c1cb72e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go index 3fa4a3040..7f4bc1c3c 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go index 60c556534..783f9b47d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go index 6eb42763b..410c1fd00 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go index d0cad9208..243788956 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go index 6d0f66e95..78cb772b0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go index 75edd8bda..ba54e83a4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go index 495777f50..5b589f4bf 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go index 6c4e2a8e5..df6d46d27 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go index fc66e1b39..948a00d43 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go index 312dc9dda..17928a960 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go index c6c4ed992..4b0e5be4e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go index 492513dc0..415b4011c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go index 3b7b19472..ec9c01027 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go index 8b3917df6..970f5bb51 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go index 55ed709c1..51de2e854 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go index e7e81dbfe..4e22b9aa3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go index ed442e47d..956017a77 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go index 5041e88cc..1c5e2bae1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go index df017fc6c..f49c5919f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2021 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go index 1a875568d..d93669617 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go index 8fcc372bb..dcdb358fb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go index 78b0029d5..ff6ebd212 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go index 113ce13ec..ca05fc14b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go index 38a352d19..e359024ee 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go index ed34a08f9..42bc2a7f1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go index 16371bd80..6ac32ff23 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go index dcd2b5d3a..54cece228 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go index a229cfcca..ddce296a6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go index c2441ea85..ac8133a01 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_precert_with_sct_list.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_precert_with_sct_list.go new file mode 100644 index 000000000..a84b7a417 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_precert_with_sct_list.go 
@@ -0,0 +1,59 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_precert_with_sct_list",
+ Description: "SCTs must be embedded in the final certificate, not in a precertificate",
+ Citation: "RFC 6962 §3.3",
+ Source: lint.RFC6962,
+ EffectiveDate: util.RFC6962Date,
+ },
+ Lint: NewPreCertWithSCTList,
+ })
+}
+
+type preCertWithSCTList struct{}
+
+func NewPreCertWithSCTList() lint.LintInterface {
+ return &preCertWithSCTList{}
+}
+
+func (l *preCertWithSCTList) CheckApplies(c *x509.Certificate) bool {
+ return util.IsExtInCert(c, util.CtPoisonOID)
+}
+
+func (l *preCertWithSCTList) Execute(c *x509.Certificate) *lint.LintResult {
+ if util.IsExtInCert(c, util.TimestampOID) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Precertificates must not contain the SignedCertificateTimestampList extension",
+ }
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go
index aff892a3c..9e9677ad6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go
index d15134a47..45c9e137e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go
index f35f25955..8e234995b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go index 20114ae1f..500bcefb4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go index 0efb8f078..709872ea1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go index b5bf7317b..a55ada9d7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go 
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go
index 1d8e4f147..9126548ac 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go
index e996906f4..7c1236ac8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go
index 347f51402..d3a04187e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go
index c448d1d02..3a983c466 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go
index a0595a868..b772635b0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go
index 6c57dd073..e4ca16bc0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go
index 62d578f1d..d53d96305 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go
index f2321dfd5..b86e8eec8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go
index 95d0d9e58..fab70f3cc 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go
index 50e3baad8..85b9ffdee 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go
index 677e5d9bb..643368bc2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go
index e78026396..9256742f8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go
index a1b35e26d..469968a6a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go
index a29f7677b..15c2edcc8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go
index 8495c3179..e812e7375 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go
index f43a9401c..a5da6ebc5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go
index 8a56d940c..0b38c3f14 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go
index c3fea203d..2359cff36 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go
index 3053f0d47..5fc3d20d5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go
index dec500954..652b085f1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go
index 050247551..54f44fe4a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go
index a8ebeb0d6..04b577aa2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go
index 7b22fa75a..4731106e8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go
index 5502b2a60..971b1e2d3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go
index f2d31ffe9..f14c477cb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go
index b7ff29cae..7cff58574 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/newLint.sh b/vendor/github.com/zmap/zlint/v3/newLint.sh
index fde173dc4..859d8e93f 100644
--- a/vendor/github.com/zmap/zlint/v3/newLint.sh
+++ b/vendor/github.com/zmap/zlint/v3/newLint.sh
@@ -1,51 +1,102 @@ -# Script to create new lint from template +#!/usr/bin/env bash -USAGE="Usage: $0 +function usage() { + echo "./newLint.sh [-h|--help] -r|--req -f|--file -s|--struct " + echo "" + echo "Options:" + echo " -h|--help Prints this help text." + echo " -r|--req The name of the requirements body governing this lint. Valid options are $(valid_requirement_names)." + echo " -f|--file The target filename for the given lint (no file extension is required)." + echo " -s|--struct The name of the Golang struct to create." + echo "" + echo "Example:" + echo " $ ./newLint.sh --req rfc --file crl_must_be_good --struct CrlMustBeGood " + echo " Created lint file /home/chris/projects/zlint/v3/lints/rfc/lint_crl_must_be_good.go with struct name CrlMustBeGood" + echo " Created test file /home/chris/projects/zlint/v3/lints/rfc/lint_crl_must_be_good_test.go" +} -ARG1: Path_name -ARG2: File_name/TestName (no 'lint_' prefix) -ARG3: Struct_name" +function git_root() { + git rev-parse --show-toplevel +} -if [ $# -eq 0 ]; then - echo "No arguments provided..." - echo "$USAGE" - exit 1 +# Searches within the v3/lints directory for a subdirectory matching +# the name of the governing requirements body provided by the -r|--req flag. +# +# Exits with error code 1 if no such directory is found +function requirement_dir_exists() { + exists=$(find "$(git_root)/v3/lints/" -maxdepth 1 -type d -not -name lints -name "${1}") + if [ -z "${exists}" ]; then + echo "Unknown requirements body (${1}). Valid options are $(valid_requirement_names)." 
+ usage + exit 1 + fi +} + +# Echoes out a comma separated list of directories within v3/lints +function valid_requirement_names() { + names=$(find "$(git_root)/v3/lints/" -type d -not -name "lints" -exec basename {} \;) + echo -n "${names}" | tr '\n' ', ' +} + +while [[ $# -gt 0 ]]; do + case "$1" in + -r | --req) + requirement_dir_exists "${2}" + REQUIREMENT="${2}" + shift 2 + ;; + -f | --file) + LINTNAME="${2}" + FILENAME="lint_${LINTNAME}.go" + TEST_FILENAME="lint_${LINTNAME}_test.go" + shift 2 + ;; + -s | --struct) + STRUCTNAME="$2" + shift 2 + ;; + -h | --help) + usage + exit 0 + ;; + *) + echo "Unknown option: $1" + usage + exit 1 + ;; + esac +done + +if [ -z "${REQUIREMENT}" ]; then + echo "The -r|--req flag is required. Valid options are $(valid_requirement_names)" + usage + exit 1 fi -if [ $# -eq 1 ]; then - echo "Not enough arguments provided..." - echo "$USAGE" - exit 1 +if [ -z "${LINTNAME}" ]; then + echo "The -f|--file flag is required." + usage + exit 1 fi -if [ $# -eq 2 ]; then - echo "Not enough arguments provided..." - echo "$USAGE" - exit 1 +if [ -z "${STRUCTNAME}" ]; then + echo "The -s|--strut flag is required." + usage + exit 1 fi -if [ ! -d lints/$1 ] -then - echo "Directory 'lints/$1' does not exist. Can't make new file." - exit 1 -fi +PATHNAME="$(git_root)/v3/lints/${REQUIREMENT}/${FILENAME}" +TEST_PATHNAME="$(git_root)/v3/lints/${REQUIREMENT}/${TEST_FILENAME}" - -if [ -e lints/$1/lint_$2.go ] -then - echo "File already exists. Can't make new file." 
- exit 1 -fi - -PATHNAME=$1 -LINTNAME=$2 -# Remove the first two characters from ${LINTNAME} and save the resulting string into FILENAME -FILENAME=${LINTNAME:2} -STRUCTNAME=$3 - -sed -e "s/PACKAGE/${PATHNAME}/" \ +sed -e "s/PACKAGE/${REQUIREMENT}/" \ -e "s/PASCAL_CASE_SUBST/${STRUCTNAME^}/g" \ -e "s/SUBST/${STRUCTNAME}/g" \ - -e "s/SUBTEST/${LINTNAME}/g" template > lints/${PATHNAME}/lint_${FILENAME}.go + -e "s/SUBTEST/${LINTNAME}/g" "$(git_root)/v3/template" > "${PATHNAME}" -echo "Created file lints/${PATHNAME}/lint_${FILENAME}.go with struct name ${STRUCTNAME}" +sed -e "s/PACKAGE/${REQUIREMENT}/" \ + -e "s/PASCAL_CASE_SUBST/${STRUCTNAME^}/g" \ + -e "s/SUBST/${STRUCTNAME}/g" \ + -e "s/SUBTEST/${LINTNAME}/g" "$(git_root)/v3/test_template" > "${TEST_PATHNAME}" + +echo "Created lint file ${PATHNAME} with struct name ${STRUCTNAME}" +echo "Created test file ${TEST_PATHNAME}" diff --git a/vendor/github.com/zmap/zlint/v3/profileTemplate b/vendor/github.com/zmap/zlint/v3/profileTemplate index 109dc7d25..a65f3443e 100644 --- a/vendor/github.com/zmap/zlint/v3/profileTemplate +++ b/vendor/github.com/zmap/zlint/v3/profileTemplate @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/resultset.go b/vendor/github.com/zmap/zlint/v3/resultset.go index 343a00d9e..5fd34d814 100644 --- a/vendor/github.com/zmap/zlint/v3/resultset.go +++ b/vendor/github.com/zmap/zlint/v3/resultset.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/template b/vendor/github.com/zmap/zlint/v3/template
index f3780cdf4..224791623 100644
--- a/vendor/github.com/zmap/zlint/v3/template
+++ b/vendor/github.com/zmap/zlint/v3/template
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/test_template b/vendor/github.com/zmap/zlint/v3/test_template
new file mode 100644
index 000000000..fdc41ce91
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/test_template
@@ -0,0 +1,31 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package PACKAGE
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestPASCAL_CASE_SUBST(t *testing.T) {
+ inputPath := "TEST_CERT.pem"
+ expected := lint.Error
+ out := test.TestLint("LINT_NAME", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/ca.go b/vendor/github.com/zmap/zlint/v3/util/ca.go
index 8a1bb5504..c62421147 100644
--- a/vendor/github.com/zmap/zlint/v3/util/ca.go
+++ b/vendor/github.com/zmap/zlint/v3/util/ca.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -52,7 +52,7 @@ func IsDelegatedOCSPResponderCert(cert *x509.Certificate) bool {
 }
 
 func IsServerAuthCert(cert *x509.Certificate) bool {
- if len(cert.ExtKeyUsage) == 0 {
+ if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
 return true
 }
 for _, eku := range cert.ExtKeyUsage {
@@ -60,21 +60,30 @@ func IsServerAuthCert(cert *x509.Certificate) bool {
 return true
 }
 }
- return false
-}
-
-// IsEmailProtectionCert returns true if the certificate presented is for use protecting emails.
-// A certificate is for use protecting emails if it contains the Any Purpose or emailProtection
-// EKUs or if the certificate contains no EKUs. This last point is a way of being overly cautious
-// and choosing to prefer false positives over false negatives.
-func IsEmailProtectionCert(cert *x509.Certificate) bool {
- if len(cert.ExtKeyUsage) == 0 {
- return true
- }
- for _, eku := range cert.ExtKeyUsage {
- if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageEmailProtection {
+ for _, policy := range cert.PolicyIdentifiers {
+ if policy.Equal(BRDomainValidatedOID) || policy.Equal(BROrganizationValidatedOID) ||
+ policy.Equal(BRIndividualValidatedOID) || policy.Equal(BRExtendedValidatedOID) {
 return true
 }
 }
 return false
 }
+
+// IsEmailProtectionCert returns true if the certificate presented is for use protecting emails.
+// The S/MIME BRs say the certificate can be identified by an EKU for id-kp-emailProtection
+// and the inclusion of a rfc822Name SAN or an otherName of type id-on-SmtpUTF8Mailbox.
+// As a way of being overly cautious and choosing to prefer false positives over false negatives,
+// also include certificates that have no EKUs, the any purpose EKU, or one of the policy OIDs.
+func IsEmailProtectionCert(cert *x509.Certificate) bool {
+ if HasEmailSAN(cert) {
+ if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
+ return true
+ }
+ for _, eku := range cert.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageEmailProtection {
+ return true
+ }
+ }
+ }
+ return IsSMIMEBRCertificate(cert)
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/countries.go b/vendor/github.com/zmap/zlint/v3/util/countries.go
index 2ec04aee9..01915433d 100644
--- a/vendor/github.com/zmap/zlint/v3/util/countries.go
+++ b/vendor/github.com/zmap/zlint/v3/util/countries.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/cs.go b/vendor/github.com/zmap/zlint/v3/util/cs.go
new file mode 100644
index 000000000..5191ba285
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/util/cs.go
@@ -0,0 +1,18 @@
+package util
+
+import "github.com/zmap/zcrypto/encoding/asn1"
+
+const (
+ evCodeSigningPolicy = "2.23.140.1.3"
+ codeSigningPolicy = "2.23.140.1.4.1"
+)
+
+func IsCodeSigning(policies []asn1.ObjectIdentifier) bool {
+ for _, policy := range policies {
+ if policy.String() == evCodeSigningPolicy || policy.String() == codeSigningPolicy {
+ return true
+ }
+ }
+
+ return false
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/encodings.go b/vendor/github.com/zmap/zlint/v3/util/encodings.go
index 316217440..ca192675f 100644
--- a/vendor/github.com/zmap/zlint/v3/util/encodings.go
+++ b/vendor/github.com/zmap/zlint/v3/util/encodings.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/ev.go b/vendor/github.com/zmap/zlint/v3/util/ev.go
index 54729f7dc..e3d3c1b32 100644
--- a/vendor/github.com/zmap/zlint/v3/util/ev.go
+++ b/vendor/github.com/zmap/zlint/v3/util/ev.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/fqdn.go b/vendor/github.com/zmap/zlint/v3/util/fqdn.go
index bcf3f8e23..ff4859da3 100644
--- a/vendor/github.com/zmap/zlint/v3/util/fqdn.go
+++ b/vendor/github.com/zmap/zlint/v3/util/fqdn.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/gtld.go b/vendor/github.com/zmap/zlint/v3/util/gtld.go
index 6a7fb64f3..c39429e56 100644
--- a/vendor/github.com/zmap/zlint/v3/util/gtld.go
+++ b/vendor/github.com/zmap/zlint/v3/util/gtld.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/gtld_map.go b/vendor/github.com/zmap/zlint/v3/util/gtld_map.go
index 6fb589b45..ab5244a51 100644
--- a/vendor/github.com/zmap/zlint/v3/util/gtld_map.go
+++ b/vendor/github.com/zmap/zlint/v3/util/gtld_map.go
@@ -2,7 +2,7 @@
 // This file was generated by zlint-gtld-update.
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -481,7 +481,7 @@ var tldMap = map[string]GTLDPeriod{ "avianca": { GTLD: "avianca", DelegationDate: "2016-03-09", - RemovalDate: "", + RemovalDate: "2024-03-27", }, "aw": { GTLD: "aw", @@ -536,7 +536,7 @@ var tldMap = map[string]GTLDPeriod{ "bananarepublic": { GTLD: "bananarepublic", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2024-01-22", }, "band": { GTLD: "band", @@ -1426,7 +1426,7 @@ var tldMap = map[string]GTLDPeriod{ "comcast": { GTLD: "comcast", DelegationDate: "2016-07-07", - RemovalDate: "", + RemovalDate: "2024-02-06", }, "commbank": { GTLD: "commbank", @@ -1631,7 +1631,7 @@ var tldMap = map[string]GTLDPeriod{ "dabur": { GTLD: "dabur", DelegationDate: "2015-01-24", - RemovalDate: "", + RemovalDate: "2024-09-25", }, "dad": { GTLD: "dad", @@ -2771,7 +2771,7 @@ var tldMap = map[string]GTLDPeriod{ "guardian": { GTLD: "guardian", DelegationDate: "2016-05-13", - RemovalDate: "", + RemovalDate: "2024-03-05", }, "gucci": { GTLD: "gucci", @@ -4416,7 +4416,7 @@ var tldMap = map[string]GTLDPeriod{ "natura": { GTLD: "natura", DelegationDate: "2016-02-11", - RemovalDate: "", + RemovalDate: "2024-06-12", }, "navy": { GTLD: "navy", @@ -4676,7 +4676,7 @@ var tldMap = map[string]GTLDPeriod{ "oldnavy": { GTLD: "oldnavy", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2024-01-22", }, "ollo": { GTLD: "ollo", @@ -5701,7 +5701,7 @@ var tldMap = map[string]GTLDPeriod{ "shaw": { GTLD: "shaw", DelegationDate: "2016-03-22", - RemovalDate: "", + RemovalDate: "2024-07-09", }, "shell": { GTLD: "shell", @@ -6956,7 +6956,7 @@ var tldMap = map[string]GTLDPeriod{ "xfinity": { GTLD: "xfinity", DelegationDate: "2016-07-07", - RemovalDate: "", + RemovalDate: "2024-02-06", }, "xihuan": { GTLD: "xihuan", diff --git a/vendor/github.com/zmap/zlint/v3/util/idna.go b/vendor/github.com/zmap/zlint/v3/util/idna.go index 45d14daab..c96f6ab04 100644 --- a/vendor/github.com/zmap/zlint/v3/util/idna.go +++ b/vendor/github.com/zmap/zlint/v3/util/idna.go 
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/ip.go b/vendor/github.com/zmap/zlint/v3/util/ip.go
index 7aefe6797..a61c77344 100644
--- a/vendor/github.com/zmap/zlint/v3/util/ip.go
+++ b/vendor/github.com/zmap/zlint/v3/util/ip.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/names.go b/vendor/github.com/zmap/zlint/v3/util/names.go
index e8fc5c49e..abccb2b94 100644
--- a/vendor/github.com/zmap/zlint/v3/util/names.go
+++ b/vendor/github.com/zmap/zlint/v3/util/names.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/oid.go b/vendor/github.com/zmap/zlint/v3/util/oid.go
index fd037e0a1..ec81a9041 100644
--- a/vendor/github.com/zmap/zlint/v3/util/oid.go
+++ b/vendor/github.com/zmap/zlint/v3/util/oid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -24,37 +24,43 @@ import (
 var (
 	//extension OIDs
-	AdobeTimeStampOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension
-	AdobeArchiveRevInfoOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension
-	AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access
-	AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier
-	BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints
-	CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies
-	CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points
-	CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison
-	EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax
-	FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL
-	InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy
-	IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name
-	KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage
-	LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext
-	NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints
-	OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check
-	PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints
-	PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings
-	PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period
-	QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements
-	TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List
-	SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities
-	SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name
-	SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes
-	SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax
-	SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier
-	ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code
-	// CA/B reserved policies
-	BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated
-	BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated
-	BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Individual-Validated
+	AdobeTimeStampOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension
+	AdobeArchiveRevInfoOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension
+	AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access
+	AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier
+	BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints
+	CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies
+	CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points
+	CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison
+	EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax
+	FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL
+	InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy
+	IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name
+	KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage
+	LegalEntityIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 1} // Legal Entity Identifier
+	LegalEntityIdentifierRoleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 2} // Legal Entity Identifier Role
+	LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext
+	NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints
+	OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check
+	PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints
+	PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings
+	PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period
+	QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements
+	TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List
+	SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities
+	SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name
+	SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes
+	SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax
+	SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier
+	ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code
+	CRLNumberOID = asn1.ObjectIdentifier{2, 5, 29, 20} // CRL Number
+	// Extended Key Usage OIDs
+	PreCertificateSigningCertificateEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4}
+	// CA/B Reserved Certificate Policy Identifiers
+	BRExtendedValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1} // CA/B BR Reserved Certificate Policy Identifiers - Extended Validation
+	BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Reserved Certificate Policy Identifiers - Domain-Validated
+	BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Reserved Certificate Policy Identifiers - Organization-Validated
+	BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Reserved Certificate Policy Identifiers - Individual-Validated
 	BRTorServiceDescriptor = asn1.ObjectIdentifier{2, 23, 140, 1, 31} // CA/B BR Tor Service Descriptor
 	CabfExtensionOrganizationIdentifier = asn1.ObjectIdentifier{2, 23, 140, 3, 1} // CA/B EV 9.8.2 cabfOrganizationIdentifier
 	SMIMEBRMailboxValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 1} // CA/B SMIME BR Mailbox Validated, Legacy
@@ -158,6 +164,14 @@ func TypeInName(name *pkix.Name, oid asn1.ObjectIdentifier) bool {
 	return false
 }
 
+func GetTypesInName(name *pkix.Name) []asn1.ObjectIdentifier {
+	types := make([]asn1.ObjectIdentifier, 0)
+	for _, name := range name.Names {
+		types = append(types, name.Type)
+	}
+	return types
+}
+
 // helper function to parse policyMapping extensions, returns slices of CertPolicyIds separated by domain
 func GetMappedPolicies(polMap *pkix.Extension) ([][2]asn1.ObjectIdentifier, error) {
 	if polMap == nil {
diff --git a/vendor/github.com/zmap/zlint/v3/util/primes.go b/vendor/github.com/zmap/zlint/v3/util/primes.go
index 20b04f8df..6520a5400 100644
--- a/vendor/github.com/zmap/zlint/v3/util/primes.go
+++ b/vendor/github.com/zmap/zlint/v3/util/primes.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go b/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go
index a8f7c0a5e..b258053d7 100644
--- a/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go
+++ b/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/rdn.go b/vendor/github.com/zmap/zlint/v3/util/rdn.go
index 3ce4dd989..6b94e923c 100644
--- a/vendor/github.com/zmap/zlint/v3/util/rdn.go
+++ b/vendor/github.com/zmap/zlint/v3/util/rdn.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/san.go b/vendor/github.com/zmap/zlint/v3/util/san.go
index d1f2f551a..a22bda719 100644
--- a/vendor/github.com/zmap/zlint/v3/util/san.go
+++ b/vendor/github.com/zmap/zlint/v3/util/san.go
@@ -1,6 +1,10 @@
 package util
 
-import "github.com/zmap/zcrypto/x509"
+import (
+	"net/mail"
+
+	"github.com/zmap/zcrypto/x509"
+)
 
 func HasEmailSAN(c *x509.Certificate) bool {
 	for _, san := range c.EmailAddresses {
@@ -17,3 +21,10 @@ func HasEmailSAN(c *x509.Certificate) bool {
 
 	return false
 }
+
+// IsMailboxAddress returns true if the passed in string resembles an RFC 5322
+// mailbox address.
+func IsMailboxAddress(address string) bool {
+	validAddress, err := mail.ParseAddress(address)
+	return err == nil && validAddress.Address == address
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/smime_policies.go b/vendor/github.com/zmap/zlint/v3/util/smime_policies.go
index afee1e234..f0f4eb3be 100644
--- a/vendor/github.com/zmap/zlint/v3/util/smime_policies.go
+++ b/vendor/github.com/zmap/zlint/v3/util/smime_policies.go
@@ -1,7 +1,7 @@
 package util
 
 /*
- * ZLint Copyright 2021 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -18,9 +18,13 @@ import (
 	"github.com/zmap/zcrypto/x509"
 )
 
-func IsMailboxValidatedCertificate(c *x509.Certificate) bool {
+func IsSMIMEBRCertificate(c *x509.Certificate) bool {
+	return IsLegacySMIMECertificate(c) || IsMultipurposeSMIMECertificate(c) || IsStrictSMIMECertificate(c)
+}
+
+func IsIndividualValidatedCertificate(c *x509.Certificate) bool {
 	for _, oid := range c.PolicyIdentifiers {
-		if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBRMailboxValidatedStrictOID) {
+		if oid.Equal(SMIMEBRIndividualValidatedLegacyOID) || oid.Equal(SMIMEBRIndividualValidatedMultipurposeOID) || oid.Equal(SMIMEBRIndividualValidatedStrictOID) {
 			return true
 		}
 	}
@@ -28,13 +32,9 @@ func IsMailboxValidatedCertificate(c *x509.Certificate) bool {
 	return false
 }
 
-func IsSMIMEBRCertificate(c *x509.Certificate) bool {
-	return IsLegacySMIMECertificate(c) || IsMultipurposeSMIMECertificate(c) || IsStrictSMIMECertificate(c)
-}
-
-func IsLegacySMIMECertificate(c *x509.Certificate) bool {
+func IsMailboxValidatedCertificate(c *x509.Certificate) bool {
 	for _, oid := range c.PolicyIdentifiers {
-		if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBROrganizationValidatedLegacyOID) || oid.Equal(SMIMEBRSponsorValidatedLegacyOID) || oid.Equal(SMIMEBRIndividualValidatedLegacyOID) {
+		if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBRMailboxValidatedStrictOID) {
 			return true
 		}
 	}
@@ -62,6 +62,16 @@ func IsSponsorValidatedCertificate(c *x509.Certificate) bool {
 	return false
 }
 
+func IsLegacySMIMECertificate(c *x509.Certificate) bool {
+	for _, oid := range c.PolicyIdentifiers {
+		if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBROrganizationValidatedLegacyOID) || oid.Equal(SMIMEBRSponsorValidatedLegacyOID) || oid.Equal(SMIMEBRIndividualValidatedLegacyOID) {
+			return true
+		}
+	}
+
+	return false
+}
+
 func IsMultipurposeSMIMECertificate(c *x509.Certificate) bool {
 	for _, oid := range c.PolicyIdentifiers {
 		if oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBROrganizationValidatedMultipurposeOID) || oid.Equal(SMIMEBRSponsorValidatedMultipurposeOID) || oid.Equal(SMIMEBRIndividualValidatedMultipurposeOID) {
diff --git a/vendor/github.com/zmap/zlint/v3/util/time.go b/vendor/github.com/zmap/zlint/v3/util/time.go
index 2db1b9a33..c0c9ee3e6 100644
--- a/vendor/github.com/zmap/zlint/v3/util/time.go
+++ b/vendor/github.com/zmap/zlint/v3/util/time.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -37,6 +37,7 @@ var (
 	RFC4630Date = time.Date(2006, time.August, 1, 0, 0, 0, 0, time.UTC)
 	RFC5280Date = time.Date(2008, time.May, 1, 0, 0, 0, 0, time.UTC)
 	RFC6818Date = time.Date(2013, time.January, 1, 0, 0, 0, 0, time.UTC)
+	RFC6962Date = time.Date(2013, time.June, 1, 0, 0, 0, 0, time.UTC)
 	RFC8813Date = time.Date(2020, time.August, 1, 0, 0, 0, 0, time.UTC)
 	CABEffectiveDate = time.Date(2012, time.July, 1, 0, 0, 0, 0, time.UTC)
 	CABReservedIPDate = time.Date(2016, time.October, 1, 0, 0, 0, 0, time.UTC)
@@ -74,13 +75,18 @@ var (
 	AppleReducedLifetimeDate = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)
 	CABFBRs_1_7_9_Date = time.Date(2021, time.August, 16, 0, 0, 0, 0, time.UTC)
 	CABFBRs_1_8_0_Date = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC)
+	CABFBRs_2_0_0_Date = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
 	NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC)
 	CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
+	SC17EffectiveDate = time.Date(2019, time.June, 21, 0, 0, 0, 0, time.UTC)
 	CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC)
 	// Enforcement date of CRL reason codes from Ballot SC 061
 	CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC)
 	// Updates to the CABF BRs and EVGLs from Ballot SC 062 https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/
 	SC62EffectiveDate = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
+	// Date when section 9.2.8 of CABF EVG became effective
+	CABFEV_Sec9_2_8_Date = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC)
+	CABF_CS_BRs_1_2_Date = time.Date(2019, time.August, 13, 0, 0, 0, 0, time.UTC)
 )
 
 var (
diff --git a/vendor/github.com/zmap/zlint/v3/zlint.go b/vendor/github.com/zmap/zlint/v3/zlint.go
index 7cb773f88..93c7a2e14 100644
--- a/vendor/github.com/zmap/zlint/v3/zlint.go
+++ b/vendor/github.com/zmap/zlint/v3/zlint.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -23,6 +23,7 @@ import (
 	"github.com/zmap/zlint/v3/lint"
 	_ "github.com/zmap/zlint/v3/lints/apple"
 	_ "github.com/zmap/zlint/v3/lints/cabf_br"
+	_ "github.com/zmap/zlint/v3/lints/cabf_cs_br"
 	_ "github.com/zmap/zlint/v3/lints/cabf_ev"
 	_ "github.com/zmap/zlint/v3/lints/cabf_smime_br"
 	_ "github.com/zmap/zlint/v3/lints/community"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0a2d3187c..1ad538325 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -287,12 +287,13 @@ github.com/zmap/zcrypto/util
 github.com/zmap/zcrypto/x509
 github.com/zmap/zcrypto/x509/ct
 github.com/zmap/zcrypto/x509/pkix
-# github.com/zmap/zlint/v3 v3.6.0
+# github.com/zmap/zlint/v3 v3.6.4
 ## explicit; go 1.18
 github.com/zmap/zlint/v3
 github.com/zmap/zlint/v3/lint
 github.com/zmap/zlint/v3/lints/apple
 github.com/zmap/zlint/v3/lints/cabf_br
+github.com/zmap/zlint/v3/lints/cabf_cs_br
 github.com/zmap/zlint/v3/lints/cabf_ev
 github.com/zmap/zlint/v3/lints/cabf_smime_br
 github.com/zmap/zlint/v3/lints/community