Godeps: Update vendored zlint to 8093f21. (#3852)
This updates our zlint dependency to 8093f211c4 - the tip of master at the time of writing. Notably this brings in a gTLD map that has effective periods so cert-checker can catch issuance for removed gTLDs after their removal date.
Unit tests are confirmed to pass:
```
$> git rev-parse HEAD
8093f211c43679b1ade744d238a02ba1f0c07371
$> go test ./...
ok github.com/zmap/zlint 0.284s
? github.com/zmap/zlint/cmd/zlint [no test files]
? github.com/zmap/zlint/cmd/zlint-gtld-update [no test files]
ok github.com/zmap/zlint/lints 0.165s
ok github.com/zmap/zlint/util 0.005s
```
This commit is contained in:
parent
db01b0b5bc
commit
134dc68d14
@ -345,15 +345,15 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"ImportPath": "github.com/zmap/zlint",
|
"ImportPath": "github.com/zmap/zlint",
|
||||||
"Rev": "02fe9a29bbae57da0c77db7afb53734dc262b130"
|
"Rev": "8093f211c43679b1ade744d238a02ba1f0c07371"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"ImportPath": "github.com/zmap/zlint/lints",
|
"ImportPath": "github.com/zmap/zlint/lints",
|
||||||
"Rev": "02fe9a29bbae57da0c77db7afb53734dc262b130"
|
"Rev": "8093f211c43679b1ade744d238a02ba1f0c07371"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"ImportPath": "github.com/zmap/zlint/util",
|
"ImportPath": "github.com/zmap/zlint/util",
|
||||||
"Rev": "02fe9a29bbae57da0c77db7afb53734dc262b130"
|
"Rev": "8093f211c43679b1ade744d238a02ba1f0c07371"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"ImportPath": "golang.org/x/crypto/cryptobyte",
|
"ImportPath": "golang.org/x/crypto/cryptobyte",
|
||||||
@ -31,12 +31,12 @@ func (l *DNSNameValidTLD) CheckApplies(c *x509.Certificate) bool {
|
||||||
|
|
||||||
func (l *DNSNameValidTLD) Execute(c *x509.Certificate) *LintResult {
|
func (l *DNSNameValidTLD) Execute(c *x509.Certificate) *LintResult {
|
||||||
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
|
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
|
||||||
if !util.HasValidTLD(c.Subject.CommonName) {
|
if !util.HasValidTLD(c.Subject.CommonName, c.NotBefore) {
|
||||||
return &LintResult{Status: Error}
|
return &LintResult{Status: Error}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for _, dns := range c.DNSNames {
|
for _, dns := range c.DNSNames {
|
||||||
if !util.HasValidTLD(dns) {
|
if !util.HasValidTLD(dns, c.NotBefore) {
|
||||||
return &LintResult{Status: Error}
|
return &LintResult{Status: Error}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1,9 +0,0 @@
|
||||||
# Script to update the list of gTLDs
|
|
||||||
curl -o data/iana_gtlds.txt http://data.iana.org/TLD/tlds-alpha-by-domain.txt
|
|
||||||
echo "ONION" >> data/iana_gtlds.txt
|
|
||||||
sort data/iana_gtlds.txt data/newgtlds.txt | uniq > data/tmp_gtlds.txt
|
|
||||||
rm data/iana_gtlds.txt
|
|
||||||
mv data/tmp_gtlds.txt data/newgtlds.txt
|
|
||||||
curl -o data/removedtlds.txt https://raw.githubusercontent.com/pzb/TLDs/master/removed/rmtlds.csv
|
|
||||||
python scripts/consolidate_tlds.py data/newgtlds.txt data/removedtlds.txt util/gtld_map.go
|
|
||||||
gofmt -w .
|
|
||||||
@ -12,24 +12,86 @@
|
||||||
* permissions and limitations under the License.
|
* permissions and limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* dataupdate.go
|
|
||||||
* File used to parse newgtlds.csv and generate a map
|
|
||||||
*/
|
|
||||||
|
|
||||||
package util
|
package util
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
"strings"
|
"strings"
|
||||||
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
func HasValidTLD(domain string) bool {
|
// This package uses the `zlint-gtld-update` command to generate a `tldMap` map.
|
||||||
labels := strings.Split(domain, ".")
|
//go:generate zlint-gtld-update ./gtld_map.go
|
||||||
rightLabel := labels[len(labels)-1]
|
|
||||||
return IsInTLDMap(rightLabel)
|
const (
|
||||||
|
GTLDPeriodDateFormat = "2006-01-02"
|
||||||
|
)
|
||||||
|
|
||||||
|
// GTLDPeriod is a struct representing a gTLD's validity period. The field names
|
||||||
|
// are chosen to match the data returned by the ICANN gTLD v2 JSON registry[0].
|
||||||
|
// See the `zlint-gtld-update` command for more information.
|
||||||
|
// [0] - https://www.icann.org/resources/registries/gtlds/v2/gtlds.json
|
||||||
|
type GTLDPeriod struct {
|
||||||
|
// GTLD is the GTLD the period corresponds to. It is used only for friendly
|
||||||
|
// error messages from `Valid`
|
||||||
|
GTLD string
|
||||||
|
// DelegationDate is the date at which ICANN delegated the gTLD into existence
|
||||||
|
// from the root DNS, or is empty if the gTLD was never delegated.
|
||||||
|
DelegationDate string
|
||||||
|
// RemovalDate is the date at which ICANN removed the gTLD delegation from the
|
||||||
|
// root DNS, or is empty if the gTLD is still delegated and has not been
|
||||||
|
// removed.
|
||||||
|
RemovalDate string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Valid determines if the provided `when` time is within the GTLDPeriod for the
|
||||||
|
// gTLD. E.g. whether a certificate issued at `when` with a subject identifier
|
||||||
|
// using the specified gTLD can be considered a valid use of the gTLD.
|
||||||
|
func (p GTLDPeriod) Valid(when time.Time) error {
|
||||||
|
// NOTE: We can throw away the errors from time.Parse in this function because
|
||||||
|
// the zlint-gtld-update command only writes entries to the generated gTLD map
|
||||||
|
// after the dates have been verified as parseable
|
||||||
|
notBefore, _ := time.Parse(GTLDPeriodDateFormat, p.DelegationDate)
|
||||||
|
if when.Before(notBefore) {
|
||||||
|
return fmt.Errorf(`gTLD ".%s" is not valid until %s`,
|
||||||
|
p.GTLD, p.DelegationDate)
|
||||||
|
}
|
||||||
|
// The removal date may be empty. We only need to check `when` against the
|
||||||
|
// removal when it isn't empty
|
||||||
|
if p.RemovalDate != "" {
|
||||||
|
notAfter, _ := time.Parse(GTLDPeriodDateFormat, p.RemovalDate)
|
||||||
|
if when.After(notAfter) {
|
||||||
|
return fmt.Errorf(`gTLD ".%s" is not valid after %s`,
|
||||||
|
p.GTLD, p.RemovalDate)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// HasValidTLD checks that a domain ends in a valid TLD that was delegated in
|
||||||
|
// the root DNS at the time specified.
|
||||||
|
func HasValidTLD(domain string, when time.Time) bool {
|
||||||
|
labels := strings.Split(domain, ".")
|
||||||
|
rightLabel := labels[len(labels)-1]
|
||||||
|
// if the rightmost label is not present in the tldMap, it isn't valid and
|
||||||
|
// never was.
|
||||||
|
if tldPeriod, present := tldMap[rightLabel]; !present {
|
||||||
|
return false
|
||||||
|
} else if tldPeriod.Valid(when) != nil {
|
||||||
|
// If the TLD exists but the date is outside of the gTLD's validity period
|
||||||
|
// then it is not a valid TLD.
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
// Otherwise the TLD exists, and was a valid TLD delegated in the root DNS
|
||||||
|
// at the time of the given date.
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// IsInTLDMap checks that a label is present in the TLD map. It does not
|
||||||
|
// consider the TLD's validity period and whether the TLD may have been removed,
|
||||||
|
// only whether it was ever a TLD that was delegated.
|
||||||
func IsInTLDMap(label string) bool {
|
func IsInTLDMap(label string) bool {
|
||||||
label = strings.ToUpper(label)
|
label = strings.ToLower(label)
|
||||||
if _, ok := tldMap[label]; ok {
|
if _, ok := tldMap[label]; ok {
|
||||||
return true
|
return true
|
||||||
} else {
|
} else {
|
||||||
@ -1,5 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
set -e
|
|
||||||
|
|
||||||
# Script to update the list of gTLDs
|
|
||||||
curl -o newgtlds.txt http://data.iana.org/TLD/tlds-alpha-by-domain.txt
|
|
||||||